[Samba] Samba AD Auth Stops After Patches

Dale Schroeder dale at BriannasSaladDressing.com
Thu Jan 17 09:38:14 MST 2013


It could be several things.  idmap syntax changed again in 3.6.x.  I've 
put an example of that in your [global] section below.  3.6.x introduced 
some problems with winbind - 
https://bugzilla.samba.org/show_bug.cgi?id=8676 specifically got me, but 
there are others documented also.

Dale


On 01/16/2013 3:30 PM, Popp, Casey A SGT USARMY NG NEARNG (US) wrote:
> Hello, I have an issue that I can't sort out.
>
> Issue: Just applied the latest round of patches that brought me up to this
> Samba version and
> suddenly end-users are being prompted for authentication when attempting to
> access shares
> on this CentOS box from their Windows Vista, 7x86, and 7x64 workstations.
>
> Problem: I am new to Samba and seem to not be connecting the dots
>
> Layer 1: I can ping local host, Samba server name and IP from the Samba
> Server and from a Win7x64 client
>
>
> Here is my research and observations:
>
> 1. cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 5.9 (Tikanga)
>
> ---
>
> 2. smbstatus
> Samba version 3.6.6-0.129.el5
>
> ---
>
> 3. There are no permission problems on the shared directories nor the parent
> chain
>
> ---
>
> 4. (Symptom) There is an apparent group ownership problem on the shares.
> Where it used to resolve the
>    active directory security group, now there is only a numerical string.
> Attempting to reassign the
>    proper group ownership fails as follows:
>
> 4a. ll | grep 12345
>
> drwxrwxrwx  4 comp          1488701  4096 Jan 31  2006 12345
>
> 4b. chown -R comp:orrfo12345 12345
>
> chown: `comp:orrfo12345': invalid group
>
> 4e. Ok, this is a big problem but what is causing it?
>
> ---
>
> 5. From the server hosting Samba, I looked to see if it could resolve the
> groups. (A Factor) One concern
>     regarding this process is that we collapsed into a much larger domain
> about a year ago. As a result,
>     what is retrieved for a data set is rather large. Also, it takes some
> time. That is why I grep in the
>     following:
>
> 5a. wbinfo -g | grep -i ORRFO
> 5b. getent group OR+ORRFO12345 | awk -F: '{print $4}' | sed 's/OR+//g' | sed
> 's/,/\n/g'
>
> 5c. Both commands return a valid list after several seconds
>
> ---
>
> 6. Checking the winbind user:
>
> 6a. net help getauthuser
>
> 6b. The command returns the credentials of an Active Directory account that
> is present, unlocked, and set
>      with the correct password.
>
> ---
>
> 7. Checking if it can resolve the domain controller
>
> 7a. wbinfo -I IPAddrOfDC
>
> 7b. It resolves correctly
>
> ---
>
> 8. Check to see if I can get the SID of the winbind user
>
> 8a. wbinfo -n OR+linux.samba.svc
>
> 8b. The command returns the SID
>
> ---
>
> 9. Checked on services
>
> 9a. wbinfo -p
>
> Ping to winbindd succeeded
>
> 9b. wbinfo -t
>
> checking the trust secret for domain OR via RPC calls succeeded
>
> 9c. service --status-all | egrep "winbindd|nmbd|smbd"
>
> nmbd (pid 15246) is running...
>
> smbd (pid 28397 26486 21186 20942 20941 20940 20939 20938 20937
> 20936 20935 20934 20933 20930 20929 20927 20926 20925 20924 20923
> 20922 20921 20920 20917 20916 18027 14885 14878 6418) is running...
>
> winbindd (pid 9208 9187 9185 9184 9182) is running...
>
>
> 9d. wbinfo --online-status
> BUILTIN : online
> OR-CENTSAMBA-01 : online
> OR : online
>
> 9e. (Problem) Not sure if it is an issue but nmbd was not started initially.
>      The results above come after having started it.
>
> ---
>
> 10. Verifying smb.conf. I cut out all but one of the shares to keep it
> simple. The allow connections section
>      was also trimmed but all were ok.
>
>
> 10a. testparm /etc/samba/smb.conf MyWorkstationName MyWorkstationIP
>
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> WARNING: The "idmap backend" option is deprecated
> WARNING: The "idmap uid" option is deprecated
> WARNING: The "idmap gid" option is deprecated
> Processing section "[12345]"
> Loaded services file OK.
> WARNING: The setting 'security=ads' should NOT be combined with the
> 'password server' parameter.
> (by default Samba will discover the correct DC to contact automatically).
> 'winbind separator = +' might cause problems with group membership.
> WARNING: You have some share names that are longer than 12 characters.
> These may not be accessible to some older clients.
> (Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
> Server role: ROLE_DOMAIN_MEMBER
> Allow connection from MyWorkstationName (MyWorkstationIP) to 12345
>
>
> 10b. (Don't Know) I am not sure if these warnings had been on the system
> before or
>       if they are the result of patching.
>
> ---
>
> 11. I created a new user on the Samba server and added it to smbusers. An
> identically
>      named account exists on another CentOS server that rides the backbone. I
> am able to
> access the directories from that server without being prompted for
> auth:
>
>
> 11a. smb://OR-CENTSAMBA-01
>
> ---
>
> 12. I checked the time on the DC against that on the Samba server and they
> are within seconds.
>
>
> ---
>
> 13. I refreshed the Kerberos ticket. It is good.
>
> ---
>
> 14. (Problem) Here is one I can't explain. I came across this as a check
> but never found what to
>      do if this didn't work.
>
> 14a. smbclient -L localhost
>
> WARNING: The "idmap backend" option is deprecated
> WARNING: The "idmap uid" option is deprecated
> WARNING: The "idmap gid" option is deprecated
> Enter root's password:
> Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)
>
> ---
>
> 15. Here is my smb.conf
>
> 15b. more /etc/samba/smb.conf
>
> [global]
>          workgroup = OR
>          realm = OR.SOME.THING.COM
>          netbios name = OR-CENTSAMBA-01
>          server string = OR Cent Samba
>          interfaces = MyServerIP
>          bind interfaces only = Yes
>          security = ADS
>          client schannel = No
>          allow trusted domains = No
>          password server = IPforDC1 IPforDC2
>          syslog = 0
>          ;log level = 10
>          log file = /var/log/samba/log.%m
>          max log size = 20480
>          ;socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>          socket options = TCP_NODELAY IPTOS_LOWDELAY
>          server signing = auto
>          ;client use spnego = No
>          local master = No
>          domain master = No
>          dns proxy = No
>          wins server = IPforWINSsvr1 IPforWINSsvr2
>          name resolve order = host wins bcast
>          pid directory = /var/run/samba
>         # idmap backend = rid:OR=1000000-3000000
>         # idmap uid = 1000000-3000000
>         # idmap gid = 1000000-3000000
                     idmap config * : backend = tdb
                     idmap config * : range = <low> - <high>
                     idmap config <DOMAIN> : default = Yes
                     idmap config <DOMAIN> : backend = rid
                     idmap config <DOMAIN> : range = <different low> - <different high>
>          template homedir = /home/%U
>          template shell = /bin/bash
>          winbind separator = +
>          winbind cache time = 10
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = Yes
>          winbind offline logon = false
>          read only = No
>          hosts allow = hostname, octet1.octet2., 127.
>          short preserve case = No
>          veto oplock files = /*.xls/
>          dos filetime resolution = Yes
>
> ################## SHARE DEFINITIONS
> ##############################################
>
> [12345]
> comment =  12345
> valid users =  @OR+ORRFO12345
> path = /parent/12345
> public = no
> writeable = yes
> force group = @OR+ORRFO12345
>
> [TEST]
>     comment = Test Share
>     valid users =  "@OR+SecGrpName"
>     path = /parent/test
>     public = no
>     writeable = yes
>     force group = "@OR+SecGrpName"
>     create mask = 0770
>     directory mask = 0770
>
> #=========================Printer
> Test=========================================
> [smbpdf]
> comment = PDF Generator
> valid users = @OR+"Domain Users"
> printing = sysv
> path = /var/spool/samba
> printable = yes
> print command = /usr/sbin/pdfprint %s %U %I %a
> lpq command = #
> lprm command = #
> lppause command = #
> lpresume command = #
> queuepause command = #
> queueresume command = #
> use client driver = yes
>
> [smbtiff]
> comment = TIFF Generator
> valid users = @OR+"Domain Users"
> printing = sysv
> path = /var/spool/samba
> printable = yes
> print command = /usr/sbin/tiffprint %s %U %I %a
> lpq command = #
> lprm command = #
> lppause command = #
> lpresume command = #
> queuepause command = #
> queueresume command = #
> use client driver = yes
>
>
>
> 15c. I have validated that the first listed WINS server is online and that
> it contains the following active records
>
> [1Eh]
> [00h]
> [03h]
> [20h]
>
>
> 15d. All of the shares prompt for authentication
>
> ---
>
> 16. Latest patches that might fit into the time frame when this was first
> noticed.
>
>
> 16a. cat /var/log/yum.log | egrep "winbind|nmb|smb|samba"
>
>
> Jan 11 09:33:45 Updated: samba3x-winbind-3.6.6-0.129.el5.i386
> Jan 11 09:33:49 Updated: samba3x-common-3.6.6-0.129.el5.i386
> Jan 11 09:33:52 Updated: samba3x-doc-3.6.6-0.129.el5.i386
> Jan 11 09:33:52 Updated: samba3x-winbind-devel-3.6.6-0.129.el5.i386
> Jan 11 09:33:56 Updated: samba3x-3.6.6-0.129.el5.i386
> Jan 11 09:34:02 Updated: samba3x-client-3.6.6-0.129.el5.i386
>
> ---
>
> So, the big thing I see is that I can access AD from the Samba server and
> query, however, whatever is supposed to
> be resolving the group names on the shares is not working. I am left to
> assume that this is the cause for the auth
> prompts on windows explorer on the windows client PCs as well. But what
> mechanism is it?
>
>
> Thanks,
>
> Casey
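Added example, not code from Dale's reply or from Casey's post: a small POSIX shell script that takes the three commented-out, pre-3.6 idmap lines quoted in the smb.conf above (the `rid:OR=1000000-3000000` backend and the matching `idmap uid`/`idmap gid` ranges) and prints the `idmap config` form that 3.6 expects, refusing to do so if the default (`*`) range overlaps the domain range. The default range 10000-99999 is an arbitrary assumption made for the example; the domain name `OR` and the range 1000000-3000000 come from the quoted config, and the three old lines are embedded as constructed input. The domain range is deliberately kept exactly as it was: idmap_rid derives an id as the RID (minus the optional base_rid, default 0) plus the low end of the range, so the orphaned gid 1488701 in the directory listing corresponds to RID 488701 only while the range still starts at 1000000, and moving the range would re-map every uid and gid already stored on disk.

```shell
#!/bin/sh
# Added example, not part of the original thread: rewrite the deprecated
# Samba 3.x idmap parameters into the 'idmap config' syntax of Samba 3.6
# and sanity-check the ranges before the file is edited.

# Constructed input: the three lines quoted in Casey's smb.conf (commented
# out there, so leading '#' is tolerated by the parser below).
OLD_CONF='# idmap backend = rid:OR=1000000-3000000
# idmap uid = 1000000-3000000
# idmap gid = 1000000-3000000'

# convert_idmap OLD_TEXT DEFAULT_LOW DEFAULT_HIGH
#   Parses 'idmap backend = rid:DOMAIN=LOW-HIGH' and prints the 3.6 form.
#   The domain range is reused unchanged so ids already on disk keep their
#   RID mapping; the default (*) range is an assumption for this example and
#   must not overlap the domain range, otherwise the conversion refuses.
convert_idmap() {
    old=$1; def_low=$2; def_high=$3
    spec=$(printf '%s\n' "$old" | sed -n 's/^[# ]*idmap backend *= *rid:\(.*\)$/\1/p')
    [ -n "$spec" ] || { echo "no rid idmap backend line found" >&2; return 1; }
    dom=${spec%%=*}            # "OR"
    range=${spec#*=}           # "1000000-3000000"
    low=${range%-*}
    high=${range#*-}
    # Overlap test: the default allocator range must lie completely outside
    # the rid-computed domain range.
    if [ "$def_high" -ge "$low" ] && [ "$def_low" -le "$high" ]; then
        echo "default range $def_low-$def_high overlaps $dom range $low-$high" >&2
        return 1
    fi
    printf '        idmap config * : backend = tdb\n'
    printf '        idmap config * : range = %s-%s\n' "$def_low" "$def_high"
    printf '        idmap config %s : backend = rid\n' "$dom"
    printf '        idmap config %s : range = %s-%s\n' "$dom" "$low" "$high"
}

# rid_to_id RID LOW: the id idmap_rid assigns (base_rid assumed 0).
rid_to_id() { echo $(( $1 + $2 )); }

# id_to_rid ID LOW: reverse mapping, to find which AD object an orphaned
# numeric owner such as 1488701 used to be.
id_to_rid() { echo $(( $1 - $2 )); }

# Print the replacement [global] lines for the quoted configuration.
convert_idmap "$OLD_CONF" 10000 99999
```

Once the four printed lines replace the three deprecated parameters and winbindd has been restarted (and, if stale entries are suspected, `net cache flush` run), `testparm` should no longer print the three "deprecated" warnings, and `wbinfo -G 1488701` (gid to SID) followed by `wbinfo -s <SID>` should resolve the bare number back to a group name; if it does not, `id_to_rid 1488701 1000000` gives the RID to search for in AD.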