[Samba] Samba 4.1 as member server, problems doing password authentication using CentOS/RedHat 7 packages
Ty! Boyack
Ty.Boyack at colostate.edu
Mon Apr 20 14:33:58 MDT 2015
I've come across a difference I can't explain between the way Samba
behaves on Fedora 20 (4.1.17-1.fc20) and Centos 7 (4.1.12-21.el7). I
have a test server of each system (Fedora 20 and Centos 7), each newly
built, fully updated, and with the same config file. Each is joined to
our AD domain (Windows DCs). Some of our client systems are joined to
the domain and use Kerberos tickets to get access. Others are not joined
to the domain and need to supply a username/password.
Clients which are joined to the AD domain (i.e. kerberos) work fine on
both CentOS and Fedora servers. But if a client is not on the AD domain
and therefore giving us a username/password pair to authenticate with,
the service only works on the Fedora system.
On both Fedora and CentOS I see that the Samba process is contacting the
DC with the logon information. While Fedora gets back an appropriate
response of logon success or logon failure, the CentOS version gets back
one of 3 responses (I have not seen a pattern to which response we get):
NT_STATUS_LOCK_NOT_GRANTED
NT_STATUS_ACCESS_DENIED
NT_STATUS_INVALID_PARAMETER
With any of those errors, it denies the client access to the share, even
though the correct username and password have been sent.
I dumped (using testparm -v) all of the default settings, and found that
there were two entries with different defaults:
(CentOS):
winbindd socket directory = /run/samba/winbindd
winbind sealed pipes = Yes
(Fedora):
winbindd socket directory =
winbind sealed pipes = No
However, changing them on the CentOS server did not change its behavior
(didn't expect that it would).
Also, the CentOS version has 5 additional default-set parameters that
don't exist in the Fedora version:
neutralize nt4 emulation = No
reject md5 servers = No
require strong key = Yes
allow nt4 crypto = No
reject md5 clients = No
I've tried changing those defaults, but did not see a change in this
behavior. I don't see how to unset them so that they don't exist at
all. It may be worth noting that these seem to come from some 4.2 code,
so it might be that RedHat has applied some 4.2 patches in the process.
My smb.conf file is pretty simple, and the same for each server:
[global]
workgroup = [short domain name]
server string = WCNR Samba Server Version %v
# logs split per machine
log file = /var/log/samba/log.%m
# max 250KB per log file, then rotate
max log size = 250
security = ads
realm = [fully qualified domain name]
smb ports = 445
veto files = /lost+found/
unix extensions = No
create mask = 0664
directory mask = 0775
username map script = /var/lib/samba/scripts/username_map_script
[sambatest]
path = /export/sambatest
writable = yes
browseable = no
Does anyone have any idea of why username/password logons would fail on
CentOS 7 when the rest of it seems to be working correctly?
Thanks much in advance!
-Ty!
--
-===========================-
Ty Boyack
NREL Senior IT Engineer
Ty.Boyack at colostate.edu
(970) 491-1186
-===========================-
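The comparison the post does by hand (dumping `testparm -v` on each server and looking for defaults that differ or exist on only one build) can be scripted. The following is an added example, not code from the post or from the Samba project; the two dumps are constructed and abbreviated to the entries the post quotes, and the parameter names are assumed to come out of `testparm -s -v` as `key = value` lines.

```python
# Added example (not from the original post): diff two `testparm -s -v`
# dumps and report parameters whose values differ or that exist on only
# one host. The dumps below are constructed from the entries the post
# lists; in practice feed it the captured output from each server.
import re
from typing import Dict, List, Tuple

# Constructed sample dumps, abbreviated to the lines the post reports.
CENTOS_DUMP = """\
[global]
    winbindd socket directory = /run/samba/winbindd
    winbind sealed pipes = Yes
    neutralize nt4 emulation = No
    reject md5 servers = No
    require strong key = Yes
    allow nt4 crypto = No
    reject md5 clients = No
    security = ADS
"""
FEDORA_DUMP = """\
[global]
    winbindd socket directory =
    winbind sealed pipes = No
    security = ADS
"""

# Matches "key = value"; skips section headers and comment lines.
PARAM_RE = re.compile(r"^\s*([^=#;\[][^=]*?)\s*=\s*(.*?)\s*$")


def parse_testparm(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines from testparm output into a dict."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params


def diff_params(a: Dict[str, str], b: Dict[str, str]) -> Tuple[Dict[str, Tuple[str, str]], List[str], List[str]]:
    """Return (keys with differing values, keys only in a, keys only in b)."""
    changed = {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}
    return changed, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())


if __name__ == "__main__":
    c, f = parse_testparm(CENTOS_DUMP), parse_testparm(FEDORA_DUMP)
    changed, only_centos, only_fedora = diff_params(c, f)
    for k, (cv, fv) in sorted(changed.items()):
        print(f"differs: {k}: centos={cv!r} fedora={fv!r}")
    for k in only_centos:
        print(f"only on centos: {k} = {c[k]}")
    for k in only_fedora:
        print(f"only on fedora: {k} = {f[k]}")
```

Run it against real dumps by replacing the two constants with the files captured on each host; parameters reported as "only on" one side are the ones that a shared smb.conf cannot unset.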