[Samba] Samba 4.1 as member server, problems doing password authentication using CentOS/RedHat 7 packages

Andrey Repin anrdaemon at yandex.ru
Mon Apr 20 17:30:11 MDT 2015 

Greetings, Ty! Boyack!

> I've come across a difference I can't explain between the way Samba 
> behaves on Fedora 20 (4.1.17-1.fc20) and Centos 7 (4.1.12-21.el7). I 
> have a test server of each system (Fedora 20 and Centos 7), each newly 
> built, fully updated, and with the same config file.  Each is joined to 
> our AD domain (Windows DCs).  Some of our client systems are joined to 
> the domain and use Kerberos tickets to get access. Others are not joined 
> to the domain and need to supply a username/password.

> Clients which are joined to the AD domain (i.e. kerberos) work fine on 
> both CentOS and Fedora servers.  But if a client is not on the AD domain 
> and therefore giving us a username/password pair to authenticate with, 
> the service only works on the Fedora system.

> On both Fedora and CentOS I see that the Samba process is contacting the 
> DC with the logon information.  While Fedora gets back an appropriate 
> response of logon success or logon failure, the CentOS version gets back 
> one of 3 responses (I have not seen a pattern to which response we get):
> NT_STATUS_LOCK_NOT_GRANTED
> NT_STATUS_ACCESS_DENIED
> NT_STATUS_INVALID_PARAMETER

> With any of those errors, it denies the client access to the share, even 
> though the correct username and password has been sent.

> I dumped (using testparm -v) all of the default settings, and found that 

With Samba 4, I've found the output of "samba-tool testparm" to be different
from "testparm". The former looks more trustworthy to me.

> there were two entries with different defaults:
> (CentOS):
> winbindd socket directory = /run/samba/winbindd
> winbind sealed pipes = Yes
> (Fedora):
> winbindd socket directory =
> winbind sealed pipes = No

> However, changing them on the CentOS server did not change it's behavior 
> (didn't expect that it would).

> Also, the CentOS version has 5 additional default-set parameters that 
> don't exist in the Fedora version:
> neutralize nt4 emulation = No
> reject md5 servers = No
> require strong key = Yes
> allow nt4 crypto = No
> reject md5 clients = No

> I've tried changing those defaults, but did not see a change in this 
> behavior. I don't see how to unset them so that they don't exist at 
> all.  It may be worth noting that these seem to come from some 4.2 code, 
> so it might be that RedHat has applied some 4.2 patches in the process.

> My smb.conf file is pretty simple, and the same for each server:

> [global]
>         workgroup = [short domain name]
>         server string = WCNR Samba Server Version %v
>         # logs split per machine
>         log file = /var/log/samba/log.%m
>         # max 250KB per log file, then rotate
>         max log size = 250
>         security = ads
>         realm = [fully qualified domain name]
>         smb ports = 445
>         veto files = /lost+found/
>         unix extensions = No
>         create mask = 0664
>         directory mask = 0775
>         username map script = /var/lib/samba/scripts/username_map_script


> [sambatest]
>    path = /export/sambatest
>    writable = yes
>    browseable = no


> Does anyone have any idea of why username/password logons would fail on 
> CentOS 7 when the rest of it seems to be working correctly?

> Thanks much in advance!

Following smb.conf compare, I would compare krb5.conf, particularly the realm
name and capitalization.
Been bitten by that >.<


-- 
With best regards,
Andrey Repin
Tuesday, April 21, 2015 02:27:22

Sorry for my terrible english...

More information about the samba mailing list