[Samba] Samba 4.1 as member server, problems doing password authentication using CentOS/RedHat 7 packages
Ty.Boyack at colostate.edu
Thu Apr 23 14:40:51 MDT 2015
On 04/21/2015 11:39 AM, Rowland Penny wrote:
> On 21/04/15 18:24, Ty! Boyack wrote:
>> On 04/20/2015 05:30 PM, Andrey Repin wrote:
>>> Greetings, Ty! Boyack!
>> Thanks, and Hi!
>>> I dumped (using testparm -v) all of the default settings, and found
>>> With Samba 4, I've found the output of "samba-tool testparm" to be
>>> from "testparm". The former looks more trustworthy to me.
>> I feel really foolish here -- but I don't see samba-tool as an
>> installed binary or in any of the packages available via the
>> repositories we use for CentOS or Fedora. Is this part of the
>> standard suite of samba
> You will not get samba-tool on any red-hat distro, you cannot set up a
> samba AD DC on red-hat with distro packages because they want to use
> MIT kerberos.
Aha, thanks. I don't want to set up an AD, since we have a solid AD
structure with windows servers in this environment. That explains
why I don't see the tool, though.
>>> Following smb.conf compare, I would compare krb5.conf, particularly
>>> the realm
>>> name and capitalization.
>>> Been bitten by that >.<
>> Good thought. I use 'net ads join' to join the active directory
>> domain, so that creates its krb5 file on the fly in
>> /var/lib/samba/smb_krb5. The contents of the files on each server are
>> almost the same -- it is the same information (including
>> capitalization -- you are right on that!) but the order of the KDCs
>> is different. I changed the order to make sure that is not the issue
>> and confirmed that the behavior is the same.
>> I wonder if the package compilation invokes substantially different
>> options for this behavior? I don't know how to tell what configure
>> options are used by the package creators. Does anyone know if that
>> is easy to discover?
> Running 'smbd -b' will give you the build spec, but beware, it is
> usually very long and will probably scroll off screen, pipe it to a
> text file and read that.
Thanks -- that smbd -b was a good bit of insight.
I ended up building a copy of 4.1.17 from source, and it works fine.
Then I grabbed the 4.1.12 source RPM from CentOS, and if all the patches
are removed it works fine. So I rebuilt it a dozen times or so to
identify which patch was causing the problem, and it is entirely
reproducible by applying the patch
samba-4.2.x-fix_gecos_field_with_samlogon.patch. Interestingly, it is
mislabeled in part of the spec file as
.samba-4.1.13-fix_gecos_field_with_samlogon.patch. This patch has been
applied to the distributed binary package samba-4.1.12-21.el7_1.
Andrey and Rowland, thank you for the help and pointing me in good
Now I just need to find out where to submit a bug report. I don't know
if it's a Samba bug (since the base packages work fine) or if it is a
packaging bug. And if a packaging bug I'm not sure where those bugs are
tracked (I would assume with RedHat or CentOS, but just not sure).
TL;DR (or just in case someone comes across this with the same problem):
At least with our config in our environment, the current Samba package
from the CentOS base repo fails to properly authenticate sessions using
passwords when acting as a domain member server. It will authenticate
sessions using Kerberos fine. If you deploy samba in an environment where
you use Samba as a member server with Windows Domain Controllers, you
may be unable to authenticate users who are not part of your Kerberos
domain with the current samba package (4.1.12-21.el7_1).
If a fix is necessary, you can recompile the source RPM with the
patch100 and patch101 commented out in the SPEC file. At least for us,
it seems to be working fine. (YMMV)
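As an added example (not from this thread or from the Samba or CentOS packagers), the following POSIX shell script does what the last paragraph describes: it comments out both the PatchNNN declaration and the matching %patchNNN application line for the given patch numbers in a spec file, exercised here on a constructed sample spec. The patch101 file name is a placeholder, and the rpmbuild invocation in the trailing comment is an assumption about the usual SRPM rebuild workflow.

```shell
#!/bin/sh
# Disable numbered patches in an RPM spec so the source RPM can be rebuilt
# without them (here: patch100 and patch101 of the samba package).
set -eu

# disable_spec_patches SPECFILE NUM [NUM...]
# Turns "PatchNNN: file" into "#PatchNNN: file" and "%patchNNN ..." into
# "#%patchNNN ...". Matching is exact on the number, so 10 does not hit 100.
disable_spec_patches() {
    spec=$1; shift
    for n in "$@"; do
        sed -e "s/^Patch$n:/#&/" \
            -e "s/^%patch$n[[:space:]]/#&/" \
            -e "s/^%patch$n\$/#&/" "$spec" > "$spec.tmp" \
            && mv "$spec.tmp" "$spec"
    done
}

# count_active_patch_lines SPECFILE NUM
# Prints how many live (uncommented) declaration/application lines remain
# for patch NUM; 0 means the patch is fully disabled.
count_active_patch_lines() {
    grep -c -e "^Patch$2:" -e "^%patch$2[[:space:]]" -e "^%patch$2\$" "$1" || true
}

# make_sample_spec SPECFILE: writes a constructed spec fragment (not the real
# samba spec) with one unrelated patch and the two patches from the post.
make_sample_spec() {
    cat > "$1" <<'EOF'
Name: samba
Patch10: unrelated-example.patch
Patch100: samba-4.2.x-fix_gecos_field_with_samlogon.patch
Patch101: PLACEHOLDER-patch101.patch
%prep
%setup -q
%patch10 -p1 -b .p10
%patch100 -p1 -b .samba-4.1.13-fix_gecos_field_with_samlogon.patch
%patch101 -p1 -b .p101
EOF
}

# Demonstration: patch10 stays live, patch100 and patch101 are commented out.
demo_spec=$(mktemp)
make_sample_spec "$demo_spec"
disable_spec_patches "$demo_spec" 100 101
grep -n 'atch10' "$demo_spec"
rm -f "$demo_spec"
# Rebuild afterwards (assumed workflow): rpm -ivh samba-*.src.rpm, then
# edit ~/rpmbuild/SPECS/samba.spec as above and run: rpmbuild -bb samba.spec
```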