[Samba] Samba 4.1 as member server, problems doing password authentication using CentOS/RedHat 7 packages

Thu Apr 23 14:40:51 MDT 2015

On 04/21/2015 11:39 AM, Rowland Penny wrote:
> On 21/04/15 18:24, Ty! Boyack wrote:
>> On 04/20/2015 05:30 PM, Andrey Repin wrote:
>>> Greetings, Ty! Boyack!
>>
>> Thanks, and Hi!
>>> I dumped (using testparm -v) all of the default settings, and found
>>> that
>>> With Samba 4, I've found the output of "samba-tool testparm" to be
>>> different
>>> from "testparm". The former looks more trustworthy to me.
>>
>> I feel really foolish here -- but I don't see samba-tool as an
>> installed binary or in any of the packages available via the
>> repositsories we use for CentOS or Fedora. Is this part of the
>> standard suite or samba
>
> You will not get samba-tool on any red-hat distro, you cannot set up a
> samba AD DC on red-hat with distro packages because they want to use
> MIT kerberos.
>

Aha, thanks.  I don't want to set up an AD, since we have a solid AD 
structure with windows servers in this environment.  That makes sense 
why I don't see the tool though.

>>
>>> Following smb.conf compare, I would compare krb5.conf, particularly
>>> the realm
>>> name and capitalization.
>>> Been bitten by that >.<
>>>
>>>
>>
>> Good thought.  I use 'net ads join' to join the active directory
>> domain, so that creates it's krb5 file on the fly in
>> /var/lib/samba/smb_krb5.  The contents of the files on each server is
>> almost the same -- it is the same information (including
>> capitalization -- you are right on that!) but the order of the KDCs
>> is different.  I changed the order to make sure that is not the issue
>> and confirmed that the behavior is the same.
>>
>> I wonder if the package compilation invokes substantially different
>> options for this behavior?  I don't know how to tell what configure
>> options are used by the package creators.  Does anyone know if that
>> is easy to discover?
>
> running 'smbd -b' will give you the build spec, but beware, it is
> usually very long and will probably scroll off screen, pipe it to a
> text file and read that.
>

Thanks -- that smbd -b was a good bit of insight.

I ended up building a copy of 4.1.17 from source, and it works fine.

Then I grabbed the 4.1.12 source RPM from CentOS, and if all the patches 
are removed it works fine.  So I rebuilt it a dozen times or so to 
identify which patch was causing the problem, and it is entirely 
reproducible by applying the patch 
samba-4.2.x-fix_gecos_field_with_samlogon.patch.  Interestingly, it is 
mislabeled in part of the spec file as 
.samba-4.1.13-fix_gecos_field_with_samlogon.patch.  This patch has been 
applied to the distributed binary package samba-4.1.12-21.el7_1.

Andrey and Rowland, thank you for the help and pointing me in good 
directions!

Now I just need to find out where to submit a bug report.  I don't know 
if it's a Samba bug (since the base packages work fine) or if it is a 
packaging bug.  And if a packaging bug I'm not sure where those bugs are 
tracked (I would assume with RedHat or CentOS, but just not sure).

TL;DR (or just in case someone comes across this with the same problem):

At least with our config in our environment, the current Samba package 
from the CentOS base repo fails to properly authenticate sessions using 
passwords when acting as a domain member server.  It will authenticate 
sessions using kerberos fine.If you deploy samba in an environment where 
you use Samba as a member server with Windows Domain Controllers, you 
may be unable to authenticate users who are not part of your kerberos 
domain with the current samba package (4.1.12-21.el7_1).

If a fix is necessary, you can recompile the source RPM with the 
patch100 and patch101 commented out in the SPEC file. At least for us, 
it seems to be working fine. (YMMV)