[Samba] Samba 4.1 as member server, problems doing password authentication using CentOS/RedHat 7 packages

Ken Bass kbass at kenbass.com
Mon Apr 27 13:20:01 MDT 2015 

On 4/23/2015 4:40 PM, Ty! Boyack wrote:
>
> TL;DR (or just in case someone comes across this with the same problem):
>
> At least with our config in our environment, the current Samba package 
> from the CentOS base repo fails to properly authenticate sessions 
> using passwords when acting as a domain member server. It will 
> authenticate sessions using kerberos fine.If you deploy samba in an 
> environment where you use Samba as a member server with Windows Domain 
> Controllers, you may be unable to authenticate users who are not part 
> of your kerberos domain with the current samba package (4.1.12-21.el7_1).
>
> If a fix is necessary, you can recompile the source RPM with the 
> patch100 and patch101 commented out in the SPEC file. At least for us, 
> it seems to be working fine. (YMMV)
>
>

Did you figure out who/where to submit a bug report to? Or find any more 
info? I just upgraded my Centos boxes and my Samba shares are now 
broken. I believe I was running samba-4.1.1-38.el7_0. It just upgraded 
to samba-4.1.12-21.el7_1.

My Centos share machine uses security = domain, with password servers 
set to my two Centos samba domain controllers (primary and backup - 
linked via ldap). There is no AD in this environment. I do have MIT 
Kerberos setup, but it is not used by Samba - only for SSH.

When I try to connect to a share on the machine, it fails and I see:

[2015/04/27 14:53:19.363856,  0] 
../source3/auth/auth_domain.c:302(domain_client_validate)
   domain_client_validate: unable to validate password for user 
MYDOMuser in domain MYDOM to Domain controller PDC. Error was 
NT_STATUS_LOCK_NOT_GRANTED.
[2015/04/27 14:53:19.367346,  2] 
../source3/auth/auth.c:300(auth_check_ntlm_password)
   check_ntlm_password:  Authentication for user [MYDOMuser] -> 
[MYDOMuser] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/04/27 14:53:19.367449,  2] 
../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
   SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED

I am considering rebuilding the RPMs without patches you mentioned, but 
wanted to check first.

More information about the samba mailing list