[Samba] Samba 4.1 as member server, problems doing password authentication using CentOS/RedHat 7 packages

Ty! Boyack Ty.Boyack at colostate.edu
Mon Apr 27 14:38:31 MDT 2015



On 04/27/2015 01:20 PM, Ken Bass wrote:
> On 4/23/2015 4:40 PM, Ty! Boyack wrote:
>>
>> TL;DR (or just in case someone comes across this with the same problem):
>>
>> At least with our config in our environment, the current Samba 
>> package from the CentOS base repo fails to properly authenticate 
>> sessions using passwords when acting as a domain member server. It 
>> will authenticate sessions using kerberos fine. If you deploy samba in 
>> an environment where you use Samba as a member server with Windows 
>> Domain Controllers, you may be unable to authenticate users who are 
>> not part of your kerberos domain with the current samba package 
>> (4.1.12-21.el7_1).
>>
>> If a fix is necessary, you can recompile the source RPM with the 
>> patch100 and patch101 commented out in the SPEC file. At least for 
>> us, it seems to be working fine. (YMMV)
>>
>>
>
> Did you figure out who/where to submit a bug report to? Or find any 
> more info? I just upgraded my CentOS boxes and my Samba shares are now 
> broken. I believe I was running samba-4.1.1-38.el7_0. It just upgraded 
> to samba-4.1.12-21.el7_1.
>
> My CentOS share machine uses security = domain, with password servers 
> set to my two CentOS samba domain controllers (primary and backup - 
> linked via ldap). There is no AD in this environment. I do have MIT 
> Kerberos set up, but it is not used by Samba - only for SSH.
>
> When I try to connect to a share on the machine, it fails and I see:
>
> [2015/04/27 14:53:19.363856,  0] 
> ../source3/auth/auth_domain.c:302(domain_client_validate)
>   domain_client_validate: unable to validate password for user 
> MYDOMuser in domain MYDOM to Domain controller PDC. Error was 
> NT_STATUS_LOCK_NOT_GRANTED.
> [2015/04/27 14:53:19.367346,  2] 
> ../source3/auth/auth.c:300(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [MYDOMuser] -> 
> [MYDOMuser] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
> [2015/04/27 14:53:19.367449,  2] 
> ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
>
> I am considering rebuilding the RPMs without patches you mentioned, 
> but wanted to check first.

Hi Ken,

That looks like the most common error I get when trying to authenticate 
against Windows domain controllers too, and it's interesting to see it 
coming up against other DCs.  Thanks for the information and the 
corroboration -- I wasn't sure if I had something unique to my environment.

I hadn't found out where to file a bug report and have not been able to 
focus on this for a couple of days, but luckily someone else found where 
to report the bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1202347

Thanks to MOM20xxx in that thread for getting the information from this 
discussion into the bug report there.
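
Added example, not part of the original thread: a small Python triage script that tallies failed NTLM password authentications by NT status from smbd log text, which helps confirm whether a member server shows the NT_STATUS_LOCK_NOT_GRANTED pattern quoted above after a package upgrade. It assumes the default two-line log header format with unwrapped lines; the function names are hypothetical and the sample log is constructed from the excerpt in the thread plus one invented entry.

```python
import re
from collections import Counter

# Constructed sample: first three entries follow the excerpt quoted in the
# thread (unwrapped); the last entry is invented for contrast.
SAMPLE_LOG = """\
[2015/04/27 14:53:19.363856,  0] ../source3/auth/auth_domain.c:302(domain_client_validate)
  domain_client_validate: unable to validate password for user MYDOMuser in domain MYDOM to Domain controller PDC. Error was NT_STATUS_LOCK_NOT_GRANTED.
[2015/04/27 14:53:19.367346,  2] ../source3/auth/auth.c:300(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [MYDOMuser] -> [MYDOMuser] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/04/27 14:53:19.367449,  2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
[2015/04/27 14:55:02.101010,  2] ../source3/auth/auth.c:300(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [guest1] -> [guest1] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

# Assumed header layout: "[timestamp, level] source_file:line(function)"
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]"
                    r"\s+(?P<src>\S+)\((?P<func>\w+)\)\s*$")
FAILED = re.compile(r"Authentication for user \[(?P<user>[^\]]*)\]"
                    r".*FAILED with error (?P<status>NT_STATUS_\w+)")

def parse_entries(text):
    """Group each header line with its indented message lines."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {**m.groupdict(), "msg": ""}
            entries.append(current)
        elif current is not None and line.strip():
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return entries

def failed_logins(text):
    """Return (timestamp, user, status) for each check_ntlm_password failure."""
    out = []
    for e in parse_entries(text):
        m = FAILED.search(e["msg"]) if e["func"] == "auth_check_ntlm_password" else None
        if m:
            out.append((e["ts"], m["user"], m["status"]))
    return out

def status_summary(text):
    """Count failures per NT status; only one line per login attempt is counted."""
    return Counter(status for _, _, status in failed_logins(text))

if __name__ == "__main__":
    for status, n in status_summary(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {status}")
```

A sudden run of NT_STATUS_LOCK_NOT_GRANTED for password logins, where NT_STATUS_WRONG_PASSWORD or similar would be the usual failure, matches the symptom reported in this thread.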

