[Samba] Samba 4 AD member server authentication issues, domain vs. ads security
Rowland penny
rpenny at samba.org
Wed Jun 22 19:52:17 UTC 2016
On 22/06/16 19:29, Eric Shell wrote:
> I should add that the samba.log file was logging NT_STATUS_NO_LOGON_SERVERS
> errors when authentication attempts were failing. Workstations in the
> domains were still able to authenticate, however, and I verified that the
> DNS records were still correct. The SRV records were all in place and the
> domain controllers' host names were resolving.
>
> On Wed, Jun 22, 2016 at 9:44 AM, Eric Shell <eshell at ucsc.edu> wrote:
>
>> Thanks for the quick replies.
>>
>> One domain is at Windows Server 2008 functional level, and the other is
>> Windows Server 2012 R2. The Samba 4 servers are running 4.2.10 and the
>> Samba 3 servers are running 3.6.23, both from RPMs available from either
>> the CentOS 6 or 7 repos (Samba 4 on CentOS 7, Samba 3 on CentOS 6).
>>
>> Here's the smb.conf used on the two Samba 4 servers:
>>
>> [global]
>>> workgroup = BSOE
>>> server string = SAMBA-01
>>> netbios name = SAMBA-01
>>> realm = ad.soe.ucsc.edu
>>> security = ads
>>> log file = /var/log/samba.log
>>> log level = 2
>>> browseable = yes
>>> read only = no
>>> local master = no
>>> load printers = no
>>> preserve case = yes
>>> case sensitive = yes
>>> wins support = no
>>> passdb backend = tdbsam
>>> printing = bsd
>>> printcap name = /dev/null
>>> disable spoolss = yes
>>> client ldap sasl wrapping = sign
>>> short preserve case = yes
>>> nt acl support = no
>>> wide links = no
>>> unix extensions = no
>>> strict locking = no
>>> kernel change notify = no
>> include = /etc/samba/shares.conf
>>
>>
>> Rowland, I changed the security option based on the example on that page
>> of the wiki but I didn't perform the winbind portion because I wasn't sure
>> whether it was necessary or wise. The issue with some clients not having
>> Kerberos tickets is that we have some systems that are not integrated with
>> AD and have been using password authentication thus far. If possible, we
>> would like to continue to be able to use password authentication for
>> clients that aren't part of the domains since some of them will not/can not
>> be joined.
>>
>
>
OK, back in April, Samba released major security releases, amongst which
was version 4.2.11; this included a regression fix for 4.2.10 (which
wasn't released). Red Hat released this as 4.2.10.

There has been another release since then (4.2.12); this was to fix a
number of regressions from 4.2.11.

You can read the release notes here:
https://www.samba.org/samba/history/samba-4.2.10.html
https://www.samba.org/samba/history/samba-4.2.11.html
https://www.samba.org/samba/history/samba-4.2.12.html

Samba did not release anything for the 3.6 versions because it is EOL,
but Red Hat backported the 4.x patches to 3.6, so if you can sort out
your problem with 4.2.10, you will probably find it is the same problem
for 3.6.

I take it you are using sssd on the CentOS machines. I haven't checked
lately (I don't use sssd), but you could try asking on the sssd mailing
list for help as well.

Rowland