[Samba] security=domain fails after upgr. to 4.9, winbind doesn't help
Frank Steiner
fsteiner-mail1 at bio.ifi.lmu.de
Thu Nov 28 16:46:16 UTC 2019
Hi,
We have problems getting Samba shares to work after upgrading from 4.7 to 4.9. We have one Samba PDC server providing some shares and the users via a local passdb.tdb file. Its smb.conf (names/IPs changed):
[global]
security = user
encrypt passwords = yes
passdb backend = tdbsam:/etc/samba/passdb.tdb
workgroup = OURWORKGROUP
netbios name = SERVER1
server string = main server
map untrusted to domain = Yes
local master = yes
preferred master = yes
domain master = yes
os level = 255
wins support = yes
dns proxy = yes
name resolve order = host wins bcast
hosts allow = <our networks>
[... the shares ...]
And one server that is providing some shares and does user authentication via the PDC. Its smb.conf:
[global]
security = domain
password server = SERVER1
encrypt passwords = yes
guest ok = no
workgroup = OURWORKGROUP
netbios name = SERVER2
server string = secondary server
local master = yes
preferred master = no
domain master = no
os level = 40
wins server = SERVER1
dns proxy = yes
name resolve order = host wins bcast
hosts allow = <our networks>
[ ... the shares ... ]
We have Windows terminal server using these shares, some Win 10 clients and some Linux clients.
This all worked fine when both servers ran samba 4.7. Now SERVER2 was upgraded to samba 4.9 (because SuSE Linux Enterprise 15 was updated to 15 SP1, SERVER1 is still running 15 without SP1) and I learned that "security = domain" no longer works without winbind. I thought I could just start winbind to use the "netlogon proxy only mode", so I did that on both servers.
So, winbindd is running on SERVER2:
server2 /root# rcwinbind status
* winbind.service - Samba Winbind Daemon
Loaded: loaded (/usr/lib/systemd/system/winbind.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2019-11-28 15:47:13 CET; 1h 21min ago
Main PID: 20444 (winbindd)
Status: "winbindd: ready to serve connections..."
Tasks: 2 (limit: 4915)
CGroup: /system.slice/winbind.service
|-20444 /usr/sbin/winbindd --foreground --no-process-group
`-20446 /usr/sbin/winbindd --foreground --no-process-group
Nov 28 15:47:13 server2 winbindd[20444]: [2019/11/28 15:47:13.100030, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
Nov 28 15:47:13 server2 winbindd[20444]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Nov 28 15:47:13 server2 winbindd[20444]: [2019/11/28 15:47:13.101272, 0] ../lib/util/become_daemon.c:138(daemon_ready)
Nov 28 15:47:13 server2 winbindd[20444]: daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
But even after restarting smbd, it doesn't find winbindd:
server2 /root# rcsmb status
* smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2019-11-28 16:47:35 CET; 22min ago
Main PID: 26379 (smbd)
Status: "smbd: ready to serve connections..."
Tasks: 4 (limit: 4915)
CGroup: /system.slice/smb.service
|-26379 /usr/sbin/smbd --foreground --no-process-group
|-26381 /usr/sbin/smbd --foreground --no-process-group
|-26382 /usr/sbin/smbd --foreground --no-process-group
`-26383 /usr/sbin/smbd --foreground --no-process-group
Nov 28 16:47:35 server2 smbd[26379]: [2019/11/28 16:47:35.114442, 0] ../lib/util/become_daemon.c:138(daemon_ready)
Nov 28 16:47:35 server2 smbd[26379]: daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Nov 28 17:10:16 server2 smbd[29446]: [2019/11/28 17:10:16.947758, 0] ../source3/auth/auth_winbind.c:122(check_winbind_security)
Nov 28 17:10:16 server2 smbd[29446]: check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
The last two lines appear in the log after doing a "smbclient -D OURWORKGROUP -U someuser -L //SERVER2/" which returns
Enter WORKGROUP\somuser's password:
session setup failed: NT_STATUS_NO_LOGON_SERVERS
Do I need to set up some winbind options for just using the "netlogon proxy only mode"? All documentation I find is only about using winbind with nss or Kerberos or Windows AD controllers etc., nothing is explained about the proxy only mode. Just this mail: https://lists.samba.org/archive/samba/2014-January/178375.html which indicates that I must do nothing but only start winbind...
What am I doing wrong? For the moment I had to downgrade to 4.7 again to make the shares work.
cu,
Frank
--
Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17 Phone: +49 89 2180-4049
80333 Muenchen, Germany Fax: +49 89 2180-99-4049
* You can only understand recursion once you have understood recursion. *
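
Added example, not part of the original post: a small parser for the journal output quoted above that pairs each Samba debug header (timestamp, level, source file, line, function) with the message line that follows it and pulls out any NT_STATUS code, so a failure such as the check_winbind_security entry can be picked out of a longer log. The function names are made up for this example, and it assumes the journald-style prefix shown in the post.

```python
import re

# Journal lines copied from the post above (smbd on server2).
SAMPLE = """\
Nov 28 16:47:35 server2 smbd[26379]: [2019/11/28 16:47:35.114442, 0] ../lib/util/become_daemon.c:138(daemon_ready)
Nov 28 16:47:35 server2 smbd[26379]: daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Nov 28 17:10:16 server2 smbd[29446]: [2019/11/28 17:10:16.947758, 0] ../source3/auth/auth_winbind.c:122(check_winbind_security)
Nov 28 17:10:16 server2 smbd[29446]: check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
"""

# syslog/journal prefix: "Mon DD HH:MM:SS host daemon[pid]: rest"
JOURNAL = re.compile(r"^\w{3}\s+\d+\s[\d:]+\s(?P<host>\S+)\s(?P<daemon>\w+)\[(?P<pid>\d+)\]:\s*(?P<rest>.*)$")
# Samba debug header: "[YYYY/MM/DD HH:MM:SS.usec, level] file:line(function)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)$")
STATUS = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")


def parse_samba_journal(text):
    """Pair each Samba debug header with the message line(s) that follow it."""
    records, open_rec = [], {}  # open_rec: (daemon, pid) -> record being filled
    for raw in text.splitlines():
        m = JOURNAL.match(raw)
        if not m:
            continue  # not a journal line in the expected shape
        key = (m["daemon"], m["pid"])
        h = HEADER.match(m["rest"])
        if h:
            rec = {"host": m["host"], "daemon": m["daemon"], "pid": int(m["pid"]),
                   "ts": h["ts"], "level": int(h["level"]), "src": h["src"],
                   "line": int(h["line"]), "func": h["func"], "msg": ""}
            records.append(rec)
            open_rec[key] = rec
        elif key in open_rec:
            # Continuation line: append to the message of the last header from this process.
            rec = open_rec[key]
            rec["msg"] = (rec["msg"] + " " + m["rest"].strip()).strip()
    return records


def auth_failures(records):
    """Return the records whose message carries an NT_STATUS code, with the code attached."""
    return [{**rec, "status": s.group(0)}
            for rec in records if (s := STATUS.search(rec["msg"]))]


if __name__ == "__main__":
    for f in auth_failures(parse_samba_journal(SAMPLE)):
        print(f["ts"], f["daemon"], f["pid"], f["func"], f["status"])
```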