[Samba] CentOS update broke Samba
Alex Moen
alexm at ndtel.com
Sat Oct 19 19:18:39 UTC 2019

Running CentOS Linux release 7.7.1908. Have Samba running as our fileserver on our (mostly) Windows network. Ran my "normal" yum updates today, and Samba was upgraded (last updates were on 8/10/2019). I was on 4.8.3 before; now it's 4.9.1:
Updated samba-4.8.3-6.el7_6.x86_64 @updates
Updated samba-client-4.8.3-6.el7_6.x86_64 @updates
Updated samba-client-libs-4.8.3-6.el7_6.x86_64 @updates
Updated samba-common-4.8.3-6.el7_6.noarch @updates
Updated samba-common-libs-4.8.3-6.el7_6.x86_64 @updates
Updated samba-common-tools-4.8.3-6.el7_6.x86_64 @updates
Updated samba-libs-4.8.3-6.el7_6.x86_64 @updates
Updated samba-winbind-4.8.3-6.el7_6.x86_64 @updates
Updated samba-winbind-modules-4.8.3-6.el7_6.x86_64 @updates
samba-4.9.1-6.el7.x86_64 Sat 19 Oct 2019 09:43:13 AM CDT
samba-winbind-4.9.1-6.el7.x86_64 Sat 19 Oct 2019 09:43:00 AM CDT
samba-client-4.9.1-6.el7.x86_64 Sat 19 Oct 2019 09:43:00 AM CDT
samba-winbind-modules-4.9.1-6.el7.x86_64 Sat 19 Oct 2019 09:42:29 AM CDT
samba-common-tools-4.9.1-6.el7.x86_64 Sat 19 Oct 2019 09:40:54 AM CDT
samba-libs-4.9.1-6.el7.x86_64 Sat 19 Oct 2019 09:40:53 AM CDT
samba-client-libs-4.9.1-6.el7.x86_64 Sat 19 Oct 2019 09:40:52 AM CDT
samba-common-libs-4.9.1-6.el7.x86_64 Sat 19 Oct 2019 09:40:51 AM CDT
samba-common-4.9.1-6.el7.noarch Sat 19 Oct 2019 09:40:51 AM CDT
Initially, smbd wouldn't even start. nmbd and winbind were fine, but smbd was spouting an error about "nobody is a group name" and "Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind allocate gids?"
After lots of googling, I finally got the process to start properly, and (from the limited testing I can do on Saturdays) Windows clients can connect (this is the only Samba/CIFS server on the network). (FFR: I added the "username map script" and the two "idmap config A36561" stanzas in the smb.conf file below to get smbd restarted. I also needed to create a new guest user, and add "guest account = guest".) However, my Linux clients are not able to connect using CIFS. I am encountering the following errors in the log file for the Linux PC:
"gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_SUCH_USER"
"NT error packet at ../source3/smbd/sesssetup.c(247) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE"
even though, earlier in the log file, I have this (encouraging) entry:
"Auth: [SMB,(null)] user [A36561]\[alexm] at [Sat, 19 Oct 2019 13:58:12.577574 CDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [ALEXM-SURFACE-PRO] remote host [ipv4:192.168.254.191:56314] mapped to [A36561]\[alexm]. local host [ipv4:192.168.255.5:445]"
So, my usermap seems to be working, as my login should be alexm.
I have been working on this for four hours now, and am completely out of ideas.
smb.conf:
# Global parameters
[global]
interfaces = lo eno16780032
netbios name = NDTC-FS
server string = NDTC File Server 2017
#server max protocol = SMB2
workgroup = A36561
domain master = Yes
preferred master = yes
local master = yes
ldap admin dn = cn=admin,o=ndtc
ldap passwd sync = yes
ldap ssl = no
ldap suffix = ou=ndtel,o=ndtc
ldap debug level = 1
ldap debug threshold = 5
log file = /var/log/samba/log.%m
log level = 3
max log size = 50000
domain logons = Yes
nt pipe support = No
lanman auth = Yes
passdb backend = ldapsam:"ldap://66.163.128.204"
security = user
guest account = guest
username map = /etc/samba/usermap.txt
username map script = /bin/echo
wins support = Yes
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config A36561 : backend = autorib
idmap config A36561 : range = 2000000-4000000
cups options = raw
ntlm auth = yes
[homes]
comment = Home Directories
browseable = No
read only = No
[groups]
comment = Group Directories
path = /cust/ndtel/groups
blocking locks = No
force create mode = 0660
force directory mode = 0770
read only = No
[officeview]
comment = The Office View
path = /cust/ndtel/officeview
force create mode = 0777
force directory mode = 0777
guest ok = Yes
read only = No
write list = +users
[docvault]
comment = Document Vault
path = /cust/ndtel/groups/business/docvault
browseable = No
force create mode = 0777
force directory mode = 0777
force group = +business
read only = No
write list = +business
[share]
comment = Share space
path = /cust/ndtel/share
force create mode = 0777
force directory mode = 0777
guest ok = Yes
read only = No
write list = +users
[archive]
comment = Archive area
path = /archive
force create mode = 0777
force directory mode = 0777
force group = +internet
read only = no
write list = +internet
[printers]
comment = All Printers
path = /var/spool/samba
browseable = No
printable = Yes
Output of testparm:
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/openldap/ldap.conf
ldap_init: using /etc/openldap/ldap.conf
ldap_url_parse_ext(ldap://66.163.128.204)
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[groups]"
Processing section "[officeview]"
Processing section "[docvault]"
Processing section "[share]"
Processing section "[archive]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
Any advice would be very greatly appreciated.
TIA,
Alex