[Samba] Authentication issue after updating samba on CentOS 7 (from yum)
Alex
samba at abisoft.biz
Wed Dec 22 14:12:03 UTC 2021
Hello,

After updating from samba-4.10.16-15.el7_9.x86_64 to samba-4.10.16-17.el7_9.x86_64 our users are no longer able to get to samba shares. Besides that, winbindd and samba logs are getting flooded (even when nobody tries to get to a share):

winbindd.log:
...
[2021/12/22 16:21:32.350675, 3] ../../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
Found account name from PAC: username [Firstname Lastname]
[2021/12/22 16:21:33.426925, 3] ../../source3/winbindd/winbindd_misc.c:432(winbindd_interface_version)
winbindd_interface_version: [smbd (5383)]: request interface version (version = 31)
[2021/12/22 16:21:33.427150, 3] ../../source3/winbindd/winbindd_misc.c:470(winbindd_priv_pipe_dir)
winbindd_priv_pipe_dir: [smbd (5383)]: request location of privileged pipe
[2021/12/22 16:21:33.429703, 3] ../../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
Found account name from PAC: username [Firstname Lastname]
[2021/12/22 16:21:33.512604, 3] ../../source3/winbindd/winbindd_misc.c:432(winbindd_interface_version)
winbindd_interface_version: [smbd (5385)]: request interface version (version = 31)
[2021/12/22 16:21:33.512853, 3] ../../source3/winbindd/winbindd_misc.c:470(winbindd_priv_pipe_dir)
winbindd_priv_pipe_dir: [smbd (5385)]: request location of privileged pipe
[2021/12/22 16:21:33.515820, 3] ../../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
Found account name from PAC: username [Firstname Lastname]
...
172.26.10.1.log:
...
[2021/12/22 16:21:33.454953, 3] ../../source3/smbd/oplock.c:1422(init_oplocks)
init_oplocks: initializing messages.
[2021/12/22 16:21:33.455252, 3] ../../source3/smbd/process.c:1948(process_smb)
Transaction 0 of length 108 (0 toread)
[2021/12/22 16:21:33.455648, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
Selected protocol SMB2_10
[2021/12/22 16:21:33.522077, 3] ../../source3/auth/auth_util.c:1877(check_account)
Failed to find authenticated user DOMAIN\username via getpwnam(), denying access.
[2021/12/22 16:21:33.522316, 3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/12/22 16:21:33.524042, 3] ../../source3/smbd/server_exit.c:236(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
...

I've rolled back to 4.10.16-15 and things got back to work.

Here is the changelog: https://access.redhat.com/errata/RHSA-2021:5192

I understand you don't care much about packaged versions, but probably you could help me figure out what should be changed in the config to get the latest version working.

smb.conf:
[global]
workgroup = DOMAIN
server string = vm-corp
netbios name = VM-CORP
realm = DOMAIN.BIZ
security = ads
template shell = /sbin/nologin
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
log level = 3
max log size = 1000
idmap config * : backend = tdb
idmap config * : range = 16777216-33554431
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 400-999999
idmap config DOMAIN:unix_primary_group = yes
idmap config DOMAIN:unix_nss_info = yes
winbind use default domain = true
winbind offline logon = false
winbind enum users = Yes
winbind enum groups = Yes
winbind cache time = 15
winbind refresh tickets = Yes
winbind expand groups = 5
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
load printers = No
domain master = no
local master = no
preferred master = no
server min protocol = SMB2
use sendfile = yes
dos charset = CP866
veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/
veto files = /*:Zone.Identifier:*/
[username]
comment = username's home
path = /home/username
read only = No
create mode = 0660
valid users = username
I tried to create the username_map_script.sh and add the following lines (as mentioned in https://bugzilla.samba.org/show_bug.cgi?id=14901):
min domain uid = 500
username map script = /etc/samba/username_map_script.sh
local nt token from nss:DOMAIN = no
But that didn't help.

# uname -r
3.10.0-1160.45.1.el7.x86_64

Thanks in advance!
--
Best regards,
Alexander Kolesnik
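
A triage sketch for the smbd excerpt quoted in the post, added here as an example and not part of the original message or of Samba: it parses the level-3 debug records and reports sessions rejected because the already authenticated user could not be resolved via getpwnam(), together with the NT status smbd logged next. The function names are this example's own, and SAMPLE is constructed from the log lines quoted above.

```python
import re

# Header of a Samba debug record: "[date time, level] file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)$")
NSS_FAIL = re.compile(r"Failed to find authenticated user (?P<user>.+?) via getpwnam\(\)")
STATUS = re.compile(r"status\[(?P<status>NT_STATUS_\w+)\]")

def parse_records(text):
    """Attach each message line to the record header that precedes it."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and line not in ("", "..."):
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def nss_lookup_failures(records):
    """Pair each getpwnam() denial with the next NT status smbd logged."""
    findings, pending = [], None
    for rec in records:
        hit = NSS_FAIL.search(rec["msg"]) if rec["func"] == "check_account" else None
        status = STATUS.search(rec["msg"])
        if hit:
            pending = {"ts": rec["ts"], "user": hit["user"], "status": None}
            findings.append(pending)
        elif pending and status:
            pending["status"] = status["status"]
            pending = None
    return findings

# Constructed sample: smbd lines copied from the log excerpt in the post.
SAMPLE = r"""
[2021/12/22 16:21:33.455648, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
Selected protocol SMB2_10
[2021/12/22 16:21:33.522077, 3] ../../source3/auth/auth_util.c:1877(check_account)
Failed to find authenticated user DOMAIN\username via getpwnam(), denying access.
[2021/12/22 16:21:33.522316, 3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/12/22 16:21:33.524042, 3] ../../source3/smbd/server_exit.c:236(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
"""

if __name__ == "__main__":
    for f in nss_lookup_failures(parse_records(SAMPLE)):
        print(f"{f['ts']} {f['user']}: {f['status']} after failed Unix account lookup")
```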