[Samba] Authentication issue after updating samba on CentOS 7 (from yum)

Alex samba at abisoft.biz
Wed Dec 22 14:12:03 UTC 2021


Hello,

After updating from samba-4.10.16-15.el7_9.x86_64 to samba-4.10.16-17.el7_9.x86_64 our users are no longer able to get to samba shares. Besides that, winbindd and samba logs are getting flooded (even when nobody tries to get to a share):
winbindd.log:
...
[2021/12/22 16:21:32.350675,  3] ../../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: username [Firstname Lastname]
[2021/12/22 16:21:33.426925,  3] ../../source3/winbindd/winbindd_misc.c:432(winbindd_interface_version)
  winbindd_interface_version: [smbd (5383)]: request interface version (version = 31)
[2021/12/22 16:21:33.427150,  3] ../../source3/winbindd/winbindd_misc.c:470(winbindd_priv_pipe_dir)
  winbindd_priv_pipe_dir: [smbd (5383)]: request location of privileged pipe
[2021/12/22 16:21:33.429703,  3] ../../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: username [Firstname Lastname]
[2021/12/22 16:21:33.512604,  3] ../../source3/winbindd/winbindd_misc.c:432(winbindd_interface_version)
  winbindd_interface_version: [smbd (5385)]: request interface version (version = 31)
[2021/12/22 16:21:33.512853,  3] ../../source3/winbindd/winbindd_misc.c:470(winbindd_priv_pipe_dir)
  winbindd_priv_pipe_dir: [smbd (5385)]: request location of privileged pipe
[2021/12/22 16:21:33.515820,  3] ../../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: username [Firstname Lastname]
...

172.26.10.1.log:
...
[2021/12/22 16:21:33.454953,  3] ../../source3/smbd/oplock.c:1422(init_oplocks)
  init_oplocks: initializing messages.
[2021/12/22 16:21:33.455252,  3] ../../source3/smbd/process.c:1948(process_smb)
  Transaction 0 of length 108 (0 toread)
[2021/12/22 16:21:33.455648,  3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2021/12/22 16:21:33.522077,  3] ../../source3/auth/auth_util.c:1877(check_account)
  Failed to find authenticated user DOMAIN\username via getpwnam(), denying access.
[2021/12/22 16:21:33.522316,  3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/12/22 16:21:33.524042,  3] ../../source3/smbd/server_exit.c:236(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
...

I've rolled back to 4.10.16-15 and things went back to working.

Here is the changelog: https://access.redhat.com/errata/RHSA-2021:5192

I understand you don't care much about packaged versions, but perhaps you could help me figure out what should be changed in the config to get the latest version working.

smb.conf:
[global]
   workgroup = DOMAIN
   server string = vm-corp
   netbios name = VM-CORP
   realm = DOMAIN.BIZ
   security = ads
   template shell = /sbin/nologin
   kerberos method = secrets and keytab

    log file = /var/log/samba/%m.log
    log level = 3
    max log size = 1000

    idmap config * : backend = tdb
    idmap config * : range = 16777216-33554431

    idmap config DOMAIN:backend = ad
    idmap config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 400-999999
    idmap config DOMAIN:unix_primary_group = yes
    idmap config DOMAIN:unix_nss_info = yes

   winbind use default domain = true
   winbind offline logon = false
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind cache time = 15
   winbind refresh tickets = Yes
   winbind expand groups = 5

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    load printers = No
    domain master = no
    local master = no
    preferred master = no
    server min protocol = SMB2
    use sendfile = yes
    dos charset = CP866

    veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/
    veto files = /*:Zone.Identifier:*/

[username]
        comment = username's home
        path = /home/username
        read only = No
        create mode = 0660
        valid users = username

I tried to create the username_map_script.sh and add the following lines (as mentioned in https://bugzilla.samba.org/show_bug.cgi?id=14901):
    min domain uid = 500
    username map script = /etc/samba/username_map_script.sh
    local nt token from nss:DOMAIN = no

But that didn't help.

# uname -r
3.10.0-1160.45.1.el7.x86_64

Thanks in advance!

-- 
Best regards,
Alexander Kolesnik
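As an added example (not part of the post and not Samba's own code), a small Python script that parses level-3 Samba log excerpts like the ones quoted above and reports accounts that the KDC's PAC vouched for but that smbd then could not resolve through getpwnam(). Seeing `kerberos_decode_pac` succeed and `check_account` fail for the same user is what points at the winbind/NSS/idmap mapping step rather than at Kerberos itself; the sample log below is constructed from the lines in the post.

```python
import re
from collections import Counter

# Header of one Samba log entry, as in the post:
# [2021/12/22 16:21:33.522077,  3] ../../source3/auth/auth_util.c:1877(check_account)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
# Message patterns quoted in the post: PAC account name (winbindd) and the NSS lookup failure (smbd)
PAC_NAME = re.compile(r"Found account name from PAC: (?P<user>\S+)")
GETPWNAM_FAIL = re.compile(r"Failed to find authenticated user (?P<user>\S+) via getpwnam\(\)")

def parse_samba_log(text):
    """Group a level-3 Samba log into entries: header fields plus the indented message text."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.startswith("  "):      # continuation line belongs to the last header
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def audit_auth(text):
    """Summarise who the KDC said logged on (PAC) versus who smbd failed to map via NSS."""
    pac, nss_fail, logon_fail = Counter(), Counter(), 0
    for e in parse_samba_log(text):
        if e["func"] == "kerberos_decode_pac" and (m := PAC_NAME.search(e["msg"])):
            pac[m["user"]] += 1
        elif e["func"] == "check_account" and (m := GETPWNAM_FAIL.search(e["msg"])):
            nss_fail[m["user"]] += 1
        elif "NT_STATUS_LOGON_FAILURE" in e["msg"]:
            logon_fail += 1
    return {"pac_names": pac, "nss_failures": nss_fail, "logon_failures": logon_fail}

# Constructed sample: excerpts of the post's winbindd.log and smbd log, concatenated
SAMPLE = """\
[2021/12/22 16:21:32.350675,  3] ../../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: username [Firstname Lastname]
[2021/12/22 16:21:33.429703,  3] ../../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: username [Firstname Lastname]
[2021/12/22 16:21:33.522077,  3] ../../source3/auth/auth_util.c:1877(check_account)
  Failed to find authenticated user DOMAIN\\username via getpwnam(), denying access.
[2021/12/22 16:21:33.522316,  3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
"""
if __name__ == "__main__":
    for user, n in audit_auth(SAMPLE)["nss_failures"].items():
        print(f"{user}: authenticated by KDC but getpwnam() failed {n}x -> check winbind/NSS mapping")
```

Run it against a real `/var/log/samba/<client>.log` and `winbindd.log` concatenated on stdin or read from disk; a user listed under nss_failures while present in pac_names is a mapping problem, not a credential problem.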
