[Samba] Authentication issue after updating samba on CentOS 7 (from yum)

Rowland Penny rpenny at samba.org
Wed Dec 22 14:57:38 UTC 2021


On Wed, 2021-12-22 at 17:12 +0300, Alex via samba wrote:
> Hello,
> 
> After updating from samba-4.10.16-15.el7_9.x86_64 to samba-4.10.16-
> 17.el7_9.x86_64 our users are no longer able to get to samba shares.
> Besides that, winbindd and samba logs are getting flooded (even when
> nobody tries to get to a share):
> winbindd.log:
> ...
> [2021/12/22 16:21:32.350675,  3]
> ../../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
>   Found account name from PAC: username [Firstname Lastname]
> [2021/12/22 16:21:33.426925,  3]
> ../../source3/winbindd/winbindd_misc.c:432(winbindd_interface_version
> )
>   winbindd_interface_version: [smbd (5383)]: request interface
> version (version = 31)
> [2021/12/22 16:21:33.427150,  3]
> ../../source3/winbindd/winbindd_misc.c:470(winbindd_priv_pipe_dir)
>   winbindd_priv_pipe_dir: [smbd (5383)]: request location of
> privileged pipe
> [2021/12/22 16:21:33.429703,  3]
> ../../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
>   Found account name from PAC: username [Firstname Lastname]
> [2021/12/22 16:21:33.512604,  3]
> ../../source3/winbindd/winbindd_misc.c:432(winbindd_interface_version
> )
>   winbindd_interface_version: [smbd (5385)]: request interface
> version (version = 31)
> [2021/12/22 16:21:33.512853,  3]
> ../../source3/winbindd/winbindd_misc.c:470(winbindd_priv_pipe_dir)
>   winbindd_priv_pipe_dir: [smbd (5385)]: request location of
> privileged pipe
> [2021/12/22 16:21:33.515820,  3]
> ../../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
>   Found account name from PAC: username [Firstname Lastname]
> ...
> 
> 172.26.10.1.log:
> ...
> [2021/12/22 16:21:33.454953,  3]
> ../../source3/smbd/oplock.c:1422(init_oplocks)
>   init_oplocks: initializing messages.
> [2021/12/22 16:21:33.455252,  3]
> ../../source3/smbd/process.c:1948(process_smb)
>   Transaction 0 of length 108 (0 toread)
> [2021/12/22 16:21:33.455648,  3]
> ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negpr
> ot)
>   Selected protocol SMB2_10
> [2021/12/22 16:21:33.522077,  3]
> ../../source3/auth/auth_util.c:1877(check_account)
>   Failed to find authenticated user DOMAIN\username via getpwnam(),
> denying access.
> [2021/12/22 16:21:33.522316,  3]
> ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_LOGON_FAILURE] || at
> ../../source3/smbd/smb2_sesssetup.c:146
> [2021/12/22 16:21:33.524042,  3]
> ../../source3/smbd/server_exit.c:236(exit_server_common)
>   Server exit (NT_STATUS_CONNECTION_RESET)
> ...
> 
> I've rolled back to 4.10.16-15 and things got back to work.
> 
> Here is the changelog: 
> https://access.redhat.com/errata/RHSA-2021:5192
> 
> I understand you don't care much about packaged versions, but
> probably you could help me figure out what should be changed in the
> config to get latest version working.

It is not that we don't care about packaged versions, it is that a
problem may have been fixed in a later version of Samba.

> 
> smb.conf:
> [global]
>    workgroup = DOMAIN
>    server string = vm-corp
>    netbios name = VM-CORP
>    realm = DOMAIN.BIZ
>    security = ads
>    template shell = /sbin/nologin

So, your users never log into the server directly, just via Samba.

>    kerberos method = secrets and keytab
> 
>     log file = /var/log/samba/%m.log
>     log level = 3
>     max log size = 1000
> 
>     idmap config * : backend = tdb
>     idmap config * : range = 16777216-33554431

Is there some reason for that range? It will allow you 16777215 users
& groups for something that requires only about 200.

> 
>     idmap config DOMAIN:backend = ad
>     idmap config DOMAIN:schema_mode = rfc2307
>     idmap config DOMAIN:range = 400-999999

Again, why the strange range? Do you have users & groups with uidNumber
& gidNumber attributes that low?

>     idmap config DOMAIN:unix_primary_group = yes

Do your users have gidNumber attributes?

>     idmap config DOMAIN:unix_nss_info = yes

This is interesting, you only need that if your users have a
unixHomeDirectory attribute (at least), yet you are not using '[homes]'
below.

> 
>    winbind use default domain = true
>    winbind offline logon = false
>    winbind enum users = Yes
>    winbind enum groups = Yes

You do not need the 'enum' lines, it works without them.

>    winbind cache time = 15
>    winbind refresh tickets = Yes
>    winbind expand groups = 5
> 
>     vfs objects = acl_xattr
>     map acl inherit = yes
>     store dos attributes = yes
> 
>     load printers = No
>     domain master = no
>     local master = no
>     preferred master = no
>     server min protocol = SMB2
>     use sendfile = yes
>     dos charset = CP866
> 
>     veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/
>     veto files = /*:Zone.Identifier:*/
> 
> [username]
>         comment = username's home
>         path = /home/username
>         read only = No
>         create mode = 0660
>         valid users = username

As noted above, why are you not using '[homes]' ?

> 
> I tried to create the username_map_script.sh and add the following
> lines (as mentioned in 
> https://bugzilla.samba.org/show_bug.cgi?id=14901):
>     min domain uid = 500

Try changing the '500' to '0'

>     username map script = /etc/samba/username_map_script.sh

Change that to:
username map script = /etc/samba/user.map

Create /etc/samba/user.map containing:

!root = DOMAIN\Administrator

Rowland
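An added example, not part of the thread: the idmap ranges and `min domain uid` quoted above, fed through a small checker that reports whether two ranges overlap and whether a given uid from the AD range would be refused because it sits below `min domain uid`. The `SMB_CONF` text is constructed from the quoted smb.conf, and the refusal rule is a simplified model of Samba's `min domain uid` check (default 1000), not Samba's own code.

```python
import re
from typing import Dict, List, Tuple

# Constructed from the smb.conf quoted in the thread (only the idmap lines).
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 16777216-33554431
    idmap config DOMAIN:backend = ad
    idmap config DOMAIN:range = 400-999999
    min domain uid = 500
"""

# smb.conf keys are case-insensitive and tolerate spaces around ':' and '='.
RANGE_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
MIN_UID_RE = re.compile(r"^\s*min\s+domain\s+uid\s*=\s*(\d+)", re.I)


def parse_idmap(conf: str) -> Tuple[Dict[str, Tuple[int, int]], int]:
    """Return {domain: (low, high)} plus min domain uid (Samba's default is 1000)."""
    ranges: Dict[str, Tuple[int, int]] = {}
    min_uid = 1000
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).strip()] = (int(m.group(2)), int(m.group(3)))
            continue
        m = MIN_UID_RE.match(line)
        if m:
            min_uid = int(m.group(1))
    return ranges, min_uid


def overlapping(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges overlap (Samba requires disjoint ranges)."""
    items = sorted(ranges.items(), key=lambda kv: kv[1][0])
    return [(a, b) for (a, ra), (b, rb) in zip(items, items[1:]) if ra[1] >= rb[0]]


def explain_uid(uid: int, ranges: Dict[str, Tuple[int, int]], min_uid: int) -> str:
    """Which range a uid falls in, and whether min domain uid would deny the logon."""
    for dom, (lo, hi) in ranges.items():
        if lo <= uid <= hi:
            if dom != "*" and uid < min_uid:
                return f"{dom}: uid {uid} below min domain uid {min_uid}, logon denied"
            return f"{dom}: uid {uid} accepted"
    return f"uid {uid} is outside every idmap range"
```

With the quoted settings, a DOMAIN user holding uidNumber 450 is inside the AD range yet below `min domain uid = 500`, which is the gap the reply's suggestion to lower it to 0 closes.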