[Samba] Authentication issue after updating samba on CentOS 7 (from yum)

Alex samba at abisoft.biz
Thu Dec 23 11:27:29 UTC 2021


Rowland,

I think I found what's going on. It appears the recent patch (https://bugzilla.samba.org/show_bug.cgi?id=14901#c14) hasn't been applied to the CentOS 7 4.10.16-17 package:
# yumdownloader --source samba-4.10.16-17\*
...
samba-4.10.16-17.el7_9.src.rpm                                                                                                         |  12 MB  00:00:09
# rpm -ihv samba-4.10.16-17.el7_9.src.rpm
Updating / installing...
   1:samba-0:4.10.16-17.el7_9         ################################# [100%]
...
# rpmbuild -bp samba.spec
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.ygAPHU
+ umask 022
+ cd /root/rpmbuild/BUILD
+ xzcat /root/rpmbuild/SOURCES/samba-4.10.16.tar.xz
+ gpgv2 --quiet --keyring /root/rpmbuild/SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg /root/rpmbuild/SOURCES/samba-4.10.16.tar.asc -
gpgv: Signature made Mon May 25 11:32:59 2020 MSK using DSA key ID 6568B7EA
gpgv: Good signature from "Samba Distribution Verification Key <samba-bugs at samba.org>"
+ cd /root/rpmbuild/BUILD
+ rm -rf samba-4.10.16
+ /usr/bin/xz -dc /root/rpmbuild/SOURCES/samba-4.10.16.tar.xz
+ /usr/bin/tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd samba-4.10.16
+ /usr/bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ /usr/bin/cat /root/rpmbuild/SOURCES/samba-4.10-redhat.patch
+ /usr/bin/patch -p1 -s
+ /usr/bin/cat /root/rpmbuild/SOURCES/libldb-require-version-1.5.4.patch
+ /usr/bin/patch -p1 -s
+ exit 0

# grep libcli/security/dom_sid.h /root/rpmbuild/BUILD/samba-4.10.16/source3/winbindd/idmap_nss.c
#

I'm going to email Andreas Schneider (he seems to be a packager of Samba at RH) to apply the recent patch and release a new package. Please let me know if there's something else I can do to speed up the fix.

>>> > >     idmap config * : backend = tdb
>>> > >     idmap config * : range = 16777216-33554431
>>> > Is there some reason for that range? It will allow you 16777215
>>> > users
>>> > & groups for something that requires only about 200.
>>> 
>>> I think it's a legacy. Don't remember why it's here. I'll try to
>>> remove it.

>> You are probably stuck with it.

> Anyway, they don't seem to correlate with the current issue, right?

>>> 
>>> > >     idmap config DOMAIN:unix_primary_group = yes
>>> > Do your users have gidNumber attributes?
>>> 
>>> Yes, they do. This came from MS Services for Unix.

>> Have you actually checked? MS-SFU didn't add a gidNumber attribute to
>> users unless you told it to.

> Yes, of course. Here is a sample of AD user entry: https://paste.ee/p/7X6N0

>>> > >    winbind use default domain = true
>>> > >    winbind offline logon = false
>>> > >    winbind enum users = Yes
>>> > >    winbind enum groups = Yes
>>> > You do not need the 'enum' lines, it works without them.
>>> 
>>> There was an issue w/o the enum lines. Unfortunately, I don't
>>> remember exactly what it was, probably couldn't retrieve groups from
>>> the AD with "getent group" command.

>> Adding those lines would not fix such a problem, either it would work
>> or it wouldn't. All those lines do is to get 'getent user' to display
>> all users and 'getent group' to display all groups, along with slowing
>> everything down.

> So, I was right :) I don't see any slowness, actually. Everything worked pretty well before this update came.

>>> 
>>> > > [username]
>>> > >         comment = username's home
>>> > >         path = /home/username
>>> > >         read only = No
>>> > >         create mode = 0660
>>> > >         valid users = username
>>> > As noted above, why are you not using '[homes]' ?
>>> 
>>> It's because most users are prohibited from using this server. So, I
>>> allowed homes on this server for just a few of them directly.

>> So does that mean you have multiple '[username]' shares in smb.conf ?

> Yeah, just like this one. I skipped them for the letter's size sake.

>>> I did both (changed min uid to 0 and set a user.map file) -
>>> still can't log in :(

>> This is very strange, I am using Samba 4.15.3 with this smb.conf and I
>> can log in:

> [skip]

> Any ideas what to do?

> -- 
> Best regards,
> Alex

-- 
Best regards,
Alex
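The check Alex performs above (rebuild the source RPM with `rpmbuild -bp`, then grep the prepared tree for a line the fix should have introduced) generalises to a small verification script. The following is an added example, not code from the post or from the Samba or Red Hat packaging; the `%prep` log sample is constructed to mirror the lines in the post, the tree path defaults to the `/root/rpmbuild/BUILD/samba-4.10.16` path shown there, and the marker `libcli/security/dom_sid.h` in `source3/winbindd/idmap_nss.c` is the one Alex grepped for (whether that include is exactly what the upstream fix adds is an assumption taken from the post). The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: did a fix actually land in a rebuilt source RPM?
# Two signals, listed in the order a practitioner should trust them:
#   1. the prepared source tree: does the patched file contain the marker
#      the fix introduces? (the grep Alex ran on idmap_nss.c)
#   2. the %prep log: which .patch files did 'rpmbuild -bp' feed to patch(1)?
# Signal 2 alone is weak: distro packagers fold many fixes into one combined
# patch (samba-4.10-redhat.patch in the post), so the absence of a separate
# patch file proves nothing. The source-tree check is the authoritative one.

# Constructed sample of 'rpmbuild -bp samba.spec' output, modelled on the post.
PREP_LOG='+ /usr/bin/cat /root/rpmbuild/SOURCES/samba-4.10-redhat.patch
+ /usr/bin/patch -p1 -s
+ /usr/bin/cat /root/rpmbuild/SOURCES/libldb-require-version-1.5.4.patch
+ /usr/bin/patch -p1 -s
+ exit 0'

# Print the basename of every patch file %prep applied, one per line.
applied_patches() {
    printf '%s\n' "$1" | sed -n 's#^+ /usr/bin/cat .*/\([^/]*\.patch\)$#\1#p'
}

# Exit 0 if the named patch file appears in the log's list of applied patches.
patch_applied() {
    applied_patches "$1" | grep -qxF -- "$2"
}

# Exit 0 if FILE under TREE contains PATTERN (fixed string).
source_has_marker() {
    tree=$1; file=$2; pattern=$3
    [ -f "$tree/$file" ] && grep -qF -- "$pattern" "$tree/$file"
}

# Combined verdict for the fix discussed in the post:
#   0 = marker present (fix applied), 1 = absent, 2 = no prepared tree.
fix_present() {
    tree=$1
    [ -d "$tree" ] || return 2
    source_has_marker "$tree" source3/winbindd/idmap_nss.c 'libcli/security/dom_sid.h'
}

# Stand-alone usage: summarise the log sample, then inspect a prepared tree
# (default: the BUILD path from the post; override with the first argument).
TREE=${1:-/root/rpmbuild/BUILD/samba-4.10.16}
echo "patches applied according to %prep log:"
applied_patches "$PREP_LOG"
fix_present "$TREE"; rc=$?
case $rc in
    0) echo "fix present in $TREE" ;;
    1) echo "fix NOT applied in $TREE" ;;
    *) echo "no prepared tree at $TREE (run rpmbuild -bp first)" ;;
esac
```

Run it after `rpmbuild -bp samba.spec` with the BUILD directory as its argument; exit status 1 from `fix_present` is the same result Alex got from his empty grep. To verify a different fix, change the file and marker in `fix_present` to a line that the upstream patch is known to add.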