[Samba] Authentication problems with AD after migration of Samba from 3.5 to 3.6

Rowland penny rpenny at samba.org
Fri Jan 15 18:27:24 UTC 2021


On 15/01/2021 15:58, Girouard, Yvon via samba wrote:
> Hi,
>
> We have updated Samba from 3.5 to 3.6 on 2 Linux RedHat 5.8 servers, both authenticating with AD.

Is there some reason why you upgraded to a dead version of Samba? On a 
dead OS?


>   On the first server everything is working as expected. On the second server, authentication with AD does not work. The OS version and configuration files are the same on both servers.
>
> Nsswitch.conf
> passwd:     files winbind
> shadow:     files winbind
> group:      files winbind
> hosts:      files dns winbind

'winbind' should only be in the passwd & group lines.

> Smb.conf
> [global]
>     workgroup                    = DOM
>     realm                        = DOM.REG.QC.CA
>     netbios name                 = SERVER123
>     ldap timeout                 = 200
>     local master                 = no
>     preferred master             = no
>     server string                = Samba Server Version %v
>     security                     = ADS
>     encrypt passwords            = yes
>     log level                    = 10
>     log file                     = /var/log/samba/%m.log
>     max log size                 = 102400
>     template shell               = /bin/false
>     load printers                = no
>     show add printer wizard      = no
>     printcap name                = /dev/null
>     disable spoolss              = yes
>     winbind enum users           = yes
>     winbind enum groups          = yes
>     winbind use default domain   = yes
>     winbind nested groups        = yes
>     winbind expand groups        = 3
>     winbind separator            = +
>     idmap config * : backend     = tdb
>     idmap config * : range       = 120000-199999
>     idmap config DOM : range     = 20000-99999

There appears to be a line missing 'idmap config DOM : backend = rid'

Though the 'rid' part could be 'ad' if you have rfc2307 attributes in AD.

>     max protocol                 = SMB2
>     inherit acls                 = Yes
>     store dos attributes         = yes
>     winbind cache time              = 3600
> [sharefs]
>          path = /sharefs
>          browseable = yes
>          writeable = yes
>          inherit permissions = yes
>          force group = images-rw
>          create mask = 0664
>          directory mask = 2775
>          valid users         = @shareauth, @shareadmin
>          write list          = @shareauth, @shareadmin
>
>
>
> Log on server that is not working
>
> [2020/12/21 18:10:52.084029, 10] auth/auth_builtin.c:44(check_guest_security)
>    Check auth for: [user86]
> [2020/12/21 18:10:52.084583, 10] auth/auth.c:269(check_ntlm_password)
>    check_ntlm_password: guest had nothing to say
> [2020/12/21 18:10:52.085139, 10] auth/auth_sam.c:75(auth_samstrict_auth)
>    Check auth for: [user86]
> [2020/12/21 18:10:52.085691,  8] lib/util.c:1521(is_myname)
>    is_myname("DOM") returns 0
> [2020/12/21 18:10:52.086250,  6] auth/auth_sam.c:88(auth_samstrict_auth)
>    check_samstrict_security: DOM is not one of my local names (ROLE_DOMAIN_MEMBER)
> [2020/12/21 18:10:52.086809, 10] auth/auth.c:269(check_ntlm_password)
>    check_ntlm_password: sam had nothing to say
> [2020/12/21 18:10:52.087364, 10] auth/auth_winbind.c:50(check_winbind_security)
>    Check auth for: [user86]
> [2020/12/21 18:10:52.087977,  4] smbd/sec_ctx.c:214(push_sec_ctx)
>    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2020/12/21 18:10:52.088565,  4] smbd/uid.c:460(push_conn_ctx)
>    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2020/12/21 18:10:52.089129,  4] smbd/sec_ctx.c:314(set_sec_ctx)
>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2020/12/21 18:10:52.089682,  5] ../libcli/security/security_token.c:53(security_token_debug)
>    Security token: (NULL)
> [2020/12/21 18:10:52.090235,  5] auth/token_util.c:527(debug_unix_user_token)
>    UNIX token of user 0
>    Primary group is 0 and contains 0 supplementary groups
> [2020/12/21 18:10:52.154608,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2020/12/21 18:10:52.155917,  5] lib/username.c:171(Get_Pwnam_alloc)
>    Finding user DOM+user86
> [2020/12/21 18:10:52.157044,  5] lib/username.c:116(Get_Pwnam_internals)
>    Trying _Get_Pwnam(), username as lowercase is dom+user86
> [2020/12/21 18:10:52.159178,  5] lib/username.c:124(Get_Pwnam_internals)
>    Trying _Get_Pwnam(), username as given is DOM+user86
> [2020/12/21 18:10:52.161287,  5] lib/username.c:134(Get_Pwnam_internals)
>    Trying _Get_Pwnam(), username as uppercase is DOM+UDUBO86

Why did 'user86' change to 'UDUB086' ??????

Rowland
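
An added example, not part of the original message: a small Python check for the two configuration points raised in the reply above (winbind listed in nsswitch.conf databases other than passwd and group, and an idmap domain that has a range but no backend). The sample files are constructed from the settings quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the settings quoted in this thread.
SAMPLE_NSSWITCH = """\
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns winbind
"""
SAMPLE_SMB_CONF = """\
[global]
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 120000-199999
    idmap config DOM : range = 20000-99999
"""

# Matches "idmap config <domain> : <option> = <value>" (names are hypothetical groups).
IDMAP_RE = re.compile(r"idmap\s+config\s+(\S+)\s*:\s*(\S+)\s*=\s*(.+)", re.I)

def nsswitch_findings(text):
    """Return nsswitch databases other than passwd/group that list winbind."""
    bad = []
    for line in text.splitlines():
        # Drop trailing comments, then split "database: sources".
        db, sep, sources = line.split("#", 1)[0].partition(":")
        if sep and "winbind" in sources.split() and db.strip() not in ("passwd", "group"):
            bad.append(db.strip())
    return bad

def idmap_findings(text):
    """Return idmap domains that set a range but no backend."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")):  # smb.conf comment markers
            continue
        m = IDMAP_RE.match(line)
        if m:
            seen.setdefault(m.group(1), set()).add(m.group(2).lower())
    return sorted(d for d, keys in seen.items()
                  if "range" in keys and "backend" not in keys)

if __name__ == "__main__":
    print("winbind listed for:", nsswitch_findings(SAMPLE_NSSWITCH))
    print("idmap domains without a backend:", idmap_findings(SAMPLE_SMB_CONF))
```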





