[Samba] AD Member setup broken after samba upgrade
Thibault Roulet
thibault.roulet at epfl.ch
Tue Apr 5 12:04:38 UTC 2022
Hi all,
I'm a bit lost in a samba setup which turned bad after an upgrade.
Everything was working fine when running samba 2:4.13.5+dfsg-2, and it
broke my setup after upgrading to 2:4.13.13+dfsg-1~deb11u3.
The server is running an up to date debian stable and configured as a
domain member only.
- samba 4.13.13+dfsg-1~deb11u3
- winbind 4.13.13+dfsg-1~deb11u3
- libnss-winbind 4.13.13+dfsg-1~deb11u3
Kerberos is correctly configured and the machine has been linked to the
domain using net ads join.
All the domain controllers of the domain are running Windows Server.
## SMB conf file ##
[global]
client signing = required
deadtime = 30
dedicated keytab file = /etc/krb5.keytab
disable spoolss = Yes
dns proxy = No
domain master = No
kerberos method = secrets and keytab
load printers = No
local master = No
log file = /var/log/samba/log.%I
max log size = 3000
panic action = /usr/share/samba/panic-action %d
password server = AD1.DOMAIN.MYDOMAIN.ORG
realm = DOMAIN.MYDOMAIN.ORG
security = ADS
server min protocol = SMB2
server signing = required
server string = srv.MYDOMAIN.ORG
template homedir = /home/%U
template shell = /bin/bash
username map = /etc/samba/smbusers
username map script = /bin/echo
usershare allow guests = Yes
winbind use default domain = Yes
wins server = 123.123.1.2
workgroup = DOMAIN
idmap config DOMAIN:unix_primary_group = no
idmap config DOMAIN:unix_nss_info = no
idmap config DOMAIN:range = 9000 - 90000000
idmap config DOMAIN:backend = ad
idmap config INTRANET:schema_mode = rfc2307
idmap config * : range = 3000 - 8500
idmap config * : backend = tdb
hosts allow = 123.123. 127. 10.95.
## nsswitch.conf ##
passwd: compat winbind ldap systemd
group: compat winbind ldap systemd
## SMB LOGS ##
When connecting to the share from Windows or Linux, I have this result
and can't enter the shared folder.
[2022/04/05 13:18:28.795040, 3]
../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth)
Got user=[myuser] domain=[mydomain] workstation=[machine] len1=0 len2=142
[2022/04/05 13:18:28.800143, 3]
../../source3/auth/user_util.c:353(map_username)
Mapped user myuser to myuser
[2022/04/05 13:18:28.800228, 3]
../../source3/auth/auth.c:200(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[mydomain]\[myuser]@[machine] with the new password interface
[2022/04/05 13:18:28.800254, 3]
../../source3/auth/auth.c:203(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [mydomain]\[myuser]@[machine]
[2022/04/05 13:18:28.810026, 3]
../../source3/auth/user_util.c:353(map_username)
Mapped user mydomain\myuser to mydomain\myuser
[2022/04/05 13:18:28.810155, 3]
../../source3/auth/auth.c:267(auth_check_ntlm_password)
auth_check_ntlm_password: winbind authentication for user [myuser]
succeeded
[2022/04/05 13:18:28.810264, 3]
../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [mydomain]\[myuser] at [Tue, 05 Apr 2022
13:18:28.810236 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation
[machine] remote host [ipv4:123.123.157.16:50120] became
[mydomain]\[myuser] [S-1-5-21-12345678-123456789-112233445-142182].
local host [ipv4:123.123.241.3:445]
{"timestamp": "2022-04-05T13:18:28.810420+0200", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor":
2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status":
"NT_STATUS_OK", "localAddress": "ipv4:123.123.241.3:445",
"remoteAddress": "ipv4:123.123.157.16:50120", "serviceDescription":
"SMB2", "authDescription": null, "clientDomain": "mydomain",
"clientAccount": "myuser", "workstation": "machine", "becameAccount":
"myuser", "becameDomain": "mydomain", "becameSid":
"S-1-5-21-12345678-123456789-112233445-142182", "mappedAccount":
"myuser", "mappedDomain": "mydomain", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
"passwordType": "NTLMv2", "duration": 16317}}
[2022/04/05 13:18:28.810490, 2]
../../source3/auth/auth.c:323(auth_check_ntlm_password)
check_ntlm_password: authentication for user [myuser] -> [myuser] ->
[mydomain\myuser] succeeded
[2022/04/05 13:18:28.812094, 3]
../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2022/04/05 13:18:28.812115, 3]
../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0xe2088235
[2022/04/05 13:18:28.812920, 1]
../../source3/auth/token_util.c:1089(create_token_from_sid)
sid_to_gid(S-1-5-21-12345678-123456789-112233445-513) failed
[2022/04/05 13:18:28.812986, 3]
../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_LOGON_FAILURE] || at
../../source3/smbd/smb2_sesssetup.c:146
==> log.wb-mydomain <==
[2022/04/05 13:18:28.801106, 3]
../../source3/winbindd/winbindd_pam.c:2698(winbindd_dual_pam_auth_crap)
[ 7141]: pam auth crap domain: mydomain user: myuser
[2022/04/05 13:18:28.804698, 3]
../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [winbind,NTLM_AUTH, smbd, 7141] user [mydomain]\[myuser] at
[Tue, 05 Apr 2022 13:18:28.804672 CEST] with [NTLMv2] status
[NT_STATUS_OK] workstation [sbitpc23] remote host [unix:] became
[mydomain]\[myuser] [S-1-5-21-12345678-123456789-112233445-142182].
local host [unix:]
{"timestamp": "2022-04-05T13:18:28.804766+0200", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor":
2}, "eventId": 4624, "logonId": "123d123fbfb6d8dd", "logonType": 3,
"status": "NT_STATUS_OK", "localAddress": "unix:", "remoteAddress":
"unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH,
smbd, 7141", "clientDomain": "mydomain", "clientAccount": "myuser",
"workstation": "sbitpc23", "becameAccount": "myuser", "becameDomain":
"mydomain", "becameSid": "S-1-5-21-12345678-123456789-112233445-142182",
"mappedAccount": null, "mappedDomain": null, "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
"passwordType": "NTLMv2", "duration": 3685}}
I did a lot of tests and could finally "fix" the issue by switching
idmap config DOMAIN:backend = ad
to
idmap config DOMAIN:backend = rid
But then it obviously killed all my UID/GID mappings.
I can't understand what's wrong in this setup and why the AD backend is
suddenly not working after this smb upgrade. When I roll back to the
prior version, everything comes back as normal.
It looks like I have the same issue on a CentOS 7 server where I could
roll back samba before finding a working solution.
Any advice would be nice, thanks in advance!
--
Thibault
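Added example (not part of the post or of Samba itself): a small lint for the idmap stanzas of an smb.conf plus a decoder for the `sid_to_gid(...) failed` line. The sample config and log line are constructed from the values quoted in the post. Two things the checks surface are visible in the post itself: the `idmap config INTRANET:schema_mode` stanza names a domain that is not the configured workgroup, so it applies to nothing, and the SID that failed to map ends in RID 513, the well-known RID of "Domain Users", which is the default primary group of every user. With `idmap config DOMAIN:backend = ad` a group SID maps to a GID only if the group object in AD carries a `gidNumber`, so the user's primary group is the first thing to verify (for example with `wbinfo --sid-to-gid`).

```python
"""Lint idmap stanzas in an smb.conf and decode a sid_to_gid failure line.

Added diagnostic, not Samba code. The sample input below is constructed
from the configuration and log excerpt quoted in the mailing-list post.
"""
import re

# Constructed sample: the idmap-relevant lines of the posted smb.conf.
SAMPLE_SMB_CONF = """
[global]
workgroup = DOMAIN
realm = DOMAIN.MYDOMAIN.ORG
security = ADS
idmap config DOMAIN:unix_primary_group = no
idmap config DOMAIN:unix_nss_info = no
idmap config DOMAIN:range = 9000 - 90000000
idmap config DOMAIN:backend = ad
idmap config INTRANET:schema_mode = rfc2307
idmap config * : range = 3000 - 8500
idmap config * : backend = tdb
"""

# Constructed sample: the failing line from the posted smbd log.
SAMPLE_LOG_LINE = "sid_to_gid(S-1-5-21-12345678-123456789-112233445-513) failed"

# Well-known RIDs of the built-in domain groups (same in every AD domain).
WELL_KNOWN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
}

IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)$",
    re.IGNORECASE,
)
SID_FAIL_RE = re.compile(
    r"sid_to_gid\((?P<sid>S-1-5-21(?:-\d+){3}-(?P<rid>\d+))\) failed"
)


def parse_smb_conf(text):
    """Return (plain parameters, idmap stanzas keyed by upper-cased domain)."""
    params, idmap = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m["dom"].upper(), {})[m["opt"].lower()] = m["val"].strip()
        elif "=" in line:
            key, val = line.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return params, idmap


def parse_range(value):
    """'9000 - 90000000' -> (9000, 90000000)."""
    lo, hi = (int(x) for x in value.replace(" ", "").split("-"))
    return lo, hi


def lint_idmap(params, idmap):
    """Return a list of human-readable findings about the idmap stanzas."""
    findings = []
    workgroup = params.get("workgroup", "").upper()
    ranges = {}
    for dom, opts in idmap.items():
        if dom not in ("*", workgroup):
            findings.append(
                f"stanza '{dom}' names a domain other than workgroup "
                f"'{workgroup}', so its options apply to nothing"
            )
        if "backend" in opts and "range" not in opts:
            findings.append(f"domain '{dom}' sets a backend but no range")
        if "range" in opts:
            ranges[dom] = parse_range(opts["range"])
        if opts.get("backend", "").lower() == "ad" and \
                opts.get("unix_primary_group", "no").lower() != "yes":
            findings.append(
                f"domain '{dom}' uses the ad backend with the AD primary group: "
                "the user's primary group (normally Domain Users, RID 513) "
                "must carry a gidNumber or sid_to_gid fails"
            )
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                findings.append(f"ranges of '{a}' and '{b}' overlap")
    return findings


def decode_sid_failure(line):
    """Extract the SID and RID from a sid_to_gid failure and name the RID."""
    m = SID_FAIL_RE.search(line)
    if not m:
        return None
    rid = int(m["rid"])
    return {"sid": m["sid"], "rid": rid,
            "name": WELL_KNOWN_RIDS.get(rid, "(not a well-known group RID)")}


if __name__ == "__main__":
    p, i = parse_smb_conf(SAMPLE_SMB_CONF)
    for f in lint_idmap(p, i):
        print("finding:", f)
    print("failed mapping:", decode_sid_failure(SAMPLE_LOG_LINE))
```

Run against the sample it reports the stray `INTRANET` stanza and the primary-group requirement of the `ad` backend, and decodes the failed SID as RID 513 (Domain Users); point it at the real smb.conf and log to check a live member server.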