[Samba] AD Member setup broken after samba upgrade

Thibault Roulet thibault.roulet at epfl.ch
Tue Apr 5 12:04:38 UTC 2022


Hi all,

I'm a bit lost in a samba setup which turned bad after an upgrade
Everything was working fine when running samba 2:4.13.5+dfsg-2 and it 
broke my setup after upgrade to 2:4.13.13+dfsg-1~deb11u3

The server is running an up to date debian stable and configured as a 
domain member only.
- samba 4.13.13+dfsg-1~deb11u3
- winbind 4.13.13+dfsg-1~deb11u3
- libnss-winbind 4.13.13+dfsg-1~deb11u3

Kerberos is correctly configured and the machine has been linked to the 
domain using net ads join.

All the domain controllers of the domain are running Windows Server.


## SMB conf file ##

[global]
     client signing = required
     deadtime = 30
     dedicated keytab file = /etc/krb5.keytab
     disable spoolss = Yes
     dns proxy = No
     domain master = No
     kerberos method = secrets and keytab
     load printers = No
     local master = No
     log file = /var/log/samba/log.%I
     max log size = 3000
     panic action = /usr/share/samba/panic-action %d
     password server = AD1.DOMAIN.MYDOMAIN.ORG
     realm = DOMAIN.MYDOMAIN.ORG
     security = ADS
     server min protocol = SMB2
     server signing = required
     server string = srv.MYDOMAIN.ORG
     template homedir = /home/%U
     template shell = /bin/bash
     username map = /etc/samba/smbusers
     username map script = /bin/echo
     usershare allow guests = Yes
     winbind use default domain = Yes
     wins server = 123.123.1.2
     workgroup = DOMAIN
     idmap config DOMAIN:unix_primary_group = no
     idmap config DOMAIN:unix_nss_info = no
     idmap config DOMAIN:range = 9000 - 90000000
     idmap config DOMAIN:backend = ad
     idmap config INTRANET:schema_mode = rfc2307
     idmap config * : range = 3000 - 8500
     idmap config * : backend = tdb
     hosts allow = 123.123. 127. 10.95.


## nsswitch.conf ##
passwd:         compat winbind ldap systemd
group:          compat winbind ldap systemd


## SMB LOGS ##

When connecting the share using a windows or linux, I have this result 
and can't enter the shared folder.

[2022/04/05 13:18:28.795040,  3] 
../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth)
   Got user=[myuser] domain=[mydomain] workstation=[machine] len1=0 len2=142
[2022/04/05 13:18:28.800143,  3] 
../../source3/auth/user_util.c:353(map_username)
   Mapped user myuser to myuser
[2022/04/05 13:18:28.800228,  3] 
../../source3/auth/auth.c:200(auth_check_ntlm_password)
   check_ntlm_password:  Checking password for unmapped user 
[mydomain]\[myuser]@[machine] with the new password interface
[2022/04/05 13:18:28.800254,  3] 
../../source3/auth/auth.c:203(auth_check_ntlm_password)
   check_ntlm_password:  mapped user is: [mydomain]\[myuser]@[machine]
[2022/04/05 13:18:28.810026,  3] 
../../source3/auth/user_util.c:353(map_username)
   Mapped user mydomain\myuser to mydomain\myuser
[2022/04/05 13:18:28.810155,  3] 
../../source3/auth/auth.c:267(auth_check_ntlm_password)
   auth_check_ntlm_password: winbind authentication for user [myuser] 
succeeded
[2022/04/05 13:18:28.810264,  3] 
../../auth/auth_log.c:635(log_authentication_event_human_readable)
   Auth: [SMB2,(null)] user [mydomain]\[myuser] at [Tue, 05 Apr 2022 
13:18:28.810236 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation 
[machine] remote host [ipv4:123.123.157.16:50120] became 
[mydomain]\[myuser] [S-1-5-21-12345678-123456789-112233445-142182]. 
local host [ipv4:123.123.241.3:445]
   {"timestamp": "2022-04-05T13:18:28.810420+0200", "type": 
"Authentication", "Authentication": {"version": {"major": 1, "minor": 
2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": 
"NT_STATUS_OK", "localAddress": "ipv4:123.123.241.3:445", 
"remoteAddress": "ipv4:123.123.157.16:50120", "serviceDescription": 
"SMB2", "authDescription": null, "clientDomain": "mydomain", 
"clientAccount": "myuser", "workstation": "machine", "becameAccount": 
"myuser", "becameDomain": "mydomain", "becameSid": 
"S-1-5-21-12345678-123456789-112233445-142182", "mappedAccount": 
"myuser", "mappedDomain": "mydomain", "netlogonComputer": null, 
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", 
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, 
"passwordType": "NTLMv2", "duration": 16317}}
[2022/04/05 13:18:28.810490,  2] 
../../source3/auth/auth.c:323(auth_check_ntlm_password)
   check_ntlm_password:  authentication for user [myuser] -> [myuser] -> 
[mydomain\myuser] succeeded


[2022/04/05 13:18:28.812094,  3] 
../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
   NTLMSSP Sign/Seal - Initialising with flags:
[2022/04/05 13:18:28.812115,  3] 
../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
   Got NTLMSSP neg_flags=0xe2088235
[2022/04/05 13:18:28.812920,  1] 
../../source3/auth/token_util.c:1089(create_token_from_sid)
   sid_to_gid(S-1-5-21-12345678-123456789-112233445-513) failed
[2022/04/05 13:18:28.812986,  3] 
../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
status[NT_STATUS_LOGON_FAILURE] || at 
../../source3/smbd/smb2_sesssetup.c:146

==> log.wb-mydomain <==
[2022/04/05 13:18:28.801106,  3] 
../../source3/winbindd/winbindd_pam.c:2698(winbindd_dual_pam_auth_crap)
   [ 7141]: pam auth crap domain: mydomain user: myuser
[2022/04/05 13:18:28.804698,  3] 
../../auth/auth_log.c:635(log_authentication_event_human_readable)
   Auth: [winbind,NTLM_AUTH, smbd, 7141] user [mydomain]\[myuser] at 
[Tue, 05 Apr 2022 13:18:28.804672 CEST] with [NTLMv2] status 
[NT_STATUS_OK] workstation [sbitpc23] remote host [unix:] became 
[mydomain]\[myuser] [S-1-5-21-12345678-123456789-112233445-142182]. 
local host [unix:]
   {"timestamp": "2022-04-05T13:18:28.804766+0200", "type": 
"Authentication", "Authentication": {"version": {"major": 1, "minor": 
2}, "eventId": 4624, "logonId": "123d123fbfb6d8dd", "logonType": 3, 
"status": "NT_STATUS_OK", "localAddress": "unix:", "remoteAddress": 
"unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH, 
smbd, 7141", "clientDomain": "mydomain", "clientAccount": "myuser", 
"workstation": "sbitpc23", "becameAccount": "myuser", "becameDomain": 
"mydomain", "becameSid": "S-1-5-21-12345678-123456789-112233445-142182", 
"mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, 
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", 
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, 
"passwordType": "NTLMv2", "duration": 3685}}

I did a lot of tests and could finally "fix" the issue by switching
     idmap config DOMAIN:backend = ad
to
     idmap config DOMAIN:backend = rid

But then it obviously killed all my UID/GID mappings.

I can't understand what's wrong in this setup and why the AD backend is 
suddenly not working after this smb upgrade. When I rollback to the 
prior version, everything comes back as normal.

It looks like I have the same issue on a CentOS 7 server where I could 
rollback samba before finding a working solution.

Any advise would be nice, thanks in advance!

-- 

Thibault


More information about the samba mailing list