[Samba] AD Member setup broken after samba upgrade

L.P.H. van Belle belle at bazuin.nl
Tue Apr 5 12:41:39 UTC 2022


Try it again after adding this in [Global]:

min domain uid = 0


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Thibault Roulet via samba
> Sent: Tuesday, 5 April 2022 14:05
> To: samba at lists.samba.org
> Subject: [Samba] AD Member setup broken after samba upgrade
> 
> Hi all,
> 
> I'm a bit lost in a samba setup which turned bad after an upgrade.
> Everything was working fine when running samba 2:4.13.5+dfsg-2 and it
> broke my setup after the upgrade to 2:4.13.13+dfsg-1~deb11u3.
> 
> The server is running an up to date debian stable and configured as a 
> domain member only.
> - samba 4.13.13+dfsg-1~deb11u3
> - winbind 4.13.13+dfsg-1~deb11u3
> - libnss-winbind 4.13.13+dfsg-1~deb11u3
> 
> Kerberos is correctly configured and the machine has been linked to the
> domain using net ads join.
> 
> All the domain controllers of the domain are running Windows Server.
> 
> 
> ## SMB conf file ##
> 
> [global]
>      client signing = required
>      deadtime = 30
>      dedicated keytab file = /etc/krb5.keytab
>      disable spoolss = Yes
>      dns proxy = No
>      domain master = No
>      kerberos method = secrets and keytab
>      load printers = No
>      local master = No
>      log file = /var/log/samba/log.%I
>      max log size = 3000
>      panic action = /usr/share/samba/panic-action %d
>      password server = AD1.DOMAIN.MYDOMAIN.ORG
>      realm = DOMAIN.MYDOMAIN.ORG
>      security = ADS
>      server min protocol = SMB2
>      server signing = required
>      server string = srv.MYDOMAIN.ORG
>      template homedir = /home/%U
>      template shell = /bin/bash
>      username map = /etc/samba/smbusers
>      username map script = /bin/echo
>      usershare allow guests = Yes
>      winbind use default domain = Yes
>      wins server = 123.123.1.2
>      workgroup = DOMAIN
>      idmap config DOMAIN:unix_primary_group = no
>      idmap config DOMAIN:unix_nss_info = no
>      idmap config DOMAIN:range = 9000 - 90000000
>      idmap config DOMAIN:backend = ad
>      idmap config INTRANET:schema_mode = rfc2307
>      idmap config * : range = 3000 - 8500
>      idmap config * : backend = tdb
>      hosts allow = 123.123. 127. 10.95.
> 
> 
> ## nsswitch.conf ##
> passwd:         compat winbind ldap systemd
> group:          compat winbind ldap systemd
> 
> 
> ## SMB LOGS ##
> 
> When connecting to the share from Windows or Linux, I get this result
> and can't enter the shared folder.
> 
> [2022/04/05 13:18:28.795040,  3] ../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth)
>    Got user=[myuser] domain=[mydomain] workstation=[machine] len1=0 len2=142
> [2022/04/05 13:18:28.800143,  3] ../../source3/auth/user_util.c:353(map_username)
>    Mapped user myuser to myuser
> [2022/04/05 13:18:28.800228,  3] ../../source3/auth/auth.c:200(auth_check_ntlm_password)
>    check_ntlm_password:  Checking password for unmapped user [mydomain]\[myuser]@[machine] with the new password interface
> [2022/04/05 13:18:28.800254,  3] ../../source3/auth/auth.c:203(auth_check_ntlm_password)
>    check_ntlm_password:  mapped user is: [mydomain]\[myuser]@[machine]
> [2022/04/05 13:18:28.810026,  3] ../../source3/auth/user_util.c:353(map_username)
>    Mapped user mydomain\myuser to mydomain\myuser
> [2022/04/05 13:18:28.810155,  3] ../../source3/auth/auth.c:267(auth_check_ntlm_password)
>    auth_check_ntlm_password: winbind authentication for user [myuser] succeeded
> [2022/04/05 13:18:28.810264,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
>    Auth: [SMB2,(null)] user [mydomain]\[myuser] at [Tue, 05 Apr 2022 13:18:28.810236 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [machine] remote host [ipv4:123.123.157.16:50120] became [mydomain]\[myuser] [S-1-5-21-12345678-123456789-112233445-142182]. local host [ipv4:123.123.241.3:445]
>    {"timestamp": "2022-04-05T13:18:28.810420+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:123.123.241.3:445", "remoteAddress": "ipv4:123.123.157.16:50120", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "mydomain", "clientAccount": "myuser", "workstation": "machine", "becameAccount": "myuser", "becameDomain": "mydomain", "becameSid": "S-1-5-21-12345678-123456789-112233445-142182", "mappedAccount": "myuser", "mappedDomain": "mydomain", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 16317}}
> [2022/04/05 13:18:28.810490,  2] ../../source3/auth/auth.c:323(auth_check_ntlm_password)
>    check_ntlm_password:  authentication for user [myuser] -> [myuser] -> [mydomain\myuser] succeeded
> 
> 
> [2022/04/05 13:18:28.812094,  3] ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
>    NTLMSSP Sign/Seal - Initialising with flags:
> [2022/04/05 13:18:28.812115,  3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
>    Got NTLMSSP neg_flags=0xe2088235
> [2022/04/05 13:18:28.812920,  1] ../../source3/auth/token_util.c:1089(create_token_from_sid)
>    sid_to_gid(S-1-5-21-12345678-123456789-112233445-513) failed
> [2022/04/05 13:18:28.812986,  3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
>    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
> 
> ==> log.wb-mydomain <==
> [2022/04/05 13:18:28.801106,  3] ../../source3/winbindd/winbindd_pam.c:2698(winbindd_dual_pam_auth_crap)
>    [ 7141]: pam auth crap domain: mydomain user: myuser
> [2022/04/05 13:18:28.804698,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
>    Auth: [winbind,NTLM_AUTH, smbd, 7141] user [mydomain]\[myuser] at [Tue, 05 Apr 2022 13:18:28.804672 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [sbitpc23] remote host [unix:] became [mydomain]\[myuser] [S-1-5-21-12345678-123456789-112233445-142182]. local host [unix:]
>    {"timestamp": "2022-04-05T13:18:28.804766+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "123d123fbfb6d8dd", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH, smbd, 7141", "clientDomain": "mydomain", "clientAccount": "myuser", "workstation": "sbitpc23", "becameAccount": "myuser", "becameDomain": "mydomain", "becameSid": "S-1-5-21-12345678-123456789-112233445-142182", "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 3685}}
> 
> I did a lot of tests and could finally "fix" the issue by switching
>      idmap config DOMAIN:backend = ad
> to
>      idmap config DOMAIN:backend = rid
> 
> But then it obviously killed all my UID/GID mappings.
> 
> I can't understand what's wrong in this setup and why the AD backend is
> suddenly not working after this smb upgrade. When I roll back to the
> prior version, everything comes back to normal.
> 
> It looks like I have the same issue on a CentOS 7 server, where I could
> roll back samba before finding a working solution.
> 
> Any advice would be nice, thanks in advance!
> 
> -- 
> 
> Thibault
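To sanity-check the idmap block quoted above before switching backends, here is an added Python example (not from this thread or the Samba project) that parses the `idmap config` lines and `min domain uid` from an smb.conf fragment and reports domain labels that are only partially configured, overlapping ID ranges, a missing `*` default domain and a disabled lower UID bound. The sample input is constructed from the post's config plus the reply's suggested line; the regexes and finding texts are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the idmap lines from the post's [global] section plus
# the 'min domain uid = 0' line suggested in the reply (not a full smb.conf).
SAMPLE_SMB_CONF = """
workgroup = DOMAIN
min domain uid = 0
idmap config DOMAIN:range = 9000 - 90000000
idmap config DOMAIN:backend = ad
idmap config INTRANET:schema_mode = rfc2307
idmap config * : range = 3000 - 8500
idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
MIN_UID_RE = re.compile(r"^\s*min domain uid\s*=\s*(\d+)\s*$", re.I)

def parse_smb_conf(conf):
    """Return ({label: {option: value}}, min domain uid); Samba's default of 1000 if absent."""
    idmap, min_uid = defaultdict(dict), 1000
    for line in conf.splitlines():
        if m := IDMAP_RE.match(line):
            label, option, value = m.groups()
            idmap[label.upper()][option.lower()] = value
        elif m := MIN_UID_RE.match(line):
            min_uid = int(m.group(1))
    return dict(idmap), min_uid

def check_idmap(idmap, min_uid):
    """Return findings (strings); an empty list means the idmap block is consistent."""
    findings, ranges = [], {}
    for label, opts in idmap.items():
        if "backend" not in opts:
            findings.append(f"{label}: idmap options set but no backend (mistyped label?)")
        if "range" not in opts:
            findings.append(f"{label}: no range configured")
        else:
            ranges[label] = tuple(int(x) for x in opts["range"].split("-"))
    labels = sorted(ranges)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:  # inclusive ranges overlap if each starts before the other ends
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"{a} and {b}: ID ranges overlap")
    if "*" not in idmap:
        findings.append("*: no default idmap domain for BUILTIN and well-known SIDs")
    if min_uid == 0:
        findings.append("min domain uid = 0 removes the lower bound on mapped UIDs (default 1000)")
    return findings
```

Run `check_idmap(*parse_smb_conf(SAMPLE_SMB_CONF))` on the sample to see that the `INTRANET` label is reported twice (no backend, no range) alongside the disabled UID bound, while the `DOMAIN` and `*` ranges do not overlap.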