[Samba] Authentication issue after updating samba on CentOS 7 (from yum)

Alex samba at abisoft.biz
Tue Jan 11 11:27:26 UTC 2022


Robert, Rowland,

I guess I found the root of the issue. Look:
[2022/01/11 13:33:07.895774,  3] ../../source3/smbd/oplock.c:1422(init_oplocks)
  init_oplocks: initializing messages.
[2022/01/11 13:33:07.896199,  3] ../../source3/smbd/process.c:1948(process_smb)
  Transaction 0 of length 108 (0 toread)
[2022/01/11 13:33:07.896674,  3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2022/01/11 13:33:07.972677,  3] ../../source3/auth/user_util.c:351(map_username)
  Mapped user ABISOFT\username to username
[2022/01/11 13:33:07.977752,  3] ../../source3/auth/auth_generic.c:171(auth3_generate_session_info_pac)
  Kerberos ticket principal name is [username at ABISOFT.BIZ]
[2022/01/11 13:33:07.978650,  1] ../../source3/auth/token_util.c:1082(create_token_from_sid)
  sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed
[2022/01/11 13:33:07.978827,  3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2022/01/11 13:33:07.980941,  3] ../../source3/smbd/server_exit.c:236(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

Particularly, this line:
  sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed

# wbinfo --domain=ABISOFT -s S-1-5-21-3729968760-1240331958-298020672-513
ABISOFT\Domain Users 2

# wbinfo --domain=ABISOFT -Y S-1-5-21-3729968760-1240331958-298020672-513
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND

Indeed, the Domain Users group (username's primary group) does not have a unix group id associated with it. However, it didn't create any problems before 4.10.16-17. Is it possible to fix it w/o assigning a unix group id?


Monday, January 10, 2022, 7:50:43 PM, you wrote:

> On 1/10/22 12:47 PM, Alex via samba wrote:
>> Robert, it appears I was too fast in reply. The fix you mentioned didn't help :(

> Sad to hear that. I didn't try the missing patch, but the workaround using:

>    username map script = /var/lib/samba/scripts/username_map_script.sh
>    local nt token from nss:SAMBA = no


>> >> Thank you very much for your reply! I've applied the fixing patch and it did the job! Hopefully, the RH team will release the official fix soon.
>> >>> On 1/10/22 6:21 AM, Alex via samba wrote:
>>>>> Rowland, could you please help me with this? I tried to remove some patches and rebuild but this is very time-consuming and I wasn't able to find the affecting patch yet :(
>>>>>> Also I'm wondering what 2.33.1 and 2.30.2 mean in the patch file, for example:
>>>>> # diff samba-4.10-redhat.patch.15 samba-4.10-redhat.patch |less
>>>>> 4c4
>>>>> < Subject: [PATCH 01/48] s3-rpcserver: fix security level check for
>>>>> ---
>>>>>> Subject: [PATCH 01/88] s3-rpcserver: fix security level check for
>>>>> 83c83
>>>>> < 2.30.2
>>>>> ---
>>>>>> 2.33.1
>> >>> I was hit by this problem, apparently is a missing backported patch [1].
>> >>> The workaround at [2] is working for me. Just updated the domain name on the script and placed it instead on /var/lib/samba/scripts to make SELinux happy. Will wait for an updated RPM and remove the workaround for testing at that time.
>> >>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2036595
>>>> [2] https://bugzilla.samba.org/show_bug.cgi?id=14901#c0
>> > >> [skip]
>> > > > 




-- 
Best regards,
Alex
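
The log triage described in the message above (a failed sid_to_gid lookup followed by NT_STATUS_LOGON_FAILURE), as an added example that is not part of the original post or of Samba itself. The sample log is constructed on the model of the quoted smbd output, with a placeholder realm and SID, and the function names are hypothetical.

```python
import re

# Header of an smbd log record: "[timestamp, level] file:line(function)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s+(?P<level>\d+)\] "
                    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
PRINCIPAL = re.compile(r"Kerberos ticket principal name is \[(?P<p>[^\]]+)\]")
SID_FAIL = re.compile(r"sid_to_gid\((?P<sid>S-[\d-]+)\) failed")

# Constructed sample (placeholder realm and SID), in the format quoted in the post.
SAMPLE_LOG = """\
[2022/01/11 13:30:01.100000,  3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2022/01/11 13:33:07.977752,  3] ../../source3/auth/auth_generic.c:171(auth3_generate_session_info_pac)
  Kerberos ticket principal name is [alice@EXAMPLE.TEST]
[2022/01/11 13:33:07.978650,  1] ../../source3/auth/token_util.c:1082(create_token_from_sid)
  sid_to_gid(S-1-5-21-1111111111-2222222222-3333333333-513) failed
[2022/01/11 13:33:07.978827,  3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
"""

def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and raw.strip():
            records[-1]["msg"] += raw.strip() + " "
    return records

def find_mapping_failures(text):
    """Return logon failures that directly follow a failed SID-to-GID lookup."""
    findings, principal, pending = [], None, None
    for rec in parse_records(text):
        msg = rec["msg"]
        if m := PRINCIPAL.search(msg):
            principal, pending = m["p"], None   # new session setup starts here
        elif m := SID_FAIL.search(msg):
            pending = {"ts": rec["ts"], "principal": principal, "sid": m["sid"],
                       "rid": int(m["sid"].rsplit("-", 1)[1])}
        elif pending and "NT_STATUS_LOGON_FAILURE" in msg:
            findings.append(pending)            # unmapped SID caused the rejection
            pending = None
    return findings

if __name__ == "__main__":
    for f in find_mapping_failures(SAMPLE_LOG):
        print(f"{f['ts']} {f['principal']}: no gid for {f['sid']} (RID {f['rid']})")
```

Each reported SID can then be checked with the same `wbinfo -s` and `wbinfo -Y` calls shown in the message to see which group lacks a unix group id.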



