[Samba] Authentication issue after updating samba on CentOS 7 (from yum)
Alex
samba at abisoft.biz
Tue Jan 11 11:27:26 UTC 2022
Robert, Rowland,
I guess I found the root of the issue. Look:
[2022/01/11 13:33:07.895774, 3] ../../source3/smbd/oplock.c:1422(init_oplocks)
init_oplocks: initializing messages.
[2022/01/11 13:33:07.896199, 3] ../../source3/smbd/process.c:1948(process_smb)
Transaction 0 of length 108 (0 toread)
[2022/01/11 13:33:07.896674, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
Selected protocol SMB2_10
[2022/01/11 13:33:07.972677, 3] ../../source3/auth/user_util.c:351(map_username)
Mapped user ABISOFT\username to username
[2022/01/11 13:33:07.977752, 3] ../../source3/auth/auth_generic.c:171(auth3_generate_session_info_pac)
Kerberos ticket principal name is [username at ABISOFT.BIZ]
[2022/01/11 13:33:07.978650, 1] ../../source3/auth/token_util.c:1082(create_token_from_sid)
sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed
[2022/01/11 13:33:07.978827, 3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2022/01/11 13:33:07.980941, 3] ../../source3/smbd/server_exit.c:236(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
Particularly, this line:
sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed
# wbinfo --domain=ABISOFT -s S-1-5-21-3729968760-1240331958-298020672-513
ABISOFT\Domain Users 2
# wbinfo --domain=ABISOFT -Y S-1-5-21-3729968760-1240331958-298020672-513
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Indeed, the Domain Users group (username's primary group) does not have a unix group id associated with it. However, it didn't create any problems before 4.10.16-17. Is it possible to fix it w/o assigning a unix group id?
Monday, January 10, 2022, 7:50:43 PM, you wrote:
> On 1/10/22 12:47 PM, Alex via samba wrote:
>> Robert, it appears I was too fast in reply. The fix you mentioned didn't help :(
> Sad to hear that. I didn't try the missing patch, but the workaround using:
> username map script = /var/lib/samba/scripts/username_map_script.sh
> local nt token from nss:SAMBA = no
>> >> Thank you very much for your reply! I've applied the fixing patch and it did the job! Hopefully, the RH team will release the official fix soon.
>> >>> On 1/10/22 6:21 AM, Alex via samba wrote:
>>>>> Rowland, could you please help me with this? I tried to remove some patches and rebuild but this is very time-consuming and I wasn't able to find the affecting patch yet :(
>>>>>> Also I'm wondering what 2.33.1 and 2.30.2 mean in the patch file, for example:
>>>>> # diff samba-4.10-redhat.patch.15 samba-4.10-redhat.patch |less
>>>>> 4c4
>>>>> < Subject: [PATCH 01/48] s3-rpcserver: fix security level check for
>>>>> ---
>>>>>> Subject: [PATCH 01/88] s3-rpcserver: fix security level check for
>>>>> 83c83
>>>>> < 2.30.2
>>>>> ---
>>>>>> 2.33.1
>> >>> I was hit by this problem; apparently it is a missing backported patch [1].
>> >>> The workaround at [2] is working for me. Just updated the domain name in the script and placed it instead in /var/lib/samba/scripts to make SELinux happy. Will wait for an updated RPM and remove the workaround for testing at that time.
>> >>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2036595
>>>> [2] https://bugzilla.samba.org/show_bug.cgi?id=14901#c0
>> > >> [skip]
>> > > >
--
Best regards,
Alex
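
The failure pattern in the log above, as an added example that is not part of the original post and not Samba project code: this Python script scans smbd level-3 log text and reports each NT_STATUS_LOGON_FAILURE that follows a failed sid_to_gid call, with the mapped user, the SID and its RID. The function names are hypothetical, the embedded sample is an excerpt of the log lines quoted in the post, and it assumes the text comes from a single smbd process so records are not interleaved.

```python
import re

# Excerpt of the smbd log quoted in the post above (header line, then message line).
# Assumption: one smbd process per log, so records of different sessions do not interleave.
SAMPLE_LOG = """\
[2022/01/11 13:33:07.972677, 3] ../../source3/auth/user_util.c:351(map_username)
  Mapped user ABISOFT\\username to username
[2022/01/11 13:33:07.978650, 1] ../../source3/auth/token_util.c:1082(create_token_from_sid)
  sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed
[2022/01/11 13:33:07.978827, 3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+\] \S+?:\d+\((?P<func>\w+)\)$")
SID_FAIL = re.compile(r"sid_to_gid\((S-[\d-]+)\) failed")
MAPPED = re.compile(r"Mapped user (\S+) to (\S+)")

def parse_records(text):
    """Split smbd log text into [timestamp, function, message] records."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            records.append([m["ts"], m["func"], ""])
        elif records:  # continuation line belongs to the latest header
            records[-1][2] = (records[-1][2] + " " + raw.strip()).strip()
    return records

def find_gid_mapping_failures(text):
    """Return logon failures that were preceded by a failed sid_to_gid lookup."""
    findings, user, sid = [], None, None
    for ts, func, msg in parse_records(text):
        if func == "map_username" and (m := MAPPED.search(msg)):
            user, sid = m.group(1), None      # new authentication attempt
        elif func == "create_token_from_sid" and (m := SID_FAIL.search(msg)):
            sid = m.group(1)                  # remember the unmapped group SID
        elif "NT_STATUS_LOGON_FAILURE" in msg and sid:
            rid = int(sid.rsplit("-", 1)[1])  # last sub-authority, 513 = Domain Users
            findings.append({"time": ts, "user": user, "sid": sid, "rid": rid})
            sid = None
    return findings

if __name__ == "__main__":
    for finding in find_gid_mapping_failures(SAMPLE_LOG):
        print(finding)
```

Each reported SID can then be checked with the `wbinfo -s` and `wbinfo -Y` commands shown in the post to confirm whether it has a unix group id.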