[Samba] After Suse Enterprise upgrade from 11.4 to 15.4 PCs fail authentication when trying to mount Samba share
John Adamski (Work Account)
adamski at graceland.edu
Thu Feb 9 18:09:48 UTC 2023
Our ERP server was on SLES 11.4 and we upgraded to SLES 15.4 last September and have had a problem since with Samba shares on the SLES server accessed by Windows desktops. Can't authenticate; it is not translating the Windows-side user to the Linux-side user. Not exactly sure if it's Windows GUID to UID or username to username. It seems the translations that used to take place with the username are not happening anymore and I never figured out why.
The upgrade process was to migrate from 11.4 to 15.1 and then to 15.4 as a migration; SLES didn't have a direct path from 11.4 to 15.4. For the most part the upgrade of the OS went OK.
We had been using the Samba shares for years without problems until upgrading to 15.4. I had an open case with SUSE shortly after the upgrade but they basically said it's not a break-fix but a configuration problem and they couldn't help. They did offer an outrageously priced consulting option. When we disagreed with them not helping, I did get from the SUSE "expert" that looked at the case that 15.4 Samba was a major rewrite and that is probably why we are having problems. But he still agreed it was a consulting problem, not a support problem.
We paid a local VR that had a RHEL expert, but he couldn't figure out why it was not working and said SUSE seemed to be very different than other Linux he worked on. Also posted on the SUSE forum, no help there. So trying the Samba forum.
The ERP requires local Linux user accounts and local groups for security, so we can't get these from AD. When SUSE had me try SSSD, the SLES server could see and get information from AD and users now had local and AD groups, which caused a big mess. Even though the server could get AD information, it still couldn't authenticate to mount the shares. I undid all those changes. I'm just trying to get a simple and easy to maintain configuration so a PC can mount a SLES home directory and transfer files back and forth.
As I understand it, how it worked on 11.4 was using Samba and winbind; PAM and Kerberos might have been in the mix, I can't remember.
Here are the specs for the server and domain controllers in the network; the Windows PCs are all Win10 21H2 or 22H2. I've made so many changes over the last months I'm not sure what is what any more.
cat /etc/os-release
NAME="SLES"
VERSION="15-SP4"
VERSION_ID="15.4"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP4"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp4"
DOCUMENTATION_URL="https://documentation.suse.com/"
smbd -V
Version 4.15.8-git.527.8d0c05d313e150400.3.16.11-SUSE-oS15.0-x86_64
The DC's are Windows Server 2019 (version 1809 build 17763.3887)
From a different openSUSE server to the SLES server I get this:
smbclient -L //xxxxxx
Password for [WORKGROUP\xxxxxx]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
tmp Disk Temporary file space
IPC$ IPC IPC Service (Samba 4.15.8-git.527.8d0c05d313e150400.3.16.11-SUSE-oS15.0-x86_64)
SMB1 disabled -- no workgroup available
If I try to connect to one of the shares from the openSUSE server to the SLES server I get this:
smbclient //xxxxxx/tmp
Password for [WORKGROUP\xxxxxx]:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
If I try from Windows to the SLES server I get this in the logs on the SLES:
From /var/log/samba/log.smbd:
[2023/02/08 14:51:37.411728, 0] ../../source3/auth/auth_util.c:1928(check_account)
check_account: Failed to convert SID S-1-1-11-111111111-111111111-1111111111-11111 to a UID (dom_user[GRACELAND\xxxxxx])
From /var/log/warn:
2023-02-08T14:51:37.412164-06:00 nova smbd[17655]: [2023/02/08 14:51:37.411728, 0] ../../source3/auth/auth_util.c:1928(check_account)
2023-02-08T14:51:37.412291-06:00 nova smbd[17655]: check_account: Failed to convert SID S-1-1-11-111111111-111111111-1111111111-11111 to a UID (dom_user[GRACELAND\xxxxxx])
-=-=-=-=-=-=-=-=-=- SMB.CONF -=-=-=-=-=-=-=-=-=-=-
cat smb.conf
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2015-05-01
[global]
workgroup = GRACELAND
#kerberos method = secrets and keytab
password server = xxxxxx.graceland.edu
realm = GRACELAND.EDU
security = ADS
#follow symlinks = yes
#wide links = yes
#unix extensions = no
netbios name = nova
#passdb backend = ldapsam:ldap://xxxxxx.graceland.edu
#log level = 10
usershare allow guests = No
wins support = No
#debug level = 7
#enable core files = yes
#username map script = /bin/echo
#username map script = /etc/samba/StripDomainName.sh
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config GRACELAND:unix_nss_info = yes
idmap config GRACELAND : backend = tdb
#idmap config SAMDOM:schema_mode = rfc2307
idmap config GRACELAND : range = 200000-2000200000
ldap admin dn = CN=xxxxxx,CN=Users,DC=graceland,DC=edu
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = Yes
ldap suffix = dc=graceland,dc=edu
ldap user suffix = ou=Users
ldap ssl = off
#passdb backend = tdbsam
allow insecure wide links = yes
client ipc signing = auto
wins server =
[homes]
comment = Home Directories
valid users = %S
browseable = no
read only = no
inherit acls = yes
follow symlinks = yes
wide links = yes
[tmp]
comment = Temporary file space
inherit acls = Yes
path = /tmp
read only = No
-=-=-=-=-=-=-=-=-=-=- resolv.conf -=-=-=-=-=-=-=-=-=-=-
### /etc/resolv.conf is a symlink to /run/netconfig/resolv.conf
### autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
# NETCONFIG_DNS_STATIC_SEARCHLIST
# NETCONFIG_DNS_STATIC_SERVERS
# NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
# NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
### Call "netconfig update -f" to force adjusting of /etc/resolv.conf.
####
#### GU deleted symbolic link to /var/run/netconfig/resolv.conf and hardcoded
####
domain graceland.edu
search graceland.edu
nameserver xxx.xxx.xxx.xxx
nameserver xxx.xxx.xxx.xxx
-=-=-=-=-=-=-=-=-=-=- krb5.conf -=-=-=-=-=-=-=-=-=-=-
cat krb5.conf
[libdefaults]
default_realm = GRACELAND.EDU
clockskew = 500
# dns_lookup_realm = true
# dns_lookup_kdc = true
# forwardable = true
# default_ccache_name = FILE:/tmp/krb5cc_%{uid}
# default_tkt_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
# default_tgs_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
# permitted_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
# proxiable = false
# noaddresses = false
# allow_weak_crypto = false
[domain_realm]
.graceland.edu = GRACELAND.EDU
graceland.edu = GRACELAND.EDU
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[realms]
GRACELAND.EDU = {
default_domain = graceland.edu
admin_server = xxxxxx.graceland.edu
kdc = xxxxxx.graceland.edu
}
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
external = sshd
use_shmem = sshd
}
-=-=-=-=-=-=-=-=-=-=- idmap.conf -=-=-=-=-=-=-=-=-=-=-
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
John David Adamski
Sr. Sysadmin/DBA
Graceland University
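An added example for this thread (not code from the original post or from the Samba project): a Python script that parses the `idmap config` lines of an smb.conf and the `check_account` lines from log.smbd quoted above, then reports the kinds of misconfiguration behind "Failed to convert SID ... to a UID": options the configured backend does not read (for instance, `unix_nss_info` belongs to the idmap_ad backend, not idmap_tdb), missing or overlapping ID ranges, and which backend each failed lookup fell through to. The per-backend option table is a partial list taken from the idmap_tdb(8), idmap_ad(8), idmap_rid(8) and idmap_autorid(8) manual pages; the sample configuration fragment and log lines are constructed from the post.

```python
"""Cross-check Samba idmap configuration against smbd SID-to-UID failures.

Added example for this thread, not code from the original post or from the
Samba project. The per-backend option table is a partial list taken from the
idmap_tdb(8), idmap_ad(8), idmap_rid(8) and idmap_autorid(8) manual pages;
the sample smb.conf fragment and log lines are constructed from the post.
"""
import re

# Partial option lists per idmap backend (assumption: drawn from the man pages
# named above; extend it for backends or options not listed here).
BACKEND_OPTIONS = {
    "tdb": {"backend", "range"},
    "ad": {"backend", "range", "schema_mode", "unix_nss_info", "unix_primary_group"},
    "rid": {"backend", "range", "base_rid"},
    "autorid": {"backend", "range", "rangesize", "read only", "ignore builtin"},
}

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*([^=]+?)\s*=\s*(.*?)\s*$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
# check_account line as printed by source3/auth/auth_util.c in the post.
LOG_RE = re.compile(r"Failed to convert SID (S-[\d-]+) to a UID \(dom_user\[([^\\\]]+)\\([^\]]+)\]\)")

# Constructed sample: the idmap-related lines of the smb.conf quoted above.
SAMPLE_SMB_CONF = """\
[global]
workgroup = GRACELAND
security = ADS
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config GRACELAND:unix_nss_info = yes
idmap config GRACELAND : backend = tdb
#idmap config SAMDOM:schema_mode = rfc2307
idmap config GRACELAND : range = 200000-2000200000
"""

# Constructed sample: the log.smbd lines quoted above.
SAMPLE_LOG = """\
[2023/02/08 14:51:37.411728, 0] ../../source3/auth/auth_util.c:1928(check_account)
check_account: Failed to convert SID S-1-1-11-111111111-111111111-1111111111-11111 to a UID (dom_user[GRACELAND\\xxxxxx])
"""


def parse_idmap_config(text):
    """Return {DOMAIN: {option: value}} from the 'idmap config' lines of an smb.conf."""
    cfg = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # commented-out settings
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_sid_failures(log_text):
    """Return [(sid, DOMAIN, user)] for every check_account SID->UID failure."""
    return [(sid, dom.upper(), user) for sid, dom, user in LOG_RE.findall(log_text)]


def _parse_range(opts):
    m = RANGE_RE.match(opts.get("range", "").strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit(cfg, failures):
    """Return findings: ignored options, bad or overlapping ranges, and the
    backend each failed SID lookup fell through to."""
    findings, ranges = [], {}
    for dom, opts in cfg.items():
        backend = opts.get("backend", "").lower()
        if not backend:
            findings.append(f"{dom}: no idmap backend configured")
            continue
        known = BACKEND_OPTIONS.get(backend)
        if known is None:
            findings.append(f"{dom}: backend '{backend}' is not in this checker's table")
        else:
            for opt in sorted(set(opts) - known):
                findings.append(f"{dom}: option '{opt}' is not read by the {backend} backend (ignored)")
        rng = _parse_range(opts)
        if rng is None:
            findings.append(f"{dom}: missing or malformed range")
        elif rng[0] > rng[1]:
            findings.append(f"{dom}: range low end {rng[0]} is above high end {rng[1]}")
        else:
            ranges[dom] = rng
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"{a} and {b}: idmap ranges overlap")
    for sid, dom, user in failures:
        if dom in cfg:
            backend = cfg[dom].get("backend", "?")
        elif "*" in cfg:
            backend = cfg["*"].get("backend", "?") + " (default domain '*')"
        else:
            backend = "none"
        findings.append(f"{dom}\\{user}: SID {sid} has no UID mapping; idmap backend for {dom} is {backend}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_idmap_config(SAMPLE_SMB_CONF), parse_sid_failures(SAMPLE_LOG)):
        print(line)
```

Run it as `python3 idmap_check.py` (file name is your choice) with the real `/etc/samba/smb.conf` and `/var/log/samba/log.smbd` read into `SAMPLE_SMB_CONF` and `SAMPLE_LOG` to get the same report for a live server. The checker only flags what the table lists; a backend option missing from `BACKEND_OPTIONS` is reported as ignored, so extend the table before trusting that finding for backends other than the four above.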