[Samba] Unable to authenticate domain users

Doug Sampson dougs at dawnsign.com
Wed May 31 03:38:49 UTC 2023


I'm having trouble wrapping my mind around this issue.

We've upgraded Samba from 4.13 to 4.16 on a few FreeBSD servers (v13.1) running ZFS and the upgrade process has gone well. However, after attempting to upgrade Samba on the very last FreeBSD server, I am having issues with domain users trying to connect to various shares. This server is a member server in a M$ AD environment. The two domain controllers in our environment are W2K22.

The log shows "permissions denied" as being the reason for rejection.

We are able to retrieve info from running wbinfo -u and wbinfo -g. getent produces output that combines both Unix user accounts and AD user accounts. So far so good. However, when a domain user tries to connect to a share mapped via a drive letter, the user is unable to connect. Log as follows:

[2023/05/30 18:57:04.169039,  2] ../../source3/modules/vfs_acl_xattr.c:292(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service IPC$
[2023/05/30 18:57:04.188074,  1] ../../librpc/ndr/ndr.c:628(_ndr_pull_error)
  ndr_pull_advance: ndr_pull_error(Buffer Size Error): Pull bytes 4294967295 (../../librpc/ndr/ndr.c:202) at ../../librpc/ndr/ndr.c:202
[2023/05/30 18:57:04.188330,  1] ../../source3/smbd/smbXsrv_tcon.c:1199(smbXsrv_tcon_global_traverse_fn)
  Invalid record in smbXsrv_tcon_global.tdb:key '17D708A6' ndr_pull_struct_blob - Buffer Size Error
[2023/05/30 18:57:04.189069,  2] ../../source3/smbd/service.c:852(make_connection_snum)
  192.168.101.109 (ipv4:192.168.101.109:62628) connect to service groups initially as user EXAMPLE-malcolmd (uid=51222, gid=50514) (pid 27148)
[2023/05/30 18:57:04.207794,  1] ../../librpc/ndr/ndr.c:628(_ndr_pull_error)
  ndr_pull_advance: ndr_pull_error(Buffer Size Error): Pull bytes 4294967295 (../../librpc/ndr/ndr.c:202) at ../../librpc/ndr/ndr.c:202
[2023/05/30 18:57:04.208033,  1] ../../source3/smbd/smbXsrv_tcon.c:1199(smbXsrv_tcon_global_traverse_fn)
  Invalid record in smbXsrv_tcon_global.tdb:key 'CC19D747' ndr_pull_struct_blob - Buffer Size Error
[2023/05/30 18:57:04.208314,  0] ../../source3/modules/vfs_full_audit.c:577(init_bitmap)
  Could not find opname chmod_acl, logging all
[2023/05/30 18:57:04.209164,  2] ../../source3/smbd/service.c:852(make_connection_snum)
  192.168.101.109 (ipv4:192.168.101.109:62628) connect to service home initially as user EXAMPLE-malcolmd (uid=51222, gid=50514) (pid 27148)
[2023/05/30 18:57:04.216581,  0] ../../source3/smbd/service.c:169(chdir_current_service)
  chdir_current_service: vfs_ChDir(/zdata/home) failed: Permission denied. Current token: uid=51222, gid=50514, 9 groups: 51222 50514 51157 51134 51146 1003 1004 1006 1001
[2023/05/30 18:57:04.217790,  1] ../../librpc/ndr/ndr.c:628(_ndr_pull_error)
  ndr_pull_advance: ndr_pull_error(Buffer Size Error): Pull bytes 4294967295 (../../librpc/ndr/ndr.c:202) at ../../librpc/ndr/ndr.c:202
[2023/05/30 18:57:04.218031,  1] ../../source3/smbd/smbXsrv_tcon.c:1199(smbXsrv_tcon_global_traverse_fn)
  Invalid record in smbXsrv_tcon_global.tdb:key 'A077D1CB' ndr_pull_struct_blob - Buffer Size Error
[2023/05/30 18:57:04.218308,  0] ../../source3/modules/vfs_full_audit.c:577(init_bitmap)
  Could not find opname chmod_acl, logging all
[2023/05/30 18:57:04.219131,  2] ../../source3/smbd/service.c:852(make_connection_snum)
  192.168.101.109 (ipv4:192.168.101.109:62628) connect to service home initially as user EXAMPLE-malcolmd (uid=51222, gid=50514) (pid 27148)
[2023/05/30 18:57:04.219936,  0] ../../source3/smbd/service.c:169(chdir_current_service)
  chdir_current_service: vfs_ChDir(/zdata/home) failed: Permission denied. Current token: uid=51222, gid=50514, 9 groups: 51222 50514 51157 51134 51146 1003 1004 1006 1001
[2023/05/30 18:57:04.981167,  1] ../../librpc/ndr/ndr.c:628(_ndr_pull_error)
  ndr_pull_advance: ndr_pull_error(Buffer Size Error): Pull bytes 4294967295 (../../librpc/ndr/ndr.c:202) at ../../librpc/ndr/ndr.c:202
[2023/05/30 18:57:04.981471,  1] ../../source3/smbd/smbXsrv_tcon.c:1199(smbXsrv_tcon_global_traverse_fn)
  Invalid record in smbXsrv_tcon_global.tdb:key '9796D692' ndr_pull_struct_blob - Buffer Size Error
[2023/05/30 18:57:04.982193,  2] ../../source3/smbd/service.c:852(make_connection_snum)
  192.168.101.109 (ipv4:192.168.101.109:62628) connect to service shared initially as user EXAMPLE-malcolmd (uid=51222, gid=50514) (pid 27148)
[2023/05/30 18:57:19.030379,  0] ../../source3/smbd/service.c:169(chdir_current_service)
  chdir_current_service: vfs_ChDir(/zdata/home) failed: Permission denied. Current token: uid=51222, gid=50514, 9 groups: 51222 50514 51157 51134 51146 1003 1004 1006 1001

Is the error referencing "Buffer Size Error" relevant to the issue here?

# testparm
....
# Global parameters
[global]
        client ldap sasl wrapping = seal
        deadtime = 10
        disable netbios = Yes
        disable spoolss = Yes
        domain master = No
        kerberos encryption types = strong
        kerberos method = secrets and keytab
        load printers = No
        local master = No
        log file = /var/log/samba4/log.%m
        max open files = 65535
        max xmit = 65535
        mdns name = mdns
        min receivefile size = 16384
        os level = 0
        preferred master = No
        printcap name = /dev/null
        realm = EXAMPLE.COM
        reject md5 servers = Yes
        security = ADS
        server string = 
        smb ports = 445
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
        template shell = /bin/bash
        winbind cache time = 10
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind separator = -
        workgroup = EXAMPLE
        nfs4:acedup = merge
        nfs4:mode = simple
        idmap config *:range = 1000-50000
        idmap config EXAMPLE:backend = rid
        idmap config EXAMPLE:default = yes
        idmap config EXAMPLE:range = 50001-60000
        idmap config * : backend = tdb
        admin users = EXAMPLE-doug "@ EXAMPLE-domain admins"
        aio read size = 16384
        aio write size = 16384
        directory name cache size = 0
        hosts allow = 192.168.xxx. 
        inherit owner = windows and unix
        inherit permissions = Yes
        map acl inherit = Yes
        max connections = 65535
        read only = No
        strict locking = No
        strict sync = No
        use sendfile = Yes
        vfs objects = zfsacl acl_xattr audit

[groups]
        comment = Departmental folders
        delete veto files = Yes
        force create mode = 0770
        force directory mode = 0770
        hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
        map archive = No
        path = /zdata/groups
        valid users = "@EXAMPLE-domain users"
        veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
        vfs objects = zfsacl shadow_copy2
        shadow: localtime = no
        shadow: sort = desc
        shadow: snapdirseverywhere = yes
        shadow: format = %Y-%m-%dT%H:%M:%S
        shadow: snapdir = .zfs/snapshot

[shared]
        comment = Folder for intra-company sharing
        delete veto files = Yes
        hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
        map archive = No
        path = /zdata/shared
        valid users = "@ EXAMPLE-domain users"
        veto files = /lost+found/Network Trash Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
        vfs objects = zfsacl


Additionally, a domain user can map a drive letter to a share on that server and succeed. However, when switching to X: via a command prompt window, it fails with an error message "Access is denied".

I've reviewed the ACLs of the directories offered as shares and they appear to be valid. An example is as follows:

[root at aries /zdata]# getfacl ./groups
# file: ./groups
# owner: root
# group: wheel
group:EXAMPLE-domain admins:rwxpDdaARWcCos:fd-----:allow
group: EXAMPLE-domain users:rwxpDdaARWcCos:-------:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow
[root at aries /zdata]#
 
I have uninstalled and reinstalled Samba 4.16 a few times and have trashed /var/db/samba4 in between installs. Still, our domain users are not able to access the shares.

What am I missing here?

~Doug
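A way to check the posted token against the posted ACL mechanically (an added example, not Doug's or Samba's code): it re-derives the gids idmap_rid would hand out for the EXAMPLE range shown in the testparm output, parses the "Current token" from the chdir_current_service line and the ACEs from the getfacl output, and applies the NFSv4 first-match rule for the traverse ('x') bit. The two group RIDs (512 for Domain Admins, 513 for Domain Users) and root/wheel being uid/gid 0 are assumptions; on the server itself, `wbinfo --name-to-sid 'EXAMPLE-domain users'` and `getent group 'EXAMPLE-domain users'` give the real values. A result of "allow" only says that the ACL as displayed grants traversal to that token; it says nothing about /zdata itself, which must also be traversable, nor about the dataset's aclmode/aclinherit properties, which getfacl does not display.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed inputs copied from the post above: the failing vfs_ChDir log line
# and the getfacl output for /zdata/groups. Added example, not Samba code.
LOG_LINE = (
    "chdir_current_service: vfs_ChDir(/zdata/home) failed: Permission denied. "
    "Current token: uid=51222, gid=50514, 9 groups: "
    "51222 50514 51157 51134 51146 1003 1004 1006 1001"
)

GETFACL_OUTPUT = """\
# file: ./groups
# owner: root
# group: wheel
group:EXAMPLE-domain admins:rwxpDdaARWcCos:fd-----:allow
group: EXAMPLE-domain users:rwxpDdaARWcCos:-------:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow
"""

# From the posted testparm: idmap config EXAMPLE:backend = rid, range 50001-60000.
# idmap_rid computes ID = RID - BASE_RID + LOW_RANGE_ID; BASE_RID defaults to 0.
RID_LOW, RID_HIGH, BASE_RID = 50001, 60000, 0

# Assumption: these names are the builtin Domain Admins (512) / Domain Users (513).
# Confirm on the server with: wbinfo --name-to-sid 'EXAMPLE-domain users'
ASSUMED_GROUP_RIDS = {"EXAMPLE-domain admins": 512, "EXAMPLE-domain users": 513}

# Owner root / group wheel from the getfacl header; both are id 0 on FreeBSD.
OWNER_UID, OWNER_GID = 0, 0


@dataclass
class Ace:
    kind: str      # "group", "user", "owner@", "group@" or "everyone@"
    name: str      # principal name; empty for the @ specials
    perms: str     # NFSv4 permission letters, "-" where not set
    flags: str     # inheritance flags
    ace_type: str  # "allow" or "deny"


def rid_to_id(rid: int) -> int:
    """Reproduce idmap_rid for the EXAMPLE range; raise if the RID falls outside it."""
    unix_id = rid - BASE_RID + RID_LOW
    if not RID_LOW <= unix_id <= RID_HIGH:
        raise ValueError(f"RID {rid} maps to {unix_id}, outside {RID_LOW}-{RID_HIGH}")
    return unix_id


def parse_token(line: str) -> Tuple[int, int, List[int]]:
    """Pull uid, primary gid and the group list out of smbd's token dump."""
    m = re.search(r"uid=(\d+), gid=(\d+), (\d+) groups: ([\d ]+)", line)
    if not m:
        raise ValueError("no 'Current token' in log line")
    uid, gid, count = int(m.group(1)), int(m.group(2)), int(m.group(3))
    groups = [int(g) for g in m.group(4).split()]
    if len(groups) != count:
        raise ValueError(f"token announces {count} groups but lists {len(groups)}")
    return uid, gid, groups


def parse_nfs4_acl(text: str) -> List[Ace]:
    """Parse FreeBSD getfacl output for an NFSv4 ACL into its ordered ACEs."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The last three fields never contain ':'; the principal may contain spaces.
        principal, perms, flags, ace_type = line.rsplit(":", 3)
        if principal.endswith("@"):
            aces.append(Ace(principal, "", perms, flags, ace_type))
        else:
            kind, name = principal.split(":", 1)
            # getfacl prints the NSS name; surrounding whitespace is normalised here.
            aces.append(Ace(kind.strip(), name.strip(), perms, flags, ace_type))
    return aces


def ace_matches(ace: Ace, uid: int, gids: Set[int], principal_ids: Dict[str, int]) -> bool:
    """Does the ACE's principal cover this token?"""
    if ace.kind == "owner@":
        return uid == OWNER_UID
    if ace.kind == "group@":
        return OWNER_GID in gids
    if ace.kind == "everyone@":
        return True
    wanted = principal_ids.get(f"{ace.kind}:{ace.name}")
    if wanted is None:
        return False  # unresolvable name cannot match any numeric id in the token
    return wanted == uid if ace.kind == "user" else wanted in gids


def evaluate_bit(aces: List[Ace], bit: str, uid: int, gid: int, groups: List[int],
                 principal_ids: Dict[str, int]) -> Tuple[str, Optional[Ace]]:
    """NFSv4 rule for one permission bit: ACEs are walked in order and the first
    matching ACE that mentions the bit decides; no matching ACE means deny."""
    gids = set(groups) | {gid}
    for ace in aces:
        if bit in ace.perms and ace_matches(ace, uid, gids, principal_ids):
            return ace.ace_type, ace
    return "deny", None


def check_traverse() -> Tuple[str, str]:
    """Run the posted token against the posted ACL for the 'x' (traverse) bit."""
    uid, gid, groups = parse_token(LOG_LINE)
    aces = parse_nfs4_acl(GETFACL_OUTPUT)
    principal_ids = {f"group:{n}": rid_to_id(r) for n, r in ASSUMED_GROUP_RIDS.items()}
    decision, ace = evaluate_bit(aces, "x", uid, gid, groups, principal_ids)
    if ace is None:
        return decision, "no matching ACE"
    return decision, f"{ace.kind}:{ace.name}" if ace.name else ace.kind


if __name__ == "__main__":
    print(check_traverse())
```

Swapping in the real gid from `getent group` for the assumed RID mapping, or pasting a different chdir_current_service line, is the intended way to reuse this; the "N groups" count check catches a truncated paste of the token.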
