[Samba] Samba AD Authentication Issues After Update

Zaheer Abbas zaheer.psg at gmail.com
Thu Apr 4 13:28:16 UTC 2024 

Hello everyone,

Samba stopped authenticating AD users after minor upgrade.

Environment:
- OS: CentOS 7
- Samba Version: Upgraded from samba-4.10.16-15 to samba-4.10.16-25

Problem:
Clients are unable to authenticate with Active Directory credentials,
receiving a "password incorrect" error.

Verification:
sudo net ads testjoin shows a successful join.
wbinfo --ping-dc confirms successful connection to the domain controller
"windc1.domain".

Troubleshooting Steps:
Verified user and group information:
getent passwd user
getent group usergroup
id user

All the above are printing correct results and AD seems to be syncing with
SAMBA without any issue.


Latest entries from the logs:

log.smbd
[2024/04/04 12:52:30.935843, 0]
../../lib/util/become_daemon.c:136(daemon_ready)
 daemon_ready: daemon 'smbd' finished starting up and ready to serve
connections
[2024/04/04 12:52:30.938077, 2]
../../source3/smbd/server.c:1421(smbd_parent_loop)
 waiting for connections

log.wb-SAMBA
[2024/04/04 12:32:02.947286, 2]
../../source3/winbindd/winbindd_rpc.c:301(rpc_name_to_sid)
 name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
[2024/04/04 12:48:32.894497, 0]
../../source3/winbindd/winbindd.c:243(winbindd_sig_term_handler)
 Got sig[15] terminate (is_parent=0)

log.winbindd
[2024/04/04 12:56:35.981413, 2]
../../auth/kerberos/kerberos_pac.c:100(check_pac_checksum)
 check_pac_checksum: PAC Verification failed: Decrypt integrity check
failed (-1765328353)


log.wb-cs
[2024/04/04 12:04:04.115315, 1]
../../source3/rpc_client/cli_pipe.c:569(cli_pipe_validate_current_pdu)
 ../../source3/rpc_client/cli_pipe.c:569: RPC fault code
DCERPC_FAULT_SEC_PKG_ERROR received from host windc1.domain!
[2024/04/04 12:48:32.890687, 0]
../../source3/winbindd/winbindd.c:243(winbindd_sig_term_handler)
 Got sig[15] terminate (is_parent=0)
[2024/04/04 12:52:01.993363, 0]
../../source3/winbindd/winbindd.c:243(winbindd_sig_term_handler)
 Got sig[15] terminate (is_parent=0)


log.winbindd-dc-connect
[2024/04/04 11:59:34.111573, 1] ../../source3/libads/ldap.c:565(ads_find_dc)
 ads_find_dc: name resolution for realm 'XYZ.domain' (domain 'XYZ') failed:
NT_STATUS_NO_LOGON_SERVERS


I've also attempted restarting all Samba-related services and rebooting the
server, but the issue persists. Any assistance or pointers in the right
direction would be greatly appreciated.

For the time being I have reverted back to samba-4.10.16-15 and it started
working again.

Thanks,
Zaheer

More information about the samba mailing list