Hi all,
I'm a bit lost in a Samba setup which turned bad after an upgrade.
Everything was working fine when running samba 2:4.13.5+dfsg-2, and it
broke my setup after upgrading to 2:4.13.13+dfsg-1~deb11u3.
The server is running an up to date debian stable and configured as a
domain member only.
- samba 4.13.13+dfsg-1~deb11u3
- winbind 4.13.13+dfsg-1~deb11u3
- libnss-winbind 4.13.13+dfsg-1~deb11u3
Kerberos is correctly configured and the machine has been linked to the
domain using net ads join.
All the domain controllers of the domain are running Windows Server.
## SMB conf file ##
[global]
    client signing = required
    deadtime = 30
    dedicated keytab file = /etc/krb5.keytab
    disable spoolss = Yes
    dns proxy = No
    domain master = No
    kerberos method = secrets and keytab
    load printers = No
    local master = No
    log file = /var/log/samba/log.%I
    max log size = 3000
    panic action = /usr/share/samba/panic-action %d
    password server = AD1.DOMAIN.MYDOMAIN.ORG
    realm = DOMAIN.MYDOMAIN.ORG
    security = ADS
    server min protocol = SMB2
    server signing = required
    server string = srv.MYDOMAIN.ORG
    template homedir = /home/%U
    template shell = /bin/bash
    username map = /etc/samba/smbusers
    username map script = /bin/echo
    usershare allow guests = Yes
    winbind use default domain = Yes
    wins server = 123.123.1.2
    workgroup = DOMAIN
    idmap config DOMAIN:unix_primary_group = no
    idmap config DOMAIN:unix_nss_info = no
    idmap config DOMAIN:range = 9000 - 90000000
    idmap config DOMAIN:backend = ad
    idmap config INTRANET:schema_mode = rfc2307
    idmap config * : range = 3000 - 8500
    idmap config * : backend = tdb
    hosts allow = 123.123. 127. 10.95.
## nsswitch.conf ##
passwd:         compat winbind ldap systemd
group:          compat winbind ldap systemd
## SMB LOGS ##
When connecting to the share from Windows or Linux, I get this result
and can't enter the shared folder.
[2022/04/05 13:18:28.795040,  3] ../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth)
  Got user=[myuser] domain=[mydomain] workstation=[machine] len1=0 len2=142
[2022/04/05 13:18:28.800143,  3] ../../source3/auth/user_util.c:353(map_username)
  Mapped user myuser to myuser
[2022/04/05 13:18:28.800228,  3] ../../source3/auth/auth.c:200(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [mydomain]\[myuser]@[machine] with the new password interface
[2022/04/05 13:18:28.800254,  3] ../../source3/auth/auth.c:203(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [mydomain]\[myuser]@[machine]
[2022/04/05 13:18:28.810026,  3] ../../source3/auth/user_util.c:353(map_username)
  Mapped user mydomain\myuser to mydomain\myuser
[2022/04/05 13:18:28.810155,  3] ../../source3/auth/auth.c:267(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [myuser] succeeded
[2022/04/05 13:18:28.810264,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [mydomain]\[myuser] at [Tue, 05 Apr 2022 13:18:28.810236 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [machine] remote host [ipv4:123.123.157.16:50120] became [mydomain]\[myuser] [S-1-5-21-12345678-123456789-112233445-142182]. local host [ipv4:123.123.241.3:445]
  {"timestamp": "2022-04-05T13:18:28.810420+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:123.123.241.3:445", "remoteAddress": "ipv4:123.123.157.16:50120", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "mydomain", "clientAccount": "myuser", "workstation": "machine", "becameAccount": "myuser", "becameDomain": "mydomain", "becameSid": "S-1-5-21-12345678-123456789-112233445-142182", "mappedAccount": "myuser", "mappedDomain": "mydomain", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 16317}}
[2022/04/05 13:18:28.810490,  2] ../../source3/auth/auth.c:323(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [myuser] -> [myuser] -> [mydomain\myuser] succeeded
[2022/04/05 13:18:28.812094,  3] ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2022/04/05 13:18:28.812115,  3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088235
[2022/04/05 13:18:28.812920,  1] ../../source3/auth/token_util.c:1089(create_token_from_sid)
  sid_to_gid(S-1-5-21-12345678-123456789-112233445-513) failed
[2022/04/05 13:18:28.812986,  3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
==> log.wb-mydomain <=
[2022/04/05 13:18:28.801106,  3] ../../source3/winbindd/winbindd_pam.c:2698(winbindd_dual_pam_auth_crap)
  [ 7141]: pam auth crap domain: mydomain user: myuser
[2022/04/05 13:18:28.804698,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [winbind,NTLM_AUTH, smbd, 7141] user [mydomain]\[myuser] at [Tue, 05 Apr 2022 13:18:28.804672 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [sbitpc23] remote host [unix:] became [mydomain]\[myuser] [S-1-5-21-12345678-123456789-112233445-142182]. local host [unix:]
  {"timestamp": "2022-04-05T13:18:28.804766+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "123d123fbfb6d8dd", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH, smbd, 7141", "clientDomain": "mydomain", "clientAccount": "myuser", "workstation": "sbitpc23", "becameAccount": "myuser", "becameDomain": "mydomain", "becameSid": "S-1-5-21-12345678-123456789-112233445-142182", "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 3685}}
I did a lot of tests and could finally "fix" the issue by switching
    idmap config DOMAIN:backend = ad
to
    idmap config DOMAIN:backend = rid
But then it obviously killed all my UID/GID mappings.
I can't understand what's wrong in this setup and why the AD backend is
suddenly not working after this smb upgrade. When I rollback to the
prior version, everything comes back as normal.
It looks like I have the same issue on a CentOS 7 server where I could
rollback samba before finding a working solution.
Any advice would be nice, thanks in advance!
--
Thibault
Try it again after adding in [Global]:
    min domain uid = 0

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Thibault Roulet via samba
> Sent: Tuesday, 5 April 2022 14:05
> To: samba at lists.samba.org
> Subject: [Samba] AD Member setup broken after samba upgrade
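A small triage helper for the log pattern in the original post (winbind reports NT_STATUS_OK, then create_token_from_sid() fails in sid_to_gid() for the RID-513 group and the SMB2 session setup is answered with NT_STATUS_LOGON_FAILURE) and for the two settings discussed in the thread, the DOMAIN idmap backend and the reply's min domain uid. This is an added example, not code from the list or from the Samba project. The config and log lines are constructed from the post (the poster's placeholder domain, SIDs and ranges); the idmap_rid arithmetic (ID = RID - BASE_RID + LOW_RANGE_ID), the 1000 default of min domain uid and the wbinfo --sid-to-gid option are taken from the Samba man pages.

```python
"""Triage a Samba AD-member logon that authenticates but fails to build a token.

Pattern from the thread: winbind logs NT_STATUS_OK, then smbd's
create_token_from_sid() fails on sid_to_gid() for a group SID and the SMB2
session setup ends in NT_STATUS_LOGON_FAILURE.  SMB_CONF and SMB_LOG are
constructed from the post (hypothetical domain, SIDs and addresses).
"""
import json
import re

# Constructed from the poster's smb.conf: only the lines the triage needs.
SMB_CONF = """
[global]
    workgroup = DOMAIN
    idmap config DOMAIN:unix_primary_group = no
    idmap config DOMAIN:range = 9000 - 90000000
    idmap config DOMAIN:backend = ad
    idmap config INTRANET:schema_mode = rfc2307
    idmap config * : range = 3000 - 8500
    idmap config * : backend = tdb
"""

# Constructed from the poster's smbd log; the JSON audit record is one line.
SMB_LOG = """
[2022/04/05 13:18:28.810155,  3] ../../source3/auth/auth.c:267(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [myuser] succeeded
  {"timestamp": "2022-04-05T13:18:28.810420+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "clientAccount": "myuser", "becameSid": "S-1-5-21-12345678-123456789-112233445-142182", "passwordType": "NTLMv2"}}
[2022/04/05 13:18:28.812920,  1] ../../source3/auth/token_util.c:1089(create_token_from_sid)
  sid_to_gid(S-1-5-21-12345678-123456789-112233445-513) failed
[2022/04/05 13:18:28.812986,  3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
"""

# Well-known domain-relative RIDs; 513 is the primary group of every domain
# user, so an unmappable 513 breaks token creation for everyone.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers"}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")
SID_FAIL_RE = re.compile(r"sid_to_gid\((S-1-5-21(?:-\d+)+)\) failed")
STATUS_RE = re.compile(r"status\[(NT_STATUS_\w+)\]")


def parse_idmap(conf):
    """Collect 'idmap config <domain>:<key> = <value>' into {domain: {key: value}}."""
    idmap = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, key, value = m.groups()
            idmap.setdefault(domain, {})[key] = value
    return idmap


def parse_range(value):
    """'9000 - 90000000' -> (9000, 90000000)."""
    low, high = (int(part) for part in value.split("-"))
    return low, high


def sid_rid(sid):
    """Relative identifier: the last dash-separated component of the SID."""
    return int(sid.rsplit("-", 1)[1])


def rid_backend_id(sid, low, base_rid=0):
    """idmap_rid arithmetic: ID = RID - BASE_RID + LOW_RANGE_ID.  This is why the
    rid backend 'worked' (Domain Users -> 9513) and why its IDs no longer match
    the uidNumber/gidNumber values the ad backend had been reading from AD."""
    return sid_rid(sid) - base_rid + low


def orphan_idmap_domains(idmap):
    """Domains that carry idmap keys but no backend: those keys configure nothing."""
    return sorted(d for d, keys in idmap.items() if "backend" not in keys)


def ranges_below_min_domain_uid(idmap, min_domain_uid=1000):
    """'min domain uid' (default 1000) rejects domain users with a UID below it;
    list the idmap ranges that can actually hand out such IDs."""
    return sorted(d for d, keys in idmap.items()
                  if "range" in keys and parse_range(keys["range"])[0] < min_domain_uid)


def triage(log, conf):
    """Correlate the JSON audit record, the sid_to_gid failure and the final status."""
    idmap = parse_idmap(conf)
    workgroup = re.search(r"^\s*workgroup\s*=\s*(\S+)", conf, re.M).group(1)
    dom = idmap.get(workgroup, {})
    r = {"auth_status": None, "failed_sid": None, "failed_rid_name": None,
         "final_status": None, "rid_backend_would_give": None,
         "domain_backend": dom.get("backend"),
         "orphan_domains": orphan_idmap_domains(idmap), "hints": []}
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("{"):  # structured audit record: stable field names
            rec = json.loads(line)
            if rec.get("type") == "Authentication":
                r["auth_status"] = rec["Authentication"]["status"]
            continue
        m = SID_FAIL_RE.search(line)
        if m:
            r["failed_sid"] = m.group(1)
            r["failed_rid_name"] = WELL_KNOWN_RIDS.get(sid_rid(m.group(1)), "unknown RID")
            continue
        m = STATUS_RE.search(line)
        if m and m.group(1) != "NT_STATUS_OK":
            r["final_status"] = m.group(1)
    if r["failed_sid"] and "range" in dom:
        r["rid_backend_would_give"] = rid_backend_id(r["failed_sid"], parse_range(dom["range"])[0])
    if r["auth_status"] == "NT_STATUS_OK" and r["failed_sid"]:
        r["hints"].append("credentials were accepted; the failure is in SID->ID mapping")
    if r["domain_backend"] == "ad" and r["failed_sid"]:
        r["hints"].append(f"ad backend needs a gidNumber inside {dom.get('range')} on "
                          f"'{r['failed_rid_name']}'; check: wbinfo --sid-to-gid {r['failed_sid']}")
    return r


if __name__ == "__main__":
    for key, value in triage(SMB_LOG, SMB_CONF).items():
        print(f"{key}: {value}")
```

The structured audit record is parsed instead of the human-readable Auth: line because its field names are stable across Samba versions. For the poster's configuration the helper reports that both configured ranges start above the default min domain uid, that the INTRANET idmap key is attached to a domain with no backend, and that the rid backend would have handed Domain Users GID 9513, which is where the "killed all my UID/GID mappings" observation comes from.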