Hello everyone,

Samba stopped authenticating AD users after minor upgrade.

Environment:
- OS: CentOS 7
- Samba Version: Upgraded from samba-4.10.16-15 to samba-4.10.16-25

Problem:
Clients are unable to authenticate with Active Directory credentials, receiving a "password incorrect" error.

Verification:
sudo net ads testjoin shows a successful join.
wbinfo --ping-dc confirms successful connection to the domain controller "windc1.domain".

Troubleshooting Steps:
Verified user and group information:
getent passwd user
getent group usergroup
id user
All the above are printing correct results and AD seems to be syncing with SAMBA without any issue.

Latest entries from the logs:

log.smbd
[2024/04/04 12:52:30.935843, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
  daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
[2024/04/04 12:52:30.938077, 2] ../../source3/smbd/server.c:1421(smbd_parent_loop)
  waiting for connections

log.wb-SAMBA
[2024/04/04 12:32:02.947286, 2] ../../source3/winbindd/winbindd_rpc.c:301(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
[2024/04/04 12:48:32.894497, 0] ../../source3/winbindd/winbindd.c:243(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)

log.winbindd
[2024/04/04 12:56:35.981413, 2] ../../auth/kerberos/kerberos_pac.c:100(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)

log.wb-cs
[2024/04/04 12:04:04.115315, 1] ../../source3/rpc_client/cli_pipe.c:569(cli_pipe_validate_current_pdu)
  ../../source3/rpc_client/cli_pipe.c:569: RPC fault code DCERPC_FAULT_SEC_PKG_ERROR received from host windc1.domain!
[2024/04/04 12:48:32.890687, 0] ../../source3/winbindd/winbindd.c:243(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2024/04/04 12:52:01.993363, 0] ../../source3/winbindd/winbindd.c:243(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)

log.winbindd-dc-connect
[2024/04/04 11:59:34.111573, 1] ../../source3/libads/ldap.c:565(ads_find_dc)
  ads_find_dc: name resolution for realm 'XYZ.domain' (domain 'XYZ') failed: NT_STATUS_NO_LOGON_SERVERS

I've also attempted restarting all Samba-related services and rebooting the server, but the issue persists.

Any assistance or pointers in the right direction would be greatly appreciated. For the time being I have reverted back to samba-4.10.16-15 and it started working again.

Thanks,
Zaheer
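Added example, not part of the original messages: a small triage script for winbindd/smbd log entries like the ones quoted in the post above. It pulls out the NT_STATUS/DCERPC symbols and converts the MIT krb5 library code to its Kerberos protocol error number. The function names are hypothetical, and SAMPLE reuses four entries from the post.

```python
import re
from collections import Counter

# Samba debug header: [YYYY/MM/DD HH:MM:SS.usec, level] source.c:line(function)
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)")
STATUS = re.compile(r"\b(?:NT_STATUS|DCERPC_FAULT)_[A-Z0-9_]+\b")
KRB5_CODE = re.compile(r"\((-1765328\d{3})\)")
# MIT krb5 error-table base; code minus base is the RFC 4120 error number
# (31 = KRB_AP_ERR_BAD_INTEGRITY, "Integrity check on decrypted field failed").
KRB5_BASE = -1765328384

def parse_entries(text):
    """Split a log into entries; each header owns the message lines after it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            entries.append({**m.groupdict(), "level": int(m["level"]),
                            "msg": line[m.end():].strip()})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def auth_signals(entries):
    """Count status symbols and Kerberos protocol error numbers in messages."""
    seen = Counter()
    for e in entries:
        for sym in STATUS.findall(e["msg"]):
            seen[sym] += 1
        for code in KRB5_CODE.findall(e["msg"]):
            seen[f"KRB5 error {int(code) - KRB5_BASE}"] += 1
    return seen

# Entries taken from the post above (header line, then indented message line).
SAMPLE = """\
[2024/04/04 12:32:02.947286, 2] ../../source3/winbindd/winbindd_rpc.c:301(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
[2024/04/04 12:56:35.981413, 2] ../../auth/kerberos/kerberos_pac.c:100(check_pac_checksum)
  check_pac_checksum: PAC Verification failed: Decrypt integrity check failed (-1765328353)
[2024/04/04 12:04:04.115315, 1] ../../source3/rpc_client/cli_pipe.c:569(cli_pipe_validate_current_pdu)
  ../../source3/rpc_client/cli_pipe.c:569: RPC fault code DCERPC_FAULT_SEC_PKG_ERROR received from host windc1.domain!
[2024/04/04 11:59:34.111573, 1] ../../source3/libads/ldap.c:565(ads_find_dc)
  ads_find_dc: name resolution for realm 'XYZ.domain' (domain 'XYZ') failed: NT_STATUS_NO_LOGON_SERVERS
"""

if __name__ == "__main__":
    for signal, count in auth_signals(parse_entries(SAMPLE)).most_common():
        print(f"{count:3d}  {signal}")
```
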
On Thu, 4 Apr 2024 14:28:16 +0100
Zaheer Abbas via samba <samba at lists.samba.org> wrote:

> Hello everyone,
>
> Samba stopped authenticating AD users after minor upgrade.
>
> Environment:
> - OS: CentOS 7
> - Samba Version: Upgraded from samba-4.10.16-15 to samba-4.10.16-25
>

The problem is, CentOS 7 will go EOL in about 3 months, at which point you will have to move to CentOS Stream (which is a different beast to the CentOS you have now), use RHEL (which, because you are using CentOS, I doubt you want to) or use Rocky Linux, Alma Linux etc.

4.10.x is EOL from the Samba point of view, in fact 4.20.0 has just been released, so there is little chance of getting 4.10.x fixed if you have found a bug, unless it is fixed in RHEL and then ported to CentOS 7.

I suggest you upgrade to something like Rocky Linux 9, which will get you 4.17.x (still EOL from Samba (Samba supports the last three versions, 4.20, 4.19 and 4.18)).

If you want a very recent version of Samba, use Debian 12 and Samba from bookworm-backports, this will get you 4.19.5.

If you still have your problem after upgrading to a version supported by Samba, then I suggest you open a bug report.

Of course, it may be a configuration error, so it might help if you post the output from 'testparm -s'

Rowland