Popp, Casey A SGT USARMY NG NEARNG (US)
2013-Jan-16 21:30 UTC
[Samba] Samba AD Auth Stops After Patches
Hello, I have an issue that I can't sort out.

Issue: Just applied the latest round of patches that brought me up to this Samba version and suddenly end-users are being prompted for authentication when attempting to access shares on this CentOS box from their Windows Vista, 7x86, and 7x64 workstations.

Problem: I am new to Samba and seem to not be connecting the dots.

Layer 1: I can ping local host, Samba server name and IP from the Samba server and from a Win7x64 client.

Here is my research and observations:

1. cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 5.9 (Tikanga)

---

2. smbstatus
    Samba version 3.6.6-0.129.el5

---

3. There are no permission problems on the shared directories nor the parent chain.

---

4. (Symptom) There is an apparent group ownership problem on the shares. Where it used to resolve the active directory security group, now there is only a numerical string. Attempting to reassign the proper group ownership fails as follows:

4a. ll | grep 12345
    drwxrwxrwx 4 comp 1488701 4096 Jan 31 2006 12345

4b. chown -R comp:orrfo12345 12345
    chown: `comp:orrfo12345': invalid group

4e. Ok, this is a big problem but what is causing it?

---

5. From the server hosting Samba, I looked to see if it could resolve the groups. (A Factor) One concern regarding this process is that we collapsed into a much larger domain about a year ago. As a result, what is retrieved for a data set is rather large. Also, it takes some time. That is why I grep in the following:

5a. wbinfo -g | grep -i ORRFO
5b. getent group OR+ORRFO12345 | awk -F: '{print $4}' | sed 's/OR+//g' | sed 's/,/\n/g'
5c. Both commands return a valid list after several seconds.

---

6. Checking the winbind user:

6a. net help getauthuser
6b. The command returns the credentials of an active directory account that is present, unlocked, and set with the correct password.

---

7. Checking if it can resolve the domain controller:

7a. wbinfo -I IPAddrOfDC
7b. It resolves correctly.

---

8. Check to see if can get SID of winbind user:

8a. wbinfo -n OR+linux.samba.svc
8b. The command returns the SID.

---

9. Checked on services:

9a. wbinfo -p
    Ping to winbindd succeeded

9b. wbinfo -t
    checking the trust secret for domain OR via RPC calls succeeded

9c. service --status-all | egrep "winbindd|nmbd|smbd"
    nmbd (pid 15246) is running...
    smbd (pid 28397 26486 21186 20942 20941 20940 20939 20938 20937 20936 20935 20934 20933 20930 20929 20927 20926 20925 20924 20923 20922 20921 20920 20917 20916 18027 14885 14878 6418) is running...
    winbindd (pid 9208 9187 9185 9184 9182) is running...

9d. wbinfo --online-status
    BUILTIN : online
    OR-CENTSAMBA-01 : online
    OR : online

9e. (Problem) Not sure if it is an issue but nmbd was not started initially. The results above come after having started it.

---

10. Verifying smb.conf. I cut out all but one of the shares to keep it simple. The allow connections section was also trimmed but all were ok.

10a. testparm /etc/samba/smb.conf MyWorkstationName MyWorkstationIP
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    WARNING: The "idmap backend" option is deprecated
    WARNING: The "idmap uid" option is deprecated
    WARNING: The "idmap gid" option is deprecated
    Processing section "[12345]"
    Loaded services file OK.
    WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
    (by default Samba will discover the correct DC to contact automatically).
    'winbind separator = +' might cause problems with group membership.
    WARNING: You have some share names that are longer than 12 characters.
    These may not be accessible to some older clients.
    (Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
    Server role: ROLE_DOMAIN_MEMBER
    Allow connection from MyWorkstationName (MyWorkstationIP) to 12345

10b. (Don't Know) I am not sure if these warnings had been on the system before or if they are the result of patching.

---

11. I created a new user on the Samba server and added it to smbusers. An identically named account exists on another CentOS server that rides the backbone. I am able to access the directories from that server without being prompted for auth:

11a. smb://OR-CENTSAMBA-01

---

12. I checked the time on the DC against that on the Samba server and they are within seconds.

---

13. I refreshed the Kerberos ticket. It is good.

---

14. (Problem) Here is one I can't explain. I came across this as a check but never found what to do if this didn't work.

14a. smbclient -L localhost
    WARNING: The "idmap backend" option is deprecated
    WARNING: The "idmap uid" option is deprecated
    WARNING: The "idmap gid" option is deprecated
    Enter root's password:
    Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)

---

15. Here is my smb.conf

15b. more /etc/samba/smb.conf

[global]
workgroup = OR
realm = OR.SOME.THING.COM
netbios name = OR-CENTSAMBA-01
server string = OR Cent Samba
interfaces = MyServerIP
bind interfaces only = Yes
security = ADS
client schannel = No
allow trusted domains = No
password server = IPforDC1 IPforDC2
syslog = 0
;log level = 10
log file = /var/log/samba/log.%m
max log size = 20480
;socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY IPTOS_LOWDELAY
server signing = auto
;client use spnego = No
local master = No
domain master = No
dns proxy = No
wins server = IPforWINSsvr1 IPforWINSsvr2
name resolve order = host wins bcast
pid directory = /var/run/samba
idmap backend = rid:OR=1000000-3000000
idmap uid = 1000000-3000000
idmap gid = 1000000-3000000
template homedir = /home/%U
template shell = /bin/bash
winbind separator = +
winbind cache time = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind offline logon = false
read only = No
hosts allow = hostname, octet1.octet2., 127.
short preserve case = No
veto oplock files = /*.xls/
dos filetime resolution = Yes

################## SHARE DEFINITIONS ##############################################

[12345]
comment = 12345
valid users = @OR+ORRFO12345
path = /parent/12345
public = no
writeable = yes
force group = @OR+ORRFO12345

[TEST]
comment = Test Share
valid users = "@OR+SecGrpName"
path = /parent/test
public = no
writeable = yes
force group = "@OR+SecGrpName"
create mask = 0770
directory mask = 0770

#=========================Printer Test========================================
[smbpdf]
comment = PDF Generator
valid users = @OR+"Domain Users"
printing = sysv
path = /var/spool/samba
printable = yes
print command = /usr/sbin/pdfprint %s %U %I %a
lpq command = #
lprm command = #
lppause command = #
lpresume command = #
queuepause command = #
queueresume command = #
use client driver = yes

[smbtiff]
comment = TIFF Generator
valid users = @OR+"Domain Users"
printing = sysv
path = /var/spool/samba
printable = yes
print command = /usr/sbin/tiffprint %s %U %I %a
lpq command = #
lprm command = #
lppause command = #
lpresume command = #
queuepause command = #
queueresume command = #
use client driver = yes

15c. I have validated that the first listed WINS server is online and that it contains the following active records:
    [1Eh]
    [00h]
    [03h]
    [20h]

15d. All of the shares prompt for authentication.

---

16. Latest patches that might fit into the time frame when this was first noticed.

16a. cat /var/log/yum.log | egrep "winbind|nmb|smb|samba"
    Jan 11 09:33:45 Updated: samba3x-winbind-3.6.6-0.129.el5.i386
    Jan 11 09:33:49 Updated: samba3x-common-3.6.6-0.129.el5.i386
    Jan 11 09:33:52 Updated: samba3x-doc-3.6.6-0.129.el5.i386
    Jan 11 09:33:52 Updated: samba3x-winbind-devel-3.6.6-0.129.el5.i386
    Jan 11 09:33:56 Updated: samba3x-3.6.6-0.129.el5.i386
    Jan 11 09:34:02 Updated: samba3x-client-3.6.6-0.129.el5.i386

---

So, the big thing I see is that I can access AD from the Samba server and query; however, whatever is supposed to be resolving the group names on the shares is not working. I am left to assume that this is the cause for the auth prompts in Windows Explorer on the Windows client PCs as well. But what mechanism is it?

Thanks,

Casey
It could be several things. idmap syntax changed again in 3.6.x. I've put an example of that in your [global] section below.

3.6.x introduced some problems with winbind - https://bugzilla.samba.org/show_bug.cgi?id=8676 specifically got me, but there are others documented also.

Dale

On 01/16/2013 3:30 PM, Popp, Casey A SGT USARMY NG NEARNG (US) wrote:
> more /etc/samba/smb.conf
>
> [global]
> workgroup = OR
> realm = OR.SOME.THING.COM
> netbios name = OR-CENTSAMBA-01
> server string = OR Cent Samba
> interfaces = MyServerIP
> bind interfaces only = Yes
> security = ADS
> client schannel = No
> allow trusted domains = No
> password server = IPforDC1 IPforDC2
> syslog = 0
> ;log level = 10
> log file = /var/log/samba/log.%m
> max log size = 20480
> ;socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> socket options = TCP_NODELAY IPTOS_LOWDELAY
> server signing = auto
> ;client use spnego = No
> local master = No
> domain master = No
> dns proxy = No
> wins server = IPforWINSsvr1 IPforWINSsvr2
> name resolve order = host wins bcast
> pid directory = /var/run/samba
> # idmap backend = rid:OR=1000000-3000000
> # idmap uid = 1000000-3000000
> # idmap gid = 1000000-3000000
idmap config * : backend = tdb
idmap config * : range = <low> - <high>
idmap config <DOMAIN> : default = Yes
idmap config <DOMAIN> : backend = rid
idmap config <DOMAIN> : range = <different low> - <different high>
> template homedir = /home/%U
> template shell = /bin/bash
> winbind separator = +
> winbind cache time = 10
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind offline logon = false
> read only = No
> hosts allow = hostname, octet1.octet2., 127.
> short preserve case = No
> veto oplock files = /*.xls/
> dos filetime resolution = Yes
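A worked check for the idmap migration Dale points at, added here as an example (it is not code from either poster): it rewrites the old rid-style idmap lines from the smb.conf above into the 3.6 per-domain form while keeping the domain range unchanged, and reproduces the idmap_rid arithmetic (ID = RID - BASE_RID + LOW_RANGE_ID) to show which RID the bare 1488701 group id in the ll output corresponds to. The 70000-99999 range for the '*' default is an assumed value.

```python
import re

# Old (pre-3.6) idmap syntax, exactly the lines in the poster's smb.conf.
OLD_BACKEND_RE = re.compile(r"^\s*idmap backend\s*=\s*rid:(\w+)=(\d+)-(\d+)\s*$")
OLD_RANGE_RE = re.compile(r"^\s*idmap (?:uid|gid)\s*=\s*\d+-\d+\s*$")

def convert_idmap(lines, default_range=(70000, 99999)):
    """Rewrite 'idmap backend = rid:DOM=low-high' (+ idmap uid/gid) into the
    3.6 per-domain form. The domain range is kept identical so numeric ids
    already on disk keep mapping to the same SIDs. default_range for '*' is
    an assumed value and must not overlap the domain range."""
    domain = low = high = None
    kept = []
    for line in lines:
        m = OLD_BACKEND_RE.match(line)
        if m:
            domain, low, high = m.group(1), int(m.group(2)), int(m.group(3))
            continue
        if OLD_RANGE_RE.match(line):
            continue  # covered by the per-domain range below
        kept.append(line)
    if domain is None:
        return kept  # nothing to migrate
    dlow, dhigh = default_range
    if not (dhigh < low or dlow > high):
        raise ValueError("'*' range %d-%d overlaps %s range" % (dlow, dhigh, domain))
    return kept + [
        "idmap config * : backend = tdb",
        "idmap config * : range = %d-%d" % (dlow, dhigh),
        "idmap config %s : default = Yes" % domain,
        "idmap config %s : backend = rid" % domain,
        "idmap config %s : range = %d-%d" % (domain, low, high),
    ]

def rid_to_unix_id(sid, low, high, base_rid=0):
    """idmap_rid arithmetic: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result lies outside the configured range."""
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def unix_id_to_rid(unix_id, low, high, base_rid=0):
    """Inverse: the RID behind a bare numeric id such as the 1488701 shown
    by 'll' in the post, or None if the id is not from this range."""
    if not low <= unix_id <= high:
        return None
    return unix_id - low + base_rid

if __name__ == "__main__":
    old = ["idmap backend = rid:OR=1000000-3000000",
           "idmap uid = 1000000-3000000", "idmap gid = 1000000-3000000"]
    print("\n".join(convert_idmap(old)))
    print(unix_id_to_rid(1488701, 1000000, 3000000))  # RID of the group on the share
```

If a migrated configuration changes the domain range, the same RID lands on a different numeric gid and files owned by the old gid stop resolving, which is exactly the symptom in 4a.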