Ty! Boyack
2015-Apr-21 17:24 UTC
[Samba] Samba 4.1 as member server, problems doing password authentication using CentOS/RedHat 7 packages
On 04/20/2015 05:30 PM, Andrey Repin wrote:
> Greetings, Ty! Boyack!

Thanks, and Hi!

>> I dumped (using testparm -v) all of the default settings, and found that
> With Samba 4, I've found the output of "samba-tool testparm" to be different
> from "testparm". The former looks more trustworthy to me.

I feel really foolish here -- but I don't see samba-tool as an installed binary or in any of the packages available via the repositories we use for CentOS or Fedora. Is this part of the standard suite or samba

> Following smb.conf compare, I would compare krb5.conf, particularly the realm
> name and capitalization.
> Been bitten by that >.<

Good thought. I use 'net ads join' to join the active directory domain, so that creates its krb5 file on the fly in /var/lib/samba/smb_krb5. The contents of the files on each server are almost the same -- it is the same information (including capitalization -- you are right on that!) but the order of the KDCs is different. I changed the order to make sure that is not the issue and confirmed that the behavior is the same.

I wonder if the package compilation invokes substantially different options for this behavior? I don't know how to tell what configure options are used by the package creators. Does anyone know if that is easy to discover?

Thanks,

-Ty!

--
-===========================-
Ty Boyack
NREL Senior IT Engineer
Ty.Boyack at colostate.edu
(970) 491-1186
-===========================-
Rowland Penny
2015-Apr-21 17:39 UTC
[Samba] Samba 4.1 as member server, problems doing password authentication using CentOS/RedHat 7 packages
On 21/04/15 18:24, Ty! Boyack wrote:
> On 04/20/2015 05:30 PM, Andrey Repin wrote:
>> Greetings, Ty! Boyack!
>
> Thanks, and Hi!
>
>>> I dumped (using testparm -v) all of the default settings, and found that
>> With Samba 4, I've found the output of "samba-tool testparm" to be different
>> from "testparm". The former looks more trustworthy to me.
>
> I feel really foolish here -- but I don't see samba-tool as an
> installed binary or in any of the packages available via the
> repositories we use for CentOS or Fedora. Is this part of the
> standard suite or samba

You will not get samba-tool on any red-hat distro; you cannot set up a samba AD DC on red-hat with distro packages because they want to use MIT kerberos.

>> Following smb.conf compare, I would compare krb5.conf, particularly
>> the realm name and capitalization.
>> Been bitten by that >.<
>
> Good thought. I use 'net ads join' to join the active directory
> domain, so that creates its krb5 file on the fly in
> /var/lib/samba/smb_krb5. The contents of the files on each server are
> almost the same -- it is the same information (including
> capitalization -- you are right on that!) but the order of the KDCs is
> different. I changed the order to make sure that is not the issue and
> confirmed that the behavior is the same.
>
> I wonder if the package compilation invokes substantially different
> options for this behavior? I don't know how to tell what configure
> options are used by the package creators. Does anyone know if that is
> easy to discover?

Running 'smbd -b' will give you the build spec, but beware, it is usually very long and will probably scroll off screen; pipe it to a text file and read that.

Rowland

> Thanks,
>
> -Ty!
Ty! Boyack
2015-Apr-23 20:40 UTC
[Samba] Samba 4.1 as member server, problems doing password authentication using CentOS/RedHat 7 packages
On 04/21/2015 11:39 AM, Rowland Penny wrote:
> On 21/04/15 18:24, Ty! Boyack wrote:
>> On 04/20/2015 05:30 PM, Andrey Repin wrote:
>>> Greetings, Ty! Boyack!
>>
>> Thanks, and Hi!
>>
>>>> I dumped (using testparm -v) all of the default settings, and found that
>>> With Samba 4, I've found the output of "samba-tool testparm" to be different
>>> from "testparm". The former looks more trustworthy to me.
>>
>> I feel really foolish here -- but I don't see samba-tool as an
>> installed binary or in any of the packages available via the
>> repositories we use for CentOS or Fedora. Is this part of the
>> standard suite or samba
>
> You will not get samba-tool on any red-hat distro, you cannot set up a
> samba AD DC on red-hat with distro packages because they want to use
> MIT kerberos.

Aha, thanks. I don't want to set up an AD, since we have a solid AD structure with windows servers in this environment. That makes sense why I don't see the tool though.

>>> Following smb.conf compare, I would compare krb5.conf, particularly
>>> the realm name and capitalization.
>>> Been bitten by that >.<
>>
>> Good thought. I use 'net ads join' to join the active directory
>> domain, so that creates its krb5 file on the fly in
>> /var/lib/samba/smb_krb5. The contents of the files on each server are
>> almost the same -- it is the same information (including
>> capitalization -- you are right on that!) but the order of the KDCs
>> is different. I changed the order to make sure that is not the issue
>> and confirmed that the behavior is the same.
>>
>> I wonder if the package compilation invokes substantially different
>> options for this behavior? I don't know how to tell what configure
>> options are used by the package creators. Does anyone know if that
>> is easy to discover?
>
> running 'smbd -b' will give you the build spec, but beware, it is
> usually very long and will probably scroll off screen, pipe it to a
> text file and read that.

Thanks -- that smbd -b was a good bit of insight. I ended up building a copy of 4.1.17 from source, and it works fine. Then I grabbed the 4.1.12 source RPM from CentOS, and if all the patches are removed it works fine. So I rebuilt it a dozen times or so to identify which patch was causing the problem, and it is entirely reproducible by applying the patch samba-4.2.x-fix_gecos_field_with_samlogon.patch. Interestingly, it is mislabeled in part of the spec file as .samba-4.1.13-fix_gecos_field_with_samlogon.patch. This patch has been applied to the distributed binary package samba-4.1.12-21.el7_1.

Andrey and Rowland, thank you for the help and pointing me in good directions! Now I just need to find out where to submit a bug report. I don't know if it's a Samba bug (since the base packages work fine) or if it is a packaging bug. And if it is a packaging bug I'm not sure where those bugs are tracked (I would assume with RedHat or CentOS, but just not sure).

TL;DR (or just in case someone comes across this with the same problem): At least with our config in our environment, the current Samba package from the CentOS base repo fails to properly authenticate sessions using passwords when acting as a domain member server. It will authenticate sessions using kerberos fine.

If you deploy samba in an environment where you use Samba as a member server with Windows Domain Controllers, you may be unable to authenticate users who are not part of your kerberos domain with the current samba package (4.1.12-21.el7_1). If a fix is necessary, you can recompile the source RPM with the patch100 and patch101 commented out in the SPEC file. At least for us, it seems to be working fine. (YMMV)
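The rebuild-with-one-patch-removed loop described in the post is easy to script. The helper below is an added example, not code from the thread or from the CentOS package: it disables a numbered patch in an RPM spec by commenting out both the `PatchN:` tag and the `%patchN` application line, and it writes the latter as `#%%patchN` because rpmbuild expands macros even inside comments, so a plain `#%patchN` line would still apply the patch. The spec fragment is constructed for the demonstration (only the gecos patch filename comes from the thread; the patch101 filename is a placeholder).

```shell
#!/bin/sh
# Added example: disable one numbered patch in an RPM spec so the SRPM can be
# rebuilt without it (rpmbuild -bb samba.spec), then report which patches
# are still applied in %prep.

# make_sample_spec PATH: write a small constructed spec fragment. This is a
# stand-in for the real CentOS samba spec, not a copy of it.
make_sample_spec() {
  cat > "$1" <<'EOF'
Name: samba
Version: 4.1.12
Patch0: samba-4.1.12-example-placeholder.patch
Patch100: samba-4.2.x-fix_gecos_field_with_samlogon.patch
Patch101: samba-4.1.x-second-placeholder.patch
%prep
%setup -q
%patch0 -p1
%patch100 -p1 -b .gecos
%patch101 -p1
EOF
}

# disable_patch SPEC N: comment out "PatchN:" and "%patchN ...".
# rpmbuild expands macros before it strips comments, so "#%patchN" would
# still run the patch; "%%" is the escaped percent that rpm leaves alone.
# The [^0-9] guard stops N=10 from also matching %patch100.
disable_patch() {
  spec=$1; n=$2
  sed -e "s/^Patch$n:/#Patch$n:/" \
      -e "s/^%patch$n\$/#%%patch$n/" \
      -e "s/^%patch$n\([^0-9]\)/#%%patch$n\1/" \
      "$spec" > "$spec.tmp" && mv "$spec.tmp" "$spec"
}

# active_patches SPEC: print the numbers of patches still applied in %prep,
# one per line, so you can confirm what the next rebuild will contain.
active_patches() {
  sed -n 's/^%patch\([0-9][0-9]*\).*/\1/p' "$1"
}
```

Run `disable_patch samba.spec 100`, rebuild, and retest; repeat for each candidate until the failing patch is isolated.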