Ty! Boyack
2015-Apr-23 20:40 UTC
[Samba] Samba 4.1 as member server, problems doing password authentication using CentOS/RedHat 7 packages
On 04/21/2015 11:39 AM, Rowland Penny wrote:
> On 21/04/15 18:24, Ty! Boyack wrote:
>> On 04/20/2015 05:30 PM, Andrey Repin wrote:
>>> Greetings, Ty! Boyack!
>>
>> Thanks, and Hi!
>>> I dumped (using testparm -v) all of the default settings, and found that
>>> With Samba 4, I've found the output of "samba-tool testparm" to be different
>>> from "testparm". The former looks more trustworthy to me.
>>
>> I feel really foolish here -- but I don't see samba-tool as an
>> installed binary or in any of the packages available via the
>> repositories we use for CentOS or Fedora. Is this part of the
>> standard suite or samba
>
> You will not get samba-tool on any red-hat distro, you cannot set up a
> samba AD DC on red-hat with distro packages because they want to use
> MIT kerberos.
>
Aha, thanks. I don't want to set up an AD, since we have a solid AD structure with windows servers in this environment. That makes sense why I don't see the tool though.

>>
>>> Following smb.conf compare, I would compare krb5.conf, particularly
>>> the realm name and capitalization.
>>> Been bitten by that >.<
>>>
>>>
>>
>> Good thought. I use 'net ads join' to join the active directory
>> domain, so that creates its krb5 file on the fly in
>> /var/lib/samba/smb_krb5. The contents of the files on each server is
>> almost the same -- it is the same information (including
>> capitalization -- you are right on that!) but the order of the KDCs
>> is different. I changed the order to make sure that is not the issue
>> and confirmed that the behavior is the same.
>>
>> I wonder if the package compilation invokes substantially different
>> options for this behavior? I don't know how to tell what configure
>> options are used by the package creators. Does anyone know if that
>> is easy to discover?
>
> running 'smbd -b' will give you the build spec, but beware, it is
> usually very long and will probably scroll off screen, pipe it to a
> text file and read that.
>
Thanks -- that smbd -b was a good bit of insight. I ended up building a copy of 4.1.17 from source, and it works fine. Then I grabbed the 4.1.12 source RPM from CentOS, and if all the patches are removed it works fine. So I rebuilt it a dozen times or so to identify which patch was causing the problem, and it is entirely reproducible by applying the patch samba-4.2.x-fix_gecos_field_with_samlogon.patch. Interestingly, it is mislabeled in part of the spec file as .samba-4.1.13-fix_gecos_field_with_samlogon.patch. This patch has been applied to the distributed binary package samba-4.1.12-21.el7_1.

Andrey and Rowland, thank you for the help and pointing me in good directions! Now I just need to find out where to submit a bug report. I don't know if it's a Samba bug (since the base packages work fine) or if it is a packaging bug. And if a packaging bug I'm not sure where those bugs are tracked (I would assume with RedHat or CentOS, but just not sure).

TL;DR (or just in case someone comes across this with the same problem):

At least with our config in our environment, the current Samba package from the CentOS base repo fails to properly authenticate sessions using passwords when acting as a domain member server. It will authenticate sessions using kerberos fine. If you deploy samba in an environment where you use Samba as a member server with Windows Domain Controllers, you may be unable to authenticate users who are not part of your kerberos domain with the current samba package (4.1.12-21.el7_1).

If a fix is necessary, you can recompile the source RPM with the patch100 and patch101 commented out in the SPEC file. At least for us, it seems to be working fine. (YMMV)
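The rebuild Ty describes (the CentOS source RPM with patch100 and patch101 commented out in the SPEC file) as an added example script; it is not from the thread or from the Samba/CentOS packaging, and it assumes the spec is named samba.spec, uses the "Patch100:" / "%patch100" form of the CentOS 7 era, that GNU sed and the build dependencies are present, and that rpmbuild's default %_topdir of ~/rpmbuild is in effect:

```shell
#!/bin/sh
# Added example, not from the original thread: rebuild the samba SRPM with
# two patches disabled in the spec instead of editing it by hand.
set -eu

# disable_patches SPEC N...: comment out the "PatchN:" declaration and the
# "%patchN" application line for each patch number N, editing SPEC in place.
# Only the exact number is matched: disabling 100 leaves Patch1000 alone.
disable_patches() {
  spec=$1; shift
  for n in "$@"; do
    # "#%%patch" rather than "#%patch": rpmbuild still expands macros inside
    # comment lines, and "%%" is the escaped literal percent sign.
    sed -i \
      -e "s|^Patch${n}:|#Patch${n}:|" \
      -e "s|^%patch${n}$|#%%patch${n}|" \
      -e "s|^%patch${n}\([^0-9]\)|#%%patch${n}\1|" \
      "$spec"
  done
}

# rebuild_samba_srpm SRPM: unpack the source RPM into ~/rpmbuild, disable
# Patch100 and Patch101, and build the binary packages from the edited spec.
rebuild_samba_srpm() {
  srpm=$1
  rpm -ivh "$srpm"                        # populates ~/rpmbuild/SOURCES and SPECS
  spec="$HOME/rpmbuild/SPECS/samba.spec"  # assumed spec file name
  disable_patches "$spec" 100 101
  rpmbuild -bb "$spec"                    # results land under ~/rpmbuild/RPMS/
}

# Usage: sh rebuild-samba.sh samba-4.1.12-21.el7_1.src.rpm
if [ -n "${1:-}" ]; then
  rebuild_samba_srpm "$1"
fi
```

Run "yum-builddep ~/rpmbuild/SPECS/samba.spec" first if rpmbuild reports missing build dependencies.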
Ken Bass
2015-Apr-27 19:20 UTC
[Samba] Samba 4.1 as member server, problems doing password authentication using CentOS/RedHat 7 packages
On 4/23/2015 4:40 PM, Ty! Boyack wrote:
>
> TL;DR (or just in case someone comes across this with the same problem):
>
> At least with our config in our environment, the current Samba package
> from the CentOS base repo fails to properly authenticate sessions
> using passwords when acting as a domain member server. It will
> authenticate sessions using kerberos fine. If you deploy samba in an
> environment where you use Samba as a member server with Windows Domain
> Controllers, you may be unable to authenticate users who are not part
> of your kerberos domain with the current samba package (4.1.12-21.el7_1).
>
> If a fix is necessary, you can recompile the source RPM with the
> patch100 and patch101 commented out in the SPEC file. At least for us,
> it seems to be working fine. (YMMV)
>
>
Did you figure out who/where to submit a bug report to? Or find any more info? I just upgraded my Centos boxes and my Samba shares are now broken. I believe I was running samba-4.1.1-38.el7_0. It just upgraded to samba-4.1.12-21.el7_1.

My Centos share machine uses security = domain, with password servers set to my two Centos samba domain controllers (primary and backup - linked via ldap). There is no AD in this environment. I do have MIT Kerberos setup, but it is not used by Samba - only for SSH.

When I try to connect to a share on the machine, it fails and I see:

[2015/04/27 14:53:19.363856, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
  domain_client_validate: unable to validate password for user MYDOMuser in domain MYDOM to Domain controller PDC. Error was NT_STATUS_LOCK_NOT_GRANTED.
[2015/04/27 14:53:19.367346, 2] ../source3/auth/auth.c:300(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [MYDOMuser] -> [MYDOMuser] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/04/27 14:53:19.367449, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED

I am considering rebuilding the RPMs without patches you mentioned, but wanted to check first.
Ty! Boyack
2015-Apr-27 20:38 UTC
[Samba] Samba 4.1 as member server, problems doing password authentication using CentOS/RedHat 7 packages
On 04/27/2015 01:20 PM, Ken Bass wrote:
> On 4/23/2015 4:40 PM, Ty! Boyack wrote:
>>
>> TL;DR (or just in case someone comes across this with the same problem):
>>
>> At least with our config in our environment, the current Samba
>> package from the CentOS base repo fails to properly authenticate
>> sessions using passwords when acting as a domain member server. It
>> will authenticate sessions using kerberos fine. If you deploy samba in
>> an environment where you use Samba as a member server with Windows
>> Domain Controllers, you may be unable to authenticate users who are
>> not part of your kerberos domain with the current samba package
>> (4.1.12-21.el7_1).
>>
>> If a fix is necessary, you can recompile the source RPM with the
>> patch100 and patch101 commented out in the SPEC file. At least for
>> us, it seems to be working fine. (YMMV)
>>
>>
>
> Did you figure out who/where to submit a bug report to? Or find any
> more info? I just upgraded my Centos boxes and my Samba shares are now
> broken. I believe I was running samba-4.1.1-38.el7_0. It just upgraded
> to samba-4.1.12-21.el7_1.
>
> My Centos share machine uses security = domain, with password servers
> set to my two Centos samba domain controllers (primary and backup -
> linked via ldap). There is no AD in this environment. I do have MIT
> Kerberos setup, but it is not used by Samba - only for SSH.
>
> When I try to connect to a share on the machine, it fails and I see:
>
> [2015/04/27 14:53:19.363856, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
>   domain_client_validate: unable to validate password for user MYDOMuser in domain MYDOM to Domain controller PDC. Error was NT_STATUS_LOCK_NOT_GRANTED.
> [2015/04/27 14:53:19.367346, 2] ../source3/auth/auth.c:300(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [MYDOMuser] -> [MYDOMuser] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
> [2015/04/27 14:53:19.367449, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
>
> I am considering rebuilding the RPMs without patches you mentioned,
> but wanted to check first.

Hi Ken,

That looks like the most common error I get when trying to authenticate against Windows domain controllers too, and it's interesting to see it coming up against other DCs. Thanks for the information and the corroboration -- I wasn't sure if I had something unique to my environment.

I hadn't found out where to file a bug report and have not been able to focus on this for a couple of days, but luckily someone else found where to report the bug: https://bugzilla.redhat.com/show_bug.cgi?id=1202347

Thanks to MOM20xxx in that thread for getting the information from this discussion into the bug report there.