Eric Shell
2016-Jun-22 16:44 UTC
[Samba] Samba 4 AD member server authentication issues, domain vs. ads security
Thanks for the quick replies.

One domain is at Windows Server 2008 functional level, and the other is Windows Server 2012 R2. The samba 4 servers are running 4.2.10 and the samba 3 servers are running 3.6.23, both from rpms available from either the CentOS 6 or 7 repos (samba 4 on CentOS 7, samba 3 on CentOS 6).

Here's the smb.conf used on the two samba 4 servers:

[global]
    workgroup = BSOE
    server string = SAMBA-01
    netbios name = SAMBA-01
    realm = ad.soe.ucsc.edu
    security = ads
    log file = /var/log/samba.log
    log level = 2
    browseable = yes
    read only = no
    local master = no
    load printers = no
    preserve case = yes
    case sensitive = yes
    wins support = no
    passdb backend = tdbsam
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    client ldap sasl wrapping = sign
    short preserve case = yes
    nt acl support = no
    wide links = no
    unix extensions = no
    strict locking = no
    kernel change notify = no

include = /etc/samba/shares.conf

Rowland, I changed the security option based on the example on that page of the wiki but I didn't perform the winbind portion because I wasn't sure whether it was necessary or wise. The issue with some clients not having kerberos tickets is that we have some systems that are not integrated with AD and have been using password authentication thus far. If possible, we would like to continue to be able to use password authentication for clients that aren't part of the domains since some of them will not/cannot be joined.
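An added lint check, not from the thread and not a Samba tool: it parses a constructed copy of the [global] lines posted above and flags the settings a member server's winbind setup normally supplies (idmap config ranges, kerberos method) plus the weaker `sign` LDAP SASL wrapping. The parameter names are real smb.conf options; the severities and recommendations are this example's own assumptions.

```python
import re

# Constructed copy of the relevant [global] lines from the posted smb.conf.
MEMBER_CONF = """\
[global]
  workgroup = BSOE
  realm = ad.soe.ucsc.edu
  security = ads
  passdb backend = tdbsam
  client ldap sasl wrapping = sign
  include = /etc/samba/shares.conf
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}} (keys lower-cased, spaces squashed)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.split(r'[;#]', raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif current is not None and '=' in line:
            key, _, val = line.partition('=')
            sections[current][' '.join(key.lower().split())] = val.strip()
    return sections

def lint_member_server(conf):
    """Return (severity, message) findings for an AD member server's [global] section."""
    g = conf.get('global', {})
    out = []
    if g.get('security', '').lower() != 'ads':
        return [('error', "security must be 'ads' for an AD member server")]
    if 'realm' not in g:
        out.append(('error', 'realm is required with security = ads'))
    if not any(k.startswith('idmap config') for k in g):
        out.append(('warn', 'no idmap config lines: the winbind setup step is missing, '
                            'so domain SIDs cannot be mapped to Unix IDs'))
    if g.get('kerberos method', 'default').lower() == 'default':
        out.append(('info', "kerberos method is 'default'; 'secrets and keytab' lets "
                            'the member use its machine keytab'))
    if g.get('client ldap sasl wrapping', '').lower() != 'seal':
        out.append(('warn', "client ldap sasl wrapping is not 'seal': LDAP to the DCs "
                            'is integrity-protected at best, not encrypted'))
    return out

if __name__ == '__main__':
    for sev, msg in lint_member_server(parse_smb_conf(MEMBER_CONF)):
        print(f'[{sev}] {msg}')
```

Run it against a real smb.conf by reading the file into `parse_smb_conf`; `testparm` is still the authority on syntax, this only looks at the member-server settings.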
Eric Shell
2016-Jun-22 18:29 UTC
[Samba] Samba 4 AD member server authentication issues, domain vs. ads security
I should add that the samba.log file was logging NT_STATUS_NO_LOGON_SERVERS errors when authentication attempts were failing. Workstations in the domains were still able to authenticate, however, and I verified that the DNS records were still correct. The SRV records were all in place and the domain controllers' host names were resolving.

On Wed, Jun 22, 2016 at 9:44 AM, Eric Shell <eshell at ucsc.edu> wrote:

> Thanks for the quick replies.
>
> One domain is at Windows Server 2008 functional level, and the other is Windows Server 2012 R2. The samba 4 servers are running 4.2.10 and the samba 3 servers are running 3.6.23, both from rpms available from either the CentOS 6 or 7 repos (samba 4 on CentOS 7, samba 3 on CentOS 6).
>
> Here's the smb.conf used on the two samba 4 servers:
>
> [global]
>>     workgroup = BSOE
>>     server string = SAMBA-01
>>     netbios name = SAMBA-01
>>     realm = ad.soe.ucsc.edu
>>     security = ads
>>     log file = /var/log/samba.log
>>     log level = 2
>>     browseable = yes
>>     read only = no
>>     local master = no
>>     load printers = no
>>     preserve case = yes
>>     case sensitive = yes
>>     wins support = no
>>     passdb backend = tdbsam
>>     printing = bsd
>>     printcap name = /dev/null
>>     disable spoolss = yes
>>     client ldap sasl wrapping = sign
>>     short preserve case = yes
>>     nt acl support = no
>>     wide links = no
>>     unix extensions = no
>>     strict locking = no
>>     kernel change notify = no
>
> include = /etc/samba/shares.conf
>
> Rowland, I changed the security option based on the example on that page of the wiki but I didn't perform the winbind portion because I wasn't sure whether it was necessary or wise. The issue with some clients not having kerberos tickets is that we have some systems that are not integrated with AD and have been using password authentication thus far. If possible, we would like to continue to be able to use password authentication for clients that aren't part of the domains since some of them will not/cannot be joined.
>
> --
> Eric Shell
> UNIX Software & Google Apps Administrator
> Baskin School of Engineering
> UC Santa Cruz
> 831 459 4919
Rowland penny
2016-Jun-22 19:52 UTC
[Samba] Samba 4 AD member server authentication issues, domain vs. ads security
On 22/06/16 19:29, Eric Shell wrote:

> I should add that the samba.log file was logging NT_STATUS_NO_LOGON_SERVERS errors when authentication attempts were failing. Workstations in the domains were still able to authenticate, however, and I verified that the DNS records were still correct. The SRV records were all in place and the domain controllers' host names were resolving.
>
> On Wed, Jun 22, 2016 at 9:44 AM, Eric Shell <eshell at ucsc.edu> wrote:
>
>> Thanks for the quick replies.
>>
>> One domain is at Windows Server 2008 functional level, and the other is Windows Server 2012 R2. The samba 4 servers are running 4.2.10 and the samba 3 servers are running 3.6.23, both from rpms available from either the CentOS 6 or 7 repos (samba 4 on CentOS 7, samba 3 on CentOS 6).
>>
>> Here's the smb.conf used on the two samba 4 servers:
>>
>> [global]
>>>     workgroup = BSOE
>>>     server string = SAMBA-01
>>>     netbios name = SAMBA-01
>>>     realm = ad.soe.ucsc.edu
>>>     security = ads
>>>     log file = /var/log/samba.log
>>>     log level = 2
>>>     browseable = yes
>>>     read only = no
>>>     local master = no
>>>     load printers = no
>>>     preserve case = yes
>>>     case sensitive = yes
>>>     wins support = no
>>>     passdb backend = tdbsam
>>>     printing = bsd
>>>     printcap name = /dev/null
>>>     disable spoolss = yes
>>>     client ldap sasl wrapping = sign
>>>     short preserve case = yes
>>>     nt acl support = no
>>>     wide links = no
>>>     unix extensions = no
>>>     strict locking = no
>>>     kernel change notify = no
>>
>> include = /etc/samba/shares.conf
>>
>> Rowland, I changed the security option based on the example on that page of the wiki but I didn't perform the winbind portion because I wasn't sure whether it was necessary or wise. The issue with some clients not having kerberos tickets is that we have some systems that are not integrated with AD and have been using password authentication thus far. If possible, we would like to continue to be able to use password authentication for clients that aren't part of the domains since some of them will not/cannot be joined.
>>

OK, back in April, Samba released major security releases, amongst which was version 4.2.11. This included a regression fix for 4.2.10 (which wasn't released); Red Hat released this as 4.2.10. There has been another release since then (4.2.12), which was to fix a number of regressions from 4.2.11. You can read the release notes here:

https://www.samba.org/samba/history/samba-4.2.10.html
https://www.samba.org/samba/history/samba-4.2.11.html
https://www.samba.org/samba/history/samba-4.2.12.html

Samba did not release anything for the 3.6 versions because it is EOL, but Red Hat backported the 4.x patches to 3.6, so if you can sort out your problem with 4.2.10, you will probably find it is the same problem for 3.6.

I take it you are using sssd on the CentOS machines. I haven't checked lately (I don't use sssd), but you could try asking on the sssd mailing list for help as well.

Rowland