Martin Vuille
2016-Aug-01 20:10 UTC
[Samba] NT domain login no longer works after distro upgrade (samba 4.2.12 -> 4.3.11, 4.4.5)
Workstation is member of NT domain, DC is samba 3.6.12. Was running Fedora 22 (samba 4.2.12), domain logins were working fine. Upgraded to Fedora 23 (samba 4.3.11) and domain logins no longer work: "Domain Controller unreachable, using cached credentials instead." Can connect to shares on the DC (e.g., with smbclient) without problem. Upgraded to samba 4.4.5 (from Fedora 24), issue still present.

I'm seeing the following errors in log.winbindd-idmap:

=========
[2016/07/22 11:23:28.791764, 10, pid=1153, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1917(cm_open_connection)
  cm_open_connection: dcname is 'MIMIR' for domain YGGDRASIL
[2016/07/22 11:23:28.793277, 10, pid=1153, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1023(cm_prepare_connection)
  cm_prepare_connection: connecting to DC MIMIR for domain YGGDRASIL
ldb: unable to stat module /usr/lib64/samba/ldb : No such file or directory
[2016/07/22 11:23:28.794755, 5, pid=1153, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1142(cm_prepare_connection)
  connecting to MIMIR from THOR using NTLMSSP with username [YGGDRASIL]\[THOR$]
[2016/07/22 11:23:28.798607, 0] ../libcli/smb/smb_signing.c:138(smb_signing_good)
  smb_signing_good: BAD SIG: seq 1
[2016/07/22 11:23:28.798690, 4, pid=1153, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1184(cm_prepare_connection)
  authenticated session setup failed with NT_STATUS_ACCESS_DENIED
=========

After installing samba 4.4.5, there are no more complaints about "unable to stat module", but the rest of the logs are the same.

I am also seeing SELinux errors for winbindd, but not sure whether they are relevant.

=========
time->Fri Jul 22 09:45:06 2016
type=PROCTITLE msg=audit(1469195106.880:3563): proctitle="/usr/sbin/winbindd"
type=PATH msg=audit(1469195106.880:3563): item=0 name="/var/lib/samba/private/msg.sock/1207" inode=2502647 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:samba_var_t:s0 nametype=NORMAL
type=CWD msg=audit(1469195106.880:3563): cwd="/"
type=SOCKADDR msg=audit(1469195106.880:3563): saddr=01002F7661722F6C69622F73616D62612F707269766174652F6D73672E736F636B2F31323037000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1469195106.880:3563): arch=c000003e syscall=46 success=no exit=-13 a0=7 a1=7fff67c8aaa0 a2=0 a3=0 items=1 ppid=1137 pid=1139 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1469195106.880:3563): avc: denied { sendto } for pid=1139 comm="winbindd" path="/var/lib/samba/private/msg.sock/1207" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=unix_dgram_socket permissive=0
=========

Looking for some hints about direction to pursue debugging the problem.

MV