thr3ads.net - samba - [Samba] NT domain login no longer works after distro upgrade (samba 4.2.12 -> 4.3.11, 4.4.5) [Aug 2016]

If this information is useful, please help other people find it:
Share via:

Martin Vuille

2016-Aug-01 20:10 UTC

[Samba] NT domain login no longer works after distro upgrade (samba 4.2.12 -> 4.3.11, 4.4.5)

Workstation  is member of NT domain, DC is samba 3.6.12.

Was running Fedora 22 (samba 4.2.12), domain logins were working fine.

Upgraded to Fedora 23 (samba 4.3.11) and domain logins no longer work:
"Domain Controller unreachable, using cached credentials instead." Can
connect to shares on the DC (e.g., with smbclient) without problem.

Upgraded to samba 4.4.5 (from Fedora 24), issue still present.

I'm seeing the following errors in log.winbindd-idmap:

=========[2016/07/22 11:23:28.791764, 10, pid=1153, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_cm.c:1917(cm_open_connection)
  cm_open_connection: dcname is 'MIMIR' for domain YGGDRASIL
[2016/07/22 11:23:28.793277, 10, pid=1153, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_cm.c:1023(cm_prepare_connection)
  cm_prepare_connection: connecting to DC MIMIR for domain YGGDRASIL
ldb: unable to stat module /usr/lib64/samba/ldb : No such file or directory
[2016/07/22 11:23:28.794755,  5, pid=1153, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_cm.c:1142(cm_prepare_connection)
  connecting to MIMIR from THOR using NTLMSSP with username
[YGGDRASIL]\[THOR$]
[2016/07/22 11:23:28.798607,  0]
../libcli/smb/smb_signing.c:138(smb_signing_good)
  smb_signing_good: BAD SIG: seq 1
[2016/07/22 11:23:28.798690,  4, pid=1153, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_cm.c:1184(cm_prepare_connection)
  authenticated session setup failed with NT_STATUS_ACCESS_DENIED
=========
After installing samba 4.4.5, there are no more complaints about "unable
to stat module", but the rest of the logs are the same.

I am also seeing SELinux errors for winbindd, but not sure whether they
are relevant.

=========time->Fri Jul 22 09:45:06 2016
type=PROCTITLE msg=audit(1469195106.880:3563):
proctitle="/usr/sbin/winbindd"
type=PATH msg=audit(1469195106.880:3563): item=0
name="/var/lib/samba/private/msg.sock/1207" inode=2502647 dev=fd:00
mode=0140777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:samba_var_t:s0 nametype=NORMAL
type=CWD msg=audit(1469195106.880:3563):  cwd="/"
type=SOCKADDR msg=audit(1469195106.880:3563):
saddr=01002F7661722F6C69622F73616D62612F707269766174652F6D73672E736F636B2F31323037000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1469195106.880:3563): arch=c000003e syscall=46
success=no exit=-13 a0=7 a1=7fff67c8aaa0 a2=0 a3=0 items=1 ppid=1137
pid=1139 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="winbindd"
exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0
key=(null)
type=AVC msg=audit(1469195106.880:3563): avc:  denied  { sendto } for 
pid=1139 comm="winbindd"
path="/var/lib/samba/private/msg.sock/1207"
scontext=system_u:system_r:winbind_t:s0
tcontext=system_u:system_r:nmbd_t:s0 tclass=unix_dgram_socket permissive=0
=========
Looking for some hints about direction to pursue debugging the problem.

MV

Maybe Matching Threads

Search for more apparently analagous threads

samba - Aug 2016 - NT domain login no longer works after distro upgrade (samba 4.2.12 -> 4.3.11, 4.4.5)

[Samba] NT domain login no longer works after distro upgrade (samba 4.2.12 -> 4.3.11, 4.4.5)

Maybe Matching Threads

Wisdom of the Ancients