Marc Muehlfeld
2016-Dec-29 20:40 UTC
[Samba] Connections to Samba fail when "includedir" is set in krb5.conf (e. g. after RHEL 7.2 to 7.3 update)
Hi,

I spent some time today to figure out why my clients are unable to connect to my Samba AD domain member after updating the operating system from CentOS 7.2 to 7.3 and I thought sharing the reason and the workaround can help others:

If you run RHEL/CentOS 7.2 with an unmodified /etc/krb5.conf file and update to 7.3, the krb5-workstation-1.14.1-27 package adds an "includedir" statement to the top of the file. If you modified the file in the past, the entry is not added and everything is fine.

This "includedir" statement causes all connections (shares, RPC, etc.) to the Samba domain member to fail. If you set the log level to 3 or higher, the following error is logged:

[2016/12/29 20:40:12.306475, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_UNSUCCESSFUL] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/12/29 20:40:12.307256, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

To work around the problem, simply remove the "includedir" statement from the /etc/krb5.conf file. No restart is required.

Here is the bug report:
https://bugzilla.samba.org/show_bug.cgi?id=12488

Regards,
Marc
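As an added example (not part of the original post and not Samba project code), a shell check for the condition described above: it lists the active "includedir" lines in a krb5.conf and writes a copy with them commented out, leaving the original untouched for review. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: find and neutralise active "includedir" lines in a krb5.conf.

# Print "LINENO:LINE" for every uncommented includedir directive.
# Exit status is 0 if at least one was found, 1 otherwise.
find_includedir() {
    grep -nE '^[[:space:]]*includedir([[:space:]]|$)' "$1"
}

# Write a copy of $1 to $2 with includedir directives commented out.
# The original file is not modified, so the result can be diffed first.
comment_out_includedir() {
    sed -E 's/^([[:space:]]*)(includedir([[:space:]]|$).*)$/\1# \2/' "$1" > "$2"
}

# Constructed sample resembling the file described in the post.
make_sample() {
    cat > "$1" <<'EOF'
# Constructed sample, not a real host's configuration
includedir /etc/krb5.conf.d/

[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_kdc = true
# includedir /already/commented
EOF
}

main() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp/krb5.conf"
    echo "active includedir lines:"
    find_includedir "$tmp/krb5.conf"
    comment_out_includedir "$tmp/krb5.conf" "$tmp/krb5.conf.new"
    echo "active includedir lines after rewrite:"
    find_includedir "$tmp/krb5.conf.new" || echo "none"
    rm -rf "$tmp"
}

main
```

On a real host, point the two functions at /etc/krb5.conf and a scratch output path, then diff the files before replacing anything.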
Rowland Penny
2016-Dec-29 21:17 UTC
[Samba] Connections to Samba fail when "includedir" is set in krb5.conf (e. g. after RHEL 7.2 to 7.3 update)
On Thu, 29 Dec 2016 21:40:56 +0100 Marc Muehlfeld via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I spent some time today to figure out why my clients are unable to
> connect to my Samba AD domain member after updating the operating
> system from CentOS 7.2 to 7.3 and I thought sharing the reason and the
> workaround can help others:
>
> If you run RHEL/CentOS 7.2 with an unmodified /etc/krb5.conf file

Hi Marc, that is your problem there and it has highlighted another problem, the Samba wiki page:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

doesn't have anything about krb5.conf.

You should run the same /etc/krb5.conf as on a DC; of course, this may change when Red Hat finally releases a Samba AD DC MIT package.

> and
> update to 7.3, the krb5-workstation-1.14.1-27 package adds an
> "includedir" statement to the top of the file. If you modified the
> file in the past, the entry is not added and everything is fine.
>
> This "includedir" statement causes all connections (shares, RPC, etc.)
> to the Samba domain member to fail. If you set the log level to 3 or
> higher, the following error is logged:
>
> [2016/12/29 20:40:12.306475, 3]
> ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_UNSUCCESSFUL] ||
> at ../source3/smbd/smb2_sesssetup.c:134 [2016/12/29 20:40:12.307256,
> 3] ../source3/smbd/server_exit.c:246(exit_server_common)
> Server exit (NT_STATUS_CONNECTION_RESET)
>
> To work around the problem, simply remove the "includedir" statement
> from the /etc/krb5.conf file. No restart is required.
>
> Here is the bug report:
> https://bugzilla.samba.org/show_bug.cgi?id=12488

Why are you logging a Samba bug for what seems to be a configuration error?

Rowland
Marc Muehlfeld
2016-Dec-29 22:21 UTC
[Samba] Connections to Samba fail when "includedir" is set in krb5.conf (e. g. after RHEL 7.2 to 7.3 update)
On 29.12.2016 at 22:17, Rowland Penny via samba wrote:

> Hi Marc, that is your problem there and it has highlighted another
> problem, the Samba wiki page:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Doesn't have anything about krb5.conf
>
> You should run the same /etc/krb5.conf as on a DC, ...

You can set up a domain member without configuring Kerberos in krb5.conf. That's what is currently described on the Wiki page and the procedure works. However, in this case you're not able to use Kerberos stuff, such as kinit.

I will add a new section to the page tomorrow describing the Kerberos configuration on the domain member.

>> Here is the bug report:
>> https://bugzilla.samba.org/show_bug.cgi?id=12488
>
> Why are you logging a Samba bug for what seems to be a
> configuration error ?

Samba domain members work without configuring krb5.conf, and in this case, users may not have touched their krb5.conf file, but Samba reads this file. Also, a lot of distributions ship MIT Kerberos, which supports including config snippets.

That's why I think Samba needs to be patched: If "includedir" is not supported in Heimdal, we should ignore such unknown options instead of starting the services and failing to serve without any helpful error message (nothing is logged on level < 3, and on >= 3 a message is logged that tells nothing about the problem: an unknown parameter in krb5.conf).

Regards,
Marc