David Walling
2019-Sep-03 13:52 UTC
[Samba] flood of (auth in progress) connections from unresponsive windows client crashing samba
Unfortunately I do not have the ability to add the user/group information to AD directly at this time.

Does anyone know exactly what the following error message "means"? It shows up every time these symptoms occur, and if I could understand why the lookup fails, I might be able to prevent the issue.

"lookup_name_smbconf for CLIENTHOSTNAME$ failed"

________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny via samba <samba at lists.samba.org>
Sent: Friday, August 30, 2019 12:52 PM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] flood of (auth in progress) connections from unresponsive windows client crashing samba

On 30/08/2019 18:15, David Walling wrote:
> /etc/samba/user_and_group_map.txt contains Windows username/group to
> linux username/group mappings. In our setup, all users exist in ldap,
> as do the directory groups, but the linux user and group information
> (namely uid/gid) do not. This has been set up such that the users
> connect to samba as the windows username (ex. PRODUCTION+user1) for an
> authorized group (PRODUCTION+group1), but the files and permissions on
> the linux samba server are created and managed with the appropriate
> uid/gids.
>
> Example:
>
> linuxuser=PRODUCTION+windowsuser
> G-234=PRODUCTION+directorygroup
>
> I do not believe we are using sssd, but are using winbind. It's quite
> possible we don't have this setup optimally, but this setup does work
> as needed, outside of these occasional crash/unresponsive states.
>
> Thanks!
>
> David W.

Why are you doing this ? Why not just have everything in AD ?

Using AD would allow Windows users & groups to become Unix users and groups e.g.

'getent passwd rowland' gives me:

    rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

'rowland' is only in AD and nowhere else

Try using this smb.conf:

    [global]
        workgroup = PRODUCTION
        security = ADS
        realm = PRODUCTION.REDACTED.ORG
        netbios name = service-samba4

        idmap config *:backend = tdb
        idmap config *:range = 3000-7999
        idmap config PRODUCTION : backend = rid
        idmap config PRODUCTION : range = 100000-200000

        bind interfaces only = yes
        # change to your network device
        interfaces = eth0
        preferred master = no
        winbind separator = +
        max log size = 20000
        log level = 1 smbd:10
        log file = /var/log/samba/log.%m
        dns proxy = no
        username map = /etc/samba/user.map

        # ACL Settings
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        # Multichannel
        aio read size = 0
        aio write size = 0

        # Prevent zombie processes
        deadtime = 15
        csc policy = disable

    [share1]
        path = /samba/share1
        read only = no
        inherit acls = yes
        inherit permissions = yes
        create mask = 700
        directory mask = 700
        valid users = @"G-817803"
        hosts allow = redacted

and create /etc/samba/user.map with just this content:

    !root = PRODUCTION\Administrator

Restart nmbd, smbd and winbind and run:

    getent passwd PRODUCTION\'A_VALID_USERNAME'

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

>> This message is from an external sender. Learn more about why this <<
>> matters at https://links.utexas.edu/rtyclf. <<
Rowland penny
2019-Sep-03 14:16 UTC
[Samba] flood of (auth in progress) connections from unresponsive windows client crashing samba
On 03/09/2019 14:52, David Walling wrote:
> Unfortunately I do not have the ability to add the user/group
> information to AD directly at this time.
>
> Does anyone know exactly what the following error message "means"? It
> shows up every time these symptoms occur, and if I could understand
> why the lookup fails, I might be able to prevent the issue.
>
> "lookup_name_smbconf for CLIENTHOSTNAME$ failed"
>

The lookup fails because it is looking up user info for a computer, the line is coming from 'create_token_from_username', which is in 'source3/auth', so you are going to get this every time a computer connects (i.e. a lot)

Rowland
David Walling
2019-Sep-03 20:00 UTC
[Samba] flood of (auth in progress) connections from unresponsive windows client crashing samba
I believe the core of my issue was not setting up the 'trusted' machine accounts for the Windows clients correctly. After adding the local unix account manually for each client on the samba server and running "smbpasswd -a -m machine_name", the issue seems to be resolved.

Thank you Rowland for your help!

________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny via samba <samba at lists.samba.org>
Sent: Tuesday, September 3, 2019 9:16 AM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] flood of (auth in progress) connections from unresponsive windows client crashing samba

On 03/09/2019 14:52, David Walling wrote:
> Unfortunately I do not have the ability to add the user/group
> information to AD directly at this time.
>
> Does anyone know exactly what the following error message "means"? It
> shows up every time these symptoms occur, and if I could understand
> why the lookup fails, I might be able to prevent the issue.
>
> "lookup_name_smbconf for CLIENTHOSTNAME$ failed"
>

The lookup fails because it is looking up user info for a computer, the line is coming from 'create_token_from_username', which is in 'source3/auth', so you are going to get this every time a computer connects (i.e. a lot)

Rowland
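
Added example, not part of the original thread or of Samba: a small log triage script that counts the "lookup_name_smbconf for NAME$ failed" messages per machine account and reports whether each name resolves to a unix account on the server. The log lines, hostnames, simplified timestamp format and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Message text as quoted in the thread; a trailing "$" marks a machine account.
LOOKUP_FAILED = re.compile(r"lookup_name_smbconf for (\S+\$) failed")

# Constructed sample log text: hostnames are made up and the line header is
# simplified, real smbd log headers look different.
SAMPLE_LOG = """\
[2019/09/03 13:50:01] lookup_name_smbconf for WS-ALPHA$ failed
[2019/09/03 13:50:01] lookup_name_smbconf for WS-ALPHA$ failed
[2019/09/03 13:50:02] lookup_name_smbconf for PRODUCTION+WS-BETA$ failed
[2019/09/03 13:50:03] some unrelated smbd message
[2019/09/03 13:50:04] lookup_name_smbconf for ws-alpha$ failed
[2019/09/03 13:50:05] lookup_name_smbconf for WS-GAMMA$ failed
"""

def machine_lookup_failures(log_text):
    """Count failed lookups per machine account, ignoring case and domain prefix."""
    counts = Counter()
    for match in LOOKUP_FAILED.finditer(log_text):
        # Drop a "DOMAIN+" (the winbind separator used in the thread) or "DOMAIN\" prefix.
        name = re.split(r"[+\\]", match.group(1))[-1]
        counts[name.lower()] += 1
    return counts

def local_account_exists(name):
    """True if the name resolves through NSS on this host, like 'getent passwd'.
    Assumption: the unix machine account uses the lower-cased name."""
    import pwd
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False

def report(log_text, exists=local_account_exists):
    """Return (machine account, failure count, has unix account) rows, noisiest first."""
    counts = machine_lookup_failures(log_text)
    return [(name, n, exists(name)) for name, n in counts.most_common()]

if __name__ == "__main__":
    for name, n, known in report(SAMPLE_LOG):
        print(f"{name:20} failures={n:<4} unix account={'yes' if known else 'MISSING'}")
```

Run against a real log by passing its contents to `report()`; the rows with no unix account are the clients the last message in the thread describes fixing.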