Frank Steiner
2019-Nov-28 16:46 UTC
[Samba] security=domain fails after upgr. to 4.9, winbind doesn't help
Hi,

we've problems getting samba shares to work after upgrading from 4.7 to 4.9. We have one samba PDC server providing some shares and the users via local passdb.tdb file. Its smb.conf (names/ips changed):

    [global]
        security = user
        encrypt passwords = yes
        passdb backend = tdbsam:/etc/samba/passdb.tdb
        workgroup = OURWORKGROUP
        netbios name = SERVER1
        server string = main server
        map untrusted to domain = Yes

        local master = yes
        preferred master = yes
        domain master = yes
        os level = 255
        wins support = yes

        dns proxy = yes
        name resolve order = host wins bcast

        hosts allow = <our networks>

    [... the shares ...]

And one server that is providing some shares and does user authentication via the PDC. Its smb.conf:

    [global]
        security = domain
        password server = SERVER1
        encrypt passwords = yes
        guest ok = no
        workgroup = OURWORKGROUP
        netbios name = SERVER2
        server string = secondary server

        local master = yes
        preferred master = no
        domain master = no
        os level = 40
        wins server = SERVER1

        dns proxy = yes
        name resolve order = host wins bcast

        hosts allow = <our networks>

    [... the shares ...]

We have a Windows terminal server using these shares, some Win 10 clients and some Linux clients. This all worked fine when both servers ran samba 4.7.

Now SERVER2 was upgraded to samba 4.9 (because SuSE Linux Enterprise 15 was updated to 15 SP1, SERVER1 is still running 15 without SP1) and I learned that "security = domain" no longer works without winbind. I thought I could just start winbind to use the "netlogon proxy only mode", so I did that on both servers. So, winbindd is running on SERVER2:

    server2 /root# rcwinbind status
    * winbind.service - Samba Winbind Daemon
       Loaded: loaded (/usr/lib/systemd/system/winbind.service; disabled; vendor preset: disabled)
       Active: active (running) since Thu 2019-11-28 15:47:13 CET; 1h 21min ago
     Main PID: 20444 (winbindd)
       Status: "winbindd: ready to serve connections..."
        Tasks: 2 (limit: 4915)
       CGroup: /system.slice/winbind.service
               |-20444 /usr/sbin/winbindd --foreground --no-process-group
               `-20446 /usr/sbin/winbindd --foreground --no-process-group

    Nov 28 15:47:13 server2 winbindd[20444]: [2019/11/28 15:47:13.100030,  0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
    Nov 28 15:47:13 server2 winbindd[20444]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Nov 28 15:47:13 server2 winbindd[20444]: [2019/11/28 15:47:13.101272,  0] ../lib/util/become_daemon.c:138(daemon_ready)
    Nov 28 15:47:13 server2 winbindd[20444]:   daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections

But even after restarting smbd, it doesn't find winbindd:

    server2 /root# rcsmb status
    * smb.service - Samba SMB Daemon
       Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
       Active: active (running) since Thu 2019-11-28 16:47:35 CET; 22min ago
     Main PID: 26379 (smbd)
       Status: "smbd: ready to serve connections..."
        Tasks: 4 (limit: 4915)
       CGroup: /system.slice/smb.service
               |-26379 /usr/sbin/smbd --foreground --no-process-group
               |-26381 /usr/sbin/smbd --foreground --no-process-group
               |-26382 /usr/sbin/smbd --foreground --no-process-group
               `-26383 /usr/sbin/smbd --foreground --no-process-group

    Nov 28 16:47:35 server2 smbd[26379]: [2019/11/28 16:47:35.114442,  0] ../lib/util/become_daemon.c:138(daemon_ready)
    Nov 28 16:47:35 server2 smbd[26379]:   daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
    Nov 28 17:10:16 server2 smbd[29446]: [2019/11/28 17:10:16.947758,  0] ../source3/auth/auth_winbind.c:122(check_winbind_security)
    Nov 28 17:10:16 server2 smbd[29446]:   check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS

The last two lines appear in the log after doing a "smbclient -D OURWORKGROUP -U someuser -L //SERVER2/" which returns

    Enter WORKGROUP\somuser's password:
    session setup failed: NT_STATUS_NO_LOGON_SERVERS

Do I need to set up some winbind options for just using the "netlogon proxy only mode"? All documentation I find is only about using winbind with nss or kerberos or windows ad controllers etc., nothing is explained about the proxy only mode. Just this mail:

https://lists.samba.org/archive/samba/2014-January/178375.html

which indicates that I must do nothing but only start winbind... What do I do wrong? For the moment I had to downgrade to 4.7 again to make the shares work.

cu,
Frank

--
Dipl.-Inform. Frank Steiner   Web:   http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail:  http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* You can only understand recursion once you have understood recursion. *
Rowland penny
2019-Nov-28 17:31 UTC
[Samba] security=domain fails after upgr. to 4.9, winbind doesn't help
On 28/11/2019 16:46, Frank Steiner via samba wrote:
>
> Hi,
>
> we've problems getting samba shares to work after upgrading from 4.7
> to 4.9. We have one samba PDC server providing some shares and the
> users via local passdb.tdb file. Its smb.conf (names/ips changed):
>
> [global]
>         security = user
>         encrypt passwords = yes
>         passdb backend = tdbsam:/etc/samba/passdb.tdb
>         workgroup = OURWORKGROUP
>         netbios name = SERVER1
>         server string = main server
>         map untrusted to domain = Yes
>
>         local master = yes
>         preferred master = yes
>         domain master = yes
>         os level = 255
>         wins support = yes
>
>         dns proxy = yes
>         name resolve order = host wins bcast
>
>         hosts allow = <our networks>

OK, 'testparm' thinks the above is a standalone server:

    testparm testsmb.conf
    Load smb config files from testsmb.conf
    Loaded services file OK.
    Server role: ROLE_STANDALONE

Remove 'map untrusted to domain = Yes', it has been removed.

Add 'domain logons = Yes'

This gets it back to being a PDC:

    testparm testsmb.conf
    Load smb config files from testsmb.conf
    Loaded services file OK.
    idmap range not specified for domain '*'
    ERROR: Invalid idmap range for domain *!
    Server role: ROLE_DOMAIN_PDC

Yes, I know there is a different error, but this can be fixed if necessary.

Rowland
Frank Steiner
2019-Nov-28 19:39 UTC
[Samba] security=domain fails after upgr. to 4.9, winbind doesn't help
Hi Rowland,

> Remove 'map untrusted to domain = Yes', it has been removed.
>
> Add 'domain logons = Yes'
>
> This gets it back to being a PDC:

thanks for the hints! I did that, but it doesn't help. I guess the problem is not on the PDC server but on SERVER2. That's the one that got upgraded and stopped working (even with the non-pdc config of SERVER1). I think the problem is missing connection between smbd and winbindd on SERVER2, i.e. this error message:

> check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS

Obviously I have to change sth. on SERVER2 as "security=domain" should no longer work without winbindd in samba 4.8 and later. But as just starting winbindd doesn't make smbd see it, I don't know what else to do.

I sent the SERVER2 smb.conf through testparm (thanks for reminding me of this tool) and removed the "password server" option due to

    WARNING: The setting 'security=domain' should NOT be combined with the 'password server' parameter.
    (by default Samba will discover the correct DC to contact automatically).

but still winbindd is not detected. The process spawned by the systemctl service is

    25130 /usr/sbin/winbindd --foreground --no-process-group

cu,
Frank

--
Dipl.-Inform. Frank Steiner   Web:   http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail:  http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* You can only understand recursion once you have understood recursion. *
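The thread above turns on four smb.conf conditions that only surface after the 4.8+ restart: 'security = domain' now needs a running winbindd, 'password server' should not be combined with it, 'map untrusted to domain' no longer exists, and a PDC needs 'domain logons = yes' or testparm reports ROLE_STANDALONE. As an added example (not code from the thread or from Samba), the following pre-restart lint checks those four points on a config file; the sample config is constructed from the SERVER2 values above, and whether winbindd runs is passed in as yes/no so the script works offline (on a live host: `pgrep -x winbindd >/dev/null && wb=yes || wb=no`).

```shell
#!/bin/sh
# Added example, not from the thread: lint an smb.conf for the 4.8/4.9
# pitfalls discussed above before smbd is restarted.

# smb_param FILE KEY: print the [global] value of KEY, lowercased.
# Keys match ignoring case and internal whitespace; comment lines are skipped.
smb_param() {
    awk -v key="$(printf '%s' "$2" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        in_global && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[[:space:]]/, "", k)
            if (tolower(k) == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                print tolower(v)
            }
        }' "$1"
}

# smb_lint FILE WINBIND_RUNNING(yes|no): one finding per line; exit 1 if any.
smb_lint() {
    f=$1 wb=$2 rc=0
    sec=$(smb_param "$f" security)
    if [ -n "$(smb_param "$f" 'map untrusted to domain')" ]; then
        echo "ERROR: 'map untrusted to domain' has been removed; delete it"; rc=1
    fi
    if [ "$sec" = domain ] && [ "$wb" != yes ]; then
        echo "ERROR: security = domain requires a running winbindd (else NT_STATUS_NO_LOGON_SERVERS)"; rc=1
    fi
    if [ "$sec" = domain ] && [ -n "$(smb_param "$f" 'password server')" ]; then
        echo "WARN: 'password server' should not be combined with security = domain; smbd finds the DC itself"; rc=1
    fi
    if [ "$(smb_param "$f" 'domain master')" = yes ] && [ "$(smb_param "$f" 'domain logons')" != yes ]; then
        echo "WARN: 'domain master = yes' without 'domain logons = yes' yields ROLE_STANDALONE, not a PDC"; rc=1
    fi
    return $rc
}

# Constructed SERVER2-style config (values from the thread) for a self-check.
conf=$(mktemp)
printf '%s\n' '[global]' '   security = domain' '   password server = SERVER1' \
    '   workgroup = OURWORKGROUP' '   netbios name = SERVER2' '[data]' '   path = /srv' > "$conf"
smb_lint "$conf" no || echo "findings present (exit $?)"
rm -f "$conf"
```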