Alex
2021-Dec-22 17:25 UTC
[Samba] Authentication issue after updating samba on CentOS 7 (from yum)
>> > > idmap config * : backend = tdb
>> > > idmap config * : range = 16777216-33554431
>> > Is there some reason for that range ? It will allow you 16777215
>> > users
>> > & groups for something that requires only about 200.
>>
>> I think it's a legacy. Don't remember why it's here. I'll try to
>> remove it.
> You are probably stuck with it.

Anyway, they don't seem to correlate with the current issue, right?

>>
>> > > idmap config DOMAIN:unix_primary_group = yes
>> > Do your users have gidNumber attributes.
>>
>> Yes, they do. This came from MS Services for Unix.
> Have you actually checked, MS-SFU didn't add a gidNumber attribute to
> users, unless you told it to.

Yes, of course. Here is a sample AD user entry: https://paste.ee/p/7X6N0

>> > > winbind use default domain = true
>> > > winbind offline logon = false
>> > > winbind enum users = Yes
>> > > winbind enum groups = Yes
>> > You do not need the 'enum' lines, it works without them.
>>
>> There was an issue w/o the enum lines. Unfortunately, I don't
>> remember exactly what it was, probably couldn't retrieve groups from
>> the AD with the "getent group" command.
> Adding those lines would not fix such a problem, either it would work
> or it wouldn't. All those lines do is to get 'getent user' to display
> all users and 'getent group' to display all groups, along with slowing
> everything down.

So, I was right :) I don't see any slowness, actually. Everything worked pretty well before this update came.

>>
>> > > [username]
>> > > comment = username's home
>> > > path = /home/username
>> > > read only = No
>> > > create mode = 0660
>> > > valid users = username
>> > As noted above, why are you not using '[homes]' ?
>>
>> It's b/c most users are prohibited from using this server. So, I
>> allowed homes on this server for just a few of them directly.
> So does that mean you have multiple '[username]' shares in smb.conf ?

Yeah, just like this one. I skipped them for the sake of the letter's size.

>> I did that both (changed min uid to 0 and set a user.map file) -
>> still can't log in :(
> This is very strange, I am using Samba 4.15.3 with this smb.conf and I
> can log in:

[skip]

Any ideas what to do?

-- 
Best regards,
Alex
Alex
2021-Dec-23 11:27 UTC
[Samba] Authentication issue after updating samba on CentOS 7 (from yum)
Rowland, I think I found what's going on. It appears the recent patch (https://bugzilla.samba.org/show_bug.cgi?id=14901#c14) hasn't been applied to the CentOS 7 4.10.16-17 package:

# yumdownloader --source samba-4.10.16-17\*
...
samba-4.10.16-17.el7_9.src.rpm | 12 MB 00:00:09
# rpm -ihv samba-4.10.16-17.el7_9.src.rpm
Updating / installing...
   1:samba-0:4.10.16-17.el7_9 ################################# [100%]
...
# rpmbuild -bp samba.spec
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.ygAPHU
+ umask 022
+ cd /root/rpmbuild/BUILD
+ xzcat /root/rpmbuild/SOURCES/samba-4.10.16.tar.xz
+ gpgv2 --quiet --keyring /root/rpmbuild/SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg /root/rpmbuild/SOURCES/samba-4.10.16.tar.asc -
gpgv: Signature made Mon May 25 11:32:59 2020 MSK using DSA key ID 6568B7EA
gpgv: Good signature from "Samba Distribution Verification Key <samba-bugs at samba.org>"
+ cd /root/rpmbuild/BUILD
+ rm -rf samba-4.10.16
+ /usr/bin/xz -dc /root/rpmbuild/SOURCES/samba-4.10.16.tar.xz
+ /usr/bin/tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd samba-4.10.16
+ /usr/bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ /usr/bin/cat /root/rpmbuild/SOURCES/samba-4.10-redhat.patch
+ /usr/bin/patch -p1 -s
+ /usr/bin/cat /root/rpmbuild/SOURCES/libldb-require-version-1.5.4.patch
+ /usr/bin/patch -p1 -s
+ exit 0
# grep libcli/security/dom_sid.h /root/rpmbuild/BUILD/samba-4.10.16/source3/winbindd/idmap_nss.c
#

I'm going to email Andreas Schneider (he seems to be a packager of Samba at RH) to ask him to apply the recent patch and release a new package. Please, let me know if there's something else I can do to speed up the fix.

>>> > > idmap config * : backend = tdb
>>> > > idmap config * : range = 16777216-33554431
>>> > Is there some reason for that range ? It will allow you 16777215
>>> > users
>>> > & groups for something that requires only about 200.
>>>
>>> I think it's a legacy. Don't remember why it's here. I'll try to
>>> remove it.
>> You are probably stuck with it.
>
> Anyway, they don't seem to correlate with the current issue, right?
>
>>>
>>> > > idmap config DOMAIN:unix_primary_group = yes
>>> > Do your users have gidNumber attributes.
>>>
>>> Yes, they do. This came from MS Services for Unix.
>> Have you actually checked, MS-SFU didn't add a gidNumber attribute to
>> users, unless you told it to.
>
> Yes, of course. Here is a sample AD user entry: https://paste.ee/p/7X6N0
>
>>> > > winbind use default domain = true
>>> > > winbind offline logon = false
>>> > > winbind enum users = Yes
>>> > > winbind enum groups = Yes
>>> > You do not need the 'enum' lines, it works without them.
>>>
>>> There was an issue w/o the enum lines. Unfortunately, I don't
>>> remember exactly what it was, probably couldn't retrieve groups from
>>> the AD with the "getent group" command.
>> Adding those lines would not fix such a problem, either it would work
>> or it wouldn't. All those lines do is to get 'getent user' to display
>> all users and 'getent group' to display all groups, along with slowing
>> everything down.
>
> So, I was right :) I don't see any slowness, actually. Everything worked pretty well before this update came.
>
>>>
>>> > > [username]
>>> > > comment = username's home
>>> > > path = /home/username
>>> > > read only = No
>>> > > create mode = 0660
>>> > > valid users = username
>>> > As noted above, why are you not using '[homes]' ?
>>>
>>> It's b/c most users are prohibited from using this server. So, I
>>> allowed homes on this server for just a few of them directly.
>> So does that mean you have multiple '[username]' shares in smb.conf ?
>
> Yeah, just like this one. I skipped them for the sake of the letter's size.
>
>>> I did that both (changed min uid to 0 and set a user.map file) -
>>> still can't log in :(
>> This is very strange, I am using Samba 4.15.3 with this smb.conf and I
>> can log in:
>
> [skip]
>
> Any ideas what to do?
>
> -- 
> Best regards,
> Alex

-- 
Best regards,
Alex
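The check Alex did by hand above (unpack the source rpm, run only the %prep stage so the packager's patches get applied, then grep the prepped tree for a line the upstream fix adds) is worth keeping as a small script, because a distro package version number alone does not tell you which upstream commits it carries. The following is an added example written for this page, not code from the thread, from Samba or from the Red Hat packaging; the function names patch_state, prep_srpm and demo are made up here, and the only assumption about the fix itself is the one the post shows: that it adds an include of libcli/security/dom_sid.h to source3/winbindd/idmap_nss.c. The rpm and rpmbuild invocations use the standard %{_specdir} and %{_builddir} macros.

```shell
#!/bin/sh
# Added example (not from the thread, Samba, or the RH packaging): verify that
# a known source-level fix is present in the tree that `rpmbuild -bp` leaves
# under %{_builddir} after the spec's patches are applied, by searching for a
# line the fix is known to add.

# patch_state BUILD_TREE REL_FILE MARKER
# Prints one word and sets the exit status accordingly:
#   applied (0)  the marker line is present in REL_FILE
#   missing (1)  REL_FILE exists but has no such line: the fix is not in
#                the package, whatever the NVR says
#   nofile  (2)  REL_FILE is not in the tree (wrong path, or a version
#                whose source layout differs)
patch_state() {
    _file="$1/$2"
    _marker=$3
    if [ ! -f "$_file" ]; then
        printf 'nofile\n'
        return 2
    fi
    if grep -qF -- "$_marker" "$_file"; then
        printf 'applied\n'
        return 0
    fi
    printf 'missing\n'
    return 1
}

# prep_srpm SRPM
# Installs the source rpm into the rpmbuild tree and runs only %prep, which
# unpacks the upstream tarball and applies the packager's patches. Prints the
# path of the prepped tree (%{_builddir}/NAME-VERSION, e.g. .../samba-4.10.16).
# Needs rpm-build and the package's BuildRequires; demo() does not call it.
prep_srpm() {
    _srpm=$1
    rpm -ihv "$_srpm" >/dev/null || return 1
    _spec=$(rpm -qpl "$_srpm" | grep '\.spec$' | head -n 1)
    _specdir=$(rpm --eval '%{_specdir}')
    rpmbuild -bp "$_specdir/$_spec" >/dev/null || return 1
    printf '%s/%s\n' "$(rpm --eval '%{_builddir}')" \
        "$(rpm -qp --qf '%{NAME}-%{VERSION}' "$_srpm")"
}

# demo: runs patch_state against a constructed stand-in for the prepped tree
# (a two-line idmap_nss.c invented here, not the real file), first without and
# then with the include line the fix adds. Prints "missing", then "applied".
demo() {
    _tmp=$(mktemp -d)
    _rel=source3/winbindd/idmap_nss.c
    _marker='libcli/security/dom_sid.h'
    mkdir -p "$_tmp/source3/winbindd"
    printf '#include "includes.h"\n#include "idmap.h"\n' > "$_tmp/$_rel"
    # non-zero status is the expected result of this first call
    patch_state "$_tmp" "$_rel" "$_marker" || true
    printf '#include "../libcli/security/dom_sid.h"\n' >> "$_tmp/$_rel"
    patch_state "$_tmp" "$_rel" "$_marker"
    rm -rf "$_tmp"
}

demo
```

In real use, run `tree=$(prep_srpm samba-4.10.16-17.el7_9.src.rpm)` and then `patch_state "$tree" source3/winbindd/idmap_nss.c libcli/security/dom_sid.h`; "missing" is the outcome Alex's transcript shows for 4.10.16-17. Note what the "Good signature" line in that transcript does and does not establish: gpgv verifies that the upstream 4.10.16 tarball is the one the Samba team signed, but the fix in question arrives through the distribution's own patch set applied after unpacking, so the signature check says nothing about whether that fix is present. Only inspecting the prepped tree (or the spec's patch list) does.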