Robert Marcano
2022-Jan-10 16:50 UTC
[Samba] Authentication issue after updating samba on CentOS 7 (from yum)
On 1/10/22 12:47 PM, Alex via samba wrote:
> Robert, it appears I was too fast in reply. The fix you mentioned didn't help :(

Sad to hear that. I didn't try the missing patch, but the work around using:

username map script = /var/lib/samba/scripts/username_map_script.sh
local nt token from nss:SAMBA = no

> >> Thank you very much for your reply! I've applied the fixing patch and it did the job! Hopefully, the RH team will release the official fix soon.
> >>> On 1/10/22 6:21 AM, Alex via samba wrote:
>>>> Rowland, could you please help me with this? I tried to remove some patches and rebuild but this is very time-consuming and I wasn't able to find the affecting patch yet :(
>>>>> Also I'm wondering what 2.33.1 and 2.30.2 mean in the patch file, for example:
>>>> # diff samba-4.10-redhat.patch.15 samba-4.10-redhat.patch |less
>>>> 4c4
>>>> < Subject: [PATCH 01/48] s3-rpcserver: fix security level check for
>>>> ---
>>>>> Subject: [PATCH 01/88] s3-rpcserver: fix security level check for
>>>> 83c83
>>>> < 2.30.2
>>>> ---
>>>>> 2.33.1
> >>> I was hit by this problem, apparently is a missing backported patch [1].
> >>> The workaround at [2] is working for me. Just updated the domain name on the script and placed it instead on /var/lib/samba/scripts to make SELinux happy. Will wait for an updated RPM and remove the workaround for testing at that time.
> >>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2036595
>>> [2] https://bugzilla.samba.org/show_bug.cgi?id=14901#c0
> > >> [skip]
Alex
2022-Jan-11 11:27 UTC
[Samba] Authentication issue after updating samba on CentOS 7 (from yum)
Robert, Rowland, I guess I found the root of the issue. Look:

[2022/01/11 13:33:07.895774, 3] ../../source3/smbd/oplock.c:1422(init_oplocks)
  init_oplocks: initializing messages.
[2022/01/11 13:33:07.896199, 3] ../../source3/smbd/process.c:1948(process_smb)
  Transaction 0 of length 108 (0 toread)
[2022/01/11 13:33:07.896674, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2022/01/11 13:33:07.972677, 3] ../../source3/auth/user_util.c:351(map_username)
  Mapped user ABISOFT\username to username
[2022/01/11 13:33:07.977752, 3] ../../source3/auth/auth_generic.c:171(auth3_generate_session_info_pac)
  Kerberos ticket principal name is [username at ABISOFT.BIZ]
[2022/01/11 13:33:07.978650, 1] ../../source3/auth/token_util.c:1082(create_token_from_sid)
  sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed
[2022/01/11 13:33:07.978827, 3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2022/01/11 13:33:07.980941, 3] ../../source3/smbd/server_exit.c:236(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

Particularly, this line:

sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed

# wbinfo --domain=ABISOFT -s S-1-5-21-3729968760-1240331958-298020672-513
ABISOFT\Domain Users 2
# wbinfo --domain=ABISOFT -Y S-1-5-21-3729968760-1240331958-298020672-513
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND

Indeed, Domain Users group (username's primary group) does not have unix group id associated with it. However, it didn't create any problems before 4.10.16-17. Is it possible to fix it w/o assigning a unix group id?

Monday, January 10, 2022, 7:50:43 PM, you wrote:
> On 1/10/22 12:47 PM, Alex via samba wrote:
>> Robert, it appears I was too fast in reply. The fix you mentioned didn't help :(
> Sad to hear that. I didn't try the missing patch, but the work around using:
> username map script = /var/lib/samba/scripts/username_map_script.sh
> local nt token from nss:SAMBA = no
>> >> Thank you very much for your reply! I've applied the fixing patch and it did the job! Hopefully, the RH team will release the official fix soon.
>> >>> On 1/10/22 6:21 AM, Alex via samba wrote:
>>>>> Rowland, could you please help me with this? I tried to remove some patches and rebuild but this is very time-consuming and I wasn't able to find the affecting patch yet :(
>>>>>> Also I'm wondering what 2.33.1 and 2.30.2 mean in the patch file, for example:
>>>>> # diff samba-4.10-redhat.patch.15 samba-4.10-redhat.patch |less
>>>>> 4c4
>>>>> < Subject: [PATCH 01/48] s3-rpcserver: fix security level check for
>>>>> ---
>>>>>> Subject: [PATCH 01/88] s3-rpcserver: fix security level check for
>>>>> 83c83
>>>>> < 2.30.2
>>>>> ---
>>>>>> 2.33.1
>> >>> I was hit by this problem, apparently is a missing backported patch [1].
>> >>> The workaround at [2] is working for me. Just updated the domain name on the script and placed it instead on /var/lib/samba/scripts to make SELinux happy. Will wait for an updated RPM and remove the workaround for testing at that time.
>> >>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2036595
>>>> [2] https://bugzilla.samba.org/show_bug.cgi?id=14901#c0
>> > >> [skip]

-- 
Best regards,
Alex
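Added example, not part of the original thread: a Python triage script for the failure pattern in the message above. It finds `sid_to_gid(...) failed` records in an smbd log, ties each to the preceding Kerberos principal, names the group RID, and notes whether the logon then failed. The log sample, principal and SID are constructed placeholders, and the record layout (header line followed by an indented message) is assumed from the excerpt.

```python
import re

# smbd log record: "[timestamp, level] file:line(function)" then an indented message
HEADER = re.compile(r"^\[([^,\]]+),\s*\d+\]\s+\S+?:\d+\((\w+)\)\s*$")
SID_FAIL = re.compile(r"sid_to_gid\((S-1-[\d-]+)\) failed")
PRINCIPAL = re.compile(r"Kerberos ticket principal name is \[([^\]]+)\]")
GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}  # well-known RIDs

def parse_records(text):
    """Yield (timestamp, function, message) for each header plus its body lines."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            current = (m.group(1), m.group(2), [])
        elif current and line.strip():
            current[2].append(line.strip())
    if current:
        yield current[0], current[1], " ".join(current[2])

def find_unmapped_group_failures(text):
    """Return one finding per sid_to_gid failure, with principal and outcome."""
    findings, principal, pending = [], None, None
    for ts, func, msg in parse_records(text):
        if (p := PRINCIPAL.search(msg)):
            principal, pending = p.group(1), None   # a new session setup starts
        elif func == "create_token_from_sid" and (s := SID_FAIL.search(msg)):
            rid = int(s.group(1).rsplit("-", 1)[1])  # last sub-authority is the RID
            pending = {"time": ts, "principal": principal, "sid": s.group(1),
                       "rid": rid, "group": GROUP_RIDS.get(rid, "unknown"),
                       "logon_failed": False}
            findings.append(pending)
        elif pending and "NT_STATUS_LOGON_FAILURE" in msg:
            pending["logon_failed"] = True          # the failed mapping broke the logon
    return findings

# Constructed sample (placeholder domain, user and SID), modelled on the excerpt above
SAMPLE = """
[2022/01/11 13:33:07.977752,  3] ../../source3/auth/auth_generic.c:171(auth3_generate_session_info_pac)
  Kerberos ticket principal name is [alice@EXAMPLE.TEST]
[2022/01/11 13:33:07.978650,  1] ../../source3/auth/token_util.c:1082(create_token_from_sid)
  sid_to_gid(S-1-5-21-1111111111-2222222222-3333333333-513) failed
[2022/01/11 13:33:07.978827,  3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
"""

if __name__ == "__main__":
    print(find_unmapped_group_failures(SAMPLE))
```

Each SID it reports can then be checked with `wbinfo -s` and `wbinfo -Y`, as done in the message, to confirm that the group resolves by name but has no Unix gid.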