Alex
2022-Jan-11 11:27 UTC
[Samba] Authentication issue after updating samba on CentOS 7 (from yum)
Robert, Rowland,

I guess I found the root of the issue. Look:

[2022/01/11 13:33:07.895774, 3] ../../source3/smbd/oplock.c:1422(init_oplocks)
  init_oplocks: initializing messages.
[2022/01/11 13:33:07.896199, 3] ../../source3/smbd/process.c:1948(process_smb)
  Transaction 0 of length 108 (0 toread)
[2022/01/11 13:33:07.896674, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2022/01/11 13:33:07.972677, 3] ../../source3/auth/user_util.c:351(map_username)
  Mapped user ABISOFT\username to username
[2022/01/11 13:33:07.977752, 3] ../../source3/auth/auth_generic.c:171(auth3_generate_session_info_pac)
  Kerberos ticket principal name is [username at ABISOFT.BIZ]
[2022/01/11 13:33:07.978650, 1] ../../source3/auth/token_util.c:1082(create_token_from_sid)
  sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed
[2022/01/11 13:33:07.978827, 3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2022/01/11 13:33:07.980941, 3] ../../source3/smbd/server_exit.c:236(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

Particularly, this line:
sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed

# wbinfo --domain=ABISOFT -s S-1-5-21-3729968760-1240331958-298020672-513
ABISOFT\Domain Users 2

# wbinfo --domain=ABISOFT -Y S-1-5-21-3729968760-1240331958-298020672-513
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND

Indeed, Domain Users group (username's primary group) does not have unix group id associated with it. However, it didn't create any problems before 4.10.16-17. Is it possible to fix it w/o assigning a unix group id?

Monday, January 10, 2022, 7:50:43 PM, you wrote:

> On 1/10/22 12:47 PM, Alex via samba wrote:
>> Robert, it appears I was too fast in reply. The fix you mentioned didn't help :(

> Sad to hear that. I didn't try the missing patch, but the work around using:

> username map script = /var/lib/samba/scripts/username_map_script.sh
> local nt token from nss:SAMBA = no

>>
>> Thank you very much for your reply! I've applied the fixing patch and it did the job! Hopefully, the RH team will release the official fix soon.
>>
>>> On 1/10/22 6:21 AM, Alex via samba wrote:
>>>>> Rowland, could you please help me with this? I tried to remove some patches and rebuild but this is very time-consuming and I wasn't able to find the affecting patch yet :(
>>>>>> Also I'm wondering what 2.33.1 and 2.30.2 mean in the patch file, for example:
>>>>> # diff samba-4.10-redhat.patch.15 samba-4.10-redhat.patch |less
>>>>> 4c4
>>>>> < Subject: [PATCH 01/48] s3-rpcserver: fix security level check for
>>>>> ---
>>>>>> Subject: [PATCH 01/88] s3-rpcserver: fix security level check for
>>>>> 83c83
>>>>> < 2.30.2
>>>>> ---
>>>>>> 2.33.1
>>
>>> I was hit by this problem, apparently is a missing backported patch [1].
>>
>>> The workaround at [2] is working for me. Just updated the domain name on the script and placed it instead on /var/lib/samba/scripts to make SELinux happy. Will wait for an updated RPM and remove the workaround for testing at that time.
>>
>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2036595
>>>> [2] https://bugzilla.samba.org/show_bug.cgi?id=14901#c0
>>
>
>> [skip]
>>
>
>
>
--
Best regards, Alex
Rowland Penny
2022-Jan-11 17:49 UTC
[Samba] Authentication issue after updating samba on CentOS 7 (from yum)
On Tue, 2022-01-11 at 14:27 +0300, Alex via samba wrote:
> Robert, Rowland,
>
> I guess I found the root of the issue. Look:
> [2022/01/11 13:33:07.895774, 3]
> ../../source3/smbd/oplock.c:1422(init_oplocks)
> init_oplocks: initializing messages.
> [2022/01/11 13:33:07.896199, 3]
> ../../source3/smbd/process.c:1948(process_smb)
> Transaction 0 of length 108 (0 toread)
> [2022/01/11 13:33:07.896674, 3]
> ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negpr
> ot)
> Selected protocol SMB2_10
> [2022/01/11 13:33:07.972677, 3]
> ../../source3/auth/user_util.c:351(map_username)
> Mapped user ABISOFT\username to username
> [2022/01/11 13:33:07.977752, 3]
> ../../source3/auth/auth_generic.c:171(auth3_generate_session_info_pac
> )
> Kerberos ticket principal name is [username at ABISOFT.BIZ]
> [2022/01/11 13:33:07.978650, 1]
> ../../source3/auth/token_util.c:1082(create_token_from_sid)
> sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed
> [2022/01/11 13:33:07.978827, 3]
> ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_LOGON_FAILURE] || at
> ../../source3/smbd/smb2_sesssetup.c:146
> [2022/01/11 13:33:07.980941, 3]
> ../../source3/smbd/server_exit.c:236(exit_server_common)
> Server exit (NT_STATUS_CONNECTION_RESET)
>
> Particularly, this line:
> sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed
>
> # wbinfo --domain=ABISOFT -s S-1-5-21-3729968760-1240331958-
> 298020672-513
> ABISOFT\Domain Users 2
>
> # wbinfo --domain=ABISOFT -Y S-1-5-21-3729968760-1240331958-
> 298020672-513
> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
>
> Indeed, Domain Users group (username's primary group) does not have
> unix group id associated with it. However, it didn't create any
> problems before 4.10.16-17. Is it possible to fix it w/o assigning a
> unix group id?

No idea, it has been years since I used nslcd. I do know that if you use the winbind 'ad' backend on a Unix domain member, then you must give Domain Users a gidNumber.

Rowland
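
The triage done by eye in this thread can be scripted. The following is an added example, not part of either message and not Samba code: it scans an smbd log for failed SID-to-ID mappings and notes whether a logon failure followed. The names `parse_records` and `find_mapping_failures` are hypothetical, the sample is laid out from the log quoted above, and a header line followed by indented message lines is assumed as the record layout.

```python
import re

# Header line of an smbd log record: "[timestamp, level] file:line(function)".
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+\S+\((?P<func>\w+)\)")
SID_FAIL = re.compile(r"sid_to_(?P<kind>[ug]id)\((?P<sid>S-1-[\d-]+)\) failed")
# Well-known domain RIDs (the last sub-authority of a domain SID).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers"}

# Sample constructed from the log quoted in the thread, one record per two lines.
SAMPLE = """[2022/01/11 13:33:07.896674, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2022/01/11 13:33:07.978650, 1] ../../source3/auth/token_util.c:1082(create_token_from_sid)
  sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed
[2022/01/11 13:33:07.978827, 3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2022/01/11 13:33:07.980941, 3] ../../source3/smbd/server_exit.c:236(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
"""

def parse_records(text):
    """Yield (timestamp, level, function, message) for each log record."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m["ts"], int(m["level"]), m["func"], ""]
        elif current is not None:
            # Continuation line: append it to the current record's message.
            current[3] = (current[3] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def find_mapping_failures(text):
    """Return one finding per failed SID mapping; flag it if a logon failure follows."""
    findings = []
    for ts, _level, func, msg in parse_records(text):
        m = SID_FAIL.search(msg)
        if m:
            rid = int(m["sid"].rsplit("-", 1)[1])
            findings.append({"time": ts, "function": func, "sid": m["sid"],
                             "kind": m["kind"], "rid": rid,
                             "name": WELL_KNOWN_RIDS.get(rid, "unknown"),
                             "logon_failed": False})
        elif "NT_STATUS_LOGON_FAILURE" in msg and findings:
            findings[-1]["logon_failed"] = True
    return findings

if __name__ == "__main__":
    for finding in find_mapping_failures(SAMPLE):
        print(finding)
```

Each SID it reports can then be checked with the `wbinfo -s` and `wbinfo -Y` calls shown in the thread.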