Aaron Johnson
2022-Aug-22  18:56 UTC
[Samba] authn timeouts enumerating (and connecting to) shares
Hello Samba users!
I'm experiencing an odd (hopefully, it's odd to everyone and not just me) issue
with Alma Linux 8.6's samba-4.15.5-8.el8_6.x86_64 (and related) release.
In short, I have a domain member Samba server with just the magic [homes] share
defined in smb.conf.  Mildly sanitized 'testparm -s' output:
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER
# Global parameters
[global]
                ldap connection timeout = 3
                ldap timeout = 3
                load printers = No
                log file = /var/log/samba/%m.log
log level = kerberos:10 auth:10 auth_audit:10 winbind:10
                ntlm auth = ntlmv1-permitted
                printcap name = /dev/null
                realm = MYDOMAIN.MYORG.COM
                security = ADS
                server role = member server
                winbind max domain connections = 10
                workgroup = MYDOMAIN
                idmap config MYDOMAIN : range = 100000-9999999
                idmap config MYDOMAIN : schema_mode = rfc2307
                idmap config MYDOMAIN : backend = ad
                idmap config * : range = 0-99999
                idmap config * : backend = tdb
[homes]
                browseable = No
                comment = Home Directories
                inherit acls = Yes
                read only = No
                valid users = %S %D%w%S
(I've added the 'log level' setting in there as testparm didn't print it.)
Trying to list out any shares on this server results in an NT_STATUS_IO_TIMEOUT
like so:
[myuser@myserver ~]$ time smbclient -d 2 -U MYDOMAIN\\myuser -L myserver.myorg.com
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface eth0 ip=10.10.10.10 bcast=10.10.11.255 netmask=255.255.252.0
tdb(/var/lib/samba/lock/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/lock/gencache.tdb: Permission denied
Password for [MYDOMAIN\ajohnson1]:
session setup failed: NT_STATUS_IO_TIMEOUT

real    0m27.191s
user    0m0.040s
sys     0m0.034s
[myuser@myserver ~]$
Watching the logs, I can see that smbd sends a query to winbind which is
promptly responded to with an NT_STATUS_OK:
[2022/08/08 14:52:25.779975, 10, pid=2686623, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:805(process_request_done)
  process_request_done: [smbd(2742274):PAM_AUTH_CRAP]: NT_STATUS_OK
[2022/08/08 14:52:25.780085, 10, pid=2686623, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:849(process_request_written)
  process_request_written: [smbd(2742274):PAM_AUTH_CRAP]: delivered response to client
[2022/08/08 14:52:30.888462,  5, pid=2686623, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual.c:856(winbind_child_died)
  Already reaped child 2742291 died
Smbd then seems to do nothing with that for 2 minutes:
[2022/08/08 14:54:32.008739, 10, pid=2741857, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:1924(check_account)
  check_account: Failed to find authenticated user MYDOMAIN\myuser via getpwnam(), fallback to sid_to_uid(S-1-5-21-1632765165-691681574-1546849883-1185380).
[2022/08/08 14:54:32.009822,  3, pid=2741857, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:269(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [myuser] succeeded
[2022/08/08 14:54:32.010332,  5, pid=2741857, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:296(auth_check_ntlm_password)
  check_ntlm_password:  PAM Account for user [myuser] succeeded
[2022/08/08 14:54:32.010480,  3, pid=2741857, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\[myuser] at [Mon, 08 Aug 2022 14:54:32.010447 MST] with [NTLMv2] status [NT_STATUS_OK] workstation [MYSAMBASERVER] remote host [ipv4:10.10.10.10:48880] became [MYDOMAIN]\[myuser] [S-1-5-21-1632765165-691681574-1546849883-1185380]. local host [ipv4:10.10.10.10:445]
[2022/08/08 14:54:32.010573,  2, pid=2741857, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:330(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [myuser] -> [myuser] -> [myuser] succeeded
[2022/08/08 14:54:32.011362, 10, pid=2741857, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:456(gensec_update_send)
  gensec_update_send: ntlmssp[0x563bc7f52c70]: subreq: 0x563bc7f43740
And smbclient has long since given up on getting a response.
Does anyone out there have any ideas why the 2 minute delay is happening?  I'd
really love to get this working correctly, as we'd like to retire all our
proprietary appliance-based filers and move to clustered Samba with a CephFS
backend.  As you might imagine, having clients unable to authenticate is a
pretty big roadblock in that right now.
Thanks in advance.
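As an added illustration (not from the thread), here is a small Python helper that parses Samba's debug log headers and measures the interval the post describes: the gap between winbind delivering its PAM_AUTH_CRAP verdict and smbd's auth_check_ntlm_password acting on it. It assumes the winbind and smbd logs (separate files under the %m.log setting) have been concatenated into one text, with each debug header on a single line as Samba writes it; the sample log is constructed from the lines quoted above.

```python
import re
from datetime import datetime

# Samba debug header as written to the log file (one line per header).
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), *(?P<level>\d+), "
    r"pid=(?P<pid>\d+),.*?class=(?P<cls>\w+)\] (?P<src>\S+?):\d+\((?P<func>\w+)\)"
)

def parse_entries(text):
    """Pair each debug header with the (possibly wrapped) message that follows it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y/%m/%d %H:%M:%S.%f")
            e["msg"] = ""
            entries.append(e)
        elif entries and line.strip():
            entries[-1]["msg"] += line.strip() + " "   # continuation line
    return entries

def auth_gaps(text, threshold_s=5.0):
    """Return (winbind_ts, smbd_ts, seconds, is_slow) for each winbind
    PAM_AUTH_CRAP reply and the next smbd auth_check_ntlm_password verdict."""
    gaps, pending = [], None
    for e in sorted(parse_entries(text), key=lambda e: e["ts"]):
        if e["cls"] == "winbind" and e["func"] == "process_request_done" \
                and "PAM_AUTH_CRAP" in e["msg"]:
            pending = e
        elif pending and e["cls"] == "auth" and e["func"] == "auth_check_ntlm_password" \
                and "winbind authentication for user" in e["msg"]:
            gap = (e["ts"] - pending["ts"]).total_seconds()
            gaps.append((pending["ts"], e["ts"], round(gap, 6), gap > threshold_s))
            pending = None
    return gaps

# Constructed sample: the lines from the post above, with headers unwrapped.
SAMPLE_LOG = """\
[2022/08/08 14:52:25.779975, 10, pid=2686623, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:805(process_request_done)
  process_request_done: [smbd(2742274):PAM_AUTH_CRAP]: NT_STATUS_OK
[2022/08/08 14:52:25.780085, 10, pid=2686623, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:849(process_request_written)
  process_request_written: [smbd(2742274):PAM_AUTH_CRAP]: delivered response to
client
[2022/08/08 14:54:32.009822,  3, pid=2741857, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:269(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [myuser] succeeded
[2022/08/08 14:54:32.010332,  5, pid=2741857, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:296(auth_check_ntlm_password)
  check_ntlm_password:  PAM Account for user [myuser] succeeded
"""
```

Running `auth_gaps(SAMPLE_LOG)` on the sample reports a single gap of about 126 seconds flagged as slow, which is the two-minute stall the post describes.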
Rowland Penny
2022-Aug-22  19:27 UTC
[Samba] authn timeouts enumerating (and connecting to) shares
On Mon, 2022-08-22 at 18:56 +0000, Aaron Johnson via samba wrote:
> Hello Samba users!
>
> I'm experiencing an odd (hopefully, it's odd to everyone and not just
> me) issue with Alma Linux 8.6's samba-4.15.5-8.el8_6.x86_64 (and
> related) release.
>
> [...]
>
> Trying to list out any shares on this server results in an
> NT_STATUS_IO_TIMEOUT like so:
>
> [myuser@myserver ~]$ time smbclient -d 2 -U MYDOMAIN\\myuser -L
> myserver.myorg.com

That command is interesting, you are trying to connect to
'myserver.myorg.com', yet your realm is 'MYDOMAIN.MYORG.COM', so
presumably your dns domain will be 'mydomain.myorg.com'. I think you
should be connecting to 'myserver.mydomain.myorg.com'

Rowland