Bug 1202347
Summary: | Can no longer connect to samba4 shares not in AD domain | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Sten Sletbak <Sten.Sletbak> | ||||||||
Component: | samba | Assignee: | Guenther Deschner <gdeschner> | ||||||||
Status: | CLOSED ERRATA | QA Contact: | Robin Hack <rhack> | ||||||||
Severity: | urgent | Docs Contact: | |||||||||
Priority: | urgent | ||||||||||
Version: | 7.1 | CC: | asakure, asn, brodbd, bugzilla, bugzilla, ccoursey, chekov, dpal, ekeck, gdeschner, gmcgrath, jarrpa, jscotka, just1nsan3, marvin24, m.j.goldstone, mom20xx, ngaywood, paetzold, rblocker, rhack, sbose, sreber, Sten.Sletbak, wbachman | ||||||||
Target Milestone: | rc | Keywords: | ZStream | ||||||||
Target Release: | --- | ||||||||||
Hardware: | Unspecified | ||||||||||
OS: | Unspecified | ||||||||||
Whiteboard: | |||||||||||
Fixed In Version: | samba-4.1.12-22.el7 | Doc Type: | Bug Fix | ||||||||
Doc Text: |
When running Samba without the winbindd service, authentication with user name and password sometimes failed. Now, it is possible to run Samba without winbindd, although it is not recommended.
|
Story Points: | --- | ||||||||
Clone Of: | |||||||||||
: | 1233295 1258317 (view as bug list) | Environment: | |||||||||
Last Closed: | 2015-11-19 09:11:16 UTC | Type: | Bug | ||||||||
Regression: | --- | Mount Type: | --- | ||||||||
Documentation: | --- | CRM: | |||||||||
Verified Versions: | Category: | --- | |||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||
Embargoed: | |||||||||||
Bug Depends On: | |||||||||||
Bug Blocks: | 1258317 | ||||||||||
Attachments: |
|
Description
Sten Sletbak
2015-03-16 12:54:14 UTC
Can you check with rpm -qi sssd-libwbclient if a package called sssd-libwbclient is installed? If yes, please remove it and try again. # rpm -qi sssd-libwbclient package sssd-libwbclient is not installed ok, thank you, Can you add your config and log files to the ticket as described on https://www.samba.org/~asn/reporting_samba_bugs.txt. Do you want any specific log levels to the smb, sssd and smbclient logs? Created attachment 1002287 [details]
Config and log files
I'm sorry but you do not give detailed information. I assume the user ADA\stens wants to log in. As this is a domain user we need to lookup the user from AD using winbind but: check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_WINBIND_NOT_AVAILABLE There is no winbind running ... Ah, sorry, yes, ADA\stens is the relevant user in the logs. The logs are from a non production server that's joined to the ADA domain. We're using sss to lookup users in AD, not winbind. Logs from sssd should be included in the attached tarball (1002287). Do you need any other logs and/or debug levels? Just to clarify: I can reach the share from a Windows box joined to the domain and with smbclient -k //nhb/stens, but not from machines that are not domain members and does not have an ADA kerberos setup. SSSD only supports Kerberos auth. Please try to start winbind so that Samba can use winbind for NTLM. Thanks, it worked! :-) Testet with smbclient //nhb/stens -U stens -W ADA and from an OSX machine. I gather this is due to a change in sssd with the release of RHEL 7.1? No problems involved in running both sssd and winbind? SSSD never supported NTLM which is the only authentication method for clients not joined to a domain. So you say it worked with RHEL-7.0 without running winbind? Yup, just tried with the RHEL-7.0 template VM. The issue started after the upgrade to RHEL-7.1. winbind isn't even installed on these servers. Can you sent the samba logs form RHEL-7.0 as well? Created attachment 1002868 [details]
Samba logs
smbclient //rh7-smb/stens -U stens -W ADA
We are seeing a similar issue after having moved to samba 4.1.12-21, we don't rely on sssd or winbind in our configuration. If this should go in a separate bug report please let me know. Or setup involves using kinit and net ads join to get the basic authentication steps working for samba, and falling back on local system uid/gid sets for ownership of files. Similar to above winbind is not even installed on the machines in question. Samba security is set to 'ADS'. We started seeing the following errors a few days ago after 4.1.12-21 was applied: Mar 23 18:06:16 xxxx smbd[14936]: [2015/03/23 18:06:16.524510, 0] ../source3/auth/auth_domain.c:302(domain_client_validate) Mar 23 18:06:16 xxxx smbd[14936]: domain_client_validate: unable to validate password for user xxxx in domain xxxxxxx to Domain controller PDOM2.xx.xx.xxxxxxxx.xxx. Error was NT_STATUS_INVALID_COMPUTER_NAME. These persist over rejoins of the domain and do not crop up in all circumstances. As of right now a windows machine (non domain member) can connect via the standard domain name + username + pw combo, linux machines appear to be causing the server to generate core dumps (tested on fully patched fedora 20 and centos7.1), and OSX clients can only connect if they insert the realm name for the AD servers in instead of the domain name. Previous to -21, all three client types could connect with default arguments by supplying their AD username, password and the AD domain. Created attachment 1005911 [details]
Core Dump info from /var/log/messages on problem server
This is a copy of the smbd output into /var/log/messages from a linux client attempting to connect to our samba 4.1.12-21 server with standard options, supplying domain/username/password.
Issue is also present in CentOS 71. In CentOS 7.1 the issue is fixed when building the spec file from 4.1.12-21 without patches 100 and patch 101 patch100 samba-4.2.x-fix_gecos_field_with_samlogon.patch patch101 samba-4.2.x-fix_net_rpc_join_schannel.patch according to https://lists.samba.org/archive/samba/2015-April/191212.html patch100 seems to break everything here. maybe patch101 has nothing to do with that issue but i removed it because the rpm will not build when patch100 is removed and patch101 should be applied. hopefully this will help you to fix this issue. best regards, mom20xx Seems to affect latest Fedora packages as well. Should I open a new bug? Fedora22 has the fix already that was still missing RHEL. If you're seeing the same issue there, it will likely have a different cause, but please: yes, open a new bug for it. Thanks! I put in bug#1233295 This bug will be released with RHEL 7.2. If you need a z-stream release, you should look up the process how to request one ... (In reply to Andreas Schneider from comment #30) > This bug will be released with RHEL 7.2. If you need a z-stream release, you > should look up the process how to request one ... Any particular reason why this won't be released before 7.2? Does that mean 7.2 is just around the corner? Any idea when? Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2258.html |