Bug 1420445 - [GSS] CIFS access fails first attempt and then succeeds on the next attempt, UID is getting assigned -1 value
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: samba
Version: rhgs-3.1
Hardware: All
OS: Linux
Assignee: Michael Adam
QA Contact: surabhi
Reported: 2017-02-08 16:32 UTC by jquinn
Modified: 2020-06-11 13:17 UTC (History)

Last Closed: 2017-08-01 14:14:00 UTC

Attachments:
smb log with debug = 3 enabled. (30.00 KB, text/plain)
2017-02-08 16:32 UTC, jquinn

Description jquinn 2017-02-08 16:32:41 UTC
Created attachment 1248638
smb log with debug = 3 enabled.

Description of problem: When Customer tries to access Gluster CIFS share using ADS it fails on the first attempt and then succeeds for subsequent attempts. If they leave for some time and come back it follows the same pattern.

They have this issue on 2 nodes running RHEL7.x, but on the previous version running RHEL6 they did not experience this, and still have 2 nodes running rhel6 which they will leave in production while this is resolved on these 2 nodes that are not working. I believe this issue is related to a bug that has been found in samba version 4.1 and newer.  Rhel7 uses samba 4.4, while rhel6 is using samba 3.6.  

In the log snippet below you will see that the username/password is successful, but the SID to UID conversion returned a -1 value. This is addressed in the below samba bug [1].

[1] https://bugzilla.samba.org/show_bug.cgi?id=10604

I am opening this bug for Engineering to OK the patch that has been created for this bugzilla and implement a fix or give the OK to apply the samba patch.

Version-Release number of selected component (if applicable): Gluster 3.1/Rhel7/samba 4.4

How reproducible: every time.

Steps to Reproduce:
1. Attempt to access share with ADS configured, first attempt fails.
2. Second attempt succeeds.

Actual results:

[2017/02/08 09:43:11.592254,  3, pid=7736] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [ETS]\[dzuckerman]@[TYR] with the new password interface
[2017/02/08 09:43:11.592271,  3, pid=7736] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [ETS]\[dzuckerman]@[TYR]
[2017/02/08 09:43:11.599836,  3, pid=7736] ../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [dzuckerman] succeeded
[2017/02/08 09:43:11.599876,  2, pid=7736] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [dzuckerman] -> [dzuckerman] -> [dzuckerman] succeeded   <------------ The username/password is succeeding. 
[2017/02/08 09:43:11.599910,  3, pid=7736] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/02/08 09:43:11.599920,  3, pid=7736] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2017/02/08 09:43:11.599946,  3, pid=7736] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/02/08 09:43:11.599957,  3, pid=7736] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2017/02/08 09:43:11.605893,  1, pid=7736] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-8915387-1766009709-1703228666-10401 -> getpwuid(4294967295) failed        <------------------------The SID to UID mapping is what's failing
[2017/02/08 09:43:11.605926,  3, pid=7736] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2017/02/08 09:43:11.605939,  1, pid=7736] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL
[2017/02/08 09:43:11.605975,  3, pid=7736] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(293) cmd=115 (SMBsesssetupX) NT_STATUS_UNSUCCESSFUL
[2017/02/08 09:43:11.606394,  3, pid=7736] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (failed to receive smb request)
[2017/02/08 09:43:11.609261,  3, pid=7597] ../source3/lib/util_procid.c:54(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2017/02/08 09:43:11.609672,  3, pid=7597] ../source3/lib/dbwrap/dbwrap_ctdb.c:1715(db_open_ctdb)
  db_open_ctdb: opened database 'serverid.tdb' with dbid 0x9ec2a880

Expected results:

The CIFS access should work on the first attempt.

Additional info:
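
Added example, not part of the original report and not Samba or Red Hat code: a log triage script that pairs each smbd process's successful authentication with a later `getpwuid(4294967295)` failure, which is the pattern annotated in the log above (4294967295 is -1 as an unsigned 32-bit uid). The sample log is constructed in the same layout; its user names, SID and pids are made up.

```python
import re

# Record header as in the excerpt: [date time,  level, pid=N] file:line(function)
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s+\d+, pid=(?P<pid>\d+)\] \S+?:\d+\((?P<func>\w+)\)")
AUTH_OK = re.compile(r"authentication for user \[(?P<user>[^\]]+)\].*succeeded")
MAP_FAIL = re.compile(r"SID (?P<sid>S-[\d-]+) -> getpwuid\((?P<uid>\d+)\) failed")
INVALID_UID = 0xFFFFFFFF  # (uid_t)-1 logged as unsigned 32-bit: 4294967295

def parse_records(text):
    """Yield (pid, timestamp, function, message); message lines are indented."""
    current = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if current:
                yield tuple(current)
            current = [int(m["pid"]), m["ts"], m["func"], ""]
        elif current and raw.startswith("  "):
            current[3] = (current[3] + " " + raw.strip()).strip()
    if current:
        yield tuple(current)

def find_unmapped_logins(text):
    """Report logins that passed authentication but whose SID mapped to uid -1."""
    last_user, findings = {}, []
    for pid, ts, func, msg in parse_records(text):
        ok = AUTH_OK.search(msg)
        if func == "auth_check_ntlm_password" and ok:
            last_user[pid] = ok["user"]  # remember who this smbd child authenticated
        fail = MAP_FAIL.search(msg)
        if fail and int(fail["uid"]) == INVALID_UID:
            findings.append({"pid": pid, "time": ts, "sid": fail["sid"],
                             "user": last_user.get(pid)})
    return findings

# Constructed sample in the same layout as the excerpt (user, SID and pids are made up).
SAMPLE_LOG = """\
[2017/02/08 10:00:00.000001,  2, pid=4001] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [alice] -> [alice] -> [alice] succeeded
[2017/02/08 10:00:00.000002,  1, pid=4001] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-1111111111-2222222222-3333333333-1001 -> getpwuid(4294967295) failed
[2017/02/08 10:00:05.000001,  2, pid=4002] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [bob] -> [bob] -> [bob] succeeded
"""

if __name__ == "__main__":
    for f in find_unmapped_logins(SAMPLE_LOG):
        print(f"{f['time']} pid={f['pid']} user={f['user']} SID={f['sid']}: mapped to uid -1")
```

Counting findings per user and per hour across a full smbd log shows whether the failure is limited to the first attempt after an idle period, as described in this report.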
