upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap
- Subject: upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap
- From: Miroslav Geisselreiter <mg@xxxxxxxx>
- Date: Fri, 21 Dec 2018 13:19:50 +0100
- Organization: INTAR a.s.
- User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.4
Originally I posted this question to the CentOS forum on 20.12.2018:
https://www.centos.org/forums/viewtopic.php?f=48&t=69193
Hi all,
I am not able to mount samba shares after upgrading CentOS 7.5 to 7.6. I
have been searching and trying to configure samba and winbind, but with no
success. I find a lot of manuals and help pages about setting up samba and
winbind for a machine acting as an AD DC member, but almost nothing about a
machine acting as an NT4-style DC member, and that is my case.
Samba version before upgrade: samba-4.7.1-9.el7_5.x86_64; after upgrade:
samba-4.8.3-4.el7.x86_64. I noticed that it is now necessary to use
winbind, which I did not use before the upgrade.
My network:
A machine with CentOS 6.9 is the PDC (NT4 style), configured with ldap and
kerberos, providing domain logon services to Windows and Samba clients
of an NT4-like domain. openldap-2.4.40-16.el6.x86_64,
krb5-server-1.10.3-65.el6.x86_64, samba-3.6.23-51.el6.x86_64.
A machine with CentOS 7.6 is a domain member offering network shares to
Windows clients. Before the upgrade my samba-4.7 ran only the smb and nmb
services and everything was fine. After the upgrade samba-4.8.3 runs the smb,
nmb and winbind services.
smb.conf:
workgroup = NT4DOMAIN
netbios name = NT4MEMBER
# wbinfo -m --verbose
Domain Name    DNS Domain     Trust Type    Transitive  In   Out
BUILTIN                       Local
NT4MEMBER                     Local
NT4DOMAIN      INTRANET.XX    Workstation   Yes         No   Yes

# wbinfo --own-domain
NT4DOMAIN
I discovered that winbind is not authenticating users with NT4DOMAIN but
only with NT4MEMBER. In this case NT4MEMBER users ARE NT4DOMAIN users
(there is only one user1 in the ldap database). It can be seen in the logs
below. I set debug level 3 for smbd and winbindd. Windows machines have
joined NT4DOMAIN but now cannot mount shares from NT4MEMBER. The Windows
mount command net use /user:NT4DOMAIN\user1 \\NT4MEMBER\share1 is equivalent
to the Linux command smbclient //NT4MEMBER/share1 -U NT4DOMAIN\\user1. From
the Linux machine I can mount the share with this command: smbclient
//NT4MEMBER/share1 -U NT4MEMBER\\user1, but from the Windows machine it is
not possible. Normally (before the upgrade) Windows users mapped shares from
a startup script with this command: net use \\NT4MEMBER\share1.
What is going wrong can be seen from logs:
# smbclient //NT4MEMBER/share1 -U NT4DOMAIN\\user1

smbd log:
check_ntlm_password: Checking password for unmapped user [NT4DOMAIN]\[user1]@[NT4MEMBER] with the new password interface
check_ntlm_password: mapped user is: [NT4DOMAIN]\[user1]@[NT4MEMBER]
check_ntlm_password: Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_NO_MEMORY, authoritative=1
Auth: [SMB2,(null)] user [NT4DOMAIN]\[user1] at [Wed, 19 Dec 2018 13:56:08.989053 CET] with [NTLMv2] status [NT_STATUS_NO_MEMORY] workstation [NT4MEMBER] remote host [ipv4:X.X.X.X:40488] mapped to [NT4DOMAIN]\[user1]. local host [ipv4:X.X.X.X:445]
log_no_json: JSON auth logs not available unless compiled with jansson
gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_MEMORY
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_MEMORY] || at ../source3/smbd/smb2_sesssetup.c:137
Server exit (NT_STATUS_END_OF_FILE)
Terminated

winbind log:
[ 9232]: request interface version (version = 30)
[ 9232]: request location of privileged pipe
[ 9232]: pam auth crap domain: [NT4DOMAIN] user: user1
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
[ 9228]: pam auth crap domain: NT4DOMAIN user: user1
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
ldb_wrap open of secrets.ldb
rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 0)
The connection to netlogon failed, retrying
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
ldb_wrap open of secrets.ldb
rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 1)
This is again a problem for this particular call, forcing the close of this connection
The connection to netlogon failed, retrying
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
ldb_wrap open of secrets.ldb
rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 2)
This is again a problem for this particular call, forcing the close of this connection
This is the third problem for this particular call, adding DC to the negative cache list: NT4DOMAIN (null)
The connection to netlogon failed, retrying
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
ldb_wrap open of secrets.ldb
rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 3)
This is again a problem for this particular call, forcing the close of this connection
This is the third problem for this particular call, adding DC to the negative cache list: NT4DOMAIN (null)
NTLM CRAP authentication for user [NT4DOMAIN]\[user1] returned NT_STATUS_NO_MEMORY

# smbclient //NT4MEMBER/share1 -U NT4MEMBER\\user1

smbd log:
check_ntlm_password: Checking password for unmapped user [NT4MEMBER]\[user1]@[NT4MEMBER] with the new password interface
check_ntlm_password: mapped user is: [NT4MEMBER]\[user1]@[NT4MEMBER]
init_sam_from_ldap: Entry found for user: user1
auth_check_ntlm_password: sam authentication for user [user1] succeeded
Auth: [SMB2,(null)] user [NT4MEMBER]\[user1] at [Wed, 19 Dec 2018 14:00:37.714900 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [NT4MEMBER] remote host [ipv4:X.X.X.X:40494] became [NT4MEMBER]\[user1] [S-1-5-21-x-x-x-21020]. local host [ipv4:X.X.X.X:445]
log_no_json: JSON auth logs not available unless compiled with jansson
check_ntlm_password: authentication for user [user1] -> [user1] -> [user1] succeeded
NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088215
init_group_from_ldap: Entry found for group: 544
init_group_from_ldap: Entry found for group: 100000
Adding homes service for user 'user1' using home directory: '/posta/user1'
adding home's share [user1] for user 'user1' at '/data/osobni/%S'
Allowed connection from X.X.X.X (X.X.X.X)
Connect path is '/tmp' for service [IPC$]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
NT4MEMBER (ipv4:X.X.X.X:40494) connect to service IPC$ initially as user user1 (uid=10010, gid=513) (pid 7874)
get_referred_path: |share1| in dfs path \NT4MEMBER\share1 is not a dfs root.
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
NT4MEMBER (ipv4:X.X.X.X:40494) closed connection to service IPC$
Allowed connection from X.X.X.X (X.X.X.X)
Connect path is '/samba1/664' for service [share1]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [recycle]
load_module_absolute_path: Module '/usr/lib64/samba/vfs/recycle.so' loaded
NT4MEMBER (ipv4:X.X.X.X:40494) connect to service share1 initially as user user1 (uid=10010, gid=513) (pid 7874)

winbind log:
[ 9238]: request interface version (version = 30)
[ 9238]: request location of privileged pipe
sids_to_xids
sam_sid_to_name
sam_sid_to_name
sam_sid_to_name
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
I can provide more details (config parameters etc.) later if necessary.
I have played with all the winbind parameters and idmap config parameters,
but with no success. Can anyone please help me to solve this problem?
Please find more logs below. wbinfo -i user1 (without a prepended domain)
should show NT4DOMAIN\user1, not NT4MEMBER\user1. The same should hold for
wbinfo -i NT4DOMAIN\\user1.
# wbinfo -i user1
NT4MEMBER\user1:*:10010:513::/posta/user1:/bin/false

winbindd log:
[ 9747]: request interface version (version = 30)
[ 9747]: request location of privileged pipe
getpwnam user1
sam_name_to_sid
name_to_sid: user1 for domain
init_sam_from_ldap: Entry found for user: user1
name_to_sid: user1 for domain
init_sam_from_ldap: Entry found for user: user1
sam_rids_to_names for NT4MEMBER
sam_sid_to_name

# wbinfo -i NT4MEMBER\\user1
NT4MEMBER\user1:*:10010:513::/posta/user1:/bin/false

winbindd log:
[ 9744]: request interface version (version = 30)
[ 9744]: request location of privileged pipe
getpwnam NT4MEMBER\user1
sam_name_to_sid
name_to_sid: NT4MEMBER\user1 for domain NT4MEMBER
init_sam_from_ldap: Entry found for user: user1
name_to_sid: NT4MEMBER\user1 for domain NT4MEMBER
init_sam_from_ldap: Entry found for user: user1
sam_rids_to_names for NT4MEMBER
sam_sid_to_name

# wbinfo -i NT4DOMAIN\\user1
Could not get info for user NT4DOMAIN\user1

winbindd log:
[ 9746]: request interface version (version = 30)
[ 9746]: request location of privileged pipe
getpwnam NT4DOMAIN\user1
sam_name_to_sid
name_to_sid: NT4DOMAIN\user1 for domain NT4DOMAIN
name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
name_to_sid: NT4DOMAIN\user1 for domain NT4DOMAIN
name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
wbinfo -u should list all users from NT4DOMAIN but lists nothing. wbinfo
-u --domain="NT4MEMBER" lists all users from ldap - they are
NT4DOMAIN users.
# wbinfo -u

winbindd log:
[ 9754]: request interface version (version = 30)
[ 9754]: request location of privileged pipe
[ 9754]: request interface version (version = 30)
[ 9754]: request misc info
[ 9754]: request netbios name
[ 9754]: request domain name
[ 9754]: domain_info [NT4DOMAIN]
list_users NT4DOMAIN
samr: sequence number

# wbinfo -u --domain="NT4MEMBER"
NT4MEMBER\dovecot
NT4MEMBER\root
NT4MEMBER\nobody
NT4MEMBER\user1

winbindd log:
[ 9756]: request interface version (version = 30)
[ 9756]: request location of privileged pipe
list_users NT4MEMBER
samr_query_user_list
smbldap_search_paged: base => [ou=Users,dc=intranet,dc=xx], filter => [(&(uid=*)(objectclass=sambaSamAccount))], scope => [2], pagesize => [1000]
smbldap_search_paged: search was successful
samr: sequence number
sam_rids_to_names for NT4MEMBER
Mirek
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
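The post's diagnosis rests on three kinds of evidence: the smbd "Auth:" audit lines (which domain a logon was attempted under and with what NT status), the winbindd "DC for domain X claimed it was a DC for domain Y" refusals, and the domain prefix that wbinfo -i puts on a resolved account. The script below is an added example, not code from the post or from the Samba project: it parses each of those forms with regular expressions and reports every place where the member server authenticated or resolved a user under a domain other than the one expected. The sample lines are constructed, modelled on the excerpts quoted above; the function names (parse_auth_line, parse_wbinfo_i, dc_mismatches, diagnose) and the exact "Auth:" field layout assumed by AUTH_RE are assumptions of this example, so check the regex against your own Samba version's audit lines before relying on it.

```python
"""Parse smbd 'Auth:' audit lines, winbindd DC-name refusals and wbinfo -i output,
and report where a domain member authenticates or resolves a user under the wrong
domain. Added example, not code from the post or from Samba."""
import re

# Constructed sample input, modelled on the smbd/winbindd excerpts in the post.
SMBD_LINES = [
    "Auth: [SMB2,(null)] user [NT4DOMAIN]\\[user1] at [Wed, 19 Dec 2018 13:56:08.989053 CET] "
    "with [NTLMv2] status [NT_STATUS_NO_MEMORY] workstation [NT4MEMBER] remote host "
    "[ipv4:X.X.X.X:40488] mapped to [NT4DOMAIN]\\[user1]. local host [ipv4:X.X.X.X:445]",
    "log_no_json: JSON auth logs not available unless compiled with jansson",
    "Auth: [SMB2,(null)] user [NT4MEMBER]\\[user1] at [Wed, 19 Dec 2018 14:00:37.714900 CET] "
    "with [NTLMv2] status [NT_STATUS_OK] workstation [NT4MEMBER] remote host "
    "[ipv4:X.X.X.X:40494] became [NT4MEMBER]\\[user1] [S-1-5-21-x-x-x-21020]. "
    "local host [ipv4:X.X.X.X:445]",
]
WINBINDD_LINES = [
    "[ 9232]: pam auth crap domain: [NT4DOMAIN] user: user1",
    "set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for "
    "domain NT4MEMBER, refusing to initialize",
    "rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON "
    "credentials: NT_STATUS_NO_MEMORY",
]
WBINFO_I_OUTPUT = "NT4MEMBER\\user1:*:10010:513::/posta/user1:/bin/false"

# Assumed field layout of one smbd "Auth:" line, as quoted in the post (Samba 4.8 text audit).
AUTH_RE = re.compile(
    r"Auth: \[(?P<transport>[^\]]*)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] with \[(?P<mech>[^\]]*)\] status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]"
)
# winbindd refusing a DC whose NetBIOS domain does not match the one it expected.
DC_MISMATCH_RE = re.compile(
    r"DC for domain (?P<expected>[^\s,]+) claimed it was a DC for domain "
    r"(?P<claimed>[^\s,]+), refusing to initialize"
)


def parse_auth_line(line):
    """Return the fields of an smbd 'Auth:' line as a dict, or None for any other line."""
    m = AUTH_RE.search(line)
    return m.groupdict() if m else None


def parse_wbinfo_i(line):
    """Parse one passwd-style 'wbinfo -i' line; domain is None if the name has no
    DOMAIN\\ prefix. Returns None if the line does not have the seven passwd fields."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        return None
    domain, _, user = fields[0].rpartition("\\")
    return {
        "domain": domain or None,
        "user": user,
        "uid": int(fields[2]),
        "gid": int(fields[3]),
        "home": fields[5],
        "shell": fields[6],
    }


def dc_mismatches(lines):
    """Yield (expected, claimed) domain pairs for every DC winbindd refused."""
    for line in lines:
        m = DC_MISMATCH_RE.search(line)
        if m:
            yield m.group("expected"), m.group("claimed")


def diagnose(smbd_lines, winbindd_lines, wbinfo_line, expected_domain):
    """Return human-readable findings for logons that should have been handled as
    members of expected_domain: failed auths, refused DCs, and wrong-domain lookups."""
    findings = []
    for ev in filter(None, map(parse_auth_line, smbd_lines)):
        if ev["domain"] == expected_domain and ev["status"] != "NT_STATUS_OK":
            findings.append(
                f"logon {ev['domain']}\\{ev['user']} via {ev['mech']} from "
                f"{ev['remote']} failed with {ev['status']}"
            )
    for expected, claimed in dc_mismatches(winbindd_lines):
        findings.append(
            f"winbindd refused the DC for {expected}: it identified itself as a DC for {claimed}"
        )
    acct = parse_wbinfo_i(wbinfo_line)
    if acct and acct["domain"] != expected_domain:
        findings.append(
            f"wbinfo resolved {acct['user']} (uid {acct['uid']}) under domain "
            f"{acct['domain']}, not {expected_domain}"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(SMBD_LINES, WINBINDD_LINES, WBINFO_I_OUTPUT, "NT4DOMAIN"):
        print("-", finding)
```

Run against the constructed sample with expected domain NT4DOMAIN it reports three findings: the NT_STATUS_NO_MEMORY logon, the refused DC whose NetBIOS name came back as NT4MEMBER, and the account resolved under NT4MEMBER; with expected domain NT4MEMBER only the refused-DC finding remains, which is the same asymmetry the wbinfo output in the post shows. On a real server feed it the output of grep 'Auth:' on log.smbd and the relevant log.winbindd lines rather than the embedded samples.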