On 1/2/19 12:09 PM, Miroslav Geisselreiter wrote:
> some parameters from smb.conf:
> [global]
>     workgroup = NT4DOMAIN
>     netbios name = nt4member
>     security = domain
>     passdb backend = ldapsam:"ldap://ldap1server.intranet.xx ldap://ldap2server.intranet.xx"
I'm not sure it makes sense to use "security = domain" with an ldap passdb backend. If you're using a real NT4 domain, then you shouldn't need a passdb backend at all. If you're not in an NT4 domain, then you should set "security = USER".
The man page for smb.conf notes "This mode will only work correctly if net(8) has been used to add this machine into a Windows NT Domain." Did you add this host to a Windows NT domain, using "net join ..."?
On 2.1.2019 at 21:54, Gordon Messmer wrote:
> On 1/2/19 12:09 PM, Miroslav Geisselreiter wrote:
>> some parameters from smb.conf:
>> [global]
>>     workgroup = NT4DOMAIN
>>     netbios name = nt4member
>>     security = domain
>>     passdb backend = ldapsam:"ldap://ldap1server.intranet.xx ldap://ldap2server.intranet.xx"
> I'm not sure it makes sense to use "security = domain" with an ldap passdb backend. If you're using a real NT4 domain, then you shouldn't need a passdb backend at all. If you're not in an NT4 domain, then you should set "security = USER".
> The man page for smb.conf notes "This mode will only work correctly if net(8) has been used to add this machine into a Windows NT Domain." Did you add this host to a Windows NT domain, using "net join ..."?
Yes, I added this host with the command:
    net rpc join MEMBER -S NT4LIKEDOMAINSERVER -U root
I tried to change "security = USER" but it did not help.
I have to say that before upgrading Samba from 4.7.1-9 to 4.8.3-4 I did not use and did not run the winbind daemon. But now it is necessary to run winbind according to the Samba documentation: https://www.samba.org/samba/history/samba-4.8.0.html
    Domain member setups require winbindd
    -------------------------------------
    Setups with "security = domain" or "security = ads" require a running 'winbindd' now. The fallback that smbd directly contacts domain controllers is gone.
Without winbind running, Samba 4.8 does not allow mounting SMB shares, so I have to run winbind.
On 1/3/19 6:09 AM, Miroslav Geisselreiter wrote:
> Yes, I added this host with the command:
>     net rpc join MEMBER -S NT4LIKEDOMAINSERVER -U root
I don't have any NT4-style domains handy to test with, so I can't be very specific. Your logs seem to indicate that Samba believes itself to be the best DC for the domain. See what you get from:
    net rpc info
    net rpc testjoin
If nothing seems relevant, try leaving the domain and re-joining.
On 4.1.2019 at 1:32, Gordon Messmer wrote:
> On 1/3/19 6:09 AM, Miroslav Geisselreiter wrote:
>> Yes, I added this host with the command:
>>     net rpc join MEMBER -S NT4LIKEDOMAINSERVER -U root
> I don't have any NT4-style domains handy to test with, so I can't be very specific. Your logs seem to indicate that Samba believes itself to be the best DC for the domain. See what you get from:
>     net rpc info
>     net rpc testjoin
> If nothing seems relevant, try leaving the domain and re-joining.
I had to change this in smb.conf:
    client ipc signing = no
Then:
    # net rpc info
    Enter root's password:
    Domain Name: NT4DOMAIN
    Domain SID: S-1-5-21-somesid
    Sequence number: somenumber
    Num users: xxx
    Num domain groups: xxx
    Num local groups: xxx
    # net rpc testjoin
    Join to 'NT4DOMAIN' is OK
Previously I deleted all files from /var/lib/samba, then set the LDAP admin password:
    smbpasswd -W
Then I re-joined the DC; it did not help.
FYI: I have an NT4-style domain configured on a CentOS 6 Linux server and here is part of the smb.conf of this DC - NT4LIKEDOMAINSERVER:
    [global]
        time server = yes
        workgroup = NT4DOMAIN
        server string = Samba Server Version %v
        netbios name = NT4LIKEDOMAINSERVER
        passdb backend = ldapsam:"ldap://ldap1server.intranet.xx ldap://ldap2server.intranet.xx"
        ldap ssl = start tls
        realm = INTRANET.XX
        kerberos method = system keytab
        ldap suffix = dc=intranet,dc=xx
        ldap admin dn = uid=ldapadmin,dc=intranet,dc=xx
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        domain master = yes
        domain logons = yes
        logon script = %U.bat
        logon path = ""
        wins support = yes
    [netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        guest ok = no
        writable = no
        browseable = no
        printable = no
Installed Samba on the DC:
    # rpm -q samba
    samba-3.6.23-51.el6.x86_64
and running smbd and nmbd
On 1/3/19 11:46 PM, Miroslav Geisselreiter wrote:
> Previously I deleted all files from /var/lib/samba, then set the LDAP admin password:
>     smbpasswd -W
> Then I re-joined the DC; it did not help.
Shame. I'm not really sure what else to try, beyond my previous suggestion that it doesn't make sense to be both a domain member and use an ldap passdb backend.
Try reverting the configuration file to the last known-good state. Leave the domain. Change "security = user". I'd expect that your system would work without any interactions with the DC.
On 5.1.2019 at 0:46, Gordon Messmer wrote:
> On 1/3/19 11:46 PM, Miroslav Geisselreiter wrote:
>> Previously I deleted all files from /var/lib/samba, then set the LDAP admin password:
>>     smbpasswd -W
>> Then I re-joined the DC; it did not help.
> Shame. I'm not really sure what else to try, beyond my previous suggestion that it doesn't make sense to be both a domain member and use an ldap passdb backend.
> Try reverting the configuration file to the last known-good state. Leave the domain. Change "security = user". I'd expect that your system would work without any interactions with the DC.
I found a solution which solves only part of my problem and is not very "clean".
When I run winbind with these options, clients which are members of my NT4DOMAIN are now able to mount SMB shares from the NT4MEMBER server:
    # winbindd -i -d 3 -S -n --option="netbios name"=NT4DOMAIN --option="ntlm auth"=yes
The option "netbios name"=NT4DOMAIN overwrites this option from smb.conf: "netbios name"=NT4MEMBER
Nevertheless I am not able to mount SMB shares from clients which are not members of NT4DOMAIN.
On 7.1.2019 at 12:36, Miroslav Geisselreiter wrote:
> On 5.1.2019 at 0:46, Gordon Messmer wrote:
>> On 1/3/19 11:46 PM, Miroslav Geisselreiter wrote:
>>> Previously I deleted all files from /var/lib/samba, then set the LDAP admin password:
>>>     smbpasswd -W
>>> Then I re-joined the DC; it did not help.
>> Shame. I'm not really sure what else to try, beyond my previous suggestion that it doesn't make sense to be both a domain member and use an ldap passdb backend.
>> Try reverting the configuration file to the last known-good state. Leave the domain. Change "security = user". I'd expect that your system would work without any interactions with the DC.
> I found a solution which solves only part of my problem and is not very "clean".
> When I run winbind with these options, clients which are members of my NT4DOMAIN are now able to mount SMB shares from the NT4MEMBER server:
>     # winbindd -i -d 3 -S -n --option="netbios name"=NT4DOMAIN --option="ntlm auth"=yes
> The option "netbios name"=NT4DOMAIN overwrites this option from smb.conf: "netbios name"=NT4MEMBER
> Nevertheless I am not able to mount SMB shares from clients which are not members of NT4DOMAIN.
SOLVED:
I had to change only two parameters in smb.conf:
    security = user
    ntlm auth = yes
Everything works now like before the upgrade and I do not even run the winbind daemon.
Thanks to all for help and hints.
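An added example, not part of the thread or of Samba: a small checker for the smb.conf settings changed above. It flags `ntlm auth = yes` (which smb.conf(5) documents as permitting NTLMv1 responses), `client ipc signing = no`, and `security = domain`/`ads` without winbindd, per the 4.8.0 release note quoted in the thread. The function names and the sample file are constructed for illustration.

```python
import re

# Constructed sample: member-server settings mentioned in the thread.
SAMPLE = """\
[global]
    workgroup = NT4DOMAIN
    netbios name = nt4member
    security = user
    ntlm auth = yes
    client ipc signing = no
"""

# Spellings Samba accepts for "signing off" on the signing parameters.
OFF = {"no", "false", "0", "off", "disabled"}

def parse_global(text):
    """Return {normalised_name: value} for the [global] section (hypothetical helper)."""
    params, section = {}, None
    # Join backslash-continued lines first, as smb.conf allows.
    for raw in re.sub(r"\\\n", "", text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names ignore case and whitespace.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(text, winbindd_running=False):
    """Return findings for the settings changed in the thread (hypothetical helper)."""
    p, findings = parse_global(text), []
    if p.get("ntlmauth", "").lower() in {"yes", "ntlmv1-permitted"}:
        findings.append("ntlm auth permits NTLMv1 responses")
    if p.get("clientipcsigning", "").lower() in OFF:
        findings.append("client ipc signing is disabled")
    sec = p.get("security", "").lower()
    if sec in {"domain", "ads"} and not winbindd_running:
        findings.append(f"security = {sec} requires a running winbindd (Samba 4.8+)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

On a live host, feeding it the output of `testparm -s` instead of the raw file also covers included files.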
https://www.rootusers.com/how-to-install-xfce-gui-in-centos-7-linux/
Hello, my RDP connection is closed immediately after login. I can see open terminals etc., so it is clear that the login is working. Does anyone have hints as to what is going wrong?
Ralf
[20200127-12:36:47] [INFO ] starting xrdp-sessvc - xpid=2161 - wmpid=2160
[20200127-12:41:02] [INFO ] shutting down sesman 1
[20200127-12:41:02] [WARN ] receiving SIGHUP 1
[20200127-12:41:02] [INFO ] ++ terminated session: username root, display :11.0, session_pid 2159, ip 192.168.245.103:50664 - socket: 12
[20200127-12:41:02] [INFO ] shutting down sesman 1
[20200127-12:41:02] [DEBUG] Closed socket 7 (AF_INET 127.0.0.1:3350)
[20200127-12:41:02] [CORE ] shutting down log subsystem...
[20200127-12:41:29] [DEBUG] libscp initialized
[20200127-12:41:29] [INFO ] starting xrdp-sesman with pid 1342
[20200127-12:41:29] [INFO ] listening to port 3350 on 127.0.0.1
[20200127-12:42:27] [INFO ] A connection received from 127.0.0.1 port 58114
[20200127-12:42:27] [INFO ] ++ created session (access granted): username root, ip 192.168.245.103:50796 - socket: 12
[20200127-12:42:27] [INFO ] starting Xvnc session...
[20200127-12:42:27] [DEBUG] Closed socket 9 (AF_INET 0.0.0.0:5911)
[20200127-12:42:27] [DEBUG] Closed socket 9 (AF_INET 0.0.0.0:6011)
[20200127-12:42:27] [DEBUG] Closed socket 9 (AF_INET 0.0.0.0:6211)
[20200127-12:42:27] [DEBUG] Closed socket 7 (AF_INET 127.0.0.1:3350)
[20200127-12:42:27] [DEBUG] Closed socket 8 (AF_INET 127.0.0.1:3350)
[20200127-12:42:27] [INFO ] Xvnc :11 -auth .Xauthority -geometry 1440x900 -depth 16 -rfbauth /root/.vnc/sesman_root_passwd:11 -bs -nolisten tcp -localhost -dpi 96
[20200127-12:42:28] [INFO ] starting xrdp-sessvc - xpid=2898 - wmpid=2897
xxx
[20200127-12:42:29] [DEBUG] xrdp_wm_log_msg: VNC receiving name
[20200127-12:42:29] [DEBUG] xrdp_wm_log_msg: VNC sending pixel format
[20200127-12:42:29] [DEBUG] xrdp_wm_log_msg: VNC sending encodings
[20200127-12:42:29] [DEBUG] xrdp_wm_log_msg: VNC sending framebuffer update request
[20200127-12:42:29] [DEBUG] xrdp_wm_log_msg: VNC sending cursor
[20200127-12:42:29] [DEBUG] xrdp_wm_log_msg: VNC connection complete, connected ok
[20200127-12:42:29] [INFO ] The following channel is allowed: rdpdr (0)
[20200127-12:42:29] [INFO ] The following channel is allowed: rdpsnd (1)
[20200127-12:42:29] [INFO ] The following channel is allowed: cliprdr (2)
[20200127-12:42:29] [INFO ] The following channel is allowed: drdynvc (3)
[20200127-12:42:29] [DEBUG] The allow channel list now initialized for this session
[20200127-12:42:29] [DEBUG] xrdp_wm_log_msg: connected ok
[20200127-12:42:29] [DEBUG] xrdp_mm_connect_chansrv: chansrv connect successful
[20200127-12:42:29] [DEBUG] Closed socket 18 (AF_INET 127.0.0.1:58114)
[20200127-12:42:29] [DEBUG] VNC got clip data
[20200127-12:42:29] [DEBUG] Closed socket 12 (AF_INET 192.168.242.3:3389)
[20200127-12:42:29] [DEBUG] xrdp_mm_module_cleanup
[20200127-12:42:29] [DEBUG] VNC mod_exit
[20200127-12:42:29] [DEBUG] Closed socket 19 (AF_INET 127.0.0.1:59920)
[20200127-12:42:29] [DEBUG] Closed socket 20 (AF_UNIX)
[20200127-12:42:29] [ERROR] Listening socket is in wrong state, terminating listener