[CentOS] upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap
Miroslav Geisselreiter
mg at intar.cz
Fri Dec 21 12:37:23 UTC 2018
I am sorry the logs are badly formatted; I am trying again and hope it will be
better. Otherwise look at the link below or tell me how to send logs correctly.
Mirek
21.12.2018 at 13:19 Miroslav Geisselreiter:
> Originally I posted this question at CentOS forum 20.12.2018.
> https://www.centos.org/forums/viewtopic.php?f=48&t=69193
>
> Hi all,
>
> I am not able to mount samba shares after upgrading CentOS 7.5 to 7.6.
> I have been searching and trying to configure samba and winbind but with no
> success. I found a lot of manuals and help pages about setting up samba
> and winbind for a machine acting as an AD DC member but almost nothing
> about a machine acting as an NT4-style DC member, and that is my case.
>
> Samba version before upgrade: samba-4.7.1-9.el7_5.x86_64, after
> upgrade: samba-4.8.3-4.el7.x86_64. I noticed that now it is necessary
> to use winbind, which I did not use before the upgrade.
>
> My network:
>
> The machine with CentOS 6.9 is the PDC (NT4 style), configured with ldap and
> kerberos, providing domain logon services to Windows and Samba clients
> of an NT4-like domain. openldap-2.4.40-16.el6.x86_64,
> krb5-server-1.10.3-65.el6.x86_64, samba-3.6.23-51.el6.x86_64.
>
> The machine with CentOS 7.6 is a domain member offering network shares to
> Windows clients. Before the upgrade my samba-4.7 ran only the smb and nmb
> services and everything was fine. After the upgrade samba-4.8.3 runs the smb,
> nmb and winbind services.
>
> smb.conf:
> workgroup = NT4DOMAIN
> netbios name = NT4MEMBER
>
> # wbinfo -m --verbose
> Domain Name     DNS Domain     Trust Type     Transitive   In   Out
> BUILTIN                        Local
> NT4MEMBER                      Local
> NT4DOMAIN       INTRANET.XX    Workstation    Yes          No   Yes
> # wbinfo --own-domain
> NT4DOMAIN
>
> I discovered that winbind is not authenticating users with NT4DOMAIN
> but only with NT4MEMBER. In this case NT4MEMBER users ARE NT4DOMAIN
> users (there is only one user1 in the ldap database). It can be seen in
> the logs below. I set debug level 3 for smbd and winbindd. Windows
> machines have joined NT4DOMAIN but now cannot mount shares from
> NT4MEMBER. The Windows mount command net use /user:NT4DOMAIN\user1
> \\NT4MEMBER\share1 is equal to the linux command smbclient
> //NT4MEMBER/share1 -U NT4DOMAIN\\user1. From a linux machine I can mount
> the share by this command: smbclient //NT4MEMBER/share1 -U
> NT4MEMBER\\user1, but from a windows machine it is not possible. Normally
> (before the upgrade) Windows users mapped shares from the startup script with
> this command: net use \\NT4MEMBER\share1.
>
> What is going wrong can be seen from the logs:
>
> # smbclient //NT4MEMBER/share1 -U NT4DOMAIN\\user1
>
> smbd log:
> check_ntlm_password: Checking password for unmapped user [NT4DOMAIN]\[user1]@[NT4MEMBER] with the new password interface
> check_ntlm_password: mapped user is: [NT4DOMAIN]\[user1]@[NT4MEMBER]
> check_ntlm_password: Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_NO_MEMORY, authoritative=1
> Auth: [SMB2,(null)] user [NT4DOMAIN]\[user1] at [Wed, 19 Dec 2018 13:56:08.989053 CET] with [NTLMv2] status [NT_STATUS_NO_MEMORY] workstation [NT4MEMBER] remote host [ipv4:X.X.X.X:40488] mapped to [NT4DOMAIN]\[user1]. local host [ipv4:X.X.X.X:445]
> log_no_json: JSON auth logs not available unless compiled with jansson
> gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_MEMORY
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_MEMORY] || at ../source3/smbd/smb2_sesssetup.c:137
> Server exit (NT_STATUS_END_OF_FILE)
> Terminated
>
> winbind log:
> [ 9232]: request interface version (version = 30)
> [ 9232]: request location of privileged pipe
> [ 9232]: pam auth crap domain: [NT4DOMAIN] user: user1
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> [ 9228]: pam auth crap domain: NT4DOMAIN user: user1
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> ldb_wrap open of secrets.ldb
> rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
> Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 0)
> The connection to netlogon failed, retrying
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> ldb_wrap open of secrets.ldb
> rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
> Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 1)
> This is again a problem for this particular call, forcing the close of this connection
> The connection to netlogon failed, retrying
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> ldb_wrap open of secrets.ldb
> rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
> Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 2)
> This is again a problem for this particular call, forcing the close of this connection
> This is the third problem for this particular call, adding DC to the negative cache list: NT4DOMAIN (null)
> The connection to netlogon failed, retrying
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> ldb_wrap open of secrets.ldb
> rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
> Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 3)
> This is again a problem for this particular call, forcing the close of this connection
> This is the third problem for this particular call, adding DC to the negative cache list: NT4DOMAIN (null)
> NTLM CRAP authentication for user [NT4DOMAIN]\[user1] returned NT_STATUS_NO_MEMORY
>
> # smbclient //NT4MEMBER/share1 -U NT4MEMBER\\user1
>
> smbd log:
> check_ntlm_password: Checking password for unmapped user [NT4MEMBER]\[user1]@[NT4MEMBER] with the new password interface
> check_ntlm_password: mapped user is: [NT4MEMBER]\[user1]@[NT4MEMBER]
> init_sam_from_ldap: Entry found for user: user1
> auth_check_ntlm_password: sam authentication for user [user1] succeeded
> Auth: [SMB2,(null)] user [NT4MEMBER]\[user1] at [Wed, 19 Dec 2018 14:00:37.714900 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [NT4MEMBER] remote host [ipv4:X.X.X.X:40494] became [NT4MEMBER]\[user1] [S-1-5-21-x-x-x-21020]. local host [ipv4:X.X.X.X:445]
> log_no_json: JSON auth logs not available unless compiled with jansson
> check_ntlm_password: authentication for user [user1] -> [user1] -> [user1] succeeded
> NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088215
> NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088215
> init_group_from_ldap: Entry found for group: 544
> init_group_from_ldap: Entry found for group: 100000
> Adding homes service for user 'user1' using home directory: '/posta/user1'
> adding home's share [user1] for user 'user1' at '/data/osobni/%S'
> Allowed connection from X.X.X.X (X.X.X.X)
> Connect path is '/tmp' for service [IPC$]
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> NT4MEMBER (ipv4:X.X.X.X:40494) connect to service IPC$ initially as user user1 (uid=10010, gid=513) (pid 7874)
> get_referred_path: |share1| in dfs path \NT4MEMBER\share1 is not a dfs root.
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
> NT4MEMBER (ipv4:X.X.X.X:40494) closed connection to service IPC$
> Allowed connection from X.X.X.X (X.X.X.X)
> Connect path is '/samba1/664' for service [share1]
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [recycle]
> load_module_absolute_path: Module '/usr/lib64/samba/vfs/recycle.so' loaded
> NT4MEMBER (ipv4:X.X.X.X:40494) connect to service share1 initially as user user1 (uid=10010, gid=513) (pid 7874)
>
> winbind log:
> [ 9238]: request interface version (version = 30)
> [ 9238]: request location of privileged pipe
> sids_to_xids
> sam_sid_to_name
> sam_sid_to_name
> sam_sid_to_name
> StartTLS issued: using a TLS connection
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> I can provide more details (config parameters etc.) later if
> necessary. I played with all the winbind parameters and idmap config
> parameters but with no success. Can anyone please help me to solve this
> problem?
>
> Please find more logs. wbinfo -i user1 (without prepending the domain)
> should show NT4DOMAIN\user1, not NT4MEMBER\user1. The same should hold
> for wbinfo -i NT4DOMAIN\\user1.
>
> # wbinfo -i user1
> NT4MEMBER\user1:*:10010:513::/posta/user1:/bin/false
>
> winbindd log:
> [ 9747]: request interface version (version = 30)
> [ 9747]: request location of privileged pipe
> getpwnam user1
> sam_name_to_sid
> name_to_sid: user1 for domain
> init_sam_from_ldap: Entry found for user: user1
> name_to_sid: user1 for domain
> init_sam_from_ldap: Entry found for user: user1
> sam_rids_to_names for NT4MEMBER
> sam_sid_to_name
>
> # wbinfo -i NT4MEMBER\\user1
> NT4MEMBER\user1:*:10010:513::/posta/user1:/bin/false
>
> winbindd log:
> [ 9744]: request interface version (version = 30)
> [ 9744]: request location of privileged pipe
> getpwnam NT4MEMBER\user1
> sam_name_to_sid
> name_to_sid: NT4MEMBER\user1 for domain NT4MEMBER
> init_sam_from_ldap: Entry found for user: user1
> name_to_sid: NT4MEMBER\user1 for domain NT4MEMBER
> init_sam_from_ldap: Entry found for user: user1
> sam_rids_to_names for NT4MEMBER
> sam_sid_to_name
>
> # wbinfo -i NT4DOMAIN\\user1
> Could not get info for user NT4DOMAIN\user1
>
> winbindd log:
> [ 9746]: request interface version (version = 30)
> [ 9746]: request location of privileged pipe
> getpwnam NT4DOMAIN\user1
> sam_name_to_sid
> name_to_sid: NT4DOMAIN\user1 for domain NT4DOMAIN
> name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
> name_to_sid: NT4DOMAIN\user1 for domain NT4DOMAIN
> name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
> wbinfo -u should list all users from NT4DOMAIN but lists nothing.
> wbinfo -u --domain="NT4MEMBER" lists all users which are from ldap -
> they are NT4DOMAIN users.
>
> # wbinfo -u
>
> winbindd log:
> [ 9754]: request interface version (version = 30)
> [ 9754]: request location of privileged pipe
> [ 9754]: request interface version (version = 30)
> [ 9754]: request misc info
> [ 9754]: request netbios name
> [ 9754]: request domain name
> [ 9754]: domain_info [NT4DOMAIN]
> list_users NT4DOMAIN
> samr: sequence number
>
> # wbinfo -u --domain="NT4MEMBER"
> NT4MEMBER\dovecot
> NT4MEMBER\root
> NT4MEMBER\nobody
> NT4MEMBER\user1
>
> winbindd log:
> [ 9756]: request interface version (version = 30)
> [ 9756]: request location of privileged pipe
> list_users NT4MEMBER
> samr_query_user_list
> smbldap_search_paged: base => [ou=Users,dc=intranet,dc=xx], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1000]
> smbldap_search_paged: search was successful
> samr: sequence number
> sam_rids_to_names for NT4MEMBER
> Mirek
>
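The two "Auth:" lines in the quoted smbd log are the per-session audit records Samba writes for every session setup, and across a day of traffic they are the quickest place to see which domain prefix is failing and from where. The following Python is an added example, not part of Mirek's post and not Samba's own tooling: it parses such lines (the sample is constructed, copied in shape from the two lines quoted above), counts outcomes by NT status, lists the failures, and flags accounts whose result depends on the domain prefix they authenticate with, which is exactly the symptom described in the post. The field and function names are my own choice.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: two "Auth:" audit lines copied in shape from the
# debug-level-3 smbd output quoted in the post, plus two neighbouring debug
# lines that a parser must skip. Same account, two domain prefixes, two results.
SAMPLE_LOG = r"""
check_ntlm_password: Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_NO_MEMORY, authoritative=1
Auth: [SMB2,(null)] user [NT4DOMAIN]\[user1] at [Wed, 19 Dec 2018 13:56:08.989053 CET] with [NTLMv2] status [NT_STATUS_NO_MEMORY] workstation [NT4MEMBER] remote host [ipv4:X.X.X.X:40488] mapped to [NT4DOMAIN]\[user1]. local host [ipv4:X.X.X.X:445]
log_no_json: JSON auth logs not available unless compiled with jansson
Auth: [SMB2,(null)] user [NT4MEMBER]\[user1] at [Wed, 19 Dec 2018 14:00:37.714900 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [NT4MEMBER] remote host [ipv4:X.X.X.X:40494] became [NT4MEMBER]\[user1] [S-1-5-21-x-x-x-21020]. local host [ipv4:X.X.X.X:445]
"""

# Bracketed fields of the text-format Auth line; the trailing "became [DOM]\[user] [SID]"
# part is only present on successful logons, so it is optional.
AUTH_RE = re.compile(
    r"^Auth: \[(?P<transport>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] "
    r"with \[(?P<method>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\]"
    r"(?: became \[(?P<became_domain>[^\]]*)\]\\\[(?P<became_user>[^\]]*)\] \[(?P<sid>[^\]]*)\])?"
)


@dataclass
class AuthEvent:
    domain: str
    user: str
    status: str
    method: str
    workstation: str
    remote: str
    when: str
    sid: Optional[str]  # only known when the logon succeeded

    @property
    def succeeded(self) -> bool:
        return self.status == "NT_STATUS_OK"


def parse_auth_lines(text: str) -> List[AuthEvent]:
    """Extract AuthEvent records from raw smbd log text; other debug lines are ignored."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        m = AUTH_RE.match(line.strip())
        if not m:
            continue
        events.append(AuthEvent(
            domain=m["domain"], user=m["user"], status=m["status"],
            method=m["method"], workstation=m["workstation"],
            remote=m["remote"], when=m["when"], sid=m["sid"],
        ))
    return events


def count_by_status(events: List[AuthEvent]) -> Dict[str, int]:
    """How many logons ended in each NT status (NT_STATUS_OK vs. the failure codes)."""
    return dict(Counter(e.status for e in events))


def failed_logons(events: List[AuthEvent]) -> List[AuthEvent]:
    """Every event that did not end in NT_STATUS_OK, in log order."""
    return [e for e in events if not e.succeeded]


def split_domain_outcomes(events: List[AuthEvent]) -> Dict[str, Dict[str, str]]:
    """Accounts whose outcome depends on the domain prefix they logged in with.

    Returns {user: {domain: status}} only for users seen under more than one
    domain with differing statuses. One entry here is the symptom from the post:
    the same account fails with the NT4DOMAIN prefix and succeeds with NT4MEMBER.
    """
    by_user: Dict[str, Dict[str, str]] = {}
    for e in events:
        by_user.setdefault(e.user, {})[e.domain] = e.status
    return {u: d for u, d in by_user.items()
            if len(d) > 1 and len(set(d.values())) > 1}


if __name__ == "__main__":
    evs = parse_auth_lines(SAMPLE_LOG)
    print("outcomes:", count_by_status(evs))
    for e in failed_logons(evs):
        print(f"FAILED {e.domain}\\{e.user} from {e.remote} via {e.method}: {e.status}")
    for user, outcomes in split_domain_outcomes(evs).items():
        print(f"prefix-dependent result for {user}: {outcomes}")
```

Run it against a real log with `parse_auth_lines(open("/var/log/samba/log.smbd").read())`; the regex only recognises the text-format Auth line shown in the post, so JSON audit output (the jansson build the log mentions is missing) would need a separate json.loads path.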