
I broke samba somehow

#1

I have an Ubuntu server set up that was working to auth users via AD on 16.04. I have since updated to 18.04 and somewhere along the way no one can authenticate to the share anymore.

testparm output:

Processing section "[X Drive]"
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        dns proxy = No
        domain master = No
        local master = No
        log file = /var/log/samba/log.%m
        map to guest = Bad User
        max log size = 1000
        obey pam restrictions = Yes
        pam password change = Yes
        panic action = /usr/share/samba/panic-action %d
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        passwd program = /usr/bin/passwd %u
        preferred master = No
        realm = MWSC.MODWHOLESALE.COM
        restrict anonymous = 2
        security = ADS
        server role = member server
        server string = %h server (Samba, Ubuntu)
        unix password sync = Yes
        usershare allow guests = Yes
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = MWSC
        idmap config example:range = 10000-9999
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr


[printers]
        browseable = No
        comment = All Printers
        create mask = 0700
        path = /var/spool/samba
        printable = Yes


[X Drive]
        access based share enum = Yes
        comment = Storage Drive
        create mask = 0755
        inherit permissions = Yes
        path = /storage
        read only = No
        valid users = "@MWSC\Domain Users"
        write list = "@MWSC\Domain Users"

wbinfo -u outputs a valid AD user list
wbinfo -g outputs a valid AD group list

I also have a Nextcloud server and users have no issue logging in with their Windows creds, so the server clearly can auth correctly; it's just Samba that doesn't seem to work.

When I do smbclient -L localhost -U [my AD user] I get:

tree connect failed: NT_STATUS_ACCESS_DENIED

If I fail to enter my password it gives me:

session setup failed: NT_STATUS_LOGON_FAILURE

So it seems that passwords are working and it's just a permissions issue on the share.

Permissions for the dir are drwxrwxrwx+ 1 root root 416 May 13 08:42 storage

I’m not sure where to go or what to do from here. Any ideas?

0 Likes

#2

If you temporarily make your share public do you still get the access_denied error?

0 Likes

#3

What do your winbind and Samba logs say?

0 Likes

#4

Making it public does allow the share to be accessed.

Not sure where the log for winbind would be.

Samba log for my machine:

[2019/05/11 19:32:12.509986,  1] ../source3/smbd/service.c:521(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2019/05/11 19:32:12.511566,  2] ../source3/smbd/service.c:338(create_connection_session_info)
  guest user (from session setup) not permitted to access this share (X Drive)

I checked /var/log/samba/cores/winbindd but it's empty. I'm assuming I have to enable some log level to make it do anything.

Actually I'm retarded, they are in the same dir as the Samba logs and I just didn't see them because of all the Samba logs:

[2019/05/13 06:25:07.089978,  2] ../source3/param/loadparm.c:321(max_open_files)
  rlimit_max: increasing rlimit_max (270) to minimum Windows limit (16384)
[2019/05/13 06:25:07.090782,  2] ../source3/lib/interface.c:345(add_interface)
  added interface eno1 ip=192.168.100.113 bcast=192.168.100.255 netmask=255.255.255.0
[2019/05/13 09:01:09.493875,  0] ../source3/winbindd/winbindd.c:243(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=1)
[2019/05/13 09:03:40.990097,  2] ../source3/param/loadparm.c:321(max_open_files)
  rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
[2019/05/13 09:03:40.990886,  2] ../source3/lib/interface.c:345(add_interface)
  added interface eno1 ip=192.168.100.113 bcast=192.168.100.255 netmask=255.255.255.0
[2019/05/13 09:03:40.991077,  2] ../source3/lib/interface.c:345(add_interface)
  added interface eno1 ip=192.168.100.113 bcast=192.168.100.255 netmask=255.255.255.0
[2019/05/13 09:03:41.568140,  0] ../source3/winbindd/winbindd_cache.c:4111(cache_traverse_validate_fn)
  cache_traverse_validate_fn: unknown cache entry
  key :
[2019/05/13 09:03:41.568337,  0] ../lib/util/util.c:515(dump_data)
  [0000] 4E 53 53 2F 50 57 49 4E   46 4F 2F 53 2D 31 2D 35   NSS/PWIN FO/S-1-5
  [0010] 2D 32 31 2D 33 34 32 32   38 33 30 33 33 37 2D 35   -21-3422 830337-5
  [0020] 35 35 39 31 33 32 39 39   2D 33 39 36 32 31 35 33   55913299 -3962153
  [0030] 37 31 37 2D 31 32 36 38                             717-1268
[2019/05/13 09:03:41.568497,  0] ../source3/winbindd/winbindd_cache.c:4113(cache_traverse_validate_fn)
  data :
[2019/05/13 09:03:41.568541,  0] ../lib/util/util.c:515(dump_data)
  [0000] 00 00 00 00 DE A0 17 00   0C 2B 1F 59 00 00 00 00   ........ .+.Y....
  [0010] 0B 2F 68 6F 6D 65 2F 25   44 2F 25 55 0A 2F 62 69   ./home/% D/%U./bi
  [0020] 6E 2F 66 61 6C 73 65 FF   FF FF FF FF               n/false. ....
[2019/05/13 09:03:41.573037,  1] ../source3/lib/tdb_validate.c:480(tdb_validate_and_backup)
  tdb '/var/lib/samba/winbindd_cache.tdb' is valid
[2019/05/13 09:03:42.205307,  1] ../source3/lib/tdb_validate.c:490(tdb_validate_and_backup)
  Created backup '/var/lib/samba/winbindd_cache.tdb.bak' of tdb '/var/lib/samba/winbindd_cache.tdb'
[2019/05/13 09:03:42.205957,  2] ../source3/winbindd/winbindd_util.c:283(add_trusted_domain_from_tdc)
  Added domain BUILTIN (null) S-1-5-32
[2019/05/13 09:03:42.206096,  2] ../source3/winbindd/winbindd_util.c:283(add_trusted_domain_from_tdc)
  Added domain UBUNTU (null) S-1-5-21-3674353586-497990819-3079028497
[2019/05/13 09:03:42.206179,  2] ../source3/winbindd/winbindd_util.c:283(add_trusted_domain_from_tdc)
  Added domain MWSC MWSC.MODWHOLESALE.COM S-1-5-21-3422830337-555913299-3962153717
[2019/05/13 09:03:42.252172,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'winbindd' finished starting up and ready to serve connections
[2019/05/13 10:15:53.125486,  2] ../source3/param/loadparm.c:321(max_open_files)
  rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
[2019/05/13 10:15:53.126290,  2] ../source3/lib/interface.c:345(add_interface)
  added interface eno1 ip=192.168.100.113 bcast=192.168.100.255 netmask=255.255.255.0
[2019/05/13 10:15:53.126485,  2] ../source3/lib/interface.c:345(add_interface)
  added interface eno1 ip=192.168.100.113 bcast=192.168.100.255 netmask=255.255.255.0
[2019/05/13 10:15:53.130433,  0] ../lib/util/pidfile.c:104(pidfile_create)
  ERROR: winbindd is already running. File /var/run/samba/winbindd.pid exists and process id 794 is running.
[2019/05/13 10:16:55.951032,  2] ../source3/param/loadparm.c:321(max_open_files)
  rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
[2019/05/13 10:16:55.951821,  2] ../source3/lib/interface.c:345(add_interface)
  added interface eno1 ip=192.168.100.113 bcast=192.168.100.255 netmask=255.255.255.0
[2019/05/13 10:16:55.952006,  2] ../source3/lib/interface.c:345(add_interface)
  added interface eno1 ip=192.168.100.113 bcast=192.168.100.255 netmask=255.255.255.0
[2019/05/13 10:16:55.955966,  0] ../lib/util/pidfile.c:104(pidfile_create)
  ERROR: winbindd is already running. File /var/run/samba/winbindd.pid exists and process id 794 is running.

0 Likes

#5

Is it supposed to be a guest login or is that a mistake?

I may be wrong about this but shouldn’t it have ACLs in addition to xattrs?

0 Likes

#6

I'm not sure why it's saying guest, I'm definitely using my AD creds.

Possibly, I'm not sure. I'm far from knowledgeable.

0 Likes

#7

Leaving everything in smb.conf alone but commenting out the valid users line seems to allow the share to be browsed.

Permissions on files in Windows show some funky stuff, so I'm guessing that it's pretending to be joined to the domain and is failing somehow.

0 Likes

#8

@SesameStreetThug what if I ran through a tutorial for getting this set up but do dpkg-reconfigure instead of apt install? You think that would get it going again?

0 Likes

#9

You could do that, or try doing a setup in a VM or on another machine and see if it sets ACLs on the share folder. Is Samba just set up for a file share or is it a full AD DC?

0 Likes

#10

I think it's supposed to be set up as a member server. Nextcloud is set up with a user in Active Directory, so that's probably why it works but Samba doesn't.

0 Likes

#11

Did you fix the testparm ERROR?

idmap config example:range = 10000-9999 should probably be idmap config * : range = 10000-99999

Your Windows permissions are probably because the Windows user mapping to POSIX isn't working right. There were some changes to Samba detailed in https://lists.fedorahosted.org/archives/list/[email protected]/thread/ACEUWJTGJUWUUD32EBN2I7PXIVZD3PTM/ and https://lists.fedorahosted.org/archives/list/[email protected]/thread/3OYJXJBNNXZWGJ2RENTSOQKUPE2TEV2Q/, and although not completely applicable, because it doesn't look like you've been using SSSD for system authentication, they may provide you with further direction.

I'd probably see if it really is domain joined like you said; see if users can log in to the server using domain credentials.

0 Likes
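To make the testparm complaint from post #1 and the correction suggested above concrete, here is an added Python check (not from the thread) that parses the idmap config lines of a [global] section and reports the conditions testparm flags, plus overlapping ranges; the two excerpts are the poster's broken lines and the suggested fix.

```python
import re
from typing import Dict, List, Tuple

# [global] excerpt as it appeared in the testparm output in post #1 (broken).
BROKEN_GLOBAL = """
        security = ADS
        workgroup = MWSC
        idmap config example:range = 10000-9999
        idmap config * : backend = tdb
"""
# Same excerpt with the correction suggested in post #11 (constructed here).
FIXED_GLOBAL = """
        security = ADS
        workgroup = MWSC
        idmap config * : backend = tdb
        idmap config * : range = 10000-99999
"""
# Matches 'idmap config DOMAIN : option = value'; the colon may or may not be padded with spaces.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(?P<domain>\S+?)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)\s*$", re.I)

def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Group idmap options by domain name (upper-cased, since Samba is case-insensitive here)."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        if m := IDMAP_RE.match(line):
            domains.setdefault(m["domain"].upper(), {})[m["opt"].lower()] = m["val"]
    return domains

def check_idmap(conf: str) -> List[str]:
    """Return the idmap problems testparm reports (missing or inverted ranges) plus overlaps."""
    domains = parse_idmap(conf)
    problems: List[str] = []
    if "*" not in domains:
        problems.append("no idmap config for the default domain '*'")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in domains.items():
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m:
            problems.append(f"idmap range not specified or unparseable for domain '{dom}'")
        elif int(m[1]) >= int(m[2]):  # the poster's 10000-9999 fails exactly here
            problems.append(f"invalid idmap range for domain '{dom}': {m[0]}")
        else:
            ranges[dom] = (int(m[1]), int(m[2]))
    # Ranges of different domains must not overlap, or SID-to-UID mappings collide.
    ordered = sorted(ranges, key=ranges.get)
    for a, b in zip(ordered, ordered[1:]):
        if ranges[a][1] >= ranges[b][0]:
            problems.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return problems
```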

#12

That is correct, I'm using winbind; I'm not sure exactly why I chose that over SSSD.

I did just now correct the idmap error

I could delete the machine on the 2012 server and attempt to rejoin the domain.

0 Likes

#13

Winbind is the default as far as I’m aware

0 Likes

#14

OK so I think I got somewhere: I was able to delete and rejoin the domain successfully. When I try to list the servers using net server name I get bad SMB2 signature for message, which is interesting because I have enforced SMBv1 on the server.

Perhaps I need to configure Samba to use SMBv1 because it's not?

0 Likes

#15

Can't set Samba to do SMB1 in the config.

kinit can't find the KDC for my realm either, so… someone just take me out back and end my suffering.

0 Likes

#16

You'll probably have to see if your Kerberos configuration is set up correctly, but if your Samba server wasn't ever set up to authenticate that way then it's probably all been password based or NTLM authentication.

I used realm tools to join the domain as they did a lot of the autoconfiguration. You can use realm with winbind by specifying the ID map provider as winbind, which is appropriate if you are going to do more than just Kerberos authentication.

realm join --client-software=winbind domain_name

I mostly used guides for setting up a Samba server on CentOS, but Ubuntu has the same tools as well.

0 Likes

#17

Unless Kerberos changed I can't see why my config would suddenly be bad:

[libdefaults]
  ticket_lifetime = 24h
  default_realm = MWSC.MODWHOLESALE.COM
  forwardable = true

[realms]
  MWSC.MODWHOLESALE.COM = {
    kdc = 192.168.100.1
    default_domain = MWSC.MODWHOLESALE.COM
  }

[domain_realm]
  .mwsc.modwholesale.com = MWSC.MODWHOLESALE.COM
  mwsc.modwholesale.com = MWSC.MODWHOLESALE.COM

[kdc]
  profile = /etc/krb5kdc/kdc.conf

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

[logging]
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/krb5lib.log

I'm already joined to the domain and realm seems to agree:

[email protected]:/etc/samba# realm join --client-software=winbind MWSC.MODWHOLESALE.COM
realm: Already joined to this domain

0 Likes

#18

I don't have any additional suggestions at this point. I would probably increase the log level in Samba and see if you can derive anything from that; if not, you might just have to build a test server/VM and see if you can get Samba authentication and share permissions working properly.

log level = 3 passdb:5 auth:5

1 Like

#19

So looking into the logs there shows:

[2019/05/13 15:48:14.201915,  3] ../source3/auth/auth_util.c:1249(check_account)
  Failed to find authenticated user MWSC\[AD USER] via getpwnam(), denying access.
[2019/05/13 15:48:14.202334,  5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [[AD USER]] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2019/05/13 15:48:14.202427,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [[AD USER]] -> [[AD USER]] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2019/05/13 15:48:14.202481,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MWSC]\[[AD USER]] at [Mon, 13 May 2019 15:48:14.202461 CDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [CSADESKTOP4] remote host [ipv4:192.168.100.136:7816] mapped to [MWSC]\[[AD USER]]. local host [ipv4$
[2019/05/13 15:48:14.202632,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-05-13T15:48:14.202542-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.100.113:445", "r$
[2019/05/13 15:48:14.202678,  3] ../source3/auth/auth_util.c:1626(do_map_to_guest_server_info)
  No such user [AD USER] [MWSC] - using guest account

So it would appear that it's not finding the account even though I can see them with wbinfo -u.

Googling more says to check getent passwd, which shows only the local accounts.

It's another direction to look for now.

0 Likes
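An added Python example (not the poster's tooling) that correlates the three kinds of log line shown above into one record per logon attempt, so a getpwnam() failure followed by NT_STATUS_NO_SUCH_USER and the fallback to guest can be told apart from a plain bad password; the log sample is constructed in that format with placeholder user, workstation and addresses.

```python
import re
from typing import Dict, List

# Constructed sample in the format of the smbd log at 'log level = 3 passdb:5 auth:5' (post #19);
# 'aduser', 'WS1' and the addresses are placeholders, not the poster's values.
SAMPLE_LOG = r"""
[2019/05/13 15:48:14.201915,  3] ../source3/auth/auth_util.c:1249(check_account)
  Failed to find authenticated user MWSC\aduser via getpwnam(), denying access.
[2019/05/13 15:48:14.202481,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MWSC]\[aduser] at [Mon, 13 May 2019 15:48:14.202461 CDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [WS1] remote host [ipv4:192.168.100.136:7816] mapped to [MWSC]\[aduser]. local host [ipv4:192.168.100.113:445]
[2019/05/13 15:48:14.202678,  3] ../source3/auth/auth_util.c:1626(do_map_to_guest_server_info)
  No such user aduser [MWSC] - using guest account
[2019/05/13 15:50:02.000001,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MWSC]\[aduser] at [Mon, 13 May 2019 15:50:02.000000 CDT] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [WS1] remote host [ipv4:192.168.100.136:7820] mapped to [MWSC]\[aduser]. local host [ipv4:192.168.100.113:445]
"""
AUTH_RE = re.compile(
    r"Auth: \[(?P<proto>[^\]]*)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] .*?"
    r"with \[(?P<method>[^\]]*)\] status \[(?P<status>NT_STATUS_\w+)\] "
    r"workstation \[(?P<ws>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]")
GETPWNAM_RE = re.compile(r"Failed to find authenticated user (?P<acct>\S+) via getpwnam\(\)")
GUEST_RE = re.compile(r"No such user (?P<user>\S+) \[(?P<domain>\S+)\] - using guest account")
# Usual meaning of each status on an AD member server, following the thread's diagnosis.
HINTS = {
    "NT_STATUS_NO_SUCH_USER": "DC accepted the password but getpwnam() cannot resolve the account: "
                              "compare 'wbinfo -u' with 'getent passwd' and check winbind in nsswitch.conf",
    "NT_STATUS_LOGON_FAILURE": "wrong password or the DC rejected the logon; not an idmap/NSS problem",
}

def analyse_auth_log(text: str) -> List[Dict[str, object]]:
    """One record per Auth event, joined with the getpwnam failure before it and the guest fallback after it."""
    events: List[Dict[str, object]] = []
    pending_getpwnam = set()  # accounts whose NSS lookup failed, awaiting their Auth line
    for line in text.splitlines():
        if m := GETPWNAM_RE.search(line):
            pending_getpwnam.add(m["acct"].split("\\")[-1].lower())
        elif m := AUTH_RE.search(line):
            user = m["user"].lower()
            events.append({"user": user, "domain": m["domain"], "method": m["method"],
                           "status": m["status"], "remote": m["remote"], "workstation": m["ws"],
                           "getpwnam_failed": user in pending_getpwnam, "guest_fallback": False,
                           "hint": HINTS.get(m["status"], "unclassified; read the full auth:5 trace")})
            pending_getpwnam.discard(user)
        elif m := GUEST_RE.search(line):
            # With 'map to guest = Bad User' Samba downgrades an unresolvable user to guest.
            for ev in reversed(events):
                if ev["user"] == m["user"].lower():
                    ev["guest_fallback"] = True
                    break
    return events

def guest_mapped_users(events: List[Dict[str, object]]) -> List[str]:
    """Domain users silently downgraded to guest, the case that produced the share's ACCESS_DENIED."""
    return sorted({f'{e["domain"]}\\{e["user"]}' for e in events if e["guest_fallback"]})
```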

#20

It looks like all modern tutorials for this use SSSD instead of winbind; perhaps I should just switch over to that.

https://help.ubuntu.com/lts/serverguide/sssd-ad.html.en

1 Like