upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap

gizi
Posts: 9
Joined: 2018/12/20 07:40:29

upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap

Post by gizi » 2018/12/20 10:25:48

Hi all,

I am not able to mount samba shares after upgrading CentOS 7.5 to 7.6. I have been searching and trying to configure samba and winbind but with no success. I find a lot of manuals and help pages about setting up samba and winbind for a machine acting as an AD DC member but almost nothing about a machine acting as an NT4-style DC member, and that is my case.

Samba version before upgrade: samba-4.7.1-9.el7_5.x86_64, after upgrade: samba-4.8.3-4.el7.x86_64. I noticed that now it is necessary to use winbind which I did not use before upgrade.

My network:

Machine with CentOS 6.9 is PDC (NT4 style) configured with ldap and kerberos, providing domain logon services to Windows and Samba clients of an NT4-like domain. openldap-2.4.40-16.el6.x86_64, krb5-server-1.10.3-65.el6.x86_64, samba-3.6.23-51.el6.x86_64.

Machine with CentOS 7.6 is a domain member offering network shares to Windows clients. Before the upgrade my samba-4.7 ran only the smb and nmb services and everything was fine. After the upgrade samba-4.8.3 runs the smb, nmb and winbind services.
smb.conf:
workgroup = NT4DOMAIN
netbios name = NT4MEMBER


# wbinfo -m --verbose
Domain Name     DNS Domain                                                       Trust Type  Transitive  In   Out
BUILTIN                                                                          Local
NT4MEMBER                                                                        Local
NT4DOMAIN       INTRANET.XX                                                      Workstation Yes         No   Yes

# wbinfo --own-domain
NT4DOMAIN

I discovered that winbind is not authenticating users with NT4DOMAIN but only with NT4MEMBER. In this case NT4MEMBER users ARE NT4DOMAIN users (there is only one user1 in the ldap database). It can be seen in the logs below. I set debug level 3 for smbd and winbindd. Windows machines have joined NT4DOMAIN but now cannot mount shares from NT4MEMBER. The Windows mount command net use /user:NT4DOMAIN\user1 \\NT4MEMBER\share1 is equal to the linux command smbclient //NT4MEMBER/share1 -U NT4DOMAIN\\user1. From a linux machine I can mount the share by this command: smbclient //NT4MEMBER/share1 -U NT4MEMBER\\user1 but from a Windows machine it is not possible. Normally (before the upgrade) Windows users mapped shares from a startup script with this command: net use \\NT4MEMBER\share1.

What is going wrong can be seen from logs:


# smbclient //NT4MEMBER/share1 -U NT4DOMAIN\\user1

smbd log:
check_ntlm_password:  Checking password for unmapped user [NT4DOMAIN]\[user1]@[NT4MEMBER] with the new password interface
check_ntlm_password:  mapped user is: [NT4DOMAIN]\[user1]@[NT4MEMBER]
check_ntlm_password:  Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_NO_MEMORY, authoritative=1
Auth: [SMB2,(null)] user [NT4DOMAIN]\[user1] at [Wed, 19 Dec 2018 13:56:08.989053 CET] with [NTLMv2] status [NT_STATUS_NO_MEMORY] workstation [NT4MEMBER] remote host [ipv4:X.X.X.X:40488] mapped to [NT4DOMAIN]\[user1]. local host [ipv4:X.X.X.X:445]
log_no_json: JSON auth logs not available unless compiled with jansson
gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_MEMORY
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_MEMORY] || at ../source3/smbd/smb2_sesssetup.c:137
Server exit (NT_STATUS_END_OF_FILE)
Terminated

winbind log:
[ 9232]: request interface version (version = 30)
[ 9232]: request location of privileged pipe
[ 9232]: pam auth crap domain: [NT4DOMAIN] user: user1
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
[ 9228]: pam auth crap domain: NT4DOMAIN user: user1
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
ldb_wrap open of secrets.ldb
rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 0)
The connection to netlogon failed, retrying
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
ldb_wrap open of secrets.ldb
rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 1)
This is again a problem for this particular call, forcing the close of this connection
The connection to netlogon failed, retrying
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
ldb_wrap open of secrets.ldb
rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 2)
This is again a problem for this particular call, forcing the close of this connection
This is the third problem for this particular call, adding DC to the negative cache list: NT4DOMAIN (null)
The connection to netlogon failed, retrying
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
ldb_wrap open of secrets.ldb
rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 3)
This is again a problem for this particular call, forcing the close of this connection
This is the third problem for this particular call, adding DC to the negative cache list: NT4DOMAIN (null)
NTLM CRAP authentication for user [NT4DOMAIN]\[user1] returned NT_STATUS_NO_MEMORY


# smbclient //NT4MEMBER/share1 -U NT4MEMBER\\user1

smbd log:
check_ntlm_password:  Checking password for unmapped user [NT4MEMBER]\[user1]@[NT4MEMBER] with the new password interface
check_ntlm_password:  mapped user is: [NT4MEMBER]\[user1]@[NT4MEMBER]
init_sam_from_ldap: Entry found for user: user1
auth_check_ntlm_password: sam authentication for user [user1] succeeded
Auth: [SMB2,(null)] user [NT4MEMBER]\[user1] at [Wed, 19 Dec 2018 14:00:37.714900 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [NT4MEMBER] remote host [ipv4:X.X.X.X:40494] became [NT4MEMBER]\[user1] [S-1-5-21-x-x-x-21020]. local host [ipv4:X.X.X.X:445]
log_no_json: JSON auth logs not available unless compiled with jansson
check_ntlm_password:  authentication for user [user1] -> [user1] -> [user1] succeeded
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
init_group_from_ldap: Entry found for group: 544
init_group_from_ldap: Entry found for group: 100000
Adding homes service for user 'user1' using home directory: '/posta/user1'
adding home's share [user1] for user 'user1' at '/data/osobni/%S'
Allowed connection from X.X.X.X (X.X.X.X)
Connect path is '/tmp' for service [IPC$]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
NT4MEMBER (ipv4:X.X.X.X:40494) connect to service IPC$ initially as user user1 (uid=10010, gid=513) (pid 7874)
get_referred_path: |share1| in dfs path \NT4MEMBER\share1 is not a dfs root.
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
NT4MEMBER (ipv4:X.X.X.X:40494) closed connection to service IPC$
Allowed connection from X.X.X.X (X.X.X.X)
Connect path is '/samba1/664' for service [share1]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [recycle]
load_module_absolute_path: Module '/usr/lib64/samba/vfs/recycle.so' loaded
NT4MEMBER (ipv4:X.X.X.X:40494) connect to service share1 initially as user user1 (uid=10010, gid=513) (pid 7874)

winbind log:
[ 9238]: request interface version (version = 30)
[ 9238]: request location of privileged pipe
sids_to_xids
sam_sid_to_name
sam_sid_to_name
sam_sid_to_name
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server

I can provide more details (config parameters etc.) later if necessary. I played with all winbind parameters and idmap config parameters but with no success. Can anyone please help me to solve this problem?
Mirek

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap

Post by TrevorH » 2018/12/20 11:55:40

The RHEL 7.6 release notes say it is now necessary to install/configure and run winbindd for some methods of authentication to work now.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

gizi
Posts: 9
Joined: 2018/12/20 07:40:29

Re: upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap

Post by gizi » 2018/12/20 12:11:25

Thanks TrevorH for your reply. I mentioned that I use winbindd now. I tried a lot of configuration options but without success. The result is always almost the same as the logs show. I spent a lot of time testing and searching the internet. I believe there must be some people using a similar configuration and having similar problems. Hope somebody will help.
Mirek

gizi
Posts: 9
Joined: 2018/12/20 07:40:29

Re: upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap

Post by gizi » 2018/12/20 14:51:13

Please find more logs. wbinfo -i user1 (without prepending the domain) should show NT4DOMAIN\user1, not NT4MEMBER\user1. The same should hold for wbinfo -i NT4DOMAIN\\user1.


# wbinfo -i user1
NT4MEMBER\user1:*:10010:513::/posta/user1:/bin/false

winbindd log:
[ 9747]: request interface version (version = 30)
[ 9747]: request location of privileged pipe
getpwnam user1
sam_name_to_sid
name_to_sid: user1 for domain
init_sam_from_ldap: Entry found for user: user1
name_to_sid: user1 for domain
init_sam_from_ldap: Entry found for user: user1
sam_rids_to_names for NT4MEMBER
sam_sid_to_name


# wbinfo -i NT4MEMBER\\user1
NT4MEMBER\user1:*:10010:513::/posta/user1:/bin/false

winbindd log:
[ 9744]: request interface version (version = 30)
[ 9744]: request location of privileged pipe
getpwnam NT4MEMBER\user1
sam_name_to_sid
name_to_sid: NT4MEMBER\user1 for domain NT4MEMBER
init_sam_from_ldap: Entry found for user: user1
name_to_sid: NT4MEMBER\user1 for domain NT4MEMBER
init_sam_from_ldap: Entry found for user: user1
sam_rids_to_names for NT4MEMBER
sam_sid_to_name


# wbinfo -i NT4DOMAIN\\user1
Could not get info for user NT4DOMAIN\user1

winbindd log:
[ 9746]: request interface version (version = 30)
[ 9746]: request location of privileged pipe
getpwnam NT4DOMAIN\user1
sam_name_to_sid
name_to_sid: NT4DOMAIN\user1 for domain NT4DOMAIN
name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
name_to_sid: NT4DOMAIN\user1 for domain NT4DOMAIN
name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED

wbinfo -u should list all users from NT4DOMAIN but lists nothing. wbinfo -u --domain="NT4MEMBER" lists all users which are from ldap - they are NT4DOMAIN users.


# wbinfo -u

winbindd log:
[ 9754]: request interface version (version = 30)
[ 9754]: request location of privileged pipe
[ 9754]: request interface version (version = 30)
[ 9754]: request misc info
[ 9754]: request netbios name
[ 9754]: request domain name
[ 9754]: domain_info [NT4DOMAIN]
list_users NT4DOMAIN
samr: sequence number


# wbinfo -u --domain="NT4MEMBER"
NT4MEMBER\dovecot
NT4MEMBER\root
NT4MEMBER\nobody
NT4MEMBER\user1

winbindd log:
[ 9756]: request interface version (version = 30)
[ 9756]: request location of privileged pipe
list_users NT4MEMBER
samr_query_user_list
smbldap_search_paged: base => [ou=Users,dc=intranet,dc=xx], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1000]
smbldap_search_paged: search was successful
samr: sequence number
sam_rids_to_names for NT4MEMBER
Mirek

gizi
Posts: 9
Joined: 2018/12/20 07:40:29

Re: upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap

Post by gizi » 2018/12/21 12:23:34

I spent some more time playing with ldap parameters with no success. I posted this question to CentOS mailing list CentOS@centos.org hoping somebody will help.
Mirek

gizi
Posts: 9
Joined: 2018/12/20 07:40:29

Re: upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap

Post by gizi » 2018/12/28 06:44:29

Till now nobody has responded to this question. Guys, can anybody help? Or do you think it is a bug - if so, should I report it to samba.org or somewhere else?
Mirek

Arie
Posts: 12
Joined: 2019/01/04 07:47:22

Re: upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap

Post by Arie » 2019/01/04 07:50:46

Hi There,

Had a similar situation with samba too; solved it in the following manner in /etc/fstab, hope this gives a hint:

//<ip>/SAN01 /mnt/san cifs user=xxxx,pass=xxxx,noserverino,nounix,ro,sec=ntlm 0 0 (Centos 7.5)
//<ip>/SAN01 /mnt/san cifs user=xxxx,pass=xxxx,noserverino,nounix,ro,sec=ntlm,vers=1.0 0 0 (Centos 7.6)
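The two fstab lines above differ only in the forced dialect, and that difference matters beyond "it mounts again". The following is an added example (not code from this thread or from Samba) that parses cifs entries in fstab format and flags the options that weaken a mount: vers=1.0 (SMB1), sec=ntlm (NTLMv1 hashing) and a password written into fstab instead of a credentials= file. The sample lines, the 192.0.2.x address standing in for <ip> and the /root/.smbcred path are constructed for the example.

```python
"""Audit cifs entries in /etc/fstab for weakened SMB settings.

Added example, not code from the thread. It parses fstab-style lines and
flags options that weaken the mount: forcing the SMB1 dialect (vers=1.0),
selecting NTLMv1 password hashing (sec=ntlm), and embedding the password
in fstab (pass=/password=) instead of a root-only credentials= file.
"""
from typing import Dict, List

# Constructed sample modelled on the two lines in the post above; the
# documentation address 192.0.2.10 stands in for the real <ip>.
SAMPLE_FSTAB = """\
# <device>          <mountpoint> <type> <options>                                                   <dump> <pass>
UUID=1234-5678      /            xfs    defaults                                                    0 0
//192.0.2.10/SAN01  /mnt/san     cifs   user=xxxx,pass=xxxx,noserverino,nounix,ro,sec=ntlm          0 0
//192.0.2.10/SAN01  /mnt/san     cifs   user=xxxx,pass=xxxx,noserverino,nounix,ro,sec=ntlm,vers=1.0 0 0
//192.0.2.10/SAN02  /mnt/san2    cifs   credentials=/root/.smbcred,sec=ntlmssp,vers=3.0             0 0
"""


def parse_options(option_field: str) -> Dict[str, str]:
    """Split 'a=b,c,d=e' into {'a': 'b', 'c': '', 'd': 'e'}."""
    options: Dict[str, str] = {}
    for item in option_field.split(","):
        if item:
            key, _, value = item.partition("=")
            options[key] = value
    return options


def parse_fstab_cifs(text: str) -> List[Dict]:
    """Return the cifs entries of an fstab as dicts (share, mountpoint, options)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] != "cifs":
            continue
        entries.append({"share": fields[0], "mountpoint": fields[1],
                        "options": parse_options(fields[3])})
    return entries


def audit_entry(entry: Dict) -> List[str]:
    """Findings for one cifs entry; an empty list means nothing to flag."""
    opts = entry["options"]
    findings = []
    if opts.get("vers") == "1.0":
        findings.append("SMB1 forced (vers=1.0): the SMB1 dialect is deprecated and "
                        "lacks the encryption and pre-authentication integrity of SMB3")
    if opts.get("sec") == "ntlm":
        findings.append("sec=ntlm uses NTLMv1 password hashing; prefer sec=ntlmssp "
                        "(NTLMv2) or sec=krb5")
    if "pass" in opts or "password" in opts:
        findings.append("password embedded in fstab (world-readable); move it to a "
                        "mode-0600 file referenced by credentials=")
    if "vers" not in opts:
        findings.append("no vers= given; the dialect then depends on the kernel "
                        "client's default, which has changed across kernel versions")
    return findings


def audit_fstab(text: str) -> List[Dict]:
    """Audit every cifs entry and attach its findings."""
    return [{"share": e["share"], "mountpoint": e["mountpoint"],
             "findings": audit_entry(e)} for e in parse_fstab_cifs(text)]


if __name__ == "__main__":
    for result in audit_fstab(SAMPLE_FSTAB):
        print(f"{result['share']} on {result['mountpoint']}:")
        for finding in result["findings"] or ["no findings"]:
            print(f"  - {finding}")
```

Run it against the real file with `audit_fstab(open("/etc/fstab").read())`; the third sample line shows the shape that produces no findings (explicit SMB3 dialect, NTLMv2 via ntlmssp, credentials in a separate file).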

gizi
Posts: 9
Joined: 2018/12/20 07:40:29

Re: upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap

Post by gizi » 2019/01/04 09:39:40

Thank you Arie for your post. I am able to mount smb shares from linux clients but I am NOT able to mount from Windows clients. The smb shares are from a linux machine acting as a member of an NT4-style domain. With samba 4.7 I ran smbd and nmbd and everything was fine. According to the samba documentation:
https://www.samba.org/samba/history/samba-4.8.0.html

Domain member setups require winbindd
-------------------------------------
Setups with "security = domain" or "security = ads" require a
running 'winbindd' now. The fallback that smbd directly contacts
domain controllers is gone.

Without winbind running, samba 4.8 does not allow mounting smb shares, so I have to run winbind. So with samba 4.8 I run smbd, nmbd and winbindd but I am not able to mount shares from Windows clients. I get the error NT_STATUS_NO_MEMORY.

Users are stored in ldap. security = domain.
Mirek

gizi
Posts: 9
Joined: 2018/12/20 07:40:29

Re: upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap

Post by gizi » 2019/01/08 07:37:22

I somehow managed to solve this problem partially.

When I run winbind with these options, clients which are members of my NT4DOMAIN are now able to mount smb shares from the NT4MEMBER server:

# winbindd -i -d 3 -S -n --option="netbios name"=NT4DOMAIN --option="ntlm auth"=yes

option "netbios name"=NT4DOMAIN overwrites this option from smb.conf: "netbios name"=NT4MEMBER

Nevertheless I am not able to mount smb shares from clients which are not members of NT4DOMAIN.

More explanation:
When "netbios name"=NT4MEMBER (it is the name of the linux server offering smb shares) winbind is looking for domain users' credentials locally, not in ldap.
When "netbios name"=NT4DOMAIN winbind is looking for domain users credentials in ldap. But clients who are not domain members of NT4DOMAIN are treated as non existent and are not able to mount smb shares.

I want all users with valid usernames/passwords to be able to mount smb shares the same way as it was before, i.e. with samba 4.7 with only smbd and nmbd running (winbind was not even installed).

Does anybody have a solution or similar experience?
Last edited by gizi on 2019/01/09 16:34:18, edited 1 time in total.
Mirek

gizi
Posts: 9
Joined: 2018/12/20 07:40:29

Re: upg. CentOS 7.5 to 7.6: unable to mount smb shares - samba NT domain member using ldap

Post by gizi » 2019/01/08 08:15:55

Please find some winbind debug logs for above situation:

1. "netbios name"=NT4MEMBER, user DOMAINUSER from Windows 7 (Windows 7 has joined NT4DOMAIN)


# winbindd -i -d 3 -S -n --option="netbios name"=NT4MEMBER --option="ntlm auth"=yes

[10240]: pam auth crap domain: [NT4DOMAIN] user: domainuser
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
[10238]: pam auth crap domain: NT4DOMAIN user: domainuser
ldb_wrap open of secrets.ldb
rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 0)
The connection to netlogon failed, retrying
2. "netbios name"=NT4DOMAIN, user DOMAINUSER from Windows 7 (Windows 7 has joined NT4DOMAIN)


# winbindd -i -d 3 -S -n --option="netbios name"=NT4DOMAIN --option="ntlm auth"=yes

[10249]: request interface version (version = 30)
[10249]: request location of privileged pipe
[10249]: pam auth crap domain: [NT4DOMAIN] user: domainmember
[10247]: pam auth crap domain: NT4DOMAIN user: domainmember
check_ntlm_password:  Checking password for unmapped user [NT4DOMAIN]\[domainmember]@[NT4DOMAIN] with the new password interface
check_ntlm_password:  mapped user is: [NT4DOMAIN]\[domainmember]@[NT4DOMAIN]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: domainmember
auth_check_ntlm_password: sam authentication for user [domainmember] succeeded
Auth: [winbind,(null)] user [NT4DOMAIN]\[domainmember] at [Tue, 08 Jan 2019 08:50:57.699247 CET] with [NTLMv1] status [NT_STATUS_OK] workstation [NT4DOMAIN] remote host [ipv4:127.0.0.1:0] became [NT4DOMAIN]\[domainmember] [S-1-5-21-somenumbers]. local host [ipv4:127.0.0.1:0]
log_no_json: JSON auth logs not available unless compiled with jansson
check_ntlm_password:  authentication for user [domainmember] -> [domainmember] -> [domainmember] succeeded
3. "netbios name"=NT4DOMAIN, user DOMAINUSER from Konica-Minolta copier (Konica-Minolta has NOT joined NT4DOMAIN)


# winbindd -i -d 3 -S -n --option="netbios name"=NT4DOMAIN --option="ntlm auth"=yes

[10269]: pam auth crap domain: [] user: domainuser
[10267]: pam auth crap domain:  user: domainuser
check_ntlm_password:  Checking password for unmapped user []\[domainuser]@[NT4DOMAIN] with the new password interface
check_ntlm_password:  mapped user is: []\[domainuser]@[NT4DOMAIN]
check_ntlm_password:  Authentication for user [domainuser] -> [domainuser] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0
Auth: [winbind,(null)] user []\[domainuser] at [Tue, 08 Jan 2019 09:03:11.706636 CET] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [NT4DOMAIN] remote host [ipv4:127.0.0.1:0] mapped to []\[domainuser]. local host [ipv4:127.0.0.1:0]
log_no_json: JSON auth logs not available unless compiled with jansson
ldb_wrap open of secrets.ldb
rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 0)
The connection to netlogon failed, retrying
4. "netbios name"=NT4DOMAIN, user DOMAINUSER from Konica-Minolta copier (Konica-Minolta has NOT joined NT4DOMAIN)
Trying to pass the domain name with the user: NT4DOMAIN\domainuser - see logs below - it is not possible to pass the domain correctly for winbind.


# winbindd -i -d 3 -S -n --option="netbios name"=NT4DOMAIN --option="ntlm auth"=yes

[10277]: pam auth crap domain: [] user: nt4domain\domainuser
[10275]: pam auth crap domain:  user: nt4domain\domainuser
check_ntlm_password:  Checking password for unmapped user []\[nt4domain\domainuser]@[nt4domain] with the new password interface
check_ntlm_password:  mapped user is: []\[nt4domain\domainuser]@[nt4domain]
check_ntlm_password:  Authentication for user [nt4domain\domainuser] -> [nt4domain\domainuser] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=0
Auth: [winbind,(null)] user []\[nt4domain\\domainuser] at [Tue, 08 Jan 2019 09:10:59.685960 CET] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [nt4domain] remote host [ipv4:127.0.0.1:0] mapped to []\[nt4domain\\domainuser]. local host [ipv4:127.0.0.1:0]
log_no_json: JSON auth logs not available unless compiled with jansson
ldb_wrap open of secrets.ldb
rpccli_create_netlogon_creds failed for nt4domain, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 0)
The connection to netlogon failed, retrying
Mirek
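The four debug runs above, together with the logs in the first post, all turn on two line shapes: the "Auth:" summary that smbd and winbindd write for every logon, and the set_dc_type_and_flags_connect refusal that precedes each NT_STATUS_NO_MEMORY. The following is an added example (not code from this thread or from Samba) that parses those two lines out of a log, counts outcomes per status, lists NTLMv1 logons and logons that arrived with an empty domain, and reports when the name the DC claimed equals the member's own netbios name. The sample log is constructed from lines quoted in the thread, with 192.0.2.x documentation addresses in place of X.X.X.X.

```python
"""Triage smbd/winbindd debug-level-3 logs for the failure pattern in this thread.

Added example, not code from the thread. It parses the 'Auth:' summary line
and the set_dc_type_and_flags_connect refusal, then reports per-status
counts, NTLMv1 logons, logons with an empty domain field, and whether the
domain the DC claimed equals the member's own netbios name.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample assembled from log lines quoted in the posts above;
# hosts use documentation addresses (192.0.2.x) where the posts show X.X.X.X.
SAMPLE_LOG = r"""
[ 9232]: pam auth crap domain: [NT4DOMAIN] user: user1
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Auth: [SMB2,(null)] user [NT4DOMAIN]\[user1] at [Wed, 19 Dec 2018 13:56:08.989053 CET] with [NTLMv2] status [NT_STATUS_NO_MEMORY] workstation [NT4MEMBER] remote host [ipv4:192.0.2.20:40488] mapped to [NT4DOMAIN]\[user1]. local host [ipv4:192.0.2.5:445]
Auth: [SMB2,(null)] user [NT4MEMBER]\[user1] at [Wed, 19 Dec 2018 14:00:37.714900 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [NT4MEMBER] remote host [ipv4:192.0.2.20:40494] became [NT4MEMBER]\[user1] [S-1-5-21-x-x-x-21020]. local host [ipv4:192.0.2.5:445]
Auth: [winbind,(null)] user [NT4DOMAIN]\[domainmember] at [Tue, 08 Jan 2019 08:50:57.699247 CET] with [NTLMv1] status [NT_STATUS_OK] workstation [NT4DOMAIN] remote host [ipv4:127.0.0.1:0] became [NT4DOMAIN]\[domainmember] [S-1-5-21-somenumbers]. local host [ipv4:127.0.0.1:0]
Auth: [winbind,(null)] user []\[domainuser] at [Tue, 08 Jan 2019 09:03:11.706636 CET] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [NT4DOMAIN] remote host [ipv4:127.0.0.1:0] mapped to []\[domainuser]. local host [ipv4:127.0.0.1:0]
"""

# 'Auth: [service,(null)] user [DOMAIN]\[user] at [...] with [mech] status [...] workstation [...] remote host [...]'
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]+),[^\]]*\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r" at \[[^\]]*\] with \[(?P<mech>[^\]]+)\] status \[(?P<status>[^\]]+)\]"
    r" workstation \[(?P<workstation>[^\]]*)\] remote host \[(?P<remote>[^\]]+)\]"
)
# 'set_dc_type_and_flags_connect: DC for domain X claimed it was a DC for domain Y, refusing to initialize'
DC_RE = re.compile(
    r"set_dc_type_and_flags_connect: DC for domain (?P<asked>[^\s,]+) claimed it was "
    r"a DC for domain (?P<claimed>[^\s,]+), refusing to initialize"
)


def parse_auth_events(text: str) -> List[Dict[str, str]]:
    """One dict per 'Auth:' line: service, domain, user, mech, status, workstation, remote."""
    matches = (AUTH_RE.search(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def parse_dc_mismatches(text: str) -> List[tuple]:
    """Distinct (domain asked for, domain the DC claimed) pairs from refusal lines."""
    matches = (DC_RE.search(line) for line in text.splitlines())
    return sorted({(m["asked"], m["claimed"]) for m in matches if m})


def triage(text: str, netbios_name: str) -> Dict:
    """Summarise a log; netbios_name is the member server's own 'netbios name'."""
    events = parse_auth_events(text)
    mismatches = parse_dc_mismatches(text)
    report = {
        "auth_events": events,
        "status_counts": Counter(e["status"] for e in events),
        "ntlmv1_logons": [e for e in events if e["mech"] == "NTLMv1"],
        "empty_domain_logons": [e for e in events if e["domain"] == ""],
        "dc_mismatches": mismatches,
        "notes": [],
    }
    for asked, claimed in mismatches:
        if claimed.upper() == netbios_name.upper():
            report["notes"].append(
                f"the DC for {asked} answered with the member's own netbios name "
                f"{claimed}; winbind refuses such a DC, so compare 'netbios name' "
                f"and 'workgroup' in smb.conf on the member and on the PDC")
    if report["ntlmv1_logons"]:
        report["notes"].append(
            "NTLMv1 logons seen: 'ntlm auth = yes' re-enables a mechanism weaker "
            "than NTLMv2, so keep it limited to the clients that cannot do better")
    if report["empty_domain_logons"]:
        report["notes"].append(
            "logons with an empty domain field: the client supplied no domain, so "
            "the server configuration decides where that name is looked up")
    return report


REPORT = triage(SAMPLE_LOG, "NT4MEMBER")

if __name__ == "__main__":
    print(dict(REPORT["status_counts"]))
    print(REPORT["dc_mismatches"])
    for note in REPORT["notes"]:
        print("-", note)
```

Feed it a real log with `triage(open("/var/log/samba/log.winbindd").read(), "NT4MEMBER")` and look at `dc_mismatches` first: a DC that identifies itself by the member's own name is exactly the condition that winbind logs as "refusing to initialize" before the NETLOGON credential setup fails. The NTLMv1 note matters because the logs from runs 2 to 4 show [NTLMv1] only after "ntlm auth" was set to yes.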
