Score:1

Samba/Winbind domain member authentication issue


In setting up a new Linux Samba fileserver as an AD member I keep running into an issue with authentication.

It appears to be triggered by running with selinux in Enforcing mode after joining AD, but it doesn't go away if I turn off selinux with setenforce 0 or reboot with SELINUX=permissive in the selinux config - at least not for an hour or so.

On the first test VM I set up with the same distro, setup steps and updates it has been working OK consistently, but right now I'm running into this auth issue on and off with the server I'm setting up for production use.

This is on Rocky Linux 8.5 and Samba 4.14.5.

smb.conf mostly has default settings in [global] and I set up a public [testshare]:

[global]
    security = ads

    passdb backend = tdbsam

    printing = cups
    printcap name = cups
    load printers = no
    cups options = raw
    kerberos method = secrets and keytab
    template homedir = /home/%U@%D
    template shell = /bin/bash
    idmap config ADOMAIN : range = 2000000-2999999
    idmap config ADOMAIN : backend = rid
    idmap config * : range = 10000-999999
    idmap config * : backend = tdb
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind offline logon = yes

    # Allow guest access for public share without password
    map to guest = bad user

    # these should be set to no for prod use
    winbind enum groups = yes
    winbind enum users = yes

    # Mac tweaks for ACLs
    map acl inherit = Yes
    store dos attributes = Yes

    # Mac tweaks for Apple Resource forks
    vfs objects = fruit streams_xattr
    fruit:aapl = yes
    fruit:time machine = no
    fruit:resource = xattr
    fruit:nfs_aces = no
    fruit:model = MacSamba
    workgroup = ADOMAIN
    realm = ADOMAIN.LAN

[testshare]
    path = /mnt/data01/smb/testshare
    browsable = yes
    writable = yes
    guest ok = yes
    read only = no

The domain join was done with:

realm join --membership-software=samba --client-software=winbind adomain.lan

Kerberos auth keeps working OK:

wbinfo -K user

This one also works:

getent passwd ADOMAIN\\user

But the following fail:

smbclient -L localhost -U guest%

wbinfo -a user

smbclient -d 3 //localhost/testshare -U user

The last one spits out this:

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface ens192 ip=10.18.100.102 bcast=10.18.103.255 netmask=255.255.252.0
Client started (version 4.14.5).
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
Connecting to 127.0.0.1 at port 445
Enter ADOMAIN\user's password:
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GSE to 'localhost' does not make sense
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
session setup failed: NT_STATUS_ACCESS_DENIED

The audit log normally does not show any AVC denied errors. I tried turning off the dontaudit rules and allowed the AVC denied messages that turned up but that didn't help.

Do I need to give up on selinux to get this stable? Any other tips?
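The [global] section above, and the `map to guest` line the asker later found missing, suggest a handful of checks worth automating before chasing SELinux. The Python below is an added example, not from the question or from Samba itself: a small smb.conf parser plus a linter that flags a `guest ok = yes` share without `map to guest` in [global], a missing `realm` or `workgroup` under `security = ads`, an idmap backend without a range, overlapping idmap ranges, and `winbind enum users/groups = yes`. The embedded sample is constructed from the question's [global] and [testshare] sections with `map to guest` deliberately left out; the key normalisation (lower-case, collapsed whitespace) is an assumption that covers the spellings used here, not Samba's full parameter-name matching.

```python
import re

# Constructed sample based on the question's [global] and [testshare] sections,
# with "map to guest" deliberately left out to reproduce the omission found later.
SAMPLE_SMB_CONF = """\
[global]
    security = ads
    workgroup = ADOMAIN
    realm = ADOMAIN.LAN
    idmap config * : backend = tdb
    idmap config * : range = 10000-999999
    idmap config ADOMAIN : backend = rid
    idmap config ADOMAIN : range = 2000000-2999999
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

[testshare]
    path = /mnt/data01/smb/testshare
    guest ok = yes
    read only = no
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.
    Keys are lower-cased with whitespace collapsed (an assumption that suits
    the spellings used in the question, not Samba's full name matching)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_true(value):
    """Samba-style boolean: yes/true/1/on are true."""
    return value.strip().lower() in ("yes", "true", "1", "on")


def parse_range(value):
    lo, hi = value.split("-")
    return int(lo), int(hi)


def lint_smb_conf(conf):
    """Return a list of findings for the checks discussed in the thread."""
    findings = []
    g = conf.get("global", {})

    # security = ads needs the realm and workgroup to know which domain to trust
    if g.get("security", "").lower() == "ads":
        for key in ("realm", "workgroup"):
            if key not in g:
                findings.append(f"security = ads but '{key}' is missing from [global]")

    # A share with 'guest ok = yes' only admits anonymous clients when [global]
    # maps unknown users to guest; the default 'map to guest = Never' refuses them.
    map_to_guest = g.get("map to guest", "never").lower()
    for name, params in conf.items():
        if name != "global" and is_true(params.get("guest ok", "no")) and map_to_guest == "never":
            findings.append(f"[{name}] has 'guest ok = yes' but [global] lacks 'map to guest' (default Never)")

    # idmap: every configured backend needs a range, and ranges must not overlap
    ranges = {}
    for key, value in g.items():
        m = re.match(r"idmap config (.+?) : range$", key)
        if m:
            ranges[m.group(1)] = parse_range(value)
    for key in g:
        m = re.match(r"idmap config (.+?) : backend$", key)
        if m and m.group(1) not in ranges:
            findings.append(f"idmap backend for '{m.group(1)}' has no range")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")

    # Enumerating the whole directory is expensive; the asker's own comment says to turn it off in prod.
    for key in ("winbind enum users", "winbind enum groups"):
        if is_true(g.get(key, "no")):
            findings.append(f"'{key} = yes' enumerates the whole directory; set to no for production")
    return findings


if __name__ == "__main__":
    for finding in lint_smb_conf(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("-", finding)
```

Run against the sample it reports the missing `map to guest` and the two enumeration settings but no range problem, because the `*` and ADOMAIN ranges in the question do not overlap; adding `map to guest = bad user` to [global] clears the guest finding.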

jp flag
This probably has nothing to do with selinux.
jp flag
STUPID SYSTEM only allowing a short time to edit, so attempt two: This probably has nothing to do with selinux. What exactly is in the global part of your smb.conf? How did you join the domain? Have you created a user called 'guest'? Does 'getent passwd guest' show this user? Why are you using the ranges set in smb.conf?
codeskipper
Thanks for your input Rowland, I've updated the question to show the entire [global] section, and how the domain was joined.
codeskipper
@Rowland Penny, the idmap ranges set in the global section are just the defaults; I've not had cause to change them. After all the checking I did I agree it doesn't look like selinux is the root cause, but it does seem to trigger the issue. The guest user was not created by me; as I understood it, this is the way to test anonymous access without a password, and this part also works OK before the issue is triggered.
codeskipper
@RowlandPenny - Just found out I was missing the `map to guest = bad user` in the global section - editing the question again. One reinstall too many. It doesn't change the issue, only now a Mac or Windows can actually use guest again.
jp flag
As for the ranges, this is probably yet another Red Hat 'default'; they should probably work but are a bit inelegant. You might want to read this: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File . You have used realmd to join; I would have used 'net ads join'. Samba uses 'nobody' as the default guest user.
Jiri B
Are your guest (nobody) and your AD user able to access all components of the path `/mnt/data01/smb/testshare`? Anyway, set `debug level = 10` and see the smbd log.
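Jiri B's question, whether the guest identity and the AD user can reach every component of the share path, is easy to test mechanically. The Python below is an added example and not from any commenter: it walks each directory from / down to the share and reports the ones a given uid and set of gids cannot search (the execute bit), consulting only classic mode bits, so POSIX ACLs and SELinux labels are outside its scope. The demo builds a constructed tree shaped like `/mnt/data01/smb/testshare` under a temporary directory; uid 65534 with no groups stands in for the guest account ('nobody' on many distributions, as Rowland notes) and is an assumption.

```python
import os
import shutil
import stat
import tempfile


def can_search(st, uid, gids):
    """Classic owner/group/other rule for the search (execute) bit on a
    directory; uid 0 is treated as bypassing DAC, as the kernel does."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def blocked_components(path, uid, gids):
    """Return the directories on the way to `path` (inclusive) that the
    identity (uid, gids) cannot traverse; an empty list means it is reachable.
    Only mode bits are consulted: POSIX ACLs and SELinux are out of scope."""
    gids = set(gids)
    blocked, current = [], os.sep
    for part in os.path.abspath(path).split(os.sep)[1:]:
        current = os.path.join(current, part)
        st = os.stat(current)
        if stat.S_ISDIR(st.st_mode) and not can_search(st, uid, gids):
            blocked.append(current)
    return blocked


def demo():
    """Constructed tree shaped like /mnt/data01/smb/testshare under a temp dir.
    mkdtemp creates the top directory with mode 0700, so a guest identity
    (assumed here to be uid 65534 with no groups) is stopped at that hop even
    though the share directory itself is world-searchable."""
    base = tempfile.mkdtemp()
    smb = os.path.join(base, "smb")
    share = os.path.join(smb, "testshare")
    os.makedirs(share)
    os.chmod(smb, 0o755)
    os.chmod(share, 0o775)
    guest_uid, guest_gids = 65534, ()   # assumption: guest has no group memberships
    before = blocked_components(share, guest_uid, guest_gids)
    os.chmod(base, 0o711)   # search-only for others: the usual fix for a parent directory
    after = blocked_components(share, guest_uid, guest_gids)
    shutil.rmtree(base)
    return base, share, before, after


if __name__ == "__main__":
    base, share, before, after = demo()
    print("blocked before:", before)
    print("blocked after: ", after)
```

On a real server you would pass the share path from smb.conf and the uid/gids that `getent passwd` and `id` report for `nobody` and for the AD user; a non-empty result is a plain permission problem that no amount of winbind debugging will fix.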