Samba upgrade to samba-4.10.16-18.el7_9.x86_64 issues

tmar
Posts: 12
Joined: 2009/03/24 10:09:24

Samba upgrade to samba-4.10.16-18.el7_9.x86_64 issues

Post by tmar » 2022/02/16 10:44:33

Hello

I have recently upgraded Samba to samba-4.10.16-18.el7_9.x86_64 on CentOS 7.8.
Smb and winbind are running OK.
Users trying to map their home directory to the U:\ drive from a Windows 10 machine are getting "The specified network password is not correct", and on the Linux server, in the log.IPpc file, I get:

[2022/02/16 12:39:20.010884, 3] ../../source3/smbd/oplock.c:1422(init_oplocks)
init_oplocks: initializing messages.
[2022/02/16 12:39:20.013264, 3] ../../source3/smbd/process.c:1948(process_smb)
Transaction 0 of length 240 (0 toread)
[2022/02/16 12:39:20.013450, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
Selected protocol SMB3_11
[2022/02/16 12:39:20.739287, 0] ../../source3/auth/auth_util.c:1889(check_account)
check_account: Failed to convert SID S-1-5-21-3244330370-710286947-636655351-13965 to a UID (dom_user[XXXXX\<username>])
[2022/02/16 12:39:20.739338, 3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2022/02/16 12:39:20.766776, 3] ../../source3/smbd/server_exit.c:236(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)

Any suggestions? Anyone with the same issue?

Thank you

Maria

BShT
Posts: 584
Joined: 2019/10/09 12:31:40

Re: Samba upgrade to samba-4.10.16-18.el7_9.x86_64 issues

Post by BShT » 2022/02/16 11:19:28

Look at the output of
# net ads info

and at the min and max protocol in your smb.conf.

tmar
Posts: 12
Joined: 2009/03/24 10:09:24

Re: Samba upgrade to samba-4.10.16-18.el7_9.x86_64 issues

Post by tmar » 2022/02/16 12:10:15

Thank you for your reply

Below is the output of net ads info


LDAP server: 10.16.1.124
LDAP server name: homer.example.xx.yy
Realm: EXAMPLE.XX.YY
Bind Path: dc=EXAMPLE,dc=XX,dc=YY
LDAP port: 389
Server time: Wed, 16 Feb 2022 14:07:07 EET
KDC server: 10.16.1.124
Server time offset: 0
Last machine account password change: Wed, 16 Feb 2022 11:38:42 EET

and I haven't configured the min and max protocols in smb.conf

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Samba upgrade to samba-4.10.16-18.el7_9.x86_64 issues

Post by TrevorH » 2022/02/16 13:21:06

"I have recently upgrade samba to samba-4.10.16-18.el7_9.x86_64, on centos 7.8"
Please note that the current version is 7.9 not 7.8 which is several years out of date. We don't support cherry picking individual updates so you need to update everything, not just samba. For a start, there is a cifs kernel module that may well need to be updated in parallel with the samba updates.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

syrzisko
Posts: 2
Joined: 2022/02/21 16:33:37

Re: Samba upgrade to samba-4.10.16-18.el7_9.x86_64 issues

Post by syrzisko » 2022/02/21 16:43:06

Hello,

What I did was downgrade Samba to -15 (as -17 is buggy), then install a yum plugin to block it at -15:

yum downgrade libsmbclient-4.10.16-15.el7_9.x86_64 libwbclient-4.10.16-15.el7_9.x86_64 samba-4.10.16-15.el7_9.x86_64 samba-client-libs-4.10.16-15.el7_9.x86_64 samba-common-4.10.16-15.el7_9.noarch samba-common-libs-4.10.16-15.el7_9.x86_64 samba-common-tools-4.10.16-15.el7_9.x86_64 samba-libs-4.10.16-15.el7_9.x86_64

yum install yum-plugin-versionlock

yum versionlock libsmbclient-4.10.16-15.el7_9.x86_64 libwbclient-4.10.16-15.el7_9.x86_64 samba-4.10.16-15.el7_9.x86_64 samba-client-libs-4.10.16-15.el7_9.x86_64 samba-common-4.10.16-15.el7_9.noarch samba-common-libs-4.10.16-15.el7_9.x86_64 samba-common-tools-4.10.16-15.el7_9.x86_64 samba-libs-4.10.16-15.el7_9.x86_64

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Samba upgrade to samba-4.10.16-18.el7_9.x86_64 issues

Post by TrevorH » 2022/02/22 00:50:14

This is the wrong solution. By backleveling to that old version you have now created a system that is vulnerable to all the things that were fixed in -18.


* Tue Jan 25 2022 Andreas Schneider <asn@redhat.com> - 4.10.16-18
- resolves: #2034800 - Fix usermap script regression caused by CVE-2020-25717
- resolves: #2036595 - Fix MIT realm regression caused by CVE-2020-25717
- resolves: #2046148 - Fix CVE-2021-44142

* Mon Nov 15 2021 Andreas Schneider <asn@redhat.com> - 4.10.16-17
- related: #2019673 - Add missing checks for IPA DC server role

* Mon Nov 08 2021 Andreas Schneider <asn@redhat.com> - 4.10.16-16
- resolves: #2019661 - Fix CVE-2016-2124
- resolves: #2019673 - Fix CVE-2020-25717
- resolves: #2021428 - Add missing PAC buffer types to krb5pac.idl
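Added example, not part of the original thread: a small shell filter that reads an RPM changelog (newest entry first) and lists the CVE fixes a version-locked release is missing, using the changelog excerpt quoted in the post above as input. The function names `cves_fixed_after`, `sample_changelog` and `missing_for_pin` are hypothetical.

```shell
#!/bin/sh
# Added example: which CVE fixes does a pinned samba release lack?
# stdin: RPM changelog text, newest entry first.
# $1:    the pinned version-release, e.g. 4.10.16-15.
cves_fixed_after() {
    awk -v pinned="$1" '
        /^\* / {                      # entry header: "* date packager - version-release"
            rel = $NF
            if (rel == pinned) exit   # reached the pinned build; it already has older fixes
            next
        }
        # Count only direct security fixes, not "regression caused by CVE-..." lines.
        match($0, /Fix CVE-[0-9]+-[0-9]+/) {
            print rel, substr($0, RSTART + 4, RLENGTH - 4)
        }
    '
}

# Changelog excerpt exactly as quoted in the post above.
sample_changelog() {
    cat <<'EOF'
* Tue Jan 25 2022 Andreas Schneider <asn@redhat.com> - 4.10.16-18
- resolves: #2034800 - Fix usermap script regression caused by CVE-2020-25717
- resolves: #2036595 - Fix MIT realm regression caused by CVE-2020-25717
- resolves: #2046148 - Fix CVE-2021-44142

* Mon Nov 15 2021 Andreas Schneider <asn@redhat.com> - 4.10.16-17
- related: #2019673 - Add missing checks for IPA DC server role

* Mon Nov 08 2021 Andreas Schneider <asn@redhat.com> - 4.10.16-16
- resolves: #2019661 - Fix CVE-2016-2124
- resolves: #2019673 - Fix CVE-2020-25717
- resolves: #2021428 - Add missing PAC buffer types to krb5pac.idl
EOF
}

# Hypothetical wrapper: run the filter over the sample for a given pin.
missing_for_pin() {
    sample_changelog | cves_fixed_after "$1"
}

# A host locked at -15 lacks every fix listed in the excerpt.
missing_for_pin 4.10.16-15
```

On a real host, feed it the changelog of the newest available package rather than the installed one, for example `rpm -qp --changelog` on the downloaded update RPM.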

syrzisko
Posts: 2
Joined: 2022/02/21 16:33:37

Re: Samba upgrade to samba-4.10.16-18.el7_9.x86_64 issues

Post by syrzisko » 2022/02/22 10:22:59

I know. Big security issues. But it is a temporary solution to let users continue to work. It was not possible to install WinSCP or FileZilla on their computers.

Until migration to Redhat8 or another one, I do not see a solution.

But security issues yes.

tmar
Posts: 12
Joined: 2009/03/24 10:09:24

Re: Samba upgrade to samba-4.10.16-18.el7_9.x86_64 issues

Post by tmar » 2022/02/24 11:29:33

Many thanks for your reply.
We have upgraded our server to CentOS 7.9 but the problem still persists.
Please let me explain our setup. We have a CentOS 7.9 file server that stores users' home directories and runs Samba and an NFS server. Users are not allowed to log in on this server, but they get their home directories through NFS clients on CentOS machines, and through Samba from Windows clients. Authentication is done through a Windows AD domain. We have 7 DCs and 1 RODC. The RODC is located on our local subdomain. In addition, we have an OpenLDAP server that stores Unix attributes like uid, gid, home directory, shell, etc.

smb.conf file is as follows

[global]
workgroup = EXAMPLE
security = domain
realm = EXAMPLE.XX.YY
passdb backend = tdbsam
printing = cups
printcap name = /dev/null # mute annoying errors
load printers = no
cups options = raw
log level = 1
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
log file = /var/log/samba/log.%m
max log size = 50
log level = 10 auth:3 winbind:15


[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
----------------------------------------------------------------------------------------------------------------------------
sssd.conf

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = example.xx.yy

[nss]
filter_groups = root, psystem
filter_users = root, psystem
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/ucy.ac.cy]
ad_domain = example.xx.yy
krb5_realm = EXAMPLE.XX.YY
dns_discovery_domain = EXAMPLE.XX.YY
realmd_tags = manages-system joined-with-adcli
ad_maximum_machine_account_password_age = 0
cache_credentials = True
id_provider = ldap
auth_provider = krb5
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
ldap_schema = rfc2307bis
enumerate = TRUE
ldap_group_member = uniqueMember
ldap_search_base = dc=cs,dc=example,dc=xx,dc=yy
ldap_uri = ldap://ariadni.in.cs.example.xx.yy/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/openldap/certs/sectigo.crt
debug_level = 3

----------------------------------------------------------------------------------------------------------------------------
/etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
#initgroups: files

#hosts: db files nisplus nis dns
hosts: files dns myhostname

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss

netgroup: files sss

publickey: nisplus

automount: files sss
aliases: files nisplus

When users try to map their home directory through Windows clients, they get errors like "The security database on the server does not have a computer account for this workstation trust.."
On the server side, the /var/log/samba/clientIP.log file logs the following:

../../source3/auth/auth.c:334(auth_check_ntlm_password) check_ntlm_password: Authentication for user [userx@exampe.xx.yy] -> [userx@exampe.xx.yy] FAILED with error NT_STATUS_NO_TRUST_SAM_ACCOUNT, authoritative=1

Running Samba samba-4.10.16-15.el7_9.x86_64 with the same setup does not seem to have any issues.

It seems that this is a bug in the newest Samba version?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Samba upgrade to samba-4.10.16-18.el7_9.x86_64 issues

Post by TrevorH » 2022/02/24 11:52:50

Do you have winbind installed and running?

It appears that winbind is now a requirement. See https://access.redhat.com/documentation ... otes/index
samba rebased to version 4.8.3
The samba packages have been upgraded to upstream version 4.8.3, which provides a number of bug fixes and enhancements over the previous version:
The smbd service no longer queries user and group information from Active Directory domain controllers and NT4 primary domain controllers directly. Installations with the security parameter set to ads or domain now require that the winbindd service is running.

tmar
Posts: 12
Joined: 2009/03/24 10:09:24

Re: Samba upgrade to samba-4.10.16-18.el7_9.x86_64 issues

Post by tmar » 2022/02/24 12:05:36

Yes of course, winbind is up and running
