Upg. CentOS 7.5 To 7.6: Unable To Mount Smb Shares – Samba NT Domain Member Using Ldap


Originally I posted this question at the CentOS forum on 20.12.2018: https://www.CentOS.org/forums/viewtopic.php?f=48&t=69193

Hi all,

I am not able to mount samba shares after upgrading CentOS 7.5 to 7.6. I have been searching and trying to configure samba and winbind, but with no success. I find a lot of manuals and help pages about setting up samba and winbind for a machine acting as an AD DC member, but almost nothing about a machine acting as an NT4-style DC member, and that is my case.

Samba version before the upgrade: samba-4.7.1-9.el7_5.x86_64; after the upgrade: samba-4.8.3-4.el7.x86_64. I noticed that now it is necessary to use winbind, which I did not use before the upgrade.

My network:

The machine with CentOS 6.9 is the PDC (NT4 style), configured with ldap and kerberos, providing domain logon services to Windows and Samba clients of an NT4-like domain. openLDAP-2.4.40-16.el6.x86_64, krb5-server-1.10.3-65.el6.x86_64, samba-3.6.23-51.el6.x86_64.

The machine with CentOS 7.6 is a domain member offering network shares to windows clients. Before the upgrade my samba-4.7 ran only the smb and nmb services and everything was fine. After the upgrade samba-4.8.3 runs the smb, nmb and winbind services. smb.conf:
workgroup = NT4DOMAIN
netbios name = NT4MEMBER

# wbinfo -m --verbose
Domain Name   DNS Domain    Trust Type    Transitive  In   Out
BUILTIN                     Local
NT4MEMBER                   Local
NT4DOMAIN     INTRANET.XX   Workstation   Yes         No   Yes

# wbinfo --own-domain
NT4DOMAIN

I discovered that winbind is not authenticating users with NT4DOMAIN but only with NT4MEMBER. In this case NT4MEMBER users ARE NT4DOMAIN users (there is only one user1 in the ldap database). It can be seen in the logs below. I set debug level 3 for smbd and winbindd. Windows machines have joined NT4DOMAIN but now cannot mount shares from NT4MEMBER. The Windows mount command net use /user:NT4DOMAIN\user1 \\NT4MEMBER\share1 is equal to the linux command smbclient //NT4MEMBER/share1 -U NT4DOMAIN\\user1. From a linux machine I can mount the share with this command: smbclient //NT4MEMBER/share1 -U NT4MEMBER\\user1, but from a windows machine it is not possible. Normally (before the upgrade) Windows users mapped shares from a startup script with this command: net use \\NT4MEMBER\share1.

What is going wrong can be seen from logs:

# smbclient //NT4MEMBER/share1 -U NT4DOMAIN\\user1

smbd log:
check_ntlm_password: Checking password for unmapped user [NT4DOMAIN]\[user1]@[NT4MEMBER] with the new password interface
check_ntlm_password: mapped user is: [NT4DOMAIN]\[user1]@[NT4MEMBER]
check_ntlm_password: Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_NO_MEMORY, authoritative=1
Auth: [SMB2,(null)] user [NT4DOMAIN]\[user1] at [Wed, 19 Dec 2018 13:56:08.989053 CET] with [NTLMv2] status [NT_STATUS_NO_MEMORY] workstation [NT4MEMBER] remote host [ipv4:X.X.X.X:40488] mapped to [NT4DOMAIN]\[user1]. local host [ipv4:X.X.X.X:445]
log_no_json: JSON auth logs not available unless compiled with jansson
gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_MEMORY
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_MEMORY] || at ../source3/smbd/smb2_sesssetup.c:137
Server exit (NT_STATUS_END_OF_FILE)
Terminated

winbind log:
[ 9232]: request interface version (version = 30)
[ 9232]: request location of privileged pipe
[ 9232]: pam auth crap domain: [NT4DOMAIN] user: user1
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
[ 9228]: pam auth crap domain: NT4DOMAIN user: user1
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
ldb_wrap open of secrets.ldb
rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 0)
The connection to netlogon failed, retrying
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
ldb_wrap open of secrets.ldb
rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 1)
This is again a problem for this particular call, forcing the close of this connection
The connection to netlogon failed, retrying
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
ldb_wrap open of secrets.ldb
rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 2)
This is again a problem for this particular call, forcing the close of this connection
This is the third problem for this particular call, adding DC to the negative cache list: NT4DOMAIN (null)
The connection to netlogon failed, retrying
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
ldb_wrap open of secrets.ldb
rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 3)
This is again a problem for this particular call, forcing the close of this connection
This is the third problem for this particular call, adding DC to the negative cache list: NT4DOMAIN (null)
NTLM CRAP authentication for user [NT4DOMAIN]\[user1] returned NT_STATUS_NO_MEMORY

# smbclient //NT4MEMBER/share1 -U NT4MEMBER\\user1

smbd log:
check_ntlm_password: Checking password for unmapped user [NT4MEMBER]\[user1]@[NT4MEMBER] with the new password interface
check_ntlm_password: mapped user is: [NT4MEMBER]\[user1]@[NT4MEMBER]
init_sam_from_ldap: Entry found for user: user1
auth_check_ntlm_password: sam authentication for user [user1] succeeded
Auth: [SMB2,(null)] user [NT4MEMBER]\[user1] at [Wed, 19 Dec 2018 14:00:37.714900 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [NT4MEMBER] remote host [ipv4:X.X.X.X:40494] became [NT4MEMBER]\[user1] [S-1-5-21-x-x-x-21020]. local host [ipv4:X.X.X.X:445]
log_no_json: JSON auth logs not available unless compiled with jansson
check_ntlm_password: authentication for user [user1] -> [user1] -> [user1] succeeded
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
init_group_from_ldap: Entry found for group: 544
init_group_from_ldap: Entry found for group: 100000
Adding homes service for user 'user1' using home directory: '/posta/user1'
adding home's share [user1] for user 'user1' at '/data/osobni/%S'
Allowed connection from X.X.X.X (X.X.X.X)
Connect path is '/tmp' for service [IPC$]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
NT4MEMBER (ipv4:X.X.X.X:40494) connect to service IPC$ initially as user user1 (uid=10010, gid=513) (pid 7874)
get_referred_path: |share1| in dfs path \NT4MEMBER\share1 is not a dfs root.
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
NT4MEMBER (ipv4:X.X.X.X:40494) closed connection to service IPC$
Allowed connection from X.X.X.X (X.X.X.X)
Connect path is '/samba1/664' for service [share1]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [recycle]
load_module_absolute_path: Module '/usr/lib64/samba/vfs/recycle.so' loaded
NT4MEMBER (ipv4:X.X.X.X:40494) connect to service share1 initially as user user1 (uid=10010, gid=513) (pid 7874)

winbind log:
[ 9238]: request interface version (version = 30)
[ 9238]: request location of privileged pipe
sids_to_xids
sam_sid_to_name
sam_sid_to_name
sam_sid_to_name
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server

I can provide more details (config parameters etc.) later if necessary. I played with all the winbind parameters and idmap config parameters, but with no success. Can anyone please help me to solve this problem?

Please find more logs. wbinfo -i user1 (without prepending the domain) should show NT4DOMAIN\user1, not NT4MEMBER\user1. The same should hold for wbinfo -i NT4DOMAIN\\user1.

# wbinfo -i user1
NT4MEMBER\user1:*:10010:513::/posta/user1:/bin/false

winbindd log:
[ 9747]: request interface version (version = 30)
[ 9747]: request location of privileged pipe
getpwnam user1
sam_name_to_sid
name_to_sid: user1 for domain
init_sam_from_ldap: Entry found for user: user1
name_to_sid: user1 for domain
init_sam_from_ldap: Entry found for user: user1
sam_rids_to_names for NT4MEMBER
sam_sid_to_name

# wbinfo -i NT4MEMBER\\user1
NT4MEMBER\user1:*:10010:513::/posta/user1:/bin/false

winbindd log:
[ 9744]: request interface version (version = 30)
[ 9744]: request location of privileged pipe
getpwnam NT4MEMBER\user1
sam_name_to_sid
name_to_sid: NT4MEMBER\user1 for domain NT4MEMBER
init_sam_from_ldap: Entry found for user: user1
name_to_sid: NT4MEMBER\user1 for domain NT4MEMBER
init_sam_from_ldap: Entry found for user: user1
sam_rids_to_names for NT4MEMBER
sam_sid_to_name

# wbinfo -i NT4DOMAIN\\user1
Could not get info for user NT4DOMAIN\user1

winbindd log:
[ 9746]: request interface version (version = 30)
[ 9746]: request location of privileged pipe
getpwnam NT4DOMAIN\user1
sam_name_to_sid
name_to_sid: NT4DOMAIN\user1 for domain NT4DOMAIN
name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
name_to_sid: NT4DOMAIN\user1 for domain NT4DOMAIN
name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED

wbinfo -u should list all users from NT4DOMAIN but lists nothing. wbinfo -u --domain="NT4MEMBER" lists all users which are from ldap; they are NT4DOMAIN users.

# wbinfo -u

winbindd log:
[ 9754]: request interface version (version = 30)
[ 9754]: request location of privileged pipe
[ 9754]: request interface version (version = 30)
[ 9754]: request misc info
[ 9754]: request netbios name
[ 9754]: request domain name
[ 9754]: domain_info [NT4DOMAIN]
list_users NT4DOMAIN
samr: sequence number

# wbinfo -u --domain="NT4MEMBER"
NT4MEMBER\dovecot
NT4MEMBER\root
NT4MEMBER\nobody
NT4MEMBER\user1

winbindd log:
[ 9756]: request interface version (version = 30)
[ 9756]: request location of privileged pipe
list_users NT4MEMBER
samr_query_user_list
smbldap_search_paged: base => [ou=Users,dc=intranet,dc=xx], filter => [(&(uid=*)(objectclass=sambaSamAccount))], scope => [2], pagesize => [1000]
smbldap_search_paged: search was successful
samr: sequence number
sam_rids_to_names for NT4MEMBER

Mirek
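The two log dumps above carry the whole story, but the decisive records (the smbd "Auth:" summary lines and winbindd's "claimed it was a DC for domain ..." refusals) are buried in repetition. The script below is an added example, not part of the original post or of Samba: it runs over a few constructed log lines modelled on the ones posted (IP addresses replaced by documentation addresses, SID digits made up), extracts those records with regular expressions written against the Samba 4.8 log-level-3 message formats visible above, and points out when the "DC" winbindd reached identified itself with the member server's own netbios name. The function names and the `netbios_name` parameter are my own.

```python
"""Pull the decisive records out of Samba smbd/winbindd debug logs.

Added example, not part of the original post.  SAMPLE_LOG is constructed to
mirror the lines posted above (IPs are documentation addresses, the SID is
made up); the regexes follow the Samba 4.8 log-level-3 message formats shown
in the post; the function names are mine.
"""
import re
from collections import Counter

# smbd auth summary: "Auth: [SMB2,(null)] user [DOMAIN]\[user] ... with [mech] status [NT_STATUS_...] workstation [...]"
AUTH_RE = re.compile(
    r"Auth: \[(?P<transport>[^,\]]+),[^\]]*\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r".*?with \[(?P<mech>[^\]]+)\] status \[(?P<status>NT_STATUS_\w+)\]"
    r".*?workstation \[(?P<workstation>[^\]]*)\]"
)
# winbindd rejecting the DC it reached because that host reported a different domain
DC_MISMATCH_RE = re.compile(
    r"set_dc_type_and_flags_connect: DC for domain (?P<asked>\S+) claimed it was "
    r"a DC for domain (?P<claimed>\S+), refusing to initialize"
)
# winbindd failing to open the NETLOGON pipe (retried, then negatively cached)
NETLOGON_RE = re.compile(
    r"Could not open handle to NETLOGON pipe \(error: (?P<status>NT_STATUS_\w+), attempts: (?P<attempt>\d+)\)"
)

# Constructed sample, modelled on the posted smbd and winbindd output.
SAMPLE_LOG = r"""
check_ntlm_password: Checking password for unmapped user [NT4DOMAIN]\[user1]@[NT4MEMBER] with the new password interface
check_ntlm_password: Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_NO_MEMORY, authoritative=1
Auth: [SMB2,(null)] user [NT4DOMAIN]\[user1] at [Wed, 19 Dec 2018 13:56:08.989053 CET] with [NTLMv2] status [NT_STATUS_NO_MEMORY] workstation [NT4MEMBER] remote host [ipv4:192.0.2.10:40488] mapped to [NT4DOMAIN]\[user1]. local host [ipv4:192.0.2.20:445]
[ 9232]: pam auth crap domain: [NT4DOMAIN] user: user1
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 0)
The connection to netlogon failed, retrying
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 1)
NTLM CRAP authentication for user [NT4DOMAIN]\[user1] returned NT_STATUS_NO_MEMORY
Auth: [SMB2,(null)] user [NT4MEMBER]\[user1] at [Wed, 19 Dec 2018 14:00:37.714900 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [NT4MEMBER] remote host [ipv4:192.0.2.10:40494] became [NT4MEMBER]\[user1] [S-1-5-21-1-2-3-21020]. local host [ipv4:192.0.2.20:445]
"""


def parse_auth_events(lines):
    """One dict per smbd 'Auth:' summary line, in log order."""
    return [m.groupdict() for m in map(AUTH_RE.search, lines) if m]


def find_dc_mismatches(lines):
    """Distinct (asked_for, claimed) domain pairs that winbindd refused to initialise."""
    pairs = set()
    for line in lines:
        # Extracted logs often run several messages into one line, so scan each line fully.
        for m in DC_MISMATCH_RE.finditer(line):
            pairs.add((m.group("asked"), m.group("claimed")))
    return sorted(pairs)


def netlogon_attempts(lines):
    """Highest NETLOGON retry counter seen, keyed by NT status."""
    worst = {}
    for line in lines:
        for m in NETLOGON_RE.finditer(line):
            status, attempt = m.group("status"), int(m.group("attempt"))
            worst[status] = max(worst.get(status, 0), attempt)
    return worst


def diagnose(log_text, netbios_name=None):
    """Summarise auth outcomes and explain a DC/domain mismatch if one is present.

    netbios_name (assumption: the member's own 'netbios name') lets the check say
    whether the rejected 'DC' was in fact this host answering for itself.
    """
    lines = log_text.splitlines()
    events = parse_auth_events(lines)
    mismatches = find_dc_mismatches(lines)
    findings = []
    for asked, claimed in mismatches:
        msg = (f"winbindd looked for a DC of {asked} but the host it reached "
               f"identified itself as a DC for {claimed}")
        if netbios_name and claimed.upper() == netbios_name.upper():
            msg += (f" (that is this member's own netbios name {netbios_name}: "
                    "the DC lookup landed on the member itself)")
        findings.append(msg)
    for e in events:
        if e["status"] != "NT_STATUS_OK":
            findings.append(f"{e['mech']} logon {e['domain']}\\{e['user']} from workstation "
                            f"{e['workstation']} failed: {e['status']}")
    return {
        "auth_events": events,
        "status_counts": dict(Counter(e["status"] for e in events)),
        "dc_mismatches": mismatches,
        "netlogon": netlogon_attempts(lines),
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, netbios_name="NT4MEMBER")["findings"]:
        print("-", finding)
```

Run against a real `log.smbd`/`log.winbindd` at `log level = 3` (or `auth:3` for just the auth lines), pass the member's own `netbios name`, and the first finding states the condition the thread later confirms with `wbinfo --ping-dc`: winbindd's DC lookup for the workgroup resolved to the member itself, so NETLOGON credentials could not be established and every pass-through logon came back as NT_STATUS_NO_MEMORY.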

17 thoughts on - Upg. CentOS 7.5 To 7.6: Unable To Mount Smb Shares – Samba NT Domain Member Using Ldap

  • I am sorry the logs are badly formatted. I am trying again and hope it will be better. Otherwise look at the link below or tell me how to send logs correctly.

    Mirek

    On 21.12.2018 at 13:19, Miroslav Geisselreiter wrote:

  • Copy them to a pastebin and post the link to the pastebin. Pastebin is ideal for log files, source code, and other text data that’s large or needs special formatting.

  • Till now nobody has responded to this question. Guys, can anybody help? Or do you think it is a bug? If so, should I report it to samba.org or somewhere else?

    Mirek

    On 21.12.2018 at 21:15, Miroslav Geisselreiter wrote:

  • Thank you Gordon for this tip but it does not solve my problem.

    From smb.conf:
    workgroup = NT4DOMAIN
    netbios name = NT4MEMBER

    I am able to connect to smb share from linux client:
    smbclient //NT4MEMBER/share1 -U NT4MEMBER\\user1
    but from windows machine it is not possible.

    The correct command from a linux client should be smbclient //NT4MEMBER/share1 -U NT4DOMAIN\\user1
    (the user is from NT4DOMAIN, not from NT4MEMBER)

    This command is not working after the upgrade. The logs say something about "crap domain":
    [26721]: pam auth crap domain: [NT4DOMAIN] user: user1
    [26699]: pam auth crap domain: NT4DOMAIN user: user1
    set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize NTLM CRAP authentication for user [NT4DOMAIN]\[user1] returned NT_STATUS_NO_MEMORY

    From Windows clients there is no way how to connect.

    It looks like winbindd should use NT4DOMAIN but is using NT4MEMBER.

    Mirek

    On 30.12.2018 at 20:57, Gordon Messmer wrote:

  • # wbinfo --ping-dc
    checking the NETLOGON for domain[NT4DOMAIN] dc connection to "nt4member.intranet.xx" succeeded

    Here is debug log from winbind:
    [15833]: request interface version (version = 30)
    [15833]: request location of privileged pipe
    [15833]: request interface version (version = 30)
    [15833]: request misc info
    [15833]: request netbios name
    [15833]: request domain name
    [15833]: domain_info [NT4DOMAIN]
    set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize ldb_wrap open of secrets.ldb rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
    set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize

    On 31.12.2018 at 19:41, Gordon Messmer wrote:

  • Well, the host where you ran that command thinks that “nt4member” is the DC.  Do you see anything in your configuration file that might indicate why?  You haven’t given us enough information to be much more use.

  • Thank you. Exactly, and that is my problem.
    # grep -i nt4member /etc/samba/smb.conf
    netbios name = nt4member

    some parameters from smb.conf:
    [global]
        client ipc signing = default
        idmap config * : backend = tdb
        idmap config * : range = 100000-150000
        idmap config NT4DOMAIN : backend = tdb
        idmap config NT4DOMAIN : range = 500-99999
        winbind enum groups = yes
        winbind enum users = yes
        winbind expand groups = 0
        winbind max domain connections = 5
        winbind nested groups = yes
        winbind rpc only = no
        winbind scan trusted domains = no
        winbind sealed pipes = yes
        winbind use default domain = no
        workgroup = NT4DOMAIN
        netbios name = nt4member
        security = domain
        allow trusted domains = yes
        passdb backend = ldapsam:"ldap://ldap1server.intranet.xx ldap://ldap2server.intranet.xx"
        ldap ssl = start tls
        realm = INTRANET.XX
        ldap suffix = dc=intranet,dc=xx
        ldap admin dn = uid=ldapadmin,dc=intranet,dc=xx
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap
        ldapsam:trusted = yes
        ldap delete dn = no
        ldap deref = auto
        ldap follow referral = auto
        socket options = TCP_NODELAY
        domain master = no
        domain logons = no
        local master = no
        os level = 121
        preferred master = no
        wins server = X.X.X.X

    Tell me what more do you need.

  • I’m not sure it makes sense to use “security = domain” with an ldap passdb backend.  If you’re using a real NT4 domain, then you shouldn’t need a passdb backend at all.  If you’re not in an NT4 domain, then you should set “security = USER”.

    The man page for smb.conf notes “This mode will only work correctly if net(8) has been used to add this machine into a Windows NT Domain.”  Did you add this host to a Windows NT domain, using “net join …”?

  • On 2.1.2019 at 21:54, Gordon Messmer wrote:
    net rpc join MEMBER -S NT4LIKEDOMAINSERVER -U root

    I tried to change “security = USER” but it did not help.

    I have to say that before upgrading samba from 4.7.1-9 to 4.8.3-4 I did not use or run the winbind daemon. But now it is necessary to run winbind according to the samba documentation:
    https://www.samba.org/samba/history/samba-4.8.0.html

    Domain member setups require winbindd
    ————————————-
    Setups with “security = domain” or “security = ads” require a running ‘winbindd’ now. The fallback that smbd directly contacts domain controllers is gone.

    Without winbind running, samba 4.8 does not allow mounting smb shares, so I have to run winbind.

  • I don’t have any NT4-style domains handy to test with, so I can’t be very specific.  Your logs seem to indicate that Samba believes itself to be the best DC for the domain.  See what you get from:

    net rpc info
    net rpc testjoin

    If nothing seems relevant, try leaving the domain and re-joining.

  • On 4.1.2019 at 1:32, Gordon Messmer wrote:
    I had to change in smb.conf: client ipc signing = no

    Then:
    # net rpc info
    Enter root's password:
    Domain Name: NT4DOMAIN
    Domain SID: S-1-5-21-somesid
    Sequence number: somenumber
    Num users: xxx
    Num domain groups: xxx
    Num local groups: xxx

    # net rpc testjoin
    Join to 'NT4DOMAIN' is OK

    Previously I deleted all files from /var/lib/samba, then set the ldap admin password:
    smbpasswd -W
    Then I re-joined the DC; it did not help.

    FYI: I have NT4-style domain configured on CentOS 6 linux server and here is part of smb.conf of this DC – NT4LIKEDOMAINSERVER:
    [global]
        time server = yes
        workgroup = NT4DOMAIN
        server string = Samba Server Version %v
        netbios name = NT4LIKEDOMAINSERVER
        passdb backend = ldapsam:"ldap://ldap1server.intranet.xx ldap://ldap2server.intranet.xx"
        ldap ssl = start tls
        realm = INTRANET.XX
        kerberos method = system keytab
        ldap suffix = dc=intranet,dc=xx
        ldap admin dn = uid=ldapadmin,dc=intranet,dc=xx
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        domain master = yes
        domain logons = yes
        logon script = %U.bat
        logon path = ""
        wins support = yes
    [netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        guest ok = no
        writable = no
        browseable = no
        printable = no

    Installed samba on DC:
    # rpm -q samba
    samba-3.6.23-51.el6.x86_64
    and running smbd and nmbd

  • Shame.  I’m not really sure what else to try, beyond my previous suggestion that it doesn’t make sense to be both a domain member and use an ldap passdb backend.

    Try reverting the configuration file to the last known-good state. 
    Leave the domain.  Change “security = user”.  I’d expect that your system would work without any interactions with the DC.

  • On 5.1.2019 at 0:46, Gordon Messmer wrote:
    very “clean”.

    When I run winbind with these options, clients which are members of my NT4DOMAIN are now able to mount smb shares from the NT4MEMBER server:

    # winbindd -i -d 3 -S -n --option="netbios name"=NT4DOMAIN --option="ntlm auth"=yes

    The option "netbios name"=NT4DOMAIN overrides this option from smb.conf:
    "netbios name"=NT4MEMBER

    Nevertheless, I am not able to mount smb shares from clients which are not members of NT4DOMAIN.

  • On 7.1.2019 at 12:36, Miroslav Geisselreiter wrote:

    I had to change only two parameters in smb.conf:
    security = user
    ntlm auth = yes

    Everything works now like before the upgrade, and I do not even run the winbind daemon.

    Thanks to all for help and hints.
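The thread ends with two changed parameters, but it touched several settings along the way: the member-server [global] section posted earlier, the `client ipc signing = no` change made while running `net rpc info`, and the final `security = user` plus `ntlm auth = yes`. The script below is an added example, not part of the thread or of Samba: a minimal smb.conf parser and a linter that encodes the points raised above (the 4.8 release-note requirement of a running winbindd for `security = domain`/`ads`, and the `security = domain` plus ldapsam combination Gordon questioned) together with two caveats a practitioner would want before copying the final fix: `ntlm auth = yes` (alias `ntlmv1-permitted`) accepts NTLMv1 responses against the local passdb, whereas the default since Samba 4.5 is `ntlmv2-only`, and `client ipc signing = no` disables signing on the member's own IPC$ client connections, where the default is `required`. The two configs are reconstructed from the snippets in the thread (abridged); whether `client ipc signing = no` was still in place in the final config is not stated, so its presence in the second config is an assumption, as are the function names.

```python
"""Lint a Samba member-server smb.conf for the settings discussed in this thread.

Added example, not part of the thread or of Samba.  The two configs below are
reconstructed (abridged) from the snippets posted above; function names and the
presence of 'client ipc signing = no' in the final config are assumptions.
"""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_smb_conf(text):
    """Return {section: {key: value}}.

    Keys are lower-cased with internal whitespace collapsed (smb.conf treats
    'netbios  name' and 'netbios name' alike); comment lines ('#' or ';') and
    blank lines are skipped; values keep their quoting, so
    ldapsam:"ldap://a ldap://b" survives intact.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def lint_member_config(text, samba_version=(4, 8, 3)):
    """Return a list of (severity, message) findings for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    security = g.get("security", "user").lower()
    passdb = g.get("passdb backend", "tdbsam").lower()
    ntlm_auth = g.get("ntlm auth", "ntlmv2-only").lower()   # Samba default since 4.5
    ipc_signing = g.get("client ipc signing", "default").lower()  # 'default' means required

    if security in ("domain", "ads") and samba_version >= (4, 8):
        findings.append(("info",
            f"security = {security}: Samba {'.'.join(map(str, samba_version))} requires a "
            "running winbindd; smbd no longer contacts the DC itself (4.8.0 release notes)"))
    if security == "domain" and passdb.startswith("ldapsam"):
        findings.append(("warn",
            "security = domain together with a local ldapsam passdb backend "
            "(the combination questioned in the thread)"))
    if ntlm_auth in ("yes", "ntlmv1-permitted"):
        findings.append(("warn",
            "ntlm auth = yes permits NTLMv1 responses against the local passdb; "
            "the default is ntlmv2-only"))
    if ipc_signing in ("no", "off", "false", "disabled"):
        findings.append(("warn",
            "client ipc signing = no disables SMB signing on this host's own IPC$ "
            "client connections; the default is required"))
    return findings


# Reconstructed (abridged) from the member server's posted [global] section.
MEMBER_CONF_BEFORE = """\
[global]
    client ipc signing = default
    workgroup = NT4DOMAIN
    netbios name = nt4member
    security = domain
    passdb backend = ldapsam:"ldap://ldap1server.intranet.xx ldap://ldap2server.intranet.xx"
    ldap ssl = start tls
    ldap suffix = dc=intranet,dc=xx
    winbind use default domain = no
"""

# The final two-parameter change from the end of the thread, plus the signing
# change made earlier (assumed still present; the thread does not say).
MEMBER_CONF_AFTER = """\
[global]
    client ipc signing = no
    workgroup = NT4DOMAIN
    netbios name = nt4member
    security = user
    ntlm auth = yes
    passdb backend = ldapsam:"ldap://ldap1server.intranet.xx ldap://ldap2server.intranet.xx"
    ldap ssl = start tls
    ldap suffix = dc=intranet,dc=xx
"""

if __name__ == "__main__":
    for label, conf in (("before", MEMBER_CONF_BEFORE), ("after", MEMBER_CONF_AFTER)):
        print(f"== {label} ==")
        for severity, message in lint_member_config(conf):
            print(f"[{severity}] {message}")
```

On a live system feed it the output of `testparm -s` rather than the raw file, so that includes and default-suppressed values are already resolved; the parser here deliberately handles only the plain `key = value` subset the thread shows.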