
I have a Samba 4.6.2 Active Directory member server. Every month or so, all clients lose the ability to connect to all the shares. I can work around the issue by leaving the domain, deleting the machine account, and re-joining the domain, but it is obviously wrong that I have to do this every few weeks. I thought that it was a machine account password expiration issue, but running adcli update does not help. I tried changing the Group Policy for machine password expiration, but that did not help either.

  • Centos 7.4.1708
  • Samba 4.6.2
  • sssd-krb5-1.15.2
  • SSSD 1.15.2-50
  • realmd-0.16.1-9

The error message on the client side is

"\\cheetoes is not accessible. You might not have permissions to use this network resource. Contact the administrator of this server to find out if you have access permissions.
Login Failure: The target account name is incorrect"

On the server side, at startup, log.smbd contains:

[2018/05/09 12:03:41.622878,  0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
  kerberos_kinit_password CHEETOES$@HYMESRUZICKA.ORG failed: Preauthentication failed
[2018/05/09 12:03:41.622923,  1] ../source3/libads/sasl.c:821(ads_sasl_spnego_bind)
  ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/true-companion.hymesruzicka.org with user[CHEETOES$] realm=[HYMESRUZICKA.ORG]: Preauthentication failed

And the per-client log shows:

[2018/05/09 12:06:58.259646,  1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Request ticket server cifs/CHEETOES.hymesruzicka.org@HYMESRUZICKA.ORG not found in keytab (ticket kvno 3)]
[2018/05/09 12:06:59.099902,  1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Request ticket server cifs/CHEETOES.hymesruzicka.org@HYMESRUZICKA.ORG not found in keytab (ticket kvno 3)]

Immediately after I rejoin, I do not get the client failures, nor the "Preauthentication failed" error in the log.smbd. I'm particularly puzzled why rejoining works, but only for a while.

Charlweed
  • I assumed this is really that the keytab entries in krb5.keytab are lost / bad / invalidated / expired, but that did not help me find a way to fix the problem. – Charlweed May 24 '18 at 03:47
  • Searching long on an unrelated issue, I discovered that adcli is segfaulting several times every day. adcli is supposed to be the thing which updates the machine password. I don't know if this is the root cause, or how I should get a patched version: https://bugs.freedesktop.org/show_bug.cgi?id=100466 – Charlweed May 31 '18 at 21:05
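The "not found in keytab (ticket kvno 3)" lines above point at a key-version mismatch: the KDC issued a service ticket encrypted with key version 3, while the keytab on the member server only holds an older version. The script below is an added example (not the asker's code) that parses constructed `klist -k` output and log lines of the same shape as those in the question, and reports whether the ticket kvno is newer than any key in the keytab (machine password rotated in AD, keytab not refreshed) or older (client holding a stale ticket). The keytab contents, including kvno 2, are assumed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -k` output; kvno 2 for every entry is an assumption.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 CHEETOES$@HYMESRUZICKA.ORG
   2 host/cheetoes.hymesruzicka.org@HYMESRUZICKA.ORG
   2 cifs/CHEETOES.hymesruzicka.org@HYMESRUZICKA.ORG
"""

# Constructed per-client smbd log, same shape as the lines in the question.
SAMPLE_LOG = """[2018/05/09 12:06:58.259646,  1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Request ticket server cifs/CHEETOES.hymesruzicka.org@HYMESRUZICKA.ORG not found in keytab (ticket kvno 3)]
[2018/05/09 12:06:59.099902,  1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Request ticket server cifs/CHEETOES.hymesruzicka.org@HYMESRUZICKA.ORG not found in keytab (ticket kvno 3)]
"""

KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")
LOG_RE = re.compile(r"Request ticket server (\S+) not found in keytab \(ticket kvno (\d+)\)")

def parse_keytab(klist_output):
    """Map each principal in `klist -k` output to the set of KVNOs the keytab holds."""
    kvnos = defaultdict(set)
    for line in klist_output.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)

def find_kvno_mismatches(log_text, keytab):
    """One (principal, ticket_kvno, keytab_kvnos) per distinct failing principal/kvno pair."""
    seen = set()
    for m in LOG_RE.finditer(log_text):
        principal, ticket_kvno = m.group(1), int(m.group(2))
        seen.add((principal, ticket_kvno, tuple(sorted(keytab.get(principal, ())))))
    return sorted(seen)

def diagnose(principal, ticket_kvno, keytab_kvnos):
    # kvno increments on every password change, so a ticket kvno above the keytab's
    # highest key means AD has a newer machine password than the server's keytab.
    if not keytab_kvnos:
        return f"{principal}: no key at all in keytab; SPN or keytab entry missing"
    if ticket_kvno > max(keytab_kvnos):
        return f"{principal}: ticket kvno {ticket_kvno} is newer than keytab kvno {max(keytab_kvnos)}; AD password changed, keytab not refreshed"
    return f"{principal}: ticket kvno {ticket_kvno} is older than the keytab; client holds a stale ticket"

if __name__ == "__main__":
    for finding in find_kvno_mismatches(SAMPLE_LOG, parse_keytab(SAMPLE_KLIST)):
        print(diagnose(*finding))
```

On a real server, feed it the output of `klist -k` and the per-client log instead of the constructed samples.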

1 Answer


CentOS 7 builds of Samba are very broken in an Active Directory context. The CentOS build of Samba 4.8.3 results in adcli dumping core when the 'update' subcommand is attempted. adcli also fails to join or leave the domain correctly, and wrecks /etc/samba/smb.conf, as well as the sssd and pam configs.

And it's not just adcli. realmd, winbind, and smbd itself do not work correctly with Windows Active Directory servers, leaving some clients (such as iOS devices) unable to connect. The only workaround I found is to build a "stock" samba stack, and adcli+realmd from the latest release sources, and use that over the CentOS samba stack. You must also disable updates for all samba components in /etc/yum.conf, otherwise your local samba installation will be broken by the CentOS one. Your yum.conf file needs at least:

exclude=adcli-* libsmbclient-* libwbclient* python-smbc-* realmd-* samba-* samba-client-* samba-client-libs-* samba-common-* samba-common-libs-* samba-common-tools-* samba-libs-* samba-python-* samba-winbind-* samba-winbind-clients-* samba-winbind-modules-*

Note that it's not practical to uninstall CentOS's samba, because many other packages depend upon it.

Charlweed