[Bug 1092099] New: Samba AD DC authentication failure
http://bugzilla.opensuse.org/show_bug.cgi?id=1092099

Bug ID: 1092099
Summary: Samba AD DC authentication failure
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.0
Hardware: x86-64
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Samba
Assignee: samba-maintainers@SuSE.de
Reporter: helios_reds@gmx.net
QA Contact: samba-maintainers@SuSE.de
Found By: ---
Blocker: ---

Created attachment 769176
--> http://bugzilla.opensuse.org/attachment.cgi?id=769176&action=edit
Auto generated /etc/samba/smb.conf

After setting up Samba AD DC, authentication fails.

# smbclient //localhost/netlogon -U Administrator -c 'ls'
Enter TAD24\Administrator's password:
session setup failed: NT_STATUS_LOGON_FAILURE

/var/log/samba/log.smbd:
[2018/05/07 17:08:28.325346, 0] ../source3/auth/auth.c:429(load_auth_module)
  load_auth_module: can't find auth method samba4!

Steps to reproduce:
1. Install openSUSE Leap 15.0 Beta as server.
2. Configure network settings.
3. Replace all Samba related packages with ones from the network:/samba:/STABLE/openSUSE_Leap_15.0 repo and install the yast2-samba-provision package.
4. Configure the domain with YaST "Provision an Active Directory Domain Controller".
5. Start samba-ad-dc.service.

-- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1092099#c1
--- Comment #1 from Satoru Matsumoto
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
[global]
	workgroup = TAD24
	passdb backend = samba_dsdb
	printing = cups
	printcap name = cups
	printcap cache time = 750
	cups options = raw
	map to guest = Never
	include = /etc/samba/dhcp.conf
	logon path = \\%L\profiles\.msprofile
	logon home = \\%L\%U\.9xprofile
	logon drive = P:
	usershare allow guests = Yes
	dns forwarder = 8.8.8.8
	netbios name = TADDC24
	realm = TAD24.MYCOMPANY.CO.JP
	security = AUTO
	server role = domain controller
	log level = 3

[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = No
	read only = No
	inherit acls = Yes

[profiles]
	comment = Network Profiles Service
	path = %H
	read only = No
	store dos attributes = Yes
	create mask = 0600
	directory mask = 0700

[users]
	comment = All users
	path = /home
	read only = No
	inherit acls = Yes
	veto files = /aquota.user/groups/shares/

[groups]
	comment = All groups
	path = /home/groups
	read only = No
	inherit acls = Yes

[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	browseable = No

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @ntadmin root
	force group = ntadmin
	create mask = 0664
	directory mask = 0775

[netlogon]
	path = /var/locks/sysvol/tad24.mycompany.co.jp/scripts
	read only = No

[sysvol]
	path = /var/locks/sysvol
	read only = No
http://bugzilla.opensuse.org/show_bug.cgi?id=1092099#c2
--- Comment #2 from Satoru Matsumoto
http://bugzilla.opensuse.org/show_bug.cgi?id=1092099#c3
--- Comment #3 from Samuel Cabrero
http://bugzilla.opensuse.org/show_bug.cgi?id=1092099#c4
--- Comment #4 from Satoru Matsumoto
http://bugzilla.opensuse.org/show_bug.cgi?id=1092099#c5
--- Comment #5 from Satoru Matsumoto
http://bugzilla.opensuse.org/show_bug.cgi?id=1092099#c6
--- Comment #6 from Satoru Matsumoto
http://bugzilla.opensuse.org/show_bug.cgi?id=1092099#c8
--- Comment #8 from Satoru Matsumoto
> looks like we need to update the shipped apparmor profiles. These are the missing entries:
>
> /etc/apparmor.d/usr.sbin.smbd:
>     ...
>     /usr/lib*/samba/auth/*.so mr,
>     /usr/lib*/samba/gensec/*.so mr,
>     ...
>
> /etc/apparmor.d/usr.sbin.winbindd:
>     ...
>     /run/user/*/krb5cc/* rwk,
>     ...
>
> Then reload apparmor with 'rcapparmor reload' and restart samba with 'rcsamba-ad-dc restart' to refresh the shares profile "/etc/apparmor.d/local/usr.sbin.smbd-shares".
This had no effect on this case. And /etc/apparmor.d/local/usr.sbin.smbd-shares isn't refreshed (still empty). Even if I stop apparmor with "rcapparmor stop", the problem cannot be solved.
> About the kinit error "Cannot contact any KDC for realm 'TAD24.MYCOMPANY.CO.JP' while getting initial credentials", check that your primary resolver is 127.0.0.1 in /etc/resolv.conf.
There's a little bit of progress on this. The resolver has been correct. I added the entry below to /etc/krb5.conf:

...
[realms]
	TAD24.MYCOMPANY.CO.JP = {
		kdc = taddc24.tad24.mycompany.co.jp
		admin_server = taddc24.tad24.mycompany.co.jp
	}
...

After that, the result of kinit and klist has changed.

# kinit Administrator@TAD24.MYCOMPANY.CO.JP
kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache
# klist
klist: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache
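The two kinit failures in this comment (first "Cannot contact any KDC", then "Credential cache directory ... does not exist") are both configuration-shaped problems that can be checked offline before touching the DC. The following checker is an added example written for this thread; it is not code from the bug report, from Samba or from the openSUSE packages. It parses resolv.conf and a krb5.conf with the [realms] block shown above, verifies that the primary resolver is 127.0.0.1 (Samuel's advice), that the realm either names a kdc or leaves DNS SRV lookup enabled, and that a DIR: credential cache directory exists for the given uid. The file contents and the set of existing directories are constructed sample data; a real run would read the files and use os.path.isdir.

```python
import re

REALM = 'TAD24.MYCOMPANY.CO.JP'

# Constructed sample inputs for this example (not the reporter's real files).
SAMPLE_RESOLV = """# constructed sample resolv.conf
nameserver 127.0.0.1
search tad24.mycompany.co.jp
"""

SAMPLE_KRB5_BEFORE = """[libdefaults]
	default_realm = TAD24.MYCOMPANY.CO.JP
	dns_lookup_kdc = false
	default_ccache_name = DIR:/run/user/%{uid}/krb5cc
"""

SAMPLE_KRB5_AFTER = SAMPLE_KRB5_BEFORE + """[realms]
	TAD24.MYCOMPANY.CO.JP = {
		kdc = taddc24.tad24.mycompany.co.jp
		admin_server = taddc24.tad24.mycompany.co.jp
	}
"""


def parse_resolv_conf(text):
    """Return nameserver addresses in order of appearance (first = primary)."""
    servers = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == 'nameserver':
            servers.append(parts[1])
    return servers


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: flat 'key = value' lines inside a [section],
    plus the 'NAME = { ... }' brace blocks used under [realms]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
        elif section is None:
            continue
        elif line.endswith('{'):
            block = line[:-1].split('=')[0].strip()
            conf[section][block] = {}
        elif line == '}':
            block = None
        elif '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            target = conf[section][block] if block is not None else conf[section]
            target[key] = value
    return conf


def check_kdc_setup(resolv_text, krb5_text, realm, uid, existing_dirs):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    servers = parse_resolv_conf(resolv_text)
    primary = servers[0] if servers else None
    if primary != '127.0.0.1':
        # On the DC itself Samba serves DNS, so it must be the primary resolver.
        findings.append('primary resolver is %s, expected 127.0.0.1 on the DC itself' % primary)
    conf = parse_krb5_conf(krb5_text)
    lib = conf.get('libdefaults', {})
    has_kdc = 'kdc' in conf.get('realms', {}).get(realm, {})
    dns_lookup = lib.get('dns_lookup_kdc', 'true').lower() in ('true', 'yes', '1')
    if not has_kdc and not dns_lookup:
        findings.append('no kdc for realm %s and dns_lookup_kdc is off' % realm)
    ccache = lib.get('default_ccache_name', '')
    if ccache.startswith('DIR:'):
        # DIR: caches need the directory to exist; it is per uid on this setup.
        directory = ccache[len('DIR:'):].replace('%{uid}', str(uid))
        if directory not in existing_dirs:
            findings.append('ccache directory %s missing for uid %d' % (directory, uid))
    return findings


if __name__ == '__main__':
    for name, krb5, dirs in (('before', SAMPLE_KRB5_BEFORE, {'/run/user/0/krb5cc'}),
                             ('after', SAMPLE_KRB5_AFTER, set())):
        print(name, check_kdc_setup(SAMPLE_RESOLV, krb5, REALM, 0, dirs))
```

With the "before" config the checker reports the missing KDC; with the [realms] block added but no cache directory it reports exactly the condition kinit and klist complain about here.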
http://bugzilla.opensuse.org/show_bug.cgi?id=1092099#c9
--- Comment #9 from Christian Boltz
http://bugzilla.opensuse.org/show_bug.cgi?id=1092099#c13
--- Comment #13 from Satoru Matsumoto
> please check again disabling/enabling apparmor through the YaST interface. While I was testing I saw that restarting from the command line did not seem to reload the profiles after changing them.
No effect. And "load_auth_module: can't find auth method samba4!" was recorded in /var/log/samba/log.smbd again. After that, I updated the system by "zypper ref && zypper up" (this included the apparmor-profiles package as well), "zypper dup" and then rebooted the system. But the problem cannot be solved. Is this really an AppArmor issue?
> About the kinit error message, could you attach the output of kinit -V? Are you running it with sudo or after su - another user?

* As a normal user (mycompanyadmin):

  $ kinit -V
  Using default cache: :/run/user/1000/krb5cc/tkt
  Using principal: mycompanyadmin@TAD24.MYCOMPANY.CO.JP
  kinit: Client 'mycompanyadmin@TAD24.MYCOMPANY.CO.JP' not found in Kerberos database while getting initial credentials

* sudo:

  $ sudo kinit -V
  kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache

* after "su -":

  # kinit -V
  kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccach
http://bugzilla.opensuse.org/show_bug.cgi?id=1092099#c14
--- Comment #14 from Christian Boltz
> please check again disabling/enabling apparmor through the YaST interface.

This sounds like the equivalent of stopping and then starting AppArmor, which is a bad idea - stopping it will remove AppArmor confinement from running processes, and starting will _not_ (re)apply the confinement to running processes (unless you restart them).

> While I was testing I saw that restarting from command line did not seem to reload the profiles after changing them.

If this is really true, I'd be very interested to see the output of apparmor_parser -r /etc/apparmor.d and what gets logged in /var/log/audit/audit.log when doing that.

If you suspect that AppArmor denies something, also check audit.log for lines containing DENIED (or ALLOWED if a profile is in complain mode).
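Christian's last suggestion, grepping audit.log for DENIED (or ALLOWED in complain mode), is the step that separates an AppArmor problem from a Samba one. The script below is an added example for this thread, not code from the bug, from AppArmor's own tools or from the openSUSE packages: it parses the key="value" fields of AppArmor AVC records, keeps only events in the requested mode, and aggregates the denied paths per profile into candidate file rules in the same form as the entries Samuel listed (the smbd .so rules and the winbindd krb5cc rule). The audit lines are constructed sample data modelled on the symptoms in this bug, and the path-to-rule mapping is a deliberately simple version of what aa-logprof does: exec denials are skipped because they need a deliberate ix/px/Px decision rather than an automatic rule.

```python
import re

# Constructed sample /var/log/audit/audit.log excerpt (not the reporter's log).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1525680508.325:101): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/usr/lib64/samba/auth/samba4.so" pid=2041 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1525680508.326:102): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/smbd" name="/usr/lib64/samba/auth/samba4.so" pid=2041 comm="smbd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
type=AVC msg=audit(1525680508.327:103): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/usr/lib64/samba/gensec/krb5.so" pid=2041 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1525680509.100:104): apparmor="DENIED" operation="open" profile="/usr/sbin/winbindd" name="/run/user/0/krb5cc/tkt" pid=2050 comm="winbindd" requested_mask="rwk" denied_mask="rwk" fsuid=0 ouid=0
type=AVC msg=audit(1525680509.101:105): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/etc/samba/smb.conf" pid=2041 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1525680509.102:106): arch=c000003e syscall=2 success=no exit=-13
"""

# key="quoted value" or key=bareword, as written by the audit subsystem
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Order in which permission letters are emitted in a suggested rule
MASK_ORDER = 'mrwalk'


def parse_audit_line(line):
    """Return the fields of an AppArmor AVC record as a dict, or None if the
    line is some other audit record type."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def find_events(log_text, mode='DENIED'):
    """All AppArmor events whose apparmor= field equals mode (DENIED, or
    ALLOWED for profiles in complain mode)."""
    events = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields and fields.get('apparmor') == mode:
            events.append(fields)
    return events


def mask_to_perms(mask):
    """Map an audit denied_mask to file-rule permission letters. Create and
    delete ('c', 'd') both require write access; unknown letters are dropped."""
    perms = set()
    for ch in mask:
        if ch in 'cd':
            perms.add('w')
        elif ch in MASK_ORDER:
            perms.add(ch)
    return ''.join(ch for ch in MASK_ORDER if ch in perms)


def suggest_rules(events):
    """Aggregate denials into {profile: [rule, ...]}, one rule per path with
    the permissions of all its denials merged. Exec denials are skipped."""
    per_profile = {}
    for e in events:
        if 'name' not in e or e.get('operation', '').startswith('exec'):
            continue
        paths = per_profile.setdefault(e['profile'], {})
        paths[e['name']] = paths.get(e['name'], '') + e.get('denied_mask', '')
    return {profile: ['%s %s,' % (path, mask_to_perms(mask))
                      for path, mask in sorted(paths.items())]
            for profile, paths in per_profile.items()}


if __name__ == '__main__':
    for profile, rules in sorted(suggest_rules(find_events(SAMPLE_AUDIT)).items()):
        print(profile)
        for rule in rules:
            print('    ' + rule)
```

On the sample data the smbd denials collapse to 'mr' rules for the two modules and the winbindd denial to an 'rwk' rule for the ticket file, which is the per-path form of the wildcard entries Samuel proposed. If a real log shows no DENIED (and no ALLOWED) lines for smbd while the "can't find auth method samba4!" message keeps appearing, the cause is not confinement, which is what Satoru's later comment concluded.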
http://bugzilla.opensuse.org/show_bug.cgi?id=1092099#c15
--- Comment #15 from Satoru Matsumoto
http://bugzilla.opensuse.org/show_bug.cgi?id=1092099#c18
--- Comment #18 from Satoru Matsumoto
> Hi Satoru,
>
> is everything all right? Can we close this?

Still I get the "NT_STATUS_ACCESS_DENIED listing \*" error. But if I provision an AD DC with samba-tool manually, the problem is solved. So I think the authentication problem itself, caused by the apparmor settings, seems to be solved, but the YaST AD DC provisioning tool doesn't work properly.