View Issue Details

IDProjectCategoryView StatusLast Update
0015046CentOS-7sambapublic2018-09-06 15:45
ReporterCharlweed 
PrioritynormalSeveritymajorReproducibilityalways
Status newResolutionopen 
Product Version7.5.1804 
Target VersionFixed in Version 
Summary0015046: Samba-4.7.1-6 smbd can't authenticate against Active Directory
DescriptionThe smbd server in samba-4.7.1-6.el7.x86_64, won't authenticate with active directory as a member server. The logged smbd errors contain "kerberos_kinit_password failed: Preauthentication failed".
The previous smb worked correctly, with the same configuration. I built Samba 4.8.3 from source, and kept the same configuration, and that version works as well. This is only a problem in smbd, as sssd works regardless.
I do not know what the real problem is, but the broken smbd ends up using a different keytab entry for the cifs service then Active Directory wants. I could not find a workaroud, other than installing a more recent version built from source.
Steps To ReproduceConfigure an Active Directory member server with /etc/samba/smb.conf:
[global]
       workgroup = ADOMAIN
       realm = ADOMAIN.ORG
        server string = Excalibur %v
        netbios name = EXCALIBUR
        interfaces = lo enp4s0 192.168.0.0/24
        log file = /var/log/samba/samba_%m.log
        max log size = 50
        log level = 2 auth:2
        security = ads
        encrypt passwords = yes
        passdb backend = tdbsam
        logon path = /home/%D/%U/profile
        logon home = /home/%D/%U
        template shell = /bin/bash
        kerberos method = secrets and keytab
        machine password timeout = 604800
        local master = no
        preferred master = no
        unix extensions = no
        allow insecure wide links = yes
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        read only = No
        inherit acls = Yes
        browseable = yes
        writable = yes
        follow symlinks = yes
Additional InformationMy AD server is WIndows 2008R2
I tried joining and quitting with adcli, realm and net. None provided a workaround. I deleted all the data in the sssd cache, and the keytab, that ever helped either, because the verbose logs showed that AD was using kvno 4 for the cifs service, while smbd was using kvno 2. Creating a knvo 4 for cifs changes the error from "not found" to "unable to decrypt"

Now that I'm using Samba 4.8.3, I do not have logs that show the problem.
Tagssmb AD Active_Directory
abrt_hash
URL

Activities

Charlweed

Charlweed

2018-07-25 20:33

reporter   ~0032357

This issue may be invalid. It may be a problem where 4.7.1 is not backwards compatible with my configuration.
A complete fresh install of 4.8.3 works, but I can reproduce failure on 4.8.3 if I re-use the old 4.7.1 data in /var/lib/samba, and omit the required "idmap config" statements from /etc/samba/smb.conf
dapilori

dapilori

2018-09-06 15:45

reporter   ~0032666

Did you try removing the file /var/tmp/host_0 and restarting samba?

Issue History

Date Modified Username Field Change
2018-07-13 22:51 Charlweed New Issue
2018-07-13 22:51 Charlweed Tag Attached: smb AD Active_Directory
2018-07-25 20:33 Charlweed Note Added: 0032357
2018-09-06 15:45 dapilori Note Added: 0032666