The current (stripped down) smb.conf file is as follows:
```
[global]
workgroup = AD
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = AD.UNC.EDU
security = ADS
guest account = nobody
guest ok = yes
```
The krb5.conf file is below. This comes straight from the IT department help desk:
```
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ISIS.UNC.EDU
[realms]
ISIS.UNC.EDU = {
    kdc = krb3.unc.edu
    kdc = krb2.unc.edu
    kdc = krb1.unc.edu
    kdc = krb0.unc.edu
    admin_server = krba.unc.edu
    default_domain = isis.unc.edu
}
[domain_realm]
.unc.edu = ISIS.UNC.EDU
```
log.nmbd:
```
[2019/06/14 15:23:06.568978, 0] ../lib/util/become_daemon.c:138(daemon_ready)
daemon_ready: STATUS=daemon 'nmbd' finished starting up and ready to serve connections
```
```
[2019/06/14 15:23:06.544487, 0] ../source3/auth/auth_util.c:1372(make_new_session_info_guest)
create_local_token failed: NT_STATUS_NO_MEMORY
[2019/06/14 15:23:06.544627, 0] ../source3/smbd/server.c:1993(main)
ERROR: failed to setup guest info.
```
log.winbindd:
```
[2019/06/14 15:23:06.633919, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/06/14 15:23:06.636829, 0] ../source3/winbindd/winbindd_util.c:1264(init_domain_list)
Could not fetch our SID - did we join?
[2019/06/14 15:23:06.636897, 0] ../source3/winbindd/winbindd.c:1360(winbindd_register_handlers)
unable to initialize domain list
```
```
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: myuser.adm@AD.UNC.EDU

Valid starting       Expires              Service principal
06/14/2019 14:43:20  06/15/2019 00:43:20  krbtgt/AD.UNC.EDU@AD.UNC.EDU
        renew until 06/15/2019 14:43:11
```
The use flag list for Samba is as follows:
```
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for net-fs/samba-4.8.6-r2:
 U I
 - - abi_x86_32               : 32-bit (x86) libraries
 + + acl                      : Add support for Access Control Lists
 - - addc                     : Enable Active Directory Domain Controller support
 - - addns                    : Enable AD DNS integration
 + + ads                      : Enable Active Directory support
 - - ceph                     : Enable support for Ceph distributed filesystem via sys-cluster/ceph
 + + client                   : Enables the client part
 - - cluster                  : Enable support for clustering
 + + cups                     : Add support for CUPS (Common Unix Printing System)
 - - debug                    : Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see
                                https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
 - - fam                      : Enable FAM (File Alteration Monitor) support
 + + gnutls                   : Prefer net-libs/gnutls as SSL/TLS provider (ineffective with USE=-ssl)
 - - gpg                      : Use app-crypt/gpgme for AD DC
 - - iprint                   : Enabling iPrint technology by Novell
 + + ldap                     : Add LDAP support (Lightweight Directory Access Protocol)
 + + pam                      : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
 - - python                   : Add optional support/bindings for the Python language
 + + python_targets_python2_7 : Build with Python 2.7
 - - quota                    : Enables support for user quotas
 + + syslog                   : Enable support for syslog
 + + system-mitkrb5           : Use app-crypt/mit-krb5 instead of app-crypt/heimdal.
 - - systemd                  : Enable use of systemd-specific libraries and features like socket activation or session tracking
 - - test                     : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
 + + winbind                  : Enables support for the winbind auth daemon
 - - zeroconf                 : Support for DNS Service Discovery (DNS-SD)
```
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.
If I try the section at the bottom, it will crash because of the security = ADS.
I found this mail archive from Debian, https://bugs.debian.org/cgi-bin/bugrepo ... bug=899269, where someone seemed to be having a similar issue in that Winbind wouldn't start, and they said that it was a bug in Samba but it was introduced after 4.7 something and fixed in 4.9 something. Consequently, I reverted Samba to version 4.5.16 to no avail; the problem persists.
Samba's testparm doesn't issue any errors and when it runs (no ADS) I get the following:
```
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
```
If anyone can point me in the correct direction or help me out, I would greatly appreciate it.

