Original Message:
Sent: 3/20/2025 7:12:00 AM
From: Steven Hammett
Subject: RE: Samba 4.21.2-1 update broke samba authentication
I had similar issues... though I'm not sure they are exactly the same. Sharing my workaround in case it helps point others in the right direction.
For me, the id mapping wasn't working correctly as it now includes the DOMAIN\ string. So I just strip that off as follows-
Add usermap script to smb.conf -
username map script = /etc/samba/usermap
usermap script contains (need to change MYDOMAIN to whatever your domain is) –
#!/bin/ksh
# Samba passes the incoming account name as the first argument.
ACCOUNTNAME="$1"
DOMAINNAME="MYDOMAIN"
case "${ACCOUNTNAME}" in
    ${DOMAINNAME}\\root)
        # skip: never map DOMAIN\root onto the local root account
        ;;
    ${DOMAINNAME}\\*)
        # strip everything up to and including the first backslash;
        # printf (not echo) so names such as DOMAIN\tom are not mangled
        printf "%s\n" "${ACCOUNTNAME}" | sed -e 's/[^\\]*\\//'
        ;;
esac
exit 0
I found that code elsewhere but did need to swap out echo for printf, as I found it didn't work for many usernames since echo would convert special character strings, e.g. a username starting with a "t" would have \t for a tab.
One other thing I've noticed with samba 4.21 is I've had to turn off extended attribute (ea) support in my smb.conf file. It was working fine for creating new files but I was getting access denied when copying files.
ea support = no
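A generalised version of the same mapping, as an added example and not the poster's script: it strips the prefix with POSIX shell parameter expansion instead of sed, so neither sed nor echo's escape handling can touch the name, and it carries a self-check over the kinds of names echo would have mangled. MYDOMAIN is a placeholder for the site's domain name.

```shell
#!/bin/sh
# Added example, not the poster's script: username map helper that strips a
# DOMAIN\ prefix with POSIX parameter expansion only (no sed, no echo).
# MYDOMAIN is a placeholder for the site's NetBIOS domain name.
DOMAINNAME="MYDOMAIN"

# map_username NAME: print the unqualified name for DOMAIN\user; print nothing
# for DOMAIN\root, foreign-domain names and names with no prefix, so Samba
# keeps the original name for those.
map_username() {
    name="$1"
    case "$name" in
        "${DOMAINNAME}"\\root)
            # Never map the domain's root onto the local root account.
            ;;
        "${DOMAINNAME}"\\*)
            # ${name#*\\} drops the shortest prefix ending in a backslash.
            rest=${name#*\\}
            printf '%s\n' "$rest"
            ;;
        *)
            ;;
    esac
    return 0
}

# Self-check over names whose leading letters form echo escape sequences
# (\t, \n, \r) plus the skip cases; returns 0 when every mapping is right.
check_map() {
    for user in tom nancy rita; do
        [ "$(map_username "${DOMAINNAME}\\${user}")" = "$user" ] || return 1
    done
    [ -z "$(map_username "${DOMAINNAME}\\root")" ] || return 1
    [ -z "$(map_username "OTHERDOM\\tom")" ] || return 1
    [ -z "$(map_username "tom")" ] || return 1
    return 0
}

# When invoked by smbd as the 'username map script', $1 is the account name.
if [ $# -eq 1 ]; then
    map_username "$1"
fi
```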
Original Message:
Sent: Wed March 05, 2025 04:15 PM
From: Mark Skinner
Subject: Samba 4.21.2-1 update broke samba authentication
I'd really like to hear about any progress on this as well - I'm keeping the production server on version 4.18.9 in the meantime.
I do have a test Samba server with an alternate boot image where literally the only difference in the environments is the version of Samba code, with one at V4.18.9 and one at V4.21.2. After verifying the "join" to Active Directory is in place, the V4.18.9 code works fine; I then boot to the V4.21.2 code level, verify the "join" is in place and then get login failures; boot back to the older code level and authentication works fine again.
Original Message:
Sent: 2/28/2025 11:49:00 AM
From: Jaqui Lynch
Subject: RE: Samba 4.21.2-1 update broke samba authentication
Anyone have any luck resolving this?
Thanks
Jaqui
------------------------------
Jaqui Lynch
Architect
Jaqui Lynch
Nashville
Original Message:
Sent: Thu February 06, 2025 09:52 AM
From: Jaqui Lynch
Subject: Samba 4.21.2-1 update broke samba authentication
Sorry I have two accounts - the one I am testing with is jlynch3
wbinfo -i 'JALCORP\jlynch3'
JALCORP\jlynch3:*:3000:3084::/home/JALCORP/jlynch3:/bin/false
As a note all accounts are failing the same way
On the previous version of samba with no changes to the config everything works fine.
Thanks
Jaqui
------------------------------
Jaqui Lynch
Architect
Jaqui Lynch
Nashville
Original Message:
Sent: Thu February 06, 2025 01:38 AM
From: Ayappan P
Subject: Samba 4.21.2-1 update broke samba authentication
The UID here shows as 3001 but in the logs, it was searching for 3000. Is this issue happening only for this particular user or for all users?
------------------------------
Ayappan P
Original Message:
Sent: Mon February 03, 2025 04:22 PM
From: Jaqui Lynch
Subject: Samba 4.21.2-1 update broke samba authentication
wbinfo -i 'JALCORP\jlynch'
JALCORP\jlynch:*:3001:3084::/home/JALCORP/jlynch:/bin/false
wbinfo -u
Provides a list of all the users in JALCORP
------------------------------
Jaqui Lynch
Architect
Jaqui Lynch
Nashville
Original Message:
Sent: Mon February 03, 2025 07:32 AM
From: Ayappan P
Subject: Samba 4.21.2-1 update broke samba authentication
Used the exact same config, but not able to reproduce the problem.
From the logs shared, looks like user account validation is failing. What's the o/p of wbinfo -u and wbinfo -i 'JALCORP\jlynch'?
------------------------------
Ayappan P
Original Message:
Sent: Tue January 28, 2025 09:23 AM
From: Jaqui Lynch
Subject: Samba 4.21.2-1 update broke samba authentication
Below are the software levels and the full smb.conf. I have tried it with and without Valid Users and the same failure with the AD accounts. This works fine on the earlier 4.18 samba. AD is working fine - I can login etc to AIX. It is only samba that is the issue.
# oslevel -s
7300-03-00-2446
Samba:
#rpm -qa | grep samba
samba-client-4.21.2-1.ppc
samba-devel-4.21.2-1.ppc
samba-libs-4.21.2-1.ppc
samba-winbind-4.21.2-1.ppc
samba-winbind-clients-4.21.2-1.ppc
samba-common-4.21.2-1.ppc
samba-4.21.2-1.ppc
samba-winbind-krb5-locator-4.21.2-1.ppc
#lslpp -l | grep krb
krb5.client.rte 1.16.1.6 COMMITTED Network Authentication Service
krb5.client.samples 1.16.1.6 COMMITTED Network Authentication Service
krb5.doc.en_US.html 1.16.1.6 COMMITTED Network Auth Service HTML
krb5.doc.en_US.pdf 1.16.1.6 COMMITTED Network Auth Service PDF
krb5.lic 1.16.1.6 COMMITTED Network Authentication Service
krb5.client.rte 1.16.1.6 COMMITTED Network Authentication Service
# lslpp -l | grep ldap
idsldap.clt32bit64.rte 6.4.0.28 COMMITTED Directory Server - 32 bit
idsldap.clt64bit64.rte 6.4.0.28 COMMITTED Directory Server - 64 bit
idsldap.cltbase64.adt 6.4.0.28 COMMITTED Directory Server - Base Client
idsldap.cltbase64.rte 6.4.0.28 COMMITTED Directory Server - Base Client
idsldap.cltjava64.rte 6.4.0.28 COMMITTED Directory Server - Java Client
idsldap.license64.rte 6.4.0.28 COMMITTED Directory Server - License
idsldap.msg64.en_US 6.4.0.28 COMMITTED Directory Server - Messages -
idsldap.clt32bit64.rte 6.4.0.28 COMMITTED Directory Server - 32 bit
idsldap.clt64bit64.rte 6.4.0.28 COMMITTED Directory Server - 64 bit
idsldap.cltbase64.rte 6.4.0.28 COMMITTED Directory Server - Base Client
/etc/samba/smb.conf
[global]
workgroup = JALCORP
netbios name = AIXT73
security = ADS
realm = jal.local
machine password timeout = 0
server string = Fileshare on (%h)
encrypt passwords = yes
#obey pam restrictions = yes
wins support = no
log level = 3
log file = /usr/local/logs/samba/%m.log
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN : unix_nss_info
idmap config DOMAIN : unix_nss_info = yes
idmap config DOMAIN:unix_primary_group = yes
idmap config JALCORP:backend = ad
idmap config JALCORP:schema_mode = rfc2307
idmap config JALCORP:range = 10000-999999
idmap config JALCORP:unix_nss_info = yes
max log size = 3000
socket options = TCP_NODELAY SO_RCVBUF=262140 SO_SNDBUF=262140 IPTOS_LOWDELAY
#read size = 262140
max xmit = 262140
dns proxy = No
read only = no
unix extensions = no
read raw = yes
write raw = yes
server signing = No
min receivefile size = 16384
use sendfile = Yes
aio read size = 16384
aio write size = 16384
####
[saswork]
path = /saswork
read only = No
create mask = 0770
directory mask = 0770
browsable = yes
Valid Users = jlynch3@JALCORP
------------------------------
Jaqui Lynch
Architect
Jaqui Lynch
Nashville
Original Message:
Sent: Mon January 27, 2025 11:20 PM
From: Ayappan P
Subject: Samba 4.21.2-1 update broke samba authentication
@Jaqui Lynch We are not able to reproduce this on our end. The config you shared, is that the entire smb.conf file ?
------------------------------
Ayappan P
Original Message:
Sent: Mon January 27, 2025 03:04 PM
From: Jaqui Lynch
Subject: Samba 4.21.2-1 update broke samba authentication
My config file was in the original post - has anyone had any luck resolving this?
Thanks
Jaqui
------------------------------
Jaqui Lynch
Architect
Jaqui Lynch
Nashville
Original Message:
Sent: Thu January 23, 2025 12:17 AM
From: Ayappan P
Subject: Samba 4.21.2-1 update broke samba authentication
Can you share your smb.conf file ?
------------------------------
Ayappan P
Original Message:
Sent: Wed January 22, 2025 08:02 PM
From: Mark Skinner
Subject: Samba 4.21.2-1 update broke samba authentication
I also am now experiencing the same Active Directory authentication failure on an AIX 7200-05-09-2446 server after updating the Samba code from V4.18.9 to 4.21.2, and with me as well Samba works again just fine after reverting back to V4.18.9 code. From the Samba logs:
WORKS - At 4.18.9:
[2025/01/22 18:46:51.665615, 2] ../../source3/smbd/smb2_service.c:814(make_connection_snum) 10.12.3.31 (ipv4:10.12.3.31:55274) signed connect to service folders initially as user skinner (uid=199936, gid=248) (pid 9830728)
[2025/01/22 18:48:43.473719, 2] ../../source3/smbd/smb2_service.c:814(make_connection_snum) 10.12.3.31 (ipv4:10.12.3.31:55287) signed connect to service folders initially as user skinner (uid=199936, gid=248) (pid 9961842)
[2025/01/22 18:51:11.474565, 2] ../../source3/smbd/smb2_service.c:814(make_connection_snum) 10.12.3.31 (ipv4:10.12.3.31:55301) signed connect to service folders initially as user skinner (uid=199936, gid=248) (pid 10748308)
FAILS - At 4.21.2:
Unable to map network drive - on PC claims "The specified network password is not correct."
[2025/01/22 19:01:24.806687, 0] ../../source3/auth/auth_util.c:1954(check_account) check_account: Failed to find local account with UID 2000 for SID S-1-5-21-861567501-1993962763-1202660629-437503 (dom_user[NYSENATE\skinner])
[2025/01/22 19:01:24.868623, 0] ../../source3/auth/auth_util.c:1954(check_account) check_account: Failed to find local account with UID 2000 for SID S-1-5-21-861567501-1993962763-1202660629-437503 (dom_user[NYSENATE\skinner]
Using a local Samba password for the userid connects the network drive just fine, but authentication with Active Directory breaks with the Samba code update. Any assistance getting AD authentication working again is greatly appreciated -
------------------------------
Mark Skinner
Original Message:
Sent: Mon January 20, 2025 11:23 AM
From: Jaqui Lynch
Subject: Samba 4.21.2-1 update broke samba authentication
Thanks. I had looked at that and commented out all my valid users statements but it made no difference. I think the issue is with the following error:
[2025/01/20 09:38:58.567640, 3, traceid=5] ../../source3/winbindd/idmap.c:397(idmap_init_domain)
idmap backend ad not found
[2025/01/20 09:38:58.570352, 3, traceid=5] ../../source3/winbindd/idmap.c:402(idmap_init_domain)
Could not probe idmap module ad
[2025/01/20 09:38:58.570374, 3, traceid=5] ../../source3/winbindd/idmap.c:270(idmap_found_domain_backend)
idmap_found_domain_backend: Could not init idmap domain jalcorp
Back to searching some more :)
------------------------------
Jaqui Lynch
Architect
Jaqui Lynch
Nashville
Original Message:
Sent: Mon January 20, 2025 08:40 AM
From: Ayappan P
Subject: Samba 4.21.2-1 update broke samba authentication
I don't know if this is related to this excerpt from the 4.21.0 release,
This is the first stable release of the Samba 4.21 release series. Please read the release notes carefully before upgrading.

Hardening of "valid users", "invalid users", "read list" and "write list"
=========================================================================

In previous versions of Samba, if a user or group name in either of the mentioned options could not be resolved to a valid SID, the user (or group) would be skipped without any notification. This could result in unexpected and insecure behaviour. Starting with this version of Samba, if any user or group name in any of the options cannot be resolved due to a communication error with a domain controller, Samba will log an error and the tree connect will fail. Non existing users (or groups) are ignored.
https://www.samba.org/samba/history/samba-4.21.0.html
------------------------------
Ayappan P
Original Message:
Sent: Fri January 17, 2025 11:01 AM
From: Jaqui Lynch
Subject: Samba 4.21.2-1 update broke samba authentication
I recently updated my LPARS to AIX 7.3.3 and did a dnf update. This updated samba from 4.18.9-1 to 4.21.2-1. After that my samba environment no longer authenticates - if I remove and reinstall at the earlier version of samba it works fine. On the updated LPAR wbinfo -u and wbinfo -g work and provide a full list of the AD users.
Users can login using SSH. The only thing not working is samba authentication.
net ads lookup jlynch3 - provides all the info needed
We had samba leave and rejoin the domain (net ads join) and rebooted - no change
id for my account looks right
server2: id jlynch3
uid=23134(jlynch3) gid=153(sasusr) groups=810(AIX_Admins)
Below is the config for samba plus some of the error messages. I am hoping someone has run into this before.
Thanks
Jaqui
[global]
workgroup = JALCORP
netbios name = SERVER2
#client ntlmv2 auth = yes
security = ADS
realm = jal.local
machine password timeout = 0
server string = Fileshare on (%h)
encrypt passwords = yes
#obey pam restrictions = yes
wins support = no
log level = 3
log file = /usr/local/logs/samba/%m.log
###
# added idmap stuff here
###
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN : unix_nss_info
idmap config DOMAIN : unix_nss_info = yes
idmap config DOMAIN:unix_primary_group = yes
idmap config JALCORP:backend = ad
idmap config JALCORP:schema_mode = rfc2307
idmap config JALCORP:range = 10000-999999
idmap config JALCORP:unix_nss_info = yes
idmap config JALCORP:default = true
OLD SAMBA VERSION THAT WORKS
rpm -qa | grep samba
samba-common-4.18.9-1.ppc
samba-libs-4.18.9-1.ppc
samba-winbind-4.18.9-1.ppc
samba-client-4.18.9-1.ppc
samba-devel-4.18.9-1.ppc
samba-winbind-clients-4.18.9-1.ppc
samba-4.18.9-1.ppc
samba-winbind-krb5-locator-4.18.9-1.ppc
NEW SAMBA VERSION
rpm -qa | grep samba
samba-client-4.21.2-1.ppc
samba-devel-4.21.2-1.ppc
samba-libs-4.21.2-1.ppc
samba-winbind-4.21.2-1.ppc
samba-winbind-clients-4.21.2-1.ppc
samba-common-4.21.2-1.ppc
samba-4.21.2-1.ppc
samba-winbind-krb5-locator-4.21.2-1.ppc
ERROR LOG MESSAGES
[2025/01/13 09:28:22.552803, 2] ../../source3/passdb/pdb_interface.c:163(make_pdb_method_name)
No builtin backend found, trying to load plugin
[2025/01/13 09:28:31.360132, 3] ../../source3/auth/auth.c:206(auth_check_ntlm_password)
auth_check_ntlm_password: check_ntlm_password: Checking password for unmapped user [JALCORP]\[jlynch3]@[GANDALF] with the new password interface
[2025/01/13 09:28:31.360163, 3] ../../source3/auth/auth.c:211(auth_check_ntlm_password)
auth_check_ntlm_password: check_ntlm_password: mapped user is: [JALCORP]\[jlynch3]@[GANDALF]
[2025/01/13 09:28:31.439675, 0] ../../source3/auth/auth_util.c:1954(check_account)
check_account: Failed to find local account with UID 3000 for SID S-1-5-21-8915387-927614349-1190612905-131158 (dom_user[JALCORP\jlynch3])
[2025/01/13 09:28:31.439775, 2] ../../source3/auth/auth.c:356(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [jlynch3] -> [jlynch3] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2025/01/13 09:28:31.439881, 2] ../../auth/auth_log.c:876(log_authentication_event_human_readable)
Auth: [SMB2,(NULL)] user [JALCORP]\[jlynch3] at [Mon, 13 Jan 2025 09:28:31.439844 CST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [GANDALF] remote host [ipv4:10.192.130.88:55061] mapped to [JALCORP]\[jlynch3]. local host [ipv4:10.192.130.26:445]
[2025/01/13 09:28:31.439934, 3] ../../auth/auth_log.c:683(log_no_json)
log_no_json: JSON auth logs not available unless compiled with jansson
[2025/01/13 09:28:31.439994, 3] ../../auth/gensec/spnego.c:1428(gensec_spnego_server_negTokenTarg_step)
gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_SUCH_USER
[2025/01/13 09:28:31.440065, 3] ../../source3/smbd/smb2_server.c:4054(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:148
log winbindd idmap
[2025/01/13 09:28:31.429316, 3, traceid=5] ../../source3/winbindd/idmap.c:397(idmap_init_domain)
idmap backend ad not found
[2025/01/13 09:28:31.435200, 3, traceid=5] ../../source3/winbindd/idmap.c:402(idmap_init_domain)
Could not probe idmap module ad
[2025/01/13 09:28:31.435224, 3, traceid=5] ../../source3/winbindd/idmap.c:270(idmap_found_domain_backend)
idmap_found_domain_backend: Could not init idmap domain JALCORP
[2025/01/13 09:28:41.588378, 0] ../../source3/winbindd/winbindd_dual.c:1983(winbindd_sig_term_handler)
Got sig[15] terminate (is_parent=0)
syslog
Jan 13 09:28:31 server2 daemon:err|error smbd[15008178]: check_account: Failed to find local account with UID 3000 for SID S-1-5-21-8915387-927614349-1190612905-131158 (dom_user[JALCORP\jlynch3])
------------------------------
Jaqui Lynch
Architect
Jaqui Lynch
Nashville
------------------------------