LINUX Alert! – SAMBA update 4.2.10-6.el7 Breaks Active Directory Authentication.
Active Directory Authentication Breaks After Installing SAMBA 4.2.10-6.el7_2
This Issue Has Been Resolved! See Post – https://www.catracing.org/hendrb/post-update-active-directory-authentication-fixed-samba-update-4-2-10-6-2-el7_2/ For additional information!
This is not going to be a very long technical post, but I did want to get the word out that the latest update to the SAMBA client broke Active Directory authentication on my web server, and how to fix the issue.
While applying Windows Update fixes to my Windows servers, I also checked for updates on my CentOS box, and lo and behold there were quite a few updates, one being another SAMBA update. I cannot remember a time when a package update broke something on my production box; the only other times I have had serious issues were after installing kernel updates. So needless to say I was quite shocked after rebooting the server (it runs as a virtual machine on top of the Windows box that had rebootable updates installed). I could no longer log in with my AD account. NOT GOOD! Fortunately, checking to make sure I can log in as root and my local account is part of my pre-update checks.
After the updates and a reboot of the server you can see it is not allowing me to log in with my domain account.
Here are the error messages logged in /var/log/secure:
(Server hostname has been replaced with ****)
Apr 14 13:50:53 **** polkitd[804]: Registered Authentication Agent for unix-session:c1 (system bus name :1.28 [gnome-shell --mode=gdm], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Apr 14 13:51:33 **** gdm-password]: pam_unix(gdm-password:auth): check pass; user unknown
Apr 14 13:51:33 **** gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
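As an added example (not part of the original post), this shell snippet counts the pam_unix "check pass; user unknown" entries shown above per PAM service, which is what pam_unix logs when it cannot look up the account being authenticated. The sample log is constructed, and the hostname web01 and the function names are assumptions.

```shell
#!/bin/sh
# Added example: spot the "user unknown" pattern in a /var/log/secure style file.

# Constructed sample log modelled on the lines quoted in the post
# (hostname "web01", PIDs and the 192.0.2.10 address are made up).
sample_secure_log() {
cat <<'EOF'
Apr 14 13:51:33 web01 gdm-password]: pam_unix(gdm-password:auth): check pass; user unknown
Apr 14 13:51:33 web01 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr 14 13:52:10 web01 sshd[2201]: pam_unix(sshd:auth): check pass; user unknown
Apr 14 13:52:41 web01 sshd[2207]: pam_unix(sshd:auth): check pass; user unknown
Apr 14 13:53:02 web01 sshd[2215]: Accepted password for root from 192.0.2.10 port 50022 ssh2
EOF
}

# Print "<pam-service> <count>" for every service that logged "user unknown".
unknown_user_failures() {
    sed -n 's/.*pam_unix(\([^:)]*\):auth): check pass; user unknown.*/\1/p' "$1" |
        sort | uniq -c | awk '{print $2, $1}'
}

# Succeed (exit 0) when the total number of such failures reaches the
# threshold given as $2 (default 1), so it can gate a post-update check.
auth_lookup_broken() {
    total=$(unknown_user_failures "$1" | awk '{s += $2} END {print s + 0}')
    [ "$total" -ge "${2:-1}" ]
}

# Usage: sh check_secure.sh /var/log/secure
if [ -n "${1:-}" ]; then
    unknown_user_failures "$1"
fi
```

Run it against /var/log/secure after a test login with a domain account and before logging out of the root or local session.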
I promptly removed the updated version of SAMBA and reinstalled the previous version. I always take a screen capture of what yum is going to update before answering yes. This makes an easy reference in case I need to go back and remove anything. In this case I need to remove the following packages.
samba x86_64 4.2.10-6.el7_2 updates 614 k
samba-client x86_64 4.2.10-6.el7_2 updates 496k
samba-client-libs x86_64 4.2.10-6.el7_2 updates 4.3 M
samba-common noarch 4.2.10-6.el7_2 updates 272 k
samba-common-libs x86_64 4.2.10-6.el7_2 updates 156 k
samba-common-tools x86_64 4.2.10-6.el7_2 updates 444 k
samba-libs x86_64 4.2.10-6.el7_2 updates 260 k
samba-winbind x86_64 4.2.10-6.el7_2 updates 465 k
samba-winbind-modules x86_64 4.2.10-6.el7_2 updates 105 k
$ yum remove samba samba-client samba-client-libs samba-common samba-common-libs samba-common-tools samba-libs samba-winbind samba-winbind-modules
Once samba and samba-winbind have been uninstalled, we need to install the previous version. Again, the listing I keep of all updates installed on the server comes in handy, as I know SAMBA was updated back in January.
samba-client x86_64 4.2.3-11.el7_2 updates 496 k
samba-client-libs x86_64 4.2.3-11.el7_2 updates 4.3 M
samba-common noarch 4.2.3-11.el7_2 updates 269 k
samba-common-libs x86_64 4.2.3-11.el7_2 updates 156 k
samba-common-tools x86_64 4.2.3-11.el7_2 updates 443 k
samba-libs x86_64 4.2.3-11.el7_2 updates 259 k
samba-winbind x86_64 4.2.3-11.el7_2 updates 463 k
samba-winbind-modules x86_64 4.2.3-11.el7_2 updates 104 k
First let’s get the package names for all available versions of samba:
$ yum --showduplicates list samba
The version we want, 4.2.3-11.el7_2, is available. So let’s go ahead and install it.
$ yum install samba-0:4.2.3-11.el7_2.x86_64
Once the samba client is installed we need to install samba-winbind:
$ yum install samba-winbind-0:4.2.3-11.el7_2.x86_64
Once this was complete, I rebooted the server, but was still unable to connect to the domain controller. Comparing files on my development server, I noticed that the /etc/samba/smb.conf file was modified on the server during the removal of the samba package. Not to worry, yum made a backup first.
So let’s remove the new smb.conf
$ rm smb.conf
Now let’s rename the smb.conf.rpmsave to smb.conf
$ mv smb.conf.rpmsave smb.conf
Now let’s go ahead and reboot. (You don’t need to; you can just shut down your networking and samba service, but a reboot never hurts.)
$ reboot
Test logging in with a domain account. If the login still fails, log back in with your local account and troubleshoot the AD connection.
- Is the time on the LINUX box within 5 minutes of the time on the Active Directory server? If not, this will cause the Kerberos ticket issuance to fail.
- Can you issue wbinfo commands, e.g. wbinfo -g or wbinfo -u? If not, you may have to rejoin the domain.
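After the rollback steps above, it is worth confirming that every samba package really is back at the previous version, since a leftover or missing package is easy to overlook. This added example (not from the original post) turns the saved yum listing into pinned package specs and compares it with what rpm reports; the function names and the sample data are constructed.

```shell
#!/bin/sh
# Added example: derive rollback targets from the saved yum listing and
# check the installed samba packages against them.

# Constructed sample of the saved listing (columns: name arch version repo size).
saved_listing() {
cat <<'EOF'
samba-client x86_64 4.2.3-11.el7_2 updates 496 k
samba-common noarch 4.2.3-11.el7_2 updates 269 k
samba-winbind x86_64 4.2.3-11.el7_2 updates 463 k
otherpkg x86_64 1.0-1.el7 updates 10 k
EOF
}

# rollback_specs LISTING VERSION
# Print name-version.arch for each samba package listed at VERSION.
rollback_specs() {
    awk -v want="$2" \
        '$1 ~ /^samba/ && $3 == want { print $1 "-" $3 "." $2 }' "$1"
}

# rollback_mismatches LISTING VERSION INSTALLED
# INSTALLED holds "name arch version-release" lines, for example from:
#   rpm -qa --qf '%{NAME} %{ARCH} %{VERSION}-%{RELEASE}\n' 'samba*'
# Prints "name.arch missing" or "name.arch <installed version>" for every
# expected package that is absent or still at a different version.
rollback_mismatches() {
    awk -v want="$2" '
        NR == FNR { if ($1 ~ /^samba/ && $3 == want) expect[$1 "." $2] = 1; next }
        { have[$1 "." $2] = $3 }
        END {
            for (p in expect)
                if (!(p in have)) print p, "missing"
                else if (have[p] != want) print p, have[p]
        }' "$1" "$3" | sort
}
```

An empty result from rollback_mismatches means every samba package in the listing is installed at the expected version.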
These instructions should repair your domain authentication until the issue with the new version of SAMBA is resolved. I will keep working on a fix, unless another update fixes the problem.
Just a quick update: I am not the only one experiencing this issue. I have not been able to locate a fix, though, and more disturbingly I have read that someone compiled the update to this version on CentOS 7 and the issue remains. I will be keeping this post updated until a resolution is found.
2 weeks into this issue, and still no word about an update to SAMBA. I have tried several of the fixes posted on the internet but no go. client ipc signing = auto did not work for me. I really hope a patch is released soon!
Hi Brent,
Any luck on your side for centos 7 or 6.7 smb?
Unfortunately not yet. I will be trying some more stuff this weekend, but I have a feeling we will be waiting until an update comes out from the SAMBA Folks (I have heard that this is also affecting Ubuntu.) Hopefully I will have some good news soon.
Still no fix to my AD Authentication woes! No SAMBA updates coming down the pipe, and I am not seeing anything new being posted on the web, besides the suggestion to use winbind (which I already am in my AD authentication solution). I am still hoping this gets resolved soon!
No Update – I am still using the old version of SAMBA that works; however, I did want to share how to update other packages while skipping SAMBA, so your installation does not get too out of date.
From the command line:
$ sudo yum --skip-broken -x 'samba*' update
Quick update everyone! It looks like Ubuntu fixed this issue over a month ago. I just noticed there is a new SAMBA update available for CentOS, 4.2.10-6.2. I just upgraded to Windows 10 on my production desktop, so I do not have access to my development VM as I am having issues with the virtual network. I will be working on getting this resolved by the end of the week. If I am unsuccessful, I will put back in the original Windows 7 hard drive specifically to test the patch! Hope to have an answer for you this weekend! Stay tuned!
GREAT NEWS!!!
I have installed and tested SAMBA 4.2.10-6.2 and the update does fix the issue with being able to log in to an Active Directory account! This has been tested on both my development box and the production server. For those of you who have been waiting for this bug to be fixed (and I think we waited long enough), I would go ahead and install this in your testing environment as soon as possible!