I spent some time today figuring out why my clients were unable to
connect to my Samba AD domain member after updating the operating system
from CentOS 7.2 to 7.3, and I thought sharing the reason and the
workaround could help others:
If you run RHEL/CentOS 7.2 with an unmodified /etc/krb5.conf file and
update to 7.3, the krb5-workstation-1.14.1-27 package adds an
"includedir" statement to the top of the file. If you modified the file
in the past, the entry is not added and everything is fine.
This "includedir" statement causes all connections (shares, RPC, etc.)
to the Samba domain member to fail. If you set the log level to 3 or
higher, the following error is logged:
[2016/12/29 20:40:12.306475, 3]
../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_UNSUCCESSFUL] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/12/29 20:40:12.307256, 3]
../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
To work around the problem, simply remove the "includedir" statement
from the /etc/krb5.conf file. No restart is required.
Here is the bug report:
https://bugzilla.samba.org/show_bug.cgi?id=12488
Regards,
Marc
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
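Two checks for the situation Marc describes, added here as an example; this is not code from the thread or from the Samba project. It assumes a POSIX shell with grep and sed. The smbd log excerpt is the one quoted above (reflowed onto its original lines), the krb5.conf content is a constructed sample resembling a default file with the "includedir" line prepended, and both are written to temporary files so nothing on the host is touched. The function names and the "# disabled" marker are my own choices.

```shell
# Added example (not from the thread or from Samba): detect the level-3 log
# signature of the failure and the "includedir" line in krb5.conf that
# causes it, then write a sanitized copy of krb5.conf for review.
# Assumes POSIX sh, grep and sed. All file contents below are sample data.

# Return 0 if the smbd log shows the session-setup failure quoted in the
# thread: NT_STATUS_UNSUCCESSFUL raised from smb2_sesssetup.c.
smbd_log_has_sesssetup_failure() {
    grep -q 'status\[NT_STATUS_UNSUCCESSFUL\]' "$1" &&
        grep -q 'smb2_sesssetup\.c' "$1"
}

# Return 0 if the given krb5.conf contains an "includedir" directive.
krb5_has_includedir() {
    grep -qE '^[[:space:]]*includedir[[:space:]]' "$1"
}

# Write a copy of krb5.conf ($1) to $2 with every "includedir" line
# commented out. The source file is left untouched; review the copy before
# installing it as /etc/krb5.conf.
krb5_strip_includedir() {
    sed -E 's/^([[:space:]]*includedir[[:space:]].*)$/# disabled (see Samba bug 12488): \1/' \
        "$1" > "$2"
}

# Sample smbd log: the lines Marc quoted, each entry on its original line.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
[2016/12/29 20:40:12.306475,  3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_UNSUCCESSFUL] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/12/29 20:40:12.307256,  3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
EOF

# Constructed sample krb5.conf: a default-looking file with the
# "includedir" line the updated krb5-workstation package prepends.
KRB5=$(mktemp)
cat > "$KRB5" <<'EOF'
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]

[domain_realm]
EOF

CLEANED=$(mktemp)

if smbd_log_has_sesssetup_failure "$LOG"; then
    echo "smbd log shows the session-setup failure; checking $KRB5"
fi

if krb5_has_includedir "$KRB5"; then
    krb5_strip_includedir "$KRB5" "$CLEANED"
    echo "includedir found; sanitized copy written to $CLEANED"
else
    echo "no includedir directive in $KRB5"
fi
```

Run it as-is to see the sanitized copy; to inspect a real host, call the functions with /var/log/samba/log.smbd and /etc/krb5.conf and a scratch output path instead of the temporary files.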
> Hi,
>
> I spent some time today to figure out why my clients are unable to
> connect to my Samba AD domain member after updating the operating
> system from CentOS 7.2 to 7.3 and I thought sharing the reason and the
> workaround can help others:
>
> If you run RHEL/CentOS 7.2 with an unmodified /etc/krb5.conf file
Hi Marc, that is your problem there, and it has highlighted another
problem: the Samba wiki page
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
doesn't have anything about krb5.conf.
You should run the same /etc/krb5.conf as on a DC; of course, this may
change when Red Hat finally releases a Samba AD DC MIT package.
> and
> update to 7.3, the krb5-workstation-1.14.1-27 package adds an
> "includedir" statement to the top of the file. If you modified the
> file in the past, the entry is not added and everything is fine.
>
> This "includedir" statement causes all connections (shares, RPC, etc.)
> to the Samba domain member to fail. If you set the log level to 3 or
> higher, the following error is logged:
>
> [2016/12/29 20:40:12.306475, 3]
> ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_UNSUCCESSFUL] ||
> at ../source3/smbd/smb2_sesssetup.c:134 [2016/12/29 20:40:12.307256,
> 3] ../source3/smbd/server_exit.c:246(exit_server_common)
> Server exit (NT_STATUS_CONNECTION_RESET)
>
> To work around the problem, simply remove the "includedir" statement
> from the /etc/krb5.conf file. No restart is required.
>
> Here is the bug report:
> https://bugzilla.samba.org/show_bug.cgi?id=12488
Why are you logging a Samba bug for what seems to be a
configuration error?
Rowland
You can set up a domain member without configuring Kerberos in
krb5.conf. That's what is currently described on the Wiki page, and the
procedure works. However, in this case you're not able to use Kerberos
stuff, such as kinit.
I'll add a new section to the page tomorrow describing the Kerberos
configuration on the domain member.
>> Here is the bug report:
>> https://bugzilla.samba.org/show_bug.cgi?id=12488
>
> Why are you logging a Samba bug for what seems to be a
> configuration error ?
Samba domain members work without configuring krb5.conf, and in this
case users may not have touched their krb5.conf file, but Samba reads
this file. Also, a lot of distributions ship MIT Kerberos, which supports
including config snippets. That's why I think Samba needs to be patched:
if "includedir" is not supported in Heimdal, we should ignore such
unknown options instead of starting the services and failing to serve
without any helpful error message (nothing is logged at level < 3, and at
>= 3 a message is logged that tells nothing about the problem: an
unknown parameter in krb5.conf).
Regards,
Marc
> On 29.12.2016 at 22:17, Rowland Penny via samba wrote:
> > Hi Marc, that is your problem there and it has highlighted another
> > problem, the Samba wiki page:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> > Doesn't have anything about krb5.conf
> >
> > You should run the same /etc/krb5.conf as on a DC, ...
>
> You can set up a domain member without configuring Kerberos in
> krb5.conf. That's what is currently described on the Wiki page and the
> procedure works. However, in this case you're not able to use Kerberos
> stuff, such as kinit.
No, you cannot; a lot of problems are caused by
misconfigured /etc/krb5.conf files, as you have found out yourself.
>
> I add a new section to the page tomorrow describing the Kerberos
> configuration on the domain member.
Don't bother, I have already done it.
Rowland
Sure, you can. I ran several domain members in production in the past
without touching the default krb5.conf and never had any kind of problem.
What problems are you talking about exactly? Can you please give some
examples of what problems users will encounter if they don't configure
krb5.conf and use the defaults?
>> I add a new section to the page tomorrow describing the Kerberos
>> configuration on the domain member.
>
> Don't bother, I have already done it.
Can you add some more details? I think it helps the reader to tell them
why to do things, for example what you achieve by setting this up and
what problems you get if you use the default krb5.conf.
Regards,
Marc