# Samba crashes when security set to ADS

## noway2

I have been trying to get Samba, currently version 4.8.6, to work in conjunction with Kerberos to authenticate user accounts on an AD domain.  I have successfully set up other machines (using either Ubuntu or CentOS) to authenticate domain users and I do have an account with domain admin privileges.  I have Kerberos installed and it appears to be working correctly as kinit will ask for a password and then issue a ticket for the domain user.  Over the last several days, I have tried a lot of different combinations and followed several how-to guides, all to no avail.  The common factor is that any time I try to set 'security = ads' the smbd and winbind daemon processes crash while nmbd continues to function.  If I set the configuration to USER it will run, but then a join will fail saying it's not a domain member PC.  I am NOT trying to configure the system as a domain controller.

The current (stripped down) smb.conf file is as follows:

```
[global]
        workgroup = AD
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab
        realm = AD.UNC.EDU
        security = ADS
        guest account = nobody
        guest ok = yes
```

*Note: the guest account lines were added to try to address the error messages, based upon some search attempts at a fix.*

The krb5.conf file is below.  This comes straight from the IT department help desk:

```
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ISIS.UNC.EDU

[realms]
 ISIS.UNC.EDU = {
  kdc = krb3.unc.edu
  kdc = krb2.unc.edu
  kdc = krb1.unc.edu
  kdc = krb0.unc.edu
  admin_server = krba.unc.edu
  default_domain = isis.unc.edu
 }

[domain_realm]
 .unc.edu = ISIS.UNC.EDU
```

The three samba logs are as follows:

log.nmbd:

```
[2019/06/14 15:23:06.568978,  0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'nmbd' finished starting up and ready to serve connections
```

log.smbd:

```
[2019/06/14 15:23:06.544487,  0] ../source3/auth/auth_util.c:1372(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_NO_MEMORY
[2019/06/14 15:23:06.544627,  0] ../source3/smbd/server.c:1993(main)
  ERROR: failed to setup guest info.
```

and

log.winbindd:

```
2019/06/14 15:23:06.633919,  0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/06/14 15:23:06.636829,  0] ../source3/winbindd/winbindd_util.c:1264(init_domain_list)
  Could not fetch our SID - did we join?
[2019/06/14 15:23:06.636897,  0] ../source3/winbindd/winbindd.c:1360(winbindd_register_handlers)
  unable to initialize domain list
```

As I mentioned, Kerberos will issue tickets to the domain users:

```
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: myuser.adm@AD.UNC.EDU

Valid starting       Expires              Service principal
06/14/2019 14:43:20  06/15/2019 00:43:20  krbtgt/AD.UNC.EDU@AD.UNC.EDU
        renew until 06/15/2019 14:43:11
```

The USE flag list for Samba is as follows:

```
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for net-fs/samba-4.8.6-r2:
 U I
 - - abi_x86_32               : 32-bit (x86) libraries
 + + acl                      : Add support for Access Control Lists
 - - addc                     : Enable Active Directory Domain Controller support
 - - addns                    : Enable AD DNS integration
 + + ads                      : Enable Active Directory support
 - - ceph                     : Enable support for Ceph distributed filesystem via sys-cluster/ceph
 + + client                   : Enables the client part
 - - cluster                  : Enable support for clustering
 + + cups                     : Add support for CUPS (Common Unix Printing System)
 - - debug                    : Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see
                                https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
 - - fam                      : Enable FAM (File Alteration Monitor) support
 + + gnutls                   : Prefer net-libs/gnutls as SSL/TLS provider (ineffective with USE=-ssl)
 - - gpg                      : Use app-crypt/gpgme for AD DC
 - - iprint                   : Enabling iPrint technology by Novell
 + + ldap                     : Add LDAP support (Lightweight Directory Access Protocol)
 + + pam                      : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
 - - python                   : Add optional support/bindings for the Python language
 + + python_targets_python2_7 : Build with Python 2.7
 - - quota                    : Enables support for user quotas
 + + syslog                   : Enable support for syslog
 + + system-mitkrb5           : Use app-crypt/mit-krb5 instead of app-crypt/heimdal.
 - - systemd                  : Enable use of systemd-specific libraries and features like socket activation or session tracking
 - - test                     : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
 + + winbind                  : Enables support for the winbind auth daemon
 - - zeroconf                 : Support for DNS Service Discovery (DNS-SD)
```

I have also tried the Gentoo guide here: https://wiki.gentoo.org/wiki/Kerberos_Windows_Interoperability  If I run the configuration as outlined at the top of the document (no line security = ads) Samba will start and run but I get the following:

```
Host is not configured as a member server.
Invalid configuration.  Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.
```

If I try the section at the bottom it will crash because of the security = ADS.

I found this mail archive from Debian, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899269, where someone seemed to be having a similar issue in that Winbind wouldn't start, and they said that it was a bug in Samba that was introduced after 4.7 something and fixed in 4.9 something.  Consequently, I reverted Samba to version 4.5.16 to no avail; the problem persists.

Samba's testparm doesn't issue any errors and when it runs (no ADS) I get the following:

```
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
```

Followed by the global items listed above.

If anyone can point me in the correct direction or help me out, I would greatly appreciate it.
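One thing worth ruling out from the two files quoted above is that smb.conf names the realm AD.UNC.EDU while krb5.conf's default_realm and [domain_realm] mapping point at ISIS.UNC.EDU. The following pre-flight check is an added example (not the poster's code and not part of Samba); it parses both files and reports the settings an AD member server depends on that disagree. The sample inputs are constructed to mirror the quoted files.

```python
# Added example (not from the poster or from Samba): cross-check an smb.conf
# against a krb5.conf for the settings an AD member server depends on.
# Sample inputs below are constructed to mirror the files quoted in the post.
SMB_CONF = "[global]\n workgroup = AD\n realm = AD.UNC.EDU\n security = ADS\n"
KRB5_CONF = ("[libdefaults]\n default_realm = ISIS.UNC.EDU\n[realms]\n ISIS.UNC.EDU = {\n"
             "  kdc = krb0.unc.edu\n }\n[domain_realm]\n .unc.edu = ISIS.UNC.EDU\n")


def parse_flat(text):
    """Parse smb.conf/krb5.conf text into {section: {key: value}} with lowercased keys;
    brace sub-blocks (krb5.conf realm definitions) are skipped, they are not needed here."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif depth == 0 and current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_member_config(smb_text, krb5_text):
    """Return a list of findings; an empty list means the two files agree."""
    smb = parse_flat(smb_text).get("global", {})
    krb = parse_flat(krb5_text)
    if smb.get("security", "").lower() != "ads":
        return ["security is not 'ads', so Samba will not act as an AD domain member"]
    out = []
    for key in ("realm", "workgroup"):
        if not smb.get(key):
            out.append(f"security = ads requires '{key}' in [global]")
    realm = smb.get("realm", "").upper()
    default_realm = krb.get("libdefaults", {}).get("default_realm", "").upper()
    if realm and default_realm != realm:
        out.append(f"krb5.conf default_realm {default_realm or '(unset)'} differs from "
                   f"smb.conf realm {realm}")
    mapped = {v.upper() for v in krb.get("domain_realm", {}).values()}
    if realm and realm not in mapped:
        out.append(f"no [domain_realm] entry in krb5.conf maps a DNS domain to {realm}")
    return out
```

Run against the sample files it reports two findings, both about the realm mismatch; a consistent pair returns an empty list.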

----------

## alamahant

You mention

> Host is not configured as a member server.
> Invalid configuration. Exiting....
> ...

You need to install something similar to CentOS's krb5-workstation and issue both machine principals and service principals for all your boxes (including the Samba server).

Try something like:

```
kadmin
addprinc -randkey host/<FQDN>   #### add a host machine
ktadd host/<FQDN>               #### create a keytab entry to be stored in /etc/krb5.keytab
addprinc -randkey cifs/<FQDN>   #### add the samba service principal
ktadd cifs/<FQDN>               #### likewise for the samba keytab entry
```

Now, unlike kerberized NFS, which nowadays works out of the box with NFSv4, kerberized Samba shares are very tricky.

It would be beneficial if you installed sssd on all your machines. (authconfig creates great sssd.confs but it's not available in Gentoo. Maybe use a CentOS machine in a similar setup to create the sssd.confs and copy them to your other machines with slight modifications.)

Is your firewall configured correctly?

Do you have sys-auth/pam_krb5 installed?

I read this

> Loaded services file OK.
> Server role: ROLE_STANDALONE
> ...

It seems your Samba server is not configured to be a domain member.

Maybe you need something like

> server role = member server

in your smb.conf...
