Cannot access samba4 in a RHEL8 environment

OS:RHEL8
samba:4.14.5-7.el8_5
sssd:2.5.2-2.el8_5.3
Authentication: ActiveDirectory (samba4)

After updating to the versions above, error logs like the following started to appear and I could no longer access the server.
Note that "log level = 3" is set in smb.conf.

 GENSEC backend 'naclrpc_as_system' registered
[2021/12/22 00:22:24.955330, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'sasl-EXTERNAL' registered
[2021/12/22 00:22:24.955333, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'ntlmssp' registered
[2021/12/22 00:22:24.955336, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'ntlmssp_resume_ccache' registered
[2021/12/22 00:22:24.955339, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'http_basic' registered
[2021/12/22 00:22:24.955342, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'http_ntlm' registered
[2021/12/22 00:22:24.955346, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'http_negotiate' registered
[2021/12/22 00:22:24.955635, 1] ../../source3/librpc/crypto/gse_krb5.c:181(fill_mem_keytab_from_secrets)
fill_mem_keytab_from_secrets: secrets_fetch_or_upgrade_domain_info(ISOPPE) - NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2021/12/22 00:22:24.955667, 3] ../../source3/librpc/crypto/gse_krb5.c:572(gse_krb5_get_server_keytab)
../../source3/librpc/crypto/gse_krb5.c:572: Warning! Unable to set mem keytab from secrets!
[2021/12/22 00:22:24.956804, 3] ../../source3/smbd/negprot.c:777(reply_negprot)
Selected protocol SMB 2.???
[2021/12/22 00:22:24.966330, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
Selected protocol SMB3_11
[2021/12/22 00:22:24.966533, 1] ../../source3/librpc/crypto/gse_krb5.c:181(fill_mem_keytab_from_secrets)
fill_mem_keytab_from_secrets: secrets_fetch_or_upgrade_domain_info(ISOPPE) - NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2021/12/22 00:22:24.966547, 3] ../../source3/librpc/crypto/gse_krb5.c:572(gse_krb5_get_server_keytab)
../../source3/librpc/crypto/gse_krb5.c:572: Warning! Unable to set mem keytab from secrets!
[2021/12/22 00:22:24.975717, 1] ../../source3/librpc/crypto/gse_krb5.c:181(fill_mem_keytab_from_secrets)
fill_mem_keytab_from_secrets: secrets_fetch_or_upgrade_domain_info(ISOPPE) - NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2021/12/22 00:22:24.975772, 3] ../../source3/librpc/crypto/gse_krb5.c:572(gse_krb5_get_server_keytab)
../../source3/librpc/crypto/gse_krb5.c:572: Warning! Unable to set mem keytab from secrets!
[2021/12/22 00:22:24.976501, 1] ../../source3/auth/auth_generic.c:210(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: Unexpected PAC for [hoge@ISOPPE.JP] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
[2021/12/22 00:22:24.976534, 3] ../../source3/smbd/smb2_server.c:3874(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/12/22 00:22:24.978330, 3] ../../source3/smbd/server_exit.c:240(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
[2021/12/22 00:22:24.989733, 2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
Registered MSG_REQ_POOL_USAGE
[2021/12/22 00:22:24.989888, 3] ../../lib/util/access.c:372(allow_access)
Allowed connection from fc00:5::4525:51ff:9f35:223b (fc00:5::4525:51ff:9f35:223b)
[2021/12/22 00:22:24.990330, 3] ../../source3/smbd/oplock.c:1427(init_oplocks)
init_oplocks: initializing messages.
[2021/12/22 00:22:24.992721, 3] ../../source3/smbd/process.c:1957(process_smb)
Transaction 0 of length 240 (0 toread)
[2021/12/22 00:22:24.992965, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
Selected protocol SMB3_11
[2021/12/22 00:22:24.993226, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'gssapi_spnego' registered
[2021/12/22 00:22:24.993257, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'gssapi_krb5' registered
[2021/12/22 00:22:24.993262, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'gssapi_krb5_sasl' registered
[2021/12/22 00:22:24.993267, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'spnego' registered
[2021/12/22 00:22:24.993272, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'schannel' registered
[2021/12/22 00:22:24.993276, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'naclrpc_as_system' registered
[2021/12/22 00:22:24.993281, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'sasl-EXTERNAL' registered
[2021/12/22 00:22:24.993285, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'ntlmssp' registered
[2021/12/22 00:22:24.993290, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'ntlmssp_resume_ccache' registered
[2021/12/22 00:22:24.993295, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'http_basic' registered
[2021/12/22 00:22:24.993304, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'http_ntlm' registered
[2021/12/22 00:22:24.993308, 3] ../../auth/gensec/gensec_start.c:1089(gensec_register)
GENSEC backend 'http_negotiate' registered
[2021/12/22 00:22:24.993563, 1] ../../source3/librpc/crypto/gse_krb5.c:181(fill_mem_keytab_from_secrets)
fill_mem_keytab_from_secrets: secrets_fetch_or_upgrade_domain_info(ISOPPE) - NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2021/12/22 00:22:24.993586, 3] ../../source3/librpc/crypto/gse_krb5.c:572(gse_krb5_get_server_keytab)
../../source3/librpc/crypto/gse_krb5.c:572: Warning! Unable to set mem keytab from secrets!
[2021/12/22 00:22:25.004769, 1] ../../source3/librpc/crypto/gse_krb5.c:181(fill_mem_keytab_from_secrets)
fill_mem_keytab_from_secrets: secrets_fetch_or_upgrade_domain_info(ISOPPE) - NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2021/12/22 00:22:25.004798, 3] ../../source3/librpc/crypto/gse_krb5.c:572(gse_krb5_get_server_keytab)
../../source3/librpc/crypto/gse_krb5.c:572: Warning! Unable to set mem keytab from secrets!
[2021/12/22 00:22:25.005497, 1] ../../source3/auth/auth_generic.c:210(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: Unexpected PAC for [hoge@ISOPPE.JP] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
[2021/12/22 00:22:25.005533, 3] ../../source3/smbd/smb2_server.c:3874(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/12/22 00:22:25.007250, 3] ../../source3/smbd/server_exit.c:240(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)

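Did something security-related change?
I don't know the cause, but not being able to access the file server is a problem, so as a stopgap I restored service by downgrading.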


# dnf downgrade samba

サブスクリプション管理リポジトリーを更新しています。
メタデータの期限切れの最終確認: 0:20:49 時間前の 2021年12月22日 02時19分06秒 に実施しました。
依存関係が解決しました。
============================================================================
パッケージ アーキテクチャー バージョン リポジトリー サイズ
============================================================================
ダウングレード:
libipa_hbac x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 115 k
libsmbclient x86_64 4.14.5-2.el8 rhel-8-for-x86_64-baseos-rpms 147 k
libsss_autofs x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 118 k
libsss_certmap x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 155 k
libsss_idmap x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 120 k
libsss_nss_idmap x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 127 k
libsss_sudo x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 116 k
libwbclient x86_64 4.14.5-2.el8 rhel-8-for-x86_64-baseos-rpms 121 k
python3-sssdconfig noarch 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 142 k
samba x86_64 4.14.5-2.el8 rhel-8-for-x86_64-baseos-rpms 847 k
samba-client-libs x86_64 4.14.5-2.el8 rhel-8-for-x86_64-baseos-rpms 5.4 M
samba-common noarch 4.14.5-2.el8 rhel-8-for-x86_64-baseos-rpms 220 k
samba-common-libs x86_64 4.14.5-2.el8 rhel-8-for-x86_64-baseos-rpms 173 k
samba-common-tools x86_64 4.14.5-2.el8 rhel-8-for-x86_64-baseos-rpms 499 k
samba-libs x86_64 4.14.5-2.el8 rhel-8-for-x86_64-baseos-rpms 169 k
sssd x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 107 k
sssd-ad x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 270 k
sssd-client x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 205 k
sssd-common x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 1.6 M
sssd-common-pac x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 178 k
sssd-ipa x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 347 k
sssd-kcm x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 254 k
sssd-krb5 x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 150 k
sssd-krb5-common x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 185 k
sssd-ldap x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 208 k
sssd-nfs-idmap x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 115 k
sssd-proxy x86_64 2.5.2-2.el8_5.1 rhel-8-for-x86_64-baseos-rpms 147 k

トランザクションの概要
============================================================================
ダウングレード 27 パッケージ

ダウンロードサイズの合計: 12 M

Comments

  1. Hiro says:

    I think samba-winbind is now required.
    I handled it as follows.

    yum install samba-winbind
    systemctl enable winbind
    systemctl start winbind
    systemctl restart smb
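
The following is an added example, not part of the original post or the comment: a shell function that summarises the failure signature seen in the log above, listing each principal rejected with "Unexpected PAC ... in standalone mode" and counting the accompanying NT_STATUS_CANT_ACCESS_DOMAIN_INFO errors. The names `pac_rejections` and `sample_log` are hypothetical, and the sample input is an excerpt constructed from log lines in the post.

```shell
#!/bin/sh
# smbd writes each record as two lines: a "[timestamp, level] file:line(func)"
# header, then the message. awk carries the header timestamp forward to the
# message line that follows it.

pac_rejections() {
    # Reads smbd log text from the files given as arguments, or from stdin.
    awk '
        /^\[[0-9]+\/[0-9]+\/[0-9]+ / {          # header line: remember timestamp
            ts = substr($1, 2) " " $2
            sub(/,$/, "", ts)
            next
        }
        /NT_STATUS_CANT_ACCESS_DOMAIN_INFO/ { secrets_fail++ }
        /Unexpected PAC for \[.*\] in standalone mode/ {
            start = index($0, "[") + 1
            user = substr($0, start, index($0, "]") - start)
            if (!(user in first)) { first[user] = ts; order[++n] = user }
            count[user]++
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s rejected=%d first=%s\n", order[i], count[order[i]], first[order[i]]
            printf "secrets_fetch_failures=%d\n", secrets_fail + 0
        }
    ' "$@"
}

# Constructed sample: an excerpt of the log lines quoted in the post.
sample_log() {
    cat <<'EOF'
[2021/12/22 00:22:24.975717, 1] ../../source3/librpc/crypto/gse_krb5.c:181(fill_mem_keytab_from_secrets)
fill_mem_keytab_from_secrets: secrets_fetch_or_upgrade_domain_info(ISOPPE) - NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2021/12/22 00:22:24.976501, 1] ../../source3/auth/auth_generic.c:210(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: Unexpected PAC for [hoge@ISOPPE.JP] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
[2021/12/22 00:22:24.978330, 3] ../../source3/smbd/server_exit.c:240(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
[2021/12/22 00:22:25.004769, 1] ../../source3/librpc/crypto/gse_krb5.c:181(fill_mem_keytab_from_secrets)
fill_mem_keytab_from_secrets: secrets_fetch_or_upgrade_domain_info(ISOPPE) - NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2021/12/22 00:22:25.005497, 1] ../../source3/auth/auth_generic.c:210(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: Unexpected PAC for [hoge@ISOPPE.JP] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
EOF
}

sample_log | pac_rejections
```

If the summary shows rejected principals, `systemctl is-active winbind` reports whether the service named in the comment above is running on the host.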