One user updated his Scientific Linux 7 recently. The version of Samba was upgraded from 4.4 to 4.8. The samba service was not running smoothly after that. One strange problem is that some people could access the samba share, but some could not. You can see the following messages in the log when you set the log level to 3:
[2019/03/11 12:26:12.597548, 3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
get_user_from_kerberos_info: Username DOMAIN\user is invalid on this system
[2019/03/11 12:26:12.597583, 3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2019/03/11 12:26:12.597649, 3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
[2019/03/11 12:26:12.598658, 3] ../source3/smbd/server_exit.c:236(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
It took me a while to fix the problem. The problem is caused by bogus entries in samba and winbind’s cache. I found this article about clearing the cache. Our server is part of an AD domain, so there is one extra step to perform. That is rejoining the domain after cache is cleared. Here are all the commands that I ran:
service winbind stop service smb stop net cache flush rm -f /var/lib/samba/*.tdb rm -f /var/lib/samba/group_mapping.ldb net ads join -U Administrator service smb start service winbind start
Note that the net cache fulsh command could take a long time to finish. Just wait for a few minutes and it would finish eventually.
This post may contain affiliated links. When you click on the link and purchase a product, we receive a small commision to keep us running. Thanks.