Henrik Johansson
2017-Mar-18 15:06 UTC
[Samba] AD integration not working after move/version
Hi!

I am in a bit of trouble, I have moved a samba installation from one virtual host to another keeping the configuration files and filesystems. But during the transition something broke, now windows users are no longer able to access their shares. I think it has to do with the AD integration. I do not know if it is because some state is missing on this host related to the AD integration or if something has changed since the version of samba is higher on the new host. We have the same set of private files also (passdb.tdb and secrets.tdb).

Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.

Any ideas on how to debug this are helpful, I know very little about AD integration, perhaps the virtual host needs to join the domain again and authenticate, can I check the status of the integration in any way?

Some error messages I was able to find:

[2017/03/18 15:33:21.544063, 0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED.
[2017/03/18 15:33:21.554733, 0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
  rpccli_netlogon_sam_network_logon: credentials chain check failed
[2017/03/18 15:33:21.554814, 0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED.
[2017/03/18 15:33:21.565235, 0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
  rpccli_netlogon_sam_network_logon: credentials chain check failed
[2017/03/18 15:33:21.565330, 0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED

Configuration, with user names and real paths removed; the only other change is that we had to change to ISO8859-1 for the locale, as the argument “LOCALE” is no longer supported.

# Global parameters
[global]
	log file = /var/samba/log/clientlog.%m
	dns proxy = No
	acl check permissions = False
	netbios aliases = string1
	server string = string1
	name resolve order = hosts bcast
	realm = DOMAIN.NET
	password server = server3.string1.net sever4.string1.net
	# wins server = x.x.x.x
	local master = no
	workgroup = WGNAME
	os level = 0
	domain master = no
	encrypt passwords = yes
	security = DOMAIN
	unix charset = ISO8859-1
	max log size = 50
	# Fix for not to do lpstat since we don't use printers in Samba
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes

[homes]
	browseable = No
	comment = Home Directories
	writable = yes
	create mode = 775
	directory mode = 775

[string2]
	user = user1,user2
	path = /path/string2
	write list = userx,userx

[string3]
	path = /string3
	read only = Yes
	write list = user3,user4,user5
	create mask = 0760
	force create mode = 0760

[home]
	path = /path/home
	read only = No

[string4]
	path = /path
	read only = Yes
	write list = user9,user10,user11

[string5]
	revalidate = yes
	browseable = no
	writeable = yes
	valid users = @string5, @string6, @string7
	path = /path/path

[string11]
	path = /path/path2/path3
	writeable = yes
	valid users = @string9,string9
	browseable = no
	create mask = 0660
	force group = groupx

[string8]
	comment = Comment1 here
	path = /path/string8
	force group = userx
	valid users = @string10, @string11
	writeable = yes

Thankful for any assistance.
On Sat, 18 Mar 2017 16:06:28 +0100
Henrik Johansson via samba <samba at lists.samba.org> wrote:

> Hi!
>
> I am in a bit of trouble, I have moved a samba installation from one
> virtual host to another keeping the configuration files and
> filesystems. But during the transition something broke, now windows
> users are no longer able to access their shares. I think it has to do
> with the AD integration. I do not know if it is because some state is
> missing on this host related to the AD integration or if something
> has changed since the version of samba is higher on the new host. We
> have the same set of private files also (passdb.tdb and secrets.tdb).
>
> Old version was 3.5.8 and the new version on the virtual host that
> does not work is 3.6.25.

What OS is this on ?
Can you upgrade to a Samba version that is not EOL ?

> Any ideas on how to debug this are helpful, I know very little about AD
> integration, perhaps the virtual host needs to join the domain again
> and authenticate, can I check the status of the integration in any
> way?

You will probably need to join the new domain member again.

> # Global parameters
> [global]
> 	log file = /var/samba/log/clientlog.%m
> 	dns proxy = No
> 	acl check permissions = False
> 	netbios aliases = string1
> 	server string = string1
> 	name resolve order = hosts bcast
> 	realm = DOMAIN.NET
> 	password server = server3.string1.net sever4.string1.net
> 	# wins server = x.x.x.x
> 	local master = no
> 	workgroup = WGNAME
> 	os level = 0
> 	domain master = no
> 	encrypt passwords = yes
> 	security = DOMAIN

Try changing 'security = DOMAIN' to 'security = ADS'

Are you running winbind or are you using something else for authentication ?

Rowland
Marc Muehlfeld
2017-Mar-18 16:26 UTC
[Samba] AD integration not working after move/version
Hi Henrik,

On 18.03.2017 at 16:06, Henrik Johansson via samba wrote:
> Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.

That's not really a step forward to a supported Samba version. :-)
https://wiki.samba.org/index.php/Samba_Release_Planning

> # Global parameters
> [global]
> 	log file = /var/samba/log/clientlog.%m
> 	dns proxy = No
> 	acl check permissions = False
> 	netbios aliases = string1
> 	server string = string1
> 	name resolve order = hosts bcast
> 	realm = DOMAIN.NET
> 	password server = server3.string1.net sever4.string1.net
> 	# wins server = x.x.x.x
> 	local master = no
> 	workgroup = WGNAME
> 	os level = 0
> 	domain master = no
> 	encrypt passwords = yes
> 	security = DOMAIN
> 	unix charset = ISO8859-1
> 	max log size = 50
> 	# Fix for not to do lpstat since we don't use printers in Samba
> 	load printers = no
> 	printing = bsd
> 	printcap name = /dev/null
> 	disable spoolss = yes

First some nitpicks about your smb.conf:

* netbios aliases = string1
  Makes no sense to set an alias to exactly the same name as "server string" :-)

* password server: If there is no reason to only request some specific servers, I would not limit this. If both are down, Samba won't talk to other remaining DCs.

* encrypt passwords = yes
  This has been the default for a long time.

These are just some improvement suggestions, but not related to your problem.

Ok. And now the things that are incorrect for a Samba AD domain member:

* realm = DOMAIN.NET and workgroup = WGNAME
  In this case, I would expect that "DOMAIN" is your NetBIOS domain name ("workgroup" setting), not something different. If this really matches your AD setup, it should work - but it's not the recommended way to set up an AD.

* security = DOMAIN
  This setting is for an NT4 domain. Use "security = ADS"

* Your ID mapping configuration is missing completely.
  See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
  No warranty that this works for 3.6. Our documentation only covers supported Samba versions.

I recommend the following:

* Update Samba to a supported version (recommended: 4.6.0). Samba 3.6 was released in 2011. A lot of things regarding AD were improved in later releases.
  https://wiki.samba.org/index.php/Updating_Samba

* Read: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
  I recently rewrote the doc and it works for all supported versions.

Regards,
Marc
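The smb.conf review above can be turned into a repeatable check. The following is an added example, not code from any of the posters or from the Samba project: a small Python linter that applies the points Marc raises (security = DOMAIN with a realm set, no idmap config, a pinned password server list, an alias equal to the server string, the redundant encrypt passwords line) to a constructed [global] section modelled on Henrik's, and shows the same checks passing on a corrected fragment; the idmap range is an example value.

```python
import configparser

# Constructed sample: Henrik's [global] section, trimmed to the settings the
# replies comment on (hostnames are the placeholders used in the thread).
POSTED_GLOBAL = """\
[global]
netbios aliases = string1
server string = string1
realm = DOMAIN.NET
password server = server3.string1.net sever4.string1.net
workgroup = WGNAME
encrypt passwords = yes
security = DOMAIN
"""

# Constructed corrected fragment: security = ADS plus an idmap config block.
# The range is an example value, not a recommendation from the thread.
FIXED_GLOBAL = """\
[global]
server string = string1
realm = DOMAIN.NET
workgroup = WGNAME
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
"""


def lint_domain_member(text):
    """Return (setting, message) findings for an AD domain-member smb.conf."""
    # Only '=' may separate key and value, so 'idmap config * : backend = tdb'
    # keeps the ':' inside its key; configparser lower-cases the keys.
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.read_string(text)
    g = cp["global"]
    found = []
    if "realm" in g and g.get("security", "").strip().lower() == "domain":
        found.append(("security", "DOMAIN is for NT4 domains; with a realm set use ADS"))
    if not any(k.startswith("idmap config") for k in g):
        found.append(("idmap config", "no ID mapping configured"))
    if "password server" in g:
        found.append(("password server", "DCs pinned to a list; if all are down no other DC is tried"))
    alias = g.get("netbios aliases", "").strip().lower()
    if alias and alias == g.get("server string", "").strip().lower():
        found.append(("netbios aliases", "alias is identical to server string"))
    if g.get("encrypt passwords", "").strip().lower() == "yes":
        found.append(("encrypt passwords", "yes is already the default"))
    return found
```

Feeding the real /etc/samba/smb.conf to lint_domain_member(open(path).read()) reports the same five points for the posted configuration and nothing for the corrected one.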
Henrik Johansson
2017-Mar-18 16:49 UTC
[Samba] AD integration not working after move/version
Hi Rowland and thanks for your reply,

> On 18 Mar 2017, at 16:54, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sat, 18 Mar 2017 16:06:28 +0100
> Henrik Johansson via samba <samba at lists.samba.org> wrote:
>
>> Hi!
>>
>> I am in a bit of trouble, I have moved a samba installation from one
>> virtual host to another keeping the configuration files and
>> filesystems. But during the transition something broke, now windows
>> users are no longer able to access their shares. I think it has to do
>> with the AD integration. I do not know if it is because some state is
>> missing on this host related to the AD integration or if something
>> has changed since the version of samba is higher on the new host. We
>> have the same set of private files also (passdb.tdb and secrets.tdb).
>>
>> Old version was 3.5.8 and the new version on the virtual host that
>> does not work is 3.6.25.
>
> What OS is this on ?
> Can you upgrade to a Samba version that is not EOL ?

Short summary; this is on an old Solaris 10 system, the virtual host is a Solaris zone, or two instances of the zone on two hosts for failover. The config is years old and I had no part in this, but we needed to upgrade Solaris; Oracle has only managed to release 3.5.8 or something close to that as patches. I could of course compile my own version or something but Samba was not the scope for this operation, it just stopped working which is a huge problem, and it can be because we needed to switch to the other zone or because the config did not work with this slightly newer version.

>> Any ideas on how to debug this are helpful, I know very little about AD
>> integration, perhaps the virtual host needs to join the domain again
>> and authenticate, can I check the status of the integration in any
>> way?
>
> You will probably need to join the new domain member again.

I’m trying, and getting:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Server not found in Kerberos database

>> # Global parameters
>> [global]
>> 	log file = /var/samba/log/clientlog.%m
>> 	dns proxy = No
>> 	acl check permissions = False
>> 	netbios aliases = string1
>> 	server string = string1
>> 	name resolve order = hosts bcast
>> 	realm = DOMAIN.NET
>> 	password server = server3.string1.net sever4.string1.net
>> 	# wins server = x.x.x.x
>> 	local master = no
>> 	workgroup = WGNAME
>> 	os level = 0
>> 	domain master = no
>> 	encrypt passwords = yes
>> 	security = DOMAIN
>
> Try changing 'security = DOMAIN' to 'security = ADS'
>
> Are you running winbind or are you using something else for
> authentication ?

I am under the impression that it’s kerberos.

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Henrik Johansson
2017-Mar-18 16:53 UTC
[Samba] AD integration not working after move/version
Hi Marc and thanks for your reply,

> On 18 Mar 2017, at 17:26, Marc Muehlfeld via samba <samba at lists.samba.org> wrote:
>
> Hi Henrik,
>
> On 18.03.2017 at 16:06, Henrik Johansson via samba wrote:
>> Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.
>
> That's not really a step forward to a supported Samba version. :-)
> https://wiki.samba.org/index.php/Samba_Release_Planning

I just replied to the first answer I got, and wrote a bit about the background, it’s Solaris 10 with the provided samba. I will look through your suggestions and try to create a new config, I would however like just to get it working as it was before right now and then take care of improvements when it’s not a disturbance for customers (and not after a long night working in the weekend ;) ). I’ll try to see if I can recreate the “unconfigured” behaviour with id-mapping for now.

>> # Global parameters
>> [global]
>> 	log file = /var/samba/log/clientlog.%m
>> 	dns proxy = No
>> 	acl check permissions = False
>> 	netbios aliases = string1
>> 	server string = string1
>> 	name resolve order = hosts bcast
>> 	realm = DOMAIN.NET
>> 	password server = server3.string1.net sever4.string1.net
>> 	# wins server = x.x.x.x
>> 	local master = no
>> 	workgroup = WGNAME
>> 	os level = 0
>> 	domain master = no
>> 	encrypt passwords = yes
>> 	security = DOMAIN
>> 	unix charset = ISO8859-1
>> 	max log size = 50
>> 	# Fix for not to do lpstat since we don't use printers in Samba
>> 	load printers = no
>> 	printing = bsd
>> 	printcap name = /dev/null
>> 	disable spoolss = yes
>
> First some nitpicks about your smb.conf:
> * netbios aliases = string1
>   Makes no sense to set an alias to exactly the same name
>   as "server string" :-)
>
> * password server: If there is no reason to only request some
>   specific servers, I would not limit this. If both are down,
>   Samba won't talk to other remaining DCs.
>
> * encrypt passwords = yes
>   This has been the default for a long time.
>
> These are just some improvement suggestions, but not related to your problem.
>
> Ok. And now the things that are incorrect for a Samba AD domain member:
>
> * realm = DOMAIN.NET and workgroup = WGNAME
>   In this case, I would expect that "DOMAIN" is your NetBIOS domain
>   name ("workgroup" setting), not something different. If this
>   really matches your AD setup, it should work - but it's not
>   the recommended way to set up an AD.
>
> * security = DOMAIN
>   This setting is for an NT4 domain. Use "security = ADS"
>
> * Your ID mapping configuration is missing completely.
>   See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
>   No warranty that this works for 3.6. Our documentation only
>   covers supported Samba versions.
>
> I recommend the following:
>
> * Update Samba to a supported version (recommended: 4.6.0).
>   Samba 3.6 was released in 2011. A lot of things regarding AD were
>   improved in later releases.
>   https://wiki.samba.org/index.php/Updating_Samba
>
> * Read: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>   I recently rewrote the doc and it works for all supported versions.

Thank you, it looks like I have stumbled on an old configuration that has not been maintained, I’ll do my best to get up to speed on samba and see if I can get a working configuration and/or new version and get it to work.

Regards
Henrik
On Sat, 18 Mar 2017 17:26:11 +0100
Marc Muehlfeld via samba <samba at lists.samba.org> wrote:

> Hi Henrik,
>
> On 18.03.2017 at 16:06, Henrik Johansson via samba wrote:
> > Old version was 3.5.8 and the new version on the virtual host that
> > does not work is 3.6.25.
>
> That's not really a step forward to a supported Samba version. :-)
> https://wiki.samba.org/index.php/Samba_Release_Planning

Some people cannot upgrade, so they have to use what they have, but without knowing what OS the OP is using, we don't know if they can upgrade easily.

> First some nitpicks about your smb.conf:
> * netbios aliases = string1
>   Makes no sense to set an alias to exactly the same name
>   as "server string" :-)

Why ?

> * password server: If there is no reason to only request some
>   specific servers, I would not limit this. If both are down,
>   Samba won't talk to other remaining DCs.

That is correct and 'man smb.conf' tells you not to do it this way, but who reads manpages ;-)

> * encrypt passwords = yes
>   This has been the default for a long time.

It doesn't matter if it is there or not.

> Ok. And now the things that are incorrect for a Samba AD domain
> member:
>
> * realm = DOMAIN.NET and workgroup = WGNAME
>   In this case, I would expect that "DOMAIN" is your NetBIOS domain
>   name ("workgroup" setting), not something different. If this
>   really matches your AD setup, it should work - but it's not
>   the recommended way to set up an AD.

Well, Microsoft says you can use a netbios domain name that is different from the left part of the DNS name, so I suppose Samba should as well.

> * Your ID mapping configuration is missing completely.
>   See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
>   No warranty that this works for 3.6. Our documentation only
>   covers supported Samba versions.

I noticed it was missing as well, but the OP could be using something else instead of winbind.
'idmap config' existed on 3.6.0, so it should work.

> I recommend the following:
>
> * Update Samba to a supported version (recommended: 4.6.0).
>   Samba 3.6 was released in 2011. A lot of things regarding AD were
>   improved in later releases.

Why recommend something that the OP might not be able to do, without all the facts.

Rowland