James Atwell
2020-May-16 17:41 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 5/16/2020 9:55 AM, Rowland penny via samba wrote:> On 16/05/2020 14:40, James Atwell wrote: >> >> On 5/16/2020 5:00 AM, Rowland penny via samba wrote: >>> On 15/05/2020 19:52, James Atwell via samba wrote: >>>> Hello, >>>> >>>> ??????? I upgraded two DC's to 4.12.2 from 4.11.6 before I noticed >>>> authentication issues with a couple Netgear ReadyNAS we have. For >>>> reference I have a total of 6 DC's with 4 running 4.11.6 and two >>>> now running 4.12.2.? I ran the usual ./configure,make,make install >>>> from tar without issues. However running samba-tool drs showrepl I >>>> noticed a couple errors. Looking through the list I found someone >>>> else with the same initial problems.? See thread here >>>> https://lists.samba.org/archive/samba/2020-April/229230.html From >>>> this thread I did what was suggested by Alex and that resolved >>>> those initial errors.? This brings me back to the Netgear file >>>> servers. I am no longer able to authenticate the ReadyNAS with my >>>> domain.? I receive a join error within the Netgear dashboard with >>>> no additional info. No error code, nothing. I turned up the logging >>>> on the Samba server I pointed the ReadyNAS at and could see the log >>>> for the administrator user I'm using to try and join and >>>> authenticate. Samba shows a successful authentication but then it >>>> appears to end there. Additional details below about my setup. >>> >>> You need to see the logs for the readynas to try and find out what >>> is going on. >>> >>> This is what I would do: >>> >>> Seize the FSMO roles to one of the 4.11.6 DC's >>> >>> Demote the two 4.12.2 DC's >>> >>> Remove everything in /usr/local/samba >>> >>> Test if your readynas now connects to the domain again, try a >>> re-join if not >>> >>> If you have connection, then good, if not, you need to find out why >>> not and this will require seeing the readynas logs, you may have to >>> ask netgear about that. >>> >>> Once you have connection from the readynas, run 'make install' again >>> (No, you shouldn't have to totally build Samba again) >>> >>> Once Samba is installed again, try joining as a DC, hopefully it >>> should now work. >>> >>> The only major change between 4.11.x and 4.12.x is that you now need >>> Python 3.5, perhaps you do not have this ? >>> >>> Rowland >>> >>> >>> >> Thanks for the input. Before I do I want to add additional >> troubleshooting details.? Replication works among all DC's with no >> obvious samba errors or windows authentication errors.? I unjoined a >> Windows 10 machine and rejoined to the domain without issue. > > You didn't say that before ;-) > > If everything is working except for your readynas, then it sounds like > this could be a problem with your readynas. > > You do not say how old the readynas is, but are there any updates > available for it ? > > Before you do anything, I would ask netgear if they are aware of this > problem, might be worth mentioning the word 'SMBv1'. > >> Everything else is working as it should (i.e, user creation, dns >> admin, gpo's).? The one other thing I did do different this time and >> I should have noted previously was use the Verified Package >> Dependencies from the Wiki to ensure I wasn't missing any. Other than >> that the build was the same. >> >> I haven't had to do a seize in a long time of the FSMO roles. If the >> DC's I upgraded appear to be working should I just transfer or seize? >> Thanks. >> > Simple answer, if you can transfer, then transfer, if not, then seize, > but use '--force' (this stops a useless transfer attempt). > > Rowland > > >> >> -James >> > >So I suppose I still have trouble with my domain. root at pfdc1:/# net ads user info administrator -U administrator Enter administrator's password: kerberos_kinit_password SAMBA at SAMBA.LOCAL failed: Client not found in Kerberos database kerberos_kinit_password SAMBA at SAMBA.LOCAL failed: Client not found in Kerberos database
Rowland penny
2020-May-16 18:02 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 16/05/2020 18:41, James Atwell wrote:> > On 5/16/2020 9:55 AM, Rowland penny via samba wrote: >> On 16/05/2020 14:40, James Atwell wrote: >>> >>> On 5/16/2020 5:00 AM, Rowland penny via samba wrote: >>>> On 15/05/2020 19:52, James Atwell via samba wrote: >>>>> Hello, >>>>> >>>>> ??????? I upgraded two DC's to 4.12.2 from 4.11.6 before I noticed >>>>> authentication issues with a couple Netgear ReadyNAS we have. For >>>>> reference I have a total of 6 DC's with 4 running 4.11.6 and two >>>>> now running 4.12.2.? I ran the usual ./configure,make,make install >>>>> from tar without issues. However running samba-tool drs showrepl I >>>>> noticed a couple errors. Looking through the list I found someone >>>>> else with the same initial problems.? See thread here >>>>> https://lists.samba.org/archive/samba/2020-April/229230.html From >>>>> this thread I did what was suggested by Alex and that resolved >>>>> those initial errors.? This brings me back to the Netgear file >>>>> servers. I am no longer able to authenticate the ReadyNAS with my >>>>> domain.? I receive a join error within the Netgear dashboard with >>>>> no additional info. No error code, nothing. I turned up the >>>>> logging on the Samba server I pointed the ReadyNAS at and could >>>>> see the log for the administrator user I'm using to try and join >>>>> and authenticate. Samba shows a successful authentication but then >>>>> it appears to end there. Additional details below about my setup. >>>> >>>> You need to see the logs for the readynas to try and find out what >>>> is going on. >>>> >>>> This is what I would do: >>>> >>>> Seize the FSMO roles to one of the 4.11.6 DC's >>>> >>>> Demote the two 4.12.2 DC's >>>> >>>> Remove everything in /usr/local/samba >>>> >>>> Test if your readynas now connects to the domain again, try a >>>> re-join if not >>>> >>>> If you have connection, then good, if not, you need to find out why >>>> not and this will require seeing the readynas logs, you may have to >>>> ask netgear about that. >>>> >>>> Once you have connection from the readynas, run 'make install' >>>> again (No, you shouldn't have to totally build Samba again) >>>> >>>> Once Samba is installed again, try joining as a DC, hopefully it >>>> should now work. >>>> >>>> The only major change between 4.11.x and 4.12.x is that you now >>>> need Python 3.5, perhaps you do not have this ? >>>> >>>> Rowland >>>> >>>> >>>> >>> Thanks for the input. Before I do I want to add additional >>> troubleshooting details.? Replication works among all DC's with no >>> obvious samba errors or windows authentication errors.? I unjoined a >>> Windows 10 machine and rejoined to the domain without issue. >> >> You didn't say that before ;-) >> >> If everything is working except for your readynas, then it sounds >> like this could be a problem with your readynas. >> >> You do not say how old the readynas is, but are there any updates >> available for it ? >> >> Before you do anything, I would ask netgear if they are aware of this >> problem, might be worth mentioning the word 'SMBv1'. >> >>> Everything else is working as it should (i.e, user creation, dns >>> admin, gpo's).? The one other thing I did do different this time and >>> I should have noted previously was use the Verified Package >>> Dependencies from the Wiki to ensure I wasn't missing any. Other >>> than that the build was the same. >>> >>> I haven't had to do a seize in a long time of the FSMO roles. If the >>> DC's I upgraded appear to be working should I just transfer or >>> seize? Thanks. >>> >> Simple answer, if you can transfer, then transfer, if not, then >> seize, but use '--force' (this stops a useless transfer attempt). >> >> Rowland >> >> >>> >>> -James >>> >> >> > So I suppose I still have trouble with my domain. > > root at pfdc1:/# net ads user info administrator -U administrator > > Enter administrator's password: > kerberos_kinit_password SAMBA at SAMBA.LOCAL failed: Client not found in > Kerberos database > > kerberos_kinit_password SAMBA at SAMBA.LOCAL failed: Client not found in > Kerberos databaseWell that sorts that out, '-P' isn't working ;-) Is this on one of the 4.12 DC's or a 4.11 DC ? Rowland
James Atwell
2020-May-16 23:20 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 5/16/2020 2:02 PM, Rowland penny via samba wrote:> On 16/05/2020 18:41, James Atwell wrote: >> >> On 5/16/2020 9:55 AM, Rowland penny via samba wrote: >>> On 16/05/2020 14:40, James Atwell wrote: >>>> >>>> On 5/16/2020 5:00 AM, Rowland penny via samba wrote: >>>>> On 15/05/2020 19:52, James Atwell via samba wrote: >>>>>> Hello, >>>>>> >>>>>> ??????? I upgraded two DC's to 4.12.2 from 4.11.6 before I >>>>>> noticed authentication issues with a couple Netgear ReadyNAS we >>>>>> have. For reference I have a total of 6 DC's with 4 running >>>>>> 4.11.6 and two now running 4.12.2.? I ran the usual >>>>>> ./configure,make,make install from tar without issues. However >>>>>> running samba-tool drs showrepl I noticed a couple errors. >>>>>> Looking through the list I found someone else with the same >>>>>> initial problems.? See thread here >>>>>> https://lists.samba.org/archive/samba/2020-April/229230.html From >>>>>> this thread I did what was suggested by Alex and that resolved >>>>>> those initial errors.? This brings me back to the Netgear file >>>>>> servers. I am no longer able to authenticate the ReadyNAS with my >>>>>> domain.? I receive a join error within the Netgear dashboard with >>>>>> no additional info. No error code, nothing. I turned up the >>>>>> logging on the Samba server I pointed the ReadyNAS at and could >>>>>> see the log for the administrator user I'm using to try and join >>>>>> and authenticate. Samba shows a successful authentication but >>>>>> then it appears to end there. Additional details below about my >>>>>> setup. >>>>> >>>>> You need to see the logs for the readynas to try and find out what >>>>> is going on. >>>>> >>>>> This is what I would do: >>>>> >>>>> Seize the FSMO roles to one of the 4.11.6 DC's >>>>> >>>>> Demote the two 4.12.2 DC's >>>>> >>>>> Remove everything in /usr/local/samba >>>>> >>>>> Test if your readynas now connects to the domain again, try a >>>>> re-join if not >>>>> >>>>> If you have connection, then good, if not, you need to find out >>>>> why not and this will require seeing the readynas logs, you may >>>>> have to ask netgear about that. >>>>> >>>>> Once you have connection from the readynas, run 'make install' >>>>> again (No, you shouldn't have to totally build Samba again) >>>>> >>>>> Once Samba is installed again, try joining as a DC, hopefully it >>>>> should now work. >>>>> >>>>> The only major change between 4.11.x and 4.12.x is that you now >>>>> need Python 3.5, perhaps you do not have this ? >>>>> >>>>> Rowland >>>>> >>>>> >>>>> >>>> Thanks for the input. Before I do I want to add additional >>>> troubleshooting details.? Replication works among all DC's with no >>>> obvious samba errors or windows authentication errors.? I unjoined >>>> a Windows 10 machine and rejoined to the domain without issue. >>> >>> You didn't say that before ;-) >>> >>> If everything is working except for your readynas, then it sounds >>> like this could be a problem with your readynas. >>> >>> You do not say how old the readynas is, but are there any updates >>> available for it ? >>> >>> Before you do anything, I would ask netgear if they are aware of >>> this problem, might be worth mentioning the word 'SMBv1'. >>> >>>> Everything else is working as it should (i.e, user creation, dns >>>> admin, gpo's).? The one other thing I did do different this time >>>> and I should have noted previously was use the Verified Package >>>> Dependencies from the Wiki to ensure I wasn't missing any. Other >>>> than that the build was the same. >>>> >>>> I haven't had to do a seize in a long time of the FSMO roles. If >>>> the DC's I upgraded appear to be working should I just transfer or >>>> seize? Thanks. >>>> >>> Simple answer, if you can transfer, then transfer, if not, then >>> seize, but use '--force' (this stops a useless transfer attempt). >>> >>> Rowland >>> >>> >>>> >>>> -James >>>> >>> >>> >> So I suppose I still have trouble with my domain. >> >> root at pfdc1:/# net ads user info administrator -U administrator >> >> Enter administrator's password: >> kerberos_kinit_password SAMBA at SAMBA.LOCAL failed: Client not found in >> Kerberos database >> >> kerberos_kinit_password SAMBA at SAMBA.LOCAL failed: Client not found in >> Kerberos database > > Well that sorts that out, '-P' isn't working ;-) > > Is this on one of the 4.12 DC's or a 4.11 DC ? > > Rowland > > > >The issue exists with all of them.? I tried with several different usernames and the same thing. -James
James Atwell
2020-May-16 23:24 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 5/16/2020 2:02 PM, Rowland penny via samba wrote:> On 16/05/2020 18:41, James Atwell wrote: >> >> On 5/16/2020 9:55 AM, Rowland penny via samba wrote: >>> On 16/05/2020 14:40, James Atwell wrote: >>>> >>>> On 5/16/2020 5:00 AM, Rowland penny via samba wrote: >>>>> On 15/05/2020 19:52, James Atwell via samba wrote: >>>>>> Hello, >>>>>> >>>>>> ??????? I upgraded two DC's to 4.12.2 from 4.11.6 before I >>>>>> noticed authentication issues with a couple Netgear ReadyNAS we >>>>>> have. For reference I have a total of 6 DC's with 4 running >>>>>> 4.11.6 and two now running 4.12.2.? I ran the usual >>>>>> ./configure,make,make install from tar without issues. However >>>>>> running samba-tool drs showrepl I noticed a couple errors. >>>>>> Looking through the list I found someone else with the same >>>>>> initial problems.? See thread here >>>>>> https://lists.samba.org/archive/samba/2020-April/229230.html From >>>>>> this thread I did what was suggested by Alex and that resolved >>>>>> those initial errors.? This brings me back to the Netgear file >>>>>> servers. I am no longer able to authenticate the ReadyNAS with my >>>>>> domain.? I receive a join error within the Netgear dashboard with >>>>>> no additional info. No error code, nothing. I turned up the >>>>>> logging on the Samba server I pointed the ReadyNAS at and could >>>>>> see the log for the administrator user I'm using to try and join >>>>>> and authenticate. Samba shows a successful authentication but >>>>>> then it appears to end there. Additional details below about my >>>>>> setup. >>>>> >>>>> You need to see the logs for the readynas to try and find out what >>>>> is going on. >>>>> >>>>> This is what I would do: >>>>> >>>>> Seize the FSMO roles to one of the 4.11.6 DC's >>>>> >>>>> Demote the two 4.12.2 DC's >>>>> >>>>> Remove everything in /usr/local/samba >>>>> >>>>> Test if your readynas now connects to the domain again, try a >>>>> re-join if not >>>>> >>>>> If you have connection, then good, if not, you need to find out >>>>> why not and this will require seeing the readynas logs, you may >>>>> have to ask netgear about that. >>>>> >>>>> Once you have connection from the readynas, run 'make install' >>>>> again (No, you shouldn't have to totally build Samba again) >>>>> >>>>> Once Samba is installed again, try joining as a DC, hopefully it >>>>> should now work. >>>>> >>>>> The only major change between 4.11.x and 4.12.x is that you now >>>>> need Python 3.5, perhaps you do not have this ? >>>>> >>>>> Rowland >>>>> >>>>> >>>>> >>>> Thanks for the input. Before I do I want to add additional >>>> troubleshooting details.? Replication works among all DC's with no >>>> obvious samba errors or windows authentication errors.? I unjoined >>>> a Windows 10 machine and rejoined to the domain without issue. >>> >>> You didn't say that before ;-) >>> >>> If everything is working except for your readynas, then it sounds >>> like this could be a problem with your readynas. >>> >>> You do not say how old the readynas is, but are there any updates >>> available for it ? >>> >>> Before you do anything, I would ask netgear if they are aware of >>> this problem, might be worth mentioning the word 'SMBv1'. >>> >>>> Everything else is working as it should (i.e, user creation, dns >>>> admin, gpo's).? The one other thing I did do different this time >>>> and I should have noted previously was use the Verified Package >>>> Dependencies from the Wiki to ensure I wasn't missing any. Other >>>> than that the build was the same. >>>> >>>> I haven't had to do a seize in a long time of the FSMO roles. If >>>> the DC's I upgraded appear to be working should I just transfer or >>>> seize? Thanks. >>>> >>> Simple answer, if you can transfer, then transfer, if not, then >>> seize, but use '--force' (this stops a useless transfer attempt). >>> >>> Rowland >>> >>> >>>> >>>> -James >>>> >>> >>> >> So I suppose I still have trouble with my domain. >> >> root at pfdc1:/# net ads user info administrator -U administrator >> >> Enter administrator's password: >> kerberos_kinit_password SAMBA at SAMBA.LOCAL failed: Client not found in >> Kerberos database >> >> kerberos_kinit_password SAMBA at SAMBA.LOCAL failed: Client not found in >> Kerberos database > > Well that sorts that out, '-P' isn't working ;-) > > Is this on one of the 4.12 DC's or a 4.11 DC ? > > Rowland > > > >Forgot to add that kinit works though. root at dundc3:~# kinit administrator Password for administrator at SAMBA.LOCAL: root at dundc3:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: administrator at SAMBA.LOCAL Valid starting?????? Expires????????????? Service principal 05/16/2020 19:22:03? 05/17/2020 05:22:03 krbtgt/SAMBA.LOCAL at SAMBA.LOCAL ??????? renew until 05/17/2020 19:21:59 -James
Possibly Parallel Threads
- Upgrade from 4.11.6 to 4.12.2 created authentication issues
- Upgrade from 4.11.6 to 4.12.2 created authentication issues
- Upgrade from 4.11.6 to 4.12.2 created authentication issues
- Upgrade from 4.11.6 to 4.12.2 created authentication issues
- Upgrade from 4.11.6 to 4.12.2 created authentication issues