MORILLO Jordi
2020-Nov-22 14:42 UTC
[Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2
Hello !
I have just upgraded 40 x Samba domain member file servers from 4.11.14 to 4.13.2.
- No problem with the 20 x domain members that are in a unique Samba domain
(only Samba DCs)
- But for my other domain (composed of Windows 2016 DCs), all 20
x Samba domain members failed to serve files after this upgrade :-/
I have triple-checked /etc/hosts, hostname, krb5 etc. ... and nothing was wrong.
These Samba domain members were working fine with 4.11.14.
The Kerberos part is OK (kinit/klist).
Here are some interesting logs (errors only):
net ads testjoin
Join to domain is not valid: LDAP_OPERATIONS_ERROR
/var/log/samba/log.smbd :
[2020/11/22 13:13:18.319090, 0] ../../source3/printing/nt_printing.c:252(nt_printing_init)
nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
/var/log/samba/log.wb-EF540
[2020/11/22 12:14:31.081839, 0] ../../source3/winbindd/winbindd_cm.c:1874(wb_open_internal_pipe)
open_internal_pipe: Could not connect to dssetup pipe: NT_STATUS_RPC_INTERFACE_NOT_FOUND
[2020/11/22 12:14:31.094251, 0] ../../source3/rpc_server/rpc_ncacn_np.c:456(rpcint_dispatch)
rpcint_dispatch: DCE/RPC fault in call lsarpc:2E - DCERPC_NCA_S_OP_RNG_ERROR
After searching for some hours, I downgraded to 4.11.14 to solve this problem.
I use the tranquil.it repo; could it be some mis-built packages?
Below is the result of the debug script:
Collected config --- 2020-11-22-15:37 -----------
Hostname: ef540
DNS Domain: educ-for.local
FQDN: ef540.educ-for.local
ipaddress: 10.20.2.1
-----------
Kerberos SRV _kerberos._tcp.educ-for.local record verified ok, sample output:
Server: 10.1.1.12
Address: 10.1.1.12#53
_kerberos._tcp.educ-for.local service = 0 100 88 Yoda.educ-for.local.
_kerberos._tcp.educ-for.local service = 0 100 88 palpatine.educ-for.local.
_kerberos._tcp.educ-for.local service = 0 100 88 yoda.educ-for.local.
_kerberos._tcp.educ-for.local service = 0 100 88 vader.educ-for.local.
Samba is running as a Unix domain member
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.6 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether ee:26:ac:b2:ea:04 brd ff:ff:ff:ff:ff:ff
inet 10.20.2.1/16 brd 10.20.255.255 scope global eth0
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
10.20.2.1 ef540.educ-for.local
-----------
Checking file: /etc/resolv.conf
domain educ-for.local
search educ-for.local
nameserver 10.1.1.12
nameserver 10.1.5.1
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = EDUC-FOR.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
clockskew = 3600
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind systemd
group: compat winbind systemd
shadow: compat winbind
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
[global]
workgroup = EDUC-FOR
security = ADS
realm = EDUC-FOR.LOCAL
server role = member server
bind interfaces only = yes
interfaces = lo eth0
# Disable Netbios
disable netbios = Yes
smb ports = 445
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config EDUC-FOR:backend = rid
idmap config EDUC-FOR:range = 10000-70000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
domain master = no
local master = no
# For ACL support on member file server
vfs objects = acl_xattr
map acl inherit = Yes
# Printing global configuration
printcap cache time = 60
printcap name = cups
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
enumports command = /usr/local/bin/show-ports.sh
# Disable offline mode on all shares
csc policy = disable
[Commun]
path = /home/commun
read only = no
[users$]
path = /home/users
read only = no
[printers]
path = /var/spool/samba
comment = All Printers
printable = yes
printing = CUPS
create mask = 0700
guest ok = yes
print ok = yes
browseable = no
[print$]
comment = Printer Drivers
path = /var/lib/samba/printing
writable = yes
read only = no
write list = root Administrateur @"Admins du domaine"
-----------
Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
Warning, /etc/idmapd.conf does not exist
-----------
Installed packages:
ii acl 2.2.53-4 amd64 access control list - utilities
ii attr 1:2.4.48-4 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3+deb10u1 all internationalization support for MIT Kerberos
ii krb5-user 1.17-3+deb10u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba nameservice integration plugins
ii libsmbclient:amd64 2:4.13.2+dfsg-0.1buster1 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba winbind client library
ii python3-samba 2:4.13.2+dfsg-0.1buster1 amd64 Python 3 bindings for Samba
ii samba 2:4.13.2+dfsg-0.1buster1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.13.2+dfsg-0.1buster1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.13.2+dfsg-0.1buster1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.13.2+dfsg-0.1buster1 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.13.2+dfsg-0.1buster1 amd64 service to resolve user and group information from Windows NT servers
-----------
Rowland penny
2020-Nov-22 15:18 UTC
[Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2
On 22/11/2020 14:42, MORILLO Jordi via samba wrote:
> Hello !
>
> I have just upgraded 40 x Samba domain member file servers from 4.11.14 to 4.13.2
>
> - No problem with the 20 x domain members that are in a unique Samba domain (only Samba DCs)
>
> - But for my other domain (composed of Windows 2016 DCs), all 20 x Samba domain members failed to serve files after this upgrade :-/

Try installing these packages:

libpam-krb5
libpam-winbind

Rowland
MORILLO Jordi
2020-Nov-23 17:37 UTC
[Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2
Hi Rowland,

Sorry to inform you that none of these packages solved my problem.

But today, with some help from Tranquil.it, I have some news:

- Upgrade from 4.11.14 -> 4.12.9 is OK
- Upgrade from 4.12.9 -> 4.13.2: problem is present with the Tranquil.it AND Louis packages
- Fresh install + member join with 4.13.2 is OK (CentOS AND Buster packages)

The problem only occurs when upgrading a member to 4.13.2 with Windows 2016 DCs.

Here are some interesting parts of net ads testjoin -d99 between 4.11.14 and 4.13.2:

4.11.14 (working)
[...]
sitename_fetch: Returning sitename for realm 'EDUC-FOR.LOCAL': "Siege"
resolve_and_ping_dns: (cldap) looking for realm 'EDUC-FOR.LOCAL'
get_sorted_dc_list: attempting lookup for name EDUC-FOR.LOCAL (sitename Siege)
saf_fetch: Returning "Palpatine.educ-for.local" for "EDUC-FOR.LOCAL" domain
get_dc_list: preferred server list: "Palpatine.educ-for.local, *"
internal_resolve_name: looking up EDUC-FOR.LOCAL#1c (sitename Siege)
name EDUC-FOR.LOCAL#1C found.
[...]

4.13.2 (failed)
sitename_fetch: Returning sitename for realm 'EDUC-FOR.LOCAL': "Siege"
resolve_and_ping_dns: (cldap) looking for realm 'EDUC-FOR.LOCAL'
get_sorted_dc_list: attempting lookup for name EDUC-FOR.LOCAL (sitename Siege)
saf_fetch: failed to find server for "EDUC-FOR.LOCAL" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up EDUC-FOR.LOCAL#1c (sitename Siege)
gencache_set_data_blob: Adding cache entry with key=[NBT/EDUC-FOR.LOCAL#1C] and timeout=[jeu. janv. 1 01:00:00 1970 CET] (-1606149379 seconds in the past)
no entry for EDUC-FOR.LOCAL#1C found.
resolve_ads: Attempting to resolve DCs for EDUC-FOR.LOCAL using DNS

Good afternoon

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland penny via samba
Sent: Sunday, 22 November 2020 16:18
To: samba at lists.samba.org
Subject: Re: [Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2

On 22/11/2020 14:42, MORILLO Jordi via samba wrote:
> Hello !
>
> I have just upgraded 40 x Samba domain member file servers from 4.11.14 to 4.13.2
>
> - No problem with the 20 x domain members that are in a unique Samba domain (only Samba DCs)
>
> - But for my other domain (composed of Windows 2016 DCs), all 20 x Samba domain members failed to serve files after this upgrade :-/

Try installing these packages:

libpam-krb5
libpam-winbind

Rowland
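
An added example, not part of any message in this thread: a small Python helper that lines up the two `net ads testjoin -d99` excerpts quoted in the message above, reports the first step where the working and failing traces diverge, and lists cache entries written with a timeout already in the past. The function names are hypothetical and the sample input is constructed from the excerpts as posted.

```python
import re

# Constructed sample input: the two -d99 excerpts as quoted in the thread.
TRACE_4_11_14 = """\
sitename_fetch: Returning sitename for realm 'EDUC-FOR.LOCAL': "Siege"
resolve_and_ping_dns: (cldap) looking for realm 'EDUC-FOR.LOCAL'
get_sorted_dc_list: attempting lookup for name EDUC-FOR.LOCAL (sitename Siege)
saf_fetch: Returning "Palpatine.educ-for.local" for "EDUC-FOR.LOCAL" domain
get_dc_list: preferred server list: "Palpatine.educ-for.local, *"
internal_resolve_name: looking up EDUC-FOR.LOCAL#1c (sitename Siege)
name EDUC-FOR.LOCAL#1C found.
"""
TRACE_4_13_2 = """\
sitename_fetch: Returning sitename for realm 'EDUC-FOR.LOCAL': "Siege"
resolve_and_ping_dns: (cldap) looking for realm 'EDUC-FOR.LOCAL'
get_sorted_dc_list: attempting lookup for name EDUC-FOR.LOCAL (sitename Siege)
saf_fetch: failed to find server for "EDUC-FOR.LOCAL" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up EDUC-FOR.LOCAL#1c (sitename Siege)
gencache_set_data_blob: Adding cache entry with key=[NBT/EDUC-FOR.LOCAL#1C] and timeout=[jeu. janv. 1 01:00:00 1970 CET] (-1606149379 seconds in the past)
no entry for EDUC-FOR.LOCAL#1C found.
resolve_ads: Attempting to resolve DCs for EDUC-FOR.LOCAL using DNS
"""

STEP = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*): (.*)$")
STALE = re.compile(r"gencache_set_data_blob: Adding cache entry with key=\[([^\]]+)\] and timeout=\[[^\]]*\] \(-(\d+) seconds in the past\)")

def parse(trace):
    """Split a trace into (function, message); lines without a 'func:' prefix get None."""
    steps = []
    for line in (l.strip() for l in trace.splitlines() if l.strip()):
        m = STEP.match(line)
        steps.append((m.group(1), m.group(2)) if m else (None, line))
    return steps

def first_divergence(good, bad):
    """Return (index, good_step, bad_step) for the first step that differs, else None."""
    for i, (g, b) in enumerate(zip(parse(good), parse(bad))):
        if g != b:
            return i, g, b
    return None

def stale_cache_writes(trace):
    """List (cache key, seconds in the past) for entries written already expired."""
    return [(m.group(1), int(m.group(2))) for m in STALE.finditer(trace)]

if __name__ == "__main__":
    print(first_divergence(TRACE_4_11_14, TRACE_4_13_2))
    print(stale_cache_writes(TRACE_4_13_2))
```

On these excerpts the first difference is the `saf_fetch` step, and the only cache write flagged is the `NBT/EDUC-FOR.LOCAL#1C` entry, whose printed timeout (1 January 1970, 01:00 CET) is Unix time 0.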