Hello
On 29.09.2021 10:08, L.P.H. van Belle via samba wrote:
> This.
>> ../../source4/auth/ntlm/auth.c:241(auth_check_password_send)
>> auth_check_password_send: Checking password for unmapped user
>> [CYBERDYNE]\[CYB64W10-TEST$]@[CYB64W10-TEST]
>
> I would have expected
>> [CYBERDYNE]\[CYB64W10-TEST$]@[AD.CYBERDYNE.LOCAL]
Actually, right. I would expect the same. But in Samba 4.14.7 no such
problem appears.
> I see this now and then here also that, suddenly a computer/user can't
> login.
> Common causes..
> 1) PC time out of sync with DC.
No, Time is NTP-Synchronized.
> 2) Computer account its password expired.
Not sure, but Samba 4.14.7 does not complain at all; even reverting
just the Samba binaries, I am perfectly able to log on. Passwords are
supposed to renew automatically, to my knowledge. The machine is in
use almost daily, so it's not a machine which was not connected or off
for months.
> 3) Lost domain trust.
Right after the Samba 4.15 upgrade? On 80% of my machines? And machines
re-gain trust after a Samba downgrade? Hmmm
> But what does the event log show, and I assume the same user on another
> computer can login?
Good point, let me try to dig up some logs from my attempts yesterday
(meanwhile my Samba is rolled back).
Here is what I found in the event logs:
Log Name: System
Source: NETLOGON
Date: 9/28/2021 9:44:07 PM
Event ID: 3210
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: cyb64w10-test.ad.cyberdyne.local
Description:
This computer could not authenticate with \\skynet.ad.cyberdyne.local, a
Windows domain controller for domain CYBERDYNE, and therefore this
computer might deny logon requests. This inability to authenticate might
be caused by another computer on the same network using the same name or
the password for this computer account is not recognized. If this
message appears again, contact your system administrator.
Event Xml:
<Event
xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NETLOGON" />
<EventID Qualifiers="0">3210</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2021-09-28T19:44:07.3916682Z" />
<EventRecordID>24124</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>cyb64w10-test.ad.cyberdyne.local</Computer>
<Security />
</System>
<EventData>
<Data>CYBERDYNE</Data>
<Data>\\skynet.ad.cyberdyne.local</Data>
<Binary>220000C0</Binary>
</EventData>
</Event>
Again, this completely disappeared after rolling back, without domain
re-join or anything else. Samba 4.15 seems just to refuse authentication
for no good reason.
>> I also compared "samba-tool computer show" of a working and one
>> non-working machine and can't find any differences other than
>> timestamps.
> Hmm, is this an "old" domain, like from before 4.9?
Yes, even older. I was even using SAMBA-ldap on pre-4.0 releases. But
this particular machine was added later, for sure after the 4.0 AD upgrade.
Sure, I don't remember the exact dates of the upgrade. But yes, this domain was
upgraded all the way since the first Samba 4.x releases. However, I don't see
why this should cause such issues and why there is no proper migration.
So we might be looking at some upgrade/migration issue, but my
understanding was that Samba should actually handle this and not just
start denying computer account logins on upgrade.
Sure, if the machine is using some legacy authentication method or anything
like this, then I would expect Samba to first force the client to update
the password or authentication method before completely locking it out.
>
> Did you use
> 'samba-tool dns zoneoptions' for aging control
> ----------------------------------------------
> Or
> Marking old records as static or dynamic with 'samba-tool'
>
> From : https://www.samba.org/samba/history/samba-4.15.0.html
Yes, I did this. I set my servers to static entries and clients to dynamic
using a regex.
> If i have to gamble on this, 2 options.
> Windows 10 bug or Samba fix in 4.15 that triggered it.
Guessing the second one too. But I seem not to be the only one having
this issue. As mentioned, it seems to happen only to machines which have
been joined to the domain for quite a while (2+ years). Another machine I
joined just a few days ago on Samba 4.14.7 is not affected and still
allows login after the 4.15 upgrade.
So I would be fine if anyone could either:
- Provide a fix in Samba
- Provide a procedure to be run before the upgrade
- Provide a procedure to be run after the upgrade
(preferably no manual actions on clients like re-join)
Obviously I would like to avoid having to re-join all the machines but
if I would have to run some database-update command or migration script
I would be totally fine.
> And if you dont want to re-register 1 pc..
> (You can do this with a script at login for the whole domain. )
At login?
First of all, no user can log on to the affected machines (except local
user accounts). Users don't have any admin privileges on the machines;
logon scripts run in user context and cannot perform a domain join.
Moreover, the users can't even log on.
I might be able to use psexec to execute commands remotely, but did not
try whether this works when the domain machine account is actually denied. Also,
I don't want to do this: if I roll out Samba 4.15 in an environment
with hundreds of machines, I would rather not have to sync with
the users to bring the machines online and run commands in the background.
It's also just not acceptable to send a technician to all users to log
on locally and perform a domain re-join.
This machine is in my personal lab. I am holding off on Samba 4.15
deployment in any larger customer environment I am maintaining for this
reason.
> Increase the debugging and post it, maybe we see more in these loggings.
I could re-deploy 4.15 in my personal environment to try to reproduce,
but I am not sure to which log levels I should increase.
For me it certainly looks like changed behavior or a Samba bug, as
downgrading to 4.14.7 resolves the problem entirely.
Thanks for your hints and help.
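Added example, not part of the thread, Samba or Windows: a small Python decoder for the NETLOGON event 3210 pasted above. The part of the event the mail does not explain is the `<Binary>220000C0</Binary>` field; the assumption here (the usual reading for NETLOGON events) is that it carries the NTSTATUS of the failed secure-channel operation as 4 little-endian bytes, so `220000C0` is `0xC0000022`, STATUS_ACCESS_DENIED. The NTSTATUS name table and the cause hints are a hand-picked subset written for this example, and the sample event is the XML above re-joined onto well-formed lines with no field changed.

```python
"""Decode a NETLOGON event 3210 copied from Event Viewer as XML and turn its
trailing <Binary> field into a readable NTSTATUS.

Added example for this thread (not Samba or Windows code). Assumption: the
<Binary> blob of NETLOGON events holds the NTSTATUS as 4 little-endian bytes.
"""
import struct
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of NTSTATUS values (per Microsoft's published NTSTATUS list) that
# commonly surface in machine-account / secure-channel failures.
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
    0xC0000199: "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT",
    0xC0000233: "STATUS_DOMAIN_CONTROLLER_NOT_FOUND",
}

# Hand-written hints tying a status to the "common causes" discussed in the
# thread; these are triage pointers written for this example, not authoritative.
CAUSE_HINTS = {
    0xC0000022: "DC refused the secure channel: machine password not recognized, or duplicate computer name",
    0xC000006A: "machine account password mismatch between client and DC",
    0xC0000133: "client clock too far from the DC clock (check NTP)",
    0xC000018B: "no matching computer account on the DC (trust broken)",
    0xC0000199: "account exists but is not a workstation trust account",
}

SEVERITIES = ("success", "informational", "warning", "error")


def decode_ntstatus(hex_blob: str) -> dict:
    """Interpret the first 4 bytes of an event's <Binary> hex string as a
    little-endian NTSTATUS and split it into its documented bit fields."""
    raw = bytes.fromhex(hex_blob.strip())
    if len(raw) < 4:
        raise ValueError("binary data shorter than one NTSTATUS")
    value = struct.unpack_from("<I", raw, 0)[0]
    return {
        "value": value,
        "hex": f"0x{value:08X}",
        "name": NTSTATUS_NAMES.get(value, "UNKNOWN"),
        "severity": SEVERITIES[value >> 30],   # top two bits: 11 = error
        "facility": (value >> 16) & 0x0FFF,    # bits 27..16; 0 = FACILITY_NULL
        "code": value & 0xFFFF,
        "hint": CAUSE_HINTS.get(value, "no hint for this status"),
    }


def parse_netlogon_event(xml_text: str) -> dict:
    """Pull the fields that matter for event 3210 out of one <Event> element."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", EVT_NS)]
    binary = root.find("e:EventData/e:Binary", EVT_NS)
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=EVT_NS)),
        "provider": system.find("e:Provider", EVT_NS).get("Name"),
        "computer": system.findtext("e:Computer", namespaces=EVT_NS),
        "time": system.find("e:TimeCreated", EVT_NS).get("SystemTime"),
        # For 3210 the two <Data> items are the domain and the DC path.
        "domain": data[0] if data else None,
        "dc": data[1] if len(data) > 1 else None,
        "status": decode_ntstatus(binary.text) if binary is not None and binary.text else None,
    }


def summarize(event: dict) -> str:
    """One-line triage summary of a parsed event."""
    st = event["status"]
    return (f"{event['provider']} {event['event_id']} on {event['computer']} at {event['time']}: "
            f"domain {event['domain']} via {event['dc']} -> {st['hex']} {st['name']} "
            f"({st['severity']}); {st['hint']}")


# Sample input: the event from the mail above, re-joined onto well-formed
# lines with no field changed.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NETLOGON" />
<EventID Qualifiers="0">3210</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2021-09-28T19:44:07.3916682Z" />
<EventRecordID>24124</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>cyb64w10-test.ad.cyberdyne.local</Computer>
<Security />
</System>
<EventData>
<Data>CYBERDYNE</Data>
<Data>\\skynet.ad.cyberdyne.local</Data>
<Binary>220000C0</Binary>
</EventData>
</Event>"""

if __name__ == "__main__":
    print(summarize(parse_netlogon_event(SAMPLE_EVENT)))
```

Run stand-alone it prints one line ending in `0xC0000022 STATUS_ACCESS_DENIED (error)`, which matches the "password for this computer account is not recognized" wording of the event text. To triage a fleet, each `<Event>` element returned by `wevtutil qe System /q:"*[System[EventID=3210]]" /f:xml` can be passed to `parse_netlogon_event` one at a time; a status other than ACCESS_DENIED (for example STATUS_TIME_DIFFERENCE_AT_DC) points at a different cause from the list in the thread.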