William Kirstaedter
2022-Aug-30 15:12 UTC
[Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
Hello,

I'm running a samba AD server in the form of a univention appliance ...

with their latest release upgrade from UCS-5.0-1 to UCS-5.0-2 the samba version bumped from 4.13 to 4.16.

furthermore, I'm running commercial NetApp Storage Systems, providing a CIFS Server (joined my UCS Domain)

since the upgrade, I have the following problem:

while domain-joined windows clients still can connect to the shares provided by the NetApp, non-domain windows clients can't anymore.

they always produce the following error message in the NetApp's event log and report that the domain isn't available right now.

8/30/2022 16:06:21  napV-02  ERROR  secd.cifsAuth.problem: vserver (napV2) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 192.168.6.129
  [  0 ms] Login attempt by domain user 'FHI\cliff' using NTLMv2 style security
  [     0] No servers available for MS_NETLOGON, vserver: 4, domain: fhi.mpg.de.
  [    11] Hostname found in Name Service Cache
  [    11] Successfully connected to ip 192.168.6.100, port 445 using TCP
  [    31] Encountered NT error (NT_STATUS_INVALID_PARAMETER) for SMB command SessionSetup
  [    34] Unable to connect to NetLogon service on wayland.fhi.mpg.de (Error: RESULT_ERROR_SECD_NO_CONNECTIONS_AVAILABLE)
  [    34] No servers available for MS_NETLOGON, vserver: 4, domain: fhi.mpg.de.
**[    34] FAILURE: Unable to make a connection (NetLogon:FHI.MPG.DE), result: 6940
  [    34] CIFS authentication failed

8/30/2022 16:06:01  napV-02  ERROR  Nblade.CifsOperationTimedOut: Detected a timed out CIFS operation. SMB command for this operation: SMB2_COM_SESSION_SETUP, Number of times this command was suspended: 1186, Number of times this command was restarted: 0, Last CSM error during this operation: CSM_OK, Remote blade UUID: 00000000-0000-0000-0000-000000000000, Is QoS enabled: QoS_disabled, Last SpinNp error during this operation: SPINNP_NO_FO_ERROR, Client IP address: 192.168.6.129, Local IP address: 192.168.6.12, Target Vserver ID: 4, Target disk's DSID: 0

while my log.smbd file reports

[2022/08/30 17:11:39.808445,  1, pid=8018] ../../auth/gensec/spnego.c:1341(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT

I'm now asking here because neither Univention nor Netapp seem to want to help since they both say that combination is not supported / recommended. no reasons given.

I was hoping to get a new idea here...

thanks in advance,

-- 
William Kirstaedter (PP&B)
Fritz-Haber-Institut der MPG
Faradayweg 4-6
14195 Berlin
Tel: 030 8413 5405
Mail: kirstaedter at fhi-berlin.mpg.de
Rowland Penny
2022-Aug-30 16:10 UTC
[Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
On Tue, 2022-08-30 at 17:12 +0200, William Kirstaedter via samba wrote:
> Hello,
>
> I'm running a samba AD server in the form of a univention appliance ...
>
> with their latest release upgrade from UCS-5.0-1 to UCS-5.0-2 the samba
> version bumped from 4.13 to 4.16.
>
> furthermore, I'm running commercial NetApp Storage Systems, providing a
> CIFS Server (joined my UCS Domain)
>
> since the upgrade, I have the following problem:
>
> while domain-joined windows clients still can connect to the shares
> provided by the NetApp, non-domain windows clients can't anymore.
>
> they always produce the following error message in the NetApp's event log
> and report that the domain isn't available right now.
>
> 8/30/2022 16:06:21  napV-02  ERROR  secd.cifsAuth.problem: vserver (napV2) General CIFS authentication problem. Error: User authentication procedure failed
> CIFS SMB2 Share mapping - Client Ip = 192.168.6.129
>   [  0 ms] Login attempt by domain user 'FHI\cliff' using NTLMv2 style security
>   [     0] No servers available for MS_NETLOGON, vserver: 4, domain: fhi.mpg.de.
>   [    11] Hostname found in Name Service Cache
>   [    11] Successfully connected to ip 192.168.6.100, port 445 using TCP
>   [    31] Encountered NT error (NT_STATUS_INVALID_PARAMETER) for SMB command SessionSetup
>   [    34] Unable to connect to NetLogon service on wayland.fhi.mpg.de (Error: RESULT_ERROR_SECD_NO_CONNECTIONS_AVAILABLE)
>   [    34] No servers available for MS_NETLOGON, vserver: 4, domain: fhi.mpg.de.
> **[    34] FAILURE: Unable to make a connection (NetLogon:FHI.MPG.DE), result: 6940
>   [    34] CIFS authentication failed
>
> 8/30/2022 16:06:01  napV-02  ERROR  Nblade.CifsOperationTimedOut: Detected a timed out CIFS operation. SMB command for this operation: SMB2_COM_SESSION_SETUP, Number of times this command was suspended: 1186, Number of times this command was restarted: 0, Last CSM error during this operation: CSM_OK, Remote blade UUID: 00000000-0000-0000-0000-000000000000, Is QoS enabled: QoS_disabled, Last SpinNp error during this operation: SPINNP_NO_FO_ERROR, Client IP address: 192.168.6.129, Local IP address: 192.168.6.12, Target Vserver ID: 4, Target disk's DSID: 0
>
> while my log.smbd file reports
>
> [2022/08/30 17:11:39.808445,  1, pid=8018] ../../auth/gensec/spnego.c:1341(gensec_spnego_server_negTokenInit_step)
>   gensec_spnego_server_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
>
> I'm now asking here because neither Univention nor Netapp seem to want
> to help since they both say that combination is not supported /
> recommended. no reasons given.

Netapp uses their own proprietary operating system, so could this be another 'Sonos' like problem? i.e. it only uses SMBv1

Does the Netapp device have a smb.conf?

Do you have a contract with either Univention or Netapp? If so, they should explain why it isn't supported.

Rowland
Ralph Boehme
2022-Aug-31 08:30 UTC
[Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
On 8/30/22 17:12, William Kirstaedter via samba wrote:
> I'm now asking here because neither Univention nor Netapp seem to want
> to help since they both say that combination is not supported /
> recommended. no reasons given.

ouch, so you're sitting between the chairs. :/

If you can share logs from the Samba DC and network traces of the SMB login with the list, with a bit of luck someone has the time to look into them. But given the complexity of the issue and that this is going to contain sensitive data, I'm not sure community support is going to cut it.

If you have the option, you could consider commercial support via:

https://www.samba.org/samba/support/globalsupport.html

Cheers!
-slow

-- 
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba