L. van Belle
2022-Aug-31 09:32 UTC
[Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
He needs to get the smb.conf from the Univention server and show it in the list.
Only when we see that can we give an estimate of what's going on.

Just like the Synology, I'm assuming Univention used "unsupported" settings.
They work in lower Samba versions, but the higher the Samba version, the more problems they will get.

Greetz,

Louis

> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Ralph Boehme via samba
> Sent: Wednesday, 31 August 2022 10:31
> To: William Kirstaedter <kirstaedter at fhi-berlin.mpg.de>; samba at lists.samba.org
> Subject: Re: [Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
>
> On 8/30/22 17:12, William Kirstaedter via samba wrote:
> > I'm now asking here because neither Univention nor Netapp seem to want
> > to help since they both say that combination is not supported /
> > recommended. no reasons given.
>
> ouch, so you're sitting between the chairs. :/
>
> If you can share logs from the Samba DC and network traces of the SMB login
> with the list, with a bit of luck someone has the time to look into them. But
> given the complexity of the issue and that this is going to contain sensitive
> data, I'm not sure community support is going to cut it.
>
> If you have the option, you could consider commercial support via:
>
> https://www.samba.org/samba/support/globalsupport.html
>
> Cheers!
> -slow
>
> --
> Ralph Boehme, Samba Team https://samba.org/
> SerNet Samba Team Lead https://sernet.de/en/team-samba
William Kirstaedter
2022-Aug-31 10:05 UTC
[Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
@Ralph I was referring to this line in /var/log/samba/log.smbd on the AD server:

[2022/08/30 17:11:39.808445,  1, pid=8018] ../../auth/gensec/spnego.c:1341(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT

@Rowland Well, the hammer is not an option, my colleague would cut my head off :D He likes them for their resilience, and these machines are really expensive...

@Louis / all, here's the extracted smb.conf, which is compiled from several templates:

root at wayland:~# cat /etc/samba/smb.conf
# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warning: This file was generated automatically and may be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
#
# /etc/univention/templates/files/etc/samba/smb.conf.d/10global
# /etc/univention/templates/files/etc/samba/smb.conf.d/11univention-smb-service
# /etc/univention/templates/files/etc/samba/smb.conf.d/21univention-samba_winbind
# /etc/univention/templates/files/etc/samba/smb.conf.d/31univention-samba_password
# /etc/univention/templates/files/etc/samba/smb.conf.d/41univention-samba_printing
# /etc/univention/templates/files/etc/samba/smb.conf.d/51univention-samba_domain
# /etc/univention/templates/files/etc/samba/smb.conf.d/61univention-samba_misc
# /etc/univention/templates/files/etc/samba/smb.conf.d/71univention-samba_users
# /etc/univention/templates/files/etc/samba/smb.conf.d/81univention-quota_scripts
# /etc/univention/templates/files/etc/samba/smb.conf.d/90univention-samba_user_shares
# /etc/univention/templates/files/etc/samba/smb.conf.d/91univention-samba_shares
# /etc/univention/templates/files/etc/samba/smb.conf.d/92univention-samba_shares
# /etc/univention/templates/files/etc/samba/smb.conf.d/95univention-samba_local_config
# /etc/univention/templates/files/etc/samba/smb.conf.d/99univention-samba_local_shares
#
; ---------------------<10global>------------------------
[global]
        debug level     = 1
        logging         = file
        max log size    = 0
        netbios name    = wayland
        server role     = active directory domain controller
        name resolve order      = wins host bcast
        server string   = Univention Corporate Server
        server services = -dns -smb +s3fs -nbt
        server role check:inhibit = yes
        # use nmbd; to disable set samba4/service/nmb to s4
        nmbd_proxy_logon:cldap_server=127.0.0.1
        workgroup       = FHI
        realm           = FHI.MPG.DE
        tls enabled     = yes
        tls keyfile     = /etc/univention/ssl/wayland.fhi.mpg.de/private.key
        tls certfile    = /etc/univention/ssl/wayland.fhi.mpg.de/cert.pem
        tls cafile      = /etc/univention/ssl/ucsCA/CAcert.pem
        tls verify peer = ca_and_name
        ldap server require strong auth = allow_sasl_over_tls
        dsdb:schema update allowed = no
        max open files = 32808
        interfaces      = lo ens192
        bind interfaces only    = yes
        server signing  = yes
        ntlm auth       = yes
        machine password timeout        = 0
        acl allow execute always = True
        kccsrv:samba_kcc = False
; ---------------------</10global>------------------------
; ---------------------<smb service configuration>-----------------------
        debug hirestimestamp = yes
        debug pid = yes
; ---------------------</smb service configuration>----------------------
        ; idmap/winbind
        winbind separator = +
        template shell = /bin/bash
        template homedir = /home/%D-%U
        idmap config * : backend = tdb
        idmap config * : range = 300000-400000
        passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
        obey pam restrictions = yes
        spoolss: architecture = Windows x64
        ; domain service lookup related settings
        preferred master = yes
        local master = yes
        domain master = yes
        wins support = yes
        ; miscellaneous settings, mostly for file services
        oplocks = yes
        large readwrite = yes
        read raw = yes
        write raw = yes
        max xmit = 65535
        acl:search = yes
        host msdfs = yes
        kernel oplocks = yes
        deadtime = 15
        getwd cache = yes
        wide links = no
        store dos attributes = yes
        max protocol = smb2
        client max protocol = smb2
        logon home = \\wayland\%U
        logon drive = I:
        logon path = \\wayland\%U\windows-profiles\%a
        preserve case = yes
        short preserve case = yes
        guest account = nobody
        map to guest = Bad User
        admin users = administrator join-backup
        usershare max shares = 0
; -----------------------------------------------------------------------------------------------------------
        include = /etc/samba/base.conf
        include = /etc/samba/shares.conf
        include = /etc/samba/printers.conf
        include = /etc/samba/local.config.conf

and the includes...:

base.conf
# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warning: This file was generated automatically and may be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
#
#       /etc/univention/templates/files/etc/samba/base.conf
#
[netlogon]
        comment = Domain logon service
        path = /var/lib/samba/sysvol/fhi.mpg.de/scripts
        public = no
        preserve case = yes
        case sensitive = no
        vfs objects = dfs_samba4 acl_xattr
        read only = no
[sysvol]
        path = /var/lib/samba/sysvol
        public = no
        preserve case = yes
        case sensitive = no
        vfs objects = dfs_samba4 acl_xattr
        read only = no
        acl xattr update mtime = yes
[homes]
        comment = Heimatverzeichnisse
        hide files = /windows-profiles/
        browsable = no
        read only = no
        create mask = 0700
        directory mask = 0700
        vfs objects = acl_xattr
[printers]
        comment = Drucker
        browseable = no
        path = /tmp
        printable = yes
        public = no
        writable = no
        create mode = 0700
        # use client driver = true
        # lpq command = lpstat -o %p
        # lprm command = cancel %p-%j
        # using windows printer drivers
        # print command = lpr -P %p -o raw %s -r
        # using cups drivers (PostScript on Windows)
        # print command = lpr -P %p %s
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        browseable = yes
        guest ok = no
        read only = no
        write list = root, Administrator, @Printer-Admins
------------------------------------------------------------------------------
share.conf (only used for login wallpaper)
[share]
path = /share
msdfs root = no
writeable = yes
browseable = yes
public = yes
dos filemode = no
hide unreadable = no
create mode = 0744
directory mode = 0755
force create mode = 00
force directory mode = 00
locking = 1
strict locking = Auto
oplocks = 1
level2 oplocks = 1
fake oplocks = 0
csc policy = manual
nt acl support = 1
inherit acls = 1
vfs objects = acl_xattr
inherit owner = no
inherit permissions = no
map acl inherit = yes
------------------------------------------------------------------------------
homedirs.conf (this should not be of interest since all homes are on the netapp)
[homedirs]
path = /home
msdfs root = no
writeable = yes
browseable = yes
public = no
dos filemode = no
hide unreadable = no
create mode = 0744
directory mode = 0755
force create mode = 00
force directory mode = 00
locking = 1
strict locking = Auto
oplocks = 1
level2 oplocks = 1
fake oplocks = 0
csc policy = manual
nt acl support = 1
inherit acls = 1
vfs objects = acl_xattr
inherit owner = no
inherit permissions = no
map acl inherit = yes
------------------------------------------------------------------------------
global.local.config.conf (this was their fix for a previous upgrade)
[global]
auth methods = sam winbind sam_ignoredomain
server require schannel:141.14.140.32 = no
server require schannel:141.14.143.33 = no
server require schannel:nap32.fhi.mpg.de = no
server require schannel:nap32.rz-berlin.mpg.de = no
server require schannel:nap33.fhi.mpg.de = no
server require schannel:nap33.rz-berlin.mpg.de = no
server schannel = yes
------------------------------------------------------------------------------

Do you need more? I can also set the log level to 10 and post a link to that huge file if you want to read through that... really, thanks!
William Kirstaedter (PP&B)
Fritz-Haber-Institut der MPG
Faradayweg 4-6
14195 Berlin
Tel: 030 8413 5405
Mail: kirstaedter at fhi-berlin.mpg.de

On 31.08.2022 at 11:32, L. van Belle via samba wrote:
> He needs to get the smb.conf from the Univention server and show it in the list.
> Only when we see that can we give an estimate of what's going on.
>
> Just like the Synology, I'm assuming Univention used "unsupported" settings.
> They work in lower Samba versions, but the higher the Samba version, the more problems they will get.
>
> Greetz,
>
> Louis
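As an added example that is not part of this thread or of Samba itself: a small parser for the two-line log.smbd entries produced by the "debug hirestimestamp = yes" / "debug pid = yes" settings quoted above, which groups each header with its message and pulls out the SPNEGO negTokenInit failures William reported. The sample log is constructed; only the first entry mirrors the line from the thread, the other source paths and messages are invented for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime

# Header line as written by smbd with "debug hirestimestamp = yes" and "debug pid = yes":
#   [YYYY/MM/DD HH:MM:SS.ffffff,  LEVEL, pid=PID] source.c:LINE(function)
# The message itself follows on the next, indented line(s).
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+)\]"
    r"\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>[^)]+)\)\s*$"
)

@dataclass
class LogEntry:
    ts: datetime
    level: int
    pid: int
    func: str
    message: str = ""

def parse_smbd_log(text: str) -> list[LogEntry]:
    """Group each header line with the indented message lines that follow it."""
    entries: list[LogEntry] = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append(LogEntry(ts=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
                                    level=int(m["level"]), pid=int(m["pid"]), func=m["func"]))
        elif entries and raw.strip():
            # continuation line: append to the message of the most recent header
            entries[-1].message = (entries[-1].message + " " + raw.strip()).strip()
    return entries

def spnego_mech_failures(entries: list[LogEntry]) -> list[LogEntry]:
    """Entries where the server found no usable SPNEGO mechanism in the client's NEG_TOKEN_INIT."""
    return [e for e in entries
            if e.func == "gensec_spnego_server_negTokenInit_step"
            and "Could not find a suitable mechtype" in e.message]

# Constructed sample: entry 1 is the line from the thread, entries 2 and 3 are made up.
SAMPLE_LOG = """\
[2022/08/30 17:11:39.808445,  1, pid=8018] ../../auth/gensec/spnego.c:1341(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
[2022/08/30 17:11:40.100000,  3, pid=8018] ../../source3/smbd/service.c:100(make_connection_snum)
  make_connection_snum: constructed unrelated message
[2022/08/30 17:12:01.500000,  1, pid=8020] ../../auth/gensec/spnego.c:1341(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
"""

if __name__ == "__main__":
    for e in spnego_mech_failures(parse_smbd_log(SAMPLE_LOG)):
        print(f"{e.ts.isoformat()} pid={e.pid}: {e.message}")
```

Run against a real log.smbd, the per-pid timestamps let you line the failures up with the client's SMB session setup in a packet capture.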