spindles seven
2022-Nov-20 23:24 UTC
[Samba] Unable to access shares after upgrade to version 4.17.3
Hi all,

I have a domain-joined fileserver which was running a self-compiled version 4.17.2. I updated this to version 4.17.3 when it came out - again self-compiled. When bullseye backports became available for my box's architecture (armel) I decided to use that valuable resource rather than continue to self-compile. (Many thanks Michael for providing these releases in Backports - much appreciated). So I uninstalled the self-compiled version, deleted the folder /usr/local/samba and any .tdb files I could find.

I installed samba version 4.17.3-debian from backports and re-joined the domain, using the same smb.conf. However I now can't access the share from any Windows machine - even if I provide valid credentials. Testing with smbclient produces:

root@goflex:~# smbclient -L localhost -U%

        Sharename       Type      Comment
        ---------       ----      -------
        images          Disk
        IPC$            IPC       IPC Service (Samba 4.17.3-Debian)
SMB1 disabled -- no workgroup available

root@goflex:~# smbclient //goflex/images -U roy
Password for [MICROLYNX\roy]:
session setup failed: NT_STATUS_LOGON_FAILURE

root@goflex:~# smbclient //goflex.microlynx.org/images -U roy
Password for [MICROLYNX\roy]:
session setup failed: NT_STATUS_LOGON_FAILURE

BUT using the IP address of goflex succeeds:
root@goflex:~# smbclient //192.168.2.40/images -U roy
Password for [MICROLYNX\roy]:
Try "help" to get a list of possible commands.
smb: \>

Don't know whether this is relevant, but the log file: log.wb-GOFLEX reports:
[2022/11/20 22:44:19.851122, 1] ../../source3/rpc_client/cli_pipe.c:550(cli_pipe_validate_current_pdu)
  ../../source3/rpc_client/cli_pipe.c:550: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host goflex!
and

log.wb-MICROLYNX reports:
[2022/11/20 22:44:09.611781, 1] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory

and indeed there is no such file.

This pointed to a dns issue, so I checked that goflex.microlynx.org has an entry:
root@goflex:~# host -t A goflex
goflex.microlynx.org has address 192.168.2.40
root@goflex:~# host -t A goflex.microlynx.org
goflex.microlynx.org has address 192.168.2.40
root@goflex:~# dig goflex.microlynx.org

; <<>> DiG 9.16.33-Debian <<>> goflex.microlynx.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38034
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: aa9b9eee1a385ba201000000637ab570830c55f6a435553b (good)
;; QUESTION SECTION:
;goflex.microlynx.org.          IN      A

;; ANSWER SECTION:
goflex.microlynx.org.   3600    IN      A       192.168.2.40

;; Query time: 0 msec
;; SERVER: 192.168.2.4#53(192.168.2.4)
;; WHEN: Sun Nov 20 23:17:04 GMT 2022
;; MSG SIZE  rcvd: 93
root@goflex:~# cat /etc/resolv.conf
search microlynx.org
nameserver 192.168.2.4
nameserver 192.168.2.5

The other interesting thing is that I can no longer logon via SSH using my Kerberos ticket from my Windows machine.

I'm stumped at this point, so any help will be appreciated,

Regards,

Roy
Michael Tokarev
2022-Nov-21 05:31 UTC
[Samba] Unable to access shares after upgrade to version 4.17.3
21.11.2022 02:24, spindles seven via samba wrote:
> Hi all,
>
> I have a domain-joined fileserver which was running a self-compiled version 4.17.2. I updated this to version 4.17.3 when it came out - again self-compiled. When bullseye backports became available for my box's architecture (armel) I decided to use that valuable resource rather than continue to self-compile. (Many thanks Michael for providing these releases in Backports - much appreciated). So I uninstalled the self-compiled version, deleted the folder /usr/local/samba and any .tdb files I could find.
>
> I installed samba version 4.17.3-debian from backports and re-joined the domain, using the same smb.conf. However I now can't access the share from any Windows machine - even if I provide valid credentials. Testing with smbclient produces:

This is a second report about 4.17.3-bpo version of samba in a few days after an upload. I wonder if there's an issue with the build somehow, - the samba package itself is no different from the one in debian testing now, though.

Did you have similar probs with the self-compiled 4.17.3?

What's running on the DC?

...
> root@goflex:~# smbclient //goflex/images -U roy
> Password for [MICROLYNX\roy]:
> session setup failed: NT_STATUS_LOGON_FAILURE

So it looks like a different issue than reported yesterday, - there, smbclient worked fine, it was only windows 10 machines which were having issue accessing the shares (see the thread "No longer access to shares after upgrade to 4.17.3" from yesterday). But the situation is very similar.

> BUT using the IP address of goflex succeeds:
> root@goflex:~# smbclient //192.168.2.40/images -U roy
> Password for [MICROLYNX\roy]:
> Try "help" to get a list of possible commands.
> smb: \>

..
> This pointed to a dns issue, so I checked that goflex.microlynx.org has an entry:

It might not be a DNS issue per se (or else you won't be able to *connect* in the first place). It smells more about the krb tickets - maybe for the machine itself?..

..
> The other interesting thing is that I can no longer logon via SSH using my Kerberos ticket from my Windows machine.

That might be worth to debug I think, or try to anyway. (Not that I can be of a great help there, - I'm still learning how it all works).

/mjt
Rowland Penny
2022-Nov-21 08:30 UTC
[Samba] Unable to access shares after upgrade to version 4.17.3
On 20/11/2022 23:24, spindles seven via samba wrote:
> Hi all,
>
> I have a domain-joined fileserver which was running a self-compiled version 4.17.2. I updated this to version 4.17.3 when it came out - again self-compiled. When bullseye backports became available for my box's architecture (armel) I decided to use that valuable resource rather than continue to self-compile. (Many thanks Michael for providing these releases in Backports - much appreciated). So I uninstalled the self-compiled version, deleted the folder /usr/local/samba and any .tdb files I could find.
>
> I installed samba version 4.17.3-debian from backports and re-joined the domain, using the same smb.conf. However I now can't access the share from any Windows machine - even if I provide valid credentials. Testing with smbclient produces:
>
> root@goflex:~# smbclient -L localhost -U%
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         images          Disk
>         IPC$            IPC       IPC Service (Samba 4.17.3-Debian)
> SMB1 disabled -- no workgroup available
>
> root@goflex:~# smbclient //goflex/images -U roy
> Password for [MICROLYNX\roy]:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> root@goflex:~# smbclient //goflex.microlynx.org/images -U roy
> Password for [MICROLYNX\roy]:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> BUT using the IP address of goflex succeeds:
> root@goflex:~# smbclient //192.168.2.40/images -U roy
> Password for [MICROLYNX\roy]:
> Try "help" to get a list of possible commands.
> smb: \>
>
> Don't know whether this is relevant, but the log file: log.wb-GOFLEX reports:
> [2022/11/20 22:44:19.851122, 1] ../../source3/rpc_client/cli_pipe.c:550(cli_pipe_validate_current_pdu)
>   ../../source3/rpc_client/cli_pipe.c:550: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host goflex!
> and
>
> log.wb-MICROLYNX reports:
> [2022/11/20 22:44:09.611781, 1] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>   ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
>
> and indeed there is no such file.
>
> This pointed to a dns issue, so I checked that goflex.microlynx.org has an entry:
> root@goflex:~# host -t A goflex
> goflex.microlynx.org has address 192.168.2.40
> root@goflex:~# host -t A goflex.microlynx.org
> goflex.microlynx.org has address 192.168.2.40
> root@goflex:~# dig goflex.microlynx.org
>
> ; <<>> DiG 9.16.33-Debian <<>> goflex.microlynx.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38034
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: aa9b9eee1a385ba201000000637ab570830c55f6a435553b (good)
> ;; QUESTION SECTION:
> ;goflex.microlynx.org.          IN      A
>
> ;; ANSWER SECTION:
> goflex.microlynx.org.   3600    IN      A       192.168.2.40
>
> ;; Query time: 0 msec
> ;; SERVER: 192.168.2.4#53(192.168.2.4)
> ;; WHEN: Sun Nov 20 23:17:04 GMT 2022
> ;; MSG SIZE  rcvd: 93
> root@goflex:~# cat /etc/resolv.conf
> search microlynx.org
> nameserver 192.168.2.4
> nameserver 192.168.2.5
>
> The other interesting thing is that I can no longer logon via SSH using my Kerberos ticket from my Windows machine.
>
> I'm stumped at this point, so any help will be appreciated,
>
> Regards,
>
> Roy
>

OK, 4.17.3 was released to deal with CVE-2022-42898. Unfortunately there is a regression in Heimdal, but it is only supposed to affect 32bit systems, see here for more details:

https://bugzilla.samba.org/show_bug.cgi?id=15203

Rowland
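
Added example, not part of any post in this thread: a small shell triage for the symptom reported above, where access by hostname fails with NT_STATUS_LOGON_FAILURE while access by IP address works. It relies on the fact that smbclient can attempt Kerberos only for a name-based target and normally falls back to NTLM for an IP literal. The function names and the "target status" input format are assumptions made for this example, and the sample input is constructed from the three attempts quoted in the thread.

```sh
#!/bin/sh
# Added example, not from the thread: classify smbclient results by target type.

# Succeed when the host part of //host/share is an IPv4 literal.
is_ipv4_target() {
    host=${1#//}; host=${host%%/*}
    case $host in
        ''|*[!0-9.]*) return 1 ;;
        *.*.*.*.*)    return 1 ;;
        *.*.*.*)      return 0 ;;
        *)            return 1 ;;
    esac
}

# Extract the first NT_STATUS code from smbclient output on stdin, or print OK.
status_of() {
    code=$(grep -o 'NT_STATUS_[A-Z_]*' | head -n 1)
    echo "${code:-OK}"
}

# triage WORDSIZE: read "target status" lines on stdin, print a verdict.
# WORDSIZE is what `getconf LONG_BIT` prints on the file server (32 or 64).
triage() {
    name_fail=0; name_ok=0; ip_ok=0
    while read -r target status; do
        [ -n "$target" ] || continue
        if is_ipv4_target "$target"; then
            if [ "$status" = OK ]; then ip_ok=1; fi
        elif [ "$status" = OK ]; then name_ok=1
        elif [ "$status" = NT_STATUS_LOGON_FAILURE ]; then name_fail=1
        fi
    done
    # Name-based logons all fail while the IP-based one works: the Kerberos
    # path is suspect; on a 32-bit host this is the pattern in this thread.
    if [ "$name_fail" = 1 ] && [ "$name_ok" = 0 ] && [ "$ip_ok" = 1 ]; then
        if [ "$1" = 32 ]; then echo "matches-thread-pattern"
        else echo "kerberos-path-suspect"; fi
    else
        echo "no-match"
    fi
}

# Constructed sample mirroring the three attempts quoted in the thread.
sample_results() {
    printf '%s\n' \
        "//goflex/images NT_STATUS_LOGON_FAILURE" \
        "//goflex.microlynx.org/images NT_STATUS_LOGON_FAILURE" \
        "//192.168.2.40/images OK"
}

sample_results | triage 32
```

On a live system, each status can be produced by piping the output of an `smbclient //host/share -U user -c quit` attempt into `status_of`.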
Michael Tokarev
2022-Nov-21 18:02 UTC
[Samba] Unable to access shares after upgrade to version 4.17.3
I've just uploaded samba_4.17.3+dfsg-2 package with the fix for this regression to debian unstable, and built samba_4.17.3+dfsg-2~bpo11-1.

Debian rules don't allow me to upload the bpo11 version right to the debian-backports, because it should be a backport of version in testing, but just-uploaded -2 will have to migrate first. That usually takes 2 days, after which I'll upload 4.17.3+dfsg-2~bpo11-1.

I already made this package available in my repository, but this is only for amd64, which is not affected, so that's of no use. I can try to build the bpo version for other architectures, but that will take a while too. At the very least, i386 will be built shortly too. What else do we need, armel?

It looks like I was a bit too fast with switching bpo to 4.17. My gut feeling was telling me to wait for a bit longer and stick with 4.16 for a while.. ;)

I'm sorry for too fast switch.

/mjt