Jason Gerfen
2008-Jun-03 11:51 UTC
[Samba] Gentoo, Samba, Upgrade, Authentications now failing
I just updated Samba on Gentoo due to a security vulnerability and the authentication for domain accounts is now failing. Has anyone else seen this?

--
Jas
John Drescher
2008-Jun-03 12:17 UTC
[Samba] Gentoo, Samba, Upgrade, Authentications now failing
On Tue, Jun 3, 2008 at 7:52 AM, Jason Gerfen <jason.gerfen@scl.utah.edu> wrote:
> I just updated Samba on Gentoo due to a security vulnerability and the
> authentication for domain accounts is now failing. Has anyone else seen
> this?
> --

I have upgraded a domain memberservers last week to net-fs/samba-3.0.30 but not the PDC. No problems so far with that.

John
John Drescher
2008-Jun-03 12:19 UTC
[Samba] Gentoo, Samba, Upgrade, Authentications now failing
> I have upgraded a domain memberservers last week to
> net-fs/samba-3.0.30 but not the PDC. No problems so far with that.
>

It should have read all domain member servers.

John
Jason Gerfen
2008-Jun-03 16:14 UTC
[Samba] Gentoo, Samba, Upgrade, Authentications now failing
Ivan Ordonez wrote:
> Hi Jason,
>
> Sorry I can't be of any help but I am thinking about updating our PDC to
> 3.0.30 but afraid it will have the same problem. I have a few questions
> if you don't mind.
>
> 1. Can a PDC be removed on the domain and join again? if so, who will
> be the login server to authenticate the process of joining the PDC to
> the domain? I have two BDC and one PDC.

%> net ads join -U ADMINISTRATOR@DOMAIN <-- joins samba server to domain (could be PDC, BDC or Domain member server types depending on config)
%> net ads leave -U ADMINISTRATOR@DOMAIN <-- this will remove the machine account from active directory

> 2. Can you roll back to Samba 3.0.24 if you emerge 3.0.30

Nope, the latest in portage right now is 3.0.28

>
> Thanks to any info you can provide.
>
> -Ivan
>
> Jason Gerfen wrote:
>> I rolled it back and experienced the same problems so I went ahead and
>> followed the following steps during the upgrade to 3.0.30
>>
>> 1. Removed machine from domain trust user account
>> 2. Uninstalled samba
>> 3. Re-installed latest 3.0.30 using Gentoo's emerge facility
>> 4. Used Kinit with domain admin account
>> 5. Joined machine to domain
>> 6. Ensured that krb5auth using winbind worked (now working, had to
>> modify user accounts in active directory. even having to go so far as
>> to remove user, and recreate then apply the RFC2307 schema attributes)
>>
>> Everything is authenticating again but I am not able to get the
>> pam_mkhomedir.so object to create my user directories.
>> relevant file info:
>> nt acl support = yes
>> inherit permissions = yes
>> create mask = 0022
>> template homedir = /home/samba/%U
>>
>> comment = %U Home directory
>> browsable = yes
>> read only = yes
>> create mask = 0022
>> force create mode = 0022
>> directory mask = 0022
>> force directory mode = 0022
>> path = /home/samba/%U
>>
>> %> ls -lah /home
>> drwxrwxrwx 2 nobody users 48 Jun 2 09:48 samba
>>
>> Am I missing something with the permissions? I know, they are at 755
>> for now so I can figure out why it's not working. What is the best
>> practice for this folder's permissions? Thanks.
>>
>> Jason Gerfen wrote:
>>> John Drescher wrote:
>>>>> Ok I have updated it and am no able to authenticate. It seems that even
>>>>> though my smb.conf shows 'client plaintext auth = no' in the logs when
>>>>> performing a 'wbinfo --krb5auth=username%password' it shows
>>>>>
>>>>> plaintext kerberos password authentication for [username%password] failed
>>>>> (requesting cctype: FILE)
>>>>>
>>>>> Any ideas? I do appreciate any help I can get on this. Here is some version
>>>>> information: Version 3.0.30
>>>>> --
>>>>
>>>> Sorry that did not help. For now I am out of ideas. Hopefully someone
>>>> knows how to fix that soon otherwise I would go back to the last
>>>> version that worked.
>>>>
>>> No worries, I will roll it back to 3.0.28. I am not sure why it would
>>> use plaintext vs. the ntlmv2 that is specified in the config.
>>>
>>>> John
>>>
>>

--
Jas
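What the mask values quoted in the message above work out to under the rules in smb.conf(5), as an added example that is not part of the thread: Samba ANDs the requested mode with `create mask` / `directory mask`, ORs in the `force` modes, and skips both when `inherit permissions = yes`. The function names, the 0666 requested file mode and the assumption that all five settings apply to one share are assumptions of this example.

```python
# Added example (not from the thread): smb.conf(5) mask arithmetic.
# Constructed sample: the share-level values as quoted in the thread.
SAMPLE = """\
inherit permissions = yes
create mask = 0022
force create mode = 0022
directory mask = 0022
force directory mode = 0022
"""

# Samba 3.0 defaults for parameters a share does not set.
DEFAULTS = {"create mask": 0o744, "force create mode": 0,
            "directory mask": 0o755, "force directory mode": 0}

def parse_share(text):
    """Parse 'name = value' lines; parameter names ignore case and spacing."""
    cfg = {**DEFAULTS, "inherit permissions": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # blank line, comment, or section header
        name, value = (part.strip() for part in line.split("=", 1))
        name = " ".join(name.lower().split())
        if name in DEFAULTS:
            cfg[name] = int(value, 8)  # mask values are octal
        elif name == "inherit permissions":
            cfg[name] = value.lower() in ("yes", "true", "1")
    return cfg

def effective_modes(cfg, parent_mode=0o755, requested_file=0o666):
    """Return (file_mode, dir_mode); requested_file=0666 is an assumption."""
    if cfg["inherit permissions"]:
        # Masks are overridden: directories copy the parent's mode,
        # files take only the parent's read/write bits.
        return parent_mode & 0o666, parent_mode & 0o7777
    file_mode = (requested_file & cfg["create mask"]) | cfg["force create mode"]
    dir_mode = (0o777 & cfg["directory mask"]) | cfg["force directory mode"]
    return file_mode, dir_mode

def owner_locked_out(mode, is_dir=False):
    """True when the owner lacks read/write (plus search on directories)."""
    need = 0o700 if is_dir else 0o600
    return (mode & need) != need

if __name__ == "__main__":
    for inherit in (True, False):
        cfg = {**parse_share(SAMPLE), "inherit permissions": inherit}
        f, d = effective_modes(cfg, parent_mode=0o777)
        print(f"inherit={inherit}: file={f:04o} dir={d:04o} locked={owner_locked_out(d, True)}")
```

These parameters only govern files and directories created through Samba; a home directory made by pam_mkhomedir gets its mode from that module, not from the share settings.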
John Drescher
2008-Jun-03 16:22 UTC
[Samba] Gentoo, Samba, Upgrade, Authentications now failing
>> 2. Can you roll back to Samba 3.0.24 if you emerge 3.0.30
>

Save the ebuild from 3.0.24 into a local portage overlay

See here:
http://gentoo-wiki.com/HOWTO_Installing_3rd_Party_Ebuilds

The ebuild will be in /var/db/pkg/net-fs/samba-3.0.24

And then do a

quickpkg --include-config=y =net-fs/samba-3.0.24

Then to restore

emerge -K =net-fs/samba-3.0.24

John