I am migrating an old but functional Samba 3.3.4 smbpasswd-based PDC to a new
Samba 4.0-based VM. I planned to build the 4.0 as a BDC and then simply
dcpromo it to my PDC, and then retire the old server. But I've come across
two problems for which I'm needing some guidance.

I've built the 4.0 box, extracted the original domain SID, and joined the
machine to the domain. I can log into shares hosted on the DC, and all
appears well. I then attempted to simply net rpc vampire the PDC's groups
and users, but doing so results in a Segmentation Fault immediately after
net attempts to get the domain database ("Fetching (to passdb) DOMAIN
database").

In looking at the SAMBA server logs on the PDC, there's a clear credential
failure from the BDC machine on the vampire attempt. Two log entries with
"BAD SIG... expected SMB signature of (empty)" appear, indicating an empty
payload was sent as part of the SMB signature during the credential check.
That implies to me some sort of problem in the session setup or machine
key/account - yet net rpc testjoin says the join of the BDC is OK. I've
already removed and rejoined the machine to the domain with the same result,
so at this point, I don't know what's going wrong with the machine
credential check from the BDC to the PDC.

The second issue is in generating a list of users and groups off the PDC.
Right now, wbinfo simply won't work. wbinfo -p can't even ping winbindd even
when I can see that it is, in fact, running. An strace run against wbinfo
seems to indicate wbinfo can't communicate with the winbindd pipe, and I
have no clue why. So it would seem to me that even if I fix the credential
exchange issue above, I've got another issue on the PDC with group and user
enumeration.

Although I've found several issues roughly similar to this, none of the
fixes I've seen so far apply. I thought perhaps the "BAD SIG" messages in
the log in the failed credential check might ring a bell for someone, but
the wbinfo failure really has thrown me for a loop. There's no reason I can
see why it won't work. Any suggestions appreciated.
--
View this message in context:
http://samba.2283325.n4.nabble.com/Problems-in-SAMBA-3-3-to-4-0-migration-tp4680653.html
Sent from the Samba - General mailing list archive at Nabble.com.
On 11/02/15 17:42, soonerdave wrote:
> I am migrating an old but functional Samba 3.3.4 smbpasswd-based PDC to a new Samba 4.0-based VM. I planned to build the 4.0 as a BDC and then simply dcpromo it to my PDC, and then retire the old server. But I've come across two problems for which I'm needing some guidance.
>
> I've built the 4.0 box, extracted the original domain SID, and joined the machine to the domain. I can log into shares hosted on the DC, and all appears well. I then attempted to simply net rpc vampire the PDC's groups and users, but doing so results in a Segmentation Fault immediately after net attempts to get the domain database ("Fetching (to passdb) DOMAIN database").
>
> In looking at the SAMBA server logs on the PDC, there's a clear credential failure from the BDC machine on the vampire attempt. Two log entries with "BAD SIG... expected SMB signature of (empty)" appear, indicating an empty payload was sent as part of the SMB signature during the credential check. That implies to me some sort of problem in the session setup or machine key/account - yet net rpc testjoin says the join of the BDC is OK. I've already removed and rejoined the machine to the domain with the same result, so at this point, I don't know what's going wrong with the machine credential check from the BDC to the PDC.
>
> The second issue is in generating a list of users and groups off the PDC. Right now, wbinfo simply won't work. wbinfo -p can't even ping winbindd even when I can see that it is, in fact, running. An strace run against wbinfo seems to indicate wbinfo can't communicate with the winbindd pipe, and I have no clue why. So it would seem to me that even if I fix the credential exchange issue above, I've got another issue on the PDC with group and user enumeration.
>
> Although I've found several issues roughly similar to this, none of the fixes I've seen so far apply. I thought perhaps the "BAD SIG" messages in the log in the failed credential check might ring a bell for someone, but the wbinfo failure really has thrown me for a loop. There's no reason I can see why it won't work. Any suggestions appreciated.

It might help if you post your smb.conf, what OS you are using and the reason to use samba 4.0 when 4.2 is about to come out.

Rowland
Hi, Rowland, and thanks for the reply.

The PDC OS is Slackware 13. The BDC OS is Slackware 14. The choice to use Samba 4.0 was merely due to its inclusion on the Slackware 14 distro. I'll worry about upgrading that once I have the migration complete. I will post the two machines' respective smb.conf files later today.
Trying to browse the shares on my Samba 4.1 BDC, and I get "NT_STATUS_ACCESS_DENIED".

Machine-specific server logs for the connection attempt show an attempt to hit the IPC$ share, which fails:

[2015/02/17 20:45:23.930969, 1] ../source3/smbd/process.c:1508(switch_message)
  service[IPC$] requires encryptionSMBtdis ACCESS_DENIED. mid=6

I've tried to figure out how this particular variety of SMB encryption is turned on/configured, or at least which version of the protocol it's tied to, to no avail. Any pointers?

-David
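The smbd log entry quoted above has the usual two-line shape of a Samba debug log: a header line in square brackets (timestamp, debug level, source location) followed by an indented message line. The following POSIX shell script is an added example, not code from the thread or from the Samba project; it walks a log in that format, pairs each header with its message, and tags the two messages this thread turns on (the "requires encryption ... ACCESS_DENIED" tree-connect refusal and the "BAD SIG" signing failure) so they can be counted across a large log. The log file it reads is constructed sample data: the first entry reproduces the line quoted above, the other two use made-up timestamps and placeholder source locations.

```shell
#!/bin/sh
# Added example (not from the thread): triage smbd log entries for the two
# symptoms discussed in this thread.  Sample log data below is constructed.

# Map one smbd message line to a short category.
classify_smbd_message() {
    case "$1" in
        *"requires encryption"*ACCESS_DENIED*) echo "encryption-required" ;;
        *"BAD SIG"*)                           echo "signing-failure" ;;
        *ACCESS_DENIED*)                       echo "access-denied" ;;
        *)                                     echo "other" ;;
    esac
}

# Walk a Samba debug log.  Each entry is a header line
#   [YYYY/MM/DD HH:MM:SS.usec, level] source.c:line(function)
# followed by the (indented) message on the next line.  Emit one line
# per entry: <timestamp> TAB <level> TAB <category> TAB <message>
scan_smbd_log() {
    _ts=; _lvl=
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "["*"]"*)
                # header: pull timestamp and debug level out of the brackets
                _hdr=${line#\[}
                _hdr=${_hdr%%\]*}
                _ts=${_hdr%%,*}
                _lvl=$(printf '%s' "${_hdr##*,}" | tr -d ' ')
                ;;
            *)
                msg=${line#"${line%%[! ]*}"}        # strip leading indentation
                [ -n "$msg" ] && [ -n "$_ts" ] || continue   # no header: skip
                printf '%s\t%s\t%s\t%s\n' "$_ts" "$_lvl" \
                    "$(classify_smbd_message "$msg")" "$msg"
                _ts=; _lvl=
                ;;
        esac
    done < "$1"
}

# Count entries of one category in a log file (the summary figure).
count_category() {
    scan_smbd_log "$1" | awk -F'\t' -v want="$2" '$3 == want { n++ } END { print n + 0 }'
}

# Constructed sample log: the first entry is the one quoted in the thread,
# the other two have invented timestamps and placeholder source locations.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[2015/02/17 20:45:23.930969,  1] ../source3/smbd/process.c:1508(switch_message)
  service[IPC$] requires encryptionSMBtdis ACCESS_DENIED. mid=6
[2015/02/11 17:40:00.000000,  1] constructed_sample.c:0(check_signature)
  BAD SIG... expected SMB signature of (empty)
[2015/02/17 20:45:25.000000,  2] constructed_sample.c:0(accept_connection)
  constructed benign entry: connection accepted
EOF

scan_smbd_log "$SAMPLE_LOG"
echo "encryption-required entries: $(count_category "$SAMPLE_LOG" encryption-required)"
echo "signing-failure entries:     $(count_category "$SAMPLE_LOG" signing-failure)"
```

Run it against a real smbd log with `scan_smbd_log /var/log/samba/log.smbd`; a non-zero `encryption-required` count means a server that insists on SMB encryption is refusing clients that cannot negotiate it, which is the condition resolved later in this thread.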
***** SUCCESS *****

After nearly a week of wrangling with this annoying and frustrating issue, I'm delighted to report that I finally have EVERYTHING working. I was on the cusp of giving up, but some diligent reading, lots and lots of testing, and some long evenings finally paid off. I know this thread is kinda buried now by virtue of its age, but I wanted to highlight the problems I had and offer the solution in the event someone else comes along with similar issues:

1. Periodic message indicating machine credential failures on the PDC.

Thinking initially that a password change had taken place, and given that my local profile is too huge to risk losing via a machine/domain rejoin, I took the drastic step of actually dumping the hashes of my own laptop, and found out they matched those stored in my PDC smbpasswd file. I then realized a protocol issue had to be at hand. Turns out it was a really dumb one that's been wrong a long time:

HKLM\System\CCS\Services\Netlogon\Parameters\RequireStrongKey was set to 0, and should be 1.

After restarting NETLOGON, I was able to use the NLTEST tool to reset the secure channel between the machine and the PDC, which causes the machine to reauthenticate. Bingo. Problem solved.

2. Samba 3.6.24 PDC and Win7 clients cannot browse Samba 4.0 shares

This one was really giving me fits. It was a bugzilla log found at https://bugzilla.samba.org/show_bug.cgi?id=10167 that finally turned on the light: I had configured the Samba 4.1.0 box to turn on SMB encryption and server signing, and given that Win7 and Samba 3.6.x can't go beyond SMB2, any client browsing from those boxes back to the Samba 4.1 box was doomed. Reset those two settings, and voila, everyone can now browse everyone else's shares!!!!

This also explained the 'service[IPC$] requires encryptionSMBtdis ACCESS_DENIED' errors in my 4.1 logs - it was telling me precisely what was wrong, and I didn't quite recognize it.

3. NET RPC VAMPIRE failures - /probably/ resolved

I ended up manually copying my smbpasswd and /etc/group files, then manually recreating the group maps because I couldn't get the vampire to work. Now that connections both ways appear to be working, I strongly suspect that this would, in fact, now work - but I don't want to risk upsetting the applecart as it is by trying it now. I'm reasonably sure it would work now, however.

Bottom line - I've got a good BDC up and running in a VM now, and just some minor tweaks are needed going forward. Thanks to all who at least read and certainly to Rowland for the help. Hope I can return the favor sometime.

-David
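Point 2 above comes down to two smb.conf parameters set to their strict values on the Samba 4.1 box: `smb encrypt = required` (or its alias `mandatory`) refuses any client that cannot negotiate SMB3 encryption, and `server signing = mandatory` refuses any unsigned session. The poster never published the actual smb.conf, so the POSIX shell script below is an added example (not the thread's or the Samba project's code) that audits the `[global]` section of an smb.conf for those two settings and shows the same file after relaxing them to `auto` (offer, but do not insist). The parameter names and values are the ones documented in smb.conf(5); the configuration file it reads is constructed sample data, not the poster's.

```shell
#!/bin/sh
# Added example (not from the thread): find strict encryption/signing
# settings in the [global] section of an smb.conf.  Sample config below is
# constructed and only modelled on the settings the thread describes.

# Print "<key> = <value>" for every key in [global], lowercased and trimmed.
# Comments (# or ;) and all other sections are ignored.
global_settings() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            name = $0
            sub(/^[ \t]*/, "", name)
            name = substr(name, 2)
            if (index(name, "]")) name = substr(name, 1, index(name, "]") - 1)
            gsub(/[ \t]/, "", name)
            in_global = (tolower(name) == "global")
            next
        }
        in_global && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print tolower(key) " = " tolower(val)
        }' "$1"
}

# One line per strict setting, with the client population it excludes.
strict_settings() {
    global_settings "$1" | awk -F' = ' '
        $1 == "smb encrypt" && ($2 == "required" || $2 == "mandatory") {
            print "smb encrypt = " $2 " (clients without SMB3 encryption, e.g. Windows 7 or Samba 3.6, are refused)"
        }
        $1 == "server signing" && $2 == "mandatory" {
            print "server signing = " $2 " (every session must be signed)"
        }'
}

# Exit status 0 when nothing strict is set, 1 otherwise; findings on stdout.
audit_smb_conf() {
    n=$(strict_settings "$1" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "OK: no strict encryption/signing settings in [global]"
        return 0
    fi
    strict_settings "$1" | sed 's/^/WARNING: /'
    return 1
}

# Constructed sample smb.conf with both settings at their strict values.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, modelled on the settings described in the thread
[global]
    workgroup = EXAMPLE
    server role = classic backup domain controller
    smb encrypt = required
    server signing = mandatory

[homes]
    smb encrypt = off
EOF

# Same file with both settings relaxed to "auto": offered, not demanded.
FIXED_CONF=$(mktemp)
sed -e 's/smb encrypt = required/smb encrypt = auto/' \
    -e 's/server signing = mandatory/server signing = auto/' \
    "$SAMPLE_CONF" > "$FIXED_CONF"

echo "--- strict config ---";  audit_smb_conf "$SAMPLE_CONF" || true
echo "--- relaxed config ---"; audit_smb_conf "$FIXED_CONF"
```

Point the audit at the live file with `audit_smb_conf /etc/samba/smb.conf`; only `[global]` is inspected, since per-share `smb encrypt` values do not affect the IPC$ tree connect that failed in the thread.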
On Thu, 2015-02-19 at 22:06 -0800, soonerdave wrote:
> ***** SUCCESS *****
>
> After nearly a week of wrangling with this annoying and frustrating issue, I'm delighted to report that I finally have EVERYTHING working. I was on the cusp of giving up, but some diligent reading, lots and lots of testing, and some long evenings finally paid off. I know this thread is kinda buried now by virtue of its age, but I wanted to highlight the problems I had and offer the solution in the event someone else comes along with similar issues:
>
> 1. Periodic message indicating machine credential failures on the PDC.
>
> Thinking initially that a password change had taken place, and given that my local profile is too huge to risk losing via a machine/domain rejoin, I took the drastic step of actually dumping the hashes of my own laptop, and found out they matched those stored in my PDC smbpasswd file. I then realized a protocol issue had to be at hand. Turns out it was a really dumb one that's been wrong a long time:
>
> HKLM\System\CCS\Services\Netlogon\Parameters\RequireStrongKey was set to 0, and should be 1.
>
> After restarting NETLOGON, I was able to use the NLTEST tool to reset the secure channel between the machine and the PDC, which causes the machine to reauthenticate. Bingo. Problem solved.

This is interesting. We did upgrade the security requirements with Samba 4.1 by default. It is odd the RequireStrongKey actually forces *down* what Windows will do.

> 2. Samba 3.6.24 PDC and Win7 clients cannot browse Samba 4.0 shares
>
> This one was really giving me fits. It was a bugzilla log found at https://bugzilla.samba.org/show_bug.cgi?id=10167 that finally turned on the light: I had configured the Samba 4.1.0 box to turn on SMB encryption and server signing, and given that Win7 and Samba 3.6.x can't go beyond SMB2, any client browsing from those boxes back to the Samba 4.1 box was doomed. Reset those two settings, and voila, everyone can now browse everyone else's shares!!!!
>
> This also explained the 'service[IPC$] requires encryptionSMBtdis ACCESS_DENIED' errors in my 4.1 logs - it was telling me precisely what was wrong, and I didn't quite recognize it.
>
> 3. NET RPC VAMPIRE failures - /probably/ resolved
>
> I ended up manually copying my smbpasswd and /etc/group files, then manually recreating the group maps because I couldn't get the vampire to work. Now that connections both ways appear to be working, I strongly suspect that this would, in fact, now work - but I don't want to risk upsetting the applecart as it is by trying it now. I'm reasonably sure it would work now, however.
>
> Bottom line - I've got a good BDC up and running in a VM now, and just some minor tweaks are needed going forward. Thanks to all who at least read and certainly to Rowland for the help. Hope I can return the favor sometime.

'net rpc vampire' will never work against a Samba DC. We never implemented a server-side for the SamSync (NETLOGON replication between an NT4-style PDC and BDC) protocol. This is different to AD replication which uses DRSUAPI, and that we do implement client and server side.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba