Dirk Kleinhesselink
2016-Apr-19 23:46 UTC
[Samba] samba security updates broke NT4 DC setup
I've been running a NT4-style domain with a samba 3.x PDC using a LDAP back end and it's mostly worked very well for a long time. However since yesterday, clients are having problems with the domain. I saw that updates came out on all my systems - my PDC and BDC are ubuntu 12.04 LTS. The samba version there still seems to be 3.6x. A client with a problem that was working is Ubuntu 14.04 LTS and no longer can authenticate against the PDC.

I removed it from the domain and tried to rejoin, but it now believes I am trying to join it to an AD domain and complains the realm has not been specified, do I really want to join an Active Directory server? If I continue and enter my login - I am a Domain Admin, I get back:

smb_signing_good: BAD SIG: seq 1
Failed to join domain: failed to lookup DC info for domain ... over rpc: Access denied

smbclient -L ... to the DC works and indicates it is samba version 3.6.25 and I can access shares. The ubuntu 14.04 client installed samba 4.3.8 packages with the last security update Monday, I believe.

I'll post configuration files if requested - any help is greatly appreciated. Thank you.
On 20/04/16 at 01:46, Dirk Kleinhesselink wrote:
>
> I've been running a NT4-style domain with a samba 3.x PDC using a
> LDAP back end and it's mostly worked very well for a long time.
> However since yesterday, clients are having problems with the domain. I
> saw that updates came out on all my systems - my PDC and BDC are ubuntu
> 12.04 LTS. The samba version there still seems to be 3.6x. A client
> with a problem that was working is Ubuntu 14.04 LTS and no longer can
> authenticate against the PDC.

Same problem here with one machine. I tried all the options in the advisory (client ipc signing = no, require strong key=false) and other options (like client schannel=no) with no luck. I finally reverted to the snapshot I took before upgrading (with samba 2:4.1.6+dfsg-1ubuntu2.14.04).

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007
On 20/04/16 at 08:49, Luca Olivetti wrote:
> On 20/04/16 at 01:46, Dirk Kleinhesselink wrote:
>>
>> I've been running a NT4-style domain with a samba 3.x PDC using a
>> LDAP back end and it's mostly worked very well for a long time.
>> However since yesterday, clients are having problems with the domain. I
>> saw that updates came out on all my systems - my PDC and BDC are ubuntu
>> 12.04 LTS. The samba version there still seems to be 3.6x. A client
>> with a problem that was working is Ubuntu 14.04 LTS and no longer can
>> authenticate against the PDC.
>
> Same problem here with one machine. I tried all the options in the
> advisory (client ipc signing = no, require strong key=false) and other
> options (like client schannel=no) with no luck.
> I finally reverted to the snapshot I took before upgrading (with samba
> 2:4.1.6+dfsg-1ubuntu2.14.04).

I also tried "client ntlmv2 auth=no". Strangely enough, I just updated my laptop (running ubuntu 15.10) and I have no problem authenticating against the same, old, pdc, so probably the problem is in the packaging for 14.04lts and not in samba itself.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007