On 20/06/16 19:53, Dale Schroeder wrote:
> On 06/17/2016 4:31 PM, peter lawrie wrote:
>> Hi all
>> About 18 months ago I connected 14 new Windows 7 PCs to a Centos5.1 server
>> with samba3x as domain members. There are no other servers on site.
>> Today, I had to visit to connect up a PC in a new location. As I would
>> normally do I checked for Centos updates and found 35 outstanding including
>> samba3x 3.6.23-12.el5_11 and samba3x-client, samba3x-common, samba3x-doc,
>> samba3x-domainjoin-gui, samba3x-swat, samba3x-winbind, samba3x-winbind-devel
>>
>> Having completed the cabling I tried to log the PC in but received 'trust
>> relationship between this workstation and primary domain failed'. Several
>> times I removed it from the domain and added it back again - this made no
>> difference. I noted the time on the PC was 7 minutes out from the server,
>> so corrected that, removed it from the domain, added it in again but had
>> the same message.
>> Thinking it was just related to this PC, I left it configured as a
>> workgroup member, created a new local user to match the domain username it
>> had been using and connected it to the server shares.
>>
>> Then I went to another PC which had an unrelated issue which needed
>> attention, but when I tried to logon to the domain I received the same
>> domain trust failure message.
>> Only then did I suspect that the samba3x update may have been the cause, so
>> I removed it and installed 3x 3.6.23-9 - now when I tried to login I get
>> "there are no login servers available to service the login request".
>>
>> As other users were complaining about losing access to the server shares, I
>> then had to visit every PC, remove each of them from the domain into a
>> workgroup, create a local user on each to match the samba username and copy
>> the profile. Needless to say, a job which should have taken 1 to 2 hours
>> took 7.
>>
>> I still have no idea why the problem occurred; is there an issue with the
>> latest samba update? All I could find online was that the update related to
>> a fix for the badlock vulnerability.
>> Peter Lawrie
>
> Peter,
>
> The badlock patches have been a big problem for Samba classic domains. Many
> have posted asking for help, but I have seen no solution presented on this
> list; i.e. the silence is deafening. It may be that NT4 classic domains will
> not work going forward.
>
> For example, refer to the post by Peter Tuharsky:
> http://www.spinics.net/lists/samba/msg134710.html
>
> In all actuality, Samba 4.3.x pre-badlock had already broken classic ldap
> domains.

I did some testing before the badlock patches and did manage to get an ldap
based NT4 PDC running and connected a Unix client to it, but this was a test
domain and it didn't use smbldap-tools.

I think one of the problems is that nobody has logged a bug report for this
problem, so nobody is looking into it. Another problem is that Windows is
trying to deter the use of NT4-style domains; it is my understanding that
Win10 will not connect to one out-of-the-box. They could (and probably will)
make the use of NT4 domains impossible at any time.

Rowland

> So, if anyone has a working Samba/openldap NT4 classic domain post-badlock
> patches, would you please share your config to help these people?
>
> And, if you have a working 4.3 or 4.4 classic domain config, please help me
> out.
>
> Thanks,
> Dale
On 20/06/16 at 21:19, Rowland penny wrote:
> I think one of the problems is that nobody has logged a bug report for
> this problem, so nobody is looking into it, another problem is that
> windows is trying to deter the use of NT4-style domains, it is my
> understanding that Win10 will not connect to one out-of-the-box. They
> could (and probably will) make the use of NT4 domains impossible at any
> time.

Meanwhile, those Windows 10 workstations have no problem joining my NT domain
managed by a very old samba (I know, I know, an update is planned but not
right now), while badlock patched samba cannot[*] :-(

[*] I'm referring to the distro provided version, in this case ubuntu 14.04.4
LTS.

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010)
Fax +34 93 5883007
On 06/20/16 15:19, Rowland penny wrote:
> On 20/06/16 19:53, Dale Schroeder wrote:
>> On 06/17/2016 4:31 PM, peter lawrie wrote:
>>> Hi all
>>> About 18 months ago I connected 14 new Windows 7 PCs to a Centos5.1 server
>>> with samba3x as domain members. There are no other servers on site.
>>> Today, I had to visit to connect up a PC in a new location. As I would
>>> normally do I checked for Centos updates and found 35 outstanding including
>>> samba3x 3.6.23-12.el5_11 and samba3x-client, samba3x-common, samba3x-doc,
>>> samba3x-domainjoin-gui, samba3x-swat, samba3x-winbind, samba3x-winbind-devel
>>>
>>> Having completed the cabling I tried to log the PC in but received 'trust
>>> relationship between this workstation and primary domain failed'. Several
>>> times I removed it from the domain and added it back again - this made no
>>> difference. I noted the time on the PC was 7 minutes out from the server,
>>> so corrected that, removed it from the domain, added it in again but had
>>> the same message.
>>> Thinking it was just related to this PC, I left it configured as a
>>> workgroup member, created a new local user to match the domain username it
>>> had been using and connected it to the server shares.
>>>
>>> Then I went to another PC which had an unrelated issue which needed
>>> attention, but when I tried to logon to the domain I received the same
>>> domain trust failure message.
>>> Only then did I suspect that the samba3x update may have been the cause, so
>>> I removed it and installed 3x 3.6.23-9 - now when I tried to login I get
>>> "there are no login servers available to service the login request".
>>>
>>> As other users were complaining about losing access to the server shares, I
>>> then had to visit every PC, remove each of them from the domain into a
>>> workgroup, create a local user on each to match the samba username and copy
>>> the profile. Needless to say, a job which should have taken 1 to 2 hours
>>> took 7.
>>>
>>> I still have no idea why the problem occurred; is there an issue with the
>>> latest samba update? All I could find online was that the update related to
>>> a fix for the badlock vulnerability.
>>> Peter Lawrie
>> Peter,
>>
>> The badlock patches have been a big problem for Samba classic domains. Many
>> have posted asking for help, but I have seen no solution presented on this
>> list; i.e. the silence is deafening. It may be that NT4 classic domains
>> will not work going forward.
>>
>> For example, refer to the post by Peter Tuharsky:
>> http://www.spinics.net/lists/samba/msg134710.html
>>
>> In all actuality, Samba 4.3.x pre-badlock had already broken classic ldap
>> domains.
>
> I did some testing before the badlock patches and did manage to get an ldap
> based NT4 PDC running and connected a Unix client to it, but this was a test
> domain and it didn't use smbldap-tools.
>
> I think one of the problems is that nobody has logged a bug report for this
> problem, so nobody is looking into it, another problem is that windows is
> trying to deter the use of NT4-style domains, it is my understanding that
> Win10 will not connect to one out-of-the-box. They could (and probably will)
> make the use of NT4 domains impossible at any time.
>
> Rowland
>
>> So, if anyone has a working Samba/openldap NT4 classic domain post-badlock
>> patches, would you please share your config to help these people?
>>
>> And, if you have a working 4.3 or 4.4 classic domain config, please help me
>> out.
>>
>> Thanks,
>> Dale

Windows 10 clients can be connected to a non-badlock patched classic domain.
It requires the same registry changes as Windows 7 to set
"DomainCompatibilityMode" = 1 (I think this would be the same as disabling
RequireSignOrSeal in group policy).

The samba badlock patches change the default behavior of the samba server to
require signing. It may be that you need to explicitly set "server signing"
and "client signing" to auto to force the older behavior.

I was never able to make patched domain members work with a non-patched
domain controller. (Also running Samba 3.x as a classic domain.) I suspect
the reverse is true. Even with disabling signing on the samba member servers,
I was getting schannel and spnego errors, so something changed there too. I
could get the patched member servers to join the domain but domain users from
windows or samba would not be allowed to access resources. I had expected that
a patched domain controller would work with a patched member server and that
the windows machines would auto-negotiate everything, but now I doubt that.
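The "server signing" / "client signing" change Gaiseric suggests above, as an added example that is not from any poster on this thread or from the Samba project: a small POSIX sh script that sets both parameters to "auto" in the [global] section of an smb.conf without leaving duplicate or stale copies of the line behind (Samba matches parameter names ignoring case and blanks, so the script does the same), keeps a backup of the file, and lets testparm confirm the result when Samba is installed. The smb.conf it edits is constructed for the demonstration and is nobody's real configuration; the function names and the backup suffix are this script's own. The registry values in the closing comment are the Windows-side settings the message refers to; DNSNameResolutionRequired is the companion value usually set with DomainCompatibilityMode and is not mentioned in the message. Note the caveat in the header: "auto" lets clients negotiate unsigned SMB again, which is exactly what the badlock hardening removed, so it is a way to confirm the diagnosis, not a fix to leave in place.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: put "server signing"
# and "client signing" back to "auto" in the [global] section of an smb.conf,
# as suggested in the message above, without leaving duplicate lines behind.
#
# Caveat: "auto" lets clients negotiate unsigned SMB again, which undoes part
# of the badlock hardening. Use it to confirm the diagnosis on an NT4-style
# domain, not as a permanent setting.

# set_global_param FILE KEY VALUE
# Rewrite FILE so that [global] holds exactly one "KEY = VALUE" line.
# Samba compares parameter names ignoring case and blanks, so do the same.
set_global_param() {
    conf=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        BEGIN { nkey = tolower(key); gsub(/[ \t]/, "", nkey) }
        /^[ \t]*\[/ {
            # leaving [global] without having seen KEY: append it there
            if (in_global && !done) { print "\t" key " = " value; done = 1 }
            in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/)
            if (in_global) seen_global = 1
            print; next
        }
        in_global && index($0, "=") {
            k = $0; sub("=.*", "", k); gsub(/[ \t]/, "", k)
            if (tolower(k) == nkey) {
                if (!done) { print "\t" key " = " value; done = 1 }
                next            # drop any further copies of KEY
            }
        }
        { print }
        END {
            if (!seen_global) print "[global]"
            if (!done) print "\t" key " = " value
        }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# get_global_param FILE KEY
# Print the value of KEY from [global], or nothing if it is not set there.
get_global_param() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); gsub(/[ \t]/, "", key) }
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && index($0, "=") {
            k = $0; sub("=.*", "", k); gsub(/[ \t]/, "", k)
            if (tolower(k) == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# relax_signing FILE
# Back FILE up, set both signing parameters to "auto", and show what the
# authoritative parser (testparm) makes of the result if Samba is installed.
relax_signing() {
    cp "$1" "$1.pre-signing-change" || return 1
    set_global_param "$1" "server signing" auto
    set_global_param "$1" "client signing" auto
    if command -v testparm >/dev/null 2>&1; then
        testparm -s "$1" 2>/dev/null | grep -i signing || true
    fi
}

# Demonstration on a constructed smb.conf (a stand-in, not a real config).
demo_dir=$(mktemp -d)
cat > "$demo_dir/smb.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    security = user
    domain logons = yes
    server signing = mandatory

[profiles]
    path = /srv/samba/profiles
EOF
relax_signing "$demo_dir/smb.conf"
get_global_param "$demo_dir/smb.conf" "server signing"   # auto
get_global_param "$demo_dir/smb.conf" "client signing"   # auto

# Windows client side (from the message above; this script does not touch it):
# on each Windows 7/10 workstation, under
# HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
# set DWORD DomainCompatibilityMode = 1 before joining an NT4-style domain.
# DNSNameResolutionRequired = 0 is the companion value usually set with it
# (not mentioned in the message).
```

Re-run the join after restarting smbd and nmbd; if the join then succeeds where it failed before, signing negotiation was the culprit, and the next question is whether the domain can be moved off NT4-style trust rather than left with signing relaxed.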
On 20/06/16 at 23:32, Gaiseric Vandal wrote:
> I could get the patched member servers to join the domain but domain users
> from windows or samba would not be allowed to access resources.

I couldn't even manage to join the domain.
OTOH smbclient (patched I guess[*]) has no problem accessing the server.

[*]
$ dpkg -l samba smbclient
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name       Version                        Architecture Description
+++-==========-==============================-============-===============================================
ii  samba      2:4.3.9+dfsg-0ubuntu0.14.04.3  amd64        SMB/CIFS file, print, and login server for Unix
ii  smbclient  2:4.3.9+dfsg-0ubuntu0.14.04.3  amd64        command-line SMB/CIFS clients for Unix

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010)
Fax +34 93 5883007