We applied latest MS security patches on our Windows 2008 R2 domain controllers. That had unexpected consequence of breaking all our Samba servers. They no longer can authenticate with our domain controllers. Looking into this we think it has to do with the BADLOCK security patch. We tried installing the latest Samba, version 4.4.5 which is supposed to be patched for the BADLOCK, but it is still unable to authenticate with AD. Error on windows is "no logon servers found". So just checking if anyone else has run into this and found a solution? smb.conf: [global] workgroup = ENGR_DOM server string = Web Server security = DOMAIN passdb backend = smbpasswd map untrusted to domain = Yes log level = 1 log file = /var/log/samba/logs/log.%m name resolve order = host bcast unix extensions = No keepalive = 0 max open files = 10000 socket options = TCP_NODELAY SO_KEEPALIVE load printers = No dns proxy = No lock spin time = 3 idmap config * : range idmap config * : backend = tdb strict locking = No -- C. J. Keist Email: cj.keist at colostate.edu Systems Group Manager Solaris 10 OS (SAI) Engineering Network Services Phone: 970-491-0630 College of Engineering, CSU Fax: 970-491-5569 Ft. Collins, CO 80523-1301 All I want is a chance to prove 'Money can't buy happiness'
On Thu, 25 Aug 2016 14:34:26 -0600 CJ Keist via samba <samba at lists.samba.org> wrote:> We applied latest MS security patches on our Windows 2008 R2 domain > controllers. That had unexpected consequence of breaking all our > Samba servers. They no longer can authenticate with our domain > controllers. Looking into this we think it has to do with the BADLOCK > security patch. > > We tried installing the latest Samba, version 4.4.5 which is supposed > to be patched for the BADLOCK, but it is still unable to authenticate > with AD. Error on windows is "no logon servers found". > > So just checking if anyone else has run into this and found a > solution? > > smb.conf: > > [global] > workgroup = ENGR_DOM > server string = Web Server > security = DOMAIN > passdb backend = smbpasswd > map untrusted to domain = Yes > log level = 1 > log file = /var/log/samba/logs/log.%m > name resolve order = host bcast > unix extensions = No > keepalive = 0 > max open files = 10000 > socket options = TCP_NODELAY SO_KEEPALIVE > load printers = No > dns proxy = No > lock spin time = 3 > idmap config * : range > idmap config * : backend = tdb > strict locking = No > >See here for setting up an AD domain member: https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member You will also need to run winbind if you are not already running it. Rowland
Thank you! Switching to ADS for security fixed it. So is "security = DOMAIN" being phased out? On 8/25/16 3:02 PM, Rowland Penny via samba wrote:> On Thu, 25 Aug 2016 14:34:26 -0600 > CJ Keist via samba <samba at lists.samba.org> wrote: > >> We applied latest MS security patches on our Windows 2008 R2 domain >> controllers. That had unexpected consequence of breaking all our >> Samba servers. They no longer can authenticate with our domain >> controllers. Looking into this we think it has to do with the BADLOCK >> security patch. >> >> We tried installing the latest Samba, version 4.4.5 which is supposed >> to be patched for the BADLOCK, but it is still unable to authenticate >> with AD. Error on windows is "no logon servers found". >> >> So just checking if anyone else has run into this and found a >> solution? >> >> smb.conf: >> >> [global] >> workgroup = ENGR_DOM >> server string = Web Server >> security = DOMAIN >> passdb backend = smbpasswd >> map untrusted to domain = Yes >> log level = 1 >> log file = /var/log/samba/logs/log.%m >> name resolve order = host bcast >> unix extensions = No >> keepalive = 0 >> max open files = 10000 >> socket options = TCP_NODELAY SO_KEEPALIVE >> load printers = No >> dns proxy = No >> lock spin time = 3 >> idmap config * : range >> idmap config * : backend = tdb >> strict locking = No >> >> > See here for setting up an AD domain member: > https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member > > You will also need to run winbind if you are not already running it. > > Rowland >-- C. J. Keist Email: cj.keist at colostate.edu Systems Group Manager Solaris 10 OS (SAI) Engineering Network Services Phone: 970-491-0630 College of Engineering, CSU Fax: 970-491-5569 Ft. Collins, CO 80523-1301 All I want is a chance to prove 'Money can't buy happiness'
Reasonably Related Threads
- More strangeness with ZFS and Samba
- No logon servers avaialbe
- vfs objects - zfsacl
- File permissions getting destroyed with M$ software on ZFS
- Fatal: master: service(imap): child 20258 killed with signal 6 (core not dumped - set service imap { drop_priv_before_exec=yes })