We applied the latest MS security patches on our Windows 2008 R2 domain
controllers. That had the unexpected consequence of breaking all our
Samba servers. They can no longer authenticate with our domain
controllers. Looking into this we think it has to do with the BADLOCK
security patch.

We tried installing the latest Samba, version 4.4.5, which is supposed
to be patched for BADLOCK, but it is still unable to authenticate
with AD. The error on Windows is "no logon servers found".

So just checking if anyone else has run into this and found a
solution?

smb.conf:

[global]
	workgroup = ENGR_DOM
	server string = Web Server
	security = DOMAIN
	passdb backend = smbpasswd
	map untrusted to domain = Yes
	log level = 1
	log file = /var/log/samba/logs/log.%m
	name resolve order = host bcast
	unix extensions = No
	keepalive = 0
	max open files = 10000
	socket options = TCP_NODELAY SO_KEEPALIVE
	load printers = No
	dns proxy = No
	lock spin time = 3
	idmap config * : range
	idmap config * : backend = tdb
	strict locking = No

-- 
C. J. Keist                     Email: cj.keist at colostate.edu
Systems Group Manager           Solaris 10 OS (SAI)
Engineering Network Services    Phone: 970-491-0630
College of Engineering, CSU     Fax:   970-491-5569
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'
On Thu, 25 Aug 2016 14:34:26 -0600
CJ Keist via samba <samba at lists.samba.org> wrote:

> We applied the latest MS security patches on our Windows 2008 R2 domain
> controllers. That had the unexpected consequence of breaking all our
> Samba servers. They can no longer authenticate with our domain
> controllers. Looking into this we think it has to do with the BADLOCK
> security patch.
>
> We tried installing the latest Samba, version 4.4.5, which is supposed
> to be patched for BADLOCK, but it is still unable to authenticate
> with AD. The error on Windows is "no logon servers found".
>
> So just checking if anyone else has run into this and found a
> solution?
>
> smb.conf:
>
> [global]
> 	workgroup = ENGR_DOM
> 	server string = Web Server
> 	security = DOMAIN
> 	passdb backend = smbpasswd
> 	map untrusted to domain = Yes
> 	log level = 1
> 	log file = /var/log/samba/logs/log.%m
> 	name resolve order = host bcast
> 	unix extensions = No
> 	keepalive = 0
> 	max open files = 10000
> 	socket options = TCP_NODELAY SO_KEEPALIVE
> 	load printers = No
> 	dns proxy = No
> 	lock spin time = 3
> 	idmap config * : range
> 	idmap config * : backend = tdb
> 	strict locking = No
>

See here for setting up an AD domain member:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

You will also need to run winbind if you are not already running it.

Rowland
Thank you! Switching to ADS for security fixed it. So is "security = DOMAIN"
being phased out?

On 8/25/16 3:02 PM, Rowland Penny via samba wrote:
> On Thu, 25 Aug 2016 14:34:26 -0600
> CJ Keist via samba <samba at lists.samba.org> wrote:
>
>> We applied the latest MS security patches on our Windows 2008 R2 domain
>> controllers. That had the unexpected consequence of breaking all our
>> Samba servers. They can no longer authenticate with our domain
>> controllers. Looking into this we think it has to do with the BADLOCK
>> security patch.
>>
>> We tried installing the latest Samba, version 4.4.5, which is supposed
>> to be patched for BADLOCK, but it is still unable to authenticate
>> with AD. The error on Windows is "no logon servers found".
>>
>> So just checking if anyone else has run into this and found a
>> solution?
>>
>> smb.conf:
>>
>> [global]
>> 	workgroup = ENGR_DOM
>> 	server string = Web Server
>> 	security = DOMAIN
>> 	passdb backend = smbpasswd
>> 	map untrusted to domain = Yes
>> 	log level = 1
>> 	log file = /var/log/samba/logs/log.%m
>> 	name resolve order = host bcast
>> 	unix extensions = No
>> 	keepalive = 0
>> 	max open files = 10000
>> 	socket options = TCP_NODELAY SO_KEEPALIVE
>> 	load printers = No
>> 	dns proxy = No
>> 	lock spin time = 3
>> 	idmap config * : range
>> 	idmap config * : backend = tdb
>> 	strict locking = No
>>
>
> See here for setting up an AD domain member:
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> You will also need to run winbind if you are not already running it.
>
> Rowland
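The thread's fix was moving the member server from NT4-style "security = DOMAIN" to "security = ADS" with winbind configured. As an added example (not code from the thread or from the Samba project), the following audit parses an smb.conf and flags the two problems visible in the posted config: the DOMAIN security mode, and the "idmap config * : range" line that has no value. The "fixed" sample and its realm name are constructed for illustration.

```python
import configparser
import re

# Constructed sample: the [global] section the thread posted, which joins the
# domain NT4-style ("security = DOMAIN") and has an idmap range with no value.
BROKEN_CONF = """
[global]
workgroup = ENGR_DOM
security = DOMAIN
idmap config * : range
idmap config * : backend = tdb
"""

# Constructed AD-member version: security = ADS, a realm (placeholder), a range.
FIXED_CONF = """
[global]
workgroup = ENGR_DOM
realm = ENGR.EXAMPLE.COM
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
"""

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; keys are lower-cased and
    whitespace-normalised, and a key with no '=' parses to None, not an error."""
    cp = configparser.RawConfigParser(allow_no_value=True, strict=False,
                                      delimiters=("=",))
    cp.optionxform = lambda k: re.sub(r"\s+", " ", k.strip().lower())
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def audit_domain_member(conf):
    """Return findings for a host that is meant to be an AD domain member."""
    g = conf.get("global", {})
    findings = []
    sec = (g.get("security") or "").lower()
    if sec != "ads":
        findings.append(f"security = {sec or '(unset)'}: AD members need "
                        "security = ADS; NT4-style DOMAIN logons fail against patched DCs")
    elif not g.get("realm"):
        findings.append("realm is unset: required for security = ADS (Kerberos)")
    rng = (g.get("idmap config * : range") or "").strip()
    if not re.fullmatch(r"\d+\s*-\s*\d+", rng):
        findings.append(f"idmap config * : range = {rng or '(empty)'}: "
                        "winbind needs LOW-HIGH, e.g. 3000-7999")
    return findings

if __name__ == "__main__":
    for name, text in (("posted", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_domain_member(parse_smb_conf(text)) or ["OK"])
```

Run it against /etc/samba/smb.conf on each member server before applying DC patches to find hosts still on the NT4-style mode.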