Luis Felipe Dominguez Vega
2016-Dec-28 13:45 UTC
[Samba] Error with samba update in debian.
I commented out the idmap line and ran "systemctl restart samba-ad-dc", but squid does not authenticate, same error...

---------------------------------------
Standing by
Eng. Luis Felipe Domínguez Vega
Network Administrator of Desoft Matanzas
GNU/Linux Kernel Developer - rtlwifi kernel module

"Great is not he who never fails; great is he who never gives up…"

----- Original Message -----
From: "Rowland Penny via samba" <samba at lists.samba.org>
To: samba at lists.samba.org
Sent: Wednesday, December 28, 2016 8:12:30 AM
Subject: Re: [Samba] Error with samba update in debian.

On Wed, 28 Dec 2016 13:57:58 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
> Can you post your smb.conf that helps.
>
> But you probably forgot to set:
> ntlm auth = yes
>
> and maybe more, a sum up:
>
> This is the full list:
> https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release)
>
> The complete history, have a look at the X.x.0 release notes.
> https://www.samba.org/samba/history/
>
> For the major differences (new features, etc.)
>
> Upgrade samba from a : 4.4.x => 4.5.x
> ! remove all idmap config lines from your smb.conf of the DC's.
> ! run: net cache flush
> ! Restart samba or reboot the DC

Nearly correct ;-)

It should be:

If you have 'idmap config' lines in a smb.conf on a DC, remove them. They had absolutely no effect and did nothing before Samba version 4.5.0, from Samba 4.5.0 they lead to errors.

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Wed, 28 Dec 2016 08:45:17 -0500 (CST) Luis Felipe Dominguez Vega <luis.dominguez at mtz.desoft.cu> wrote:

> I commented out the idmap line and ran "systemctl restart samba-ad-dc", but
> squid does not authenticate, same error...

If you mean:

idmap_ldb:use rfc2307 = yes

Then uncomment it, you need this line on a Samba AD DC.

I referred to the 'idmap config' lines you find on a Samba domain member, i.e. 'idmap config SAMDOM : range = 10000-999999'

These lines do not have and never have had a place on a Samba AD DC.

Rowland
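The rule stated in the message above (no 'idmap config' lines on an AD DC, while `idmap_ldb:use rfc2307 = yes` stays) written as a small smb.conf check. This is an added example, not part of the original messages; the function name `check_dc_idmap` is hypothetical, and it assumes the DC's smb.conf sets `server role = active directory domain controller` explicitly.

```shell
#!/bin/sh
# Added example, not from the thread: flag 'idmap config' lines in the
# [global] section of a Samba AD DC's smb.conf.
# Assumption: the DC declares "server role = active directory domain controller".

# check_dc_idmap FILE
# Prints each offending line as "LINENO: text" and returns 1 when the file
# is a DC config containing 'idmap config' lines; returns 0 otherwise.
check_dc_idmap() {
    awk '
        /^[ \t]*([#;]|$)/ { next }              # comments and blank lines
        /^[ \t]*\[/ {                           # section header
            in_global = (tolower($0) ~ /^[ \t]*\[global\]/)
            next
        }
        !in_global { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            val = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val); gsub(/[ \t]+/, " ", val)
            if (key == "server role" &&
                val == "active directory domain controller") is_dc = 1
            # "idmap_ldb:use rfc2307" does not match: no space after "idmap".
            if (key ~ /^idmap config /) {
                line = $0; sub(/^[ \t]+/, "", line)
                bad[++n] = NR ": " line
            }
        }
        END {
            if (is_dc) for (i = 1; i <= n; i++) print bad[i]
            exit ((is_dc && n > 0) ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample config (SAMDOM and the range are the thread's example values).
sample=$(mktemp)
printf '%s\n' '[global]' \
    '    server role = active directory domain controller' \
    '    idmap_ldb:use rfc2307 = yes' \
    '    idmap config SAMDOM : range = 10000-999999' > "$sample"
check_dc_idmap "$sample" ||
    echo "Remove the lines listed above, run 'net cache flush', restart samba."
rm -f "$sample"
```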
About the :

> ERROR: Negotiate Authentication validating user. Result: {result=BH,
> notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }}

I suspect the PC you are trying with is not domain joined?
Or you are using user@REALM

Can you add "-d" to the auth line of squid and try again and post that log.
( -d = enable debugging )

Now what I don't know.
A samba DC reported with wbinfo -u : DOMAIN\user

I have in my samba member ( and this is a member only setting )
winbind enum users = yes
So when I wbinfo -u I see only the usernames.

In the second link, a snap from some text.

/snap
You may need to use a Basic auth helper that allows stripping the @DOMAIN part off the credentials received. I think some systems send the user@DOMAIN in Basic with the machine name as DOMAIN. That won't work against any real DC server.
/snap-off

This can be a problem, but I'm not sure about that, that's more a squid list question.

And remove :
map to guest = bad user
in smb.conf
If needed you can add it later on, first detect what's going wrong.

Now, I had the same problem.
My question to the squid list. Starts here :
http://lists.squid-cache.org/pipermail/squid-users/2015-August/005025.html
And my last question.
http://lists.squid-cache.org/pipermail/squid-users/2015-August/005033.html

Read through it, I can help you... Amos explains better than me.

Beware, Debian testing can break easily, especially before the freeze, so know what you're doing.
And do remember Debian testing does NOT get security updates quickly. Debian Testing is last to get them.

I hope this helps you a bit more.

Greetz,
Louis
On Wed, 28 Dec 2016 15:40:34 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> About the :
>
> > ERROR: Negotiate Authentication validating user. Result: {result=BH,
> > notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }}
>
> I suspect the PC you are trying with is not domain joined?
> Or you are using user@REALM
>
> Can you add "-d" to the auth line of squid and try again and post
> that log.
> ( -d = enable debugging )
>
> Now what I don't know.
> A samba DC reported with wbinfo -u : DOMAIN\user

Yes, the DC uses the DOMAIN as part of the username and you cannot turn it off.

> I have in my samba member ( and this is a member only setting )
> winbind enum users = yes

You can also use this line on a DC.

> So when I wbinfo -u I see only the usernames.

You will also have this line in your domain members smb.conf:

winbind use default domain = yes

The default is no (i.e. same as a DC)

So, if squid insists on just the username without the DOMAIN, it is (in my opinion) badly broken and they need to fix it.

Rowland
Luis Felipe Dominguez Vega
2016-Dec-28 15:20 UTC
[Samba] Error with samba update in debian.
The proxy is already in the domain: "wbinfo -u" returns all users from the AD, and the kinit command with -t /etc/squid/PROXY.keytab is working great, but the NTLM phase in the squid log is the same:

ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }}

Are there some changes in recent versions about the NTLM or NT KEY or something??? that squid now can interpret the handshakes???

---------------------------------------
Standing by
Eng. Luis Felipe Domínguez Vega
Network Administrator of Desoft Matanzas
GNU/Linux Kernel Developer - rtlwifi kernel module

"Great is not he who never fails; great is he who never gives up…"
No, it's a misconfiguration somewhere.
Squid works fine, I have it all running.
Took me some time to understand things but it works fine now.
See the list links..

Greetz,
Louis