samba - Jun 2017 - DRS stopped working after upgrade from debian Jessie to Stretch

On Tue, 20 Jun 2017 17:54:09 +0200
Prunk Dump via samba <samba at lists.samba.org> wrote:
> Hello thanks again for the help !
> 
> I have analysed samba logs more closely. I'am very worried. I have
> three DC (fichdc, fichds01, fichds02) but here I talk just about
> fichdc's logs.
> 
How did you upgrade 'jessie' to 'stretch' and why ?

Did all the  Samba packages get upgraded (this includes things like
talloc, tevent etc)

Rowland

2017-06-20 18:12 GMT+02:00 Rowland Penny via samba <samba at
lists.samba.org>:
> On Tue, 20 Jun 2017 17:54:09 +0200
> Prunk Dump via samba <samba at lists.samba.org> wrote:
>
>> Hello thanks again for the help !
>>
>> I have analysed samba logs more closely. I'am very worried. I have
>> three DC (fichdc, fichds01, fichds02) but here I talk just about
>> fichdc's logs.
>>
>
> How did you upgrade 'jessie' to 'stretch' and why ?
>
> Did all the  Samba packages get upgraded (this includes things like
> talloc, tevent etc)
>
> Rowland
>
Hello.

I upgraded Debian from "Jessie" to "Strech" following the
Debian
Upgrade Handbook. I'am not using special repositories, just the Debian
stable branch. Everything is updated with "apt-get upgrade" and
"apt-get dist-upgrade".

This upgrade is really mandatory because after two years of Debian
Jessie I have encountered many difficulties with the samba version. By
two times the Debian security team was not able to apply security
patch to the base stable Samba version. So two times Samba version
change and put my network down. So I can't keep the Jessie Samba
Version for two years more I want to maintain good security.

But now I'am very disappointed.
I don't understand why all my DCs have a bad
"/var/lib/samba/private/secret.keytab"
I don't understand why Kerberos authentication does not works inside
Samba but works with "kinit" (like in the previous log have sent).

I'm lost. I don't know what to do...

-> How can I regererate the "/var/lib/samba/private/secret.keytab"
with all the 5 encryptions ?

-> On the DC that have all the FSMO roles have made a "samba-tool
dbcheck --cross-ncs --fix --yes" (as say on the samba upgrade guide).
Do I need to do this on the others DCs ? Or is this better to first
restoring replication ?

-> Do I need to do a manual directory replication ?

Thank you very much for your help.

Baptiste.

On Tue, 20 Jun 2017 18:52:49 +0200
Prunk Dump <prunkdump at gmail.com> wrote:
> Hello.
> 
> I upgraded Debian from "Jessie" to "Strech" following
the Debian
> Upgrade Handbook. I'am not using special repositories, just the Debian
> stable branch. Everything is updated with "apt-get upgrade" and
> "apt-get dist-upgrade".
> 
> This upgrade is really mandatory because after two years of Debian
> Jessie I have encountered many difficulties with the samba version. By
> two times the Debian security team was not able to apply security
> patch to the base stable Samba version. So two times Samba version
> change and put my network down. So I can't keep the Jessie Samba
> Version for two years more I want to maintain good security.
Not sure if upgrading to an unreleased Debian version is a good idea,
you could do what I am doing, use Louis Van Belle's packages on Jessie.
> 
> But now I'am very disappointed.
> I don't understand why all my DCs have a bad
> "/var/lib/samba/private/secret.keytab"
> I don't understand why Kerberos authentication does not works inside
> Samba but works with "kinit" (like in the previous log have
sent).
I don't understand it either, but I feel it must down to at least one
of the packages that got upgraded and that are used by Samba. Perhaps
Louis can comment here, I feel he knows more about what is required to
get the latest version of Samba working on Debian.
> 
> I'm lost. I don't know what to do...
> 
> -> How can I regererate the
"/var/lib/samba/private/secret.keytab"
> with all the 5 encryptions ?
This is something Andrew is going to have to help you with, but I
think he gave a hint about using 'chgtdcpass'
> 
> -> On the DC that have all the FSMO roles have made a "samba-tool
> dbcheck --cross-ncs --fix --yes" (as say on the samba upgrade guide).
> Do I need to do this on the others DCs ? Or is this better to first
> restoring replication ?
This should fix any faults in db on this machine, replication should
then send any changes to the other DCs, but I can see no reason not to
run the command on the other DCs
> 
> -> Do I need to do a manual directory replication ?
> 
I wouldn't at this stage, but if you can fix it on one DC and the fixes
don't get replicated, this may be something to consider later.

Rowland

Hai, 

Im wondering also what happend here, i cant figure it out (yet). 
I did read this now few times.. 

Baptiste, can you give me the following output. 
( keep this order for the output please. 

cat /etc/hosts
cat /etc/resolv.conf
cat /etc/nssswitch.conf

cat /etc/krb5.conf
cat /var/lib/samba/private/krb5.conf

klist -ket /etc/krb5.keytab
klist -ket /var/lib/samba/private/secrets.keytab

Get this script, run it, and if you get errors post them. 
http://downloads.van-belle.nl/samba4/samba-check-db-repl.sh

cat /etc/samba/smb.conf


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: dinsdag 20 juni 2017 19:13
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] DRS stopped working after upgrade from 
> debian Jessie to Stretch
> 
> On Tue, 20 Jun 2017 18:52:49 +0200
> Prunk Dump <prunkdump at gmail.com> wrote:
> 
> > Hello.
> > 
> > I upgraded Debian from "Jessie" to "Strech"
following the Debian
> > Upgrade Handbook. I'am not using special repositories, just 
> the Debian 
> > stable branch. Everything is updated with "apt-get upgrade"
and
> > "apt-get dist-upgrade".
! I noticed that, samba-dsdb-modules in a "winbind" only install
errors again.
Not a problem, but check if samba-dsdb-modules is installed on your DC after the
upgrade.
Better, show me : 
dpkg -l | egrep "samba|?mbd|winbind|nss|talloc|tevent|tdb|ldb"


> > 
> > This upgrade is really mandatory because after two years of Debian 
> > Jessie I have encountered many difficulties with the samba 
> version. By 
> > two times the Debian security team was not able to apply security 
> > patch to the base stable Samba version. So two times Samba version 
> > change and put my network down. So I can't keep the Jessie Samba 
> > Version for two years more I want to maintain good security.
Can you point me to these 2?
> 
> Not sure if upgrading to an unreleased Debian version is a 
> good idea, you could do what I am doing, use Louis Van 
> Belle's packages on Jessie.
Rowland, Debian Stretch is released 3 days ago  ;-) 
> 
> > 
> > But now I'am very disappointed.
> > I don't understand why all my DCs have a bad 
> > "/var/lib/samba/private/secret.keytab"
> > I don't understand why Kerberos authentication does not 
> works inside 
> > Samba but works with "kinit" (like in the previous log have
sent).
We will figure this out, .. Just thinking.. 

kinit uses the defealt /etc/krb5.conf 
Samba /var/lib/samba/private/krb5.conf

System default normaly points to /etc/krb5.keytab
Samba /var/lib/samba/private/secret.keytab
> 
> I don't understand it either, but I feel it must down to at 
> least one of the packages that got upgraded and that are used 
> by Samba. Perhaps Louis can comment here, I feel he knows 
> more about what is required to get the latest version of 
> Samba working on Debian.
Im thinging, baptiste, your using nfsv4 kerberized? 
Do cat /etc/idmap.conf for me also, are you using "[Static"] user
namemappings like
principal at REALM = localusername

> 
> > 
> > I'm lost. I don't know what to do...
> > 
> > -> How can I regererate the
"/var/lib/samba/private/secret.keytab"
> > with all the 5 encryptions ?
First the info, then the fix. 
> 
> This is something Andrew is going to have to help you with, 
> but I think he gave a hint about using 'chgtdcpass'
> 
> > 
> > -> On the DC that have all the FSMO roles have made a
"samba-tool
> > dbcheck --cross-ncs --fix --yes" (as say on the samba 
> upgrade guide).
> > Do I need to do this on the others DCs ? Or is this better to first 
> > restoring replication ?
Run my samba-check-db-repl.sh script then well see what needs fixing. 
> 
> This should fix any faults in db on this machine, replication 
> should then send any changes to the other DCs, but I can see 
> no reason not to run the command on the other DCs
> 
> > 
> > -> Do I need to do a manual directory replication ?
> > 
> 
> I wouldn't at this stage, but if you can fix it on one DC and 
> the fixes don't get replicated, this may be something to 
> consider later.
> 
> Rowland
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>