I increased the logging to 10 on the problem member server. Didn't see
anything of interest.
I did a packet capture on the PDC while typing "net rpc testjoin" from
both the problem member server (4.4.14) and a working member server
(4.4.13)
e.g
SMB: ----- SMB Header -----
SMB:
SMB: CLIENT REQUEST
SMB: Command code = 0x72
SMB: Command name = SMBnegprot
SMB:
SMB: SMB Status:
SMB: - Error class = No error
SMB: - Error code = No error
SMB:
SMB: Header:
SMB: - Tree ID (TID) = 0x0000
SMB: - Process ID (PID) = 0xfffe
SMB: - User ID (UID) = 0x0000
SMB: - Multiplex ID (MID) = 0x0000
SMB: - Flags summary = 0x18
SMB: - Flags2 summary = 0xc843
SMB:
SMB: ByteCount = 49
SMB: Dialect String = NT LANMAN 1.0
SMB: Dialect String = NT LM 0.12
SMB: Dialect String = SMB 2.002
SMB: Dialect String = SMB 2.???
SMB:
On the working member server, the packet capture included a lot of "SMB"
traffic. With the problem server, all the "SMB" packets were empty.
e.g.
SMB: ----- SMB: -----
SMB:
SMB: ""
SMB:
Both machines are configured for a max protocol of SMB2. The problem
machine is also configured for a min protocol of SMB2.
testparm -v
client ipc max protocol = default
client max protocol = SMB2
server max protocol = SMB2
client ipc min protocol = SMB2
client min protocol = SMB2
server min protocol = SMB2
On the PDC, the log file for IP_ADDRESS_OF_PROBLEM_SERVER shows
Non-SMB packet of length 182. Terminating server
On 06/21/17 04:52, Andrew Bartlett wrote:
> On Tue, 2017-06-20 at 17:23 -0400, Gaiseric Vandal via samba wrote:
>> I have several Samba 4.4.x servers (Solaris 11 x86_x64) in a samba
>> classic domain. Samba patches are provided via the Oracle solaris
>> package update system.
>>
>>
>> The two domain controllers are running Samba 4.4.8.
>>
>>
>> A few weeks ago I ran the latest package updates on a non-critical
>> server, which brought it up to 4.4.13. All was OK as far as I could
>> tell. This weekend I updated packages and brought the server up to
>> 4.1.14.
>>
>> This appears to have broken compatibility with the domain.
>>
>> root at memberserver1:~# net rpc testjoin
>> Join to domain 'MYDOMAIN' is not valid:
>> NT_STATUS_CONNECTION_DISCONNECTED
>> root at memberserver1:~#
>>
>>
>> root at memberserver1:~# net rpc join -U Administrator -S PDCServerName
>> Enter Administrator's password:
>> Failed to join domain: failed to lookup DC info for domain
>> 'MYDOMAIN' over rpc: The transport connection is now disconnected.
>> root at memberserver1:~#
>>
>>
>> root at memberserver1:~# net rpc join -U Administrator -S PDCServerIP
>> Enter Administrator's password:
>> Failed to join domain: failed to lookup DC info for domain
>> 'MYDOMAIN' over rpc: The transport connection is now disconnected.
>> root at memberserver1:~#
>>
>>
>> "nslookup PDCServer" and "ping PDCServer" both work fine.
>>
>>
>> I suspect 4.4.14 was not tested in a classic domain and that I may be
>> out of luck.
> I would first suggest running a more recently supported version, but I
> suggest that you read the logs and see where it stops. Turn up the log
> level if need be.
>
> Samba is tested as a classic DC in our autobuild system, so this isn't
> just globally broken for everyone, it will be something OS or site-
> specific.
>
> Sorry,
>
> Andrew Bartlett
On Wed, 21 Jun 2017 11:55:47 -0400 Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
> I increased the logging to 10 on the problem member server. Didn't
> see anything of interest.
>
> I did a packet capture on the PDC while typing "net rpc testjoin"
> from both the problem member server (4.4.14) and a working member
> server (4.4.13)
>
> e.g
>
> SMB: ----- SMB Header -----
> SMB:
> SMB: CLIENT REQUEST
> SMB: Command code = 0x72
> SMB: Command name = SMBnegprot
> SMB:
> SMB: SMB Status:
> SMB: - Error class = No error
> SMB: - Error code = No error
> SMB:
> SMB: Header:
> SMB: - Tree ID (TID) = 0x0000
> SMB: - Process ID (PID) = 0xfffe
> SMB: - User ID (UID) = 0x0000
> SMB: - Multiplex ID (MID) = 0x0000
> SMB: - Flags summary = 0x18
> SMB: - Flags2 summary = 0xc843
> SMB:
> SMB: ByteCount = 49
> SMB: Dialect String = NT LANMAN 1.0
> SMB: Dialect String = NT LM 0.12
> SMB: Dialect String = SMB 2.002
> SMB: Dialect String = SMB 2.???
> SMB:
>
> On the working member server, the packet capture included a lot of
> "SMB" traffic. With the problem server, all the "SMB" packets were
> empty.
>
> e.g.
>
> SMB: ----- SMB: -----
> SMB:
> SMB: ""
> SMB:
>
> Both machines are configured for a max protocol of SMB2. The problem
> machine is also configured for a min protocol of SMB2.
>
> testparm -v
>
> client ipc max protocol = default
> client max protocol = SMB2
> server max protocol = SMB2
>
> client ipc min protocol = SMB2
> client min protocol = SMB2
> server min protocol = SMB2
>
> On the PDC, the log file for IP_ADDRESS_OF_PROBLEM_SERVER shows
>
> Non-SMB packet of length 182. Terminating server
>
I wonder if this has anything to do with the same reason that you have
to set 'server max protocol = NT1' in smb.conf on the PDC if using
Win10 clients, see here for more info:
https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains#Windows_10:_There_Are_Currently_No_Logon_Servers_Available_to_Service_the_Logon_Request
Rowland
Good catch. I had set server max protocol to NT1 after upgrading from
samba 3.x to 4.x. Some windows clients had problems with SMB2 and
file shares (tho this should not really be an issue with the domain
controllers.)
I have now set the dc's to
server max protocol = SMB2
server min protocol = NT1
and the client machine to be
client max protocol = SMB2
client min protocol = NT1
But it doesn't fix the problem. I don't think the
The machine in question is not used heavily so it is possible there was
some issue prior to the latest patch.
Setting a 4.4.13 version machine to use NT1 and SMB2 as the min and max
protocols for client and server does not seem to cause problems with
validating the domain membership.
I had compiled samba 4.5.1 some months ago in an alternate directory,
and it also fails with "net join" (although it may be picking up library
files that were updated with the system update.)
I may try rolling back the OS patches.
On 06/21/17 12:18, Rowland Penny via samba wrote:
> On Wed, 21 Jun 2017 11:55:47 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> I increased the logging to 10 on the problem member server. Didn't
>> see anything of interest.
>>
>> I did a packet capture on the PDC while typing "net rpc testjoin"
>> from both the problem member server (4.4.14) and a working member
>> server (4.4.13)
>>
>> e.g
>>
>> SMB: ----- SMB Header -----
>> SMB:
>> SMB: CLIENT REQUEST
>> SMB: Command code = 0x72
>> SMB: Command name = SMBnegprot
>> SMB:
>> SMB: SMB Status:
>> SMB: - Error class = No error
>> SMB: - Error code = No error
>> SMB:
>> SMB: Header:
>> SMB: - Tree ID (TID) = 0x0000
>> SMB: - Process ID (PID) = 0xfffe
>> SMB: - User ID (UID) = 0x0000
>> SMB: - Multiplex ID (MID) = 0x0000
>> SMB: - Flags summary = 0x18
>> SMB: - Flags2 summary = 0xc843
>> SMB:
>> SMB: ByteCount = 49
>> SMB: Dialect String = NT LANMAN 1.0
>> SMB: Dialect String = NT LM 0.12
>> SMB: Dialect String = SMB 2.002
>> SMB: Dialect String = SMB 2.???
>> SMB:
>>
>>
>>
>> On the working member server, the packet capture included a lot of
>> "SMB" traffic. With the problem server, all the "SMB" packets were
>> empty.
>>
>> e.g.
>>
>> SMB: ----- SMB: -----
>> SMB:
>> SMB: ""
>> SMB:
>>
>>
>>
>>
>> Both machines are configured for a max protocol of SMB2. The problem
>> machine is also configured for a min protocol of SMB2.
>>
>>
>> testparm -v
>>
>> client ipc max protocol = default
>> client max protocol = SMB2
>> server max protocol = SMB2
>>
>> client ipc min protocol = SMB2
>> client min protocol = SMB2
>> server min protocol = SMB2
>>
>> On the PDC, the log file for IP_ADDRESS_OF_PROBLEM_SERVER shows
>>
>>
>> Non-SMB packet of length 182. Terminating server
>>
>>
> I wonder if this has anything to do with the same reason that you have
> to set 'server max protocol = NT1' in smb.conf on the PDC if using
> Win10 clients, see here for more info:
>
>
> https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains#Windows_10:_There_Are_Currently_No_Logon_Servers_Available_to_Service_the_Logon_Request
>
> Rowland
>
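The min/max protocol comparison this thread revolves around, written out as an added example (not part of any poster's message and not Samba code): it parses `testparm -v` style lines from a member and a DC and reports which protocol levels both ends allow. The function names, the treatment of `default` or missing values as "no limit", and the alias mapping are assumptions of this sketch.

```python
import re

# Samba protocol levels, lowest first (names as accepted by smb.conf).
ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
         "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
         "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
# Assumption: "SMB2" and "SMB3" are shorthands for these levels.
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
LINE = re.compile(
    r"^[ \t]*(client ipc|client|server) (min|max) protocol[ \t]*=[ \t]*(\S+)",
    re.M)

def parse_protocols(text):
    """Map e.g. 'client ipc min' -> index into ORDER (None for 'default')."""
    cfg = {}
    for side, bound, value in LINE.findall(text):
        name = ALIASES.get(value.upper(), value.upper())
        cfg[f"{side} {bound}"] = ORDER.index(name) if name in ORDER else None
    return cfg

def common_protocols(client_cfg, server_cfg, side="client ipc"):
    """Levels both ends allow; an empty list means no level can be agreed."""
    def pick(cfg, key, fallback):
        # Assumption: a missing or 'default' value imposes no limit.
        value = cfg.get(key)
        return fallback if value is None else value
    top = len(ORDER) - 1
    low = max(pick(client_cfg, f"{side} min", 0), pick(server_cfg, "server min", 0))
    high = min(pick(client_cfg, f"{side} max", top), pick(server_cfg, "server max", top))
    return ORDER[low:high + 1]

# Member settings copied from the testparm excerpt in the thread.
MEMBER = """
client ipc max protocol = default
client max protocol = SMB2
server max protocol = SMB2
client ipc min protocol = SMB2
client min protocol = SMB2
server min protocol = SMB2
"""
# PDC settings as described in the thread, before and after the change.
PDC_BEFORE = "server max protocol = NT1\n"
PDC_AFTER = "server max protocol = SMB2\nserver min protocol = NT1\n"

if __name__ == "__main__":
    member = parse_protocols(MEMBER)
    for label, pdc in (("before", PDC_BEFORE), ("after", PDC_AFTER)):
        print(label, common_protocols(member, parse_protocols(pdc)))
```

An overlap only rules out a protocol-level mismatch; the thread reports the join still failing after the DC settings were changed.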