Good catch. I had set server max protocol to NT1 after upgrading from
samba 3.x to 4.x. Some Windows clients had problems with SMB2 and
file shares (tho this should not really be an issue with the domain
controllers.)

I have now set the dc's to

server max protocol = SMB2
server min protocol = NT1

and the client machine to be

client max protocol = SMB2
client min protocol = NT1

But it doesn't fix the problem. I don't think the

The machine in question is not used heavily so it is possible there
was some issue prior to the latest patch.

Setting a 4.4.13 version machine to use NT1 and SMB2 as the min and
max protocols for client and server does not seem to cause a problem
with validating the domain membership.

I had compiled samba 4.5.1 some months ago in an alternate directory,
and it also fails with "net join" (although it may be picking up
library files that were updated with the system update.)

I may try rolling back the OS patches.

On 06/21/17 12:18, Rowland Penny via samba wrote:
> On Wed, 21 Jun 2017 11:55:47 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> I increased the logging to 10 on the problem member server. Didn't
>> see anything of interest.
>>
>> I did a packet capture on the PDC while typing " net rpc testjoin"
>> from both the problem member server (4.4.14) and a working member
>> server (4.4.13)
>>
>> e.g
>>
>> SMB: ----- SMB Header -----
>> SMB:
>> SMB: CLIENT REQUEST
>> SMB: Command code = 0x72
>> SMB: Command name = SMBnegprot
>> SMB:
>> SMB: SMB Status:
>> SMB: - Error class = No error
>> SMB: - Error code = No error
>> SMB:
>> SMB: Header:
>> SMB: - Tree ID (TID) = 0x0000
>> SMB: - Process ID (PID) = 0xfffe
>> SMB: - User ID (UID) = 0x0000
>> SMB: - Multiplex ID (MID) = 0x0000
>> SMB: - Flags summary = 0x18
>> SMB: - Flags2 summary = 0xc843
>> SMB:
>> SMB: ByteCount = 49
>> SMB: Dialect String = NT LANMAN 1.0
>> SMB: Dialect String = NT LM 0.12
>> SMB: Dialect String = SMB 2.002
>> SMB: Dialect String = SMB 2.???
>> SMB:
>>
>> On the working member server, the packet capture included a lot of
>> "SMB" traffic. With the problem server, all the "SMB" packets were
>> empty.
>>
>> e.g.
>>
>> SMB: ----- SMB: -----
>> SMB:
>> SMB: ""
>> SMB:
>>
>> Both machines are configured for a max protocol of SMB2. The problem
>> machine is also configured for a min protocol of SMB2.
>>
>> testparm -v
>>
>> client ipc max protocol = default
>> client max protocol = SMB2
>> server max protocol = SMB2
>>
>> client ipc min protocol = SMB2
>> client min protocol = SMB2
>> server min protocol = SMB2
>>
>> On the PDC, the log file for IP_ADDRESS_OF_PROBLEM_SERVER shows
>>
>> Non-SMB packet of length 182. Terminating server
>>
> I wonder if this has anything to do with the same reason that you have
> to set 'server max protocol = NT1' in smb.conf on the PDC if using
> Win10 clients, see here for more info:
>
> https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains#Windows_10:_There_Are_Currently_No_Logon_Servers_Available_to_Service_the_Logon_Request
>
> Rowland
>
Setting my domain controllers to use SMB2 breaks Windows domain
authentication for Windows clients. I don't know why. The clients in
question are Windows 7 and Windows 2008 R2.

Once I set the domain controllers and problem member server to

server max protocol = NT1
server min protocol = NT1
client max protocol = NT1
client min protocol = NT1

the domain join problem went away.

I don't know what would happen if I had the member servers use

server max protocol = SMB2
server min protocol = NT1

Presumably that would not affect authentication from Windows clients.

On 06/21/17 14:57, Gaiseric Vandal wrote:
> Good catch. I had set server max protocol to NT1 after upgrading from
> samba 3.x to 4.x. Some Windows clients had problems with SMB2 and
> file shares (tho this should not really be an issue with the domain
> controllers.)
>
> I have now set the dc's to
>
> server max protocol = SMB2
> server min protocol = NT1
>
> and the client machine to be
>
> client max protocol = SMB2
> client min protocol = NT1
>
> But it doesn't fix the problem. I don't think the
>
> The machine in question is not used heavily so it is possible there
> was some issue prior to the latest patch.
>
> Setting a 4.4.13 version machine to use NT1 and SMB2 as the min and
> max protocols for client and server does not seem to cause a problem
> with validating the domain membership.
>
> I had compiled samba 4.5.1 some months ago in an alternate directory,
> and it also fails with "net join" (although it may be picking up
> library files that were updated with the system update.)
>
> I may try rolling back the OS patches.
>
Hi

>>> to set 'server max protocol = NT1' in smb.conf on the PDC if using
>>> Win10 clients, see here for more info:
>>>
>>> https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains#Windows_10:_There_Are_Currently_No_Logon_Servers_Available_to_Service_the_Logon_Request
>>>
>>> Rowland
>>>

I observed the same problem with 4.4.14.

In my case it seems to be related to
https://bugzilla.samba.org/show_bug.cgi?id=12200

A net rpc join -U root fails finding the DC's

Failed to join domain: failed to find DC for domain TEST.XXX

and it seems to look for an AD-DC

dns_send_req: Failed to resolve _ldap._tcp.dc._msdcs.TEST.XXX (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
internal_resolve_name: looking up TEST.XXX#1c (sitename (null))
no entry for TEST.XXX#1C found.

If I specify a server it still tries it the AD way

net rpc join -U root -S test-pdc
No realm has been specified! Do you really want to join an Active Directory server?

Regards
Hansjörg

--
Dr. Hansjörg Maurer
itsystems Deutschland AG
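Added example, not part of any post in this thread: a check that compares the "client min/max protocol" range in one machine's testparm -v output with the "server min/max protocol" range in another's, to rule out the case where the two share no dialect. The sample outputs are constructed from the settings quoted in the thread; the alias resolution (SMB2 = SMB2_10, SMB3 = SMB3_11) is an assumption taken from the smb.conf man page for Samba 4.4.

```python
import re

# Dialects in ascending order, as listed in smb.conf(5).
ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
         "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
         "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
# Assumption: alias resolution as documented for Samba 4.4.
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}

# Matches "client|server min|max protocol = X"; the separate
# "client ipc ..." parameters are deliberately not matched.
LINE = re.compile(r"^\s*(client|server) (min|max) protocol\s*=\s*(\S+)\s*$", re.M)


def protocol_ranges(testparm_output):
    """Map 'client'/'server' to (min_rank, max_rank) from testparm -v text."""
    bounds = {}
    for side, bound, name in LINE.findall(testparm_output):
        name = ALIASES.get(name.upper(), name.upper())
        if name not in ORDER:
            raise ValueError(f"unknown dialect {name!r} for {side} {bound} protocol")
        bounds[(side, bound)] = ORDER.index(name)
    return {s: (bounds[(s, "min")], bounds[(s, "max")])
            for s in ("client", "server")
            if (s, "min") in bounds and (s, "max") in bounds}


def common_dialects(client_output, server_output):
    """Dialects the client side may offer that the server side will accept."""
    cmin, cmax = protocol_ranges(client_output)["client"]
    smin, smax = protocol_ranges(server_output)["server"]
    return ORDER[max(cmin, smin):min(cmax, smax) + 1]  # empty if no overlap


# Constructed samples, using the settings quoted in the thread.
MEMBER_SMB2_ONLY = """
client ipc max protocol = default
client max protocol = SMB2
server max protocol = SMB2
client ipc min protocol = SMB2
client min protocol = SMB2
server min protocol = SMB2
"""
DC_NT1_ONLY = "server max protocol = NT1\nserver min protocol = NT1\n"
DC_NT1_TO_SMB2 = "server max protocol = SMB2\nserver min protocol = NT1\n"
MEMBER_NT1_TO_SMB2 = "client max protocol = SMB2\nclient min protocol = NT1\n"

if __name__ == "__main__":
    print(common_dialects(MEMBER_SMB2_ONLY, DC_NT1_ONLY))
    print(common_dialects(MEMBER_NT1_TO_SMB2, DC_NT1_TO_SMB2))
```

An empty list means the two machines cannot agree on a dialect at all; a non-empty list only rules that case out and, as the thread shows, does not by itself mean the join will succeed.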