Hi!

I upgraded my 3 DCs to Samba 4.8.2 (no more errors, and replication is OK with KCC), but the message about Squid with NTLM persists, and it doesn't work anymore...

May 18 11:50:43 DC3 samba: conn[named_pipe] c[unix:] s[unix:/opt/samba/var/run/ncalrpc/np/netlogon] server_id[2157][2157]: schannel_check_required: [LOJA09A] is not using schannel

Any idea?

Regards;

On 18-05-2018 12:24, Carlos wrote:
> More information:
>
> Machine [LOJA09A] is my Squid proxy with NTLM; it isn't working now...
>
> Winbind is OK (lists users and groups), but not authentication!!
>
> Squid
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 25 startup=0 idle=1
> auth_param ntlm keep_alive on
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 25 startup=5 idle=1
> auth_param basic realm Autenticacao Proxy Server
> auth_param basic credentialsttl 2 hours
>
> Any idea?
>
> Regards;
>
> On 18-05-2018 11:54, Carlos wrote:
>> Hi!
>>
>> I upgraded DC2 and DC3. I will upgrade DC1, but I will wait.
>>
>> In DC3 don't correct message... :-|
>>
>> In DC2/DC3 there is a new message in syslog
>>
>> many messages equal to this in syslog:
>>
>> May 18 11:50:43 DC3 samba: conn[named_pipe] c[unix:] s[unix:/opt/samba/var/run/ncalrpc/np/netlogon] server_id[2157][2157]: schannel_check_required: [LOJA09A] is not using schannel
>>
>> What is this?
>>
>> Regards
>>
>> On 18-05-2018 10:26, Carlos wrote:
>>> Hi!
>>>
>>> "sambaundoguididx" several errors...
>>>
>>> https://lists.samba.org/archive/samba/2018-March/214530.html
>>>
>>> I will upgrade Samba to 4.8.2 to test if it will correct the error
>>>
>>> Regards;
>>>
>>> On 18-05-2018 10:07, Rowland Penny via samba wrote:
>>>> On Fri, 18 May 2018 09:51:29 -0300
>>>> Carlos via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Hi!
>>>>>
>>>>> uhum.....
>>>>>
>>>>> I upgraded DC3 (4.7.7 to 4.8.0) some months ago but an error
>>>>> occurred, then demoted the DC and joined again. Is it some rubbish that got
>>>>> stuck?
>>>> Did you run 'sambaundoguididx' before the demote and speaking of
>>>> demote, why did you demote, you could just have installed the earlier
>>>> Samba version over 4.8.0
>>>>
>>>>> Upgrade Samba 4.7.7 to Samba 4.8.2, is it ok? or not?
>>>> Oh yes, 4.8.2 is fully working, just don't use 4.8.0 or 4.8.1
>>>>
>>>> Rowland

On Sun, 2018-05-20 at 15:59 -0300, Carlos via samba wrote:
> Hi!
>
> I upgraded my 3 DCs to Samba 4.8.2 (no more errors, and replication is OK
> with KCC), but the message about Squid with NTLM persists, and it doesn't work anymore...
>
> May 18 11:50:43 DC3 samba: conn[named_pipe] c[unix:]
> s[unix:/opt/samba/var/run/ncalrpc/np/netlogon] server_id[2157][2157]:
> schannel_check_required: [LOJA09A] is not using schannel
>
> Any idea?

https://www.samba.org/samba/history/samba-4.8.0.html

This states that 'server schannel' changed to yes (was auto), meaning that clients must use a secure connection to talk to the server when checking NTLM credentials.

You may have mistakenly disabled this important security feature on your squid server.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

uhum, I had understood wrong, but I understand correctly now.
I will test and report the result.
Thanks :-)

Regards;

On 20-05-2018 18:29, Andrew Bartlett wrote:
> On Sun, 2018-05-20 at 16:41 -0300, Carlos wrote:
>> Hi!
>>
>> Thanks again!
>>
>> I will use option "client schannel = auto" in DC, for test...
> No, that option is for the client. You need to set client schannel
> yes or auto on your squid server.
>
> To just revert to the 4.7 behaviour short term on the DC, you need to
> set 'server schannel = auto'.
>
> Please make getting the DC back to 'server schannel = yes' a priority,
> because the option will be removed (and so forced to yes) in Samba 4.9.
>
> Andrew Bartlett

Hi!

In smb.conf on the Squid server, I don't know why the configuration was "client schannel = no"; I changed it to "client schannel = auto", and now it is OK :-D

Thanks very much.

Regards;

On 20-05-2018 18:56, Carlos wrote:
> uhum, I had understood wrong, but I understand correctly now.
> I will test and report the result.
> Thanks :-)
>
> Regards;
>
> On 20-05-2018 18:29, Andrew Bartlett wrote:
>> On Sun, 2018-05-20 at 16:41 -0300, Carlos wrote:
>>> Hi!
>>>
>>> Thanks again!
>>>
>>> I will use option "client schannel = auto" in DC, for test...
>> No, that option is for the client. You need to set client schannel
>> yes or auto on your squid server.
>>
>> To just revert to the 4.7 behaviour short term on the DC, you need to
>> set 'server schannel = auto'.
>>
>> Please make getting the DC back to 'server schannel = yes' a priority,
>> because the option will be removed (and so forced to yes) in Samba 4.9.
>>
>> Andrew Bartlett
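
A defender-side check for the situation in this thread, as an added example that is not part of the original messages: it lists which machines a DC log reports as not using schannel and flags the smb.conf schannel settings the thread discusses. The function names, the sample smb.conf and every log line except the first are constructed for illustration.

```python
import re
from collections import Counter

# Matches the DC log message quoted in the thread; captures the machine name.
NO_SCHANNEL = re.compile(r"schannel_check_required: \[([^\]]+)\] is not using schannel")
TRUE_VALUES = {"yes", "true", "1"}

def clients_without_schannel(log_lines):
    """Count, per machine, the netlogon connections logged as not using schannel."""
    hits = Counter()
    for line in log_lines:
        m = NO_SCHANNEL.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def weak_schannel_settings(smb_conf_text):
    """Return (line_no, parameter, value) where 'client schannel' is not
    yes/auto or 'server schannel' is not yes, the targets named in the thread."""
    findings = []
    for no, raw in enumerate(smb_conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # skip blanks, comments and section headers
        name, value = line.split("=", 1)
        # smb.conf parameter names ignore case and internal whitespace.
        name = re.sub(r"\s+", "", name).lower()
        value = value.strip().lower()
        if name == "clientschannel" and value not in TRUE_VALUES | {"auto"}:
            findings.append((no, "client schannel", value))
        elif name == "serverschannel" and value not in TRUE_VALUES:
            findings.append((no, "server schannel", value))
    return findings

# Sample input: first log line is from the thread, the rest is constructed.
SAMPLE_LOG = [
    "May 18 11:50:43 DC3 samba: conn[named_pipe] c[unix:] s[unix:/opt/samba/var/run/ncalrpc/np/netlogon] server_id[2157][2157]: schannel_check_required: [LOJA09A] is not using schannel",
    "May 18 11:50:44 DC3 samba: schannel_check_required: [LOJA09A] is not using schannel",
    "May 18 11:51:02 DC2 samba: schannel_check_required: [EXAMPLE-PC] is not using schannel",
    "May 18 11:51:05 DC2 samba: constructed unrelated line",
]
SAMPLE_CONF = """\
[global]
    workgroup = EXAMPLE
    Client Schannel = No
    ; server schannel = yes
    server schannel = auto
"""

if __name__ == "__main__":
    print(dict(clients_without_schannel(SAMPLE_LOG)))
    print(weak_schannel_settings(SAMPLE_CONF))
```

Running the log check on each DC while 'server schannel = auto' is temporarily set shows which members still need their client setting fixed before the DC goes back to 'server schannel = yes'.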