James Atwell
2020-May-16 13:40 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 5/16/2020 5:00 AM, Rowland penny via samba wrote:
> On 15/05/2020 19:52, James Atwell via samba wrote:
>> Hello,
>>
>> I upgraded two DC's to 4.12.2 from 4.11.6 before I noticed
>> authentication issues with a couple Netgear ReadyNAS we have. For
>> reference I have a total of 6 DC's with 4 running 4.11.6 and two now
>> running 4.12.2. I ran the usual ./configure,make,make install from
>> tar without issues. However running samba-tool drs showrepl I noticed
>> a couple errors. Looking through the list I found someone else with
>> the same initial problems. See thread here
>> https://lists.samba.org/archive/samba/2020-April/229230.html From
>> this thread I did what was suggested by Alex and that resolved those
>> initial errors. This brings me back to the Netgear file servers. I
>> am no longer able to authenticate the ReadyNAS with my domain. I
>> receive a join error within the Netgear dashboard with no additional
>> info. No error code, nothing. I turned up the logging on the Samba
>> server I pointed the ReadyNAS at and could see the log for the
>> administrator user I'm using to try and join and authenticate. Samba
>> shows a successful authentication but then it appears to end there.
>> Additional details below about my setup.
>
> You need to see the logs for the readynas to try and find out what is
> going on.
>
> This is what I would do:
>
> Seize the FSMO roles to one of the 4.11.6 DC's
>
> Demote the two 4.12.2 DC's
>
> Remove everything in /usr/local/samba
>
> Test if your readynas now connects to the domain again, try a re-join
> if not
>
> If you have connection, then good, if not, you need to find out why
> not and this will require seeing the readynas logs, you may have to
> ask netgear about that.
>
> Once you have connection from the readynas, run 'make install' again
> (No, you shouldn't have to totally build Samba again)
>
> Once Samba is installed again, try joining as a DC, hopefully it
> should now work.
>
> The only major change between 4.11.x and 4.12.x is that you now need
> Python 3.5, perhaps you do not have this ?
>
> Rowland
>
>

Thanks for the input. Before I do I want to add additional
troubleshooting details. Replication works among all DC's with no
obvious samba errors or windows authentication errors. I unjoined a
Windows 10 machine and rejoined to the domain without issue.
Everything else is working as it should (i.e, user creation, dns
admin, gpo's). The one other thing I did do different this time and I
should have noted previously was use the Verified Package Dependencies
from the Wiki to ensure I wasn't missing any. Other than that the
build was the same.

I haven't had to do a seize in a long time of the FSMO roles. If the
DC's I upgraded appear to be working should I just transfer or seize?
Thanks.

-James
Rowland penny
2020-May-16 13:55 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 16/05/2020 14:40, James Atwell wrote:
>
> On 5/16/2020 5:00 AM, Rowland penny via samba wrote:
>> On 15/05/2020 19:52, James Atwell via samba wrote:
>>> Hello,
>>>
>>> I upgraded two DC's to 4.12.2 from 4.11.6 before I noticed
>>> authentication issues with a couple Netgear ReadyNAS we have. For
>>> reference I have a total of 6 DC's with 4 running 4.11.6 and two now
>>> running 4.12.2. I ran the usual ./configure,make,make install from
>>> tar without issues. However running samba-tool drs showrepl I
>>> noticed a couple errors. Looking through the list I found someone
>>> else with the same initial problems. See thread here
>>> https://lists.samba.org/archive/samba/2020-April/229230.html From
>>> this thread I did what was suggested by Alex and that resolved those
>>> initial errors. This brings me back to the Netgear file servers. I
>>> am no longer able to authenticate the ReadyNAS with my domain. I
>>> receive a join error within the Netgear dashboard with no additional
>>> info. No error code, nothing. I turned up the logging on the Samba
>>> server I pointed the ReadyNAS at and could see the log for the
>>> administrator user I'm using to try and join and authenticate. Samba
>>> shows a successful authentication but then it appears to end there.
>>> Additional details below about my setup.
>>
>> You need to see the logs for the readynas to try and find out what is
>> going on.
>>
>> This is what I would do:
>>
>> Seize the FSMO roles to one of the 4.11.6 DC's
>>
>> Demote the two 4.12.2 DC's
>>
>> Remove everything in /usr/local/samba
>>
>> Test if your readynas now connects to the domain again, try a re-join
>> if not
>>
>> If you have connection, then good, if not, you need to find out why
>> not and this will require seeing the readynas logs, you may have to
>> ask netgear about that.
>>
>> Once you have connection from the readynas, run 'make install' again
>> (No, you shouldn't have to totally build Samba again)
>>
>> Once Samba is installed again, try joining as a DC, hopefully it
>> should now work.
>>
>> The only major change between 4.11.x and 4.12.x is that you now need
>> Python 3.5, perhaps you do not have this ?
>>
>> Rowland
>>
>>
>>
> Thanks for the input. Before I do I want to add additional
> troubleshooting details. Replication works among all DC's with no
> obvious samba errors or windows authentication errors. I unjoined a
> Windows 10 machine and rejoined to the domain without issue.

You didn't say that before ;-)

If everything is working except for your readynas, then it sounds like
this could be a problem with your readynas.

You do not say how old the readynas is, but are there any updates
available for it ?

Before you do anything, I would ask netgear if they are aware of this
problem, might be worth mentioning the word 'SMBv1'.

> Everything else is working as it should (i.e, user creation, dns
> admin, gpo's). The one other thing I did do different this time and I
> should have noted previously was use the Verified Package Dependencies
> from the Wiki to ensure I wasn't missing any. Other than that the
> build was the same.
>
> I haven't had to do a seize in a long time of the FSMO roles. If the
> DC's I upgraded appear to be working should I just transfer or seize?
> Thanks.
>

Simple answer, if you can transfer, then transfer, if not, then seize,
but use '--force' (this stops a useless transfer attempt).

Rowland

>
> -James
>
James Atwell
2020-May-16 16:58 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 5/16/2020 9:55 AM, Rowland penny via samba wrote:
> On 16/05/2020 14:40, James Atwell wrote:
>>
>> On 5/16/2020 5:00 AM, Rowland penny via samba wrote:
>>> On 15/05/2020 19:52, James Atwell via samba wrote:
>>>> Hello,
>>>>
>>>> I upgraded two DC's to 4.12.2 from 4.11.6 before I noticed
>>>> authentication issues with a couple Netgear ReadyNAS we have. For
>>>> reference I have a total of 6 DC's with 4 running 4.11.6 and two
>>>> now running 4.12.2. I ran the usual ./configure,make,make install
>>>> from tar without issues. However running samba-tool drs showrepl I
>>>> noticed a couple errors. Looking through the list I found someone
>>>> else with the same initial problems. See thread here
>>>> https://lists.samba.org/archive/samba/2020-April/229230.html From
>>>> this thread I did what was suggested by Alex and that resolved
>>>> those initial errors. This brings me back to the Netgear file
>>>> servers. I am no longer able to authenticate the ReadyNAS with my
>>>> domain. I receive a join error within the Netgear dashboard with
>>>> no additional info. No error code, nothing. I turned up the logging
>>>> on the Samba server I pointed the ReadyNAS at and could see the log
>>>> for the administrator user I'm using to try and join and
>>>> authenticate. Samba shows a successful authentication but then it
>>>> appears to end there. Additional details below about my setup.
>>>
>>> You need to see the logs for the readynas to try and find out what
>>> is going on.
>>>
>>> This is what I would do:
>>>
>>> Seize the FSMO roles to one of the 4.11.6 DC's
>>>
>>> Demote the two 4.12.2 DC's
>>>
>>> Remove everything in /usr/local/samba
>>>
>>> Test if your readynas now connects to the domain again, try a
>>> re-join if not
>>>
>>> If you have connection, then good, if not, you need to find out why
>>> not and this will require seeing the readynas logs, you may have to
>>> ask netgear about that.
>>>
>>> Once you have connection from the readynas, run 'make install' again
>>> (No, you shouldn't have to totally build Samba again)
>>>
>>> Once Samba is installed again, try joining as a DC, hopefully it
>>> should now work.
>>>
>>> The only major change between 4.11.x and 4.12.x is that you now need
>>> Python 3.5, perhaps you do not have this ?
>>>
>>> Rowland
>>>
>>>
>>>
>> Thanks for the input. Before I do I want to add additional
>> troubleshooting details. Replication works among all DC's with no
>> obvious samba errors or windows authentication errors. I unjoined a
>> Windows 10 machine and rejoined to the domain without issue.
>
> You didn't say that before ;-)
>
> If everything is working except for your readynas, then it sounds like
> this could be a problem with your readynas.
>
> You do not say how old the readynas is, but are there any updates
> available for it ?
>
> Before you do anything, I would ask netgear if they are aware of this
> problem, might be worth mentioning the word 'SMBv1'.
>
>> Everything else is working as it should (i.e, user creation, dns
>> admin, gpo's). The one other thing I did do different this time and
>> I should have noted previously was use the Verified Package
>> Dependencies from the Wiki to ensure I wasn't missing any. Other than
>> that the build was the same.
>>
>> I haven't had to do a seize in a long time of the FSMO roles. If the
>> DC's I upgraded appear to be working should I just transfer or seize?
>> Thanks.
>>
> Simple answer, if you can transfer, then transfer, if not, then seize,
> but use '--force' (this stops a useless transfer attempt).
>
> Rowland
>
>
>>
>> -James
>>
>
>

Rowland,

I pulled the NAS logs and below is from the last time it successfully imported the users.
------------------------------------------------------------------------
[20-05-15 00:40:42] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName
[20-05-15 00:40:43] 3288 rndb_account.c:1425 info: 111 domain groups found
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Incoming Forest Trust Builders sid=S-1-5-32-557 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Distributed COM Users sid=S-1-5-32-562 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Backup Operators sid=S-1-5-32-551 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Certificate Service DCOM Access sid=S-1-5-32-574 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Performance Monitor Users sid=S-1-5-32-558 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Network Configuration Operators sid=S-1-5-32-556 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Event Log Readers sid=S-1-5-32-573 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Administrators sid=S-1-5-32-544 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Account Operators sid=S-1-5-32-548 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Windows Authorization Access Group sid=S-1-5-32-560 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Performance Log Users sid=S-1-5-32-559 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Server Operators sid=S-1-5-32-549 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Replicator sid=S-1-5-32-552 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Cryptographic Operators sid=S-1-5-32-569 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:44] 3288 rndb_account.c:1470 debug: sAMAccountName=Users sid=S-1-5-32-545 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:44] 3288 rndb_account.c:1470 debug: sAMAccountName=Pre-Windows 2000 Compatible Access sid=S-1-5-32-554 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:44] 3288 rndb_account.c:1470 debug: sAMAccountName=Print Operators sid=S-1-5-32-550 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:44] 3288 rndb_account.c:1470 debug: sAMAccountName=Guests sid=S-1-5-32-546 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:44] 3288 rndb_account.c:1470 debug: sAMAccountName=IIS_IUSRS sid=S-1-5-32-568 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:44] 3288 rndb_account.c:1451 info: 100/111 groups imported so far
[20-05-15 00:40:44] 3288 rndb_account.c:1470 debug: sAMAccountName=Remote Desktop Users sid=S-1-5-32-555 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:44] 3288 rndb_account.c:1470 debug: sAMAccountName=Terminal Server License Servers sid=S-1-5-32-561 is not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:44] 3288 rndb_account.c:1555 info: 111/111 groups imported in 1658ms.
[20-05-15 00:40:44] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search open: LANG=C net -P ads search \(\&\(objectClass=user\)\(\!\(sAMAccountType=805306369\)\)\(\!\(sAMAccountType=805306370\)\)\) sAMAccountName objectSid distinguishedName mail primaryGroupID memberOf cn
[20-05-15 00:40:45] 3288 rndb_account.c:1136 info: 226 domain user found
[20-05-15 00:40:45] 3288 rndb_account.c:1167 info: 100/226 users imported so far
[20-05-15 00:40:46] 3288 rndb_account.c:1167 info: 200/226 users imported so far
[20-05-15 00:40:46] 3288 rndb_account.c:1362 info: 226/226 users imported in 2064ms.
[20-05-15 00:40:46] 3288 rndb_ads_utils.c:237 info: ADS CMD::update domain sid (group-admin): wbinfo --sid-to-gid S-1-5-21-940051827-2291820289-3341758437-512
[20-05-15 00:40:46] 3288 rndb_ads_utils.c:287 info: ADS CMD::update domain sid (user-admin): wbinfo --sid-to-uid S-1-5-21-940051827-2291820289-3341758437-500
------------------------------------------------------------------------

Next is when it began to fail to import after I upgraded to 4.12.2.

------------------------------------------------------------------------
[20-05-15 10:42:01] 3288 rndb_account.c:2577 info: ******************ADS Import Starts*********************
[20-05-15 10:42:02] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName
[20-05-15 10:42:05] 3288 rndb_ads_utils.c:190 error: Parse error on cmd=<LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName> output:
[20-05-15 10:42:15] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName
[20-05-15 10:42:16] 3288 rndb_ads_utils.c:190 error: Parse error on cmd=<LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName> output:
[20-05-15 10:42:26] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName
[20-05-15 10:42:29] 3288 rndb_ads_utils.c:190 error: Parse error on cmd=<LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName> output:
[20-05-15 10:42:39] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName
[20-05-15 10:42:41] 3288 rndb_ads_utils.c:190 error: Parse error on cmd=<LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName> output:
[20-05-15 10:42:51] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName
[20-05-15 10:42:54] 3288 rndb_ads_utils.c:190 error: Parse error on cmd=<LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName> output:
[20-05-15 10:43:04] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName
[20-05-15 10:43:06] 3288 rndb_ads_utils.c:190 error: Parse error on cmd=<LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName> output:
[20-05-15 10:43:06] 3288 rndb_account.c:1413 error: Cannot open LDAP search with filter (objectClass=group). Check network.
[20-05-15 10:43:06] 3288 rndb_account.c:1563 error: _rndb_account_domain_group_import() ==> 9 (64047ms)
[20-05-15 10:43:06] 3288 rndb_account.c:2614 error: rndb_ads_account_import() ==> 1 (65553ms)
[20-05-15 10:43:06] 3288 rndb_api.c:1205 error: rndb_import_nolock() ==> 1 (65559ms)
[20-05-15 10:47:29] 2967 rndb_ads_utils.c:97 info: ADS CMD::get domain sid: net getdomainsid
[20-05-15 10:47:29] 2967 rndb_account.c:623 info: Local user import has started
[20-05-15 10:47:29] 2967 rndb_account.c:626 info: Removing all users from $user table excluding ADS users if exist
[20-05-15 10:47:31] 2967 rndb_account.c:780 info: Local group import has started
[20-05-15 10:47:31] 2967 rndb_ads_utils.c:237 info: ADS CMD::update domain sid (group-admin): wbinfo --sid-to-gid S-1-5-21-940051827-2291820289-3341758437-512
[20-05-15 10:47:31] 2967 rndb_ads_utils.c:287 info: ADS CMD::update domain sid (user-admin): wbinfo --sid-to-uid S-1-5-21-940051827-2291820289-3341758437-500
------------------------------------------------------------------------

The above repeats with every attempt to import the users. I have several Ready NAS with different model types. The oldest is around 5 years old with the others being less than 2. All are updated to current firmware. It doesn't help that the option to download the logs includes 90 files with the filenames not being very descriptive. The logs from above are from a file titled ADS.

Anything stand out from the ReadyNAS logs? Thanks.

-James
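Added example (not part of the thread, and not Netgear or Samba code): a Python script that groups lines in the ReadyNAS ADS log format quoted above into LDAP search episodes, so the retry-until-give-up pattern with empty command output stands out from a normal import. The sample lines are abridged from the log in the message above, with the failing run shortened to three attempts; the function names are hypothetical.

```python
import re
from datetime import datetime

# Sample input, abridged from the "ADS" log quoted in the message above
# (the failing run is shortened to three attempts for brevity).
CMD = r"LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName"
OPEN = " 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search open: " + CMD
FAIL = " 3288 rndb_ads_utils.c:190 error: Parse error on cmd=<" + CMD + "> output:"
SAMPLE_LOG = "\n".join([
    "[20-05-15 00:40:42]" + OPEN,
    "[20-05-15 00:40:43] 3288 rndb_account.c:1425 info: 111 domain groups found",
    "[20-05-15 00:40:44] 3288 rndb_account.c:1555 info: 111/111 groups imported in 1658ms.",
    "[20-05-15 10:42:02]" + OPEN,
    "[20-05-15 10:42:05]" + FAIL,
    "[20-05-15 10:42:15]" + OPEN,
    "[20-05-15 10:42:16]" + FAIL,
    "[20-05-15 10:42:26]" + OPEN,
    "[20-05-15 10:42:29]" + FAIL,
    "[20-05-15 10:42:29] 3288 rndb_account.c:1413 error: "
    "Cannot open LDAP search with filter (objectClass=group). Check network.",
])

# [timestamp] pid source.c:line level: message
LINE_RE = re.compile(r"^\[(\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\] (\d+) \S+:\d+ (\w+): (.*)$")
PARSE_ERR_RE = re.compile(r"^Parse error on cmd=<(.*)> output:(.*)$")
FOUND_RE = re.compile(r"^\d+ domain \w+ found")


def import_episodes(log_text):
    """Group log lines into one record per LDAP search, counting retries."""
    episodes, current = [], {}            # current: pid -> episode in progress
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # not a log line in this format
        ts, pid, _level, msg = m.groups()
        if "ldap search open:" in msg:
            cmd = msg.split("ldap search open:", 1)[1].strip()
            ep = current.get(pid)
            if ep and ep["cmd"] == cmd and ep["status"] == "retrying":
                ep["attempts"] += 1       # same command re-run after a failure
                ep["status"] = "pending"
            else:
                ep = {"start": datetime.strptime(ts, "%y-%m-%d %H:%M:%S"),
                      "pid": pid, "cmd": cmd, "attempts": 1,
                      "parse_errors": 0, "empty_output": 0, "status": "pending"}
                episodes.append(ep)
                current[pid] = ep
            continue
        ep = current.get(pid)
        if ep is None:
            continue
        err = PARSE_ERR_RE.match(msg)
        if err:
            ep["parse_errors"] += 1
            # Nothing after "output:" means the command returned no text at all.
            ep["empty_output"] += int(err.group(2).strip() == "")
            ep["status"] = "retrying"
        elif FOUND_RE.match(msg):
            ep["status"] = "ok"
        elif msg.startswith("Cannot open LDAP search"):
            ep["status"] = "gave_up"
    return episodes


def failed_imports(episodes):
    """Episodes that never reached an 'N domain ... found' line."""
    return [e for e in episodes if e["status"] != "ok"]


if __name__ == "__main__":
    for e in import_episodes(SAMPLE_LOG):
        print(e["start"], "pid", e["pid"], e["status"],
              "attempts=%d parse_errors=%d empty_output=%d"
              % (e["attempts"], e["parse_errors"], e["empty_output"]))
```

An episode where every parse error has empty output means the `net -P ads search` call itself produced nothing for the NAS to parse, which is the place to look next on the client side.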
James Atwell
2020-May-16 17:41 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 5/16/2020 9:55 AM, Rowland penny via samba wrote:
> On 16/05/2020 14:40, James Atwell wrote:
>>
>> On 5/16/2020 5:00 AM, Rowland penny via samba wrote:
>>> On 15/05/2020 19:52, James Atwell via samba wrote:
>>>> Hello,
>>>>
>>>> I upgraded two DC's to 4.12.2 from 4.11.6 before I noticed
>>>> authentication issues with a couple Netgear ReadyNAS we have. For
>>>> reference I have a total of 6 DC's with 4 running 4.11.6 and two
>>>> now running 4.12.2. I ran the usual ./configure,make,make install
>>>> from tar without issues. However running samba-tool drs showrepl I
>>>> noticed a couple errors. Looking through the list I found someone
>>>> else with the same initial problems. See thread here
>>>> https://lists.samba.org/archive/samba/2020-April/229230.html From
>>>> this thread I did what was suggested by Alex and that resolved
>>>> those initial errors. This brings me back to the Netgear file
>>>> servers. I am no longer able to authenticate the ReadyNAS with my
>>>> domain. I receive a join error within the Netgear dashboard with
>>>> no additional info. No error code, nothing. I turned up the logging
>>>> on the Samba server I pointed the ReadyNAS at and could see the log
>>>> for the administrator user I'm using to try and join and
>>>> authenticate. Samba shows a successful authentication but then it
>>>> appears to end there. Additional details below about my setup.
>>>
>>> You need to see the logs for the readynas to try and find out what
>>> is going on.
>>>
>>> This is what I would do:
>>>
>>> Seize the FSMO roles to one of the 4.11.6 DC's
>>>
>>> Demote the two 4.12.2 DC's
>>>
>>> Remove everything in /usr/local/samba
>>>
>>> Test if your readynas now connects to the domain again, try a
>>> re-join if not
>>>
>>> If you have connection, then good, if not, you need to find out why
>>> not and this will require seeing the readynas logs, you may have to
>>> ask netgear about that.
>>>
>>> Once you have connection from the readynas, run 'make install' again
>>> (No, you shouldn't have to totally build Samba again)
>>>
>>> Once Samba is installed again, try joining as a DC, hopefully it
>>> should now work.
>>>
>>> The only major change between 4.11.x and 4.12.x is that you now need
>>> Python 3.5, perhaps you do not have this ?
>>>
>>> Rowland
>>>
>>>
>>>
>> Thanks for the input. Before I do I want to add additional
>> troubleshooting details. Replication works among all DC's with no
>> obvious samba errors or windows authentication errors. I unjoined a
>> Windows 10 machine and rejoined to the domain without issue.
>
> You didn't say that before ;-)
>
> If everything is working except for your readynas, then it sounds like
> this could be a problem with your readynas.
>
> You do not say how old the readynas is, but are there any updates
> available for it ?
>
> Before you do anything, I would ask netgear if they are aware of this
> problem, might be worth mentioning the word 'SMBv1'.
>
>> Everything else is working as it should (i.e, user creation, dns
>> admin, gpo's). The one other thing I did do different this time and
>> I should have noted previously was use the Verified Package
>> Dependencies from the Wiki to ensure I wasn't missing any. Other than
>> that the build was the same.
>>
>> I haven't had to do a seize in a long time of the FSMO roles. If the
>> DC's I upgraded appear to be working should I just transfer or seize?
>> Thanks.
>>
> Simple answer, if you can transfer, then transfer, if not, then seize,
> but use '--force' (this stops a useless transfer attempt).
>
> Rowland
>
>
>>
>> -James
>>
>
>

So I suppose I still have trouble with my domain.

root at pfdc1:/# net ads user info administrator -U administrator
Enter administrator's password:
kerberos_kinit_password SAMBA at SAMBA.LOCAL failed: Client not found in Kerberos database
kerberos_kinit_password SAMBA at SAMBA.LOCAL failed: Client not found in Kerberos database