James Atwell
2020-May-16 23:24 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 5/16/2020 2:02 PM, Rowland penny via samba wrote:
> On 16/05/2020 18:41, James Atwell wrote:
>>
>> On 5/16/2020 9:55 AM, Rowland penny via samba wrote:
>>> On 16/05/2020 14:40, James Atwell wrote:
>>>>
>>>> On 5/16/2020 5:00 AM, Rowland penny via samba wrote:
>>>>> On 15/05/2020 19:52, James Atwell via samba wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I upgraded two DC's to 4.12.2 from 4.11.6 before I noticed authentication issues with a couple Netgear ReadyNAS we have. For reference I have a total of 6 DC's with 4 running 4.11.6 and two now running 4.12.2. I ran the usual ./configure, make, make install from tar without issues. However running samba-tool drs showrepl I noticed a couple errors. Looking through the list I found someone else with the same initial problems. See thread here https://lists.samba.org/archive/samba/2020-April/229230.html From this thread I did what was suggested by Alex and that resolved those initial errors. This brings me back to the Netgear file servers. I am no longer able to authenticate the ReadyNAS with my domain. I receive a join error within the Netgear dashboard with no additional info. No error code, nothing. I turned up the logging on the Samba server I pointed the ReadyNAS at and could see the log for the administrator user I'm using to try and join and authenticate. Samba shows a successful authentication but then it appears to end there. Additional details below about my setup.
>>>>>
>>>>> You need to see the logs for the readynas to try and find out what is going on.
>>>>>
>>>>> This is what I would do:
>>>>>
>>>>> Seize the FSMO roles to one of the 4.11.6 DC's
>>>>>
>>>>> Demote the two 4.12.2 DC's
>>>>>
>>>>> Remove everything in /usr/local/samba
>>>>>
>>>>> Test if your readynas now connects to the domain again, try a re-join if not
>>>>>
>>>>> If you have connection, then good, if not, you need to find out why not and this will require seeing the readynas logs, you may have to ask netgear about that.
>>>>>
>>>>> Once you have connection from the readynas, run 'make install' again (No, you shouldn't have to totally build Samba again)
>>>>>
>>>>> Once Samba is installed again, try joining as a DC, hopefully it should now work.
>>>>>
>>>>> The only major change between 4.11.x and 4.12.x is that you now need Python 3.5, perhaps you do not have this ?
>>>>>
>>>>> Rowland
>>>>>
>>>> Thanks for the input. Before I do I want to add additional troubleshooting details. Replication works among all DC's with no obvious samba errors or windows authentication errors. I unjoined a Windows 10 machine and rejoined to the domain without issue.
>>>
>>> You didn't say that before ;-)
>>>
>>> If everything is working except for your readynas, then it sounds like this could be a problem with your readynas.
>>>
>>> You do not say how old the readynas is, but are there any updates available for it ?
>>>
>>> Before you do anything, I would ask netgear if they are aware of this problem, might be worth mentioning the word 'SMBv1'.
>>>
>>>> Everything else is working as it should (i.e., user creation, dns admin, gpo's). The one other thing I did do different this time and I should have noted previously was use the Verified Package Dependencies from the Wiki to ensure I wasn't missing any. Other than that the build was the same.
>>>>
>>>> I haven't had to do a seize in a long time of the FSMO roles. If the DC's I upgraded appear to be working should I just transfer or seize? Thanks.
>>>>
>>> Simple answer, if you can transfer, then transfer, if not, then seize, but use '--force' (this stops a useless transfer attempt).
>>>
>>> Rowland
>>>
>>>> -James
>>>>
>> So I suppose I still have trouble with my domain.
>>
>> root@pfdc1:/# net ads user info administrator -U administrator
>>
>> Enter administrator's password:
>> kerberos_kinit_password SAMBA@SAMBA.LOCAL failed: Client not found in Kerberos database
>>
>> kerberos_kinit_password SAMBA@SAMBA.LOCAL failed: Client not found in Kerberos database
>
> Well that sorts that out, '-P' isn't working ;-)
>
> Is this on one of the 4.12 DC's or a 4.11 DC ?
>
> Rowland
>
Forgot to add that kinit works though.

root@dundc3:~# kinit administrator
Password for administrator@SAMBA.LOCAL:
root@dundc3:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMBA.LOCAL

Valid starting       Expires              Service principal
05/16/2020 19:22:03  05/17/2020 05:22:03  krbtgt/SAMBA.LOCAL@SAMBA.LOCAL
        renew until 05/17/2020 19:21:59

-James
Rowland penny
2020-May-17 09:29 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 17/05/2020 00:24, James Atwell wrote:
>>> So I suppose I still have trouble with my domain.
>>>
>>> root@pfdc1:/# net ads user info administrator -U administrator
>>>
>>> Enter administrator's password:
>>> kerberos_kinit_password SAMBA@SAMBA.LOCAL failed: Client not found in Kerberos database
>>>
>>> kerberos_kinit_password SAMBA@SAMBA.LOCAL failed: Client not found in Kerberos database

No, you might not have anything wrong with the domain.

Does this look familiar ?

root@dc01:~# net ads user info administrator -U administrator
Enter administrator's password:
kerberos_kinit_password SAMDOM@SAMDOM.EXAMPLE.COM failed: Client not found in Kerberos database
kerberos_kinit_password SAMDOM@SAMDOM.EXAMPLE.COM failed: Client not found in Kerberos database

This happens on both my DC's, one is running 4.10.14, the other 4.11.7

But on a domain joined rpi running 4.11.7:

pi@raspberrypi:~ $ sudo net ads user info administrator -U administrator
Enter administrator's password:
Domain Users
Domain Admins
Administrators
Enterprise Admins
Group Policy Creator Owners
Schema Admins

Do you have a Unix domain member you could test from ?

It is looking like it is a problem with your readynas.

Rowland
James Atwell
2020-May-17 15:54 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 5/17/2020 5:29 AM, Rowland penny via samba wrote:
> On 17/05/2020 00:24, James Atwell wrote:
>>>> So I suppose I still have trouble with my domain.
>>>>
>>>> root@pfdc1:/# net ads user info administrator -U administrator
>>>>
>>>> Enter administrator's password:
>>>> kerberos_kinit_password SAMBA@SAMBA.LOCAL failed: Client not found in Kerberos database
>>>>
>>>> kerberos_kinit_password SAMBA@SAMBA.LOCAL failed: Client not found in Kerberos database
>
> No, you might not have anything wrong with the domain.
>
> Does this look familiar ?
>
> root@dc01:~# net ads user info administrator -U administrator
> Enter administrator's password:
> kerberos_kinit_password SAMDOM@SAMDOM.EXAMPLE.COM failed: Client not found in Kerberos database
> kerberos_kinit_password SAMDOM@SAMDOM.EXAMPLE.COM failed: Client not found in Kerberos database
>
> This happens on both my DC's, one is running 4.10.14, the other 4.11.7
>
> But on a domain joined rpi running 4.11.7:
>
> pi@raspberrypi:~ $ sudo net ads user info administrator -U administrator
> Enter administrator's password:
> Domain Users
> Domain Admins
> Administrators
> Enterprise Admins
> Group Policy Creator Owners
> Schema Admins
>
> Do you have a Unix domain member you could test from ?
>
> It is looking like it is a problem with your readynas.
>
> Rowland
>
Strange results on a domain member

jatwell@osticket:~$ net ads user info administrator -U administrator
Enter administrator's password:
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.Bgy6b4. Errno Permission denied
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.M1pz6T. Errno Permission denied
Domain Users
Administrators
Group Policy Creator Owners
Enterprise Admins
Schema Admins
Remote Desktop Users Group Domain Admins

If run as root I get this.

root@osticket:~# net ads user info administrator -U administrator
Enter administrator's password:
gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported]
gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.

Running this command on all my DC's looks exactly like what you mentioned on yours. Maybe if I talk this out something will spring to mind.

The following are the steps I took to do an in place upgrade on 2 DC's that caused all 4 of my Netgear ReadyNAS to no longer import the users and groups.

The first DC I chose to upgrade was my DC that holds all my FSMO roles. I ran apt-get update followed by apt-get dist-upgrade. Rebooted and ran the dependencies scripts (first time) from the wiki on an Ubuntu 16.04. Downloaded samba source and ran ./configure --mandir=/usr/share/man, make, shutdown samba and install. After reboot went to check replication with samba-tool drs showrepl and noticed an error immediately as the screen scrolled to show replication working correctly.

Scrolled to the top and seen the following error;

ldb: unable to dlopen /usr/lib64/samba/ldb/local_password.so : /usr/lib64/samba/libsamdb-common-samba4.so: version `SAMBA_4.11.6' not found (required by /usr/lib64/samba/ldb/local_password.so)
ldb: unable to dlopen /usr/lib64/samba/ldb/simple_dn.so : /usr/lib64/samba/libdsdb-module-samba4.so: version `SAMBA_4.11.6' not found (required by /usr/lib64/samba/ldb/simple_dn.so)
ldb: unable to dlopen /usr/lib64/samba/ldb/simple_ldap_map.so : /usr/lib64/samba/libsamdb-common-samba4.so: version `SAMBA_4.11.6' not found (required by /usr/lib64/samba/ldb/simple_ldap_map.so)

A google search of the error landed me on the samba list with mention to this error. Reading the thread I see a member mention moving the samba folder and building again. So I did. After the build and install I copied back the following files/folders from my original samba folder

* etc
* private
* sysvol

I then rebooted and ran samba-tool drs showrepl. The previous error was gone but now a new error displayed, but I can't recall what it said. Keep in mind replication still showed as working. I do recall the error was complaining about Kerberos or the keytab. I can't recall exactly. But from the error I chose to run kinit administrator to resolve. That much I took from the error. Kinit and klist succeeded and I reran samba-tool drs showrepl. This time no errors reported.

Did the exact same steps on another server running Ubuntu 18.04 when I began to notice I had issues with my ReadyNAS.

Did I forget to copy something from my original samba folder?

-James
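Added example, written for this page; it is not code from the thread or from the Samba project. The number in Heimdal's "encryption type 3 not supported" message is the RFC 3961 / IANA Kerberos etype identifier, and etype 3 is des-cbc-md5, i.e. single DES, which current Heimdal and MIT builds no longer enable. The helper below names the etypes found in such log lines and decodes the bit flags of the AD attribute msDS-SupportedEncryptionTypes (as documented in MS-KILE), so you can see whether the account or client on one side of a failing GSSAPI bind is offering only DES. It does not diagnose the ReadyNAS problem itself. The sample log text is the root-run output quoted above; the bitmask values fed to it (0x3, 0x1c) are constructed for the demonstration.

```python
"""Name Kerberos encryption types from Samba/Heimdal log lines and from the
AD attribute msDS-SupportedEncryptionTypes.

Added example for the mailing-list thread; not Samba project code.
Etype numbers: RFC 3961 / IANA registry.  Bit flags: MS-KILE 2.2.7.
"""
import re
from typing import Dict, List, Tuple

# RFC 3961 etype identifiers that appear in an Active Directory domain.
ETYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}
# Single-DES etypes: removed from modern Heimdal and MIT Kerberos builds.
DES_ETYPES = {1, 2, 3}

# msDS-SupportedEncryptionTypes bit flags (MS-KILE), low bit first.
SUPPORTED_ENCTYPE_BITS: List[Tuple[int, str]] = [
    (0x01, "DES-CBC-CRC"),
    (0x02, "DES-CBC-MD5"),
    (0x04, "RC4-HMAC"),
    (0x08, "AES128-CTS-HMAC-SHA1-96"),
    (0x10, "AES256-CTS-HMAC-SHA1-96"),
]
DES_BITS = 0x03

# Matches Heimdal's "encryption type N not supported" text.
_ETYPE_ERR = re.compile(r"encryption type (\d+) not supported")


def etype_name(etype: int) -> str:
    """Human-readable name for an RFC 3961 etype number."""
    return ETYPE_NAMES.get(etype, "unknown-etype-%d" % etype)


def unsupported_etypes(log_text: str) -> List[Tuple[int, str, bool]]:
    """Distinct etypes reported as unsupported in log_text, ascending.

    Each entry is (etype, name, is_single_des).
    """
    found = {int(m.group(1)) for m in _ETYPE_ERR.finditer(log_text)}
    return [(e, etype_name(e), e in DES_ETYPES) for e in sorted(found)]


def decode_supported_enctypes(value: int) -> List[str]:
    """Names of the enctypes enabled by an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in SUPPORTED_ENCTYPE_BITS if value & bit]


def offers_only_des(value: int) -> bool:
    """True when the bitmask enables DES and nothing stronger.

    0 means the attribute is absent, which is not the same as DES-only,
    so it is reported as False.
    """
    return value != 0 and (value & ~DES_BITS) == 0


# Error text from the domain member in the thread (root-run 'net ads user info').
SAMPLE_LOG = """\
gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported]
gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
"""


def main() -> None:
    for etype, name, des in unsupported_etypes(SAMPLE_LOG):
        flag = " (single DES, not available in current Heimdal/MIT)" if des else ""
        print("log reports etype %d = %s%s" % (etype, name, flag))
    # Constructed attribute values: DES-only, and the common RC4+AES set.
    for value in (0x3, 0x1c):
        print("msDS-SupportedEncryptionTypes=0x%x -> %s%s" % (
            value, ", ".join(decode_supported_enctypes(value)),
            "  [DES only]" if offers_only_des(value) else ""))


if __name__ == "__main__":
    main()
```

To check a real account, read msDS-SupportedEncryptionTypes for it with ldbsearch or samba-tool and pass the integer to decode_supported_enctypes; a keytab's etypes can be listed with `klist -e -k /path/to/keytab` and compared against the names above.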