samba - May 2020 - Upgrade from 4.11.6 to 4.12.2 created authentication issues

On 5/17/2020 5:29 AM, Rowland penny via samba wrote:
> On 17/05/2020 00:24, James Atwell wrote:
>>>> So I suppose I still have trouble with my domain.
>>>>
>>>> root at pfdc1:/# net ads user info administrator -U
administrator
>>>>
>>>> Enter administrator's password:
>>>> kerberos_kinit_password SAMBA at SAMBA.LOCAL failed: Client not
found
>>>> in Kerberos database
>>>>
>>>> kerberos_kinit_password SAMBA at SAMBA.LOCAL failed: Client not
found
>>>> in Kerberos database
>
> No, you might not have anything wrong with the domain.
>
> Does this look familiar ?
>
> root at dc01:~# net ads user info administrator -U administrator
> Enter administrator's password:
> kerberos_kinit_password SAMDOM at SAMDOM.EXAMPLE.COM failed: Client not 
> found in Kerberos database
> kerberos_kinit_password SAMDOM at SAMDOM.EXAMPLE.COM failed: Client not 
> found in Kerberos database
>
> This happens on both my DC's, one is running 4.10.14, the other 4.11.7
>
> But on a domain joined rpi running 4.11.7:
>
> pi at raspberrypi:~ $ sudo net ads user info administrator -U administrator
> Enter administrator's password:
> Domain Users
> Domain Admins
> Administrators
> Enterprise Admins
> Group Policy Creator Owners
> Schema Admins
>
> Do you have a Unix domain member you could test from ?
>
> It is looking like it is a problem with your readynas.
>
> Rowland
>
>
>
Strange results on a domain member

jatwell at osticket:~$ net ads user info administrator -U administrator
Enter administrator's password:
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file 
/var/run /samba/smb_tmp_krb5.Bgy6b4. Errno Permission denied
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file 
/var/run /samba/smb_tmp_krb5.M1pz6T. Errno Permission denied
Domain Users
Administrators
Group Policy Creator Owners
Enterprise Admins
Schema Admins
Remote Desktop Users Group
Domain Admins

If run as root I get this.

root at osticket:~# net ads user info administrator -U administrator
Enter administrator's password:
gss_init_sec_context failed with [ Miscellaneous failure (see text): 
encryption type 3 not supported]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An 
internal error occurred.
gss_init_sec_context failed with [ Miscellaneous failure (see text): 
encryption type 3 not supported]
gss_init_sec_context failed with [ Miscellaneous failure (see text): 
encryption type 3 not supported]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An 
internal error occurred.

Running this command on all my DC's looks exactly like what you 
mentioned on yours.? Maybe if I talk this out something will spring to 
mind. The following are the steps I took to do an in place upgrade on 2 
DC's that caused all 4 of my Netgear ReadyNAS to no longer import the 
users and groups.

The first DC I chose to upgrade was my DC that holds all my FSMO roles.? 
I ran apt-get update followed by apt-get dist-upgrade. Rebooted and ran 
the dependencies scripts(first time) from the wiki on an Ubuntu 16.04. 
Downloaded samba source and ran ./configure --mandir=/usr/share/man, 
make, shutdown samba and install.? After reboot went to check 
replication with samba-tool drs showrepl and noticed an error 
immediately as the screen scrolled to show replication working 
correctly. Scrolled to the top and seen the following error;

ldb: unable to dlopen /usr/lib64/samba/ldb/local_password.so :
/usr/lib64/samba/libsamdb-common-samba4.so: version `SAMBA_4.11.6' not
found (required by /usr/lib64/samba/ldb/local_password.so)
ldb: unable to dlopen /usr/lib64/samba/ldb/simple_dn.so :
/usr/lib64/samba/libdsdb-module-samba4.so: version `SAMBA_4.11.6' not found
(required by /usr/lib64/samba/ldb/simple_dn.so)
ldb: unable to dlopen /usr/lib64/samba/ldb/simple_ldap_map.so :
/usr/lib64/samba/libsamdb-common-samba4.so: version `SAMBA_4.11.6' not
found (required by /usr/lib64/samba/ldb/simple_ldap_map.so)

A google search of the error landed me on the samba list with mention to 
this error.? Reading the thread I see a member mention moving the samba 
folder and building again. So I did. After the build and install I 
copied back the following files folders from my original samba folder

  * etc
  * private
  * sysvol

I then rebooted and ran samba-tool drs showrepl. The previous error was 
gone but now a new error displayed, but I can't recall what it said. 
Keep in my replication still showed as working. I do recall the error 
was complaining about Kerberos or the keytab. I can't recall exactly.? 
But from the error I chose to run? kinit administrator to resolve. That 
much I took from the error. Kinit and klist succeeded and and I reran 
samba-tool drs showrepl. This time no errors reported. Did the exact 
same steps on another server running Ubuntu 18.04 when I began to notice 
I had issues with my ReadyNAS. ? Did I forget to copy something from my 
original samba folder?

-James

On 17/05/2020 16:54, James Atwell wrote:
>
> Strange results on a domain member
>
> jatwell at osticket:~$ net ads user info administrator -U administrator
> Enter administrator's password:
> create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for 
> file /var/run/samba/smb_tmp_krb5.Bgy6b4. Errno Permission denied
>
That works for me, but on Devuan (Debian Buster sans systemd), why is it 
trying to create a temporary krb5.conf ?
>
> If run as root I get this.
>
> root at osticket:~# net ads user info administrator -U administrator
> Enter administrator's password:
> gss_init_sec_context failed with [ Miscellaneous failure (see text): 
> encryption type 3 not supported]
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An 
> internal error occurred.
> gss_init_sec_context failed with [ Miscellaneous failure (see text): 
> encryption type 3 not supported]
> gss_init_sec_context failed with [ Miscellaneous failure (see text): 
> encryption type 3 not supported]
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An 
> internal error occurred.
>
Okay, just what is in that temp krb5.conf (I am taking that it is being 
used) and why is it using one and not the one in /etc ?
>
> Running this command on all my DC's
>
Are you wedded to Ubuntu 16.04 ? why not upgrade to 20.04 (or something 
else) ?
>
> A google search of the error landed me on the samba list with mention 
> to this error.? Reading the thread I see a member mention moving the 
> samba folder and building again. So I did. After the build and install 
> I copied back the following files folders from my original samba folder
>
>   * etc
>   * private
>   * sysvol
>
I would have moved the Samba directory out of the way, demoted the DC, 
installed Samba again and rejoined the DC

Rowland

On 5/17/2020 1:43 PM, Rowland penny via samba wrote:
> On 17/05/2020 16:54, James Atwell wrote:
>>
>> Strange results on a domain member
>>
>> jatwell at osticket:~$ net ads user info administrator -U administrator
>> Enter administrator's password:
>> create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for 
>> file /var/run/samba/smb_tmp_krb5.Bgy6b4. Errno Permission denied
>>
> That works for me, but on Devuan (Debian Buster sans systemd), why is 
> it trying to create a temporary krb5.conf ?
>>
>> If run as root I get this.
>>
>> root at osticket:~# net ads user info administrator -U administrator
>> Enter administrator's password:
>> gss_init_sec_context failed with [ Miscellaneous failure (see text): 
>> encryption type 3 not supported]
>> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An 
>> internal error occurred.
>> gss_init_sec_context failed with [ Miscellaneous failure (see text): 
>> encryption type 3 not supported]
>> gss_init_sec_context failed with [ Miscellaneous failure (see text): 
>> encryption type 3 not supported]
>> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An 
>> internal error occurred.
>>
> Okay, just what is in that temp krb5.conf (I am taking that it is 
> being used) and why is it using one and not the one in /etc ?
>>
>> Running this command on all my DC's
>>
> Are you wedded to Ubuntu 16.04 ? why not upgrade to 20.04 (or 
> something else) ?
>>
>> A google search of the error landed me on the samba list with mention 
>> to this error.? Reading the thread I see a member mention moving the 
>> samba folder and building again. So I did. After the build and 
>> install I copied back the following files folders from my original 
>> samba folder
>>
>> ? * etc
>> ? * private
>> ? * sysvol
>>
> I would have moved the Samba directory out of the way, demoted the DC, 
> installed Samba again and rejoined the DC
>
> Rowland
>
>
>
>
I assume it's trying to create a tmp krb5.conf because the user I'm 
logged into the domain member isn't a domain user? The tmp krb5.conf 
never gets created even if I run as sudo. etc/krb5.conf does exist though.

I'm not tied to Ubuntu or Ubuntu 16.04 or 18.04.