James Atwell
2020-May-17 15:54 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 5/17/2020 5:29 AM, Rowland penny via samba wrote:
> On 17/05/2020 00:24, James Atwell wrote:
>>>> So I suppose I still have trouble with my domain.
>>>>
>>>> root@pfdc1:/# net ads user info administrator -U administrator
>>>>
>>>> Enter administrator's password:
>>>> kerberos_kinit_password SAMBA@SAMBA.LOCAL failed: Client not found
>>>> in Kerberos database
>>>>
>>>> kerberos_kinit_password SAMBA@SAMBA.LOCAL failed: Client not found
>>>> in Kerberos database
>
> No, you might not have anything wrong with the domain.
>
> Does this look familiar ?
>
> root@dc01:~# net ads user info administrator -U administrator
> Enter administrator's password:
> kerberos_kinit_password SAMDOM@SAMDOM.EXAMPLE.COM failed: Client not
> found in Kerberos database
> kerberos_kinit_password SAMDOM@SAMDOM.EXAMPLE.COM failed: Client not
> found in Kerberos database
>
> This happens on both my DC's, one is running 4.10.14, the other 4.11.7
>
> But on a domain joined rpi running 4.11.7:
>
> pi@raspberrypi:~ $ sudo net ads user info administrator -U administrator
> Enter administrator's password:
> Domain Users
> Domain Admins
> Administrators
> Enterprise Admins
> Group Policy Creator Owners
> Schema Admins
>
> Do you have a Unix domain member you could test from ?
>
> It is looking like it is a problem with your readynas.
>
> Rowland
>
>

Strange results on a domain member

jatwell@osticket:~$ net ads user info administrator -U administrator
Enter administrator's password:
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.Bgy6b4. Errno Permission denied
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.M1pz6T. Errno Permission denied
Domain Users
Administrators
Group Policy Creator Owners
Enterprise Admins
Schema Admins
Remote Desktop Users Group
Domain Admins

If run as root I get this.

root@osticket:~# net ads user info administrator -U administrator
Enter administrator's password:
gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported]
gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.

Running this command on all my DC's looks exactly like what you mentioned on yours. Maybe if I talk this out something will spring to mind. The following are the steps I took to do an in place upgrade on 2 DC's that caused all 4 of my Netgear ReadyNAS to no longer import the users and groups.

The first DC I chose to upgrade was my DC that holds all my FSMO roles. I ran apt-get update followed by apt-get dist-upgrade. Rebooted and ran the dependencies scripts (first time) from the wiki on an Ubuntu 16.04. Downloaded samba source and ran ./configure --mandir=/usr/share/man, make, shutdown samba and install. After reboot went to check replication with samba-tool drs showrepl and noticed an error immediately as the screen scrolled to show replication working correctly.

Scrolled to the top and saw the following error;

ldb: unable to dlopen /usr/lib64/samba/ldb/local_password.so : /usr/lib64/samba/libsamdb-common-samba4.so: version `SAMBA_4.11.6' not found (required by /usr/lib64/samba/ldb/local_password.so)
ldb: unable to dlopen /usr/lib64/samba/ldb/simple_dn.so : /usr/lib64/samba/libdsdb-module-samba4.so: version `SAMBA_4.11.6' not found (required by /usr/lib64/samba/ldb/simple_dn.so)
ldb: unable to dlopen /usr/lib64/samba/ldb/simple_ldap_map.so : /usr/lib64/samba/libsamdb-common-samba4.so: version `SAMBA_4.11.6' not found (required by /usr/lib64/samba/ldb/simple_ldap_map.so)

A google search of the error landed me on the samba list with mention to this error. Reading the thread I see a member mention moving the samba folder and building again. So I did. After the build and install I copied back the following files folders from my original samba folder

* etc
* private
* sysvol

I then rebooted and ran samba-tool drs showrepl. The previous error was gone but now a new error displayed, but I can't recall what it said. Keep in mind replication still showed as working. I do recall the error was complaining about Kerberos or the keytab. I can't recall exactly. But from the error I chose to run kinit administrator to resolve. That much I took from the error. Kinit and klist succeeded and I reran samba-tool drs showrepl. This time no errors reported.

Did the exact same steps on another server running Ubuntu 18.04 when I began to notice I had issues with my ReadyNAS.

Did I forget to copy something from my original samba folder?

-James
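The ldb errors quoted in the message above each name the module that failed to load, the library it was resolved against, and the symbol version the module still requires. As an added example (not part of the original post and not Samba code), this parser extracts those fields from pasted output and lists modules that require a version tag other than the build just installed; the function names are hypothetical and the `SAMBA_<version>` tag format is taken from the quoted errors.

```python
import re

# Sample input: the three ldb errors quoted in the message above.
SAMPLE = """\
ldb: unable to dlopen /usr/lib64/samba/ldb/local_password.so : /usr/lib64/samba/libsamdb-common-samba4.so: version `SAMBA_4.11.6' not found (required by /usr/lib64/samba/ldb/local_password.so)
ldb: unable to dlopen /usr/lib64/samba/ldb/simple_dn.so : /usr/lib64/samba/libdsdb-module-samba4.so: version `SAMBA_4.11.6' not found (required by /usr/lib64/samba/ldb/simple_dn.so)
ldb: unable to dlopen /usr/lib64/samba/ldb/simple_ldap_map.so : /usr/lib64/samba/libsamdb-common-samba4.so: version `SAMBA_4.11.6' not found (required by /usr/lib64/samba/ldb/simple_ldap_map.so)
"""

DLOPEN_RE = re.compile(
    r"ldb: unable to dlopen (?P<module>\S+) : (?P<library>\S+): "
    r"version `(?P<version>[^']+)' not found "
    r"\(required by (?P<required_by>[^)]+)\)"
)


def parse_dlopen_errors(text):
    """Return one dict per ldb dlopen error found in the text."""
    # Mail clients wrap long lines; collapse whitespace so a wrapped
    # error still matches as a single record.
    flat = re.sub(r"\s+", " ", text)
    return [m.groupdict() for m in DLOPEN_RE.finditer(flat)]


def stale_modules(text, installed_version):
    """Map each mismatched version tag to the modules that require it."""
    expected = f"SAMBA_{installed_version}"
    stale = {}
    for err in parse_dlopen_errors(text):
        if err["version"] != expected:
            stale.setdefault(err["version"], set()).add(err["required_by"])
    return {tag: sorted(paths) for tag, paths in stale.items()}


if __name__ == "__main__":
    # 4.12.2 is the upgrade target named in the thread subject.
    for tag, paths in stale_modules(SAMPLE, "4.12.2").items():
        print(f"modules still requiring {tag}:")
        for path in paths:
            print(f"  {path}")
```
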
Rowland penny
2020-May-17 17:43 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 17/05/2020 16:54, James Atwell wrote:
>
> Strange results on a domain member
>
> jatwell@osticket:~$ net ads user info administrator -U administrator
> Enter administrator's password:
> create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for
> file /var/run/samba/smb_tmp_krb5.Bgy6b4. Errno Permission denied
>

That works for me, but on Devuan (Debian Buster sans systemd), why is it trying to create a temporary krb5.conf ?

>
> If run as root I get this.
>
> root@osticket:~# net ads user info administrator -U administrator
> Enter administrator's password:
> gss_init_sec_context failed with [ Miscellaneous failure (see text):
> encryption type 3 not supported]
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An
> internal error occurred.
> gss_init_sec_context failed with [ Miscellaneous failure (see text):
> encryption type 3 not supported]
> gss_init_sec_context failed with [ Miscellaneous failure (see text):
> encryption type 3 not supported]
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An
> internal error occurred.
>

Okay, just what is in that temp krb5.conf (I am taking that it is being used) and why is it using one and not the one in /etc ?

>
> Running this command on all my DC's
>

Are you wedded to Ubuntu 16.04 ? why not upgrade to 20.04 (or something else) ?

>
> A google search of the error landed me on the samba list with mention
> to this error. Reading the thread I see a member mention moving the
> samba folder and building again. So I did. After the build and install
> I copied back the following files folders from my original samba folder
>
> * etc
> * private
> * sysvol
>

I would have moved the Samba directory out of the way, demoted the DC, installed Samba again and rejoined the DC

Rowland
James Atwell
2020-May-17 20:54 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 5/17/2020 1:43 PM, Rowland penny via samba wrote:
> On 17/05/2020 16:54, James Atwell wrote:
>>
>> Strange results on a domain member
>>
>> jatwell@osticket:~$ net ads user info administrator -U administrator
>> Enter administrator's password:
>> create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for
>> file /var/run/samba/smb_tmp_krb5.Bgy6b4. Errno Permission denied
>>
> That works for me, but on Devuan (Debian Buster sans systemd), why is
> it trying to create a temporary krb5.conf ?
>>
>> If run as root I get this.
>>
>> root@osticket:~# net ads user info administrator -U administrator
>> Enter administrator's password:
>> gss_init_sec_context failed with [ Miscellaneous failure (see text):
>> encryption type 3 not supported]
>> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An
>> internal error occurred.
>> gss_init_sec_context failed with [ Miscellaneous failure (see text):
>> encryption type 3 not supported]
>> gss_init_sec_context failed with [ Miscellaneous failure (see text):
>> encryption type 3 not supported]
>> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An
>> internal error occurred.
>>
> Okay, just what is in that temp krb5.conf (I am taking that it is
> being used) and why is it using one and not the one in /etc ?
>>
>> Running this command on all my DC's
>>
> Are you wedded to Ubuntu 16.04 ? why not upgrade to 20.04 (or
> something else) ?
>>
>> A google search of the error landed me on the samba list with mention
>> to this error. Reading the thread I see a member mention moving the
>> samba folder and building again. So I did. After the build and
>> install I copied back the following files folders from my original
>> samba folder
>>
>>   * etc
>>   * private
>>   * sysvol
>>
> I would have moved the Samba directory out of the way, demoted the DC,
> installed Samba again and rejoined the DC
>
> Rowland
>
>
>

I assume it's trying to create a tmp krb5.conf because the user I'm logged into the domain member isn't a domain user? The tmp krb5.conf never gets created even if I run as sudo. etc/krb5.conf does exist though.

I'm not tied to Ubuntu or Ubuntu 16.04 or 18.04.