James Atwell
2020-May-17 20:54 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 5/17/2020 1:43 PM, Rowland penny via samba wrote:
> On 17/05/2020 16:54, James Atwell wrote:
>>
>> Strange results on a domain member
>>
>> jatwell@osticket:~$ net ads user info administrator -U administrator
>> Enter administrator's password:
>> create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for
>> file /var/run/samba/smb_tmp_krb5.Bgy6b4. Errno Permission denied
>>
> That works for me, but on Devuan (Debian Buster sans systemd), why is
> it trying to create a temporary krb5.conf ?
>>
>> If run as root I get this.
>>
>> root@osticket:~# net ads user info administrator -U administrator
>> Enter administrator's password:
>> gss_init_sec_context failed with [ Miscellaneous failure (see text):
>> encryption type 3 not supported]
>> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An
>> internal error occurred.
>> gss_init_sec_context failed with [ Miscellaneous failure (see text):
>> encryption type 3 not supported]
>> gss_init_sec_context failed with [ Miscellaneous failure (see text):
>> encryption type 3 not supported]
>> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An
>> internal error occurred.
>>
> Okay, just what is in that temp krb5.conf (I am taking it that it is
> being used) and why is it using one and not the one in /etc ?
>>
>> Running this command on all my DCs
>>
> Are you wedded to Ubuntu 16.04 ? why not upgrade to 20.04 (or
> something else) ?
>>
>> A google search of the error landed me on the samba list with mention
>> of this error. Reading the thread I see a member mention moving the
>> samba folder and building again. So I did. After the build and
>> install I copied back the following files and folders from my original
>> samba folder
>>
>>   * etc
>>   * private
>>   * sysvol
>>
> I would have moved the Samba directory out of the way, demoted the DC,
> installed Samba again and rejoined the DC
>
> Rowland
>

I assume it's trying to create a tmp krb5.conf because the user I'm logged into the domain member as isn't a domain user? The tmp krb5.conf never gets created even if I run as sudo. /etc/krb5.conf does exist though.

I'm not tied to Ubuntu or Ubuntu 16.04 or 18.04.
Rowland penny
2020-May-17 21:17 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 17/05/2020 21:54, James Atwell wrote:
> I assume it's trying to create a tmp krb5.conf because the user I'm
> logged into the domain member as isn't a domain user? The tmp krb5.conf
> never gets created even if I run as sudo. /etc/krb5.conf does exist
> though.

You are logging into a domain-joined machine as a local user and then wonder why you are having problems?

Unless the user is root, there is a line like this in the smb.conf: 'username map = /etc/samba/user.map', and the 'user.map' contains '!root = DOMAIN\Administrator', where 'DOMAIN' is your netbios domain.

> I'm not tied to Ubuntu or Ubuntu 16.04 or 18.04.

It should work on 16.04, try sorting the above problem out first.

Rowland
James Atwell
2020-May-17 22:03 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 5/17/2020 5:17 PM, Rowland penny via samba wrote:
> On 17/05/2020 21:54, James Atwell wrote:
>> I assume it's trying to create a tmp krb5.conf because the user I'm
>> logged into the domain member as isn't a domain user? The tmp krb5.conf
>> never gets created even if I run as sudo. /etc/krb5.conf does exist
>> though.
>
> You are logging into a domain-joined machine as a local user and then
> wonder why you are having problems?
>
> Unless the user is root, there is a line like this in the smb.conf:
> 'username map = /etc/samba/user.map', and the 'user.map' contains
> '!root = DOMAIN\Administrator', where 'DOMAIN' is your netbios domain.
>
>> I'm not tied to Ubuntu or Ubuntu 16.04 or 18.04.
>
> It should work on 16.04, try sorting the above problem out first.
>
> Rowland
>

Funny how you read what you are doing wrong and it makes sense ;)

I added the line in my smb.conf and created the user.map file. Same issue as before. This is my smb.conf from the domain member.

[global]
        security = ADS
        workgroup = SAMBA
        realm = SAMBA.LOCAL
        log file = /var/log/samba/%m.log
        log level = 1
        # Default ID mapping configuration for local BUILTIN accounts
        # and groups on a domain member. The default (*) domain:
        # - must not overlap with any domain ID mapping configuration!
        # - must use a read-write-enabled back end, such as tdb.
        # - Adding just this is not enough
        # - You must set a DOMAIN backend configuration, see below
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config CIMG : backend = rid
        idmap config CIMG : range = 10000-999999
        # Template settings for login shell and home directory
        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U
        username map = /etc/samba/user.map

root@osticket:~# net ads user info administrator -U administrator
Enter administrator's password:
gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported]
gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.

root@osticket:~# net ads info -U administrator
Enter administrator's password:
LDAP server: 172.16.232.29
LDAP server name: pfdc1.samba.local
Realm: SAMBA.LOCAL
Bind Path: dc=SAMBA,dc=LOCAL
LDAP port: 389
Server time: Sun, 17 May 2020 18:00:35 EDT
KDC server: 172.16.232.29
Server time offset: 0

-James
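The 'username map' arrangement Rowland describes (a 'username map = ...' line in smb.conf pointing at a file that carries '!root = DOMAIN\Administrator') can be sanity-checked mechanically before chasing Kerberos errors. The script below is an added example written for this page; it is not code from the thread, from either poster, or from the Samba project. It assumes smb.conf uses "key = value" lines under [global] and that the map file uses the '!root = DOMAIN\Administrator' form, both as shown in the thread; the smb.conf and user.map it writes are constructed samples in a temporary directory, not real files on any host. As an extra check that goes beyond what the thread asks for, it also lists any 'idmap config' domain that is neither '*' nor the workgroup, since the comments in the posted smb.conf say the member needs a backend for its own domain.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: sanity-check the
# 'username map' arrangement Rowland describes on a domain member.
# Assumptions: smb.conf uses "key = value" lines under [global]; the map
# file uses the '!root = DOMAIN\Administrator' form; the files written by
# make_samples are constructed for this example only.

# smb_param <smb.conf> <parameter>: print the first value set for the
# parameter (keys compared case-insensitively), or nothing if unset.
smb_param() {
    awk -F= -v key="$2" '
        /=/ {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# root_is_mapped <map file> <NetBIOS domain>: 0 if the file carries an
# '!root = DOMAIN\Administrator' line (the '!' stops further mapping),
# 1 otherwise. Account names are matched case-insensitively.
root_is_mapped() {
    awk -F= -v dom="$2" '
        /=/ {
            k = $1; v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "!root" && tolower(v) == tolower(dom "\\Administrator")) {
                found = 1; exit
            }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# stray_idmap_domains <smb.conf>: print every 'idmap config DOM : ...'
# domain that is neither '*' nor the workgroup. Extra check beyond the
# thread: a member needs a backend for its own domain, so a different
# name here is usually a leftover from another domain or a typo.
stray_idmap_domains() {
    wg=$(smb_param "$1" workgroup | tr '[:lower:]' '[:upper:]')
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^ :]*\)[[:space:]]*:.*/\1/p' "$1" \
        | sort -u | while read -r d; do
            if [ "$d" = "*" ]; then continue; fi
            if [ "$(printf '%s' "$d" | tr '[:lower:]' '[:upper:]')" = "$wg" ]; then continue; fi
            printf '%s\n' "$d"
        done
}

# check_member <smb.conf>: 0 when the root mapping is in place and the
# idmap domains agree with the workgroup, 1 otherwise (problems printed).
check_member() {
    rc=0
    dom=$(smb_param "$1" workgroup)
    mapfile=$(smb_param "$1" "username map")
    if [ -z "$mapfile" ]; then
        printf '%s\n' "no 'username map' set in $1"; rc=1
    elif [ ! -r "$mapfile" ]; then
        printf '%s\n' "map file $mapfile is missing or unreadable"; rc=1
    elif ! root_is_mapped "$mapfile" "$dom"; then
        printf '%s\n' "$mapfile lacks '!root = $dom\\Administrator'"; rc=1
    fi
    stray=$(stray_idmap_domains "$1")
    if [ -n "$stray" ]; then
        printf '%s\n' "idmap config names domain(s) other than workgroup $dom: $stray"; rc=1
    fi
    return $rc
}

# make_samples <dir>: write a constructed smb.conf and user.map that
# follow the thread's layout. Point check_member at a real smb.conf
# (e.g. /etc/samba/smb.conf) to check an actual host instead.
make_samples() {
    cat > "$1/smb.conf" <<EOF
[global]
        security = ADS
        workgroup = SAMBA
        realm = SAMBA.LOCAL
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config SAMBA : backend = rid
        idmap config SAMBA : range = 10000-999999
        username map = $1/user.map
EOF
    printf '%s\n' '!root = SAMBA\Administrator' > "$1/user.map"
}

# Stand-alone run against the constructed sample.
sample_dir=$(mktemp -d)
make_samples "$sample_dir"
check_member "$sample_dir/smb.conf" && echo "username map looks sane"
rm -rf "$sample_dir"
```

Run against the smb.conf posted in this message (workgroup = SAMBA, idmap config CIMG) the idmap check would print CIMG; the script cannot say whether that has anything to do with the Kerberos error, but a domain name in 'idmap config' that differs from the workgroup is worth a second look on any member.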
James Atwell
2020-May-17 23:46 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 5/17/2020 5:17 PM, Rowland penny via samba wrote:
> On 17/05/2020 21:54, James Atwell wrote:
>> I assume it's trying to create a tmp krb5.conf because the user I'm
>> logged into the domain member as isn't a domain user? The tmp krb5.conf
>> never gets created even if I run as sudo. /etc/krb5.conf does exist
>> though.
>
> You are logging into a domain-joined machine as a local user and then
> wonder why you are having problems?
>
> Unless the user is root, there is a line like this in the smb.conf:
> 'username map = /etc/samba/user.map', and the 'user.map' contains
> '!root = DOMAIN\Administrator', where 'DOMAIN' is your netbios domain.
>
>> I'm not tied to Ubuntu or Ubuntu 16.04 or 18.04.
>
> It should work on 16.04, try sorting the above problem out first.
>
> Rowland
>

I decided to create a fresh domain member and attempt to join the domain. It fails. See error below.

root@membervm:/# /usr/local/samba/bin/net ads join -U administrator
Enter administrator's password:
gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported](2529638972)
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/pfdc1.samba.local with user[administrator] realm[SAMBA.LOCAL]: The attempted logon is invalid. This is either due to a bad username or authentication information.
gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported](2529638972)
Using short domain name -- SAMBA
Joined 'MEMBERVM' to dns domain 'samba.local'
No DNS domain configured for membervm. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

-James
James Atwell
2020-May-18 00:59 UTC
[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues
On 5/17/2020 5:17 PM, Rowland penny via samba wrote:
> On 17/05/2020 21:54, James Atwell wrote:
>> I assume it's trying to create a tmp krb5.conf because the user I'm
>> logged into the domain member as isn't a domain user? The tmp krb5.conf
>> never gets created even if I run as sudo. /etc/krb5.conf does exist
>> though.
>
> You are logging into a domain-joined machine as a local user and then
> wonder why you are having problems?
>
> Unless the user is root, there is a line like this in the smb.conf:
> 'username map = /etc/samba/user.map', and the 'user.map' contains
> '!root = DOMAIN\Administrator', where 'DOMAIN' is your netbios domain.
>
>> I'm not tied to Ubuntu or Ubuntu 16.04 or 18.04.
>
> It should work on 16.04, try sorting the above problem out first.
>
> Rowland
>

I got the issue with the ReadyNAS resolved. I decided to stop messing with the broken DC and just remove it. I transferred all the FSMO roles and demoted the DC. This immediately allowed the ReadyNAS to join and import users and groups.

Oddly enough, the errors I mentioned earlier that I initially had when I ran samba-tool drs showrepl came back. Probably because the kinit ticket I generated had expired. For reference I'm posting them below.

root@pfdc1:~# samba-tool drs showrepl
Wrong username or password: kinit for PFDC1$@SAMBA.LOCAL failed (Client not found in Kerberos database)
Wrong username or password: kinit for PFDC1$@SAMBA.LOCAL failed (Client not found in Kerberos database)
Default-First-Site-Name\PFDC1
DSA Options: 0x00000001
DSA object GUID: acc2392f-9567-450f-bcb3-4fb1034b8753
DSA invocationId: d3644219-dbcd-43ff-815e-8850f94192e1

root@pfdc1:~# samba-tool drs showrepl
GSS client Update(krb5)(1) Update failed:  Miscellaneous failure (see text): encryption type 3 not supported
GSS client Update(krb5)(1) Update failed:  Miscellaneous failure (see text): encryption type 3 not supported

I'll mention the other DC I upgraded to 4.12.2 is still in the forest and not having any troubles.

Rowland, I appreciate you taking your time to review.

-James