Pim Zandbergen
2020-Oct-29 17:13 UTC
[Samba] Samba 3.6 member server auth problems after DC upgrade 2012 R2 -> 2019
I have this old CentOS 6 server running Samba 3.6 as a member server in a domain with two Windows Server 2012R2 DCs.

Through a series of promotions and demotions, the DCs were replaced with Windows Server 2019 DCs.

Although I expected problems to arise from that, this has been working fine for months, until the Samba server was reset by the server's watchdog card.

Suddenly, clients would no longer be able to authenticate to the Samba server. "getent passwd" would only list local users.
Users could no longer ssh to the samba server using AD credentials.

Yet, "net ads testjoin" would report the AD join is OK.
And "wbinfo -u" would successfully list all AD users.
No messages were logged in /var/log/samba/* that indicated an error.

Normal operation would resume after reintroducing a third DC running 2012R2, and have Samba explicitly use that DC using "password server = the2012r2dc".

I am assuming that Windows Server 2019 security needs to be compromised to accommodate a Samba 3.6 member server. Probably some Kerberos parameter. I would prefer to do that, and demote the 2012R2 DC, until I can replace/update the Samba 3.6 server.

What would I need to change to the Server 2019's security to make this work?

smb.conf:

    [global]
    workgroup                  = EXAMPLE
    realm                      = EXAMPLE.COM
    security                   = ads
    server string              = CentOS 6 - Samba %v
    printing                   = cups
    printcap name              = cups
    load printers              = yes
    socket options             = TCP_NODELAY
    dns proxy                  = no
    time server                = yes
    encrypt passwords          = yes
    disable netbios            = yes
    smb ports                  = 445
    idmap config * : backend   = rid
    idmap config * : range     = 200000-299999
    template homedir           = /home/%U
    template shell             = /bin/bash
    winbind use default domain = yes
    winbind offline logon      = false
    follow symlinks            = yes
    wide links                 = yes
    unix extensions            = no
    max protocol               = SMB2
    server signing             = auto

    [homes]
    comment             = Home Directories
    browseable          = no
    writable            = yes
    guest ok            = no
Rowland penny
2020-Oct-29 18:09 UTC
[Samba] Samba 3.6 member server auth problems after DC upgrade 2012 R2 -> 2019
On 29/10/2020 17:13, Pim Zandbergen via samba wrote:
> I have this old CentOS 6 server running Samba 3.6 as a member server
> in a domain with two Windows Server 2012R2 DCs.
>
> Through a series of promotions and demotions, the DCs were replaced
> with Windows Server 2019 DCs.
>
> Although I expected problems to arise from that, this has been working
> fine for months, until the Samba server was reset by the server's
> watchdog card.
>
> Suddenly, clients would no longer be able to authenticate to the Samba
> server. "getent passwd" would only list local users.
> Users could no longer ssh to the samba server using AD credentials.
>
> Yet, "net ads testjoin" would report the AD join is OK.
> And "wbinfo -u" would successfully list all AD users.
> No messages were logged in /var/log/samba/* that indicated an error.
>
> Normal operation would resume after reintroducing a third DC running
> 2012R2, and have Samba explicitly use that DC using
> "password server = the2012r2dc".
>
> I am assuming that Windows Server 2019 security needs to be
> compromised to accommodate a Samba 3.6 member server. Probably some
> Kerberos parameter. I would prefer to do that, and demote the 2012R2
> DC, until I can replace/update the Samba 3.6 server.
>
> What would I need to change to the Server 2019's security to make
> this work?
>
> smb.conf:
>
> [global]
> workgroup                  = EXAMPLE
> realm                      = EXAMPLE.COM
> security                   = ads
> server string              = CentOS 6 - Samba %v
> printing                   = cups
> printcap name              = cups
> load printers              = yes
> socket options             = TCP_NODELAY
> dns proxy                  = no
> time server                = yes
> encrypt passwords          = yes
> disable netbios            = yes
> smb ports                  = 445
> idmap config * : backend   = rid
> idmap config * : range     = 200000-299999
> template homedir           = /home/%U
> template shell             = /bin/bash
> winbind use default domain = yes
> winbind offline logon      = false
> follow symlinks            = yes
> wide links                 = yes
> unix extensions            = no
> max protocol               = SMB2
> server signing             = auto
>
> [homes]
> comment             = Home Directories
> browseable          = no
> writable            = yes
> guest ok            = no
>

I suggest you upgrade your CentOS 6 server, it will go EOL in a month and Samba 3.6 went EOL quite a few years ago. Your problem is possibly something to do with SMBv1, Samba 3.6 will be using it (along with ntlm auth), but your Windows DCs probably aren't.

Rowland
Pim Zandbergen
2020-Oct-29 18:39 UTC
[Samba] Samba 3.6 member server auth problems after DC upgrade 2012 R2 -> 2019
I will take your suggestion.

Still, Samba 3.6 appears to support SMBv2 just fine. Windows 10 PCs and Windows 2019 Servers are able to connect as a client, with SMBv1 disabled. As long as there's a Windows 2012 R2 server doing the backend authentication.

Pim

On 10/29/2020 7:09 PM, Rowland penny via samba wrote:
> I suggest you upgrade your CentOS 6 server, it will go EOL in a month
> and Samba 3.6 went EOL quite a few years ago. Your problem is possibly
> something to do with SMBv1, Samba 3.6 will be using it (along with ntlm
> auth), but your Windows DCs probably aren't.
>
> Rowland