samba - Oct 2020 - Samba 3.6 member server auth problems after DC upgrade 2012 R2 -> 2019

I have this old Centos 6 server running Samba 3.6 as a member server
in a domain with two Windows Server 2012R2 DC's.

Through a series of promotions and demotions, the DC's were replaced
with Windows Server 2019 DC's.

Although I expected problems to arise from that, this has been working
fine for months, until the Samba server was reset by the server's
watchdog card.

Suddenly, clients would no longer be able to authenticate to the Samba
server. "getent passwd" would only list local users.
Users could no longer ssh to the samba server using AD credentials.

Yet, "net ads testjoin" would report the AD join is OK.
And "wbinfo -u" would successfully list all AD users.
No messages were logged in /var/log/samba/* that indicated an error.

Normal operation would resume after reintroducing a third DC running
2012R2, and have Samba explicitly use that DC using
"password server = the2012r2dc".

I am assuming that Windows Server 2019 security needs to be
compromised to accommodate a Samba 3.6 member server. Probably some
Kerberos parameter. I would prefer to do that, and demote the 2012R2
DC, until I can replace/update the Samba 3.6 server.

What would I need to change to the Server 2019's security to make
this work?

smb.conf:

[global]
workgroup????????????????? = EXAMPLE
realm????????????????????? = EXAMPLE.COM
security?????????????????? = ads
server string????????????? = CentOS 6 - Samba %v
printing?????????????????? = cups
printcap name????????????? = cups
load printers????????????? = yes
socket options???????????? = TCP_NODELAY
dns proxy????????????????? = no
time server??????????????? = yes
encrypt passwords????????? = yes
disable netbios??????????? = yes
smb ports????????????????? = 445
idmap config * : backend?? = rid
idmap config * : range???? = 200000-299999
template homedir?????????? = /home/%U
template shell???????????? = /bin/bash
winbind use default domain = yes
winbind offline logon????? = false
follow symlinks??????????? = yes
wide links???????????????? = yes
unix extensions??????????? = no
max protocol?????????????? = SMB2
server signing???????????? = auto

[homes]
comment???????????? = Home Directories
browseable????????? = no
writable??????????? = yes
guest ok??????????? = no

On 29/10/2020 17:13, Pim Zandbergen via samba wrote:
> I have this old Centos 6 server running Samba 3.6 as a member server
> in a domain with two Windows Server 2012R2 DC's.
>
> Through a series of promotions and demotions, the DC's were replaced
> with Windows Server 2019 DC's.
>
> Although I expected problems to arise from that, this has been working
> fine for months, until the Samba server was reset by the server's
> watchdog card.
>
> Suddenly, clients would no longer be able to authenticate to the Samba
> server. "getent passwd" would only list local users.
> Users could no longer ssh to the samba server using AD credentials.
>
> Yet, "net ads testjoin" would report the AD join is OK.
> And "wbinfo -u" would successfully list all AD users.
> No messages were logged in /var/log/samba/* that indicated an error.
>
> Normal operation would resume after reintroducing a third DC running
> 2012R2, and have Samba explicitly use that DC using
> "password server = the2012r2dc".
>
> I am assuming that Windows Server 2019 security needs to be
> compromised to accommodate a Samba 3.6 member server. Probably some
> Kerberos parameter. I would prefer to do that, and demote the 2012R2
> DC, until I can replace/update the Samba 3.6 server.
>
> What would I need to change to the Server 2019's security to make
> this work?
>
> smb.conf:
>
> [global]
> workgroup????????????????? = EXAMPLE
> realm????????????????????? = EXAMPLE.COM
> security?????????????????? = ads
> server string????????????? = CentOS 6 - Samba %v
> printing?????????????????? = cups
> printcap name????????????? = cups
> load printers????????????? = yes
> socket options???????????? = TCP_NODELAY
> dns proxy????????????????? = no
> time server??????????????? = yes
> encrypt passwords????????? = yes
> disable netbios??????????? = yes
> smb ports????????????????? = 445
> idmap config * : backend?? = rid
> idmap config * : range???? = 200000-299999
> template homedir?????????? = /home/%U
> template shell???????????? = /bin/bash
> winbind use default domain = yes
> winbind offline logon????? = false
> follow symlinks??????????? = yes
> wide links???????????????? = yes
> unix extensions??????????? = no
> max protocol?????????????? = SMB2
> server signing???????????? = auto
>
> [homes]
> comment???????????? = Home Directories
> browseable????????? = no
> writable??????????? = yes
> guest ok??????????? = no
>
I suggest you upgrade your Centos 6 server, it will go EOL in a month 
and Samba 3.6 went EOL quite a few years ago. Your problem is possibly 
something to do SMBv1, Samba 3.6 will be using it (along with ntlm 
auth), but you Windows DC's probably aren't.

Rowland

I will take your suggestion.

Still, Samba 3.6 appears to support SMBv2 just fine.
Windows 10 PC's and Windows 2019 Servers are able to connect as a 
client, with SMBv1 disabled.
As long as there's a Windows 2012 R2 server doing the backend 
authentication.

Pim

On 10/29/2020 7:09 PM, Rowland penny via samba wrote:
> I suggest you upgrade your Centos 6 server, it will go EOL in a month 
> and Samba 3.6 went EOL quite a few years ago. Your problem is possibly 
> something to do SMBv1, Samba 3.6 will be using it (along with ntlm 
> auth), but you Windows DC's probably aren't.
>
> Rowland
>
>
>