This.
> ../../source4/auth/ntlm/auth.c:241(auth_check_password_send)
> auth_check_password_send: Checking password for unmapped user
> [CYBERDYNE]\[CYB64W10-TEST$]@[CYB64W10-TEST]

I would have expected
> [CYBERDYNE]\[CYB64W10-TEST$]@[AD.CYBERDYNE.LOCAL]

I see this now and then here also, that suddenly a computer/user can't login.
Common causes..
1) PC time out of sync with DC.
2) Computer account its password expired.
3) Lost domain trust.

But what does the event log show, and I assume the same user on another computer can login?

> I also compared "samba-tool computer show" of a working and one
> non-working machine and can't find any differences other than
> timestamps.

Hmm, is this an "old" domain, like from before 4.9?

Did you use
'samba-tool dns zoneoptions' for aging control
----------------------------------------------
Or
Marking old records as static or dynamic with 'samba-tool'

From : https://www.samba.org/samba/history/samba-4.15.0.html

If I have to gamble on this, 2 options.
Windows 10 bug or Samba fix in 4.15 that triggered it.

And if you don't want to re-register 1 pc..
(You can do this with a script at login for the whole domain. )

Increase the debugging and post it, maybe we see more in these loggings.

Greetz,

Louis

> -----Original message-----
> From: rme at bluemail.ch [mailto:rme at bluemail.ch]
> Sent: Wednesday 29 September 2021 9:50
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Problem after update version 4.15.0
>
> Hi Louis
>
> On 29.09.2021 09:23, L.P.H. van Belle via samba wrote:
> > The computer password is expired.
> > You can try, Remove the pc from domain and rejoin.
> >
> > And did you verify if the computer time is in sync with AD.
>
> Where can I check this? And why does it not happen on Samba 4.14.7?
>
> In fact I can perfectly use the computer account when downgrading to
> 4.14.7. I did the upgrade, test, downgrade cycle a couple of times
> already. Samba 4.14.7 always working fine and Samba 4.15
> claiming the password to be wrong (wrong, not expired).
>
> If expiration is a problem the question is how the password can be
> renewed without having to re-join the machine - before the upgrade of
> course.
>
> I don't want to lose 80% of my machines after Samba 4.15 upgrade
> blocking my users to log in and then having to re-join all the machines
> which work perfectly fine on Samba 4.14.7.
>
> best regards,
> Rainer

Hello

On 29.09.2021 10:08, L.P.H. van Belle via samba wrote:
> This.
>> ../../source4/auth/ntlm/auth.c:241(auth_check_password_send)
>> auth_check_password_send: Checking password for unmapped user
>> [CYBERDYNE]\[CYB64W10-TEST$]@[CYB64W10-TEST]
>
> I would have expected
>> [CYBERDYNE]\[CYB64W10-TEST$]@[AD.CYBERDYNE.LOCAL]

Actually right. Would expect the same. But in Samba 4.14.7 no such problem appearing.

> I see this now and then here also, that suddenly a computer/user can't login.
> Common causes..
> 1) PC time out of sync with DC.

No, Time is NTP-Synchronized.

> 2) Computer account its password expired.

Not sure but Samba 4.14.7 does not complain at all - even if reverting just Samba binaries I am perfectly able to log on. Passwords are supposed to renew automatically as of my knowledge. The machine is in use almost daily so it's not a machine which was not connected or off for months.

> 3) Lost domain trust.

Right after Samba 4.15 upgrade? On 80% of my machines? And machines re-gain trust after Samba downgrade? hmmm

> But what does the event log show, and I assume the same user on another computer can login?

Good point, let me try to dig up some logs from my attempts yesterday (meanwhile my Samba is rolled back).

Here is what I found in the event logs:

Log Name:      System
Source:        NETLOGON
Date:          9/28/2021 9:44:07 PM
Event ID:      3210
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      cyb64w10-test.ad.cyberdyne.local
Description:
This computer could not authenticate with \\skynet.ad.cyberdyne.local, a Windows domain controller for domain CYBERDYNE, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">3210</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2021-09-28T19:44:07.3916682Z" />
    <EventRecordID>24124</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>cyb64w10-test.ad.cyberdyne.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>CYBERDYNE</Data>
    <Data>\\skynet.ad.cyberdyne.local</Data>
    <Binary>220000C0</Binary>
  </EventData>
</Event>

Again, this completely disappeared after rolling back, without domain re-join or anything else. Samba 4.15 seems just to refuse authentication for no good reason.

>> I also compared "samba-tool computer show" of a working and one
>> non-working machine and can't find any differences other than
>> timestamps.
> Hmm, is this an "old" domain, like from before 4.9?

Yes, even older. I was even using SAMBA-ldap on pre-4.0 releases. But this particular machine was added later, for sure after 4.0 AD upgrade. Sure I don't remember exact dates of upgrade. But yes this Domain was upgraded all the way since first Samba 4.x releases. However I don't see why this should cause such issues and why there is no proper migration.
So we might be looking at some upgrade/migration issues but my understanding was that Samba should actually handle this and not just start denying computer account logins on upgrade.
Sure if the machine using some legacy authentication method or anything like this, then I would expect Samba first to force the client to update the password or authentication method before completely locking it out.

> Did you use
> 'samba-tool dns zoneoptions' for aging control
> ----------------------------------------------
> Or
> Marking old records as static or dynamic with 'samba-tool'
>
> From : https://www.samba.org/samba/history/samba-4.15.0.html

Yes, I did this. Set my servers to static entries and clients to dynamic using regex.

> If I have to gamble on this, 2 options.
> Windows 10 bug or Samba fix in 4.15 that triggered it.

Guessing the second one too. But I seem not to be the only one having this issue. As mentioned it seems to happen only to machines which are joined to the domain since quite a while (2 years+).
Another machine I just joined a few days ago on Samba 4.14.7 is not affected and still allows login after 4.15 upgrade.

So I would be fine if anyone could either:
- Provide a fix in Samba
- Provide a procedure to be run before the upgrade
- Provide a procedure to be run after the upgrade (preferably no manual actions on clients like re-join)

Obviously I would like to avoid having to re-join all the machines but if I would have to run some database-update command or migration script I would be totally fine.

> And if you don't want to re-register 1 pc..
> (You can do this with a script at login for the whole domain. )

At login?
First of all no user can log on to the affected machines (except local user accounts).
Users don't have any admin privileges on the machines, logon scripts run in user context and cannot perform domain join.
Moreover the users can't even log on.
I might be able to use psexec to execute commands remotely but did not try if this works if the domain machine account is denied actually. Also I don't want to do this as if I roll out Samba 4.15 in an environment with hundreds of machines I would rather prefer not having to sync with the users to bring the machines online and run commands in background.
It's also just not acceptable to send a technician to all users to log on locally and perform a domain re-join.

This machine is in my personal lab. I am holding on with Samba 4.15 deployment in any larger customer environment I am maintaining for this reason.

> Increase the debugging and post it, maybe we see more in these loggings.

I could re-deploy 4.15 in my personal environment trying to reproduce but I am not sure to which log levels I should increase.

For me it certainly looks like changed behavior or Samba bug as downgrading to 4.14.7 resolves the problem entirely.

Thanks for your hints and help.

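An added example, not part of either poster's message: the `<Binary>` field of the NETLOGON event quoted above is a 4-byte status stored little-endian, so `220000C0` reads as NTSTATUS 0xC0000022. The sketch below parses the posted event XML and names the code; the function name, the returned dictionary keys and the short lookup table are choices made for this example.

```python
import struct
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of NTSTATUS codes that come up with secure-channel failures.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
    0xC0000199: "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT",
}

# Event XML from the post above, trimmed to the elements used here.
EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="NETLOGON" /><EventID Qualifiers="0">3210</EventID>
<TimeCreated SystemTime="2021-09-28T19:44:07.3916682Z" />
<Computer>cyb64w10-test.ad.cyberdyne.local</Computer></System>
<EventData><Data>CYBERDYNE</Data><Data>\\skynet.ad.cyberdyne.local</Data>
<Binary>220000C0</Binary></EventData></Event>"""


def decode_netlogon_event(xml_text):
    """Return event id, client, data strings and decoded NTSTATUS of an event."""
    root = ET.fromstring(xml_text)
    data = [d.text for d in root.findall("e:EventData/e:Data", NS)]
    binary = root.findtext("e:EventData/e:Binary", default="", namespaces=NS)
    raw = bytes.fromhex(binary.strip())
    if len(raw) != 4:
        raise ValueError(f"expected a 4-byte status, got {len(raw)} bytes")
    (status,) = struct.unpack("<I", raw)  # the DWORD is stored little-endian
    return {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "data": data,
        "status": status,
        "status_name": NTSTATUS.get(status, "unknown"),
    }


if __name__ == "__main__":
    ev = decode_netlogon_event(EVENT_XML)
    print(f"{ev['computer']}: event {ev['event_id']} -> "
          f"0x{ev['status']:08X} {ev['status_name']}")
```

For the posted event this yields STATUS_ACCESS_DENIED, which is a different code from the clock-skew and password-expired statuses in the table.
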
> -----Original message-----
> From: rme at bluemail.ch [mailto:rme at bluemail.ch]
> Sent: Wednesday 29 September 2021 10:48
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Problem after update version 4.15.0
>
> Hello
>
> On 29.09.2021 10:08, L.P.H. van Belle via samba wrote:
> > This.
> >> ../../source4/auth/ntlm/auth.c:241(auth_check_password_send)
> >> auth_check_password_send: Checking password for unmapped user
> >> [CYBERDYNE]\[CYB64W10-TEST$]@[CYB64W10-TEST]
> >
> > I would have expected
> >> [CYBERDYNE]\[CYB64W10-TEST$]@[AD.CYBERDYNE.LOCAL]
>
> Actually right. Would expect the same. But in Samba 4.14.7 no such
> problem appearing.
>
> > I see this now and then here also, that suddenly a computer/user can't login.
> > Common causes..
> > 1) PC time out of sync with DC.
>
> No, Time is NTP-Synchronized.

Yeah, same here, but still, for some reason, sometimes 1 pc is off..
That's why I'm asking.. Check, don't assume..

> > 2) Computer account its password expired.
>
> Not sure but Samba 4.14.7 does not complain at all - even if reverting
> just Samba binaries I am perfectly able to log on. Passwords are
> supposed to renew automatically as of my knowledge. The machine is in
> use almost daily so it's not a machine which was not connected or off
> for months.
>
> > 3) Lost domain trust.
>
> Right after Samba 4.15 upgrade? On 80% of my machines? And machines
> re-gain trust after Samba downgrade? Hmmm

Definitely strange, but I'm thinking, are these PCs sysprepped.
And was there SID reset at that time.

> > But what does the event log show, and I assume the same user on another computer can login?
>
> Good point, let me try to dig up some logs from my attempts yesterday
> (meanwhile my Samba is rolled back).
>
> Here is what I found in the event logs:
>
> Log Name:      System
> Source:        NETLOGON
> Date:          9/28/2021 9:44:07 PM
> Event ID:      3210
> Task Category: None
> Level:         Error
> Keywords:      Classic
> User:          N/A
> Computer:      cyb64w10-test.ad.cyberdyne.local
> Description:
> This computer could not authenticate with \\skynet.ad.cyberdyne.local, a
> Windows domain controller for domain CYBERDYNE, and therefore this
> computer might deny logon requests. This inability to authenticate might
> be caused by another computer on the same network using the same name or
> the password for this computer account is not recognized. If this
> message appears again, contact your system administrator.
> Event Xml:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>   <System>
>     <Provider Name="NETLOGON" />
>     <EventID Qualifiers="0">3210</EventID>
>     <Version>0</Version>
>     <Level>2</Level>
>     <Task>0</Task>
>     <Opcode>0</Opcode>
>     <Keywords>0x80000000000000</Keywords>
>     <TimeCreated SystemTime="2021-09-28T19:44:07.3916682Z" />
>     <EventRecordID>24124</EventRecordID>
>     <Correlation />
>     <Execution ProcessID="0" ThreadID="0" />
>     <Channel>System</Channel>
>     <Computer>cyb64w10-test.ad.cyberdyne.local</Computer>
>     <Security />
>   </System>
>   <EventData>
>     <Data>CYBERDYNE</Data>
>     <Data>\\skynet.ad.cyberdyne.local</Data>
>     <Binary>220000C0</Binary>
>   </EventData>
> </Event>
>
> Again, this completely disappeared after rolling back, without domain
> re-join or anything else. Samba 4.15 seems just to refuse
> authentication for no good reason.
>
> >> I also compared "samba-tool computer show" of a working and one
> >> non-working machine and can't find any differences other than
> >> timestamps.
> > Hmm, is this an "old" domain, like from before 4.9?
>
> Yes, even older. I was even using SAMBA-ldap on pre-4.0 releases. But
> this particular machine was added later, for sure after 4.0 AD upgrade.
> Sure I don't remember exact dates of upgrade. But yes this Domain was
> upgraded all the way since first Samba 4.x releases. However I don't see
> why this should cause such issues and why there is no proper migration.
> So we might be looking at some upgrade/migration issues but my
> understanding was that Samba should actually handle this and not just
> start denying computer account logins on upgrade.
> Sure if the machine using some legacy authentication method or anything
> like this, then I would expect Samba first to force the client to update
> the password or authentication method before completely locking it out.

Ah, I'm pretty sure your "source" of the problem is this.

> > Did you use
> > 'samba-tool dns zoneoptions' for aging control
> > ----------------------------------------------
> > Or
> > Marking old records as static or dynamic with 'samba-tool'
> >
> > From : https://www.samba.org/samba/history/samba-4.15.0.html
>
> Yes, I did this. Set my servers to static entries and clients
> to dynamic using regex.

So, it seems there must be more that's off,

> > If I have to gamble on this, 2 options.
> > Windows 10 bug or Samba fix in 4.15 that triggered it.
>
> Guessing the second one too. But I seem not to be the only one having
> this issue. As mentioned it seems to happen only to machines
> which are joined to the domain since quite a while (2 years+).
> Another machine I just joined a few days ago on Samba 4.14.7
> is not affected and still allows login after 4.15 upgrade.

And what if you compare the 2 ldap objects of a working and not working
There IS a difference somewhere.

> So I would be fine if anyone could either:
> - Provide a fix in Samba
> - Provide a procedure to be run before the upgrade
> - Provide a procedure to be run after the upgrade
> (preferably no manual actions on clients like re-join)
>
> Obviously I would like to avoid having to re-join all the
> machines but if I would have to run some database-update command or
> migration script I would be totally fine.

I'm thinking what we can do here..

> > And if you don't want to re-register 1 pc..
> > (You can do this with a script at login for the whole domain. )
>
> At login?
> First of all no user can log on to the affected machines
> (except local user accounts).

While on Samba 4.17.. Then users can login.

> Users don't have any admin privileges on the machines,
> logon scripts run in user context and cannot perform domain join.

Then you run the script in the "computer" context and a computer can maintain its own records as far as I know.
You might need to add an xml file locally first *can be done with GPO's.

I just found this one,
https://mcpmag.com/articles/2015/03/05/rejoin-a-computer-from-a-domain.aspx
Read it, that might give the idea on how to rejoin them.
Because, I think it's really needed..
Your domain is even older than mine, I started with 4.1.x
And I'm even thinking currently to set up a complete new fresh domain.

> Moreover the users can't even log on.
> I might be able to use psexec to execute commands remotely but did not
> try if this works if the domain machine account is denied actually. Also
> I don't want to do this as if I roll out Samba 4.15 in an environment
> with hundreds of machines I would rather prefer not having to sync with
> the users to bring the machines online and run commands in background.
> It's also just not acceptable to send a technician to all
> users to log on locally and perform a domain re-join.
>
> This machine is in my personal lab. I am holding on with Samba 4.15
> deployment in any larger customer environment I am
> maintaining for this reason.
>
> > Increase the debugging and post it, maybe we see more in these loggings.
>
> I could re-deploy 4.15 in my personal environment trying to reproduce
> but I am not sure to which log levels I should increase.
>
> For me it certainly looks like changed behavior or Samba bug as
> downgrading to 4.14.7 resolves the problem entirely.
>
> Thanks for your hints and help.

You're welcome..
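An added example, not code from the thread or from Samba: one way to carry out the comparison suggested above is to dump both computer objects as LDIF (for instance the output of `samba-tool computer show`) and compare them attribute by attribute, skipping the attributes that differ between any two machine accounts. The two records, the ignore list and the function names below are constructed for this example.

```python
import base64

# Attributes that always differ between two machine accounts (identity, USNs,
# timestamps). This ignore list is an assumption of the example.
IGNORE = {"dn", "cn", "name", "samaccountname", "dnshostname", "objectguid",
          "objectsid", "serviceprincipalname", "whencreated", "whenchanged",
          "usncreated", "usnchanged", "pwdlastset", "lastlogon",
          "lastlogontimestamp", "logoncount", "badpasswordtime"}

# Constructed sample records, not data from the thread.
RECORD_A = """dn: CN=PC-NEW,CN=Computers,DC=example,DC=test
objectClass: top
objectClass: computer
sAMAccountName: PC-NEW$
operatingSystemVersion: 10.0 (19043)
pwdLastSet: 132770000000000000
"""
RECORD_B = """dn: CN=PC-OLD,CN=Computers,
 DC=example,DC=test
objectClass: computer
objectClass: top
sAMAccountName: PC-OLD$
operatingSystemVersion: 10.0 (17763)
description:: b2xkIGxhYiBQQw==
pwdLastSet: 132500000000000000
"""

def parse_ldif(text):
    """Parse one LDIF record into {lowercased attribute: sorted values}."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # unfold a continuation line
        elif line and not line.startswith("#"):
            lines.append(line)
    record = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        record.setdefault(attr.lower(), []).append(value.strip())
    return {attr: sorted(vals) for attr, vals in record.items()}

def diff_records(a, b, ignore=IGNORE):
    """Return {attribute: (values_in_a, values_in_b)} for real differences."""
    return {attr: (a.get(attr), b.get(attr))
            for attr in sorted((set(a) | set(b)) - ignore)
            if a.get(attr) != b.get(attr)}
```

Calling `diff_records(parse_ldif(RECORD_A), parse_ldif(RECORD_B))` reports only `description` and `operatingSystemVersion`; value order, folded lines, base64 values and the ignored timestamps do not show up as differences.
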