Same here...

Have set up one of my DCs new with the packages from Louis. This DC is also my print server. Thought at first I made an error but yesterday I found this:
https://www.bleepingcomputer.com/news/microsoft/new-windows-10-kb5006670-update-breaks-network-printing/

That's exactly the error I'm getting. But I couldn't check this with uninstalling the last Windows patch until now.

Regards
Ingo

cn--- via samba wrote on 19.10.2021 at 14:37:
> Hello you all,
> Microsoft is still trying to fix the PrintNightmare bugs. And after
> the latest patch day we see lots of NTLMv2 auths on our printserver.
> And _only_ on our printserver and not on any other member servers.
>
> It is not that Kerberos does not work. I can ssh into that machine
> using Kerberos, I can connect with smbclient with Kerberos. Also the
> logs are really spammed with those messages. And it all started after
> we released the last patchday updates from MS.
> This is on RockyLinux with Samba Version 4.14.8 from Sernet. Also had
> the same problem on 4.14.7. smb.conf is below.
> Everything seems to work as expected. It just is the number of NTLMv2
> auths that made me look at this more closely.
>
> Anyone seen something similar?
>
>
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de winbindd[1468]: [2021/10/19 14:22:55.209081,  3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de winbindd[1468]:   Auth: [winbind,NTLM_AUTH, nss_winbind, 1003] user [DOMAIN-02]\[user] at [Tue, 19 Oct 2021 14:22:55.209056 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [HOST] remote host [unix:] became [DOMAIN-02]\[user] [S-1-5-21-XXX-XXX-XXX-xxxx]. local host [unix:]
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]: [2021/10/19 14:22:55.209404,  3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]:   Auth: [DCE/RPC,(null)] user [DOMAIN-02]\[user] at [Tue, 19 Oct 2021 14:22:55.209385 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [HOST] remote host [ipv4:yyy.yyy.yyy.yyy:49949] became [DOMAIN-02]\[user] [S-1-5-21-XXX-XXX-XXX-xxxx]. local host [ipv4:yyy.yyy.yyy.xxxx:445]
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]: [2021/10/19 14:22:55.213366,  4] ../../auth/auth_log.c:753(log_successful_authz_event_human_readable)
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]:   Successful AuthZ: [DCE/RPC,NTLMSSP] user [DOMAIN-02]\[user] [S-1-5-21-XXX-XXX-XXX-xxxx] at [Tue, 19 Oct 2021 14:22:55.213356 CEST] Remote host [ipv4:yyy.yyy.yyy.yyy:49949] local host [ipv4:yyy.yyy.yyy.xxxx:445]
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de winbindd[1468]: [2021/10/19 14:22:55.272006,  3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de winbindd[1468]:   Auth: [winbind,NTLM_AUTH, nss_winbind, 1003] user [DOMAIN-02]\[user] at [Tue, 19 Oct 2021 14:22:55.271994 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [HOST] remote host [unix:] became [DOMAIN-02]\[user] [S-1-5-21-XXX-XXX-XXX-xxxx]. local host [unix:]
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]: [2021/10/19 14:22:55.272247,  3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]:   Auth: [DCE/RPC,(null)] user [DOMAIN-02]\[user] at [Tue, 19 Oct 2021 14:22:55.272236 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [HOST] remote host [ipv4:yyy.yyy.yyy.yyy:49949] became [DOMAIN-02]\[user] [S-1-5-21-XXX-XXX-XXX-xxxx]. local host [ipv4:yyy.yyy.yyy.xxxx:445]
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]: [2021/10/19 14:22:55.275198,  4] ../../auth/auth_log.c:753(log_successful_authz_event_human_readable)
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]:   Successful AuthZ: [DCE/RPC,NTLMSSP] user [DOMAIN-02]\[user] [S-1-5-21-XXX-XXX-XXX-xxxx] at [Tue, 19 Oct 2021 14:22:55.275188 CEST] Remote host [ipv4:yyy.yyy.yyy.yyy:49949] local host [ipv4:yyy.yyy.yyy.xxxx:445]
>
>
>
> smb.conf
>
> [global]
>         netbios name = Printserver
>         server string = Printserver
>         security = ADS
>         realm = HQ.DOMAIN.DE
>         workgroup = DOMAIN-02
>         max log size = 50000
>         disable netbios = yes
>         smb ports = 445
>         server min protocol = SMB2
>         client min protocol = SMB2
>         #log level = 4
>         log level = 1 auth_audit:5
>         logging = syslog only
>         kerberos method = secrets and keytab
>         dedicated keytab file = /etc/krb5.keytab
>         writeable = YES
>         map acl inherit = yes
>         store dos attributes = yes
>         inherit acls = Yes
>         username map = /etc/samba/smbusers
>
>         interfaces = lo eth0
>         bind interfaces only = Yes
>         ##idmap##
>         # Default idmap config used for BUILTIN and local windows accounts/groups
>         idmap config *:backend = tdb
>         idmap config *:range = 1000000-2000000
>
>         # idmap config for domain DOMAIN-02
>         idmap config DOMAIN-02:backend = ad
>         idmap config DOMAIN-02:range = 500-65555
>         idmap config DOMAIN-02:schema_mode = rfc2307
>         idmap config DOMAIN-02:unix_nss_info = yes
>         winbind use default domain = Yes
>         winbind offline logon = yes
>         winbind refresh tickets = yes
>
>         #Printing
>         rpc_server:spoolss = external
>         rpc_daemon:spoolssd = fork
>         spoolss: architecture = Windows x64
>
> [printers]
>         path = /var/spool/samba/
>         printable = yes
>         printing = cups
>
> [print$]
>         path = /srv/samba_printer_drivers/
>         read only = no
>
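The `auth_audit:5` lines quoted above show the pattern (NTLMv2 on the print server, nothing else), but reading syslog by eye gives no count and no list of which clients are falling back from Kerberos. The following is an added example, not code from this thread or from Samba: it parses the human-readable `Auth:` records, tallies them per (service, mechanism), and lists the remote clients that completed NTLMv2 rather than Kerberos authentication. The sample log is constructed for the example (hosts, users, SIDs and addresses are placeholders); the `[SMB2,krb5] ... with [krb5]` Kerberos line and the `NT_STATUS_WRONG_PASSWORD` line are my assumptions about what those records look like, as neither appears in the thread.

```python
import re
from collections import Counter

# Constructed sample, modelled on the "log level = 1 auth_audit:5" output
# quoted in the thread. Nothing here comes from a real system; the Kerberos
# (krb5) and failed-logon lines are assumed formats, not copied from the list.
SAMPLE_LOG = r"""
Okt 19 14:22:55 printserver.example winbindd[1468]: [2021/10/19 14:22:55.209081,  3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
Okt 19 14:22:55 printserver.example winbindd[1468]:   Auth: [winbind,NTLM_AUTH, nss_winbind, 1003] user [DOMAIN-02]\[alice] at [Tue, 19 Oct 2021 14:22:55.209056 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [WS01] remote host [unix:] became [DOMAIN-02]\[alice] [S-1-5-21-0-0-0-1001]. local host [unix:]
Okt 19 14:22:55 printserver.example smbd[2135]:   Auth: [DCE/RPC,(null)] user [DOMAIN-02]\[alice] at [Tue, 19 Oct 2021 14:22:55.209385 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [WS01] remote host [ipv4:192.0.2.10:49949] became [DOMAIN-02]\[alice] [S-1-5-21-0-0-0-1001]. local host [ipv4:192.0.2.5:445]
Okt 19 14:22:55 printserver.example smbd[2135]:   Successful AuthZ: [DCE/RPC,NTLMSSP] user [DOMAIN-02]\[alice] [S-1-5-21-0-0-0-1001] at [Tue, 19 Oct 2021 14:22:55.213356 CEST] Remote host [ipv4:192.0.2.10:49949] local host [ipv4:192.0.2.5:445]
Okt 19 14:23:01 printserver.example smbd[2135]:   Auth: [SMB2,krb5] user [DOMAIN-02]\[bob] at [Tue, 19 Oct 2021 14:23:01.000001 CEST] with [krb5] status [NT_STATUS_OK] workstation [WS02] remote host [ipv4:192.0.2.11:50123] became [DOMAIN-02]\[bob] [S-1-5-21-0-0-0-1002]. local host [ipv4:192.0.2.5:445]
Okt 19 14:23:07 printserver.example smbd[2135]:   Auth: [DCE/RPC,(null)] user [DOMAIN-02]\[carol] at [Tue, 19 Oct 2021 14:23:07.000001 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [WS03] remote host [ipv4:192.0.2.12:50200] local host [ipv4:192.0.2.5:445]
"""

# One "Auth:" record: [service,description] user [DOMAIN]\[user] at [time]
# with [mechanism] status [NT_STATUS_...] workstation [..] remote host [..]
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]*),(?P<desc>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] "
    r"with \[(?P<mech>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\]"
)


def client_address(remote):
    """Reduce the 'remote host' field to a client key.

    'ipv4:192.0.2.10:49949' -> '192.0.2.10' (drop the ephemeral port so one
    client collapses to one key); 'unix:' -> 'unix' (winbind's local caller).
    """
    if remote.startswith("ipv4:"):
        return remote[len("ipv4:"):].rsplit(":", 1)[0]
    return remote.rstrip(":") or remote


def parse_auth_events(text):
    """Return one dict per 'Auth:' record in the log text.

    'Successful AuthZ:' and the debug-header lines do not match and are skipped.
    """
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["client"] = client_address(ev["remote"])
            events.append(ev)
    return events


def mechanism_summary(events, only_successful=True):
    """Count authentications per (service, mechanism), e.g. ('DCE/RPC', 'NTLMv2')."""
    counts = Counter()
    for ev in events:
        if only_successful and ev["status"] != "NT_STATUS_OK":
            continue
        counts[(ev["service"], ev["mech"])] += 1
    return counts


def ntlm_clients(events):
    """Remote clients that completed NTLMv2 (not Kerberos) authentication.

    The winbind half of the same request always reports [unix:], so it is
    excluded; otherwise every NTLM logon would be counted twice.
    """
    return sorted({ev["client"] for ev in events
                   if ev["mech"] == "NTLMv2"
                   and ev["status"] == "NT_STATUS_OK"
                   and ev["client"] != "unix"})


def ntlm_ratio(events):
    """Share of successful network logons that used NTLMv2 instead of Kerberos."""
    ok = [ev for ev in events
          if ev["status"] == "NT_STATUS_OK" and ev["client"] != "unix"]
    if not ok:
        return 0.0
    return sum(ev["mech"] == "NTLMv2" for ev in ok) / len(ok)


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for key, n in sorted(mechanism_summary(evs).items()):
        print(f"{key[0]:8} {key[1]:8} {n}")
    print("NTLMv2 clients:", ", ".join(ntlm_clients(evs)))
    print(f"NTLMv2 share of network logons: {ntlm_ratio(evs):.0%}")
```

Feed it `journalctl -u smb -u winbind` output (or the syslog file) instead of `SAMPLE_LOG`; a jump in `ntlm_ratio` after a patch Tuesday, or a client list that is only print clients, is the signal the thread is describing.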
On 19.10.21 at 16:02, Ingo Asche via samba wrote:
> Same here...
>
> Have set up one of my DCs new with the packages from Louis. This DC is
> also my print server. Thought at first I made an error but yesterday I
> found this:
> https://www.bleepingcomputer.com/news/microsoft/new-windows-10-kb5006670-update-breaks-network-printing/
>
> That's exactly the error I'm getting. But I couldn't check this with
> uninstalling the last Windows patch until now.

As said. For us everything works. I was just wondering why only NTLMv2 and not Kerberos is used and why only since last Friday ...

I also did not have a chance to investigate if the removal of the patch fixes the problem.

Regards

-- 
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development

BRAIN Biotech AG
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Management Board: Adriaan Moelker (Chairman), Lukas Linnig
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
Hi,

I've re-checked my logs also and I don't see any of these NTLMv2 messages in
my logs.
I see some messages, but no show stoppers, same as normal (for me then).

We run Windows 10 2004 up to Windows 11 now.
Samba with CUPS setup. This is running on Debian 10, Samba 4.14.8.

2 settings you don't see there, but they do show up for me with
samba-tool testparm -vv | grep -i ntlm

        client NTLMv2 auth = Yes
        ntlm auth = ntlmv2-only

I do have ntlm auth = ntlmv2-only on all my AD DCs due to other things I use,
which need NTLMv2.

Maybe it helps someone.

My config:
[global]
    log level = 1
    workgroup = ADDOM
    security = ADS
    realm = INTERNAL.DOMAIN.TLD
    netbios name = PRINT1
    preferred master = no
    domain master = no
    host msdfs = no
    interfaces = 192.168.1.5 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes
    # Add and Update TLS Key
    tls enabled = yes
    tls keyfile = /etc/ssl/local/private/xxxxxx.key.pem
    tls certfile = /etc/ssl/local/certs/xxxxxxx.cert.pem
    tls cafile = /etc/ssl/certs/xxxxxxCA.pem
    ## map ids from outside the domain to tdb files.
    idmap config * :backend = tdb
    idmap config * :range = 2000-9999
    ## map ids from the domain; the ranges may not overlap!
    idmap config ADDOM: backend = ad
    idmap config ADDOM: schema_mode = rfc2307
    idmap config ADDOM: range = 10000-3999999
    idmap config ADDOM: unix_primary_group = yes
    idmap config ADDOM: unix_nss_info = yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    # renew the kerberos ticket
    winbind refresh tickets = yes
    # show domain prefix
    # set to no: don't use the default domain, output shows DOMAIN\user
    # set to yes: use the default domain, output shows user
    winbind use default domain = yes
    # show users with getent passwd
    winbind enum users  = no
    winbind enum groups = no
    # enable offline logins
    winbind offline logon = yes
    # depth of nested group expansion; slows down your Samba if the group depth is large
    winbind expand groups = 1
    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping
    # disable usershare creation; when set empty there are no error log messages.
    usershare path =
    # For Windows ACL support on a member file server, enabled globally, OBLIGATORY
    # For a mixed setup of rights, put this per share!
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    # Share settings, global
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

##### PRINT SERVER PART #######
    #enable asu support = yes
    ## Enabling spoolssd
    rpc_server:spoolss = external
    rpc_daemon:spoolssd = fork
    spoolss:architecture = Windows x64
    # Minimum number of child processes
    spoolssd:prefork_min_children = 5
    # Maximum number of child processes
    spoolssd:prefork_max_children = 25
    # Start (fork) x new children if one connection comes in (up to prefork_max_children)
    spoolssd:prefork_spawn_rate = 5
    # Number of clients a child process should be responsible for
    spoolssd:prefork_max_allowed_clients = 100
    # Minimum lifetime of a child process (60 seconds is the minimum,
    # even if a lower value has been configured)
    spoolssd:prefork_child_min_life = 60
    load printers = yes

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /home/samba/printing/drivers
   acl_xattr:ignore system acl = yes
   browseable = yes
   writable = yes
   guest ok = no
   # Uncomment to allow remote administration of Windows print drivers.
   # You may need to replace 'lpadmin' with the name of the group your
   # admin users are members of.
   # Please note that you also need to set appropriate Unix permissions
   # to the drivers directory for these users to have write rights in it
   write list = root, administrator, @"Domain Admins", @lpadmin, @"Print Operators"

[printers]
   comment = All Printers
   path = /home/samba/printing/spool
   acl_xattr:ignore system acl = yes
   browseable = yes
   printable = yes
   printing = CUPS