William Kirstaedter
2022-Aug-31 09:13 UTC
[Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
thanks for your answers,

maybe I need to specify a bit more....

mainly I'd be interested in what the error in the smbd.log means, and how I could get a trace what exactly the netapp or the windows client sent to authenticate.

Actually, since last Friday all my tests are running in a virtual replica of the real system using the netapp ontap simulator and a copy of my univention ucs appliance vm.

the user "cliff" is a test user (Clifford Unger from Death Stranding ...) so there should not be a sensible data leak when extracting logs or anything. I guess..

thanks again!

William Kirstaedter (PP&B)
Fritz-Haber-Institut der MPG
Faradayweg 4-6
14195 Berlin
Tel: 030 8413 5405
Mail: kirstaedter at fhi-berlin.mpg.de

On 31.08.2022 at 10:30, Ralph Boehme wrote:
> On 8/30/22 17:12, William Kirstaedter via samba wrote:
>> I'm now asking here because neither Univention nor Netapp seem to
>> want to help since they both say that combination is not supported /
>> recommended. no reasons given.
>
> ouch, so you're sitting between the chairs. :/
>
> If you can share logs from the Samba DC and network traces of the SMB
> login with the list, with a bit of luck someone has the time to look
> into them. But given the complexity of the issue and that this is
> going to contain sensitive data, I'm not sure community support is
> going to cut it.
>
> If you have the option, you could consider commercial support via:
>
> https://www.samba.org/samba/support/globalsupport.html
>
> Cheers!
> -slow
Rowland Penny
2022-Aug-31 09:26 UTC
[Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
On Wed, 2022-08-31 at 11:13 +0200, William Kirstaedter via samba wrote:
> thanks for your answers,
>
> maybe I need to specify a bit more....
>
> mainly I'd be interested in what the error in the smbd.log means, and
> how I could get a trace what exactly the netapp or the windows client
> sent to authenticate.
>
> Actually, since last friday all my tests are running in a virtual
> replica of the real system using the netapp ontap simulator and a copy
> of my univention ucs appliance vm.
>
> the user "cliff" is a test user (Clifford Unger from Death Stranding
> ...) so there should not be a sensible data leak when extracting logs
> or anything. I guess..
>
> thanks again!

I have been doing a bit of digging into this and it seems that netapp doesn't support the use of Samba as an AD DC:

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Does_ONTAP_support_Samba_domain_controllers

I think this means that you are not going to get any help from them. It also looks like your only hope is reverse engineering, either that, or have an accident with a really big hammer and your netapp device (after backing up the data) :-D

Rowland
Ralph Boehme
2022-Aug-31 09:53 UTC
[Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
On 8/31/22 11:13, William Kirstaedter wrote:
> mainly I'd be interested in what the error in the smbd.log means, and
> how I could get a trace what exactly the netapp or the windows client
> sent to authenticate.

which smbd.log? I guess you're referring to the NetAPP event log fragment you shared? Nobody outside NetAPP will be able to do a failure analysis based on the NetAPP log.

Here on planet Samba we could only look at an SMB network trace between client and netapp, network traces of all traffic of the netapp appliance (mainly to look at DNS, the RPC connection to the DC will be encrypted) and a log with level 10 from the Samba DC.

With a bit of luck it's possible to find something where things go south, but it's a slim chance.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba
Andrew Bartlett
2022-Sep-04 22:40 UTC
[Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
On Wed, 2022-08-31 at 11:53 +0200, Ralph Boehme via samba wrote:
> On 8/31/22 11:13, William Kirstaedter wrote:
> > mainly I'd be interested in what the error in the smbd.log means,
> > and how I could get a trace what exactly the netapp or the windows
> > client sent to authenticate.
>
> which smbd.log? I guess you're referring to the NetAPP event log
> fragment you shared? Nobody outside NetAPP will be able to do a
> failure analysis based on the NetAPP log.
>
> Here on planet Samba we could only look at an SMB network trace
> between client and netapp, network traces of all traffic of the
> netapp appliance (mainly to look at DNS, the RPC connection to the DC
> will be encrypted) and a log with level 10 from the Samba DC.
>
> With a bit of luck it's possible to find something where things go
> south, but it's a slim chance.

I agree. Samba not finding a viable SPNEGO mechanism is something we might be able to fix on our side, or at least diagnose, given a network trace.

But I think this is likely something that needs to be worked through a commercial support channel, because with no public test case it is going to be a pile of back-and-forth at best, and likely new code with backing tests.

Sorry,

Andrew,

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions