Ray Klassen
2023-Nov-21 00:39 UTC
[Samba] windows workstations needing reboot to validate passwords. --ADDENDUM
On Mon, 2023-11-20 at 15:19 -0500, James Atwell via samba wrote:
> > -----Original Message-----
> > From: samba <samba-bounces at lists.samba.org> On Behalf Of Ray Klassen via samba
> > Sent: Monday, November 20, 2023 2:10 PM
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] windows workstations needing reboot to validate passwords. --ADDENDUM
> >
> > On Mon, 2023-11-20 at 13:43 -0500, James Atwell via samba wrote:
> > > > -----Original Message-----
> > > > From: samba <samba-bounces at lists.samba.org> On Behalf Of Ray Klassen via samba
> > > > Sent: Monday, November 20, 2023 1:09 PM
> > > > To: samba at lists.samba.org
> > > > Subject: Re: [Samba] windows workstations needing reboot to validate passwords. --ADDENDUM
> > > >
> > > > Audit logging has been a bust. The failed attempt by the workstation to validate the password does not show up in the logs.
> > > >
> > > > On Thu, 2023-11-16 at 10:38 -0800, Ray Klassen via samba wrote:
> > > > > Thank you for the suggestion. Audit logging enabled.
> > > > >
> > > > > On Thu, 2023-11-16 at 13:27 -0500, James Atwell via samba wrote:
> > > > > > Have you set up Samba audit logging? This may aid in your efforts to see the reasons for not authenticating from the server's perspective.
> > > > > >
> > > > > > https://wiki.samba.org/index.php/Setting_up_Audit_Logging
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: samba <samba-bounces at lists.samba.org> On Behalf Of Ray Klassen via samba
> > > > > > Sent: Thursday, November 16, 2023 1:11 PM
> > > > > > To: samba at lists.samba.org
> > > > > > Subject: [Samba] windows workstations needing reboot to validate passwords. --ADDENDUM
> > > > > >
> > > > > > I am (earlier reported under the subject "Peculiar Problem") having an issue that started several weeks ago, where windows (10 pro, server 2019) computers randomly get into a state where they refuse to validate passwords. Rebooting (sometimes several times) makes the problem go away. You can also log in if you disconnect the PC from the network and then reconnect.
> > > > > >
> > > > > > List of changes around the time it started.
> > > > > >
> > > > > > Samba upgrade to 4.19.2
> > > > > > Samba schema upgrade to 2012_R2 functional level
> > > > > > Samba upgrade to 2008 functional level
> > > > > >
> > > > > > List of measures taken (hoping that if best practices are not being observed, implementing them will fix things!!)
> > > > > >
> > > > > > Moved DNS from SAMBA_INTERNAL to BIND_DLZ
> > > > > > Moved ntp from ntpsec to chrony
> > > > > >
> > > > > > Diagnostic steps
> > > > > >
> > > > > > Packet dumps (decoded with keytab) and loglevel 255 show no glaring issues or errors.
> > > > > >
> > > > > > Going to try restarting all of the DC's next time it happens to determine if the miscommunication originates with windows or samba.
> > > > > >
> > > > > > Windows Eventviewer lists failure as Event ID 4625 Status 0xC000006D Sub Status 0x0 Failure reason %%2304
> > > > > >
> > > > > > Any other suggestions welcome!!
> > > > > >
> > > > > > --
> > > > > > To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
> > >
> > > You mentioned restarting all your DC's. I assume you have more than 1 DC and enabled audit logging on all your DC's. I also assume you verified on all DC's the logs do not exist if enabled on all?
> >
> > I have 4 DC's. I've got auditing enabled on all of them. And seeing audit entries on all of them regarding other traffic. The workstation that misbehaved this morning shows entries on some of them over the weekend 'NT_STATUS_OK' and earlier. It looks like it is doing a machine password update.
>
> The fact that you can unplug the device and log back in tells me the workstation is using cached credentials to log back in.
>
> Try authenticating to the netlogon share from each of your DC's with one of the affected usernames.
>
> smbclient //localhost/netlogon -Uusername -c 'ls'
>
> I would also check replication is working as expected and all databases match.
>
> https://wiki.samba.org/index.php/Samba-tool_ldapcmp
>
> The biggest change you made was upgrading the schema. Did you ensure to include
>
> ad dc functional level = 2016
>
> in the smb.conf file on all your DC's?
>
> Without log files it's hard to troubleshoot. You need to pull the authentication attempt failure to analyze. Do you have other services that use your DC for authentication that exhibit similar behavior?

The schema upgrade was described in the following wiki page without reference to upping the actual domain functional level. Once the schema upgrade was successful I upped samba to the maximum allowed -- 2008. Does samba level need to be equal to its schema? Should we update the wiki page to include that?

https://wiki.samba.org/index.php/Azure_AD_Connect_Cloud_sync

FYI samba-tool ldapcmp registers SUCCESS between the main DC and the others on all comparisons. samba-tool drs showrepl (something I check every time I install a new version) is showing 0 failures across the board.

I've got a server that has the problem... I'm looking for ways to remotely reset the machine password to see if that's the issue. I don't think it's using cached credentials for the user. If it was, it would work, as disconnecting the box from the LAN and forcing cached credentials works every time.
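Ray's observation that the audit log shows the workstation's successful entries on only some of the four DCs, and James's earlier question about whether logging is enabled and checked on every DC, both come down to a per-DC comparison of what was logged for one machine account. The script below is an added example, not code from this thread or from the Samba project: it assumes Samba's JSON authentication audit lines (the `JSON Authentication: ` prefix and the `Authentication.status` / `clientAccount` / `serviceDescription` field names are assumptions), the DC names and log lines are constructed, and it reports per DC which statuses were recorded for the account and which DCs recorded nothing for it at all.

```python
import json
from collections import defaultdict

MARKER = "JSON Authentication: "  # prefix before the JSON audit record (assumed layout)

def audit_line(ts, status, account, service):  # constructed line in the assumed layout
    return MARKER + json.dumps({"timestamp": ts, "type": "Authentication", "Authentication":
                                {"status": status, "clientAccount": account, "serviceDescription": service}})

# Constructed sample logs (not real data): only dc1 and dc2 ever logged WKSTN01$.
SAMPLE_LOGS = {
    "dc1": [audit_line("2023-11-18T03:12:40+0000", "NT_STATUS_OK", "WKSTN01$", "LDAP"),
            audit_line("2023-11-19T03:12:41+0000", "NT_STATUS_OK", "WKSTN01$", "SamLogon"),
            audit_line("2023-11-19T08:00:00+0000", "NT_STATUS_OK", "alice", "SMB2")],
    "dc2": ["smbd[1234]: unrelated non-audit line",
            audit_line("2023-11-20T07:55:02+0000", "NT_STATUS_OK", "WKSTN01$", "LDAP")],
    "dc3": ["smbd[1234]: unrelated non-audit line"],
}

def parse_audit_line(line):
    """Return timestamp, status and account of one audit line, or None for other lines."""
    idx = line.find(MARKER)
    if idx < 0:
        return None
    try:
        rec = json.loads(line[idx + len(MARKER):])
    except json.JSONDecodeError:
        return None  # truncated or otherwise non-JSON remainder
    auth = rec.get("Authentication", {})
    return {"ts": rec.get("timestamp", ""), "status": auth.get("status"),
            "account": (auth.get("clientAccount") or "").upper()}

def summarize(logs_by_dc, account):
    """Per DC: count of each status and latest timestamp for one account."""
    account = account.upper()  # AD account names compare case-insensitively
    summary = {}
    for dc, lines in logs_by_dc.items():
        counts, last = defaultdict(int), ""
        for ev in filter(None, map(parse_audit_line, lines)):
            if ev["account"] != account:
                continue
            counts[ev["status"]] += 1
            last = max(last, ev["ts"])  # ISO 8601 with a fixed offset sorts lexically
        summary[dc] = {"counts": dict(counts), "last": last or None}
    return summary

def silent_dcs(summary):
    """DCs with no event at all for the account: where the missing failure would be."""
    return sorted(dc for dc, s in summary.items() if not s["counts"])
```

Feeding it the real log files from each DC (one list of lines per DC) shows at a glance which DCs the workstation actually talked to and whether any of them ever recorded a non-`NT_STATUS_OK` result for it.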
james.atwell365 at gmail.com
2023-Nov-21 17:00 UTC
[Samba] windows workstations needing reboot to validate passwords. --ADDENDUM
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Ray Klassen via samba
> Sent: Monday, November 20, 2023 7:39 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] windows workstations needing reboot to validate passwords. --ADDENDUM
>
> The schema upgrade was described in the following wiki page without reference to upping the actual domain functional level. Once the schema upgrade was successful I upped samba to the maximum allowed -- 2008. Does samba level need to be equal to its schema? Should we update the wiki page to include that?
>
> https://wiki.samba.org/index.php/Azure_AD_Connect_Cloud_sync
>
> FYI samba-tool ldapcmp registers SUCCESS between the main DC and the others on all comparisons. samba-tool drs showrepl (something I check every time I install a new version) is showing 0 failures across the board.
>
> I've got a server that has the problem... I'm looking for ways to remotely reset the machine password to see if that's the issue. I don't think it's using cached credentials for the user. If it was, it would work, as disconnecting the box from the LAN and forcing cached credentials works every time.

The link you provided refers to Azure AD Cloud Sync. For my schema upgrade I used the following link https://wiki.samba.org/index.php/AD_Schema_Version_Support and version notes from 4.19.0. https://www.samba.org/samba/history/samba-4.19.0.html