[Samba] Upgrading from Samba 4.0.1 to 4.1.6
Jason Waters
jwaters at h2os.com
Sat Mar 15 19:32:24 MDT 2014
Got a little further. I removed the pem files and then the one (PDC)
started and stayed working. The BDC did not. I got this when I grep the
log file.
root at fsZZ:/usr/local/samba-4.1.6/var# grep error log.samba
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=VSERVER,CN=Computers,DC=abc,DC=local: error
in module acl: Constraint violation (19)
Failed to modify SPNs on CN=VSERVER,CN=Computers,DC=abc,DC=local: error
in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=VSERVER,CN=Computers,DC=abc,DC=local: error
in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=VSERVER,CN=Computers,DC=abc,DC=local: error
in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
YYNIC: ZZternal error
YYNIC: ZZternal error
YYNIC: ZZternal error
YYNIC: ZZternal error
YYNIC: ZZternal error
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
YYNIC: ZZternal error
YYNIC: ZZternal error
YYNIC: ZZternal error
YYNIC: ZZternal error
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint violation (19)
root at fsZZ:/usr/local/samba-4.1.6/var#
Any thoughts?
I put 4.0.1 back in place and everything just works. If you have any ideas
I will put 4.1.6 back and work through the problems. Thanks.
Jason
On Fri, Mar 14, 2014 at 12:28 PM, Jason Waters <jwaters at h2os.com> wrote:
> I just grep'd the log file and found this, so I think you are correct
>
> root at blhblahblah:/usr/local/samba-4.1.6/var# grep pem *
> log.samba: invalid permissions on file
> '/usr/local/samba/private/tls/key.pem': has 0644 should be 0600
> log.samba: Invalid permissions on TLS private key file
> '/usr/local/samba/private/tls/key.pem':
> log.samba: Removing all tls .pem files will cause an auto-regeneration
> with the correct permissions.
>
>
>
>
> On Fri, Mar 14, 2014 at 11:53 AM, Jason Waters <jwaters at h2os.com> wrote:
>
>> Marc,
>> Great I will try that tonight. Thank you for the help! I will make
>> sure I let you know if that fixed it or not.
>>
>> Jason
>>
>>
>> On Fri, Mar 14, 2014 at 11:50 AM, Marc Muehlfeld <samba at marc-muehlfeld.de
>> > wrote:
>>
>>> Hello Jason
>>>
>>> On 14.03.2014 16:18, Jason Waters wrote:
>>>
>>>> Took a quick look in /usr/local/samba/var/samba.log and saw the ldap
>>>> error.
>>>>
>>>
>>> I guess you hit this fix:
>>> http://www.samba.org/samba/history/samba-4.0.11.html
>>>
>>> CVE-2013-4476:
>>> In setups which provide ldap(s) and/or https services, the private
>>> key for SSL/TLS encryption might be world readable. This typically
>>> happens in active directory domain controller setups.
>>>
>>>
>>> You would have this in your logs, then:
>>>
>>> [2014/01/29 20:19:14.836873, 0, pid=4311] ../lib/util/util.c:161(file_check_permissions)
>>> invalid permissions on file '/usr/local/samba/private/tls/key.pem':
>>> has 0644 should be 0600
>>> [2014/01/29 20:19:14.843206, 0, pid=4311] ../source4/lib/tls/tls_tstream.c:1125(tstream_tls_params_server)
>>> Invalid permissions on TLS private key file
>>> '/usr/local/samba/private/tls/key.pem':
>>> owner uid 0 should be 0, mode 0644 should be 0600
>>> This is known as CVE-2013-4476.
>>> Removing all tls .pem files will cause an auto-regeneration with the
>>> correct permissions.
>>>
>>>
>>> This is about the TLS keys for LDAP encryption. Remove the key files and
>>> restart Samba.
>>>
>>>
>>> I've added this to the Wiki page, too, as we often had this problem on
>>> the list in the past:
>>> https://wiki.samba.org/index.php/Updating_Samba
>>>
>>>
>>> Regards,
>>> Marc
>>>
>>
>>
>
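A pre-upgrade check for the condition discussed in this thread (CVE-2013-4476: key.pem readable beyond its owner), as an added example that is not part of the original messages or of Samba itself. The function names are hypothetical, GNU `stat` is assumed, and the expected mode and owner are the ones quoted in the log lines above.

```shell
#!/bin/sh
# Added example: audit the Samba TLS private key before upgrading past 4.0.11.
# Usage (path taken from the thread's logs):
#   audit_tls_dir /usr/local/samba/private/tls

# check_key_perms FILE [EXPECTED_UID]
# Returns 0 if FILE has mode 0600 and is owned by EXPECTED_UID (default 0),
# 1 if mode or owner is wrong, 2 if FILE does not exist.
check_key_perms() {
    file=$1
    want_uid=${2:-0}
    [ -f "$file" ] || return 2
    mode=$(stat -c '%a' "$file")   # octal mode without leading zero, e.g. 644
    uid=$(stat -c '%u' "$file")    # numeric owner
    if [ "$mode" != "600" ] || [ "$uid" != "$want_uid" ]; then
        echo "FAIL $file: owner uid $uid should be $want_uid, mode 0$mode should be 0600"
        return 1
    fi
    echo "OK   $file"
    return 0
}

# audit_tls_dir DIR [EXPECTED_UID]
# Returns 0 when key.pem is acceptable or absent, 1 when the newer Samba
# would reject it. It only reports; it never deletes or chmods anything.
audit_tls_dir() {
    dir=$1
    want_uid=${2:-0}
    rc=0
    check_key_perms "$dir/key.pem" "$want_uid" || rc=$?
    case $rc in
        0) return 0 ;;
        2) echo "INFO $dir/key.pem absent: Samba regenerates it at startup"
           return 0 ;;
        *) echo "Fix: remove the tls .pem files in $dir and restart Samba"
           return 1 ;;
    esac
}
```
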