[Samba] Upgrading from Samba 4.0.1 to 4.1.6

Jason Waters jwaters at h2os.com
Sat Mar 15 19:32:24 MDT 2014


Got a little further.  I removed the pem files and then the one (PDC)
started and stayed working.  The BDC did not.  I got this when I grep the
log file.

root at fsZZ:/usr/local/samba-4.1.6/var# grep error log.samba
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig
verify failure
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=VSERVER,CN=Computers,DC=abc,DC=local: error
in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=VSERVER,CN=Computers,DC=abc,DC=local: error
in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=VSERVER,CN=Computers,DC=abc,DC=local: error
in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=VSERVER,CN=Computers,DC=abc,DC=local: error
in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  YYNIC: ZZternal error
  YYNIC: ZZternal error
  YYNIC: ZZternal error
  YYNIC: ZZternal error
  YYNIC: ZZternal error
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  YYNIC: ZZternal error
  YYNIC: ZZternal error
  YYNIC: ZZternal error
  YYNIC: ZZternal error
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
  Failed to modify SPNs on CN=ZZ-OFFICE-4,CN=Computers,DC=abc,DC=local:
error in module acl: Constraint  violation (19)
root at fsZZ:/usr/local/samba-4.1.6/var#

Any thoughts?

I put 4.0.1 back in place and everything just works.  If you have any ideas
I will put 4.1.6 back and work through the problems.  Thanks.

Jason


On Fri, Mar 14, 2014 at 12:28 PM, Jason Waters <jwaters at h2os.com> wrote:

> I just grep'd the log file and found this, so I think you are correct
>
> root@blhblahblah:/usr/local/samba-4.1.6/var# grep pem *
> log.samba:  invalid permissions on file '/usr/local/samba/private/tls/key.pem': has 0644 should be 0600
> log.samba:  Invalid permissions on TLS private key file '/usr/local/samba/private/tls/key.pem':
> log.samba:  Removing all tls .pem files will cause an auto-regeneration with the correct permissions.
>
>
>
>
> On Fri, Mar 14, 2014 at 11:53 AM, Jason Waters <jwaters at h2os.com> wrote:
>
>> Marc,
>>     Great I will try that tonight.  Thank you for the help!  I will make
>> sure I let you know if that fixed it or not.
>>
>> Jason
>>
>>
>> On Fri, Mar 14, 2014 at 11:50 AM, Marc Muehlfeld <samba at marc-muehlfeld.de> wrote:
>>
>>> Hello Jason
>>>
>>> On 14.03.2014 16:18, Jason Waters wrote:
>>>
>>>> Took a quick look in /usr/local/samba/var/samba.log and saw the ldap
>>>> error.
>>>>
>>>
>>> I guess you hit this fix:
>>> http://www.samba.org/samba/history/samba-4.0.11.html
>>>
>>> CVE-2013-4476:
>>>    In setups which provide ldap(s) and/or https services, the private
>>>    key for SSL/TLS encryption might be world readable. This typically
>>>    happens in active directory domain controller setups.
>>>
>>>
>>> You would have this in your logs, then:
>>>
>>> [2014/01/29 20:19:14.836873,  0, pid=4311] ../lib/util/util.c:161(file_check_permissions)
>>>   invalid permissions on file '/usr/local/samba/private/tls/key.pem': has 0644 should be 0600
>>> [2014/01/29 20:19:14.843206,  0, pid=4311] ../source4/lib/tls/tls_tstream.c:1125(tstream_tls_params_server)
>>>   Invalid permissions on TLS private key file '/usr/local/samba/private/tls/key.pem':
>>>   owner uid 0 should be 0, mode 0644 should be 0600
>>>   This is known as CVE-2013-4476.
>>>   Removing all tls .pem files will cause an auto-regeneration with the correct permissions.
>>>
>>>
>>> This is about the TLS keys for LDAP encryption. Remove the key files and
>>> restart Samba.
>>>
>>>
>>> I've added this to the Wiki page, too, as we often had this problem on
>>> the list in the past:
>>> https://wiki.samba.org/index.php/Updating_Samba
>>>
>>>
>>> Regards,
>>> Marc
>>>
>>
>>
>
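
A pre-upgrade check modelled on the CVE-2013-4476 log messages quoted in this thread, as an added example that is not part of the original messages and is not Samba's own code: it tests the TLS private key for mode 0600 and the expected owner before the new version refuses it. The function names are hypothetical, and defaulting the expected owner to the invoking user (root on a domain controller) is an assumption.

```shell
#!/bin/sh
# Added example: audit a Samba TLS private key the way the quoted log
# messages describe (mode must be 0600, owner must be the expected uid).

# Print "<octal mode> <owner uid>" for a file (GNU stat, BSD stat fallback).
file_mode_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# check_tls_key KEYFILE [EXPECTED_UID]
# Returns 0 if the key has mode 600 and the expected owner,
#         1 if mode or owner is wrong, 2 if the file does not exist.
# EXPECTED_UID defaults to the invoking user (assumption: run as root).
check_tls_key() {
    key=$1
    want_uid=${2:-$(id -u)}
    if [ ! -f "$key" ]; then
        echo "missing: $key (Samba regenerates it on start)"
        return 2
    fi
    # Split the "mode uid" pair into positional parameters.
    set -- $(file_mode_uid "$key")
    mode=$1
    uid=$2
    if [ "$mode" != "600" ] || [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $key: owner uid $uid should be $want_uid, mode 0$mode should be 0600"
        return 1
    fi
    echo "ok: $key"
    return 0
}

# Stand-alone use, with the key path from the logs in this thread:
#   sh check_tls_key.sh /usr/local/samba/private/tls/key.pem
if [ $# -gt 0 ]; then
    check_tls_key "$@"
fi
```

A non-zero result before the upgrade means the new version will log the errors shown above; the fix given in the thread is to remove the .pem files and restart Samba so they are regenerated.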

