[Samba] Upgrade 4.2.14 --> 4.3.11
Grzegorz Bieniasz
gbieniasz at wp.pl
Mon Aug 22 22:37:50 UTC 2016
Hi,
I had Samba 4.2.14 working as an AD DC with shares. After the upgrade to version 4.3.11, AD DC authentication, ADUC, etc. stopped working. Shares still work fine.
OS: Oracle Linux 6.x with UEK, up to date. Samba compiled from source.
Upgrade procedure (nothing special):
./configure --enable-selftest
make
make install
Testparm output:
# Global parameters
[global]
workgroup = EXAMPLE
realm = CORP.EXAMPLE.COM.PL
server role = active directory domain controller
passdb backend = samba_dsdb
logging = syslog at 10
template shell = /sbin/nologin
dns forwarder = 192.168.132.10
rpc_server:tcpip = no
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap config * : range = 16777216-33554431
full_audit:priority = notice
full_audit:facility = local5
full_audit:prefix = %u|%I|%m|%S
full_audit:success = connect read write mkdir rename unlink rmdir open pwrite chmod mknod link readlink chown
full_audit:failure = connect read write mkdir rename unlink rmdir open pwrite chmod mknod link readlink chown
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
idmap config * : backend = tdb
force create mode = 0664
force directory mode = 0775
map acl inherit = Yes
map archive = No
map readonly = no
store dos attributes = Yes
dfree command = /usr/local/samba/bin/dfree
vfs objects = dfs_samba4 acl_xattr
[netlogon]
path = /usr/local/samba/var/locks/sysvol/corp.example.com.pl/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
browseable = No
[profiles]
path = /srv/profiles
read only = No
browseable = No
vfs objects = btrfs
[public]
path = /srv/public
[home]
path = /srv/home
read only = No
browseable = No
vfs objects = btrfs full_audit
[printers]
path = /srv/printers
read only = No
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /srv/printer_driver
read only = No
[marketing]
comment = Marketing
path = /srv/uslugi/marketing
read only = No
vfs objects = btrfs full_audit
[other shares]
......
Smbclient test output:
[root@ad private]# smbclient -L localhost -U test
Enter test's password:
Domain=[EXAMPLE] OS=[Windows 6.1] Server=[Samba 4.3.11]
Sharename Type Comment
--------- ---- -------
netlogon Disk
public Disk
print$ Disk Printer Drivers
marketing Disk Marketing
……
…….
IPC$ IPC IPC Service (Samba 4.3.11)
HP2055dn Printer HP2055dn
Brother Printer Brother
Domain=[EXAMPLE] OS=[Windows 6.1] Server=[Samba 4.3.11]
Server Comment
--------- -------
Workgroup Master
--------- -------
krb5.conf:
[root@ad private]# cat /etc/krb5.conf
[libdefaults]
default_realm = CORP.EXAMPLE.COM.PL
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
CORP.EXAMPLE.COM.PL = {
}
[domain_realm]
corp.example.com.pl = CORP.EXAMPLE.COM.PL
.corp.example.com.pl = CORP.EXAMPLE.COM.PL
klist outputs:
[root@ad private]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@CORP.EXAMPLE.COM.PL
Valid starting Expires Service principal
08/22/16 13:00:43 08/22/16 23:00:43 krbtgt/CORP.EXAMPLE.COM.PL@CORP.EXAMPLE.COM.PL
renew until 08/23/16 13:00:38
[root@ad private]# klist -ke /usr/local/samba/private/secrets.keytab
Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 HOST/ad@CORP.EXAMPLE.COM.PL (des-cbc-crc)
1 HOST/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL (des-cbc-crc)
1 AD$@CORP.EXAMPLE.COM.PL (des-cbc-crc)
1 HOST/ad@CORP.EXAMPLE.COM.PL (des-cbc-md5)
1 HOST/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL (des-cbc-md5)
1 AD$@CORP.EXAMPLE.COM.PL (des-cbc-md5)
1 HOST/ad@CORP.EXAMPLE.COM.PL (arcfour-hmac)
1 HOST/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL (arcfour-hmac)
1 AD$@CORP.EXAMPLE.COM.PL (arcfour-hmac)
1 HOST/ad@CORP.EXAMPLE.COM.PL (aes128-cts-hmac-sha1-96)
1 HOST/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL (aes128-cts-hmac-sha1-96)
1 AD$@CORP.EXAMPLE.COM.PL (aes128-cts-hmac-sha1-96)
1 HOST/ad@CORP.EXAMPLE.COM.PL (aes256-cts-hmac-sha1-96)
1 HOST/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL (aes256-cts-hmac-sha1-96)
1 AD$@CORP.EXAMPLE.COM.PL (aes256-cts-hmac-sha1-96)
2 HOST/ad@CORP.EXAMPLE.COM.PL (des-cbc-crc)
2 HOST/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL (des-cbc-crc)
2 AD$@CORP.EXAMPLE.COM.PL (des-cbc-crc)
2 HOST/ad@CORP.EXAMPLE.COM.PL (des-cbc-md5)
2 HOST/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL (des-cbc-md5)
2 AD$@CORP.EXAMPLE.COM.PL (des-cbc-md5)
2 HOST/ad@CORP.EXAMPLE.COM.PL (arcfour-hmac)
2 HOST/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL (arcfour-hmac)
2 AD$@CORP.EXAMPLE.COM.PL (arcfour-hmac)
2 HOST/ad@CORP.EXAMPLE.COM.PL (aes128-cts-hmac-sha1-96)
2 HOST/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL (aes128-cts-hmac-sha1-96)
2 AD$@CORP.EXAMPLE.COM.PL (aes128-cts-hmac-sha1-96)
2 HOST/ad@CORP.EXAMPLE.COM.PL (aes256-cts-hmac-sha1-96)
2 HOST/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL (aes256-cts-hmac-sha1-96)
2 AD$@CORP.EXAMPLE.COM.PL (aes256-cts-hmac-sha1-96)
2 HOST/ad@CORP.EXAMPLE.COM.PL (des-cbc-crc)
2 HOST/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL (des-cbc-crc)
2 AD$@CORP.EXAMPLE.COM.PL (des-cbc-crc)
2 HOST/ad@CORP.EXAMPLE.COM.PL (des-cbc-md5)
2 HOST/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL (des-cbc-md5)
2 AD$@CORP.EXAMPLE.COM.PL (des-cbc-md5)
2 HOST/ad@CORP.EXAMPLE.COM.PL (arcfour-hmac)
2 HOST/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL (arcfour-hmac)
2 AD$@CORP.EXAMPLE.COM.PL (arcfour-hmac)
2 HOST/ad@CORP.EXAMPLE.COM.PL (aes128-cts-hmac-sha1-96)
2 HOST/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL (aes128-cts-hmac-sha1-96)
2 AD$@CORP.EXAMPLE.COM.PL (aes128-cts-hmac-sha1-96)
2 HOST/ad@CORP.EXAMPLE.COM.PL (aes256-cts-hmac-sha1-96)
2 HOST/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL (aes256-cts-hmac-sha1-96)
2 AD$@CORP.EXAMPLE.COM.PL (aes256-cts-hmac-sha1-96)
LDBSearch output:
[root@ad private]# ldbsearch -H ldap://ad.corp.example.com.pl "cb=Administrator" -k yes
INFO: Current debug levels:
all: 6
tdb: 6
printdrivers: 6
lanman: 6
smb: 6
rpc_parse: 6
rpc_srv: 6
rpc_cli: 6
passdb: 6
sam: 6
auth: 6
winbind: 6
vfs: 6
idmap: 6
quota: 6
acls: 6
locking: 6
msdfs: 6
dmapi: 6
registry: 6
scavenger: 6
dns: 6
ldb: 6
tevent: 6
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[profiles]"
Processing section "[public]"
Processing section "[home]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[marketing]"
…….
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=192.168.70.215 bcast=192.168.70.255 netmask=255.255.255.0
added interface eth0 ip=192.168.70.215 bcast=192.168.70.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name ad.corp.example.com.pl<0x20>
getlmhostsent: lmhost entry: 192.168.70.215 ad.corp.example.com.pl#20
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for administrator@CORP.EXAMPLE.COM.PL will expire in 31814 secs
GSS client Update(krb5)(1) Update failed: Miscellaneous failure (see text): <unknown error: 22>
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Failed to bind - LDAP client internal error: NT_STATUS_LOGON_FAILURE
Failed to connect to 'ldap://ad.corp.example.com.pl' with backend 'ldap': (null)
Failed to connect to ldap://ad.corp.example.com.pl - (null)
Samba log:
Aug 22 14:07:46 ad samba[15167]: [2016/08/22 14:07:46.570925, 3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect)
Aug 22 14:07:46 ad samba[15167]: ldb_wrap open of secrets.ldb
Aug 22 14:07:46 ad samba[15167]: [2016/08/22 14:07:46.578832, 5] ../source4/ldap_server/ldap_backend.c:576(ldapsrv_SearchRequest)
Aug 22 14:07:46 ad samba[15167]: ldb_request BASE dn= filter=(|(objectClass=*)(distinguishedName=*))
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.585286, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
Aug 22 14:07:46 ad samba[15169]: gendb_search_v: DC=corp,DC=example,DC=com,DC=pl NULL -> 1
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.585776, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Aug 22 14:07:46 ad samba[15169]: Kerberos: TGS-REQ administrator@CORP.EXAMPLE.COM.PL from ipv4:192.168.70.215:40996 for ldap/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL [canonicalize]
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.590042, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Aug 22 14:07:46 ad samba[15169]: Kerberos: Searching referral for ad.corp.example.com.pl
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.590137, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Aug 22 14:07:46 ad samba[15169]: Kerberos: Server not found in database: ldap/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL: <unknown error: 22>
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.590227, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Aug 22 14:07:46 ad samba[15169]: Kerberos: Failed building TGS-REP to ipv4:192.168.70.215:40996
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.590495, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
Aug 22 14:07:46 ad samba[15169]: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.590587, 3] ../source4/smbd/process_single.c:114(single_terminate)
Aug 22 14:07:46 ad samba[15169]: single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.593694, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
Aug 22 14:07:46 ad samba[15169]: gendb_search_v: DC=corp,DC=example,DC=com,DC=pl NULL -> 1
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.594091, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Aug 22 14:07:46 ad samba[15169]: Kerberos: TGS-REQ administrator@CORP.EXAMPLE.COM.PL from ipv4:192.168.70.215:40997 for ldap/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.598053, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Aug 22 14:07:46 ad samba[15169]: Kerberos: Server not found in database: ldap/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL: <unknown error: 22>
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.598135, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Aug 22 14:07:46 ad samba[15169]: Kerberos: Failed building TGS-REP to ipv4:192.168.70.215:40997
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.598320, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
Aug 22 14:07:46 ad samba[15169]: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.598417, 3] ../source4/smbd/process_single.c:114(single_terminate)
Aug 22 14:07:46 ad samba[15169]: single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.601411, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
Aug 22 14:07:46 ad samba[15169]: gendb_search_v: DC=corp,DC=example,DC=com,DC=pl NULL -> 1
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.601778, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Aug 22 14:07:46 ad samba[15169]: Kerberos: TGS-REQ administrator@CORP.EXAMPLE.COM.PL from ipv4:192.168.70.215:40998 for ldap/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL [canonicalize]
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.605478, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Aug 22 14:07:46 ad samba[15169]: Kerberos: Searching referral for ad.corp.example.com.pl
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.605536, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Aug 22 14:07:46 ad samba[15169]: Kerberos: Server not found in database: ldap/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL: <unknown error: 22>
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.605565, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Aug 22 14:07:46 ad samba[15169]: Kerberos: Failed building TGS-REP to ipv4:192.168.70.215:40998
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.605815, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
Aug 22 14:07:46 ad samba[15169]: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.605908, 3] ../source4/smbd/process_single.c:114(single_terminate)
Aug 22 14:07:46 ad samba[15169]: single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.608647, 6] ../lib/util/util_ldb.c:60(gendb_search_v)
Aug 22 14:07:46 ad samba[15169]: gendb_search_v: DC=corp,DC=example,DC=com,DC=pl NULL -> 1
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.608965, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Aug 22 14:07:46 ad samba[15169]: Kerberos: TGS-REQ administrator@CORP.EXAMPLE.COM.PL from ipv4:192.168.70.215:40999 for ldap/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.612547, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Aug 22 14:07:46 ad samba[15169]: Kerberos: Server not found in database: ldap/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL: <unknown error: 22>
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.612602, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Aug 22 14:07:46 ad samba[15169]: Kerberos: Failed building TGS-REP to ipv4:192.168.70.215:40999
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.612771, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
Aug 22 14:07:46 ad samba[15167]: [2016/08/22 14:07:46.613028, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
Aug 22 14:07:46 ad samba[15167]: Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Aug 22 14:07:46 ad samba[15167]: [2016/08/22 14:07:46.613127, 3] ../source4/smbd/process_single.c:114(single_terminate)
Aug 22 14:07:46 ad samba[15167]: single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Aug 22 14:07:46 ad samba[15169]: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.613708, 3] ../source4/smbd/process_single.c:114(single_terminate)
Aug 22 14:07:46 ad samba[15169]: single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Do you know what went wrong? I did upgrades the same way, starting from 4.1 up to the last 4.2, without any problems.
Regards,
Grzegorz
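Added example, not part of the original post: a small Python triage script that walks Samba syslog lines in the format shown above and pairs each Kerberos TGS-REQ with the "Server not found in database" line that follows it, so the service principals the KDC cannot resolve are listed together with the requesting client. The sample lines are constructed after the post's log (with "@" in place of the archive's " at "); the cifs/ line is an assumption added to show a request that succeeds.

```python
import re

# Constructed sample, modelled on the syslog lines in the post (not real log data).
SAMPLE_LOG = """\
Aug 22 14:07:46 ad samba[15169]: Kerberos: TGS-REQ administrator@CORP.EXAMPLE.COM.PL from ipv4:192.168.70.215:40996 for ldap/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL [canonicalize]
Aug 22 14:07:46 ad samba[15169]: Kerberos: Searching referral for ad.corp.example.com.pl
Aug 22 14:07:46 ad samba[15169]: Kerberos: Server not found in database: ldap/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL: <unknown error: 22>
Aug 22 14:07:46 ad samba[15169]: Kerberos: Failed building TGS-REP to ipv4:192.168.70.215:40996
Aug 22 14:07:47 ad samba[15169]: Kerberos: TGS-REQ administrator@CORP.EXAMPLE.COM.PL from ipv4:192.168.70.215:41000 for cifs/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL
Aug 22 14:07:47 ad samba[15169]: Kerberos: TGS-REQ administrator@CORP.EXAMPLE.COM.PL from ipv4:192.168.70.215:41001 for ldap/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL
Aug 22 14:07:47 ad samba[15169]: Kerberos: Server not found in database: ldap/ad.corp.example.com.pl@CORP.EXAMPLE.COM.PL: <unknown error: 22>
"""

# "Kerberos: TGS-REQ <client> from <addr> for <spn> [flags]"
TGS_REQ = re.compile(r"Kerberos: TGS-REQ (?P<client>\S+) from (?P<addr>\S+) for (?P<spn>\S+)")
# "Kerberos: Server not found in database: <spn>: <error text>"
NOT_FOUND = re.compile(r"Kerberos: Server not found in database: (?P<spn>[^:]+):")


def missing_spns(log_text):
    """Map each unresolvable SPN to the (client principal, client address)
    pairs that asked for it. A TGS-REQ is only counted when the next
    'Server not found' line names the same SPN, so served requests
    (like the cifs/ one in the sample) are left out."""
    result = {}
    pending = None  # most recent TGS-REQ still waiting for an outcome line
    for line in log_text.splitlines():
        m = TGS_REQ.search(line)
        if m:
            pending = (m.group("client"), m.group("addr"), m.group("spn"))
            continue
        m = NOT_FOUND.search(line)
        if m and pending and pending[2] == m.group("spn"):
            result.setdefault(m.group("spn"), []).append(pending[:2])
            pending = None
    return result


def summarize(log_text):
    """Count of failed TGS-REQs per unresolvable SPN."""
    return {spn: len(hits) for spn, hits in missing_spns(log_text).items()}


def service_names(log_text):
    """SPNs without the realm suffix: the values an admin would look for in the
    DC computer object's servicePrincipalName attribute when checking the directory."""
    return sorted({spn.split("@", 1)[0] for spn in missing_spns(log_text)})
```

Run the functions over a full `/var/log/messages` slice to see every SPN the KDC rejected, not only the ldap/ one the post happens to show.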