[Samba] Upgrade 4.2.14 --> 4.3.11
Rowland Penny
rpenny at samba.org
Tue Aug 23 08:33:32 UTC 2016
On Tue, 23 Aug 2016 00:37:50 +0200
Grzegorz Bieniasz via samba <samba at lists.samba.org> wrote:
>
> Hi,
>
> I had Samba 4.2.14 working as AD DC with shares. After upgrade to
> version 4.3.11 AD DC authentication, ADUC, etc, stopped working.
> Shares still work fine.
>
> OS. Oracle Linux 6.x with UEK, uptodate. Samba compiled from source.
>
> Upgrade procedure (nothing special):
>
> ./configure --enable-selftest
> make
> make install
>
> Testparm output:
> # Global parameters
> [global]
> workgroup = EXAMPLE
> realm = CORP.EXAMPLE.COM.PL
> server role = active directory domain controller
> passdb backend = samba_dsdb
> logging = syslog at 10
> template shell = /sbin/nologin
> dns forwarder = 192.168.132.10
> rpc_server:tcpip = no
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap config * : range = 16777216-33554431
> full_audit:priority = notice
> full_audit:facility = local5
> full_audit:prefix = %u|%I|%m|%S
> full_audit:success = connect read write mkdir rename unlink
> rmdir open pwrite chmod mknod link readlink chown full_audit:failure
> = connect read write mkdir rename unlink rmdir open pwrite chmod
> mknod link readlink chown rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded idmap config * : backend = tdb
> force create mode = 0664
> force directory mode = 0775
> map acl inherit = Yes
> map archive = No
> map readonly = no
> store dos attributes = Yes
> dfree command = /usr/local/samba/bin/dfree
> vfs objects = dfs_samba4 acl_xattr
>
>
> [netlogon]
> path
> = /usr/local/samba/var/locks/sysvol/corp.example.com.pl/scripts read
> only = No
>
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
> browseable = No
>
>
> [profiles]
> path = /srv/profiles
> read only = No
> browseable = No
> vfs objects = btrfs
>
>
> [public]
> path = /srv/public
>
>
> [home]
> path = /srv/home
> read only = No
> browseable = No
> vfs objects = btrfs full_audit
>
>
> [printers]
> path = /srv/printers
> read only = No
> printable = Yes
> browseable = No
>
>
> [print$]
> comment = Printer Drivers
> path = /srv/printer_driver
> read only = No
>
>
> [marketing]
> comment = Marketing
> path = /srv/uslugi/marketing
> read only = No
> vfs objects = btrfs full_audit
>
> [other shares]
> ......
>
> Smbclient test output:
> [root at ad private]# smbclient -L localhost -U test
> Enter test's password:
> Domain=[EXAMPLE] OS=[Windows 6.1] Server=[Samba 4.3.11]
>
> Sharename Type Comment
> --------- ---- -------
> netlogon Disk
> public Disk
> print$ Disk Printer Drivers
> marketing Disk Marketing
> ……
> …….
> IPC$ IPC IPC Service (Samba 4.3.11)
> HP2055dn Printer HP2055dn
> Brother Printer Brother
> Domain=[EXAMPLE] OS=[Windows 6.1] Server=[Samba 4.3.11]
>
> Server Comment
> --------- -------
>
> Workgroup Master
> --------- -------
>
>
> krdb.conf
> [root at ad private]# cat /etc/krb5.conf
>
>
> [libdefaults]
> default_realm = CORP.EXAMPLE.COM.PL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> CORP.EXAMPLE.COM.PL = {
> }
>
> [domain_realm]
> corp.example.com.pl = CORP.EXAMPLE.COM.PL
> .corp.example.com.pl = CORP.EXAMPLE.COM.PL
>
>
> klist outputs:
> [root at ad private]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at CORP.EXAMPLE.COM.PL
>
> Valid starting Expires Service principal
> 08/22/16 13:00:43 08/22/16 23:00:43
> krbtgt/CORP.EXAMPLE.COM.PL at CORP.EXAMPLE.COM.PL renew until 08/23/16
> 13:00:38
>
> [root at ad private]# klist -ke /usr/local/samba/private/secrets.keytab
> Keytab name: FILE:/usr/local/samba/private/secrets.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 1 HOST/ad at CORP.EXAMPLE.COM.PL (des-cbc-crc) 1
> HOST/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL (des-cbc-crc) 1
> AD$@CORP.EXAMPLE.COM.PL (des-cbc-crc) 1 HOST/ad at CORP.EXAMPLE.COM.PL
> (des-cbc-md5) 1 HOST/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL
> (des-cbc-md5) 1 AD$@CORP.EXAMPLE.COM.PL (des-cbc-md5)
> 1 HOST/ad at CORP.EXAMPLE.COM.PL (arcfour-hmac)
> 1 HOST/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL (arcfour-hmac)
> 1 AD$@CORP.EXAMPLE.COM.PL (arcfour-hmac)
> 1 HOST/ad at CORP.EXAMPLE.COM.PL (aes128-cts-hmac-sha1-96)
> 1 HOST/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL
> (aes128-cts-hmac-sha1-96) 1 AD$@CORP.EXAMPLE.COM.PL
> (aes128-cts-hmac-sha1-96) 1 HOST/ad at CORP.EXAMPLE.COM.PL
> (aes256-cts-hmac-sha1-96) 1
> HOST/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL
> (aes256-cts-hmac-sha1-96) 1 AD$@CORP.EXAMPLE.COM.PL
> (aes256-cts-hmac-sha1-96) 2 HOST/ad at CORP.EXAMPLE.COM.PL (des-cbc-crc)
> 2 HOST/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL (des-cbc-crc) 2
> AD$@CORP.EXAMPLE.COM.PL (des-cbc-crc) 2 HOST/ad at CORP.EXAMPLE.COM.PL
> (des-cbc-md5) 2 HOST/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL
> (des-cbc-md5) 2 AD$@CORP.EXAMPLE.COM.PL (des-cbc-md5)
> 2 HOST/ad at CORP.EXAMPLE.COM.PL (arcfour-hmac)
> 2 HOST/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL (arcfour-hmac)
> 2 AD$@CORP.EXAMPLE.COM.PL (arcfour-hmac)
> 2 HOST/ad at CORP.EXAMPLE.COM.PL (aes128-cts-hmac-sha1-96)
> 2 HOST/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL
> (aes128-cts-hmac-sha1-96) 2 AD$@CORP.EXAMPLE.COM.PL
> (aes128-cts-hmac-sha1-96) 2 HOST/ad at CORP.EXAMPLE.COM.PL
> (aes256-cts-hmac-sha1-96) 2
> HOST/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL
> (aes256-cts-hmac-sha1-96) 2 AD$@CORP.EXAMPLE.COM.PL
> (aes256-cts-hmac-sha1-96) 2 HOST/ad at CORP.EXAMPLE.COM.PL (des-cbc-crc)
> 2 HOST/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL (des-cbc-crc) 2
> AD$@CORP.EXAMPLE.COM.PL (des-cbc-crc) 2 HOST/ad at CORP.EXAMPLE.COM.PL
> (des-cbc-md5) 2 HOST/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL
> (des-cbc-md5) 2 AD$@CORP.EXAMPLE.COM.PL (des-cbc-md5)
> 2 HOST/ad at CORP.EXAMPLE.COM.PL (arcfour-hmac)
> 2 HOST/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL (arcfour-hmac)
> 2 AD$@CORP.EXAMPLE.COM.PL (arcfour-hmac)
> 2 HOST/ad at CORP.EXAMPLE.COM.PL (aes128-cts-hmac-sha1-96)
> 2 HOST/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL
> (aes128-cts-hmac-sha1-96) 2 AD$@CORP.EXAMPLE.COM.PL
> (aes128-cts-hmac-sha1-96) 2 HOST/ad at CORP.EXAMPLE.COM.PL
> (aes256-cts-hmac-sha1-96) 2
> HOST/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL
> (aes256-cts-hmac-sha1-96) 2 AD$@CORP.EXAMPLE.COM.PL
> (aes256-cts-hmac-sha1-96)
>
> LDBSearch output:
> [root at ad private]# ldbsearch -H ldap://ad.corp.example.com.pl
> "cb=Administrator" -k yes INFO: Current debug levels:
> all: 6
> tdb: 6
> printdrivers: 6
> lanman: 6
> smb: 6
> rpc_parse: 6
> rpc_srv: 6
> rpc_cli: 6
> passdb: 6
> sam: 6
> auth: 6
> winbind: 6
> vfs: 6
> idmap: 6
> quota: 6
> acls: 6
> locking: 6
> msdfs: 6
> dmapi: 6
> registry: 6
> scavenger: 6
> dns: 6
> ldb: 6
> tevent: 6
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[profiles]"
> Processing section "[public]"
> Processing section "[home]"
> Processing section "[printers]"
> Processing section "[print$]"
> Processing section "[marketing]"
> …….
> pm_process() returned Yes
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> added interface eth0 ip=192.168.70.215 bcast=192.168.70.255
> netmask=255.255.255.0 added interface eth0 ip=192.168.70.215
> bcast=192.168.70.255 netmask=255.255.255.0 resolve_lmhosts:
> Attempting lmhosts lookup for name ad.corp.example.com.pl<0x20>
> getlmhostsent: lmhost entry: 192.168.70.215 ad.corp.example.com.pl#20
> Starting GENSEC mechanism spnego Starting GENSEC submechanism
> gssapi_krb5 Ticket in credentials cache for
> administrator at CORP.EXAMPLE.COM.PL will expire in 31814 secs GSS
> client Update(krb5)(1) Update failed: Miscellaneous failure (see
> text): <unknown error: 22> SPNEGO(gssapi_krb5) creating
> NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE Failed to bind - LDAP
> client internal error: NT_STATUS_LOGON_FAILURE Failed to connect to
> 'ldap://ad.corp.example.com.pl' with backend 'ldap': (null) Failed to
> connect to ldap://ad.corp.example.com.pl - (null)
>
>
> Samba log:
> Aug 22 14:07:46 ad samba[15167]: [2016/08/22 14:07:46.570925,
> 3] ../lib/ldb-samba/ldb_wrap.c:321(ldb_wrap_connect) Aug 22 14:07:46
> ad samba[15167]: ldb_wrap open of secrets.ldb Aug 22 14:07:46 ad
> samba[15167]: [2016/08/22 14:07:46.578832,
> 5] ../source4/ldap_server/ldap_backend.c:576(ldapsrv_SearchRequest)
> Aug 22 14:07:46 ad samba[15167]: ldb_request BASE dn=
> filter=(|(objectClass=*)(distinguishedName=*)) Aug 22 14:07:46 ad
> samba[15169]: [2016/08/22 14:07:46.585286,
> 6] ../lib/util/util_ldb.c:60(gendb_search_v) Aug 22 14:07:46 ad
> samba[15169]: gendb_search_v: DC=corp,DC=example,DC=com,DC=pl NULL
> -> 1 Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.585776,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Aug 22 14:07:46 ad samba[15169]: Kerberos: TGS-REQ
> administrator at CORP.EXAMPLE.COM.PL from ipv4:192.168.70.215:40996 for
> ldap/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL [canonicalize] Aug 22
> 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.590042,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Aug 22 14:07:46 ad samba[15169]: Kerberos: Searching referral for
> ad.corp.example.com.pl Aug 22 14:07:46 ad samba[15169]: [2016/08/22
> 14:07:46.590137,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Aug 22 14:07:46 ad samba[15169]: Kerberos: Server not found in
> database: ldap/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL: <unknown
> error: 22> Aug 22 14:07:46 ad samba[15169]: [2016/08/22
> 14:07:46.590227,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Aug 22 14:07:46 ad samba[15169]: Kerberos: Failed building TGS-REP
> to ipv4:192.168.70.215:40996 Aug 22 14:07:46 ad samba[15169]:
> [2016/08/22 14:07:46.590495,
> 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Aug 22 14:07:46 ad samba[15169]: Terminating connection -
> 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED' Aug 22 14:07:46 ad samba[15169]:
> [2016/08/22 14:07:46.590587,
> 3] ../source4/smbd/process_single.c:114(single_terminate) Aug 22
> 14:07:46 ad samba[15169]: single_terminate:
> reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED] Aug 22 14:07:46 ad samba[15169]:
> [2016/08/22 14:07:46.593694,
> 6] ../lib/util/util_ldb.c:60(gendb_search_v) Aug 22 14:07:46 ad
> samba[15169]: gendb_search_v: DC=corp,DC=example,DC=com,DC=pl NULL
> -> 1 Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.594091,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Aug 22 14:07:46 ad samba[15169]: Kerberos: TGS-REQ
> administrator at CORP.EXAMPLE.COM.PL from ipv4:192.168.70.215:40997 for
> ldap/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL Aug 22 14:07:46 ad
> samba[15169]: [2016/08/22 14:07:46.598053,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Aug 22 14:07:46 ad samba[15169]: Kerberos: Server not found in
> database: ldap/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL: <unknown
> error: 22> Aug 22 14:07:46 ad samba[15169]: [2016/08/22
> 14:07:46.598135,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Aug 22 14:07:46 ad samba[15169]: Kerberos: Failed building TGS-REP
> to ipv4:192.168.70.215:40997 Aug 22 14:07:46 ad samba[15169]:
> [2016/08/22 14:07:46.598320,
> 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Aug 22 14:07:46 ad samba[15169]: Terminating connection -
> 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED' Aug 22 14:07:46 ad samba[15169]:
> [2016/08/22 14:07:46.598417,
> 3] ../source4/smbd/process_single.c:114(single_terminate) Aug 22
> 14:07:46 ad samba[15169]: single_terminate:
> reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED] Aug 22 14:07:46 ad samba[15169]:
> [2016/08/22 14:07:46.601411,
> 6] ../lib/util/util_ldb.c:60(gendb_search_v) Aug 22 14:07:46 ad
> samba[15169]: gendb_search_v: DC=corp,DC=example,DC=com,DC=pl NULL
> -> 1 Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.601778,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Aug 22 14:07:46 ad samba[15169]: Kerberos: TGS-REQ
> administrator at CORP.EXAMPLE.COM.PL from ipv4:192.168.70.215:40998 for
> ldap/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL [canonicalize] Aug 22
> 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.605478,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Aug 22 14:07:46 ad samba[15169]: Kerberos: Searching referral for
> ad.corp.example.com.pl Aug 22 14:07:46 ad samba[15169]: [2016/08/22
> 14:07:46.605536,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Aug 22 14:07:46 ad samba[15169]: Kerberos: Server not found in
> database: ldap/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL: <unknown
> error: 22> Aug 22 14:07:46 ad samba[15169]: [2016/08/22
> 14:07:46.605565,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Aug 22 14:07:46 ad samba[15169]: Kerberos: Failed building TGS-REP
> to ipv4:192.168.70.215:40998 Aug 22 14:07:46 ad samba[15169]:
> [2016/08/22 14:07:46.605815,
> 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Aug 22 14:07:46 ad samba[15169]: Terminating connection -
> 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED' Aug 22 14:07:46 ad samba[15169]:
> [2016/08/22 14:07:46.605908,
> 3] ../source4/smbd/process_single.c:114(single_terminate) Aug 22
> 14:07:46 ad samba[15169]: single_terminate:
> reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED] Aug 22 14:07:46 ad samba[15169]:
> [2016/08/22 14:07:46.608647,
> 6] ../lib/util/util_ldb.c:60(gendb_search_v) Aug 22 14:07:46 ad
> samba[15169]: gendb_search_v: DC=corp,DC=example,DC=com,DC=pl NULL
> -> 1 Aug 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.608965,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Aug 22 14:07:46 ad samba[15169]: Kerberos: TGS-REQ
> administrator at CORP.EXAMPLE.COM.PL from ipv4:192.168.70.215:40999 for
> ldap/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL Aug 22 14:07:46 ad
> samba[15169]: [2016/08/22 14:07:46.612547,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Aug 22 14:07:46 ad samba[15169]: Kerberos: Server not found in
> database: ldap/ad.corp.example.com.pl at CORP.EXAMPLE.COM.PL: <unknown
> error: 22> Aug 22 14:07:46 ad samba[15169]: [2016/08/22
> 14:07:46.612602,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Aug 22 14:07:46 ad samba[15169]: Kerberos: Failed building TGS-REP
> to ipv4:192.168.70.215:40999 Aug 22 14:07:46 ad samba[15169]:
> [2016/08/22 14:07:46.612771,
> 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Aug 22 14:07:46 ad samba[15167]: [2016/08/22 14:07:46.613028,
> 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Aug 22 14:07:46 ad samba[15167]: Terminating connection -
> 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED' Aug 22 14:07:46 ad samba[15167]:
> [2016/08/22 14:07:46.613127,
> 3] ../source4/smbd/process_single.c:114(single_terminate) Aug 22
> 14:07:46 ad samba[15167]: single_terminate:
> reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED] Aug 22 14:07:46 ad samba[15169]:
> Terminating connection - 'kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' Aug
> 22 14:07:46 ad samba[15169]: [2016/08/22 14:07:46.613708,
> 3] ../source4/smbd/process_single.c:114(single_terminate) Aug 22
> 14:07:46 ad samba[15169]: single_terminate:
> reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED]
>
>
>
> Do you know what went wrong? I did upgrades the same way starting 4.1
> to last 4.2 without any problems.
>
> Regards,
> Grzegorz
>
>
>
Can I suggest you put your smb.conf back to what it was just after the
provision and try again. If it does work (and it should), before you
start adding lines again, can I also suggest you read 'man smb_conf',
most of the lines you have added are the defaults, others do nothing on
a DC and some are just plain wrong.
Rowland
More information about the samba
mailing list