[Samba] Samba 4.3.9 member server problem in classic domain
Gaiseric Vandal
gaiseric.vandal at gmail.com
Fri May 27 16:57:07 UTC 2016
I have a Fedora Core 23 Linux machine configured as a Samba member of a
"classic" domain. The DCs are Samba 3.6.25, NOT patched for Badlock.
Since upgrading to Samba 4.3.8 (I think from 4.3.6 or 4.3.4),
domain users can no longer access resources (upgraded to 4.3.9,
same problem). Since I had to roll back my Synology appliance to a
previous OS, and reviewing other posts, I am quite certain this is due
to the BADLOCK patch.
The BADLOCK patch seems to make signing the default behavior unless
explicitly disabled.
From a Linux client:
linuxclient-> smbclient -L stoic -U "MYDOMAIN\myname"
Enter MYDOMAIN\myname's password:
session setup failed: NT_STATUS_LOGON_FAILURE
linuxclient-> s
[root at memberserver1 ~]# smbd -V
Version 4.3.8
[root at memberserver1 ~]#
[root at memberserver1 ~]# net rpc testjoin
ldb: unable to stat module /usr/lib64/samba/ldb : No such file or directory
smb_signing_good: BAD SIG: seq 1
Join to 'MYDOMAIN' is OK
[root at memberserver1 ~]#
I updated smb.conf with
client signing = disabled
client ipc signing = disabled
[root at memberserver1 ~]# net rpc testjoin
ldb: unable to stat module /usr/lib64/samba/ldb : No such file or directory
Join to 'MYDOMAIN' is OK
[root at memberserver1 ~]#
But client logins still fail.
Setting "server signing = disabled" in smb.conf didn't seem to help
either. Guessing the issue is with schannel changes.
I can and probably will just downgrade to 4.3.4 since I kept the
RPMs. The bigger issue is that at some point I will upgrade my
domain controllers. So far it seems that patched member servers will
not work with unpatched domain controllers, but I don't know if the
reverse is true. I suspect I will have problems if there is any
mismatch.
So far, my Windows clients (Windows 7, 10, 2008) are completely
patched and have not had issues.
Thanks
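
Added example, not part of the original post: a Python check that reports signing options left disabled in the [global] section of an smb.conf, such as the three settings tried above, so a troubleshooting change does not stay in place unnoticed. The sample file and function names are constructed for illustration, and the set of "off" spellings is an assumption covering the common ones.

```python
import re

# Parameters the post sets to "disabled" while troubleshooting.
SIGNING_PARAMS = {"clientsigning", "clientipcsigning", "serversigning"}
# Common smb.conf spellings that switch signing off (assumed list, not exhaustive).
OFF_VALUES = {"disabled", "no", "false", "off", "0"}

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return re.sub(r"\s+", "", name).lower()

def signing_disabled(conf_text):
    """Return sorted [(param, value, line_no)] for signing options off in [global]."""
    section = None
    effective = {}  # a later assignment overrides an earlier one
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = norm(m.group(1))
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if norm(key) in SIGNING_PARAMS:
            effective[norm(key)] = (value.strip(), no)
    return sorted((k, v, n) for k, (v, n) in effective.items()
                  if v.lower() in OFF_VALUES)

# Constructed sample, modelled on the settings quoted in the post
SAMPLE = """\
[global]
   workgroup = MYDOMAIN
   security = domain
   client signing = disabled
   Client IPC Signing = disabled
   ; server signing = disabled
   server signing = default
[share]
   client signing = disabled
"""

if __name__ == "__main__":
    for param, value, line_no in signing_disabled(SAMPLE):
        print(f"line {line_no}: {param} = {value}")
```

Backslash line continuations and include files are not followed, so run it against the fully expanded configuration.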