[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues

[James Atwell]

On 5/16/2020 5:00 AM, Rowland penny via samba wrote:
> On 15/05/2020 19:52, James Atwell via samba wrote:
>> Hello,
>>
>>         I upgraded two DC's to 4.12.2 from 4.11.6 before I noticed 
>> authentication issues with a couple Netgear ReadyNAS we have. For 
>> reference I have a total of 6 DC's with 4 running 4.11.6 and two now 
>> running 4.12.2.  I ran the usual ./configure,make,make install from 
>> tar without issues. However running samba-tool drs showrepl I noticed 
>> a couple errors. Looking through the list I found someone else with 
>> the same initial problems.  See thread here 
>> https://lists.samba.org/archive/samba/2020-April/229230.html From 
>> this thread I did what was suggested by Alex and that resolved those 
>> initial errors.  This brings me back to the Netgear file servers. I 
>> am no longer able to authenticate the ReadyNAS with my domain.  I 
>> receive a join error within the Netgear dashboard with no additional 
>> info. No error code, nothing. I turned up the logging on the Samba 
>> server I pointed the ReadyNAS at and could see the log for the 
>> administrator user I'm using to try and join and authenticate. Samba 
>> shows a successful authentication but then it appears to end there. 
>> Additional details below about my setup.
>
> You need to see the logs for the readynas to try and find out what is 
> going on.
>
> This is what I would do:
>
> Seize the FSMO roles to one of the 4.11.6 DC's
>
> Demote the two 4.12.2 DC's
>
> Remove everything in /usr/local/samba
>
> Test if your readynas now connects to the domain again, try a re-join 
> if not
>
> If you have connection, then good, if not, you need to find out why 
> not and this will require seeing the readynas logs, you may have to 
> ask netgear about that.
>
> Once you have connection from the readynas, run 'make install' again 
> (No, you shouldn't have to totally build Samba again)
>
> Once Samba is installed again, try joining as a DC, hopefully it 
> should now work.
>
> The only major change between 4.11.x and 4.12.x is that you now need 
> Python 3.5, perhaps you do not have this ?
>
> Rowland
>
>
>
Thanks for the input. Before I do I want to add additional 
troubleshooting details.  Replication works among all DC's with no 
obvious samba errors or windows authentication errors.  I unjoined a 
Windows 10 machine and rejoined to the domain without issue. Everything 
else is working as it should (i.e, user creation, dns admin, gpo's).  
The one other thing I did do different this time and I should have noted 
previously was use the Verified Package Dependencies from the Wiki to 
ensure I wasn't missing any. Other than that the build was the same.

I haven't had to do a seize in a long time of the FSMO roles. If the 
DC's I upgraded appear to be working should I just transfer or seize? 
Thanks.


-James