[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues

James Atwell james.atwell365 at gmail.com
Sat May 16 16:58:53 UTC 2020


On 5/16/2020 9:55 AM, Rowland penny via samba wrote:
> On 16/05/2020 14:40, James Atwell wrote:
>>
>> On 5/16/2020 5:00 AM, Rowland penny via samba wrote:
>>> On 15/05/2020 19:52, James Atwell via samba wrote:
>>>> Hello,
>>>>
>>>>         I upgraded two DC's to 4.12.2 from 4.11.6 before I noticed 
>>>> authentication issues with a couple Netgear ReadyNAS we have. For 
>>>> reference I have a total of 6 DC's with 4 running 4.11.6 and two 
>>>> now running 4.12.2.  I ran the usual ./configure,make,make install 
>>>> from tar without issues. However running samba-tool drs showrepl I 
>>>> noticed a couple errors. Looking through the list I found someone 
>>>> else with the same initial problems.  See thread here 
>>>> https://lists.samba.org/archive/samba/2020-April/229230.html From 
>>>> this thread I did what was suggested by Alex and that resolved 
>>>> those initial errors.  This brings me back to the Netgear file 
>>>> servers. I am no longer able to authenticate the ReadyNAS with my 
>>>> domain.  I receive a join error within the Netgear dashboard with 
>>>> no additional info. No error code, nothing. I turned up the logging 
>>>> on the Samba server I pointed the ReadyNAS at and could see the log 
>>>> for the administrator user I'm using to try and join and 
>>>> authenticate. Samba shows a successful authentication but then it 
>>>> appears to end there. Additional details below about my setup.
>>>
>>> You need to see the logs for the readynas to try and find out what 
>>> is going on.
>>>
>>> This is what I would do:
>>>
>>> Seize the FSMO roles to one of the 4.11.6 DC's
>>>
>>> Demote the two 4.12.2 DC's
>>>
>>> Remove everything in /usr/local/samba
>>>
>>> Test if your readynas now connects to the domain again, try a 
>>> re-join if not
>>>
>>> If you have connection, then good, if not, you need to find out why 
>>> not and this will require seeing the readynas logs, you may have to 
>>> ask netgear about that.
>>>
>>> Once you have connection from the readynas, run 'make install' again 
>>> (No, you shouldn't have to totally build Samba again)
>>>
>>> Once Samba is installed again, try joining as a DC, hopefully it 
>>> should now work.
>>>
>>> The only major change between 4.11.x and 4.12.x is that you now need 
>>> Python 3.5, perhaps you do not have this ?
>>>
>>> Rowland
>>>
>>>
>>>
>> Thanks for the input. Before I do I want to add additional 
>> troubleshooting details.  Replication works among all DC's with no 
>> obvious samba errors or windows authentication errors.  I unjoined a 
>> Windows 10 machine and rejoined to the domain without issue. 
>
> You didn't say that before ;-)
>
> If everything is working except for your readynas, then it sounds like 
> this could be a problem with your readynas.
>
> You do not say how old the readynas is, but are there any updates 
> available for it ?
>
> Before you do anything, I would ask netgear if they are aware of this 
> problem, might be worth mentioning the word 'SMBv1'.
>
>> Everything else is working as it should (i.e., user creation, DNS 
>> admin, GPOs).  The one other thing I did do different this time and 
>> I should have noted previously was use the Verified Package 
>> Dependencies from the Wiki to ensure I wasn't missing any. Other than 
>> that the build was the same.
>>
>> I haven't had to do a seize in a long time of the FSMO roles. If the 
>> DC's I upgraded appear to be working should I just transfer or seize? 
>> Thanks.
>>
> Simple answer, if you can transfer, then transfer, if not, then seize, 
> but use '--force' (this stops a useless transfer attempt).
>
> Rowland
>
>
>>
>> -James
>>
>
>
Rowland,

   I pulled the NAS logs and below is from the last time it successfully 
imported the users.

-------------------------------------------------------------------------------------------------------------------------------- 


[20-05-15 00:40:42] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search 
open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName 
objectSid distinguishedName

[20-05-15 00:40:43] 3288 rndb_account.c:1425 info: 111 domain groups found
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Incoming Forest Trust Builders sid=S-1-5-32-557 is not 
domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Distributed COM Users sid=S-1-5-32-562 is not domain 
object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Backup Operators sid=S-1-5-32-551 is not domain object. 
domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Certificate Service DCOM Access sid=S-1-5-32-574 is not 
domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Performance Monitor Users sid=S-1-5-32-558 is not domain 
object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Network Configuration Operators sid=S-1-5-32-556 is not 
domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Event 
Log Readers sid=S-1-5-32-573 is not domain object. domain sid is 
S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Administrators sid=S-1-5-32-544 is not domain object. 
domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Account Operators sid=S-1-5-32-548 is not domain object. 
domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Windows Authorization Access Group sid=S-1-5-32-560 is 
not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Performance Log Users sid=S-1-5-32-559 is not domain 
object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Server Operators sid=S-1-5-32-549 is not domain object. 
domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Replicator sid=S-1-5-32-552 is not domain object. domain 
sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Cryptographic Operators sid=S-1-5-32-569 is not domain 
object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:44] 3288 rndb_account.c:1470 debug: sAMAccountName=Users 
sid=S-1-5-32-545 is not domain object. domain sid is 
S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:44] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Pre-Windows 2000 Compatible Access sid=S-1-5-32-554 is 
not domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:44] 3288 rndb_account.c:1470 debug: sAMAccountName=Print 
Operators sid=S-1-5-32-550 is not domain object. domain sid is 
S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:44] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Guests sid=S-1-5-32-546 is not domain object. domain sid 
is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:44] 3288 rndb_account.c:1470 debug: 
sAMAccountName=IIS_IUSRS sid=S-1-5-32-568 is not domain object. domain 
sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:44] 3288 rndb_account.c:1451 info: 100/111 groups 
imported so far
[20-05-15 00:40:44] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Remote Desktop Users sid=S-1-5-32-555 is not domain 
object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:44] 3288 rndb_account.c:1470 debug: 
sAMAccountName=Terminal Server License Servers sid=S-1-5-32-561 is not 
domain object. domain sid is S-1-5-21-940051827-2291820289-3341758437
[20-05-15 00:40:44] 3288 rndb_account.c:1555 info: 111/111 groups 
imported in 1658ms.
[20-05-15 00:40:44] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search 
open: LANG=C net -P ads search 
\(\&\(objectClass=user\)\(\!\(sAMAccountType=805306369\)\)\(\!\(sAMAccountType=805306370\)\)\) 
sAMAccountName objectSid distinguishedName mail primaryGroupID memberOf cn
[20-05-15 00:40:45] 3288 rndb_account.c:1136 info: 226 domain user found
[20-05-15 00:40:45] 3288 rndb_account.c:1167 info: 100/226 users 
imported so far
[20-05-15 00:40:46] 3288 rndb_account.c:1167 info: 200/226 users 
imported so far
[20-05-15 00:40:46] 3288 rndb_account.c:1362 info: 226/226 users 
imported in 2064ms.
[20-05-15 00:40:46] 3288 rndb_ads_utils.c:237 info: ADS CMD::update 
domain sid (group-admin): wbinfo --sid-to-gid 
S-1-5-21-940051827-2291820289-3341758437-512

[20-05-15 00:40:46] 3288 rndb_ads_utils.c:287 info: ADS CMD::update 
domain sid (user-admin): wbinfo --sid-to-uid 
S-1-5-21-940051827-2291820289-3341758437-500

-----------------------------------------------------------------------------------------------------------------------------

Next is when it began to fail to import after I upgraded to 4.12.2.

----------------------------------------------------------------------------------------------------------------------------

[20-05-15 10:42:01] 3288 rndb_account.c:2577 info: ******************ADS 
Import Starts*********************
[20-05-15 10:42:02] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search 
open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName 
objectSid distinguishedName
[20-05-15 10:42:05] 3288 rndb_ads_utils.c:190 error: Parse error on 
cmd=<LANG=C net -P ads search \(objectClass=group\) sAMAccountName 
objectSid distinguishedName> output:
[20-05-15 10:42:15] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search 
open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName 
objectSid distinguishedName
[20-05-15 10:42:16] 3288 rndb_ads_utils.c:190 error: Parse error on 
cmd=<LANG=C net -P ads search \(objectClass=group\) sAMAccountName 
objectSid distinguishedName> output:
[20-05-15 10:42:26] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search 
open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName 
objectSid distinguishedName
[20-05-15 10:42:29] 3288 rndb_ads_utils.c:190 error: Parse error on 
cmd=<LANG=C net -P ads search \(objectClass=group\) sAMAccountName 
objectSid distinguishedName> output:
[20-05-15 10:42:39] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search 
open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName 
objectSid distinguishedName
[20-05-15 10:42:41] 3288 rndb_ads_utils.c:190 error: Parse error on 
cmd=<LANG=C net -P ads search \(objectClass=group\) sAMAccountName 
objectSid distinguishedName> output:
[20-05-15 10:42:51] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search 
open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName 
objectSid distinguishedName
[20-05-15 10:42:54] 3288 rndb_ads_utils.c:190 error: Parse error on 
cmd=<LANG=C net -P ads search \(objectClass=group\) sAMAccountName 
objectSid distinguishedName> output:
[20-05-15 10:43:04] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search 
open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName 
objectSid distinguishedName
[20-05-15 10:43:06] 3288 rndb_ads_utils.c:190 error: Parse error on 
cmd=<LANG=C net -P ads search \(objectClass=group\) sAMAccountName 
objectSid distinguishedName> output:
[20-05-15 10:43:06] 3288 rndb_account.c:1413 error: Cannot open LDAP 
search with filter (objectClass=group). Check network.
[20-05-15 10:43:06] 3288 rndb_account.c:1563 error: 
_rndb_account_domain_group_import() ==> 9 (64047ms)
[20-05-15 10:43:06] 3288 rndb_account.c:2614 error: 
rndb_ads_account_import() ==> 1 (65553ms)
[20-05-15 10:43:06] 3288 rndb_api.c:1205 error: rndb_import_nolock() ==> 
1 (65559ms)
[20-05-15 10:47:29] 2967 rndb_ads_utils.c:97 info: ADS CMD::get domain 
sid: net getdomainsid
[20-05-15 10:47:29] 2967 rndb_account.c:623 info: Local user import has 
started
[20-05-15 10:47:29] 2967 rndb_account.c:626 info: Removing all users 
from $user table excluding ADS users if exist
[20-05-15 10:47:31] 2967 rndb_account.c:780 info: Local group import has 
started
[20-05-15 10:47:31] 2967 rndb_ads_utils.c:237 info: ADS CMD::update 
domain sid (group-admin): wbinfo --sid-to-gid 
S-1-5-21-940051827-2291820289-3341758437-512
[20-05-15 10:47:31] 2967 rndb_ads_utils.c:287 info: ADS CMD::update 
domain sid (user-admin): wbinfo --sid-to-uid 
S-1-5-21-940051827-2291820289-3341758437-500

---------------------------------------------------------------------------------------------------------------------------------------------

The above repeats with every attempt to import the users.  I have 
several ReadyNAS with different model types. The oldest is around 5 
years old with the others being less than 2. All are updated to current 
firmware.  It doesn't help that the option to download the logs includes 
90 files with the filenames not being very descriptive. The logs from 
above are from a file titled ADS. Anything stand out from the ReadyNAS 
logs? Thanks.


-James
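The ADS log above shows the pattern a defender wants to pick out quickly: the NAS shells out to `net -P ads search`, parses whatever it prints, logs "Parse error ... output:" with nothing after it when the output is not in the shape it expects, retries a few times, and then aborts the import with "Cannot open LDAP search". The debug lines also show how it separates BUILTIN groups (SID prefix S-1-5-32-) from objects under the domain SID. The script below is an added triage example, not part of this thread and not Netgear's or Samba's code; it parses lines in that log's format, counts parse failures per command, flags failures where `net` printed nothing parseable, classifies the skipped SIDs, and reports whether the import was aborted. The sample lines are constructed in the page's format with a made-up domain SID.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Log line shape seen in the ReadyNAS "ADS" file:
# [yy-mm-dd HH:MM:SS] <pid> <file>:<line> <level>: <message>
LINE_RE = re.compile(
    r"^\[(?P<ts>\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\] (?P<pid>\d+) "
    r"(?P<src>[\w.]+:\d+) (?P<level>\w+): (?P<msg>.*)$"
)
# "Parse error on cmd=<...> output:" followed by whatever the command printed
PARSE_ERR_RE = re.compile(r"^Parse error on cmd=<(?P<cmd>.*)> output:(?P<out>.*)$")
# Debug line emitted for each group whose SID is not under the domain SID
SID_RE = re.compile(
    r"sAMAccountName=(?P<name>.+?) sid=(?P<sid>S-[\d-]+) is not domain object\. "
    r"domain sid is (?P<dom>S-[\d-]+)"
)
BUILTIN_PREFIX = "S-1-5-32-"  # well-known BUILTIN domain (Administrators, Users, ...)


@dataclass
class Entry:
    ts: str
    pid: int
    src: str
    level: str
    msg: str


def parse_log(text):
    """Parse log text; non-matching, non-empty lines are treated as wrapped continuations."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], int(m["pid"]), m["src"], m["level"], m["msg"]))
        elif entries and line.strip():
            entries[-1].msg += " " + line.strip()
    return entries


def parse_errors(entries):
    """(command, captured output) for every failed ADS command."""
    found = []
    for e in entries:
        if e.level == "error":
            m = PARSE_ERR_RE.match(e.msg)
            if m:
                found.append((m["cmd"], m["out"].strip()))
    return found


def classify_sid(sid, domain_sid):
    """builtin = S-1-5-32-*, domain = RID under our domain SID, foreign = anything else."""
    if sid.startswith(BUILTIN_PREFIX):
        return "builtin"
    if sid.startswith(domain_sid + "-"):
        return "domain"
    return "foreign"


def skipped_non_domain(entries):
    """Names the NAS skipped as 'not domain object', with a classification of their SID."""
    return [(m["name"], classify_sid(m["sid"], m["dom"]))
            for e in entries if (m := SID_RE.search(e.msg))]


def summarize(text):
    entries = parse_log(text)
    errs = parse_errors(entries)
    skipped = skipped_non_domain(entries)
    return {
        "entries": len(entries),
        "failed_commands": dict(Counter(cmd for cmd, _ in errs)),
        "failures_with_empty_output": sum(1 for _, out in errs if out == ""),
        "skipped_builtin": sum(1 for _, k in skipped if k == "builtin"),
        "skipped_foreign": sum(1 for _, k in skipped if k == "foreign"),
        "import_aborted": any("Cannot open LDAP search" in e.msg for e in entries),
    }


# Constructed sample in the ADS log format (domain SID and second group are made up).
SAMPLE_LOG = r"""
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Backup Operators sid=S-1-5-32-551 is not domain object. domain sid is S-1-5-21-111-222-333
[20-05-15 00:40:43] 3288 rndb_account.c:1470 debug: sAMAccountName=Other Domain Admins sid=S-1-5-21-444-555-666-512 is not domain object. domain sid is S-1-5-21-111-222-333
[20-05-15 00:40:44] 3288 rndb_account.c:1555 info: 111/111 groups imported in 1658ms.
[20-05-15 10:42:02] 3288 rndb_ads_utils.c:176 info: ADS CMD::ldap search open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName
[20-05-15 10:42:05] 3288 rndb_ads_utils.c:190 error: Parse error on cmd=<LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName> output:
[20-05-15 10:42:16] 3288 rndb_ads_utils.c:190 error: Parse error on cmd=<LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName> output:
[20-05-15 10:43:06] 3288 rndb_account.c:1413 error: Cannot open LDAP search with filter (objectClass=group). Check network.
""".strip()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real ADS file (`python3 triage.py < ADS` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the interesting signal is `failures_with_empty_output` equal to the number of parse errors: the NAS got no usable text back from `net ads search` at all, which points at the `net` invocation or its connection to the DC rather than at the group data, and is the first thing to reproduce by hand on the NAS shell with the same command and `LANG=C`.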



