[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues

Rowland penny rpenny at samba.org
Sat May 16 18:02:12 UTC 2020


On 16/05/2020 18:41, James Atwell wrote:
>
> On 5/16/2020 9:55 AM, Rowland penny via samba wrote:
>> On 16/05/2020 14:40, James Atwell wrote:
>>>
>>> On 5/16/2020 5:00 AM, Rowland penny via samba wrote:
>>>> On 15/05/2020 19:52, James Atwell via samba wrote:
>>>>> Hello,
>>>>>
>>>>>         I upgraded two DC's to 4.12.2 from 4.11.6 before I noticed 
>>>>> authentication issues with a couple Netgear ReadyNAS we have. For 
>>>>> reference I have a total of 6 DC's with 4 running 4.11.6 and two 
>>>>> now running 4.12.2.  I ran the usual ./configure,make,make install 
>>>>> from tar without issues. However running samba-tool drs showrepl I 
>>>>> noticed a couple errors. Looking through the list I found someone 
>>>>> else with the same initial problems.  See thread here 
>>>>> https://lists.samba.org/archive/samba/2020-April/229230.html From 
>>>>> this thread I did what was suggested by Alex and that resolved 
>>>>> those initial errors.  This brings me back to the Netgear file 
>>>>> servers. I am no longer able to authenticate the ReadyNAS with my 
>>>>> domain.  I receive a join error within the Netgear dashboard with 
>>>>> no additional info. No error code, nothing. I turned up the 
>>>>> logging on the Samba server I pointed the ReadyNAS at and could 
>>>>> see the log for the administrator user I'm using to try and join 
>>>>> and authenticate. Samba shows a successful authentication but then 
>>>>> it appears to end there. Additional details below about my setup.
>>>>
>>>> You need to see the logs for the readynas to try and find out what 
>>>> is going on.
>>>>
>>>> This is what I would do:
>>>>
>>>> Seize the FSMO roles to one of the 4.11.6 DC's
>>>>
>>>> Demote the two 4.12.2 DC's
>>>>
>>>> Remove everything in /usr/local/samba
>>>>
>>>> Test if your readynas now connects to the domain again, try a 
>>>> re-join if not
>>>>
>>>> If you have connection, then good, if not, you need to find out why 
>>>> not and this will require seeing the readynas logs, you may have to 
>>>> ask netgear about that.
>>>>
>>>> Once you have connection from the readynas, run 'make install' 
>>>> again (No, you shouldn't have to totally build Samba again)
>>>>
>>>> Once Samba is installed again, try joining as a DC, hopefully it 
>>>> should now work.
>>>>
>>>> The only major change between 4.11.x and 4.12.x is that you now 
>>>> need Python 3.5, perhaps you do not have this ?
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>> Thanks for the input. Before I do I want to add additional 
>>> troubleshooting details.  Replication works among all DC's with no 
>>> obvious samba errors or windows authentication errors.  I unjoined a 
>>> Windows 10 machine and rejoined to the domain without issue. 
>>
>> You didn't say that before ;-)
>>
>> If everything is working except for your readynas, then it sounds 
>> like this could be a problem with your readynas.
>>
>> You do not say how old the readynas is, but are there any updates 
>> available for it ?
>>
>> Before you do anything, I would ask netgear if they are aware of this 
>> problem, might be worth mentioning the word 'SMBv1'.
>>
>>> Everything else is working as it should (i.e., user creation, DNS 
>>> admin, GPOs).  The one other thing I did do different this time and 
>>> I should have noted previously was use the Verified Package 
>>> Dependencies from the Wiki to ensure I wasn't missing any. Other 
>>> than that the build was the same.
>>>
>>> I haven't had to do a seize in a long time of the FSMO roles. If the 
>>> DC's I upgraded appear to be working should I just transfer or 
>>> seize? Thanks.
>>>
>> Simple answer, if you can transfer, then transfer, if not, then 
>> seize, but use '--force' (this stops a useless transfer attempt).
>>
>> Rowland
>>
>>
>>>
>>> -James
>>>
>>
>>
> So I suppose I still have trouble with my domain.
>
> root@pfdc1:/# net ads user info administrator -U administrator
>
> Enter administrator's password:
> kerberos_kinit_password SAMBA@SAMBA.LOCAL failed: Client not found in 
> Kerberos database
>
> kerberos_kinit_password SAMBA@SAMBA.LOCAL failed: Client not found in 
> Kerberos database

Well that sorts that out, '-P' isn't working ;-)

Is this on one of the 4.12 DC's or a 4.11 DC ?

Rowland





