[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues

James Atwell james.atwell365 at gmail.com
Sat May 16 23:20:19 UTC 2020


On 5/16/2020 2:02 PM, Rowland penny via samba wrote:
> On 16/05/2020 18:41, James Atwell wrote:
>>
>> On 5/16/2020 9:55 AM, Rowland penny via samba wrote:
>>> On 16/05/2020 14:40, James Atwell wrote:
>>>>
>>>> On 5/16/2020 5:00 AM, Rowland penny via samba wrote:
>>>>> On 15/05/2020 19:52, James Atwell via samba wrote:
>>>>>> Hello,
>>>>>>
>>>>>>         I upgraded two DC's to 4.12.2 from 4.11.6 before I 
>>>>>> noticed authentication issues with a couple Netgear ReadyNAS we 
>>>>>> have. For reference I have a total of 6 DC's with 4 running 
>>>>>> 4.11.6 and two now running 4.12.2.  I ran the usual 
>>>>>> ./configure,make,make install from tar without issues. However 
>>>>>> running samba-tool drs showrepl I noticed a couple errors. 
>>>>>> Looking through the list I found someone else with the same 
>>>>>> initial problems.  See thread here 
>>>>>> https://lists.samba.org/archive/samba/2020-April/229230.html From 
>>>>>> this thread I did what was suggested by Alex and that resolved 
>>>>>> those initial errors.  This brings me back to the Netgear file 
>>>>>> servers. I am no longer able to authenticate the ReadyNAS with my 
>>>>>> domain.  I receive a join error within the Netgear dashboard with 
>>>>>> no additional info. No error code, nothing. I turned up the 
>>>>>> logging on the Samba server I pointed the ReadyNAS at and could 
>>>>>> see the log for the administrator user I'm using to try and join 
>>>>>> and authenticate. Samba shows a successful authentication but 
>>>>>> then it appears to end there. Additional details below about my 
>>>>>> setup.
>>>>>
>>>>> You need to see the logs for the readynas to try and find out what 
>>>>> is going on.
>>>>>
>>>>> This is what I would do:
>>>>>
>>>>> Seize the FSMO roles to one of the 4.11.6 DC's
>>>>>
>>>>> Demote the two 4.12.2 DC's
>>>>>
>>>>> Remove everything in /usr/local/samba
>>>>>
>>>>> Test if your readynas now connects to the domain again, try a 
>>>>> re-join if not
>>>>>
>>>>> If you have connection, then good, if not, you need to find out 
>>>>> why not and this will require seeing the readynas logs, you may 
>>>>> have to ask netgear about that.
>>>>>
>>>>> Once you have connection from the readynas, run 'make install' 
>>>>> again (No, you shouldn't have to totally build Samba again)
>>>>>
>>>>> Once Samba is installed again, try joining as a DC, hopefully it 
>>>>> should now work.
>>>>>
>>>>> The only major change between 4.11.x and 4.12.x is that you now 
>>>>> need Python 3.5, perhaps you do not have this ?
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>
>>>> Thanks for the input. Before I do I want to add additional 
>>>> troubleshooting details.  Replication works among all DC's with no 
>>>> obvious samba errors or windows authentication errors.  I unjoined 
>>>> a Windows 10 machine and rejoined to the domain without issue. 
>>>
>>> You didn't say that before ;-)
>>>
>>> If everything is working except for your readynas, then it sounds 
>>> like this could be a problem with your readynas.
>>>
>>> You do not say how old the readynas is, but are there any updates 
>>> available for it ?
>>>
>>> Before you do anything, I would ask netgear if they are aware of 
>>> this problem, might be worth mentioning the word 'SMBv1'.
>>>
>>>> Everything else is working as it should (i.e., user creation, dns 
>>>> admin, gpo's).  The one other thing I did do different this time 
>>>> and I should have noted previously was use the Verified Package 
>>>> Dependencies from the Wiki to ensure I wasn't missing any. Other 
>>>> than that the build was the same.
>>>>
>>>> I haven't had to do a seize in a long time of the FSMO roles. If 
>>>> the DC's I upgraded appear to be working should I just transfer or 
>>>> seize? Thanks.
>>>>
>>> Simple answer, if you can transfer, then transfer, if not, then 
>>> seize, but use '--force' (this stops a useless transfer attempt).
>>>
>>> Rowland
>>>
>>>
>>>>
>>>> -James
>>>>
>>>
>>>
>> So I suppose I still have trouble with my domain.
>>
>> root@pfdc1:/# net ads user info administrator -U administrator
>>
>> Enter administrator's password:
>> kerberos_kinit_password SAMBA@SAMBA.LOCAL failed: Client not found in Kerberos database
>>
>> kerberos_kinit_password SAMBA@SAMBA.LOCAL failed: Client not found in Kerberos database
>
> Well that sorts that out, '-P' isn't working ;-)
>
> Is this on one of the 4.12 DC's or a 4.11 DC ?
>
> Rowland
>
>
>
>
The issue exists with all of them.  I tried with several different 
usernames and the same thing.


-James