[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues

James Atwell james.atwell365 at gmail.com
Sun May 17 15:54:02 UTC 2020


On 5/17/2020 5:29 AM, Rowland penny via samba wrote:
> On 17/05/2020 00:24, James Atwell wrote:
>>>> So I suppose I still have trouble with my domain.
>>>>
>>>> root@pfdc1:/# net ads user info administrator -U administrator
>>>>
>>>> Enter administrator's password:
>>>> kerberos_kinit_password SAMBA@SAMBA.LOCAL failed: Client not found in Kerberos database
>>>>
>>>> kerberos_kinit_password SAMBA@SAMBA.LOCAL failed: Client not found in Kerberos database
>
> No, you might not have anything wrong with the domain.
>
> Does this look familiar?
>
> root@dc01:~# net ads user info administrator -U administrator
> Enter administrator's password:
> kerberos_kinit_password SAMDOM@SAMDOM.EXAMPLE.COM failed: Client not found in Kerberos database
> kerberos_kinit_password SAMDOM@SAMDOM.EXAMPLE.COM failed: Client not found in Kerberos database
>
> This happens on both my DCs, one is running 4.10.14, the other 4.11.7
>
> But on a domain joined rpi running 4.11.7:
>
> pi@raspberrypi:~ $ sudo net ads user info administrator -U administrator
> Enter administrator's password:
> Domain Users
> Domain Admins
> Administrators
> Enterprise Admins
> Group Policy Creator Owners
> Schema Admins
>
> Do you have a Unix domain member you could test from?
>
> It is looking like it is a problem with your readynas.
>
> Rowland
>
>
>
Strange results on a domain member

jatwell@osticket:~$ net ads user info administrator -U administrator
Enter administrator's password:
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.Bgy6b4. Errno Permission denied
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.M1pz6T. Errno Permission denied
Domain Users
Administrators
Group Policy Creator Owners
Enterprise Admins
Schema Admins
Remote Desktop Users Group
Domain Admins

If run as root I get this.

root@osticket:~# net ads user info administrator -U administrator
Enter administrator's password:
gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported]
gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.

Running this command on all my DCs looks exactly like what you 
mentioned on yours.  Maybe if I talk this out something will spring to 
mind. The following are the steps I took to do an in-place upgrade on 2 
DCs that caused all 4 of my Netgear ReadyNAS to no longer import the 
users and groups.

The first DC I chose to upgrade was my DC that holds all my FSMO roles.  
I ran apt-get update followed by apt-get dist-upgrade. Rebooted and ran 
the dependencies scripts (first time) from the wiki on an Ubuntu 16.04. 
Downloaded samba source and ran ./configure --mandir=/usr/share/man, 
make, shut down samba and install.  After reboot went to check 
replication with samba-tool drs showrepl and noticed an error 
immediately as the screen scrolled to show replication working 
correctly. Scrolled to the top and saw the following error:

ldb: unable to dlopen /usr/lib64/samba/ldb/local_password.so :
/usr/lib64/samba/libsamdb-common-samba4.so: version `SAMBA_4.11.6' not
found (required by /usr/lib64/samba/ldb/local_password.so)
ldb: unable to dlopen /usr/lib64/samba/ldb/simple_dn.so :
/usr/lib64/samba/libdsdb-module-samba4.so: version `SAMBA_4.11.6' not found
(required by /usr/lib64/samba/ldb/simple_dn.so)
ldb: unable to dlopen /usr/lib64/samba/ldb/simple_ldap_map.so :
/usr/lib64/samba/libsamdb-common-samba4.so: version `SAMBA_4.11.6' not
found (required by /usr/lib64/samba/ldb/simple_ldap_map.so)

A google search of the error landed me on the samba list with mention of 
this error.  Reading the thread I see a member mention moving the samba 
folder and building again. So I did. After the build and install I 
copied back the following files and folders from my original samba folder:

  * etc
  * private
  * sysvol

I then rebooted and ran samba-tool drs showrepl. The previous error was 
gone but now a new error displayed, but I can't recall what it said. 
Keep in mind replication still showed as working. I do recall the error 
was complaining about Kerberos or the keytab. I can't recall exactly.  
But from the error I chose to run kinit administrator to resolve. That 
much I took from the error. Kinit and klist succeeded and I reran 
samba-tool drs showrepl. This time no errors reported. Did the exact 
same steps on another server running Ubuntu 18.04 when I began to notice 
I had issues with my ReadyNAS.   Did I forget to copy something from my 
original samba folder?

-James
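
Added example, not part of the message above and not Samba project code: a small shell filter that reads "ldb: unable to dlopen" errors like the ones quoted in the message and lists each affected module, the Samba symbol version it asks for, and the library that does not provide it. The function names and the sample text (built from the lines in the message) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: summarise ldb "unable to dlopen" version-mismatch errors.

# stale_ldb_modules: reads log text on stdin and prints one line per distinct
# module: "<module> <required Samba version> <library lacking that version>".
# Records wrapped over several lines (as in the mail) are rejoined first.
stale_ldb_modules() {
    tr '\n' ' ' | awk '
    {
        n = split($0, rec, /ldb: unable to dlopen[ \t]+/)
        for (i = 2; i <= n; i++) {
            m = split(rec[i], f, /[ \t]+/)
            module = f[1]; sub(/:$/, "", module)
            lib = ""; ver = ""
            for (k = 2; k < m; k++) {
                if (f[k] == "version") {
                    # Token before "version" is the library, the one after
                    # carries the version tag, e.g. SAMBA_4.11.6 in quotes.
                    lib = f[k - 1]; sub(/:$/, "", lib)
                    if (match(f[k + 1], /SAMBA_[0-9]+(\.[0-9]+)*/))
                        ver = substr(f[k + 1], RSTART + 6, RLENGTH - 6)
                    break
                }
            }
            if (ver != "" && !(module in seen)) {
                seen[module] = 1
                print module, ver, lib
            }
        }
    }'
}

# Constructed sample: two of the error records from the message, wrapped
# the same way they appear in the mail.
sample_log() {
    cat <<'EOF'
ldb: unable to dlopen /usr/lib64/samba/ldb/local_password.so :
/usr/lib64/samba/libsamdb-common-samba4.so: version `SAMBA_4.11.6' not
found (required by /usr/lib64/samba/ldb/local_password.so)
ldb: unable to dlopen /usr/lib64/samba/ldb/simple_dn.so :
/usr/lib64/samba/libdsdb-module-samba4.so: version `SAMBA_4.11.6' not found
(required by /usr/lib64/samba/ldb/simple_dn.so)
EOF
}

sample_log | stale_ldb_modules
```

Any command output that contains these errors can be piped into `stale_ldb_modules` in place of the sample.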