[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues

James Atwell james.atwell365 at gmail.com
Mon May 18 00:59:43 UTC 2020 

On 5/17/2020 5:17 PM, Rowland penny via samba wrote:
> On 17/05/2020 21:54, James Atwell wrote:
>> I assume it's trying to create a tmp krb5.conf because the user I'm 
>> logged into the domain member isn't a domain user? The tmp krb5.conf 
>> never gets created even if I run as sudo. etc/krb5.conf does exist 
>> though.
>
> You are logging into a domain joined machine as a local user and then 
> wonder why you are having problems ?
>
> Unless the user is root, there is a line like this in the smb.conf 
> 'username map = /etc/samba/user.map' and the 'user.map' contains 
> '!root = DOMAIN\Administrator', where 'DOMAIN' is your netbios domain.
>
>>
>> I'm not tied to Ubuntu or Ubuntu 16.04 or 18.04.
>
> It should work on 16.04, try sorting the above problem out first.
>
> Rowland
>
>
>
I got the issue with the ReadyNAS resolved. I decided to stop messing 
with the broken DC and just remove it. I transferred all the FSMO and 
demoted the DC.  This immediately allowed the ReadyNAS to join and 
import users and groups. Oddly enough the errors I mentioned earlier 
that I initially had when I ran samba-tool drs showrepl came back. 
Probably because the kinit ticket I generated had expired.  For 
reference I'm posting below.

root at pfdc1:~# samba-tool drs showrepl
Wrong username or password: kinit for PFDC1$@SAMBA.LOCAL failed (Client 
not found in Kerberos database)

Wrong username or password: kinit for PFDC1$@SAMBA.LOCAL failed (Client 
not found in Kerberos database)

Default-First-Site-Name\PFDC1
DSA Options: 0x00000001
DSA object GUID: acc2392f-9567-450f-bcb3-4fb1034b8753
DSA invocationId: d3644219-dbcd-43ff-815e-8850f94192e1

root at pfdc1:~# samba-tool drs showrepl
GSS client Update(krb5)(1) Update failed:  Miscellaneous failure (see 
text): encryption type 3 not supported
GSS client Update(krb5)(1) Update failed:  Miscellaneous failure (see 
text): encryption type 3 not supported

I'll mention the other DC I upgraded to 4.12.2 is still in the forest 
and not having any troubles. Rowland appreciate you taking your time to 
review.

-James

More information about the samba mailing list