[Samba] Samba 3.6 member server auth problems after DC upgrade 2012 R2 -> 2019

Rowland penny rpenny at samba.org
Thu Oct 29 18:09:06 UTC 2020


On 29/10/2020 17:13, Pim Zandbergen via samba wrote:
> I have this old CentOS 6 server running Samba 3.6 as a member server
> in a domain with two Windows Server 2012R2 DC's.
>
> Through a series of promotions and demotions, the DC's were replaced
> with Windows Server 2019 DC's.
>
> Although I expected problems to arise from that, this has been working
> fine for months, until the Samba server was reset by the server's
> watchdog card.
>
> Suddenly, clients would no longer be able to authenticate to the Samba
> server. "getent passwd" would only list local users.
> Users could no longer ssh to the samba server using AD credentials.
>
> Yet, "net ads testjoin" would report the AD join is OK.
> And "wbinfo -u" would successfully list all AD users.
> No messages were logged in /var/log/samba/* that indicated an error.
>
> Normal operation would resume after reintroducing a third DC running
> 2012R2, and having Samba explicitly use that DC using
> "password server = the2012r2dc".
>
> I am assuming that Windows Server 2019 security needs to be
> compromised to accommodate a Samba 3.6 member server. Probably some
> Kerberos parameter. I would prefer to do that, and demote the 2012R2
> DC, until I can replace/update the Samba 3.6 server.
>
> What would I need to change to the Server 2019's security to make
> this work?
>
> smb.conf:
>
> [global]
> workgroup                  = EXAMPLE
> realm                      = EXAMPLE.COM
> security                   = ads
> server string              = CentOS 6 - Samba %v
> printing                   = cups
> printcap name              = cups
> load printers              = yes
> socket options             = TCP_NODELAY
> dns proxy                  = no
> time server                = yes
> encrypt passwords          = yes
> disable netbios            = yes
> smb ports                  = 445
> idmap config * : backend   = rid
> idmap config * : range     = 200000-299999
> template homedir           = /home/%U
> template shell             = /bin/bash
> winbind use default domain = yes
> winbind offline logon      = false
> follow symlinks            = yes
> wide links                 = yes
> unix extensions            = no
> max protocol               = SMB2
> server signing             = auto
>
> [homes]
> comment             = Home Directories
> browseable          = no
> writable            = yes
> guest ok            = no
>
I suggest you upgrade your CentOS 6 server; it will go EOL in a month
and Samba 3.6 went EOL quite a few years ago. Your problem is possibly
something to do with SMBv1: Samba 3.6 will be using it (along with ntlm
auth), but your Windows DC's probably aren't.

Rowland
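Added example, not from the thread: a sh script that runs the checks mentioned above (net ads testjoin, wbinfo -u, getent passwd) and classifies which layer of the member server's AD lookup path is failing. It assumes the Samba tools are on PATH and looks up a single user through getent rather than enumerating, because a bare `getent passwd` only lists domain users when `winbind enum users = yes`.

```shell
#!/bin/sh
# Added example for the thread above; not part of the original post.
# Assumes net, wbinfo and getent are on PATH when run for real.

# run_check CMD [ARGS...]: print ok or fail, never abort the script.
run_check() {
    if "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# classify_auth_path JOIN WBINFO_U GETENT_USER (each ok or fail).
# Prints "<layer>: <diagnosis>" for the first layer that fails.
classify_auth_path() {
    join=$1; enum=$2; nss=$3
    if [ "$join" = fail ]; then
        echo "join: machine account or secure channel broken - check DC reachability and re-join"
    elif [ "$enum" = fail ]; then
        echo "winbind: joined but winbindd cannot talk to a DC - check winbindd, DC SMB dialect and NTLM policy"
    elif [ "$nss" = fail ]; then
        echo "nss: winbind works but NSS does not - check nsswitch.conf (passwd: files winbind), idmap range, winbind enum users"
    else
        echo "ok: AD lookups work end to end"
    fi
}

main() {
    join=$(run_check net ads testjoin)          # secure channel to a DC
    enum=$(run_check wbinfo -u)                 # winbindd -> DC lookups
    # Single-name lookup through NSS works without winbind enum users.
    user=$(wbinfo -u 2>/dev/null | head -n 1)
    if [ -n "$user" ] && getent passwd "$user" >/dev/null 2>&1; then
        nss=ok
    else
        nss=fail
    fi
    classify_auth_path "$join" "$enum" "$nss"
}

main
```

The symptom in the report (testjoin OK, wbinfo -u OK, getent showing only local users) lands in the nss branch; a DC that refuses the dialect or auth Samba 3.6 offers would show up one layer earlier.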
