[Samba] Problem after update version 4.15.0

rme at bluemail.ch
Wed Sep 29 08:48:15 UTC 2021


On 29.09.2021 10:08, L.P.H. van Belle via samba wrote:
> This.
>> ../../source4/auth/ntlm/auth.c:241(auth_check_password_send)
>>     auth_check_password_send: Checking password for unmapped user
> I would have expected

Actually right. I would expect the same. But in Samba 4.14.7 no such 
problem appears.

> I see this now and then here also: suddenly a computer/user can't log in.
> Common causes..
> 1) PC time out of sync with DC.

No, Time is NTP-Synchronized.

> 2) Computer account its password expired.

Not sure, but Samba 4.14.7 does not complain at all; even when reverting 
just the Samba binaries I am perfectly able to log on. Passwords are 
supposed to renew automatically as far as I know. The machine is in 
use almost daily, so it's not a machine which was not connected or was off 
for months.

> 3) Lost domain trust.

Right after the Samba 4.15 upgrade? On 80% of my machines? And the machines 
regain trust after a Samba downgrade? Hmmm.

> But what does the event log show, and I assume the same user can log in on another computer?

Good point, let me try to dig up some logs from my attempts yesterday 
(meanwhile my Samba is rolled back).

Here is what I found in the event logs:

Log Name:      System
Source:        NETLOGON
Date:          9/28/2021 9:44:07 PM
Event ID:      3210
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      cyb64w10-test.ad.cyberdyne.local
This computer could not authenticate with \\skynet.ad.cyberdyne.local, a 
Windows domain controller for domain CYBERDYNE, and therefore this 
computer might deny logon requests. This inability to authenticate might 
be caused by another computer on the same network using the same name or 
the password for this computer account is not recognized. If this 
message appears again, contact your system administrator.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
     <Provider Name="NETLOGON" />
     <EventID Qualifiers="0">3210</EventID>
     <TimeCreated SystemTime="2021-09-28T19:44:07.3916682Z" />
     <Correlation />
     <Execution ProcessID="0" ThreadID="0" />
     <Security />

Again, this completely disappeared after rolling back, without a domain 
re-join or anything else. Samba 4.15 seems to just refuse authentication 
for no good reason.

>> I also compared "samba-tool computer show" of a working and one
>> non-working machine and can't find any differences other than
>> timestamps.
> Hmm, is this an "old" domain, like from before 4.9?

Yes, even older. I was even using SAMBA-ldap on pre-4.0 releases. But 
this particular machine was added later, for sure after the 4.0 AD upgrade. 
I don't remember the exact dates of the upgrades, but yes, this domain was 
upgraded all the way from the first Samba 4.x releases. However, I don't see 
why this should cause such issues and why there is no proper migration. 
So we might be looking at some upgrade/migration issue, but my 
understanding was that Samba should actually handle this and not just 
start denying computer account logins on upgrade.
Sure, if the machine is using some legacy authentication method or anything 
like this, then I would expect Samba to first force the client to update 
the password or authentication method before completely locking it out.

> Did you use
> 'samba-tool dns zoneoptions' for aging control
> ----------------------------------------------
> Or
> Marking old records as static or dynamic with 'samba-tool'
>  From : https://www.samba.org/samba/history/samba-4.15.0.html

Yes, I did this. I set my servers to static entries and clients to dynamic 
using a regex.

> If i have to gamble on this, 2 options.
> Windows 10 bug or Samba fix in 4.15 that triggered it.

Guessing the second one too. But I seem not to be the only one having 
this issue. As mentioned, it seems to happen only to machines which have 
been joined to the domain for quite a while (2 years+). Another machine I 
joined just a few days ago on Samba 4.14.7 is not affected and still 
allows login after the 4.15 upgrade.

So I would be fine if anyone could either:
- Provide a fix in Samba
- Provide a procedure to be run before the upgrade
- Provide a procedure to be run after the upgrade
  (preferably no manual actions on clients like a re-join)

Obviously I would like to avoid having to re-join all the machines, but 
if I had to run some database-update command or migration script 
I would be totally fine with that.

> And if you don't want to re-register 1 PC..
> (You can do this with a script at login for the whole domain. )

At login?
First of all, no user can log on to the affected machines (except local 
user accounts). Users don't have any admin privileges on the machines, 
logon scripts run in user context and cannot perform a domain join. 
Moreover, the users can't even log on.
I might be able to use psexec to execute commands remotely, but I did not 
try whether this works if the domain machine account is actually denied. Also, 
I don't want to do this: if I roll out Samba 4.15 in an environment 
with hundreds of machines I would rather prefer not having to sync with 
the users to bring the machines online and run commands in the background. 
It's also just not acceptable to send a technician to all users to log 
on locally and perform a domain re-join.

This machine is in my personal lab. I am holding off on Samba 4.15 
deployment in any larger customer environment I am maintaining for this

> Increase the debugging and post it, maybe we see more in these loggings.

I could re-deploy 4.15 in my personal environment to try to reproduce, 
but I am not sure to which log levels I should increase.

For me it certainly looks like changed behavior or a Samba bug, as 
downgrading to 4.14.7 resolves the problem entirely.

Thanks for your hints and help.
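The poster compared `samba-tool computer show` output for a working and a non-working machine by eye and saw only timestamp differences, and separately notes that the failing machines are the ones joined for two years or more. The script below is an added example (not code from this thread or from Samba) that makes that comparison mechanical: it parses the LDIF that `samba-tool computer show` or `ldbsearch` print, diffs two computer objects while ignoring per-host identity attributes and attributes that change on every logon or password rotation, and converts `pwdLastSet` (Windows FILETIME) and `whenCreated` (LDAP generalized time) into an age in days. The two records, the host names `OLDPC`/`NEWPC` and the `lab.example` domain are constructed for this example; the reference time is the timestamp of the NETLOGON event quoted above.

```python
"""Compare two AD computer objects (LDIF) and report machine-account password age.

Added example for the thread above, not Samba code. The sample records are
constructed; attribute names are the standard Active Directory ones.
"""
import base64
from datetime import datetime, timedelta, timezone

# FILETIME epoch: pwdLastSet / lastLogonTimestamp are 100 ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Attributes that legitimately differ between any two computer objects.
IDENTITY_ATTRS = {"dn", "cn", "name", "sAMAccountName", "dNSHostName",
                  "distinguishedName", "objectGUID", "objectSid",
                  "servicePrincipalName"}
# Attributes that change on every password rotation, logon or replication.
VOLATILE_ATTRS = {"whenCreated", "whenChanged", "uSNCreated", "uSNChanged",
                  "pwdLastSet", "lastLogon", "lastLogonTimestamp",
                  "logonCount", "badPasswordTime", "badPwdCount"}


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF record."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:      # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    records, current = [], {}
    for line in logical:
        if not line.strip():                     # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def filetime_to_datetime(ticks):
    """Convert a FILETIME value (100 ns ticks since 1601) to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def generalized_time_to_datetime(value):
    """Convert an LDAP generalized time such as 20190312094512.0Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def password_age_days(record, now):
    """Days since pwdLastSet; None when it is 0 (password must be set at next use)."""
    ticks = int(record["pwdLastSet"][0])
    if ticks == 0:
        return None
    return (now - filetime_to_datetime(ticks)).days


def account_age_days(record, now):
    """Days since the computer object was created."""
    return (now - generalized_time_to_datetime(record["whenCreated"][0])).days


def diff_records(a, b, ignore=IDENTITY_ATTRS | VOLATILE_ATTRS):
    """Attributes whose value sets differ, excluding identity and volatile ones."""
    out = {}
    for attr in sorted(set(a) | set(b)):
        if attr in ignore:
            continue
        va, vb = sorted(a.get(attr, [])), sorted(b.get(attr, []))
        if va != vb:
            out[attr] = (va, vb)
    return out


# Constructed sample in the shape of `samba-tool computer show` output.
SAMPLE_LDIF = """\
# constructed: a machine joined in 2019
dn: CN=OLDPC,CN=Computers,DC=lab,DC=example
cn: OLDPC
sAMAccountName: OLDPC$
dNSHostName: oldpc.lab.example
servicePrincipalName: HOST/OLDPC
servicePrincipalName: HOST/oldpc.lab.example
userAccountControl: 4096
operatingSystem: Windows 10 Pro
operatingSystemVersion: 10.0 (19042)
whenCreated: 20190312094512.0Z
whenChanged: 20210815000000.0Z
uSNChanged: 40112
pwdLastSet: 132734592000000000
lastLogonTimestamp: 132772000000000000
objectCategory: CN=Computer,CN=Schema,CN=Configuration,
 DC=lab,DC=example

# constructed: a machine joined a few days before the upgrade
dn: CN=NEWPC,CN=Computers,DC=lab,DC=example
cn: NEWPC
sAMAccountName: NEWPC$
dNSHostName: newpc.lab.example
servicePrincipalName: HOST/NEWPC
servicePrincipalName: HOST/newpc.lab.example
userAccountControl: 4096
operatingSystem: Windows 10 Pro
operatingSystemVersion: 10.0 (19043)
whenCreated: 20210924095800.0Z
whenChanged: 20210924100000.0Z
uSNChanged: 40890
pwdLastSet: 132769512000000000
lastLogonTimestamp: 132772000000000000
objectCategory: CN=Computer,CN=Schema,CN=Configuration,
 DC=lab,DC=example
"""


def main():
    now = datetime(2021, 9, 28, 19, 44, 7, tzinfo=timezone.utc)  # NETLOGON event time
    old, new = parse_ldif(SAMPLE_LDIF)
    for rec in (old, new):
        print(f"{rec['sAMAccountName'][0]:8} account age {account_age_days(rec, now):4d} d,"
              f" machine password age {password_age_days(rec, now)} d")
    for attr, (va, vb) in diff_records(old, new).items():
        print(f"differs: {attr}: {va} vs {vb}")


if __name__ == "__main__":
    main()
```

Run it against real output by piping `samba-tool computer show OLDPC$` and `samba-tool computer show NEWPC$` into a file and replacing `SAMPLE_LDIF` with its contents; anything left in the diff after the identity and volatile attributes are dropped is a genuine configuration difference between the two accounts, and the password age tells you whether the machine password is actually stale rather than just "a different timestamp".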
