[Samba] Problem after update version 4.15.0

L.P.H. van Belle belle at bazuin.nl
Wed Sep 29 09:22:52 UTC 2021


> -----Original message-----
> From: rme at bluemail.ch [mailto:rme at bluemail.ch] 
> Sent: Wednesday 29 September 2021 10:48
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Problem after update version 4.15.0
> Hello
> On 29.09.2021 10:08, L.P.H. van Belle via samba wrote:
> > This.
> >> ../../source4/auth/ntlm/auth.c:241(auth_check_password_send)
> >>     auth_check_password_send: Checking password for unmapped user
> > 
> > I would have expected
> Actually right. Would expect the same. But in Samba 4.14.7 no such 
> problem appearing.
> > I see this now and then here also: suddenly a 
> > computer/user can't log in.
> > Common causes..
> > 1) PC time out of sync with DC.
> No, Time is NTP-Synchronized.

Yeah, same here, but still, for some reason, sometimes 1 PC is off. 
That's why I'm asking. Check, don't assume. 

> > 2) Computer account its password expired.
> Not sure, but Samba 4.14.7 does not complain at all - even if reverting 
> just the Samba binaries I am perfectly able to log on. Passwords are 
> supposed to renew automatically as far as I know. The machine is in 
> use almost daily, so it's not a machine which was not connected or off 
> for months.
> > 3) Lost domain trust.
> Right after Samba 4.15 upgrade? On 80% of my machines? And machines 
> re-gain trust after Samba downgrade? Hmmm

Definitely strange, but I'm thinking: are these PCs sysprepped? 
And was the SID reset at that time? 

> > But what does the event log show, and I assume the same user 
> > on another computer can log in?
> Good point, let me try to dig up some logs from my attempts yesterday 
> (meanwhile my Samba is rolled back).
> Here is what I found in the event logs:
> Log Name:      System
> Source:        NETLOGON
> Date:          9/28/2021 9:44:07 PM
> Event ID:      3210
> Task Category: None
> Level:         Error
> Keywords:      Classic
> User:          N/A
> Computer:      cyb64w10-test.ad.cyberdyne.local
> Description:
> This computer could not authenticate with \\skynet.ad.cyberdyne.local, a 
> Windows domain controller for domain CYBERDYNE, and therefore this 
> computer might deny logon requests. This inability to authenticate might 
> be caused by another computer on the same network using the same name or 
> the password for this computer account is not recognized. If this 
> message appears again, contact your system administrator.
> Event Xml:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>    <System>
>      <Provider Name="NETLOGON" />
>      <EventID Qualifiers="0">3210</EventID>
>      <Version>0</Version>
>      <Level>2</Level>
>      <Task>0</Task>
>      <Opcode>0</Opcode>
>      <Keywords>0x80000000000000</Keywords>
>      <TimeCreated SystemTime="2021-09-28T19:44:07.3916682Z" />
>      <EventRecordID>24124</EventRecordID>
>      <Correlation />
>      <Execution ProcessID="0" ThreadID="0" />
>      <Channel>System</Channel>
>      <Computer>cyb64w10-test.ad.cyberdyne.local</Computer>
>      <Security />
>    </System>
>    <EventData>
>      <Data>CYBERDYNE</Data>
>      <Data>\\skynet.ad.cyberdyne.local</Data>
>      <Binary>220000C0</Binary>
>    </EventData>
> </Event>
> Again, this completely disappeared after rolling back, without domain 
> re-join or anything else. Samba 4.15 seems just to refuse 
> authentication for no good reason.
> >> I also compared "samba-tool computer show" of a working and one
> >> non-working machine and can't find any differences other than
> >> timestamps.
> > Hmm, is this an "old" domain, like from before 4.9?
> Yes, even older. I was even using SAMBA-ldap on pre-4.0 releases. But 
> this particular machine was added later, for sure after the 4.0 AD upgrade. 
> Sure, I don't remember the exact dates of the upgrade. But yes, this domain was 
> upgraded all the way since the first Samba 4.x releases. However, I don't see 
> why this should cause such issues and why there is no proper migration. 
> So we might be looking at some upgrade/migration issues, but my 
> understanding was that Samba should actually handle this and not just 
> start denying computer account logins on upgrade.
> Sure, if the machine is using some legacy authentication method or anything 
> like this, then I would expect Samba to first force the client to update 
> the password or authentication method before completely locking it out.

Ah, I'm pretty sure your "source" of the problem is this. 

> > 
> > Did you use
> > 'samba-tool dns zoneoptions' for aging control
> > ----------------------------------------------
> > Or
> > Marking old records as static or dynamic with 'samba-tool'
> > 
> >  From : https://www.samba.org/samba/history/samba-4.15.0.html
> Yes, I did this. Set my servers to static entries and clients 
> to dynamic using regex.

So, it seems there must be more that's off. 

> > If i have to gamble on this, 2 options.
> > Windows 10 bug or Samba fix in 4.15 that triggered it.
> Guessing the second one too. But I seem not to be the only one having 
> this issue. As mentioned, it seems to happen only to machines 
> which have been joined to the domain for quite a while (2 years+). 
> Another machine I just joined a few days ago on Samba 4.14.7 
> is not affected and still allows login after the 4.15 upgrade.

And what if you compare the 2 LDAP objects of a working and a non-working machine?
There IS a difference somewhere.

> So I would be fine if anyone could either:
> - Provide a fix in Samba
> - Provide a procedure to be run before the upgrade
> - Provide a procedure to be run after the upgrade
>    (preferably no manual actions on clients like re-join)
> Obviously I would like to avoid having to re-join all the 
> machines but if I would have to run some database-update command or 
> migration script
> I would be totally fine.

I'm thinking about what we can do here. 

> > And if you dont want to re-register 1 pc..
> > (You can do this with a script at login for the whole domain. )
> At login?
> First of all no user can log on to the affected machines 
> (except local user accounts). 

While on Samba 4.17... then users can log in. 

> Users don't have any admin privileges on the  machines, 
> logon scripts run in user context and cannot perform domain join. 

Then you run the script in the "computer" context, and a computer
can maintain its own records as far as I know. 
You might need to add an XML file locally first (can be done with GPOs).

I just found this one. 
Read it; that might give you the idea of how to rejoin them. 
Because I think it's really needed. 

Your domain is even older than mine; I started with 4.1.x. 
And I'm even currently thinking of setting up a completely new, fresh domain. 

> Moreover the users can't even log on.
> I might be able to use psexec to execute commands remotely, but did not 
> try if this works if the domain machine account is actually denied. Also, 
> I don't want to do this, as if I roll out Samba 4.15 in an environment 
> with hundreds of machines I would rather prefer not having to sync with 
> the users to bring the machines online and run commands in the 
> background. 
> It's also just not acceptable to send a technician to all 
> users to log on locally and perform a domain re-join.
> This machine is in my personal lab. I am holding off on Samba 4.15 
> deployment in any larger customer environment I am 
> maintaining for this reason.
> > Increase the debugging and post it, maybe we see more in 
> these loggings.
> I could re-deploy 4.15 in my personal environment trying to reproduce 
> but I am not sure to which log levels I should increase.
> For me it certainly looks like changed behavior or Samba bug as 
> downgrading to 4.14.7 resolves the problem entirely.
> Thanks for your hints and help.

You're welcome. 
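Two checks that follow from this exchange, as an added example that is not part of the original post and not Samba's own tooling: decoding the Binary field of the client's NETLOGON 3210 event into an NTSTATUS (the event quoted above carries 220000C0, which is the little-endian encoding of 0xC0000022), and comparing the AD objects of a working and a non-working computer the way the reply suggests, with the attributes that legitimately differ between any two machines (timestamps, USNs, names, SIDs, SPNs) filtered out so only meaningful differences remain. The two LDIF files in the script are constructed sample data modelled on the hostnames in the thread; the output of `samba-tool computer show` on a real DC contains more attributes and may vary by version, the status table is a partial list, and the attribute that differs in the samples is only an illustration of what the diff surfaces, not a diagnosis of the 4.15 behaviour.

```shell
#!/bin/sh
# Added example, not from the thread or from the Samba project.
# Two checks for the situation discussed above:
#  1. decode the <Binary> field of the client's NETLOGON event 3210
#     (it is the NTSTATUS of the failed secure-channel setup, little-endian);
#  2. diff the AD computer objects of a working and a non-working machine
#     while ignoring attributes that always differ, so only real
#     differences remain.
# On a real DC export the objects first, e.g.:
#   samba-tool computer show 'CYB64W10-OK$'   > working.ldif
#   samba-tool computer show 'CYB64W10-TEST$' > broken.ldif
# The two LDIF files below are constructed sample data; the attribute that
# differs in them is only an illustration of what the diff surfaces.

# --- 1. NTSTATUS from the event's Binary data ---------------------------
# Only codes commonly seen on machine-account failures; extend as needed.
ntstatus_from_binary() {
    # "220000C0" is 4 little-endian bytes -> reverse them -> C0000022
    code=$(printf '%s' "$1" | tr 'a-f' 'A-F' |
           sed 's/^\(..\)\(..\)\(..\)\(..\)$/\4\3\2\1/')
    case "$code" in
        C0000022) name=STATUS_ACCESS_DENIED ;;
        C000005E) name=STATUS_NO_LOGON_SERVERS ;;
        C0000064) name=STATUS_NO_SUCH_USER ;;
        C000006A) name=STATUS_WRONG_PASSWORD ;;
        C0000133) name=STATUS_TIME_DIFFERENCE_AT_DC ;;
        C000018B) name=STATUS_NO_TRUST_SAM_ACCOUNT ;;
        *)        name=UNKNOWN ;;
    esac
    printf '0x%s %s\n' "$code" "$name"
}

# --- 2. Attribute diff of two computer objects --------------------------
# Attributes expected to differ between any two healthy computers.
IGNORE='^(dn|cn|name|distinguishedName|sAMAccountName|dNSHostName|servicePrincipalName|objectGUID|objectSid|whenCreated|whenChanged|uSNCreated|uSNChanged|lastLogon|lastLogonTimestamp|logonCount|pwdLastSet|badPasswordTime|badPwdCount):'
TAB=$(printf '\t')

normalize() {
    # drop ignored attributes and blank lines; sort so attribute order is irrelevant
    grep -Ev "$IGNORE" "$1" | grep -v '^$' | sort
}

diff_computers() {
    a=$(mktemp); b=$(mktemp)
    normalize "$1" > "$a"
    normalize "$2" > "$b"
    # comm -3: column 1 = only in first object, column 2 (tab-indented) = only in second
    comm -3 "$a" "$b" | sed -e "/^$TAB/!s/^/only in A: /" -e "s/^$TAB/only in B: /"
    rm -f "$a" "$b"
}

# exit status 0 when nothing but the ignored attributes differs
same_object() { [ -z "$(diff_computers "$1" "$2")" ]; }

# --- constructed sample objects (not real exports) ----------------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/working.ldif" <<'EOF'
dn: CN=CYB64W10-OK,CN=Computers,DC=ad,DC=cyberdyne,DC=local
objectClass: computer
cn: CYB64W10-OK
whenCreated: 20210925120000.0Z
whenChanged: 20210928194400.0Z
uSNChanged: 5302
userAccountControl: 4096
primaryGroupID: 515
sAMAccountName: CYB64W10-OK$
dNSHostName: cyb64w10-ok.ad.cyberdyne.local
servicePrincipalName: HOST/CYB64W10-OK
msDS-SupportedEncryptionTypes: 28
pwdLastSet: 132768326470000000
operatingSystem: Windows 10 Pro
EOF
cat > "$SAMPLE_DIR/broken.ldif" <<'EOF'
dn: CN=CYB64W10-TEST,CN=Computers,DC=ad,DC=cyberdyne,DC=local
objectClass: computer
cn: CYB64W10-TEST
whenCreated: 20190311080000.0Z
whenChanged: 20210928190000.0Z
uSNChanged: 5290
userAccountControl: 4096
primaryGroupID: 515
sAMAccountName: CYB64W10-TEST$
dNSHostName: cyb64w10-test.ad.cyberdyne.local
servicePrincipalName: HOST/CYB64W10-TEST
pwdLastSet: 132735000000000000
operatingSystem: Windows 10 Pro
EOF

ntstatus_from_binary 220000C0     # 0xC0000022 STATUS_ACCESS_DENIED
diff_computers "$SAMPLE_DIR/working.ldif" "$SAMPLE_DIR/broken.ldif"
```

The status code is worth decoding before anything else: STATUS_NO_TRUST_SAM_ACCOUNT means the DC has no matching computer account, whereas STATUS_ACCESS_DENIED (what the quoted event carries) means the account exists and the secure-channel credential was rejected, which points at the account object or password rather than at a missing join. The diff then narrows down which object attributes actually differ; what to do about a given difference is not something this thread settles.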

More information about the samba mailing list