[Samba] Problem after update version 4.15.0
L.P.H. van Belle
belle at bazuin.nl
Wed Sep 29 09:22:52 UTC 2021
> -----Original Message-----
> From: rme at bluemail.ch [mailto:rme at bluemail.ch]
> Sent: Wednesday, 29 September 2021 10:48
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Problem after update version 4.15.0
>
> Hello
>
> On 29.09.2021 10:08, L.P.H. van Belle via samba wrote:
> > This.
> >> ../../source4/auth/ntlm/auth.c:241(auth_check_password_send)
> >> auth_check_password_send: Checking password for unmapped user
> >> [CYBERDYNE]\[CYB64W10-TEST$]@[CYB64W10-TEST]
> >
> > I would have expected
> >> [CYBERDYNE]\[CYB64W10-TEST$]@[AD.CYBERDYNE.LOCAL]
>
> Actually right. Would expect the same. But in Samba 4.14.7 no such
> problem appearing.
>
> > I see this now and then here also, that suddenly a
> > computer/user can't log in.
> > Common causes..
> > 1) PC time out of sync with DC.
>
> No, Time is NTP-Synchronized.
Yeah, same here, but still, for some reason, sometimes 1 PC is off.
That's why I'm asking. Check, don't assume.
>
> > 2) Computer account its password expired.
>
> Not sure but Samba 4.14.7 does not complain at all - even if
> reverting
> just Samba binaries I am perfectly able to log on. Passwords are
> supposed to renew automatically as of my knowledge. The machine is in
> use almost daily so it's not a machine which was not connected or off
> for months.
>
> > 3) Lost domain trust.
>
> Right after Samba 4.15 upgrade? On 80% of my machines? And machines
> re-gain trust after Samba downgrade? Hmmm
Definitely strange, but I'm thinking: are these PCs sysprepped?
And was the SID reset at that time?
>
>
> > But what does the eventlog show, and I assume the same user
> > on another computer can log in?
>
> Good point, let me try to dig up some logs from my attempts yesterday
> (meanwhile my Samba is rolled back).
>
> Here is what I found in the event logs:
>
> Log Name: System
> Source: NETLOGON
> Date: 9/28/2021 9:44:07 PM
> Event ID: 3210
> Task Category: None
> Level: Error
> Keywords: Classic
> User: N/A
> Computer: cyb64w10-test.ad.cyberdyne.local
> Description:
> This computer could not authenticate with
> \\skynet.ad.cyberdyne.local, a
> Windows domain controller for domain CYBERDYNE, and therefore this
> computer might deny logon requests. This inability to
> authenticate might
> be caused by another computer on the same network using the
> same name or
> the password for this computer account is not recognized. If this
> message appears again, contact your system administrator.
> Event Xml:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> <System>
> <Provider Name="NETLOGON" />
> <EventID Qualifiers="0">3210</EventID>
> <Version>0</Version>
> <Level>2</Level>
> <Task>0</Task>
> <Opcode>0</Opcode>
> <Keywords>0x80000000000000</Keywords>
> <TimeCreated SystemTime="2021-09-28T19:44:07.3916682Z" />
> <EventRecordID>24124</EventRecordID>
> <Correlation />
> <Execution ProcessID="0" ThreadID="0" />
> <Channel>System</Channel>
> <Computer>cyb64w10-test.ad.cyberdyne.local</Computer>
> <Security />
> </System>
> <EventData>
> <Data>CYBERDYNE</Data>
> <Data>\\skynet.ad.cyberdyne.local</Data>
> <Binary>220000C0</Binary>
> </EventData>
> </Event>
>
>
> Again, this completely disappeared after rolling back, without domain
> re-join or anything else. Samba 4.15 seems just to refuse
> authentication for no good reason.
>
>
> >> I also compared "samba-tool computer show" of a working and one
> >> non-working machine and can't find any differences other than
> >> timestamps.
> > Hmm, is this an "old" domain, like from before 4.9?
>
> Yes, even older. I was even using SAMBA-ldap on pre-4.0 releases. But
> this particular machine was added later, for sure after 4.0
> AD upgrade.
> Sure I don't remember exact dates of upgrade. But yes this Domain was
> upgraded all the way since first Samba 4.x releases. However
> I don't see
> why this should cause such issues and why there is no proper
> migration.
> So we might be looking at some upgrade/migration issues but my
> understanding was that Samba should actually handle this and not just
> start denying computer account logins on upgrade.
> Sure if the machine using some legacy authentication method
> or anything
> like this, then I would expect Samba first to force the
> client to update
> the password or authentication method before completely
> locking it out.
Ah, I'm pretty sure your "source" of the problem is this.
>
>
> >
> > Did you use
> > 'samba-tool dns zoneoptions' for aging control
> > ----------------------------------------------
> > Or
> > Marking old records as static or dynamic with 'samba-tool'
> >
> > From : https://www.samba.org/samba/history/samba-4.15.0.html
>
> Yes, I did this. Set my servers to static entries and clients
> to dynamic using regex.
So, it seems there must be more that's off.
>
>
> > If i have to gamble on this, 2 options.
> > Windows 10 bug or Samba fix in 4.15 that triggered it.
>
> Guessing the second one too. But I seem not to be the only one having
> this issue. As mentioned it seems to happen only to machines
> which are joined to the domain since quite a while (2 years+).
> Another machine I just joined a few days ago on Samba 4.14.7
> is not affected and still allows login after 4.15 upgrade.
And what if you compare the two LDAP objects of a working and a non-working one?
There IS a difference somewhere.
>
> So I would be fine if anyone could either:
> - Provide a fix in Samba
> - Provide a procedure to be run before the upgrade
> - Provide a procedure to be run after the upgrade
> (preferably no manual actions on clients like re-join)
>
> Obviously I would like to avoid having to re-join all the
> machines but if I would have to run some database-update command or
> migration script
> I would be totally fine.
I'm thinking about what we can do here.
>
>
> > And if you don't want to re-register 1 PC..
> > (You can do this with a script at login for the whole domain.)
>
> At login?
> First of all no user can log on to the affected machines
> (except local user accounts).
While on Samba 4.17... then users can log in.
> Users don't have any admin privileges on the machines,
> logon scripts run in user context and cannot perform domain join.
Then you run the script in the "computer" context, and a computer
can maintain its own records as far as I know.
You might need to add an XML file locally first (can be done with GPOs).
I just found this one:
https://mcpmag.com/articles/2015/03/05/rejoin-a-computer-from-a-domain.aspx
Read it, that might give you an idea on how to rejoin them.
Because I think it's really needed.
Your domain is even older than mine, I started with 4.1.x
And I'm even thinking currently of setting up a complete new fresh domain.
> Moreover the users can't even log on.
> I might be able to use psexec to execute commands remotely
> but did not
> try if this works if the domain machine account is denied
> actually. Also
> I don't want to do this as if I roll out Samba 4.15 in an environment
> with hundreds of machines I would rather prefer not having to
> sync with
> the users to bring the machines online and run commands in
> background.
> It's also just not acceptable to send a technician to all
> users to log on locally and perform a domain re-join.
>
> This machine is in my personal lab. I am holding on with Samba 4.15
> deployment in any larger customer environment I am
> maintaining for this reason.
>
>
> > Increase the debugging and post it, maybe we see more in
> > these logs.
>
> I could re-deploy 4.15 in my personal environment trying to reproduce
> but I am not sure to which log levels I should increase.
>
> For me it certainly looks like changed behavior or Samba bug as
> downgrading to 4.14.7 resolves the problem entirely.
>
> Thanks for your hints and help.
You're welcome.
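The comparison suggested in this reply (the LDAP object of a working machine next to the object of a non-working one, with the timestamps set aside) is the kind of check a Samba admin would script rather than eyeball. The following is an added example and not code from this thread or from the Samba project. It assumes the two objects were dumped with `samba-tool computer show`, treats an editorial list of attributes (timestamps, USNs, per-host identity) as volatile, and works on two constructed sample dumps that reuse the thread's host and domain names; the one non-volatile difference in the samples (operatingSystemVersion) is constructed for illustration, not a finding about the case.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project:
# compare two computer objects as dumped by 'samba-tool computer show',
# ignoring attributes that differ between ANY two objects (timestamps,
# USNs, per-host identity), so that whatever remains is worth a look.
LC_ALL=C; export LC_ALL

# Attributes that legitimately differ between any two computer objects.
# Assumption: an editorial list, extend it for your own domain.
VOLATILE='^(dn|cn|name|distinguishedName|objectGUID|objectSid|sAMAccountName|dNSHostName|servicePrincipalName|whenCreated|whenChanged|uSNCreated|uSNChanged|lastLogon|lastLogonTimestamp|logonCount|pwdLastSet|badPasswordTime|badPwdCount|msDS-KeyVersionNumber):'

# normalize_ldif FILE
#   Join folded LDIF continuation lines (a leading space continues the
#   previous value), drop comments, blanks and volatile attributes, sort.
normalize_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
             { if (buf != "") print buf; buf = $0 }
        END  { if (buf != "") print buf }
    ' "$1" \
    | grep -Ev '^(#|$)' \
    | grep -Ev "$VOLATILE" \
    | sort
}

# diff_computer_objects GOOD BAD
#   Print lines present in only one object ('< ' only in GOOD, '> ' only
#   in BAD). Returns 0 if the normalized objects match, 1 if they differ.
diff_computer_objects() {
    tmp=$(mktemp -d) || return 2
    normalize_ldif "$1" > "$tmp/good"
    normalize_ldif "$2" > "$tmp/bad"
    comm -23 "$tmp/good" "$tmp/bad" | sed 's/^/< /'
    comm -13 "$tmp/good" "$tmp/bad" | sed 's/^/> /'
    if cmp -s "$tmp/good" "$tmp/bad"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# write_samples DIR
#   Constructed sample dumps (not real objects from the thread): a recently
#   joined and a long-joined Windows 10 client; apart from volatile
#   attributes only operatingSystemVersion differs.
write_samples() {
    cat > "$1/good.ldif" <<'EOF'
dn: CN=CYB64W10-NEW,CN=Computers,DC=ad,DC=cyberdyne,DC=local
objectClass: computer
cn: CYB64W10-NEW
whenCreated: 20210925101233.0Z
whenChanged: 20210928194407.0Z
uSNChanged: 41312
userAccountControl: 4096
pwdLastSet: 132768535530000000
primaryGroupID: 515
logonCount: 12
sAMAccountName: CYB64W10-NEW$
dNSHostName: cyb64w10-new.ad.cyberdyne.local
servicePrincipalName: HOST/CYB64W10-NEW
operatingSystem: Windows 10 Pro
operatingSystemVersion: 10.0 (19043)
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=cyberdyne,
 DC=local
EOF
    cat > "$1/bad.ldif" <<'EOF'
dn: CN=CYB64W10-TEST,CN=Computers,DC=ad,DC=cyberdyne,DC=local
objectClass: computer
cn: CYB64W10-TEST
whenCreated: 20190614081910.0Z
whenChanged: 20210928194407.0Z
uSNChanged: 41309
userAccountControl: 4096
pwdLastSet: 132739462090000000
primaryGroupID: 515
logonCount: 983
lastLogonTimestamp: 132768548470000000
sAMAccountName: CYB64W10-TEST$
dNSHostName: cyb64w10-test.ad.cyberdyne.local
servicePrincipalName: HOST/CYB64W10-TEST
operatingSystem: Windows 10 Pro
operatingSystemVersion: 10.0 (19042)
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=cyberdyne,
 DC=local
EOF
}

# Demo on the constructed samples. For real data, dump each object with
# 'samba-tool computer show <name> > file' and pass the two files instead.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    if diff_computer_objects "$d/good.ldif" "$d/bad.ldif"; then
        echo "no differences beyond volatile attributes"
    else
        echo "non-volatile differences listed above"
    fi
    rm -rf "$d"
}
demo
```

Run on the constructed samples this prints one `<` and one `>` line for operatingSystemVersion and nothing else, because the timestamp, USN and identity attributes have been stripped before the comparison. The value of the check is in the volatile list: anything left over after it is applied is, by construction, a difference between the two objects that is not explained by "when" or "which host", which is exactly what the reply is asking to find.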