[Samba] Problem after update version 4.15.0
rme at bluemail.ch
rme at bluemail.ch
Wed Sep 29 10:26:20 UTC 2021
Hello
>> No, Time is NTP-Synchronized.
>
> Yeah, same here, but still, for some reason, sometimes 1 pc is off..
> Thats why im asking.. Check, dont assume..
You are totally right and I couldn't agree more. But yes I have checked.
The time is 100% correct and synchronized. "net time" also properly
updates the clock.
> Definitly strange, but im thinking, are these pc's syspreped.
> And was there SID reset at that time.
No. I am using remote installation. The machines are all PXE-booted and
launching setup with unattended.xml with a minimum configuration only
(like license keys, time zone and local account). There is no image
adjustments, just the basic Windows 10 Professional WIM/ESD image and
specifially no cloning involved.
And again, this seems to happen only on a fraction of my existing
machines. Not on one which is also installed since a longer time but
joined to the domain just a few days before 4.14.7 to 4.15 upgrade.
>> Yes, even older. I was even using SAMBA-ldap on pre-4.0 releases. But
>> this particular machine was added later, for sure after 4.0
>> AD upgrade.
>> Sure I don't remember exact dates of upgrade. But yes this Domain was
>> upgraded all the way since first Samba 4.x releases. However
>> I don't see
>> why this should cause such issues and why there is no proper
>> migration.
>> So we might be looking at some upgrade/migration issues but my
>> understanding was that Samba should actually handle this and not just
>> start denying computer account logins on upgrade.
>> Sure if the machine using some legacy authentication method
>> or anything
>> like this, then I would expect Samba first to force the
>> client to update
>> the password or authentication method before completely
>> locking it out.
>
> Ah, im pretty sure your "source" of the problem is this.
This is working fine since years and I would still call it a Samba bug
if after an upgrade it suddenly stops working for some machines. I would
assume at least an upgrade path. It's not like I want to upgrade from
4.0 to 4.15. I am actually running a fully working installation on
4.14.7 and just do the upgrade to 4.15 where it stops working.
Though I know that there are some maintenance tasks to be done on
upgrading. I also did upgrade from older domain levels to newer ones in
previous releases.
Actually we had some nice discussions on upgrading topics already the
two of us:
<https://lists.samba.org/archive/samba/2016-August/201773.html>
Thanks again :-)
I did also have a nice discussion on domain level upgrade and bug in
Samba (failing to set proper msDS-SupportedEncryptionTypes). At this
point in time I had do to "samba-tool domain level raise" and
"samba-tool domain schemaupgrade" but still Samba would not properly
upgrade msDS-SupportedEncryptionTypes from the set value of 31 to the
expected value of 28 (RC4,AES128,AES256) so I needed to do this
manually. See here:
<https://bugs.archlinux.org/task/66023#comment190563>
I would however have expected that the "samba-tool domain schemaupgrade"
would have handled this properly, updating the domain controller AD
object with proper attributes supported by the Samba version installed.
Perhaps we are looking at a similar problem now. However I already
checked the values of msDS-SupportedEncryptionTypes for all objects
yesterday. They all report value 28 for all involved machines:
- Domain controller: msDS-SupportedEncryptionTypes: 28
- Non-Working client: msDS-SupportedEncryptionTypes: 28
- Working client: msDS-SupportedEncryptionTypes: 28
as reported by "samba-tool computer show <name>"
Also as reported yesterday the diff of "samba-tool computer show <name>"
for a working and a non-working machine only shows differences in names
and timestamps, not in encryption values or other attributes.
>> Yes, I did this. Set my servers to static entries and clients
>> to dynamic using regex.
>
> So, it seems there must be more thats off,
Also I am not sure how this could be related and why Samba would
suddenly report the machine account password to be wrong even if DNS
entries would be incorrect.
> And what if you compair the 2 ldap objects of a working and not working
> There IS a difference somewhere.
"samba-tool computer show <computername>"
should show those attributes. And as mentioned there is no single
difference in any attribute (also not in the number of attributes) on a
working and a non-working machine. Of course names and timestamps of
last logon, last change etc. are not identical too.
>> At login?
>> First of all no user can log on to the affected machines
>> (except local user accounts).
>
> While on Samba 4.17.. Then users can login.
Valid point, but actually impractical. I would have to make sure that
every single machine gets an admin-login before I could do the upgrade.
In an environment where you have machines which might not be used for
months it's not really practical to do.
Moreover none of the users do have admin privileges, so I can't use a
logon script.
I might be able to use a GPO machine startup script or my software
deployment system which runs in the background. But still I would need
to be sure each machine is re-joined before starting the upgrade.
So at best this is an ugly work-around. But still think the issue should
be tracked down in Samba.
> Then you run the script in the "computer" context" and a computer
> can maintain its own records as far i know.
> You might needed to add an xlm file locally first *can be done with GPO's.
>
> I just found this one,
> https://mcpmag.com/articles/2015/03/05/rejoin-a-computer-from-a-domain.aspx
> Read it, that might give the idea on howto rejoin them.
> Because, i think its really needed..
Thank you for the input. But I think we might get lost in such
workarounds rather than tracking down the root cause. We can't really
ask all administrators using Samba domain controllers anywhere in the
world to do this pre-preparation to re-join all machines before doing
any Samba upgrades to 4.15. Moreover the Arch Linux link you provides
indicates that it might not even help to re-join the machine.
> Your domain is even older then mine, i started with 4.1.x
> And im even thinking currenlty to, setup a complete new fresh domain.
I don't see why it should be necessary. Samba provides backwards
compatibility and the database files are just fine after the upgrade.
Samba also provides samba-tool domain level and domain upgrade tools for
exactly this purpose. If the tools don't work, the tools should be fixed.
> Your welkom..
Much appreciated.
Rainer
More information about the samba
mailing list