[Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
William Kirstaedter
kirstaedter at fhi-berlin.mpg.de
Wed Aug 31 10:05:43 UTC 2022
@Ralph
I was referring to this line in the /var/log/samba/log.smbd on the AD
Server:
[2022/08/30 17:11:39.808445, 1, pid=8018] ../../auth/gensec/spnego.c:1341(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
@Rowland
Well, the hammer is not an option, my colleague would cut my head off :D
He likes them for their resilience, and these machines are really
expensive...
@Louis / all
here's the extracted smb.conf, which is compiled from several templates:
root at wayland:~# cat /etc/samba/smb.conf
# Warning: This file is auto-generated and might be overwritten by
# univention-config-registry.
# Please edit the following file(s) instead:
# Warning: This file was generated automatically and may be overwritten by
# univention-config-registry.
# Please edit the following file(s) instead:
#
# /etc/univention/templates/files/etc/samba/smb.conf.d/10global
# /etc/univention/templates/files/etc/samba/smb.conf.d/11univention-smb-service
# /etc/univention/templates/files/etc/samba/smb.conf.d/21univention-samba_winbind
# /etc/univention/templates/files/etc/samba/smb.conf.d/31univention-samba_password
# /etc/univention/templates/files/etc/samba/smb.conf.d/41univention-samba_printing
# /etc/univention/templates/files/etc/samba/smb.conf.d/51univention-samba_domain
# /etc/univention/templates/files/etc/samba/smb.conf.d/61univention-samba_misc
# /etc/univention/templates/files/etc/samba/smb.conf.d/71univention-samba_users
# /etc/univention/templates/files/etc/samba/smb.conf.d/81univention-quota_scripts
# /etc/univention/templates/files/etc/samba/smb.conf.d/90univention-samba_user_shares
# /etc/univention/templates/files/etc/samba/smb.conf.d/91univention-samba_shares
# /etc/univention/templates/files/etc/samba/smb.conf.d/92univention-samba_shares
# /etc/univention/templates/files/etc/samba/smb.conf.d/95univention-samba_local_config
# /etc/univention/templates/files/etc/samba/smb.conf.d/99univention-samba_local_shares
#
; ---------------------<10global>------------------------
[global]
debug level = 1
logging = file
max log size = 0
netbios name = wayland
server role = active directory domain controller
name resolve order = wins host bcast
server string = Univention Corporate Server
server services = -dns -smb +s3fs -nbt
server role check:inhibit = yes
# use nmbd; to disable set samba4/service/nmb to s4
nmbd_proxy_logon:cldap_server=127.0.0.1
workgroup = FHI
realm = FHI.MPG.DE
tls enabled = yes
tls keyfile = /etc/univention/ssl/wayland.fhi.mpg.de/private.key
tls certfile = /etc/univention/ssl/wayland.fhi.mpg.de/cert.pem
tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
tls verify peer = ca_and_name
ldap server require strong auth = allow_sasl_over_tls
dsdb:schema update allowed = no
max open files = 32808
interfaces = lo ens192
bind interfaces only = yes
server signing = yes
ntlm auth = yes
machine password timeout = 0
acl allow execute always = True
kccsrv:samba_kcc = False
; ---------------------</10global>------------------------
; ---------------------<smb service configuration>-----------------------
debug hirestimestamp = yes
debug pid = yes
; ---------------------</smb service configuration>----------------------
; idmap/winbind
winbind separator = +
template shell = /bin/bash
template homedir = /home/%D-%U
idmap config * : backend = tdb
idmap config * : range = 300000-400000
passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
obey pam restrictions = yes
spoolss: architecture = Windows x64
; domain service lookup related settings
preferred master = yes
local master = yes
domain master = yes
wins support = yes
; miscellaneous settings, mostly for file services
oplocks = yes
large readwrite = yes
read raw = yes
write raw = yes
max xmit = 65535
acl:search = yes
host msdfs = yes
kernel oplocks = yes
deadtime = 15
getwd cache = yes
wide links = no
store dos attributes = yes
max protocol = smb2
client max protocol = smb2
logon home = \\wayland\%U
logon drive = I:
logon path = \\wayland\%U\windows-profiles\%a
preserve case = yes
short preserve case = yes
guest account = nobody
map to guest = Bad User
admin users = administrator join-backup
usershare max shares = 0
; -----------------------------------------------------------------------------------------------------------
include = /etc/samba/base.conf
include = /etc/samba/shares.conf
include = /etc/samba/printers.conf
include = /etc/samba/local.config.conf
and the includes...:
base.conf
# Warning: This file is auto-generated and might be overwritten by
# univention-config-registry.
# Please edit the following file(s) instead:
# Warning: This file was generated automatically and may be overwritten by
# univention-config-registry.
# Please edit the following file(s) instead:
#
# /etc/univention/templates/files/etc/samba/base.conf
#
[netlogon]
comment = Domain logon service
path = /var/lib/samba/sysvol/fhi.mpg.de/scripts
public = no
preserve case = yes
case sensitive = no
vfs objects = dfs_samba4 acl_xattr
read only = no
[sysvol]
path = /var/lib/samba/sysvol
public = no
preserve case = yes
case sensitive = no
vfs objects = dfs_samba4 acl_xattr
read only = no
acl xattr update mtime = yes
[homes]
comment = Heimatverzeichnisse
hide files = /windows-profiles/
browsable = no
read only = no
create mask = 0700
directory mask = 0700
vfs objects = acl_xattr
[printers]
comment = Drucker
browseable = no
path = /tmp
printable = yes
public = no
writable = no
create mode = 0700
# use client driver = true
# lpq command = lpstat -o %p
# lprm command = cancel %p-%j
# using windows printer drivers
# print command = lpr -P %p -o raw %s -r
# using cups drivers (PostScript on Windows)
# print command = lpr -P %p %s
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
browseable = yes
guest ok = no
read only = no
write list = root, Administrator, @Printer-Admins
------------------------------------------------------------------------------
share.conf (only used for login wallpaper)
[share]
path = /share
msdfs root = no
writeable = yes
browseable = yes
public = yes
dos filemode = no
hide unreadable = no
create mode = 0744
directory mode = 0755
force create mode = 00
force directory mode = 00
locking = 1
strict locking = Auto
oplocks = 1
level2 oplocks = 1
fake oplocks = 0
csc policy = manual
nt acl support = 1
inherit acls = 1
vfs objects = acl_xattr
inherit owner = no
inherit permissions = no
map acl inherit = yes
------------------------------------------------------------------------------
homedirs.conf (this should not be of interest since all homes are on the
netapp)
[homedirs]
path = /home
msdfs root = no
writeable = yes
browseable = yes
public = no
dos filemode = no
hide unreadable = no
create mode = 0744
directory mode = 0755
force create mode = 00
force directory mode = 00
locking = 1
strict locking = Auto
oplocks = 1
level2 oplocks = 1
fake oplocks = 0
csc policy = manual
nt acl support = 1
inherit acls = 1
vfs objects = acl_xattr
inherit owner = no
inherit permissions = no
map acl inherit = yes
------------------------------------------------------------------------------
global.local.config.conf (this was their fix for a previous upgrade)
[global]
auth methods = sam winbind sam_ignoredomain
server require schannel:141.14.140.32 = no
server require schannel:141.14.143.33 = no
server require schannel:nap32.fhi.mpg.de = no
server require schannel:nap32.rz-berlin.mpg.de = no
server require schannel:nap33.fhi.mpg.de = no
server require schannel:nap33.rz-berlin.mpg.de = no
server schannel = yes
------------------------------------------------------------------------------
do you need more?
I can also put log level to 10 and post a link to that huge file if you
want to read through that...
really thanks!
William Kirstaedter (PP&B) Fritz-Haber-Institut der MPG
Faradayweg 4-6 14195 Berlin
Tel: 030 8413 5405 Mail: kirstaedter at fhi-berlin.mpg.de
On 31.08.2022 at 11:32, L. van Belle via samba wrote:
> He needs to get the smb.conf from the Univention server and show it in the list.
> Only when we see that can we give an estimate of what's going on.
>
> Just like the Synology, I'm assuming Univention used "unsupported" settings..
> They work in lower Samba versions, but the higher the Samba version, the more problems they will get.
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba <samba-bounces at lists.samba.org> On behalf of Ralph Boehme via
>> samba
>> Sent: Wednesday 31 August 2022 10:31
>> To: William Kirstaedter <kirstaedter at fhi-berlin.mpg.de>;
>> samba at lists.samba.org
>> Subject: Re: [Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server
>> Authentication
>>
>> On 8/30/22 17:12, William Kirstaedter via samba wrote:
>>> I'm now asking here because neither Univention nor Netapp seem to want
>>> to help since they both say that combination is not supported /
>>> recommended. no reasons given.
>> ouch, so you're sitting between the chairs. :/
>>
>> If you can share logs from the Samba DC and network traces of the SMB login
>> with the list, with a bit of luck someone has the time to look into them. But
>> given the complexity of the issue and that this is going to contain sensitive
>> data, I'm not sure community support is going to cut it.
>>
>> If you have the option, you could consider commercial support via:
>>
>> https://www.samba.org/samba/support/globalsupport.html
>>
>> Cheers!
>> -slow
>>
>> --
>> Ralph Boehme, Samba Team https://samba.org/
>> SerNet Samba Team Lead https://sernet.de/en/team-samba
>
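As an added illustration (not code from this thread, nor from Univention or Samba), a small Python audit that parses an smb.conf in the shape posted above and flags the settings in it that weaken authentication on an AD DC: `ntlm auth = yes` (permits NTLMv1), per-host `server require schannel:<host> = no` exemptions, and shares with `public = yes`. The sample config is constructed and abridged from the fragments in this mail; the `include =` files are assumed to be already merged, as in the posted listing.

```python
import re
from collections import defaultdict
# Constructed sample, abridged from the smb.conf fragments posted in this thread.
SMB_CONF = """\
[global]
server role = active directory domain controller
ntlm auth = yes
server require schannel:141.14.140.32 = no
server require schannel:nap32.fhi.mpg.de = no
server schannel = yes
[share]
path = /share
public = yes
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}. '#'/';' lines are
    comments, a trailing backslash joins lines; include= is not resolved."""
    sections, current = defaultdict(dict), None
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            continue
        if "=" not in line or current is None:
            continue
        key, _, value = line.partition("=")
        # Samba ignores case and internal whitespace in parameter names.
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return dict(sections)

def audit(sections):
    """Return (section, key, finding) triples for settings that weaken auth."""
    yes, no = ("yes", "true", "1"), ("no", "false", "0")
    findings = []
    g = sections.get("global", {})
    if g.get("ntlm auth", "").lower() in yes:
        findings.append(("global", "ntlm auth", "NTLMv1 permitted (default is NTLMv2 only)"))
    for key, value in g.items():
        if key.startswith("server require schannel:") and value.lower() in no:
            host = key.split(":", 1)[1]
            findings.append(("global", key, "netlogon secure channel not required for " + host))
    for name, opts in sections.items():
        if name != "global" and opts.get("public", opts.get("guest ok", "no")).lower() in yes:
            findings.append((name, "public", "guest access allowed on share"))
    return findings
```

Run `audit(parse_smb_conf(open("/etc/samba/smb.conf").read()))` on a merged config to list the exemptions; every `server require schannel:` line it reports is a host for which the Netlogon secure-channel check is switched off.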