[Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication

L. van Belle belle at samba.org
Wed Aug 31 11:13:27 UTC 2022


I suggest 1 change to start with.

Look if you can change this from within univention somewhere..

ntlm auth = yes
to
ntlm auth = mschapv2-and-ntlmv2-only

Small steps in these changes since univention has its own way of setting up things.

A few small things that might help a bit.
netbios name    = wayland
to 
netbios name    = WAYLAND

And start using \\FQ.DN\share  everywhere. 
>          logon home = \\wayland\%U
>          logon drive = I:
>          logon path = \\wayland\%U\windows-profiles\%a

to 

>          logon home = \\wayland.your.dnsdomain.tld\%U
>          logon drive = I:
>          logon path = \\wayland.your.dnsdomain.tld\%U\windows-profiles\%a


>          max protocol = smb2
>          client max protocol = smb2
to
>          max protocol = smb3  # or remove this one.
>          client max protocol = smb3  # or remove this one.
add if possible
          client min protocol = smb2

Start with that; maybe Rowland has more, but as said, the setup is way out of the "normal" scope of settings.
Not your doing, but how it's set up.

Greetz, 

Louis
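The checks suggested above (ntlm auth, upper-case netbios name, SMB3 protocol caps, a client min protocol, and FQDN logon paths), as an added example that is not part of the original thread: a small smb.conf parser and linter for the [global] section. The sample configuration embedded in it is constructed from the lines quoted later in the thread; the finding texts are my wording, not Samba's.

```python
"""Lint an smb.conf for the [global] settings flagged in the reply above (added example)."""
import re
# Constructed sample that mirrors the [global] lines quoted from the Univention server.
SAMPLE_SMB_CONF = r"""
[global]
         netbios name    = wayland
         ntlm auth       = yes
         max protocol = smb2
         client max protocol = smb2
         logon home = \\wayland\%U
         logon path = \\wayland\%U\windows-profiles\%a
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with whitespace removed, as Samba matches them."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf allows both comment styles
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s", "", key).lower()] = value.strip()
    return conf

def lint_global(conf):
    """Return (parameter, finding) pairs for the checks suggested in the reply."""
    g, out = conf.get("global", {}), []
    if g.get("ntlmauth", "ntlmv2-only").lower() == "yes":  # Samba's default is ntlmv2-only
        out.append(("ntlm auth", "permits NTLMv1; use mschapv2-and-ntlmv2-only"))
    name = g.get("netbiosname", "")
    if name != name.upper():
        out.append(("netbios name", "should be upper case"))
    for key, shown in (("maxprotocol", "max protocol"),
                       ("clientmaxprotocol", "client max protocol")):
        if g.get(key, "").lower() == "smb2":
            out.append((shown, "capped at SMB2; set smb3 or drop the line"))
    if "clientminprotocol" not in g:
        out.append(("client min protocol", "not set; add smb2"))
    for key, shown in (("logonhome", "logon home"), ("logonpath", "logon path")):
        host = g.get(key, "").lstrip("\\").split("\\")[0]  # UNC server component
        if host and "." not in host:
            out.append((shown, f"short name '{host}'; use \\\\FQDN\\share"))
    return out
```

Running `lint_global(parse_smb_conf(SAMPLE_SMB_CONF))` reports all seven items from the reply; a configuration with the suggested values produces an empty list.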



> -----Original message-----
> From: samba <samba-bounces at lists.samba.org> On behalf of William Kirstaedter via samba
> Sent: Wednesday, 31 August 2022 12:06
> To: samba at lists.samba.org
> CC: belle at samba.org
> Subject: Re: [Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
> 
> @Ralph
> 
> I was referring to this line in the /var/log/samba/log.smbd on the AD
> Server:
> 
> [2022/08/30 17:11:39.808445,  1, pid=8018] ../../auth/gensec/spnego.c:1341(gensec_spnego_server_negTokenInit_step)
>    gensec_spnego_server_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
> 
> @Rowland
> 
> Well the hammer is not an option, my colleague would cut my head off :D he
> likes them for their resilience and these machines are really expensive...
> 
> @Louis / all
> 
> here's the extracted smb.conf which compiles from several templates:
> 
> root at wayland:~# cat /etc/samba/smb.conf
> # Warning: This file is auto-generated and might be overwritten by
> #          univention-config-registry.
> #          Please edit the following file(s) instead:
> # Warnung: Diese Datei wurde automatisch generiert und kann durch
> #          univention-config-registry ueberschrieben werden.
> #          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
> #
> #       /etc/univention/templates/files/etc/samba/smb.conf.d/10global
> #       /etc/univention/templates/files/etc/samba/smb.conf.d/11univention-smb-service
> #       /etc/univention/templates/files/etc/samba/smb.conf.d/21univention-samba_winbind
> #       /etc/univention/templates/files/etc/samba/smb.conf.d/31univention-samba_password
> #       /etc/univention/templates/files/etc/samba/smb.conf.d/41univention-samba_printing
> #       /etc/univention/templates/files/etc/samba/smb.conf.d/51univention-samba_domain
> #       /etc/univention/templates/files/etc/samba/smb.conf.d/61univention-samba_misc
> #       /etc/univention/templates/files/etc/samba/smb.conf.d/71univention-samba_users
> #       /etc/univention/templates/files/etc/samba/smb.conf.d/81univention-quota_scripts
> #       /etc/univention/templates/files/etc/samba/smb.conf.d/90univention-samba_user_shares
> #       /etc/univention/templates/files/etc/samba/smb.conf.d/91univention-samba_shares
> #       /etc/univention/templates/files/etc/samba/smb.conf.d/92univention-samba_shares
> #       /etc/univention/templates/files/etc/samba/smb.conf.d/95univention-samba_local_config
> #       /etc/univention/templates/files/etc/samba/smb.conf.d/99univention-samba_local_shares
> #
> 
> ; ---------------------<10global>------------------------
> [global]
>          debug level     = 1
>          logging         = file
>          max log size    = 0
> 
>          netbios name    = wayland
>          server role     = active directory domain controller
>          name resolve order      = wins host bcast
>          server string   = Univention Corporate Server
>          server services = -dns -smb +s3fs -nbt
>          server role check:inhibit = yes
>          # use nmbd; to disable set samba4/service/nmb to s4
>          nmbd_proxy_logon:cldap_server=127.0.0.1
>          workgroup       = FHI
>          realm           = FHI.MPG.DE
> 
>          tls enabled     = yes
>          tls keyfile     = /etc/univention/ssl/wayland.fhi.mpg.de/private.key
>          tls certfile    = /etc/univention/ssl/wayland.fhi.mpg.de/cert.pem
>          tls cafile      = /etc/univention/ssl/ucsCA/CAcert.pem
>          tls verify peer = ca_and_name
>          ldap server require strong auth = allow_sasl_over_tls
>          dsdb:schema update allowed = no
>          max open files = 32808
>          interfaces      = lo ens192
>          bind interfaces only    = yes
>          server signing  = yes
>          ntlm auth       = yes
>          machine password timeout        = 0
>          acl allow execute always = True
>          kccsrv:samba_kcc = False
> 
> ; ---------------------</10global>------------------------
> ; ---------------------<smb service configuration>-----------------------
> 
>          debug hirestimestamp = yes
>          debug pid = yes
> ; ---------------------</smb service configuration>----------------------
> 
> 
>          ; idmap/winbind
> 
>          winbind separator = +
>          template shell = /bin/bash
>          template homedir = /home/%D-%U
> 
>          idmap config * : backend = tdb
>          idmap config * : range = 300000-400000
> 
>          passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
> 
>          obey pam restrictions = yes
> 
>          spoolss: architecture = Windows x64
> 
>          ; domain service lookup related settings
>          preferred master = yes
>          local master = yes
>          domain master = yes
>          wins support = yes
> 
>          ; miscellaneous settings, mostly for file services
>          oplocks = yes
>          large readwrite = yes
>          read raw = yes
>          write raw = yes
>          max xmit = 65535
>          acl:search = yes
>          host msdfs = yes
>          kernel oplocks = yes
>          deadtime = 15
>          getwd cache = yes
>          wide links = no
>          store dos attributes = yes
>          max protocol = smb2
>          client max protocol = smb2
>          logon home = \\wayland\%U
>          logon drive = I:
>          logon path = \\wayland\%U\windows-profiles\%a
>          preserve case = yes
>          short preserve case = yes
> 
>          guest account = nobody
>          map to guest = Bad User
>          admin users = administrator join-backup
> 
> 
>          usershare max shares = 0
> 
> 
> ; ---------------------------------------------------------------------------------------------------------
>          include = /etc/samba/base.conf
> 
>          include = /etc/samba/shares.conf
>          include = /etc/samba/printers.conf
> 
>          include = /etc/samba/local.config.conf
> 
> 
> and the includes...:
> 
> base.conf
> 
> # Warning: This file is auto-generated and might be overwritten by
> #          univention-config-registry.
> #          Please edit the following file(s) instead:
> # Warnung: Diese Datei wurde automatisch generiert und kann durch
> #          univention-config-registry ueberschrieben werden.
> #          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
> #
> #       /etc/univention/templates/files/etc/samba/base.conf
> #
> 
> [netlogon]
>          comment = Domain logon service
>          path = /var/lib/samba/sysvol/fhi.mpg.de/scripts
>          public = no
>          preserve case = yes
>          case sensitive = no
>          vfs objects = dfs_samba4 acl_xattr
>          read only = no
> 
> [sysvol]
>          path = /var/lib/samba/sysvol
>          public = no
>          preserve case = yes
>          case sensitive = no
>          vfs objects = dfs_samba4 acl_xattr
>          read only = no
>          acl xattr update mtime = yes
> 
> [homes]
>          comment = Heimatverzeichnisse
>          hide files = /windows-profiles/
>          browsable = no
>          read only = no
>          create mask = 0700
>          directory mask = 0700
>          vfs objects = acl_xattr
> 
> 
> [printers]
>          comment = Drucker
>          browseable = no
>          path = /tmp
>          printable = yes
>          public = no
>          writable = no
>          create mode = 0700
>          # use client driver = true
>          # lpq command = lpstat -o %p
>          # lprm command = cancel %p-%j
>          # using windows printer drivers
>          # print command = lpr -P %p -o raw %s -r
>          # using cups drivers (PostScript on Windows)
>          # print command = lpr -P %p %s
> 
> [print$]
>          comment = Printer Drivers
>          path = /var/lib/samba/drivers
>          browseable = yes
>          guest ok = no
>          read only = no
>          write list = root, Administrator, @Printer-Admins
> 
> ------------------------------------------------------------------------------
> 
> share.conf (only used for login wallpaper)
> 
> [share]
> path = /share
> msdfs root = no
> writeable = yes
> browseable = yes
> public = yes
> dos filemode = no
> hide unreadable = no
> create mode = 0744
> directory mode = 0755
> force create mode = 00
> force directory mode = 00
> locking = 1
> strict locking = Auto
> oplocks = 1
> level2 oplocks = 1
> fake oplocks = 0
> csc policy = manual
> nt acl support = 1
> inherit acls = 1
> vfs objects = acl_xattr
> inherit owner = no
> inherit permissions = no
> map acl inherit = yes
> 
> ------------------------------------------------------------------------------
> 
> homedirs.conf (this should not be of interest since all homes are on the netapp)
> 
> [homedirs]
> path = /home
> msdfs root = no
> writeable = yes
> browseable = yes
> public = no
> dos filemode = no
> hide unreadable = no
> create mode = 0744
> directory mode = 0755
> force create mode = 00
> force directory mode = 00
> locking = 1
> strict locking = Auto
> oplocks = 1
> level2 oplocks = 1
> fake oplocks = 0
> csc policy = manual
> nt acl support = 1
> inherit acls = 1
> vfs objects = acl_xattr
> inherit owner = no
> inherit permissions = no
> map acl inherit = yes
> 
> ------------------------------------------------------------------------------
> 
> global.local.config.conf (this was their fix for a previous upgrade)
> 
> [global]
> auth methods = sam winbind sam_ignoredomain
> server require schannel:141.14.140.32 = no
> server require schannel:141.14.143.33 = no
> server require schannel:nap32.fhi.mpg.de = no
> server require schannel:nap32.rz-berlin.mpg.de = no
> server require schannel:nap33.fhi.mpg.de = no
> server require schannel:nap33.rz-berlin.mpg.de = no
> server schannel = yes
> 
> ------------------------------------------------------------------------------
> 
> do you need more?
> 
> I can also put log level to 10 and post a link to that huge file if you want to read through that...
> 
> really thanks!
> 
> 
> William Kirstaedter (PP&B) 	Fritz-Haber-Institut der MPG
> Faradayweg 4-6 	14195 Berlin
> Tel: 030 8413 5405 	Mail: kirstaedter at fhi-berlin.mpg.de
> 
> On 31.08.2022 at 11:32, L. van Belle via samba wrote:
> > He needs to get the smb.conf from the Univention server and show it in the list.
> > Only when we see that, we can give an estimate of what's going on.
> >
> > Just like the Synology, I'm assuming univention used "unsupported" settings..
> > They work in lower samba versions, but the higher the samba version the more problems they will get.
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Original message-----
> >> From: samba <samba-bounces at lists.samba.org> On behalf of Ralph Boehme via samba
> >> Sent: Wednesday, 31 August 2022 10:31
> >> To: William Kirstaedter <kirstaedter at fhi-berlin.mpg.de>; samba at lists.samba.org
> >> Subject: Re: [Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
> >>
> >> On 8/30/22 17:12, William Kirstaedter via samba wrote:
> >>> I'm now asking here because neither Univention nor Netapp seem to
> >>> want to help since they both say that combination is not supported /
> >>> recommended. no reasons given.
> >> ouch, so you're sitting between the chairs. :/
> >>
> >> If you can share logs from the Samba DC and network traces of the SMB
> >> login with the list, with a bit of luck someone has the time to look
> >> into them. But given the complexity of the issue and that this is
> >> going to contain sensitive data, I'm not sure community support is going to cut it.
> >>
> >> If you have the option, you could consider commercial support via:
> >>
> >> https://www.samba.org/samba/support/globalsupport.html
> >>
> >> Cheers!
> >> -slow
> >>
> >> --
> >> Ralph Boehme, Samba Team                 https://samba.org/
> >> SerNet Samba Team Lead      https://sernet.de/en/team-samba
> >