[Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
Rowland Penny
rpenny at samba.org
Wed Aug 31 11:21:53 UTC 2022
On Wed, 2022-08-31 at 12:05 +0200, William Kirstaedter wrote:
> @Ralph
>
> I was referring to this line in the /var/log/samba/log.smbd on the AD Server:
>
> [2022/08/30 17:11:39.808445, 1, pid=8018] ../../auth/gensec/spnego.c:1341(gensec_spnego_server_negTokenInit_step)
> gensec_spnego_server_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
>
> @Rowland
>
> Well the hammer is not an option, my colleague would cut my head off :D
> he likes them for their resilience and these machines are really
> expensive...
They become really expensive if they do not work with Samba and most of
your computers use Samba. If I was considering buying some piece of
computer equipment, one of my questions would be, 'does this work with
open source programs such as Samba?'. If the answer was no, I wouldn't
buy it.
>
> @Louis / all
>
> here's the extracted smb.conf which compiles from several templates:
>
> root at wayland:~# cat /etc/samba/smb.conf
> # Warning: This file is auto-generated and might be overwritten by
> # univention-config-registry.
> # Please edit the following file(s) instead:
> # Warning: This file is auto-generated and might be overwritten by
> # univention-config-registry.
> #
> # /etc/univention/templates/files/etc/samba/smb.conf.d/10global
> #
>
> ; ---------------------<10global>------------------------
> [global]
> debug level = 1
> logging = file
> max log size = 0
>
> netbios name = wayland
> server role = active directory domain controller
> name resolve order = wins host bcast
> server string = Univention Corporate Server
> server services = -dns -smb +s3fs -nbt
> server role check:inhibit = yes
> # use nmbd; to disable set samba4/service/nmb to s4
> nmbd_proxy_logon:cldap_server=127.0.0.1
> workgroup = FHI
> realm = FHI.MPG.DE
>
> tls enabled = yes
> tls keyfile = /etc/univention/ssl/wayland.fhi.mpg.de/private.key
> tls certfile = /etc/univention/ssl/wayland.fhi.mpg.de/cert.pem
> tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
> tls verify peer = ca_and_name
> ldap server require strong auth = allow_sasl_over_tls
> dsdb:schema update allowed = no
> max open files = 32808
> interfaces = lo ens192
> bind interfaces only = yes
> server signing = yes
> ntlm auth = yes
> machine password timeout = 0
> acl allow execute always = True
> kccsrv:samba_kcc = False
>
> ; ---------------------</10global>------------------------
> ; ---------------------<smb service configuration>-----------------------
>
> debug hirestimestamp = yes
> debug pid = yes
> ; ---------------------</smb service configuration>----------------------
>
>
> ; idmap/winbind
>
> winbind separator = +
> template shell = /bin/bash
> template homedir = /home/%D-%U
>
> idmap config * : backend = tdb
> idmap config * : range = 300000-400000
>
> passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
>
> obey pam restrictions = yes
>
> spoolss: architecture = Windows x64
>
> ; domain service lookup related settings
> preferred master = yes
> local master = yes
> domain master = yes
> wins support = yes
>
> ; miscellaneous settings, mostly for file services
> oplocks = yes
> large readwrite = yes
> read raw = yes
> write raw = yes
> max xmit = 65535
> acl:search = yes
> host msdfs = yes
> kernel oplocks = yes
> deadtime = 15
> getwd cache = yes
> wide links = no
> store dos attributes = yes
> max protocol = smb2
> client max protocol = smb2
> logon home = \\wayland\%U
> logon drive = I:
> logon path = \\wayland\%U\windows-profiles\%a
> preserve case = yes
> short preserve case = yes
>
> guest account = nobody
> map to guest = Bad User
> admin users = administrator join-backup
>
>
> usershare max shares = 0
>
>
> ; -------------------------------------------------------------------------------------------------------------
> include = /etc/samba/base.conf
>
> include = /etc/samba/shares.conf
> include = /etc/samba/printers.conf
>
> include = /etc/samba/local.config.conf
>
>
> and the includes...:
>
> base.conf
>
> # Warning: This file is auto-generated and might be overwritten by
> # univention-config-registry.
> # Please edit the following file(s) instead:
> # Warning: This file is auto-generated and might be overwritten by
> # univention-config-registry.
> # Please edit the following file(s) instead:
> #
> # /etc/univention/templates/files/etc/samba/base.conf
> #
>
> [netlogon]
> comment = Domain logon service
> path = /var/lib/samba/sysvol/fhi.mpg.de/scripts
> public = no
> preserve case = yes
> case sensitive = no
> vfs objects = dfs_samba4 acl_xattr
> read only = no
>
> [sysvol]
> path = /var/lib/samba/sysvol
> public = no
> preserve case = yes
> case sensitive = no
> vfs objects = dfs_samba4 acl_xattr
> read only = no
> acl xattr update mtime = yes
>
> [homes]
> comment = Heimatverzeichnisse
> hide files = /windows-profiles/
> browsable = no
> read only = no
> create mask = 0700
> directory mask = 0700
> vfs objects = acl_xattr
>
>
> [printers]
> comment = Drucker
> browseable = no
> path = /tmp
> printable = yes
> public = no
> writable = no
> create mode = 0700
> # use client driver = true
> # lpq command = lpstat -o %p
> # lprm command = cancel %p-%j
> # using windows printer drivers
> # print command = lpr -P %p -o raw %s -r
> # using cups drivers (PostScript on Windows)
> # print command = lpr -P %p %s
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> browseable = yes
> guest ok = no
> read only = no
> write list = root, Administrator, @Printer-Admins
>
> ------------------------------------------------------------------------------
>
> share.conf (only used for login wallpaper)
>
> [share]
> path = /share
> msdfs root = no
> writeable = yes
> browseable = yes
> public = yes
> dos filemode = no
> hide unreadable = no
> create mode = 0744
> directory mode = 0755
> force create mode = 00
> force directory mode = 00
> locking = 1
> strict locking = Auto
> oplocks = 1
> level2 oplocks = 1
> fake oplocks = 0
> csc policy = manual
> nt acl support = 1
> inherit acls = 1
> vfs objects = acl_xattr
> inherit owner = no
> inherit permissions = no
> map acl inherit = yes
>
> ------------------------------------------------------------------------------
>
> homedirs.conf (this should not be of interest since all homes are on the
> netapp)
>
> [homedirs]
> path = /home
> msdfs root = no
> writeable = yes
> browseable = yes
> public = no
> dos filemode = no
> hide unreadable = no
> create mode = 0744
> directory mode = 0755
> force create mode = 00
> force directory mode = 00
> locking = 1
> strict locking = Auto
> oplocks = 1
> level2 oplocks = 1
> fake oplocks = 0
> csc policy = manual
> nt acl support = 1
> inherit acls = 1
> vfs objects = acl_xattr
> inherit owner = no
> inherit permissions = no
> map acl inherit = yes
>
> ------------------------------------------------------------------------------
>
> global.local.config.conf (this was their fix for a previous upgrade)
>
> [global]
> auth methods = sam winbind sam_ignoredomain
> server require schannel:141.14.140.32 = no
> server require schannel:141.14.143.33 = no
> server require schannel:nap32.fhi.mpg.de = no
> server require schannel:nap32.rz-berlin.mpg.de = no
> server require schannel:nap33.fhi.mpg.de = no
> server require schannel:nap33.rz-berlin.mpg.de = no
> server schannel = yes
>
> ------------------------------------------------------------------------------
That is quite possibly the WORST smb.conf that I have ever seen, lots
of default settings (I can sort of understand that), but there are
things that shouldn't be set on a DC (never mind that you really
shouldn't be using a DC as a fileserver). Why on Earth is nmbd being
used ????
>
> do you need more?
>
> I can also put log level to 10 and post a link to that huge file if you
> want to read through that...
>
> really thanks!
As Ralph has said, network traces might help and level 10 logs
(sanitised) never hurt.
Rowland
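A small audit script, added by the editor and not part of the thread, that follows the include = chain the way the poster's generated smb.conf does, merges the repeated [global] blocks (so the later global.local.config.conf values win), and reports the nmbd-only browser/WINS settings that Rowland objects to on a DC together with any host excused from the schannel requirement. The in-memory sample is a constructed, trimmed copy of the config quoted above, and treating those four keys as the settings behind the "nmbd" remark is an assumption.

```python
# Constructed sample, trimmed from the thread's config, kept in memory so it runs offline.
FILES = {
    "/etc/samba/smb.conf": """[global]
server role = active directory domain controller
preferred master = yes
local master = yes
domain master = yes
wins support = yes
include = /etc/samba/local.config.conf
""",
    "/etc/samba/local.config.conf": """[global]
server require schannel:nap32.fhi.mpg.de = no
server schannel = yes
""",
}
# nmbd-only browser-election / WINS settings (assumed to be what the reply's nmbd remark targets).
NMBD_KEYS = {"preferred master", "local master", "domain master", "wins support"}

def parse(path, files=FILES, section=None):
    """Return (section, key, value) triples and the section in force at the end;
    as in smbd, an included file continues in the section that was current."""
    out = []
    for line in files[path].splitlines():
        line = line.strip()
        if not line or line[0] in "#;":     # blank lines and both comment styles
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, val = map(str.strip, line.partition("="))
        if key.lower() == "include":        # splice the included file in at this point
            sub, section = parse(val, files, section)
            out += sub
        else:
            out.append((section, key.lower(), val))
    return out, section

def effective_global(path, files=FILES):
    """Merge every [global] block; a later value for a key wins over an earlier one."""
    return {k: v for s, k, v in parse(path, files)[0] if s == "global"}

def audit(path, files=FILES):
    """Flag nmbd-only settings on a DC and hosts excused from the schannel requirement."""
    g, findings = effective_global(path, files), []
    if g.get("server role", "").startswith("active directory"):
        findings += [f"{k} = {g[k]} is an nmbd setting on an AD DC"
                     for k in sorted(NMBD_KEYS & g.keys()) if g[k].lower() in ("yes", "true")]
    findings += [f"schannel requirement waived for {k.split(':', 1)[1]}"
                 for k, v in g.items() if k.startswith("server require schannel:") and v.lower() == "no"]
    return findings
```

Point FILES at the real files read from disk (or run `testparm -s` first to let Samba resolve the includes) to audit a live DC.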