[Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication

William Kirstaedter kirstaedter at fhi-berlin.mpg.de
Wed Aug 31 12:33:55 UTC 2022


Thank you all for your input,

I'll try to set things accordingly.

My UCS appliance originally started with Version 4.3 and got several 
upgrades which might be the reason why there are so many strange settings.

Regarding the purchase decision on the netapps, I fully agree with you 
guys but they were acquired long before my start here and got some 
upgrades here and there in between...

Anyways, I'll figure out how to set everything univention-persistent and 
then see what happens.

Thanks so far.
I'll be on vacation for the next 3 weeks, so I'd say I come back to you 
in October. :)

- William

PS: I thought Univention staff is reading here too and even committing 
code to samba....


William Kirstaedter (PP&B) 	Fritz-Haber-Institut der MPG
Faradayweg 4-6 	14195 Berlin
Tel: 030 8413 5405 	Mail: kirstaedter at fhi-berlin.mpg.de

On 31.08.2022 at 13:21, Rowland Penny via samba wrote:
> On Wed, 2022-08-31 at 12:05 +0200, William Kirstaedter wrote:
>> @Ralph
>>
>> I was referring to this line in the /var/log/samba/log.smbd on the AD Server:
>>
>> [2022/08/30 17:11:39.808445,  1, pid=8018] ../../auth/gensec/spnego.c:1341(gensec_spnego_server_negTokenInit_step)
>>     gensec_spnego_server_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
>>
>> @Rowland
>>
>> Well the hammer is not an option, my colleague would cut my head off
>> :D
>> he likes them for their resilience and these machines are really
>> expensive...
> They become really expensive if they do not work with Samba and most of
> your computers use Samba. If I was considering buying some piece of
> computer equipment, one of my questions would be, 'does this work with
> open source programs such as Samba ?'. If the answer was no, I wouldn't
> buy it.
>
>> @Louis / all
>>
>> here's the extracted smb.conf which compiles from several templates:
>>
>> root at wayland:~# cat /etc/samba/smb.conf
>> # Warning: This file is auto-generated and might be overwritten by
>> #          univention-config-registry.
>> #          Please edit the following file(s) instead:
>> # Warning: This file was generated automatically and may be overwritten by
>> #          univention-config-registry.
>> #
>> # /etc/univention/templates/files/etc/samba/smb.conf.d/10global
>> #
>>
>> ; ---------------------<10global>------------------------
>> [global]
>>           debug level     = 1
>>           logging         = file
>>           max log size    = 0
>>
>>           netbios name    = wayland
>>           server role     = active directory domain controller
>>           name resolve order      = wins host bcast
>>           server string   = Univention Corporate Server
>>           server services = -dns -smb +s3fs -nbt
>>           server role check:inhibit = yes
>>           # use nmbd; to disable set samba4/service/nmb to s4
>>           nmbd_proxy_logon:cldap_server=127.0.0.1
>>           workgroup       = FHI
>>           realm           = FHI.MPG.DE
>>
>>           tls enabled     = yes
>>           tls keyfile     = /etc/univention/ssl/wayland.fhi.mpg.de/private.key
>>           tls certfile    = /etc/univention/ssl/wayland.fhi.mpg.de/cert.pem
>>           tls cafile      = /etc/univention/ssl/ucsCA/CAcert.pem
>>           tls verify peer = ca_and_name
>>           ldap server require strong auth = allow_sasl_over_tls
>>           dsdb:schema update allowed = no
>>           max open files = 32808
>>           interfaces      = lo ens192
>>           bind interfaces only    = yes
>>           server signing  = yes
>>           ntlm auth       = yes
>>           machine password timeout        = 0
>>           acl allow execute always = True
>>           kccsrv:samba_kcc = False
>>
>> ; ---------------------</10global>------------------------
>> ; ---------------------<smb service configuration>-----------------------
>>
>>           debug hirestimestamp = yes
>>           debug pid = yes
>> ; ---------------------</smb service configuration>----------------------
>>
>>
>>           ; idmap/winbind
>>
>>           winbind separator = +
>>           template shell = /bin/bash
>>           template homedir = /home/%D-%U
>>
>>           idmap config * : backend = tdb
>>           idmap config * : range = 300000-400000
>>
>>           passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
>>
>>           obey pam restrictions = yes
>>
>>           spoolss: architecture = Windows x64
>>
>>           ; domain service lookup related settings
>>           preferred master = yes
>>           local master = yes
>>           domain master = yes
>>           wins support = yes
>>
>>           ; miscellaneous settings, mostly for file services
>>           oplocks = yes
>>           large readwrite = yes
>>           read raw = yes
>>           write raw = yes
>>           max xmit = 65535
>>           acl:search = yes
>>           host msdfs = yes
>>           kernel oplocks = yes
>>           deadtime = 15
>>           getwd cache = yes
>>           wide links = no
>>           store dos attributes = yes
>>           max protocol = smb2
>>           client max protocol = smb2
>>           logon home = \\wayland\%U
>>           logon drive = I:
>>           logon path = \\wayland\%U\windows-profiles\%a
>>           preserve case = yes
>>           short preserve case = yes
>>
>>           guest account = nobody
>>           map to guest = Bad User
>>           admin users = administrator join-backup
>>
>>
>>           usershare max shares = 0
>>
>>
>> ; -----------------------------------------------------------------------------------------------------------
>>           include = /etc/samba/base.conf
>>
>>           include = /etc/samba/shares.conf
>>           include = /etc/samba/printers.conf
>>
>>           include = /etc/samba/local.config.conf
>>
>>
>> and the includes...:
>>
>> base.conf
>>
>> # Warning: This file is auto-generated and might be overwritten by
>> #          univention-config-registry.
>> #          Please edit the following file(s) instead:
>> # Warning: This file was generated automatically and may be overwritten by
>> #          univention-config-registry.
>> #          Please edit the following file(s) instead:
>> #
>> #       /etc/univention/templates/files/etc/samba/base.conf
>> #
>>
>> [netlogon]
>>           comment = Domain logon service
>>           path = /var/lib/samba/sysvol/fhi.mpg.de/scripts
>>           public = no
>>           preserve case = yes
>>           case sensitive = no
>>           vfs objects = dfs_samba4 acl_xattr
>>           read only = no
>>
>> [sysvol]
>>           path = /var/lib/samba/sysvol
>>           public = no
>>           preserve case = yes
>>           case sensitive = no
>>           vfs objects = dfs_samba4 acl_xattr
>>           read only = no
>>           acl xattr update mtime = yes
>>
>> [homes]
>>           comment = Heimatverzeichnisse
>>           hide files = /windows-profiles/
>>           browsable = no
>>           read only = no
>>           create mask = 0700
>>           directory mask = 0700
>>           vfs objects = acl_xattr
>>
>>
>> [printers]
>>           comment = Drucker
>>           browseable = no
>>           path = /tmp
>>           printable = yes
>>           public = no
>>           writable = no
>>           create mode = 0700
>>           # use client driver = true
>>           # lpq command = lpstat -o %p
>>           # lprm command = cancel %p-%j
>>           # using windows printer drivers
>>           # print command = lpr -P %p -o raw %s -r
>>           # using cups drivers (PostScript on Windows)
>>           # print command = lpr -P %p %s
>>
>> [print$]
>>           comment = Printer Drivers
>>           path = /var/lib/samba/drivers
>>           browseable = yes
>>           guest ok = no
>>           read only = no
>>           write list = root, Administrator, @Printer-Admins
>>
>> ------------------------------------------------------------------------------
>>
>> share.conf (only used for login wallpaper)
>>
>> [share]
>> path = /share
>> msdfs root = no
>> writeable = yes
>> browseable = yes
>> public = yes
>> dos filemode = no
>> hide unreadable = no
>> create mode = 0744
>> directory mode = 0755
>> force create mode = 00
>> force directory mode = 00
>> locking = 1
>> strict locking = Auto
>> oplocks = 1
>> level2 oplocks = 1
>> fake oplocks = 0
>> csc policy = manual
>> nt acl support = 1
>> inherit acls = 1
>> vfs objects = acl_xattr
>> inherit owner = no
>> inherit permissions = no
>> map acl inherit = yes
>>
>> ------------------------------------------------------------------------------
>>
>> homedirs.conf (this should not be of interest since all homes are on the netapp)
>>
>> [homedirs]
>> path = /home
>> msdfs root = no
>> writeable = yes
>> browseable = yes
>> public = no
>> dos filemode = no
>> hide unreadable = no
>> create mode = 0744
>> directory mode = 0755
>> force create mode = 00
>> force directory mode = 00
>> locking = 1
>> strict locking = Auto
>> oplocks = 1
>> level2 oplocks = 1
>> fake oplocks = 0
>> csc policy = manual
>> nt acl support = 1
>> inherit acls = 1
>> vfs objects = acl_xattr
>> inherit owner = no
>> inherit permissions = no
>> map acl inherit = yes
>>
>> ------------------------------------------------------------------------------
>>
>> global.local.config.conf (this was their fix for a previous upgrade)
>>
>> [global]
>> auth methods = sam winbind sam_ignoredomain
>> server require schannel:141.14.140.32 = no
>> server require schannel:141.14.143.33 = no
>> server require schannel:nap32.fhi.mpg.de = no
>> server require schannel:nap32.rz-berlin.mpg.de = no
>> server require schannel:nap33.fhi.mpg.de = no
>> server require schannel:nap33.rz-berlin.mpg.de = no
>> server schannel = yes
>>
>> ------------------------------------------------------------------------------
> That is quite possibly the WORST smb.conf that I have ever seen, lots
> of default settings (I can sort of understand that), but there are
> things that shouldn't be set on a DC (never mind that you really
> shouldn't be using a DC as a fileserver). Why on Earth is nmbd being
> used ????
>
>> do you need more?
>>
>> I can also put log level to 10 and post a link to that huge file if you want to read through that...
>>
>> really thanks!
> As Ralph has said, network traces might help and level 10 logs
> (sanitised) never hurt.
>
> Rowland
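The log line quoted in the thread ("Could not find a suitable mechtype in NEG_TOKEN_INIT") is the server-side symptom of a SPNEGO negotiation in which none of the mechanisms the client lists in its negTokenInit is one the server will accept. The following is an added Python example and is neither Samba code nor anything posted in the thread: it builds a constructed negTokenInit from a list of mechanism OIDs (RFC 4178 structure inside the RFC 2743 InitialContextToken framing), decodes the mechTypes list back out of the DER, and picks the first client-offered mechanism the acceptor supports, the usual acceptor behaviour. The client offer and the acceptor's mechanism sets used at the bottom are assumptions for illustration; an empty intersection is the case the Samba message reports.

```python
# Added example: build and decode a SPNEGO negTokenInit (RFC 4178 / RFC 2743
# framing) and check the offered mechTypes against an acceptor's list.
# Not Samba code; the client offer and acceptor sets below are constructed.

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5 = "1.2.840.113554.1.2.2"          # Kerberos 5
MS_KRB5 = "1.2.840.48018.1.2.2"        # legacy Microsoft Kerberos OID
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
NEGOEX = "1.3.6.1.4.1.311.2.2.30"


def encode_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + encode_len(len(content)) + content


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER element for a dotted OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))   # continuation bit on high groups
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(content):
    """Dotted string from the content octets of an OID element."""
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos=0):
    """Return (tag, content, position after the element) for buf[pos:]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mech_oids):
    """InitialContextToken wrapping a negTokenInit with only mechTypes set."""
    mech_types = tlv(0xA0, tlv(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    neg_token_init = tlv(0xA0, tlv(0x30, mech_types))          # NegotiationToken [0]
    return tlv(0x60, encode_oid(SPNEGO_OID) + neg_token_init)  # [APPLICATION 0]


def offered_mech_types(token):
    """mechTypes (dotted OIDs, client preference order) from an InitialContextToken."""
    tag, content, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = read_tlv(content)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("token mechanism is not SPNEGO")
    tag, neg_token, _ = read_tlv(content, pos)
    if tag != 0xA0:
        raise ValueError("not a negTokenInit")
    _, fields, _ = read_tlv(neg_token)                     # NegTokenInit SEQUENCE
    tag, mech_types, _ = read_tlv(fields)
    if tag != 0xA0:
        raise ValueError("negTokenInit without mechTypes")
    _, oids, _ = read_tlv(mech_types)                      # SEQUENCE OF MechType
    result, pos = [], 0
    while pos < len(oids):
        tag, oid, pos = read_tlv(oids, pos)
        if tag != 0x06:
            raise ValueError("mechTypes entry is not an OID")
        result.append(decode_oid(oid))
    return result


def select_mech(token, acceptor_mechs):
    """First client-offered mechanism the acceptor supports, else None.
    None is the situation behind 'Could not find a suitable mechtype'."""
    for oid in offered_mech_types(token):
        if oid in acceptor_mechs:
            return oid
    return None


if __name__ == "__main__":
    client = build_neg_token_init([MS_KRB5, KRB5, NTLMSSP])   # constructed client offer
    print(offered_mech_types(client))
    print(select_mech(client, {KRB5, NTLMSSP}))   # Kerberos is chosen
    print(select_mech(client, {NEGOEX}))          # None: no common mechanism
```

When reading a packet capture for a failure like the one in the thread, the mechTypes list is the first thing to compare on both sides: the order is the client's preference, and the server only ever picks from that list.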

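The configuration posted in the thread contains several settings worth a second look from a defender's side: per-host `server require schannel = no` exceptions, `ntlm auth = yes`, `map to guest = Bad User`, the deprecated `auth methods` parameter, and file shares configured on a domain controller. The following is an added Python example, not Samba code or anything from the thread: it parses smb.conf syntax the way Samba treats parameter names (case- and whitespace-insensitive, later definitions overriding earlier ones) and reports those settings over a constructed excerpt modelled on the posted files. The severity labels, the placeholder hostname `nap32.example.invalid` and the share names in the sample are this example's own assumptions; `include` lines are reported but not followed.

```python
# Added example: a small auditor for security-relevant smb.conf settings,
# run over a constructed excerpt modelled on the configuration in the thread.
# Not Samba code; severities are this example's own labels.
import re

# Constructed sample; nap32.example.invalid is a placeholder hostname.
SAMPLE_CONF = """\
[global]
        server role     = active directory domain controller
        ntlm auth       = yes
        map to guest    = Bad User
        server signing  = yes
        auth methods = sam winbind sam_ignoredomain
        server require schannel:141.14.140.32 = no
        server require schannel:nap32.example.invalid = no
        server schannel = yes
        include = /etc/samba/shares.conf

[netlogon]
        path = /var/lib/samba/sysvol/example.invalid/scripts

[homedirs]
        path = /home
        public = no
        writeable = yes
"""


def parse_smb_conf(text):
    """Map section -> {parameter: value}. Parameter names are lower-cased and
    whitespace-normalised; a repeated parameter keeps its last value."""
    sections, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = re.sub(r"\s+", " ", name.strip().lower())
        sections[current][name] = value.strip()
    return sections


def audit(sections):
    """Return (severity, parameter, reason) tuples for weak global settings."""
    g = sections.get("global", {})
    findings = []
    for name, value in g.items():
        # Parametric option: "server require schannel:<host> = no" exempts
        # that host from the netlogon secure-channel requirement.
        if name.startswith("server require schannel:") and value.lower() == "no":
            host = name.split(":", 1)[1]
            findings.append(("high", name, f"netlogon secure channel not enforced for {host}"))
    # "yes" is an alias for ntlmv1-permitted; the default is ntlmv2-only.
    if g.get("ntlm auth", "ntlmv2-only").lower() in ("yes", "ntlmv1-permitted"):
        findings.append(("high", "ntlm auth", "NTLMv1 responses accepted"))
    if g.get("map to guest", "never").lower() != "never":
        findings.append(("medium", "map to guest",
                         f"guest mapping enabled ({g['map to guest']})"))
    if "auth methods" in g:
        findings.append(("low", "auth methods", "deprecated parameter, remove it"))
    if g.get("server signing", "").lower() == "disabled":
        findings.append(("medium", "server signing", "SMB signing disabled"))
    if g.get("server role", "").lower() == "active directory domain controller":
        extra = [s for s in sections if s not in ("global", "netlogon", "sysvol")]
        if extra:
            findings.append(("low", "shares", "file shares on a DC: " + ", ".join(extra)))
    if "include" in g:
        findings.append(("info", "include", f"not followed: {g['include']}"))
    return findings


if __name__ == "__main__":
    for severity, parameter, reason in audit(parse_smb_conf(SAMPLE_CONF)):
        print(f"[{severity}] {parameter}: {reason}")
```

The parser deliberately stops at `include` lines: the real file in the thread is assembled from several templates and includes, so a review has to be done on the effective configuration rather than on any one fragment, which is what `testparm -s` prints.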