[Samba] problem with domain and samba3x
peter lawrie
2016-06-17 21:31:17 UTC
Hi all
About 18 months ago I connected 14 new Windows 7 PCs to a Centos5.1 server
with samba3x as domain members. There are no other servers on site.
Today, I had to visit to connect up a PC in a new location. As I would
normally do I checked for Centos updates and found 35 outstanding including
samba3x 3.6.23-12.el5_11 and samba3x-client, samba3x-common, samba3x-doc,
samba3x-domainjoin-gui, samba3x-swat, samba3x-winbind, samba3x-winbind-devel

Having completed the cabling I tried to log the PC in but received 'trust
relationship between this workstation and primary domain failed'. Several
times I removed it from the domain and added it back again - this made no
difference. I noted the time on the PC was 7 minutes out from the server,
so corrected that, removed from the domain, added it in again but had the
same message.
Thinking it was just related to this PC, I left it configured as a
workgroup member, created a new local user to match the domain username it
had been using and connected it to the server shares.

Then I went to another PC which had an unrelated issue which needed
attention but when I tried to logon to the domain received the same domain
trust failure message.
Only then did I suspect that the samba3x update may have been the cause so
I removed it and installed samba3x 3.6.23-9. Now when I try to log in I get "there
are no login servers available to service the login request".

As other users were complaining about losing access to the server shares, I
then had to visit every PC, remove each of them from the domain into a
workgroup, create a local user on each to match the samba username and copy
the profile. Needless to say, a job which should have taken 1 to 2 hours
took 7.

I still have no idea why the problem occurred. Is there an issue with the
latest samba update? All I could find online was that the update related to
a fix for the badlock vulnerability.
Peter Lawrie
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Dale Schroeder
2016-06-20 18:53:29 UTC
Peter,

The badlock patches have been a big problem for Samba classic domains.
Many have posted asking for help, but I have seen no solution presented
on this list; i.e. the silence is deafening. It may be that NT4 classic
domains will not work going forward.

For example, refer to the post by Peter Tuharsky:
http://www.spinics.net/lists/samba/msg134710.html

In all actuality, Samba 4.3.x pre-badlock had already broken classic
ldap domains.

So, if anyone has a working Samba/openldap NT4 classic domain
post-badlock patches, would you please share your config to help these
people?

And, if you have a working 4.3 or 4.4 classic domain config, please help
me out.

Thanks,
Dale
Luca Olivetti
2016-06-20 20:03:29 UTC
I think one of the problems is that nobody has logged a bug report for
this problem, so nobody is looking into it. Another problem is that
Windows is trying to deter the use of NT4-style domains; it is my
understanding that Win10 will not connect to one out-of-the-box. They
could (and probably will) make the use of NT4 domains impossible at any
time.
Meanwhile, those Windows 10 workstations have no problem joining my NT
domain managed by a very old samba (I know, I know, an update is planned
but not right now), while badlock-patched samba cannot[*] :-(


[*] I'm referring to the distro provided version, in this case ubuntu
14.04.4 LTS.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007
Gaiseric Vandal
2016-06-20 21:32:09 UTC
Post by Dale Schroeder
Peter,
The badlock patches have been a big problem for Samba classic
domains. Many have posted asking for help, but I have seen no
solution presented on this list; i.e. the silence is deafening. It
may be that NT4 classic domains will not work going forward.
http://www.spinics.net/lists/samba/msg134710.html
In all actuality, Samba 4.3.x pre-badlock had already broken classic
ldap domains.
I did some testing before the badlock patches and did manage to get an
ldap based NT4 PDC running and connected a Unix client to it, but this
was a test domain and it didn't use smbldap-tools.
I think one of the problems is that nobody has logged a bug report for
this problem, so nobody is looking into it. Another problem is that
Windows is trying to deter the use of NT4-style domains; it is my
understanding that Win10 will not connect to one out-of-the-box. They
could (and probably will) make the use of NT4 domains impossible at
any time.
Rowland
Post by Dale Schroeder
So, if anyone has a working Samba/openldap NT4 classic domain
post-badlock patches, would you please share your config to help
these people?
And, if you have a working 4.3 or 4.4 classic domain config, please
help me out.
Thanks,
Dale
Windows 10 clients can be connected to a non-badlock patched
classic-domain. Requires the same registry changes as Windows 7 to
set "DomainCompatibilityMode" = 1

(I think this would be same as disabling RequireSignOrSeal in group
policy.) The samba badlock patches change the default behavior of
samba server to require signing. It may be that you need to explicitly
set "server signing" and "client signing" to auto to force the older
behavior.

I was never able to make patched domain members work with a non-patched
domain controller. (Also running Samba 3.x as a classic domain.) I
suspect the reverse is true. Even with disabling signing on the samba
member servers, I was getting schannel and spnego errors so something
changed there too. I could get the patched member servers to join
the domain but domain users from windows or samba would not be allowed
to access resources.


I had expected that a patched domain controller would work with a patched
member server and that the windows machines would auto-negotiate
everything, but now I doubt that.
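An added audit helper, not code from this thread or from the Samba project: it parses an smb.conf and reports how "server signing" and "client signing" are set in [global], so that an admin who relaxes signing to "auto" for legacy NT4-style clients, as described above, has that exception visible and documented. The sample configuration, the value classes and the section/comment handling are assumptions; "default" is resolved by the Samba build in use.

```python
import re

# Samba compares parameter names ignoring case and whitespace, so
# "Server Signing" and "serversigning" refer to the same parameter.
def _norm(key):
    return re.sub(r"\s+", "", key).lower()

def parse_smb_conf(text):
    """Return {section: {normalised_key: value}}; '#' and ';' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][_norm(key)] = value.strip()
    return sections

# Value classes are an assumption of this audit; "default" is resolved by the
# Samba build in use (the thread notes post-badlock builds require signing).
CLASSES = {"mandatory": "mandatory", "yes": "mandatory", "true": "mandatory",
           "auto": "negotiated", "default": "negotiated",
           "disabled": "disabled", "no": "disabled", "false": "disabled"}

def _classify(value):
    return "unset" if not value else CLASSES.get(value.lower(), "unknown")

def signing_posture(text):
    """Classify 'server signing' and 'client signing' as set in [global]."""
    g = parse_smb_conf(text).get("global", {})
    return {k: _classify(g.get(_norm(k), "")) for k in ("server signing", "client signing")}

def audit(text):
    """One finding per signing parameter explicitly set weaker than mandatory."""
    return [f"{k} = {p}: weaker than mandatory signing; keep only as a documented "
            "exception for legacy NT4-style clients"
            for k, p in signing_posture(text).items() if p in ("negotiated", "disabled")]

# Constructed sample: the "set both to auto" configuration discussed in the thread.
RELAXED_CONF = """[global]
   workgroup = EXAMPLE
   domain logons = yes
   Server Signing = auto
   client signing = auto
"""
```

Running audit(RELAXED_CONF) yields one finding for each of the two relaxed parameters; a config that leaves both unset or sets them to mandatory yields none.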
Luca Olivetti
2016-06-20 21:59:26 UTC
Post by Gaiseric Vandal
I could get the patched member servers to join
the domain but domain users from windows or samba would not be allowed
to access resources.
I couldn't even manage to join the domain.
OTOH smbclient (patched I guess[*]) has no problem accessing the server.


[*]
$ dpkg -l samba smbclient
Desitjat=desconegUt/Instaŀla/supRimeix/Purga/retín(H)
| Estat=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Estat,Err: majúsc.=dolent)
||/ Nom        Versió                         Arquitectura  Descripció
+++-==========-==============================-=============-===============================================
ii  samba      2:4.3.9+dfsg-0ubuntu0.14.04.3  amd64         SMB/CIFS file, print, and login server for Unix
ii  smbclient  2:4.3.9+dfsg-0ubuntu0.14.04.3  amd64         command-line SMB/CIFS clients for Unix

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007