• [Samba] AD integration not working after move/version

    From Henrik Johansson via samba@21:1/5 to All on Sat Mar 18 16:30:01 2017
    Hi!

    I am in a bit of trouble, I have moved a samba installation from one virtual host to another keeping the configuration files and filesystems. But during the transition something broke, now windows users are no longer able to access their shares. I think
    it has to do with the AD integration. I do not know if it is because some state is missing on this host related to the AD integration or if something has changed since the version of samba is higher on the new host. We have the same set of private files
    also (passdb.tdb and secrets.tdb).

    Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.

    Any ideas on how to debug this is helpful, I know very little about AD integration, perhaps the virtual host needs to join the domain again and authenticate, can I check the status of the integration in any way?

    Some error messages I was able to find:

    [2017/03/18 15:33:21.544063, 0] auth/auth_domain.c:331(domain_client_validate)
    domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED.
    [2017/03/18 15:33:21.554733, 0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
    rpccli_netlogon_sam_network_logon: credentials chain check failed
    [2017/03/18 15:33:21.554814, 0] auth/auth_domain.c:331(domain_client_validate)
    domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED.
    [2017/03/18 15:33:21.565235, 0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
    rpccli_netlogon_sam_network_logon: credentials chain check failed
    [2017/03/18 15:33:21.565330, 0] auth/auth_domain.c:331(domain_client_validate)
    domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED


    Configuration, with user names and real paths removed; the only other change is that we had to change the locale to ISO8859-1, since the value “LOCALE” was no longer supported.

    # Global parameters
    [global]
    log file = /var/samba/log/clientlog.%m
    dns proxy = No
    acl check permissions = False
    netbios aliases = string1
    server string = string1
    name resolve order = hosts bcast
    realm = DOMAIN.NET
    password server = server3.string1.net sever4.string1.net
    # wins server = x.x.x.x
    local master = no
    workgroup = WGNAME
    os level = 0
    domain master = no
    encrypt passwords = yes
    security = DOMAIN
    unix charset = ISO8859-1
    max log size = 50
    # Fix for not to do lpstat since we don't use printers in Samba
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes


    [homes]
    browseable = No
    comment = Home Directories
    writable = yes
    create mode = 775
    directory mode = 775

    [string2]
    user = user1,user2
    path = /path/string2
    write list = userx,userx

    [string3]
    path = /string3
    read only = Yes
    write list = user3,user4,user5
    create mask = 0760
    force create mode = 0760

    [home]
    path = /path/home
    read only = No

    [string4]
    path = /path
    read only = Yes
    write list = user9,user10,user11

    [string5]
    revalidate = yes
    browseable = no
    writeable = yes
    valid users = @string5,@string6,@string7
    path = /path/path

    [string11]
    path = /path/path2/path3
    writeable = yes
    valid users = @string9,string9
    browseable = no
    create mask = 0660
    force group = groupx


    [string8]
    comment = Comment1 here
    path = /path/string8
    force group = userx
    valid users = @string10, @string11
    writeable = yes

    Thankful for any assistance.

    --
    To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
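The two log lines that repeat in the post say, read together, that the DC rejected the member's netlogon secure channel rather than the user's password: "credentials chain check failed" is smbd's check of the credential the DC returns on the schannel it keeps with the machine account stored in secrets.tdb, and the NT_STATUS_ACCESS_DENIED from domain_client_validate is the consequence. The usual causes are a machine-account secret that no longer matches what the DC holds (for example after a move where another copy of the host rotated it) and a mismatch in how the two sides derive the channel's session key, which is the kind of change the Badlock security release (3.6.25 is that release for the 3.6 branch) introduced; the thread ends in the second case. The script below is an added example, not code from the thread or from the Samba project: it classifies a Samba log and, if Samba's own `net`/`wbinfo` are on PATH, runs the join checks that answer "can I check the status of the integration". The sample log is constructed from the lines in the post; on Solaris 10 run it with AWK=nawk.

```shell
#!/bin/sh
# Added example (not code from the thread or from Samba): first response for a
# domain member whose Windows users suddenly get NT_STATUS_ACCESS_DENIED.
# Assumes POSIX sh and awk (on Solaris 10 use AWK=nawk); Samba's own `net`
# and `wbinfo` are used only when they are on PATH.
AWK=${AWK:-awk}

# Classify a Samba log given as files or on stdin. Prints a verdict and returns
#   0  no netlogon problem recognised
#   1  credential-chain failures: the netlogon secure channel to the DC is
#      broken (machine account secret or session-key policy mismatch)
#   2  the DC refused passwords but the secure channel itself worked
triage_samba_log() {
    "$AWK" '
        /credentials chain check failed/              { chain++ }
        /domain_client_validate: unable to validate/  { denied++ }
        END {
            if (chain > 0) {
                printf "%d credential-chain failures: secure channel to the DC is broken\n", chain
                print "verify with: net rpc testjoin (NT4-style) / net ads testjoin (ADS), wbinfo -t"
                print "repair with: net ads join -U <domain admin>  (new machine password in secrets.tdb)"
                exit 1
            }
            if (denied > 0) {
                printf "%d password validations refused by the DC, secure channel intact\n", denied
                exit 2
            }
            print "no netlogon errors recognised"
            exit 0
        }' "$@"
}

# Live check of the machine-account trust. Returns 3 if the tools are missing,
# otherwise the exit status of the Samba checks.
check_machine_trust() {
    if ! command -v net >/dev/null 2>&1; then
        echo "net(8) not on PATH, skipping live trust check"
        return 3
    fi
    # testjoin exercises the same secure channel the failing logons used
    net rpc testjoin || return $?
    if command -v wbinfo >/dev/null 2>&1; then
        wbinfo -t     # winbind's own view of the trust secret
    fi
}

# Constructed sample: the lines from the post, timestamps kept.
SAMPLE_LOG='[2017/03/18 15:33:21.554733, 0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
  rpccli_netlogon_sam_network_logon: credentials chain check failed
[2017/03/18 15:33:21.554814, 0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED.'

rc=0
printf '%s\n' "$SAMPLE_LOG" | triage_samba_log || rc=$?
echo "triage verdict code: $rc"
check_machine_trust || echo "live trust check returned $?"
```

Run it against the real log (`triage_samba_log /var/samba/log/clientlog.*`) before touching the join: a verdict of 2 means the trust is fine and the problem is elsewhere, while 1 is the case in this thread and a rejoin (or a policy change on one side) is needed.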
  • From Rowland Penny via samba@21:1/5 to Henrik Johansson via samba on Sat Mar 18 17:00:01 2017
    On Sat, 18 Mar 2017 16:06:28 +0100
    Henrik Johansson via samba <samba@lists.samba.org> wrote:

    Hi!

    I am in a bit of trouble, I have moved a samba installation from one
    virtual host to another keeping the configuration files and
    filesystems. But during the transition something broke, now windows
    users are no longer able to access their shares. I think it has to do
    with the AD integration. I do not know if it is because some state is
    missing on this host related to the AD integration or if something
    has changed since the version of samba is higher on the new host. We
    have the same set of private files also (passdb.tdb and secrets.tdb).

    Old version was 3.5.8 and the new version on the virtual host that
    does not work is 3.6.25.

    What OS is this on ?
    Can you upgrade to a Samba version that is not EOL ?


    Any ideas on how to debug this is helpful, I know very little about AD integration, perhaps the virtual host needs to join the domain again
    and authenticate, can I check the status of the integration in any
    way?

    You will probably need to join the new domain member again.


    # Global parameters
    [global]
    log file = /var/samba/log/clientlog.%m
    dns proxy = No
    acl check permissions = False
    netbios aliases = string1
    server string = string1
    name resolve order = hosts bcast
    realm = DOMAIN.NET
    password server = server3.string1.net sever4.string1.net
    # wins server = x.x.x.x
    local master = no
    workgroup = WGNAME
    os level = 0
    domain master = no
    encrypt passwords = yes
    security = DOMAIN

    Try changing 'security = DOMAIN' to 'security = ADS'

    Are you running winbind or are you using something else for
    authentication ?

    Rowland

  • From Marc Muehlfeld via samba@21:1/5 to All on Sat Mar 18 17:30:01 2017
    Hi Henrik,

    Am 18.03.2017 um 16:06 schrieb Henrik Johansson via samba:
    Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.

    That's not really a step forward to a supported Samba version. :-) https://wiki.samba.org/index.php/Samba_Release_Planning



    # Global parameters
    [global]
    log file = /var/samba/log/clientlog.%m
    dns proxy = No
    acl check permissions = False
    netbios aliases = string1
    server string = string1
    name resolve order = hosts bcast
    realm = DOMAIN.NET
    password server = server3.string1.net sever4.string1.net
    # wins server = x.x.x.x
    local master = no
    workgroup = WGNAME
    os level = 0
    domain master = no
    encrypt passwords = yes
    security = DOMAIN
    unix charset = ISO8859-1
    max log size = 50
    # Fix for not to do lpstat since we don't use printers in Samba
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes



    First some nitpicks about your smb.conf:
    * netbios aliases = string1
    Makes no sense to set an alias to exactly the same name
    as "server string" :-)

    * password server: If there is no reason to only query some
    specific servers, I would not limit this. If both are down,
    Samba won't talk to other remaining DCs.

    * encrypt passwords = yes
    This has been the default for a long time.

    These are just some improvement suggestions, not related to your problem.




    Ok. And now the things that are incorrect for a Samba AD domain member:

    * realm = DOMAIN.NET and workgroup = WGNAME
    In this case, I would expect that "DOMAIN" is your NetBIOS domain
    name ("workgroup" setting), not something different. If this
    really matches your AD setup, it should work - but it's not
    the recommended way to set up an AD.

    * security = DOMAIN
    This setting is for an NT4 domain. Use "security = ADS"

    * Your ID mapping configuration is missing completely.
    See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
    No warranty that this works for 3.6. Our documentation only
    covers supported Samba versions.




    I recommend the following:

    * Update Samba to a supported version (recommended: 4.6.0).
    Samba 3.6 was released 2011. A lot of things regarding AD were
    improved in later releases.
    https://wiki.samba.org/index.php/Updating_Samba

    * Read: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
    I recently rewrote the doc and it works for all supported versions.



    Regards,
    Marc

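Marc's three points about the [global] section can be checked mechanically before a join is attempted. The script below is an added example, not code from the thread or from the Samba wiki: `lint_smbconf` reports the AD-member mistakes discussed above (security not ADS, no idmap config, a pinned password server) and `print_ad_member_global` writes the replacement [global] skeleton, using a rid backend so that UIDs are computed from SIDs and no mapping database has to travel with the host when it is moved again. The idmap syntax is the one on the wiki page Marc links; whether every line holds for 3.6 must be confirmed against that version's smb.conf(5), as both Marc and Rowland note. Workgroup and realm values are the ones from the posted config. On Solaris 10 run it with AWK=nawk.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba wiki): check an smb.conf for
# the AD-member mistakes discussed above and print a corrected [global] skeleton.
# Assumes a POSIX sh and an awk with tolower() (on Solaris 10: AWK=nawk).
AWK=${AWK:-awk}

# lint_smbconf FILE: one line per finding, exit status = number of findings.
lint_smbconf() {
    "$AWK" '
        /^[ \t]*[#;]/ { next }                                   # comments
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                      sect = tolower(s); next }                  # section header
        sect == "global" && index($0, "=") > 0 {
            i = index($0, "=")
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+/, "", key); gsub(/[ \t]+$/, "", key)
            gsub(/^[ \t]+/, "", val); gsub(/[ \t]+$/, "", val)
            g[tolower(key)] = tolower(val)
        }
        END {
            n = 0
            sec = ("security" in g) ? g["security"] : "(unset)"
            if (sec != "ads") { print "security = " sec ": an AD member needs security = ADS"; n++ }
            if (!("realm" in g)) { print "realm missing: set the Kerberos realm in upper case"; n++ }
            for (k in g) if (k ~ /^idmap config /) idmap = 1
            if (!idmap) { print "no idmap config lines: winbind has no ID mapping for the domain"; n++ }
            if (("password server" in g) && g["password server"] != "*") {
                print "password server pinned to " g["password server"] ": drop it (or use *) so any DC can be used"; n++ }
            if ("encrypt passwords" in g) print "note: encrypt passwords is the default, the line is harmless"
            exit n
        }' "$1"
}

# print_ad_member_global WORKGROUP REALM: the [global] settings that replace
# the NT4-style ones, with rid mapping so UIDs are derived from SIDs and
# nothing has to be migrated with the host.
print_ad_member_global() {
    cat <<EOF
[global]
    workgroup = $1
    realm = $2
    security = ADS
    # ID mapping (syntax per the Samba wiki; confirm against smb.conf(5) of the version in use)
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config $1 : backend = rid
    idmap config $1 : range = 10000-999999
    winbind use default domain = yes
EOF
}

# Demo: the posted [global] (reconstructed here, values as in the thread) against the replacement.
tmp=$(mktemp -d)
cat >"$tmp/old.conf" <<'EOF'
[global]
    realm = DOMAIN.NET
    password server = server3.string1.net sever4.string1.net
    workgroup = WGNAME
    encrypt passwords = yes
    security = DOMAIN
[homes]
    browseable = No
EOF
print_ad_member_global WGNAME DOMAIN.NET >"$tmp/new.conf"
rc=0; lint_smbconf "$tmp/old.conf" || rc=$?
echo "old config: $rc findings"
rc=0; lint_smbconf "$tmp/new.conf" || rc=$?
echo "new config: $rc findings"
rm -rf "$tmp"
```

The lint only reads [global]; share sections such as the ones in the post are ignored on purpose, since none of the findings depend on them. After editing the file, `testparm -s` remains the authoritative syntax check for the installed version.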
  • From Henrik Johansson via samba@21:1/5 to All on Sat Mar 18 18:00:01 2017
    Hi Rowland and thanks for your reply,

    On 18 Mar 2017, at 16:54, Rowland Penny via samba <samba@lists.samba.org> wrote:

    On Sat, 18 Mar 2017 16:06:28 +0100
    Henrik Johansson via samba <samba@lists.samba.org> wrote:

    Hi!

    I am in a bit of trouble, I have moved a samba installation from one
    virtual host to another keeping the configuration files and
    filesystems. But during the transition something broke, now windows
    users are no longer able to access their shares. I think it has to do
    with the AD integration. I do not know if it is because some state is
    missing on this host related to the AD integration or if something
    has changed since the version of samba is higher on the new host. We
    have the same set of private files also (passdb.tdb and secrets.tdb).

    Old version was 3.5.8 and the new version on the virtual host that
    does not work is 3.6.25.

    What OS is this on ?
    Can you upgrade to a Samba version that is not EOL ?

    Short summary; this is on an old Solaris 10 system, the virtual host is a Solaris zone, or two instances of the zone on two hosts for failover. The config is years old and I had no part in this, but we needed to upgrade Solaris, and Oracle has only managed to
    release 3.5.8 or something close to that as patches. I could of course compile my own version or something but Samba was not the scope for this operation, it just stopped working which is a huge problem, and it can be because we needed to switch to the
    other zone or because the config did not work with this slightly newer version.



    Any ideas on how to debug this is helpful, I know very little about AD
    integration, perhaps the virtual host needs to join the domain again
    and authenticate, can I check the status of the integration in any
    way?

    You will probably need to join the new domain member again.

    I’m trying, and getting:

    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
    Failed to join domain: failed to connect to AD: Server not found in Kerberos database




    # Global parameters
    [global]
    log file = /var/samba/log/clientlog.%m
    dns proxy = No
    acl check permissions = False
    netbios aliases = string1
    server string = string1
    name resolve order = hosts bcast
    realm = DOMAIN.NET
    password server = server3.string1.net sever4.string1.net
    # wins server = x.x.x.x
    local master = no
    workgroup = WGNAME
    os level = 0
    domain master = no
    encrypt passwords = yes
    security = DOMAIN

    Try changing 'security = DOMAIN' to 'security = ADS'

    Are you running winbind or are you using something else for
    authentication ?

    I am under the impression that it’s kerberos.


    Rowland

  • From Henrik Johansson via samba@21:1/5 to and on Sat Mar 18 18:00:01 2017
    Hi Marc and thanks for your reply,


    On 18 Mar 2017, at 17:26, Marc Muehlfeld via samba <samba@lists.samba.org> wrote:

    Hi Henrik,

    Am 18.03.2017 um 16:06 schrieb Henrik Johansson via samba:
    Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.

    That's not really a step forward to a supported Samba version. :-) https://wiki.samba.org/index.php/Samba_Release_Planning


    I just replied to the first answer I got, and wrote a bit about the background, it’s Solaris 10 with the provided samba. I will look through your suggestion and try to create a new config, I would however like just to get it working as it was before right
    now and then take care of improvements when it’s not a disturbance for customers ( and not after a long night working in the weekend ;) ). I’ll try to see if I can recreate the “unconfigured” behaviour with id-mapping for now.



    # Global parameters
    [global]
    log file = /var/samba/log/clientlog.%m
    dns proxy = No
    acl check permissions = False
    netbios aliases = string1
    server string = string1
    name resolve order = hosts bcast
    realm = DOMAIN.NET
    password server = server3.string1.net sever4.string1.net
    # wins server = x.x.x.x
    local master = no
    workgroup = WGNAME
    os level = 0
    domain master = no
    encrypt passwords = yes
    security = DOMAIN
    unix charset = ISO8859-1
    max log size = 50
    # Fix for not to do lpstat since we don't use printers in Samba
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes



    First some nitpicks about your smb.conf:
    * netbios aliases = string1
    Makes no sense to set an alias to exactly the same name
    as "server string" :-)

    * password server: If there is no reason to only query some
    specific servers, I would not limit this. If both are down,
    Samba won't talk to other remaining DCs.

    * encrypt passwords = yes
    This has been the default for a long time.

    These are just some improvement suggestions, not related to your problem.




    Ok. And now the things that are incorrect for a Samba AD domain member:

    * realm = DOMAIN.NET and workgroup = WGNAME
    In this case, I would expect that "DOMAIN" is your NetBIOS domain
    name ("workgroup" setting), not something different. If this
    really matches your AD setup, it should work - but it's not
    the recommended way to set up an AD.

    * security = DOMAIN
    This setting is for an NT4 domain. Use "security = ADS"

    * Your ID mapping configuration is missing completely.
    See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
    No warranty that this works for 3.6. Our documentation only
    covers supported Samba versions.




    I recommend the following:

    * Update Samba to a supported version (recommended: 4.6.0).
    Samba 3.6 was released 2011. A lot of things regarding AD were
    improved in later releases.
    https://wiki.samba.org/index.php/Updating_Samba

    * Read: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
    I recently rewrote the doc and it works for all supported versions.



    Thank you, it looks like I have stumbled on an old configuration that has not been maintained, I’ll do my best to get up to speed on samba and see if I can get a working configuration and/or new version and get it to work.

    Regards
    Henrik


  • From Rowland Penny via samba@21:1/5 to Marc Muehlfeld via samba on Sat Mar 18 18:40:02 2017
    On Sat, 18 Mar 2017 17:26:11 +0100
    Marc Muehlfeld via samba <samba@lists.samba.org> wrote:

    Hi Henrik,

    Am 18.03.2017 um 16:06 schrieb Henrik Johansson via samba:
    Old version was 3.5.8 and the new version on the virtual host that
    does not work is 3.6.25.

    That's not really a step forward to a supported Samba version. :-) https://wiki.samba.org/index.php/Samba_Release_Planning

    Some people cannot upgrade, so they have to use what they have, but
    without knowing what OS the OP is using, we don't know if they can
    upgrade easily.


    First some nitpicks about your smb.conf:
    * netbios aliases = string1
    Makes no sense to set an alias to exactly the same name
    as "server string" :-)

    Why ?


    * password server: If there is no reason to only query some
    specific servers, I would not limit this. If both are down,
    Samba won't talk to other remaining DCs.

    That is correct and 'man smb.conf' tells you not to do it this way, but
    who reads manpages ;-)


    * encrypt passwords = yes
    This has been the default for a long time.

    It doesn't matter if there or not.


    Ok. And now the things that are incorrect for a Samba AD domain
    member:

    * realm = DOMAIN.NET and workgroup = WGNAME
    In this case, I would expect that "DOMAIN" is your NetBIOS domain
    name ("workgroup" setting), not something different. If this
    really matches your AD setup, it should work - but it's not
    the recommended way to set up an AD.

    Well, Microsoft says you can use a netbios domain name that is
    different from the left part of the DNS name, so I suppose Samba
    should as well.


    * Your ID mapping configuration is missing completely.
    See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
    No warranty that this works for 3.6. Our documentation only
    covers supported Samba versions.

    I notice it was missing as well, but the OP could be using something
    else instead of winbind. 'idmap config' existed on 3.6.0, so it should
    work.

    I recommend the following:

    * Update Samba to a supported version (recommended: 4.6.0).
    Samba 3.6 was released 2011. A lot of things regarding AD were
    improved in later releases.

    Why recommend something, that the OP might not be able to do, without
    all the facts.

    Rowland




  • From Rowland Penny via samba@21:1/5 to Henrik Johansson on Sat Mar 18 19:10:02 2017
    On Sat, 18 Mar 2017 17:49:31 +0100
    Henrik Johansson <henrikj@henkis.net> wrote:

    Hi Rowland and thanks for your reply,



    Short summary; this is on an old Solaris 10 system, the virtual host
    is a Solaris zone, or two instances of the zone on two hosts for
    failover. The config is years old and I had no part in this, but we
    needed to upgrade Solaris, and Oracle has only managed to release 3.5.8 or something close to that as patches. I could of course compile my own
    version or something but Samba was not the scope for this operation,
    it just stopped working which is a huge problem, and it can be
    because we needed to switch to the other zone or because the config
    did not work with this slightly newer version.


    OK, I wonder if you are running into the result of the badlock patches ?


    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not
    found in Kerberos database Failed to join domain: failed to connect
    to AD: Server not found in Kerberos database

    What is the DC ?
    What have you got in /etc/krb5.conf (or wherever it is)
    Does /etc/resolv.conf use the DC as the first nameserver


    I am under the impression that it’s kerberos.


    Samba uses winbind to talk to AD, so your first step will probably need
    to be, adding the idmap config lines as suggested by Marc.

    Rowland



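Rowland's three questions are the right order. The join got a ticket-granting ticket (kinit succeeded), then asked the KDC for a service ticket for the DC's LDAP service, and the KDC had no principal for the name the client used; so the DC name Samba resolved, the DNS setup and krb5.conf are what to compare. The script below is an added example, not code from the thread or from the Samba project. It parses resolv.conf and krb5.conf offline, derives the `ldap/<dc>@REALM` principal a bind to a given DC name needs, and, when `kvno` (MIT or Solaris Kerberos) and `dig`/`nslookup` are present, reproduces the ticket request and the `_ldap._tcp.dc._msdcs` SRV lookup. Realm, file paths and DC names are parameters; the files and DC names in the demo are constructed, only the realm is the one from the posted smb.conf.

```shell
#!/bin/sh
# Added example (not code from the thread or from Samba): pre-flight checks for
# a `net ads join` that fails with "Server not found in Kerberos database".
# Assumes POSIX sh and awk; dig/nslookup and kvno (MIT or Solaris Kerberos) are
# used only when present. File paths, realm and DC names are parameters.

# First resolver in a resolv.conf(5). A member joining AD must reach a DNS
# server that serves the _msdcs zone, normally a DC.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# default_realm from a krb5.conf(5), blanks stripped.
krb5_default_realm() {
    awk -F= '/^[ \t]*default_realm[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# Service principal for an LDAP bind to a DC reached under a given name. The
# host part is the name the client used, so a short or aliased name gives a
# principal the KDC does not hold (which is what the join error reports).
expected_spn() {   # $1 DC name as the client sees it, $2 realm
    printf 'ldap/%s@%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
                          "$(printf '%s' "$2" | tr 'a-z' 'A-Z')"
}

is_fqdn() { case $1 in *.*) return 0 ;; *) return 1 ;; esac; }

# DCs advertised by the realm's SRV record (best effort, two resolver tools).
srv_lookup() {   # $1 realm
    name="_ldap._tcp.dc._msdcs.$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
    if command -v dig >/dev/null 2>&1; then
        dig +short SRV "$name" | awk '{ sub(/\.$/, "", $4); print $4 }'
    elif command -v nslookup >/dev/null 2>&1; then
        nslookup -type=SRV "$name" | awk '/svr hostname|service =/ { sub(/\.$/, "", $NF); print $NF }'
    else
        echo "neither dig nor nslookup found; query $name by hand" >&2
        return 3
    fi
}

# $1 realm (as in smb.conf), $2 resolv.conf, $3 krb5.conf, rest: DC names to
# verify (from `password server`, or from srv_lookup). Returns 1 on any finding.
check_kerberos_prereqs() {
    realm=$1; resolv=$2; krb5=$3; shift 3
    status=0
    ns=$(first_nameserver "$resolv")
    echo "first nameserver in $resolv: ${ns:-NONE}  (should be a DC or forward to one)"
    kr=$(krb5_default_realm "$krb5")
    if [ "$kr" != "$realm" ]; then
        echo "WARN: default_realm '$kr' in $krb5 differs from smb.conf realm '$realm'"
        status=1
    fi
    for dc in "$@"; do
        if ! is_fqdn "$dc"; then
            echo "WARN: '$dc' is not fully qualified; the KDC only knows the DC by its DNS name"
            status=1
        fi
        spn=$(expected_spn "$dc" "$realm")
        if command -v kvno >/dev/null 2>&1; then
            # the same ticket request the join makes; needs a TGT (kinit first)
            if kvno "$spn" >/dev/null 2>&1; then
                echo "OK: KDC issued a ticket for $spn"
            else
                echo "FAIL: no ticket for $spn; on the DC compare with: setspn -L <DC computer account>"
                status=1
            fi
        else
            echo "INFO: kvno not found; check $spn on the DC with: setspn -L <DC computer account>"
        fi
    done
    return $status
}

# Demo on constructed files (realm from the posted smb.conf; DC names and
# addresses are made up).
tmp=$(mktemp -d)
printf 'domain string1.net\nnameserver 10.0.0.5\n' >"$tmp/resolv.conf"
printf '[libdefaults]\n default_realm = DOMAIN.NET\n dns_lookup_kdc = true\n' >"$tmp/krb5.conf"
rc=0
check_kerberos_prereqs DOMAIN.NET "$tmp/resolv.conf" "$tmp/krb5.conf" server3 server3.domain.net || rc=$?
echo "findings: $rc   (SRV record to query: _ldap._tcp.dc._msdcs.domain.net)"
rm -rf "$tmp"
```

On the real host, feed it the names from `password server` and the output of `srv_lookup DOMAIN.NET`: a name that the SRV record advertises but that resolves differently through `name resolve order = hosts bcast` (an /etc/hosts alias, a short name) is exactly the mismatch that produces the join error.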
  • From Marc Muehlfeld via samba@21:1/5 to All on Sat Mar 18 19:30:01 2017
    Am 18.03.2017 um 18:27 schrieb Rowland Penny via samba:
    First some nitpicks about your smb.conf:
    * netbios aliases = string1
    Makes no sense to set an alias to exactly the same name
    as "server string" :-)

    Why ?

    Sorry, my fault. I mixed "server string", which is just a comment, with "netbios name".




    * encrypt passwords = yes
    This is default since a longer time.

    It doesn't matter if there or not.

    Doesn't "this is default" mean exactly that it does not matter whether
    it's there or not?




    Ok. And now the things that are incorrect for a Samba AD domain
    member:

    * realm = DOMAIN.NET and workgroup = WGNAME
    In this case, I would expect that "DOMAIN" is your NetBIOS domain
    name ("workgroup" setting), not something different. If this
    really matches your AD setup, it should work - but it's not
    the recommended way to set up an AD.

    Well, Microsoft says you can use a netbios domain name that is
    different from the left part of the DNS name, so I suppose Samba
    should as well.

    I just said that it's not recommended; neither that it's not allowed nor
    that it's not working.




    * Your ID mapping configuration is missing completely.
    See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
    No warranty that this works for 3.6. Our documentation only
    covers supported Samba versions.

    I notice it was missing as well, but the OP could be using something
    else instead of winbind. 'idmap config' existed on 3.6.0, so it should
    work.

    Samba only supports Winbind, not "something else". :-)

    I know we had "idmap config" in 3.6, but it was still new that time.
    Mentioning that the Wiki docs for the latest versions might not work
    for the 6 year old 3.6 series seems reasonable to me, because parameters
    might have been added/removed and defaults changed.




    I recommend the following:

    * Update Samba to a supported version (recommended: 4.6.0).
    Samba 3.6 was released 2011. A lot of things regarding AD were
    improved in later releases.

    Why recommend something, that the OP might not be able to do, without
    all the facts.

    Based on the facts we have (he is running 3.6), I recommend updating. If
    he is not able to update, e. g. because Samba fails to build on his OS,
    he will tell us.


    Regards,
    Marc




  • From Henrik Johansson via samba@21:1/5 to All on Sat Mar 18 20:00:02 2017

    Short summary; this is on an old Solaris 10 system, the virtual host
    is a Solaris zone, or two instances of the zone on two hosts for
    failover. The config is years old and I had no part in this, but we
    needed to upgrade Solaris, and Oracle has only managed to release 3.5.8 or
    something close to that as patches. I could of course compile my own
    version or something but Samba was not the scope for this operation,
    it just stopped working which is a huge problem, and it can be
    because we needed to switch to the other zone or because the config
    did not work with this slightly newer version.


    OK, I wonder if you are running into the result of the badlock patches ?


    Yes I am having badluck! Thank you so much, I solved it not by upgrading but by downgrading below 3.6.25, so without badlock for the time being. Solved the urgent problem but we need to have a plan to go to a later version but under well tested conditions.
    Thanks again!

    Regards
    Henrik
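Rolling back below 3.6.25 restores the old behaviour because 3.6.25 is the Badlock security release for the 3.6 branch (CVE-2016-2118, a man-in-the-middle attack on the DCE/RPC protocols including SAMR and LSA), so the fix also removes that protection until the later, tested upgrade happens. The script below is an added example, not code from the thread or from Samba: a version check for inventorying hosts that have been held back, driven by the string `smbd -V` prints. The cut-offs are the upstream releases that shipped the fix; vendor builds that backport it without changing the version string are reported as unpatched, which the script cannot know, so check the vendor advisory in that case.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): is a version string from
# `smbd -V` ("Version 3.6.25") at or past the release that carries the Badlock
# fixes on its branch? Cut-offs are the upstream security releases of
# 2016-04-12: 3.6.25, 4.2.11, 4.3.8, 4.4.2; branches from 4.5 on shipped after
# the fix. Other branches are not in this table and are treated as unpatched.
# Vendor backports that keep the old version string are misreported; check the
# vendor advisory then. Assumes POSIX sh and sed.

# badlock_fixed VERSION -> 0 fixed, 1 unpatched (or a branch outside the table), 2 unparsable
badlock_fixed() {
    v=$(printf '%s' "$1" | sed -n 's/^[Vv]ersion *//; s/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$v" ] || return 2
    set -- $v
    major=$1 minor=$2 patch=$3
    case "$major.$minor" in
        3.6) need=25 ;;
        4.2) need=11 ;;
        4.3) need=8 ;;
        4.4) need=2 ;;
        *)   # 4.5 and later were released after the fix
             if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 5 ]; }; then
                 return 0
             fi
             return 1 ;;
    esac
    [ "$patch" -ge "$need" ]
}

# Report on the installed smbd, if any.
report_installed() {
    if ! command -v smbd >/dev/null 2>&1; then
        echo "smbd not on PATH"
        return 3
    fi
    ver=$(smbd -V)
    rc=0; badlock_fixed "$ver" || rc=$?
    case $rc in
        0) echo "$ver: carries the Badlock fixes" ;;
        1) echo "$ver: predates the Badlock fixes (CVE-2016-2118 exposure on DCE/RPC)" ;;
        *) echo "$ver: could not parse" ;;
    esac
    return $rc
}

# The versions named in the thread, plus the recommended upgrade target.
for v in "Version 3.5.8" "Version 3.6.23" "Version 3.6.25" "Version 4.6.0"; do
    rc=0; badlock_fixed "$v" || rc=$?
    echo "$v -> $rc"
done
report_installed || :
```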
  • From Gaiseric Vandal via samba@21:1/5 to All on Sat Mar 18 23:20:02 2017
    Compiling Samba on Solaris 10 is a major pain in the ...

    Solaris 11 shipped with Samba 3.x but patches up to samba 4.7.x (You may need a contract to be able to pull the latest version.) There is a little bit of a learning curve with solaris 11. Editing /etc/nsswitch.conf now involves some
    complicated magic commands. Samba 4.7.x worked AOK.





    -----Original Message-----
    From: samba [mailto:samba-bounces@lists.samba.org] On Behalf Of Henrik Johansson via samba
    Sent: Saturday, March 18, 2017 2:55 PM
    To: Rowland Penny <rpenny@samba.org>
    Cc: samba@lists.samba.org
    Subject: Re: [Samba] AD integration not working after move/version



    Short summary; this is on an old Solaris 10 system, the virtual host
    is a Solaris zone, or two instances of the zone on two hosts for
    failover. The config is years old and I had no part in this, but we
    needed to upgrade Solaris, and Oracle has only managed to release 3.5.8 or
    something close to that as patches. I could of course compile my own
    version or something but Samba was not the scope for this operation,
    it just stopped working which is a huge problem, and it can be
    because we needed to switch to the other zone or because the config
    did not work with this slightly newer version.


    OK, I wonder if you are running into the result of the badlock patches ?


    Yes I am having badluck! Thank you so much, I solved it not by upgrading but by downgrading below 3.6.25, so without badlock for the time being. Solved the urgent problem but we need to have a plan to go to a later version but under well tested conditions.
    Thanks again!

    Regards
    Henrik