[Pkg-samba-maint] Bug#821069: samba: Client and server side signing mismatches after upgrade...

Marco Gaiarin gaio at sv.lnf.it
Fri Apr 15 15:56:42 UTC 2016


Package: samba
Version: 2:3.6.6-6+deb7u9
Followup-For: Bug #821069

I prefer to reply to this bug, but also client cannot logon to the domain
so clearly this is a duplicate of bug #820982.

As stated in #820982, the culprit came from a mismatch in ''signing''
between client and server. Some command line sessions:


BEFORE UPGRADE:

root@lupus:~# net rpc testjoin
Join to 'SVCORSI' is OK

root@lupus:~# testparm > /tmp/smb.conf.before
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "enable privileges" option is deprecated
Can't find include file /etc/samba/smb.conf.
Processing section "[printers]"
Processing section "[baleno]"
Processing section "[print$]"
Processing section "[netlogon]"
Processing section "[homes]"
Processing section "[profiles]"
Processing section "[wpkg]"
Processing section "[larpch]"
Processing section "[Users]"
Processing section "[Media]"
Processing section "[Software]"
Processing section "[web]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions


AFTER UPGRADE:

root@lupus:~# net rpc testjoin
Connection failed: NT_STATUS_ACCESS_DENIED
Join to domain 'SVCORSI' is not valid: NT_STATUS_ACCESS_DENIED
root@lupus:~# net -d 10 rpc testjoin
INFO: Current debug levels:
  all: 10
[...]
Connecting to 10.5.7.1 at port 445
Socket options:
	SO_KEEPALIVE = 0
	SO_REUSEADDR = 0
	SO_BROADCAST = 0
	TCP_NODELAY = 1
	TCP_KEEPCNT = 9
	TCP_KEEPIDLE = 7200
	TCP_KEEPINTVL = 75
	IPTOS_LOWDELAY = 0
	IPTOS_THROUGHPUT = 0
	SO_SNDBUF = 16384
	SO_RCVBUF = 16384
	SO_SNDLOWAT = 1
	SO_RCVLOWAT = 1
	SO_SNDTIMEO = 0
	SO_RCVTIMEO = 0
	TCP_QUICKACK = 1
Substituting charset 'UTF-8' for LOCALE
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
Cannot connect to server (anonymously).  Error was NT_STATUS_ACCESS_DENIED
lang_tdb_init: /usr/share/samba/it_IT.UTF-8.msg: File o directory non esistente
Connection failed: NT_STATUS_ACCESS_DENIED
Join to domain 'SVCORSI' is not valid: NT_STATUS_ACCESS_DENIED
return code = -1

Note the 'cli_negprot: SMB signing is mandatory and the server doesn't
support it.'.
But also note that, without notice, a default option changed:


root@lupus:~# testparm > /tmp/smb.conf.after
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "enable privileges" option is deprecated
Can't find include file /etc/samba/smb.conf.
Processing section "[printers]"
Processing section "[baleno]"
Processing section "[print$]"
Processing section "[netlogon]"
Processing section "[homes]"
Processing section "[profiles]"
Processing section "[wpkg]"
Processing section "[larpch]"
Processing section "[Users]"
Processing section "[Media]"
Processing section "[Software]"
Processing section "[web]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

root@lupus:~# diff -ud /tmp/smb.conf.before /tmp/smb.conf.after
--- /tmp/smb.conf.before	2016-04-15 17:32:57.062343755 +0200
+++ /tmp/smb.conf.after	2016-04-15 17:35:46.310718374 +0200
@@ -9,6 +9,7 @@
 	syslog = 0
 	log file = /var/log/samba/log.%m
 	time server = Yes
+	client signing = required
 	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 	printcap name = cups
 	add user script = /usr/sbin/smbldap-useradd "%u"
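Review bot: at the added 'client signing = required' line, the hunk has no 'server signing' line on either side, so the diff shows only the client half of the negotiation and not what the server will offer. testparm lists only non-default parameters unless asked otherwise, so dumping with 'testparm -sv' before and after and comparing 'client signing' together with 'server signing' would put both halves of the mismatch in one diff.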


eg, now 'client signing = required'.


Instead of adding 'client signing = no' as stated in bug #820982, I've
added:
	server signing = auto

for now, and all works as expected; but I've to experiment a bit with the
suggested:

	server signing = mandatory
	ntlm auth = no

before implementing it.


A little note: debconf of the samba3 upgrade does not warn about the upgrade
as the samba4 upgrade in jessie, so users can get even more confused about.

Thanks.

-- System Information:
Debian Release: 7.10
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages samba depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg                   1.16.17
ii  libacl1                2.2.51-8
ii  libattr1               1:2.4.46-8
ii  libc6                  2.13-38+deb7u10
ii  libcap2                1:2.22-1.2
ii  libcomerr2             1.42.5-1.1+deb7u1
ii  libcups2               1.5.3-5+deb7u6
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u7
ii  libk5crypto3           1.10.1+dfsg-5+deb7u7
ii  libkrb5-3              1.10.1+dfsg-5+deb7u7
ii  libldap-2.4-2          2.4.31-2+deb7u1
ii  libpam-modules         1.1.3-7.1
ii  libpam-runtime         1.1.3-7.1
ii  libpam0g               1.1.3-7.1
ii  libpopt0               1.16-7
ii  libtalloc2             2.0.7+git20120207-1
ii  libtdb1                1.2.10-2
ii  libwbclient0           2:3.6.6-6+deb7u9
ii  lsb-base               4.1+Debian8+deb7u1
ii  procps                 1:3.3.3-3
ii  samba-common           2:3.6.6-6+deb7u9
ii  update-inetd           4.43
ii  zlib1g                 1:1.2.7.dfsg-13

Versions of packages samba recommends:
ii  logrotate  3.8.1-4
ii  tdb-tools  1.2.10-2

Versions of packages samba suggests:
pn  ctdb                              <none>
pn  ldb-tools                         <none>
ii  openbsd-inetd [inet-superserver]  0.20091229-2
ii  smbldap-tools                     0.9.10-0gaio3.1

-- debconf information excluded
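
The mismatch reported above can be checked for directly in a testparm dump. The script below is an added example, not part of the original message or of Samba; it assumes the host is both SMB client and server with one smb.conf (as on the PDC in the post), treats a missing 'server signing' line as signing not offered, and recognises only the values that appear in the post. The function names and sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify a testparm dump for
# the client/server signing mismatch. Only values seen in the post are known.

# Print the lower-cased value of a [global] parameter, or nothing if absent.
get_global() {  # $1 = parameter name, $2 = testparm dump
    awk -v key="$1" '
        /^\[/ { in_global = (tolower($0) == "[global]"); next }
        in_global && (n = index($0, "=")) {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) val = tolower(v)
        }
        END { print val }' "$2"
}

# Verdict for a host that talks SMB to itself (assumption: same smb.conf on
# both ends). An absent "server signing" line counts as "not offered"
# (assumption, matching the debug log in the post).
signing_verdict() {  # $1 = testparm dump
    client=$(get_global "client signing" "$1")
    server=$(get_global "server signing" "$1")
    case "$client" in
        required|mandatory) ;;
        *) echo "ok: client does not require signing"; return 0 ;;
    esac
    case "$server" in
        auto|mandatory|required)
            echo "ok: client requires signing, server offers it" ;;
        *)
            echo "mismatch: client signing = $client, server signing = ${server:-unset}"
            return 1 ;;
    esac
}

# Constructed sample dumps modelled on the diff in the post.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '[global]\n\ttime server = Yes\n\tclient signing = required\n\n[homes]\n\tcomment = x\n' > "$tmp/after"
printf '[global]\n\tclient signing = required\n\tserver signing = auto\n' > "$tmp/fixed"
signing_verdict "$tmp/after" || true
signing_verdict "$tmp/fixed"
```

On a real host the input would be the output of 'testparm -s' saved to a file.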