Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: bs_bay on April 13, 2016, 05:53:42 PM
-
When updating to the latest samba updates:
===
=== yum reports available updates:
===
libsmbclient.i386 3.0.33-3.41.el5_11 updates
samba3x.i386 3.6.23-12.el5_11 updates
samba3x-client.i386 3.6.23-12.el5_11 updates
samba3x-common.i386 3.6.23-12.el5_11 updates
samba3x-winbind.i386 3.6.23-12.el5_11 updates
ALL prior required updates have been performed prior to these.
This also comes after a Windows update. However, 2 PCs, one Win7 the other Windows 10, joined the domain and were able to login prior to the update. However, after the update neither Windows 7 nor Windows 10 clients can log into the sme 8.2 Server as there is a NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE during the attempted login.
I've removed the client by force from the domain and added them back onto the domain and still I get this same error.
Rebooted the server and client PCs and still the same error.
I even performed a yum downgrade to remove these updates and I still see the same trust relationship failure error.
In the Messages file I see the following format for multiple users:
Apr 13 09:49:12 icarus smbd[12805]: [2016/04/13 09:49:12.254867, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
Apr 13 09:49:12 icarus smbd[12805]: _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC3 machine account PC3$
What suggestions or options should I try? What else do you need to see?
Thanks,
Bill
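
Added example, not part of the original post: one way to see which machine accounts are being rejected, by counting the `netlogon_creds_server_check failed` entries per account. The function names are made up for illustration, and the sample lines are constructed in the format of the two log lines quoted above (the LAPTOP7 and sshd entries are invented).

```shell
#!/bin/sh
# Added example: summarise Samba netlogon secure-channel rejections per
# machine account from syslog-style input.

# Constructed sample log. Only the first two lines follow the post verbatim.
sample_log() {
cat <<'EOF'
Apr 13 09:49:12 icarus smbd[12805]: [2016/04/13 09:49:12.254867, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
Apr 13 09:49:12 icarus smbd[12805]: _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC3 machine account PC3$
Apr 13 09:52:40 icarus smbd[12811]: _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client LAPTOP7 machine account LAPTOP7$
Apr 13 10:01:03 icarus smbd[12830]: _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC3 machine account PC3$
Apr 13 10:02:00 icarus sshd[4411]: Accepted password for admin from 192.168.1.10 port 51234 ssh2
EOF
}

# stdin:  syslog lines
# stdout: one line per rejected machine account, in order of first appearance:
#         <count> <account> first="<timestamp>" last="<timestamp>"
netlogon_rejects() {
    awk '
    /netlogon_creds_server_check failed/ && /machine account/ {
        acct = $NF                    # last field is the machine account (PC3$)
        ts = $1 " " $2 " " $3         # syslog timestamp, e.g. "Apr 13 09:49:12"
        if (!(acct in count)) {       # first time this account is seen
            first[acct] = ts
            order[++n] = acct
        }
        count[acct]++
        last[acct] = ts
    }
    END {
        for (i = 1; i <= n; i++) {
            a = order[i]
            printf "%d %s first=\"%s\" last=\"%s\"\n", count[a], a, first[a], last[a]
        }
    }'
}

# Demo on the constructed sample.
# On a server the input would be the log itself:
#   netlogon_rejects < /var/log/messages
sample_log | netlogon_rejects
```

If every domain member starts appearing in this list at the time of a package update, the server side is the likely cause rather than any individual workstation's machine password.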
-
Still the same here on sme9 and win7...
-
Please file a bug ASAP, thank you
-
Thanks Stefano,
I'm always a little hesitant to post a bug but -- it is now submitted!
Bill
-
I'm always a little hesitant to post a bug but -- it is now submitted!
no reason to be afraid :-)
https://bugs.contribs.org/show_bug.cgi?id=9448
-
Update:
Daniel suggested upstream report - I'll go there and submit as well...
B
Daniel B. 2016-04-13 19:39:34 CEST
This is an upstream issue, and should be reported on bugzilla.redhat.com
-
Ok,
the short and long of it is I need to roll back to the prior version of samba.
My current version is 3.6.23-12.el5_11
Does anyone know the prior version?
I've tried the downgrade version to no avail as it indicates these packages are not available. The command I used is:
yum downgrade samba3x-3.5.4-0.70.el5 samba3x-winbind-3.5.4-0.70.el5 samba3x-3.5.4-0.70.el5 samba3x-client-3.5.4-0.70.el5 samba3x-common-3.5.4-0.70.el5 *smb* -y
the result is:
No package samba3x-3.5.4-0.70.el5 available.
No package samba3x-winbind-3.5.4-0.70.el5 available.
No package samba3x-3.5.4-0.70.el5 available.
No package samba3x-client-3.5.4-0.70.el5 available.
No package samba3x-common-3.5.4-0.70.el5 available.
No Match for available package: gnome-vfs2-smb-2.16.2-12.el5_9.i386
Only Upgrade available on package: libsmbclient-3.0.33-3.40.el5_10.i386
No Match for available package: libsmbclient-devel-3.0.33-3.40.el5_10.i386
No Match for available package: pam_smb-1.1.7-7.2.1.i386
Nothing to do
The only package I was able to somehow downgrade is libsmbclient-3.0.33-3.40.el5_10.i386 which I don't want to upgrade
Any suggestions?
Thanks,
B
-
Try this procedure from RH: https://access.redhat.com/solutions/64069
-
Sorry EL6 and above only
-
Rollback to previous version works for me:
use search and get these at http://rpm.pbone.net/
libsmbclient-3.0.33-3.40.el5_10.i386
samba3x-winbind-3.6.23-9.el5_11.i386
samba3x-common-3.6.23-9.el5_11.i386
samba3x-client-3.6.23-9.el5_11.i386
samba3x-3.6.23-9.el5_11.i386
rpm -Uvh *.rpm --force and stop+start samba from sme8admin
-
I recommend using
yum downgrade samba\* libsmbclient
Instead of getting RPMS from untrusted sources
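
Added example, not from the thread: when a package does have to come from outside the configured repositories, as in the manual rollback above, its signature can be checked with `rpm -K` before anything is installed. The function names and the sample `rpm -K` result lines are constructed for illustration; `signed-ok` only means "signed by a key already imported into the rpm keyring", so the keyring must hold only keys you trust.

```shell
#!/bin/sh
# Added example: gate manually downloaded RPMs on a verified GPG signature.

# $1: one result line from `rpm -K`, "<file>: <checks> OK" or "... NOT OK ..."
# Prints one of: signed-ok, reject-failed, reject-unsigned, reject-unknown
classify_checksig() {
    result=${1#*: }                 # drop the "<file>: " prefix
    case "$result" in
        *"NOT OK"*)
            echo reject-failed ;;   # bad digest, bad signature or missing key
        *gpg*OK|*pgp*OK|*signatures*OK)
            echo signed-ok ;;       # a signature was present and verified
        *OK)
            echo reject-unsigned ;; # digests only: intact, but nobody signed it
        *)
            echo reject-unknown ;;
    esac
}

# $1: directory holding the downloaded *.rpm files.
# Returns 0 only if every package is signed-ok, 1 if any is rejected,
# 2 if the directory holds no RPMs.
verify_rpm_dir() {
    bad=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || { echo "no RPMs in $1" >&2; return 2; }
        verdict=$(classify_checksig "$(rpm -K "$f" 2>/dev/null | tail -n 1)")
        echo "$verdict $f"
        [ "$verdict" = signed-ok ] || bad=1
    done
    return "$bad"
}

# Demo on constructed result lines (no rpm binary needed for this part).
demo() {
    for line in \
        'samba3x-3.6.23-9.el5_11.i386.rpm: (sha1) dsa sha1 md5 gpg OK' \
        'samba3x-3.6.23-9.el5_11.i386.rpm: sha1 md5 OK' \
        'samba3x-3.6.23-9.el5_11.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK'
    do
        echo "$(classify_checksig "$line")  <=  $line"
    done
}
demo

# Intended use on the server (hypothetical directory):
#   verify_rpm_dir /root/rollback && rpm -Uvh /root/rollback/*.rpm
```

An unsigned package still reports `OK` for its digests, which is why the check looks for the signature token and not just the exit status.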
-
Good day everyone!
I'm happy to report that Daniel B's solution worked! Simple yet precise. THANKS Daniel!
TerryF - I did find a similar solution I tried from Red Hat but it didn't work. If I could have found the old versions that Bunkobugsy listed then I could have forced the downgrade.
Thanks for the resource bunkobugsy - that seems a great solution too. However, as Daniel said, hard to trust archives of backup RPMs. Maybe you've had some experience with them?
I guess my final question is why did this update roll out? Seems I'm not the only one who has dealt with this? Consequently, I HATE Microsoft - nothing but trouble in every aspect of the design.
I guess my next move is to SME 9 as 8.2 is at EOL in July...
Thanks,
B
-
FYI, not surprising at all: this is an issue common to SME 8.2 and 9.1. For 9.1 see also here: https://forums.contribs.org/index.php/topic,52404.0.html
Regards, turandot
-
I recommend using
yum downgrade samba\* libsmbclient
Instead of getting RPMS from untrusted sources
Thanks Daniel B. Worked perfectly for me on SME 9.1
regards
Paul
-
Is the problem solved by now? I would like to update my SME 9.1 and some older 8.x servers...
# SME 9.1
Löse Abhängigkeiten auf
--> Führe Transaktionsprüfung aus
---> Package kernel.x86_64 0:2.6.32-573.26.1.el6 will be installiert
---> Package kernel-firmware.noarch 0:2.6.32-573.22.1.el6 will be aktualisiert
---> Package kernel-firmware.noarch 0:2.6.32-573.26.1.el6 will be an update
---> Package kernel-headers.x86_64 0:2.6.32-573.22.1.el6 will be aktualisiert
---> Package kernel-headers.x86_64 0:2.6.32-573.26.1.el6 will be an update
---> Package libtalloc.x86_64 0:2.0.7-2.el6 will be aktualisiert
---> Package libtalloc.x86_64 0:2.1.5-1.el6_7 will be an update
---> Package libtdb.x86_64 0:1.2.10-1.el6 will be aktualisiert
---> Package libtdb.x86_64 0:1.3.8-1.el6_7 will be an update
---> Package libtevent.x86_64 0:0.9.18-3.el6 will be aktualisiert
---> Package libtevent.x86_64 0:0.9.26-2.el6_7 will be an update
---> Package samba.x86_64 0:3.6.23-25.el6_7 will be aktualisiert
---> Package samba.x86_64 0:3.6.23-30.el6_7 will be an update
---> Package samba-client.x86_64 0:3.6.23-25.el6_7 will be aktualisiert
---> Package samba-client.x86_64 0:3.6.23-30.el6_7 will be an update
---> Package samba-common.x86_64 0:3.6.23-25.el6_7 will be aktualisiert
---> Package samba-common.x86_64 0:3.6.23-30.el6_7 will be an update
---> Package samba-winbind.x86_64 0:3.6.23-25.el6_7 will be aktualisiert
---> Package samba-winbind.x86_64 0:3.6.23-30.el6_7 will be an update
---> Package samba-winbind-clients.x86_64 0:3.6.23-25.el6_7 will be aktualisiert
---> Package samba-winbind-clients.x86_64 0:3.6.23-30.el6_7 will be an update
---> Package tdb-tools.x86_64 0:1.2.10-1.el6 will be aktualisiert
---> Package tdb-tools.x86_64 0:1.3.8-1.el6_7 will be an update
---> Package tzdata.noarch 0:2016c-1.el6 will be aktualisiert
---> Package tzdata.noarch 0:2016d-1.el6 will be an update
--> Abhängigkeitsauflösung beendet
--> Führe Transaktionsprüfung aus
---> Package kernel.x86_64 0:2.6.32-573.12.1.el6 will be gelöscht
--> Abhängigkeitsauflösung beendet
Abhängigkeiten aufgelöst
==================================================================================================================================================
Paket Arch Version Repository Grösse
==================================================================================================================================================
Installieren:
kernel x86_64 2.6.32-573.26.1.el6 updates 30 M
Aktualisieren:
kernel-firmware noarch 2.6.32-573.26.1.el6 updates 18 M
kernel-headers x86_64 2.6.32-573.26.1.el6 updates 3.9 M
libtalloc x86_64 2.1.5-1.el6_7 updates 26 k
libtdb x86_64 1.3.8-1.el6_7 updates 43 k
libtevent x86_64 0.9.26-2.el6_7 updates 29 k
samba x86_64 3.6.23-30.el6_7 updates 5.1 M
samba-client x86_64 3.6.23-30.el6_7 updates 11 M
samba-common x86_64 3.6.23-30.el6_7 updates 10 M
samba-winbind x86_64 3.6.23-30.el6_7 updates 2.2 M
samba-winbind-clients x86_64 3.6.23-30.el6_7 updates 2.0 M
tdb-tools x86_64 1.3.8-1.el6_7 updates 24 k
tzdata noarch 2016d-1.el6 updates 451 k
Entfernen:
kernel x86_64 2.6.32-573.12.1.el6 @updates 126 M
Vorgangsübersicht
==================================================================================================================================================
Install 1 Package(s)
Upgrade 12 Package(s)
Remove 1 Package(s)
Gesamte Downloadgrösse: 83 M
Best
-
No, still not solved. You can update if you don't need domain functionality. Or you can update everything but samba packages with:
yum update --exclude=samba\*,libtalloc,libtdb,libtevent,tdb-tools
-
Thank you Daniel.
Regards
-
I don't think so, this is the latest on the upstream bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1326918#c24
-
thanks to this post and all who have posted here
fixed problem for me :-)
-
Just to say we have the same problem on SME 8.1 and 9.1 and with Windows 7, 8.1 and 10 on 78 domain member workstations at two sites so far :(
I'm not happy about running insecure versions, but if that's what it takes...
Should I add to the report upstream or is that redundant?
Ta.
-
Just to say we have the same problem on SME 8.1 and 9.1....
You should update your SME Server 8.1 to SME Server 8.2
-
Apologies, a mistyping: SME 8.*2* and 9.1
-
Looks OK (SME9) since the update today, can anybody confirm ?
-
Looks OK (SME9) since the update today, can anybody confirm ?
I doubt it - the fix has not been released upstream as far as I can tell.
I've updated my servers using the update command from above which excludes the Samba stuff.
-
I doubt it - the fix has not been released upstream as far as I can tell.
Can't say for SME8, but on SME9 it seems to be fixed
-
Will do some tests asap and report back
-
here I am..
VM running SME 8.2 with samba3x-3.6.23-9.el5_11.. enabled DC, joined a VM running w2003.. all working as expected..
update SME to the last step, running on samba3x-3.6.23-12.el5_11.. I'm not able to log in anymore
so for SME8.2 the issue is still present
-
3.6.23-35 for SME 9.1 fixes this https://rhn.redhat.com/errata/RHBA-2016-0992.html
-
3.6.23-35 for SME 9.1 fixes this https://rhn.redhat.com/errata/RHBA-2016-0992.html
They slipped that out under the cover of darkness...
Not in rhsa announcements...
Edited: grammar
-
I am no expert, but the upgrades to 9.1 seem to be working fine for me for my Windows XP and Windows 7 domain logons,
regards Paul
-
bunkobugsy & pisaacs
....the upgrades to 9.1 seem to be working fine for me for my Windows XP and Windows 7 domain logons,
But this is a SME8.x forum, so your comments are not applicable here.
As Stefano says based on his tests, "....so for SME8.2 the issue is still present"
-
The Red Hat errata announcement https://rhn.redhat.com/errata/RHBA-2016-0992.html
quote
Updated samba packages that fix regressions introduced by the last security
release are now available for Red Hat Enterprise Linux 6.
end quote
So Koozali SME9 should be updated..
Still to see any update for RH v5, covers Koozali SME8
-
bunkobugsy & pisaacs
But this is a SME8.x forum, so your comments are not applicable here.
As Stefano says based on his tests, "....so for SME8.2 the issue is still present"
My apologies, but this issue also affected 9.x, yet I can find no mention of it in the 9.x forums...
-
My apologies, but this issue also affected 9.x, yet I can find no mention of it in the 9.x forums...
Keep watch :-)
-
pisaacs
.....this issue also affected 9.x, yet I can find no mention of it in the 9.x forums...
It seems you missed seeing this thread
https://forums.contribs.org/index.php/topic,52404.15.html
-
pisaacs
It seems you missed seeing this thread
https://forums.contribs.org/index.php/topic,52404.15.html
Thanks
-
As a follow up to this I yesterday upgraded the samba packages on a v8.2
I have the following mounts in an Xubuntu 14.04 LTS desktop
//server/testbay /home/user/Mounts/testbay cifs credentials=/etc/samba/user,uid=1000,gid=500,sec=ntlmv2 0 0
After the upgrade/reboot I got mount errors on the client as follows:
/var/log/kern.log
xubuntu kernel: [22743.557463] CIFS VFS: Send error in SessSetup = -22
xubuntu kernel: [22743.557856] CIFS VFS: cifs_mount failed w/return code = -22
xubuntu kernel: [22743.574662] Status code returned 0xc000000d NT_STATUS_INVALID_PARAMETER
sudo mount -a gives:
mount error(22): Invalid argument
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
I remembered seeing that ntlmv2 was going to get deprecated/disused and had a note that I should probably move at some point to using
sec=krb5(i) or sec=ntlmssp(i)
I changed to ntlmssp and mounts are not working as before.
//server/general /home/user/Mounts/general cifs credentials=/etc/samba/user,uid=1000,gid=500,sec=ntlmssp 0 0
In this case it would not appear to be a direct issue with SME but with Xubuntu.
Server packages:
[root@server ~]# rpm -qa |grep samba
samba3x-winbind-3.6.23-12.el5_11
samba3x-3.6.23-12.el5_11
samba3x-client-3.6.23-12.el5_11
samba3x-common-3.6.23-12.el5_11
e-smith-samba-2.2.0-66.el5.sme
For those in a similar scenario I strongly suggest looking at the SSSD/LDAP pages on the wiki here https://wiki.contribs.org/Client_Authentication:Ubuntu_via_sssd/ldap. It's fairly easy to set up, and works really well.
-
Just confirming this is still broken with Win8 and SME8.2. Did a full yum update yesterday only to find today the Win8 domain connected PC's were locked out as in original post.
Confirming Daniel b's yum downgrade worked. Just ran yum downgrade, restarted smb service, but alas I had to rejoin the PC to the domain.
Back to running Samba version 3.6.23.
BTW, I made a simple Samba users status panel for my previous server that works on this. I'll post in the Contribs forum.
-
Red Hat have at long last released samba-3x updates:
https://access.redhat.com/errata/RHBA-2016:1294
They should be available through centos mirrors soon.
-
I have just updated my SME 8.2 machine (32Bit):
[root@my-sme-server-8.2-32Bit ~]# yum list samba*
Loaded plugins: fastestmirror, protect-packages, smeserver
Loading mirror speeds from cached hostfile
* base: centos.schlundtech.de
* smeaddons: mirror.enpol-ict.net
* smeextras: mirror.enpol-ict.net
* smeos: mirror.enpol-ict.net
* smeupdates: mirror.enpol-ict.net
* updates: centos.bio.lmu.de
Excluding Packages from CentOS - os
Finished
Excluding Packages from CentOS - updates
Finished
Installed Packages
samba3x.i386 3.6.23-13.el5_11 installed
samba3x-client.i386 3.6.23-13.el5_11 installed
samba3x-common.i386 3.6.23-13.el5_11 installed
samba3x-winbind.i386 3.6.23-13.el5_11 installed
Available Packages
samba.i386 3.0.33-3.41.el5_11 updates
samba-client.i386 3.0.33-3.41.el5_11 updates
samba-common.i386 3.0.33-3.41.el5_11 updates
samba-swat.i386 3.0.33-3.41.el5_11 updates
samba3x-doc.i386 3.6.23-13.el5_11 updates
samba3x-domainjoin-gui.i386 3.6.23-13.el5_11 updates
samba3x-swat.i386 3.6.23-13.el5_11 updates
samba3x-winbind-devel.i386 3.6.23-13.el5_11 updates
[root@my-sme-server-8.2-32Bit ~]#
Domain logins now work again, in contrast to a test on June 19. :cool:
It is time to update this announcement: https://forums.contribs.org/index.php/topic,52402.0.html
Regards, turandot
-
It has been awhile since I studied SMB.
We are still using SMB version 1.
We also turn off signature and security in the SMB for our windows clients on each client using a reg edit file.
I do not know if this helps at all but it might be worth testing.
I will post our basic registry files for our windows XP sp3 clients later today.
-
We also turn off signature and security in the SMB for our windows clients on each client using a reg edit file.
I can't resist the urge, but I still do not get it why companies want to use Windows at all. (no Flame or war intended, genuinely surprised). There are TONS of desktop environments out there, especially when we're in the cloud age and browser age.
-
A simple fact of business. Most software businesses use is written for a Windows operating system.
As far as browsers go, most business webpages are written for Windows Internet Explorer, which I get pretty furious over them doing.
Also most utilities to do things are written for Windows only.
-
I am not going to say that SMB signing is the issue of the original poster. But I would start looking there after doing some reading.
There seems to be a lot of changing in the area of SMB signing from Microsoft.
Here a couple of links if it helps.
https://blogs.technet.microsoft.com/josebda/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2/
https://support.microsoft.com/en-us/kb/950876
We do not use device sharing on the WAN. We only share devices such as directories and files on the LAN.
Here are a couple of reg edits we make on each of our windows xp machines.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"EnableSecuritySignature"=dword:00000000
"RequireSecuritySignature"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"EnableSecuritySignature"=dword:00000000
"RequireSecuritySignature"=dword:00000000
-
If you are a Windows user please keep an eye on Greg's work on Samba 4 via the wiki/bug tracker
He will need lots of help testing it.
-
:sad: OFF TOPIC!
I can't resist the urge, but I still do not get it why companies want to use Windows at all. (no Flame or war intended, genuinely surprised). There are TONS of desktop environments out there, especially when we're in the cloud age and browser age.
It's because of established practices and integration of business products. Some examples: most lawyers use Word because most other lawyers use Word and due to Microsoft's stance/ineptitude/deliberate sabotage (not sure which, or all), the latest docx format still does not translate well in Open/Libre Office. Then they are using macro-integrated document templating systems that produce ready-to-fill-in forms that only work in MS Word. Often they are using macro-integrated Client management systems that only work with Word. There's no real alternative to the massive ecosystem around Word and Excel FOR THESE STANDARD TASKS.
Another example: one of our clients sells massively on Amazon. Amazon produces generated Excel spreadsheet files of sales and orders that are incompatible with Open/Libre Office, so we have had to supply Excel. And so it goes.
And then there's Exchange and its integrated calendaring. We don't use it, but many of our clients do, where secretaries are managing their boss's appointments etc. We've looked at all alternatives for years, there's nothing as good.
I detest Exchange, and I dumped Windows as a desktop 6 years ago, but I still need a virtual Windows to replicate client issues.
It's a damn shame but what do you do?
-
It's a damn shame but what do you do?
Keep pushing alternatives. I do with my clients. Just 'converted' a small team from M$ Outlook to Thunderbird, they love it.
It's the kick back in $$ that companies receive for 'knotting' their products into M$ products to create hugely profitable dependencies.
-
Keep pushing alternatives. I do with my clients. Just 'converted' a small team from M$ Outlook to Thunderbird, they love it.
Yes all our non Windows server clients are on Thunderbird. But Calendaring is not integrated so not applicable to Exchange users (yes we've looked at all the various options, still not 'integrated' as with Exchange)
It's the kick back in $$ that companies receive for 'knotting' their products into M$ products to create hugely profitable dependencies.
Not sure about that. Most small developers I know pay to get access to the MS ecosystem.
EG:
http://www.dpssoftware.co.uk/
http://www.sage.co.uk/
http://www.intuit.co.uk/
NOT ADVERTS! Just integration examples.
Disclosure: I was once a Sage developer, but have now recovered. All of these pay for access, and only work with the MS toolset.
I agree with you, and I have been trying to move everyone off for over twenty years, but life's too short.
However, 90% of our clients have some, or a lot, of Linux/BSD infrastructure and 40% no Windows server. The desktop ain't going to change quickly.
-
Yes all our non Windows server clients are on Thunderbird. But Calendaring is not integrated so not applicable to Exchange users (yes we've looked at all the various options, still not 'integrated' as with Exchange)
The SOGo contrib together with the lightning calendaring for Thunderbird does the job.
-
The SOGo contrib together with the lightning calendaring for Thunderbird does the job.
More than just the job ;-)
SOGo + Thunderbird + Lightning + sogo-connector + sogo-integrator + some scripts to auto configure everything using MCD makes a very good solution. I'm using this on several different sites and it's just magic. Nothing to configure, nothing to backup. Just log into a client station, run Thunderbird and TB is automatically configured, your mails/agenda/addressbooks are syncing. (Well, the only annoying thing is that you're asked for your password several times)
-
More than just the job :wink:
SOGo + Thunderbird + Lightning + sogo-connector + sogo-integrator + some scripts to auto configure everything using MCD makes a very good solution. I'm using this on several different sites and it's just magic. Nothing to configure, nothing to backup. Just log into a client station, run Thunderbird and TB is automatically configured, your mails/agenda/addressbooks are syncing. (Well, the only annoying thing is that you're asked for your password several times)
That's worth a detailed wiki page ;-)
-
More than just the job ;-)
SOGo + Thunderbird + Lightning + sogo-connector + sogo-integrator + some scripts to auto configure everything using MCD makes a very good solution. I'm using this on several different sites and it's just magic. Nothing to configure, nothing to backup. Just log into a client station, run Thunderbird and TB is automatically configured, your mails/agenda/addressbooks are syncing. (Well, the only annoying thing is that you're asked for your password several times)
I'll check it out. But getting people off Exchange (which they have barely mastered in the first place) will be like extracting winkles with a cotton bud :) But I'm happy to try.
And also, that doesn't address the system integration issues with other software... :(
-
And also, that doesn't address the system integration issues with other software... :(
Take a look at their commercial licences costs and conditions. There are alternatives for accounting, time management etc. at no licensing costs....
'Educate' your clients would be my motto.
-
Take a look at their commercial licences costs and conditions. There are alternatives for accounting, time management etc. at no licensing costs....
'Educate' your clients would be my motto.
Costs aren't the issue. Functionality is.
Cheers!
-
RequestedDeletion & others
Take a look at their commercial licences costs and conditions. There are alternatives for accounting, time management etc. at no licensing costs....
'Educate' your clients would be my motto.
Some of you guys seem ignorant of statutory lodgement requirements for various industries, including accounting & taxation, that require the use of officially approved software by the tax office & other government bodies. It depends what country you are in of course. These products are usually developed for the Windows workstation & server environments. I know of none that work on Linux or are developed for Linux. There is massive integration between functionality of these products & typically the Microsoft platform is chosen as the basis for integration eg specialised accounting applications use features of Office etc.
Nothing else available to purchase & any free or GNU options are not approved. So Linux & alternative "no licencing cost" software is not always a viable answer.
-
The topic is flying away .......
Any news about Samba Updates for Centos 5/Sme 8 ? In Centos 6/Sme 9 it seems solved.
-
The topic is flying away .......
Any news about Samba Updates for Centos 5/Sme 8 ? In Centos 6/Sme 9 it seems solved.
See posting by Charlie June 24th - https://access.redhat.com/errata/RHBA-2016:1294
Edit: update is in smeupdates-testing
-
Edit: update is in smeupdates-testing
?, could you please elaborate a bit more? thank you
-
https://bugs.contribs.org/show_bug.cgi?id=9448
When a bug is verified and fixed, it goes into testing
-
Bug was on upstream packages which aren't in our repos.. samba3x last release rpms are already available from upstream and installed on every updated server..
IOW, there's nothing in testing regarding this bug AFAIK
-
Fair enough.....