Regression on 4.3.8 upgrade: clients fail to connect

Bug #1573221 reported by Marco van Zwetselaar on 2016-04-21
This bug affects 12 people
Affects: samba (Ubuntu)
Importance: High
Assigned to: Ubuntu Security Team

Bug Description

Since the upgrade from 4.1.6 to 4.3.8 on our Samba domain controllers on Ubuntu 14.04, clients fail to connect. Tested with Windows 7, Windows Server 12 and Samba clients.

    $ smbclient -L dc01 -U Administrator
    session setup failed: NT_STATUS_OBJECT_NAME_NOT_FOUND

In the server logs I see:
    smbd[20632]: [2016/04/21 21:05:43.093606, 1] ../source3/smbd/sesssetup.c:281(reply_sesssetup_and_X_spnego)
    smbd[20632]: Failed to generate session_info (user and group token) for session setup: NT_STATUS_OBJECT_NAME_NOT_FOUND

The Windows clients cannot access shares and (quite critically) the RSAT tools such as ADUC can't be used to manage the domain.

May be related to bug #1572301 where issues from other client platforms are reported.

description: updated
Mike Rogers (neonpolaris) wrote :

I noticed that after the update to 4.3.8 my smbd would not run at all.

testparm gave me this:
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    WARNING: Ignoring invalid value 'share' for parameter 'security'
    Error loading services.

smbd would stay running with a barebones config, so I started trimming away at mine until it worked. It turns out that removing the line:
    security = share ;
fixed my problem, even though it was supposedly being ignored.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
Marco van Zwetselaar (zwets) wrote :

Attaching the smbd log file at debuglevel 10.

Marco van Zwetselaar (zwets) wrote :

Attaching smbclient debug output at log level 10

Marco van Zwetselaar (zwets) wrote :

I just downgraded back to 4.1.6, hoping to get our domain controllers operational again, but the samba-ad-dc service fails to start with: Unknown process model 'standard'.

In the smbd log file (attached) I note entries "msg: schema: metadata tdb not initialized at ../source4/dsdb/samdb/ldb_modules/schema_load.c:117". This seems to suggest a backwards-incompatible database change from 4.1.6 to 4.3.8 makes reverting impossible?

Is there a way to return to a working situation while this bug is being fixed? These are production domain controllers ...

agent_rocket (bernd-eg) wrote :

I had similar problems. Installing winbind and libnss-winbind seems to have fixed it. Before that, I tried upgrading to Ubuntu 16.04 and switching the DNS backend from bind9_flatfile to samba internal; maybe that helped as well.

Marco van Zwetselaar (zwets) wrote :

Confirming that installing winbind resolves the issue. Thank you @bernd-eg.

I would propose that winbind be upgraded to a Recommends rather than a Suggests for the Samba package.

tags: added: regression-update
Marc MAURICE (mmaurice) wrote :

Winbind already installed and I still have the problem.

We solved it by adding this in the global section of /etc/samba/smb.conf:

    client use spnego = no

Marco van Zwetselaar (zwets) wrote :

@mmaurice Have you checked that winbindd is actually running?

IIRC between 4.1 and 4.2 the parameter for winbindd in the 'server services =' line in /etc/samba/smb.conf changed from 'winbind' to 'winbindd'. This will have been picked up automatically if the line only had "+" and "-" entries, or was absent altogether. However if you explicitly specified the services, then if 'winbind' was there, you'll need to change it to 'winbindd'.
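
An added example, not part of any comment in this report: a small audit of the `[global]` section of smb.conf for the three settings raised above (`security = share`, an explicit `server services` list that still names `winbind`, and the `client use spnego = no` workaround). The finding codes, the function names and the sample configuration are constructed for illustration; the checks encode only what the commenters describe.

```python
import re

# Constructed sample smb.conf carrying the three settings discussed in this thread.
SAMPLE = """\
[global]
    realm = EXAMPLE.TEST
    Security = share
    server services = s3fs, rpc, nbt, ldap, kdc, drepl, winbind, kcc
    client use spnego = no
; client use spnego = yes
[netlogon]
    path = /srv/netlogon
"""

def parse_global(text):
    """Return {parameter: (line number, value)} for the [global] section."""
    params, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params[re.sub(r"\s+", "", name).lower()] = (lineno, value.strip())
    return params

def audit(text):
    """Return [(line number, finding code, message)] in check order."""
    p, out = parse_global(text), []
    # Compare the first token only, so a trailing ' ;' as quoted above still matches.
    if "security" in p and p["security"][1].lower().split()[:1] == ["share"]:
        out.append((p["security"][0], "security-share",
                    "testparm reports 'share' as invalid for 'security'"))
    if "serverservices" in p:
        lineno, value = p["serverservices"]
        names = [t for t in re.split(r"[,\s]+", value.lower()) if t]
        explicit = any(t[0] not in "+-" for t in names)  # not only +/- entries
        if explicit and "winbind" in names:
            out.append((lineno, "winbind-service-name",
                        "explicit 'server services' lists 'winbind', not 'winbindd'"))
    if "clientusespnego" in p:
        lineno, value = p["clientusespnego"]
        if value.lower() in ("no", "false", "0", "off"):
            out.append((lineno, "spnego-disabled",
                        "'client use spnego = no' workaround is still set"))
    return out

if __name__ == "__main__":
    for lineno, code, msg in audit(SAMPLE):
        print(f"smb.conf:{lineno}: [{code}] {msg}")
```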

Joel Ferris (3-joel) wrote :

Adding winbind is not a fix. I use samba at the most basic level, and the last thing I want to do is add more dependencies to it to patch broken basic functionality.

Changed in samba (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
importance: Undecided → High
Chris Puttick (cputtick) wrote :

Have tried both workarounds listed above, doesn't appear to resolve the issue. Setting client use spnego = no does change the error message though, from:

    NT_STATUS_OBJECT_NAME_NOT_FOUND

to

    NT_STATUS_INVALID_PARAMETER

Chris Puttick (cputtick) wrote :

Update: can confirm installing winbind works, but has to be all DCs and must restart samba-ad-dc afterwards.

NB currently remote testing only so no Windows tests; however per server testing with

    smbclient -L ip.add.re.ss -U <test user>

works where, before adding winbind and restarting samba-ad-dc, it fails

Marc Deslauriers (mdeslaur) wrote :

Today's Samba update may contain the fix for this issue:

http://www.ubuntu.com/usn/usn-2950-2/

Could the original bug reporter please test the update and comment here? Thanks!

Nahuel (nahueljose) wrote :

Not the original bug reporter, but I can confirm that I can now access shares on Windows 7 servers. It prompted for a password (even though the Windows machines are set up to not ask for credentials), but entering my password for my own system worked. Shared printers are working again too.

Thanks!

Not the original reporter either, but I can confirm that my Win7+ and Ubuntu clients can access shares on my Samba file servers after this update was applied.

Marco van Zwetselaar (zwets) wrote :

Original reporter here: the issue is resolved, with the qualification that at my site (AD configuration) this required the installation of winbind. Installing winbind was necessary and sufficient to resolve the issue both in 4.3.8 and 4.3.9.

Marc Deslauriers (mdeslaur) wrote :

Yes, installing winbind is now required in more scenarios than before when using 4.3.x.

Thanks for reporting back. I am going to mark this bug as being fixed.

If anyone is still experiencing issues, please file a new bug. Thanks.

Changed in samba (Ubuntu):
status: Confirmed → Fix Released