Koozali.org: home of the SME Server

latest SAMBA YUM UPDATES gives NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

janet
bunkobugsy & pisaacs

Quote
....the upgrades to 9.1 seem to be working fine for me for my Windows XP and Windows 7 domain logons,

But this is a SME8.x forum, so your comments are not applicable here.
As Stefano says based on his tests, "....so for SME8.2 the issue is still present"
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

TerryF
The Red Hat errata announcement https://rhn.redhat.com/errata/RHBA-2016-0992.html

quote
Updated samba packages that fix regressions introduced by the last security
release are now available for Red Hat Enterprise Linux 6.
end quote

So Koozali SME9 should be updated..

Still to see any update for RH v5, covers Koozali SME8
--
qui scribit bis legit

pisaacs
bunkobugsy & pisaacs

But this is a SME8.x forum, so your comments are not applicable here.
As Stefano says based on his tests, "....so for SME8.2 the issue is still present"

My apologies, but this issue also affected 9.x, yet I can find no mention of it in the 9.x forums...

TerryF
My apologies, but this issue also affected 9.x, yet I can find no mention of it in the 9.x forums...

Keep watch :-)

janet
pisaacs
Quote
.....this issue also affected 9.x, yet I can find no mention of it in the 9.x forums...

It seems you missed seeing this thread
https://forums.contribs.org/index.php/topic,52404.15.html


ReetP
« Reply #36 on: June 16, 2016, 05:15:05 PM »
As a follow up to this I yesterday upgraded the samba packages on a v8.2

I have the following mounts in an Xubuntu 14.04 LTS desktop

//server/testbay /home/user/Mounts/testbay cifs credentials=/etc/samba/user,uid=1000,gid=500,sec=ntlmv2 0 0

After the upgrade/reboot I got mount errors on the client as follows:

/var/log/kern.log
xubuntu kernel: [22743.557463] CIFS VFS: Send error in SessSetup = -22
xubuntu kernel: [22743.557856] CIFS VFS: cifs_mount failed w/return code = -22
xubuntu kernel: [22743.574662] Status code returned 0xc000000d NT_STATUS_INVALID_PARAMETER

sudo mount -a gives:

mount error(22): Invalid argument
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

I remembered seeing that ntlmv2 was going to get deprecated/disused and had a note that I should probably move at some point to using

sec=krb5(i) or sec=ntlmssp(i)

I changed to ntlmssp and mounts are not working as before.

//server/general /home/user/Mounts/general cifs credentials=/etc/samba/user,uid=1000,gid=500,sec=ntlmssp 0 0


In this case it would not appear to be a direct issue with SME but with Xubuntu.

Server packages:

[root@server ~]# rpm -qa |grep samba
samba3x-winbind-3.6.23-12.el5_11
samba3x-3.6.23-12.el5_11
samba3x-client-3.6.23-12.el5_11
samba3x-common-3.6.23-12.el5_11
e-smith-samba-2.2.0-66.el5.sme

For those in a similar scenario I strongly suggest looking at the SSSD/LDAP pages on the wiki here https://wiki.contribs.org/Client_Authentication:Ubuntu_via_sssd/ldap. It's fairly easy to set up, and works really well.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation
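An added example, not part of the original post: a small audit of fstab text that reports the `sec=` mode of every CIFS entry, so clients still pinned to a mode outside the `krb5(i)` / `ntlmssp(i)` set named above can be found before a server update. The sample fstab is constructed from the two lines quoted in the post plus one entry with no `sec=` option; the function name and verdict labels are assumptions of this example.

```shell
# Constructed sample: the two fstab lines from the post, one entry without
# sec=, and one non-CIFS line that must be ignored.
SAMPLE_FSTAB='# constructed sample based on the entries quoted above
//server/testbay /home/user/Mounts/testbay cifs credentials=/etc/samba/user,uid=1000,gid=500,sec=ntlmv2 0 0
//server/general /home/user/Mounts/general cifs credentials=/etc/samba/user,uid=1000,gid=500,sec=ntlmssp 0 0
//server/nosec /home/user/Mounts/nosec cifs credentials=/etc/samba/user 0 0
/dev/sda1 / ext4 errors=remount-ro 0 1'

audit_cifs_sec() {
    # Reads fstab text on stdin; prints "<verdict> <mountpoint> sec=<value>".
    #   OK      sec= is one of krb5, krb5i, ntlmssp, ntlmsspi
    #   DEFAULT no sec= option, the client picks its own default
    #   REVIEW  any other explicit sec= value (for example ntlmv2)
    awk '
        /^[ \t]*#/ || NF < 4 { next }    # skip comments and short lines
        $3 != "cifs"         { next }    # only CIFS mounts are of interest
        {
            sec = "(unset)"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^sec=/) sec = substr(opts[i], 5)
            if (sec ~ /^(krb5|krb5i|ntlmssp|ntlmsspi)$/) verdict = "OK"
            else if (sec == "(unset)")                   verdict = "DEFAULT"
            else                                         verdict = "REVIEW"
            print verdict, $2, "sec=" sec
        }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_FSTAB" | audit_cifs_sec
```

On a real client the same function can be fed the live file with `audit_cifs_sec < /etc/fstab`.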

axessit
« Reply #37 on: June 20, 2016, 01:07:59 PM »
Just confirming this is still broken with Win8 and SME8.2. Did a full yum update yesterday only to find today the Win8 domain connected PCs were locked out as in original post.

Confirming Daniel b's yum downgrade worked. Just ran yum downgrade, restarted smb service, but alas I had to rejoin the PC to the domain.

Back to running Samba version 3.6.23.

BTW, I made a simple Samba users status panel for my previous server that works on this. I'll post in the Contribs forum.

CharlieBrady
« Reply #38 on: June 23, 2016, 03:18:05 PM »
Red Hat have at long last released samba-3x updates:

https://access.redhat.com/errata/RHBA-2016:1294

They should be available through centos mirrors soon.

turandot
« Reply #39 on: June 25, 2016, 03:36:36 PM »
I have just updated my SME 8.2 machine (32Bit):
Code:
[root@my-sme-server-8.2-32Bit ~]# yum list samba*
Loaded plugins: fastestmirror, protect-packages, smeserver
Loading mirror speeds from cached hostfile
 * base: centos.schlundtech.de
 * smeaddons: mirror.enpol-ict.net
 * smeextras: mirror.enpol-ict.net
 * smeos: mirror.enpol-ict.net
 * smeupdates: mirror.enpol-ict.net
 * updates: centos.bio.lmu.de
Excluding Packages from CentOS - os
Finished
Excluding Packages from CentOS - updates
Finished
Installed Packages
samba3x.i386                            3.6.23-13.el5_11               installed
samba3x-client.i386                     3.6.23-13.el5_11               installed
samba3x-common.i386                     3.6.23-13.el5_11               installed
samba3x-winbind.i386                    3.6.23-13.el5_11               installed
Available Packages
samba.i386                              3.0.33-3.41.el5_11             updates
samba-client.i386                       3.0.33-3.41.el5_11             updates
samba-common.i386                       3.0.33-3.41.el5_11             updates
samba-swat.i386                         3.0.33-3.41.el5_11             updates
samba3x-doc.i386                        3.6.23-13.el5_11               updates
samba3x-domainjoin-gui.i386             3.6.23-13.el5_11               updates
samba3x-swat.i386                       3.6.23-13.el5_11               updates
samba3x-winbind-devel.i386              3.6.23-13.el5_11               updates
[root@my-sme-server-8.2-32Bit ~]#
Domain logins now work again, in contrast to a test on June 19.  :cool:

It is time to update this announcement: https://forums.contribs.org/index.php/topic,52402.0.html

Regards, turandot

purvis
« Reply #40 on: June 25, 2016, 11:32:44 PM »
It has been a while since I studied SMB.
We are still using SMB version 1.
We also turn off signature and security in the SMB for our windows clients on each client using a reg edit file.
I do not know if this helps at all but it might be worth testing.
I will post our basic registry files for our windows XP sp3 clients later today. 
« Last Edit: June 25, 2016, 11:35:08 PM by purvis »

guest22
« Reply #41 on: June 25, 2016, 11:46:06 PM »
We also turn off signature and security in the SMB for our windows clients on each client using a reg edit file.


I can't resist the urge, but I still do not get it why companies want to use Windows at all. (no Flame or war intended, genuinely surprised). There are TONS of desktop environments out there, especially when we're in the cloud age and browser age.

purvis
« Reply #42 on: June 26, 2016, 08:23:56 PM »
A simple fact of business. Most software businesses use is written for a Windows operating system.
As far as browsers go, most business webpages are written for Windows Internet Explorer, which I get pretty furious over them doing.
Also most utilities to do things are written for Windows only.

purvis
« Reply #43 on: July 04, 2016, 10:17:11 AM »
I am not going to say that SMB signing is the issue of the original poster. But I would start looking there after doing some reading.
There seems to be a lot of change in the area of SMB signing from Microsoft.
Here are a couple of links if it helps.

https://blogs.technet.microsoft.com/josebda/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2/

https://support.microsoft.com/en-us/kb/950876


We do not use device sharing on the WAN. We only share devices such as directories and files on the LAN.
Here are a couple of reg edits we make on each of our windows xp machines.
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"EnableSecuritySignature"=dword:00000000
"RequireSecuritySignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"EnableSecuritySignature"=dword:00000000
"RequireSecuritySignature"=dword:00000000

« Last Edit: July 04, 2016, 10:19:25 AM by purvis »
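An added example, not part of the original post: a parser for `.reg` text that reports the state of the two SMB signing values under the `LanmanServer` and `LanmanWorkstation` keys shown above, useful for finding machines where signing has been switched off. It assumes the export has already been converted to ASCII/UTF-8 (regedit exports are normally UTF-16); the sample is a constructed variant of the posted file with one value set to 1, and the function name and output format are assumptions of this example.

```shell
# Constructed sample: same keys as the posted file, one value changed to 1
# so that both states appear in the output.
SAMPLE_REG='Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"EnableSecuritySignature"=dword:00000000
"RequireSecuritySignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"EnableSecuritySignature"=dword:00000001
"RequireSecuritySignature"=dword:00000000'

audit_smb_signing() {
    # Reads .reg text on stdin; prints "<role> <value-name> <state>" where
    # role is server (LanmanServer) or client (LanmanWorkstation).
    tr -d '\r' | awk '
        /^\[/ {
            # New key section: registry key names are case-insensitive.
            k = tolower($0); role = ""
            if (k ~ /\\lanmanserver\\parameters\]$/)      role = "server"
            if (k ~ /\\lanmanworkstation\\parameters\]$/) role = "client"
            next
        }
        role != "" && tolower($0) ~ /^"(enable|require)securitysignature"=dword:/ {
            split($0, kv, "=dword:")
            name = kv[1]; gsub(/"/, "", name)
            # A dword of all zeros means the setting is off.
            state = (kv[2] ~ /^0+$/) ? "disabled" : "enabled"
            print role, name, state
        }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_REG" | audit_smb_signing
```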

ReetP
« Reply #44 on: July 04, 2016, 10:28:51 AM »
If you are a Windows user please keep an eye on Greg's work on Samba 4 via the wiki/bug tracker

He will need lots of help testing it.