After Yum Upgrade - Shares no more accessible

Did you also try

YourUser,domain=YourDomain

for example

michael,domain=michaelsDomain.local

To those who found issues: what about your DCs? Do you have the legacy ntlm auth = yes setting?

grep -R ntlm /var/lib/machines/nsdc/etc/samba/

no ansswer from this command
should i have it in the global section of the smb.conf?

No, but those who upgraded from ns6 could have it… (ref https://docs.nethserver.org/en/v7/upgrade.html#smb-access)

same here @davidep.

no ntlm auth in smb config files (but I never upgraded from 6 to 7. Mine is a native 7 installation).

Thanks for the feedback. Could you provide some log files?

Please, follow these steps: https://wiki.samba.org/index.php/Client_specific_logging

Then send me back the log file by uploading it to https://nethservice.nethesis.it/nextcloud/index.php/s/yi9JTxo8GHCeFqG

@davidep

Nope. I returned to nightly backups.

It’s server in production and today it’s my last work day before holidays with family.
Sorry

1 Like

i willl prepere it

1 Like

Just for the record, this is the latest Samba bugfix released by CentOS

https://access.redhat.com/errata/RHBA-2019:1875

Bugzilla references are not publicly accessible:

I did as mentioned
The Logfiles will be created but they stay empty ?

/var/lib/machines/nsdc/etc/samba/smb.conf: ntlm auth = ntlmv1-permitted

So the ns6 upgrade condition (or any manual legacy ntlm setup) is not relevant.

Hi @allefm are you still experiencing this issue?

Could you try to connect the domain controller IP instead?

Let’s increase the debugging level to 10, too…

smbclient -d10 -U pks@dundaga.lv -L <DC_IP_ADDRESS_>
1 Like

done
retudns (what does this mean?):


Starting GENSEC submechanism gse_krb5
Cannot do GSE to an IP address
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
negotiate: struct NEGOTIATE_MESSAGE
Signature : ‘NTLMSSP’
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x62088215 (1644724757)

I don’t know!

Please attach the complete command output.

INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
Processing section “[global]”
doing parameter workgroup = DOMAIN
doing parameter server string = NethServer 7.6.1810 final (Samba %v)
doing parameter security = ADS
doing parameter realm = DOMAIN.MY.DOM
doing parameter kerberos method = secrets and keytab
doing parameter password server = *
doing parameter netbios name = MY-DC
Processing section “[global]”
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter deadtime = 10080
doing parameter netbios aliases =
doing parameter wins server =
doing parameter remote announce =
doing parameter remote browse sync =
doing parameter map to guest = Bad User
doing parameter obey pam restrictions = yes
doing parameter acl allow execute always = True
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 10000-99999
doing parameter idmap config INSTITUT : backend = nss
doing parameter idmap config INSTITUT : range = 200000-2147483647
doing parameter inherit owner = yes
doing parameter full_audit:prefix = smbauditlog|%T|%u|%I|%S|%U
doing parameter full_audit:success = read write open unlink mkdir rmdir rename chmod
doing parameter full_audit:failure = read write open unlink mkdir rmdir rename chmod
doing parameter full_audit:facility = LOCAL7
doing parameter full_audit:priority = INFO
Processing section “[global]”
pm_process() returned Yes
lp_servicenumber: couldn’t find homes
added interface br0 ip=192.168.0.xxx bcast=192.168.0.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]=“MY-DC”
Client started (version 4.8.3).
Connecting to 192.168.0.xxx at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 1061296
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
session request ok
negotiated dialect[SMB3_11] against server[192.168.0.xxx]
got OID=1.2.840.48018.1.2.2
Enter myuser@domain.my.dom’s password:
GENSEC backend ‘gssapi_spnego’ registered
GENSEC backend ‘gssapi_krb5’ registered
GENSEC backend ‘gssapi_krb5_sasl’ registered
GENSEC backend ‘spnego’ registered
GENSEC backend ‘schannel’ registered
GENSEC backend ‘naclrpc_as_system’ registered
GENSEC backend ‘sasl-EXTERNAL’ registered
GENSEC backend ‘ntlmssp’ registered
GENSEC backend ‘ntlmssp_resume_ccache’ registered
GENSEC backend ‘http_basic’ registered
GENSEC backend ‘http_ntlm’ registered
GENSEC backend ‘http_negotiate’ registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Cannot do GSE to an IP address
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
negotiate: struct NEGOTIATE_MESSAGE
Signature : ‘NTLMSSP’
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x62088215 (1644724757)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ‘’
WorkstationLen : 0x0000 (0)
WorkstationMaxLen : 0x0000 (0)
Workstation : *
Workstation : ‘’
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
gensec_update_send: ntlmssp[0x55af21805a60]: subreq: 0x55af21806030
gensec_update_send: spnego[0x55af21802600]: subreq: 0x55af218051b0
gensec_update_done: ntlmssp[0x55af21805a60]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55af21806030/…/auth/ntlmssp/ntlmssp.c:181]: state[2] error[0 (0x0)] state[struct gensec_ntlmssp_update_state (0x55af218061c0)] timer[(nil)] finish[…/auth/ntlmssp/ntlmssp.c:215]
gensec_update_done: spnego[0x55af21802600]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55af218051b0/…/auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x55af21805340)] timer[(nil)] finish[…/auth/gensec/spnego.c:2070]
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
gensec_update_send: ntlmssp[0x55af21805a60]: subreq: 0x55af218178b0
gensec_update_send: spnego[0x55af21802600]: subreq: 0x55af21804e80
gensec_update_done: ntlmssp[0x55af21805a60]: NT_STATUS_OK tevent_req[0x55af218178b0/…/auth/ntlmssp/ntlmssp.c:181]: state[2] error[0 (0x0)] state[struct gensec_ntlmssp_update_state (0x55af21817a40)] timer[(nil)] finish[…/auth/ntlmssp/ntlmssp.c:222]
gensec_update_done: spnego[0x55af21802600]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55af21804e80/…/auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x55af21805010)] timer[(nil)] finish[…/auth/gensec/spnego.c:2070]
SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
session setup failed: NT_STATUS_LOGON_FAILURE

Could you post the issued command?

It seems the user name syntax is not in DOMAIN\user format. Ensure special backslash character is either escaped or protected by single quotes correctly. Please run

smbclient -L <DC_IP_ADDRESS> -U 'DOMAIN\user' -d10

Then try with the file server (NethServer) IP address

smbclient -L <FILESERVER_IP_ADDRESS> -U 'DOMAIN\user' -d10
1 Like

do you have a posebility for secure upload for your eys only ?

The first upload link has probably expired. Please try with this one!

https://nethservice.nethesis.it/nextcloud/index.php/s/xBx5yggxjqMmk7n

done
both ends with

session setup failed: NT_STATUS_LOGON_FAILURE