Hello,

with the upgrade from samba 4.6 to samba 4.8.2 our netapp storage system was not able to connect to the samba-domain-controller anymore. The samba-domain-controller said: schannel required but client failed to offer it. Client was INETAPP

"server schannel = auto" in the smb.conf solved the problem.

We reported this to netapp and got the answer that samba as a domain controller is not supported.

In the documentation of the smb.conf it is written: "server schannel" - If you have the need for the behavior of "auto" to be kept, please file a bug at https://bugzilla.samba.org

So here is my bug report, because we need "server schannel = auto" also in future versions of samba.

Thanks
It seems that VMWare View also has problems with this setting as we don't support "Security Context Multiplexing" yet, see (bug #7113). When "Security Context Multiplexing Supported" is supported it uses all modern features in NetrServerAuthenticate3(0x612fffff). If not (or if NetrServerAuthenticate3(0x612fffff) fails for some reason), it falls back to use short lived named pipes over SMB. A new named pipe handle and DCERPC bind per request! And NetrServerAuthenticate3() just uses 0x00004000.
(In reply to Stefan Metzmacher from comment #1) VMWare View was the trigger behind the fix for bug #10723...
(In reply to gizmo11 from comment #0) Would you be able to test 4.10.0rc1 in a lab in order to check if "server schannel = auto" is still needed?
(In reply to Stefan Metzmacher from comment #3) Right now I don't know how to do that without risking the functionality of our NetApp. If we do a test, then not before summer (July, August).
(In reply to Stefan Metzmacher from comment #3) We installed 4.10.8 and "server schannel = auto" is still needed for netapp.

[2019/09/08 16:09:29.305879, 0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [NETAPP] is not using schannel
[2019/09/08 16:09:29.508086, 0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [NETAPP] is not using schannel
[2019/09/08 16:09:59.257817, 0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [NETAPP] is not using schannel
[2019/09/08 16:09:59.451835, 0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [NETAPP] is not using schannel
[2019/09/08 16:10:13.392080, 0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [NETAPP] is not using schannel
[2019/09/08 16:10:13.616647, 0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [NETAPP] is not using schannel
[2019/09/08 16:10:13.925653, 0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [NETAPP] is not using schannel
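Added example, not part of any comment in this report and not Samba project code: a small Python script that scans a domain controller log for the "is not using schannel" entries quoted in comment #5 and reports which clients produce them, how often, and when. The function name, the sample log, the second client VIEWHOST and the unrelated entry are constructed for illustration.

```python
import re
from datetime import datetime

# Matches Samba's two-line log layout as well as the flattened one-line form.
ENTRY = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*\d+\]\s+"
    r"\S+\(dcesrv_netr_creds_server_step_check\)\s+"
    r"dcesrv_netr_creds_server_step_check: \[(?P<client>[^\]]+)\] is not using schannel"
)

# Constructed sample modelled on comment #5. VIEWHOST is a made-up client
# (logged in one-line form) and the other.c entry is unrelated noise.
SRC = "../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)"
MSG = "dcesrv_netr_creds_server_step_check: [{}] is not using schannel"
SAMPLE_LOG = "\n".join([
    f"[2019/09/08 16:09:29.305879,  0] {SRC}", "  " + MSG.format("NETAPP"),
    f"[2019/09/08 16:09:59.257817,  0] {SRC}", "  " + MSG.format("NETAPP"),
    f"[2019/09/08 16:10:02.000001,  0] {SRC} " + MSG.format("VIEWHOST"),
    "[2019/09/08 16:10:05.000002,  3] ../../example/other.c:1(other_function)",
    "  constructed unrelated entry",
    f"[2019/09/08 16:10:13.925653,  0] {SRC}", "  " + MSG.format("NETAPP"),
])


def clients_without_schannel(log_text):
    """Return {client: {"count", "first", "last"}} for rejected non-schannel clients."""
    seen = {}
    for m in ENTRY.finditer(log_text):
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
        rec = seen.setdefault(m["client"], {"count": 0, "first": ts, "last": ts})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return seen


if __name__ == "__main__":
    report = clients_without_schannel(SAMPLE_LOG)
    # Most frequent offenders first.
    for client, rec in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{client}: {rec['count']} entries, "
              f"first {rec['first']}, last {rec['last']}")
```

Run against the real log file, the list of clients shows which machines still depend on "server schannel = auto" and whether the entries stop after a Samba or client upgrade.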
(In reply to gizmo11 from comment #5) Can you please upload a network capture? See https://wiki.samba.org/index.php/Capture_Packets, we need all traffic from the client. If possible a capture against a Windows DC would be great in addition in order to see possible differences.
ontap version?
(In reply to trenta from comment #7) 8.2.5 7-Mode
Hi, now I'm testing 4.10.7 with ontap 9.1p13 cdot and it seems that it works, but I have to do more tests. I'll keep you informed.
With the last os-upgrade we made, NetApp told us, for 7-mode this will be the last one. They won't develop 7-mode anymore, only clustered mode.
Correct, 8.2 is an old version, out of support since 31-Jan-2019 https://mysupport.netapp.com/info/web/ECMP1147223.html
(In reply to trenta from comment #11) 31 January 2019 is for 8.2 clustered mode. 8.2 7-Mode has support till 31.12.2020, limited support even till 31.12.2022.
Hello, we are using a Netapp storage with CDOT 9.3 in clustered mode and the "server schannel = auto" directive is still needed.

Thanks
Giuseppe
Hi, please consider keeping server schannel = auto in future versions of Samba, NetApp Cluster Mode Release 9.3P6 still needs this directive.

Thanks
(In reply to rspecchio from comment #14) Can someone please let me know if this is still needed with samba >= 4.10.7 and >= 4.11.0? My hope is that https://bugzilla.samba.org/show_bug.cgi?id=13949 may have fixed this too.
(In reply to Stefan Metzmacher from comment #15) And if it is still needed I'd like to see network captures for when it fails and when it works. And a reference capture against a Windows DC would also be useful to see if samba has any missing feature or if this is just a client problem.
(In reply to Stefan Metzmacher from comment #16) Please notice that "server schannel = auto" or "server schannel = no" is very dangerous, see [CVE-2020-1472] [SECURITY] Samba impact of "ZeroLogin" https://bugzilla.samba.org/show_bug.cgi?id=14497
Hi, I can confirm that updating Samba solves the issue with Netapp fileserver. We updated to samba Version 4.11.17 and now the fileserver SVM based on Netapp Ontap 9.3 is working without setting server schannel = auto.

Thanks
Giuseppe
(In reply to Giuseppe Ravasio from comment #18) Awesome, thanks for confirming this!