Bug 13464 - smb.conf-configuration "server schannel = auto" needed in future versions
Summary: smb.conf-configuration "server schannel = auto" needed in future versions
Status: NEEDINFO
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All All
Importance: P5 critical
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-06 11:14 UTC by gizmo11
Modified: 2020-12-23 08:01 UTC
CC List: 3 users

See Also:


Attachments

Description gizmo11 2018-06-06 11:14:38 UTC
Hello,
With the upgrade from Samba 4.6 to Samba 4.8.2 our NetApp storage system was not able to connect to the Samba domain controller anymore. The Samba domain controller said:

schannel required but client failed to offer it. Client was INETAPP

"server schannel = auto" in the smb.conf solved the problem.
We reported this to NetApp and got the answer that Samba as a domain controller is not supported.

In the documentation of smb.conf it is written:
"server schannel" - If you have the need for the behavior of "auto" to be kept, please file a bug at https://bugzilla.samba.org

So here is my bug report, because we need "server schannel = auto" also in future versions of Samba.

Thanks
Comment 1 Stefan Metzmacher 2018-10-02 14:08:07 UTC
It seems that VMware View also has problems with this setting,
as we don't support "Security Context Multiplexing" yet,
see bug #7113.

When "Security Context Multiplexing Supported" is supported,
it uses all modern features in NetrServerAuthenticate3(0x612fffff).

If not (or if NetrServerAuthenticate3(0x612fffff) fails for some reason),
it falls back to using short-lived named pipes over SMB.
A new named pipe handle and DCERPC bind per request!
And NetrServerAuthenticate3() just uses 0x00004000.
Comment 2 Stefan Metzmacher 2018-10-02 14:09:06 UTC
(In reply to Stefan Metzmacher from comment #1)

VMWare View was the trigger behind the fix for bug #10723...
Comment 3 Stefan Metzmacher 2019-01-24 12:37:41 UTC
(In reply to gizmo11 from comment #0)

Would you be able to test 4.10.0rc1 in a lab in order to
check if "server schannel = auto" is still needed?
Comment 4 gizmo11 2019-01-25 08:02:37 UTC
(In reply to Stefan Metzmacher from comment #3)
Right now I don't know how to do that without risking the functionality of our NetApp.
If we do a test, then not before summer (July, August).
Comment 5 gizmo11 2019-09-08 14:26:29 UTC
(In reply to Stefan Metzmacher from comment #3)

We installed 4.10.8 and "server schannel = auto" is still needed for
NetApp.

[2019/09/08 16:09:29.305879,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [NETAPP] is not using schannel
[2019/09/08 16:09:29.508086,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [NETAPP] is not using schannel
[2019/09/08 16:09:59.257817,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [NETAPP] is not using schannel
[2019/09/08 16:09:59.451835,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [NETAPP] is not using schannel
[2019/09/08 16:10:13.392080,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [NETAPP] is not using schannel
[2019/09/08 16:10:13.616647,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [NETAPP] is not using schannel
[2019/09/08 16:10:13.925653,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [NETAPP] is not using schannel
Comment 6 Stefan Metzmacher 2019-09-08 17:15:27 UTC
(In reply to gizmo11 from comment #5)

Can you please upload a network capture?
See https://wiki.samba.org/index.php/Capture_Packets,
we need all traffic from the client.
If possible a capture against a Windows DC would be great
in addition in order to see possible differences.
Comment 7 trenta 2019-09-09 06:36:38 UTC
ONTAP version?
Comment 8 gizmo11 2019-09-09 07:08:50 UTC
(In reply to trenta from comment #7)
8.2.5 7-Mode
Comment 9 trenta 2019-09-09 07:22:48 UTC
Hi,

now I'm testing 4.10.7 with ONTAP 9.1P13 cDOT and it seems to work, but I have to do more tests.

I'll keep you informed.
Comment 10 gizmo11 2019-09-09 08:31:06 UTC
With the last OS upgrade we made, NetApp told us that for 7-Mode this will be the last one. They won't develop 7-Mode anymore, only clustered mode.
Comment 11 trenta 2019-09-09 08:40:35 UTC
Correct, 8.2 is an old version, out of support since 31-Jan-2019.

https://mysupport.netapp.com/info/web/ECMP1147223.html
Comment 12 gizmo11 2019-09-09 08:49:59 UTC
(In reply to trenta from comment #11)
31 January 2019 is for 8.2 clustered mode.
8.2 7-Mode has support till 31.12.2020, limited support even till 31.12.2022.
Comment 13 Giuseppe Ravasio 2019-11-04 16:06:57 UTC
Hello, 
we are using a NetApp storage with cDOT 9.3 in clustered mode and the "server schannel = auto" directive is still needed.

Thanks
Giuseppe
Comment 14 rspecchio 2019-11-13 16:30:44 UTC
Hi,
please consider keeping server schannel = auto in future versions of Samba; NetApp Cluster Mode Release 9.3P6 still needs this directive.

Thanks
Comment 15 Stefan Metzmacher 2019-11-14 10:39:30 UTC
(In reply to rspecchio from comment #14)

Can someone please let me know if this is still needed with

Samba >= 4.10.7 and >= 4.11.0?

My hope is that https://bugzilla.samba.org/show_bug.cgi?id=13949 may have fixed this too.
Comment 16 Stefan Metzmacher 2019-11-14 10:47:46 UTC
(In reply to Stefan Metzmacher from comment #15)

And if it is still needed I'd like to see network captures
for when it fails and when it works. A reference capture
against a Windows DC would also be useful to see if Samba has any missing feature
or if this is just a client problem.
Comment 17 Stefan Metzmacher 2020-09-16 10:11:37 UTC
(In reply to Stefan Metzmacher from comment #16)

Please note that "server schannel = auto" or "server schannel = no"
is very dangerous, see
[CVE-2020-1472] [SECURITY] Samba impact of "ZeroLogon"
https://bugzilla.samba.org/show_bug.cgi?id=14497
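The warning above (and the log lines quoted in comment 5) suggest a practical check before removing "server schannel = auto" from a DC: find out which computer accounts are still talking NETLOGON without schannel, and restrict any exception to exactly those accounts instead of disabling the check globally. The script below is an added example and not part of this bug or of Samba's own code. It parses the two message formats quoted in this bug, flags a global "server schannel = auto|no" in smb.conf, and renders a per-account "server require schannel:ACCOUNT$ = no" exception (that option is documented in smb.conf(5) for Samba 4.8 and later; verify the exact spelling and the trailing "$" against the manpage of the version you run). The sample log lines and smb.conf fragment are constructed for the example, and the host names VIEW01/LEGACY01 are made up.

```python
import re
from collections import Counter

# Constructed sample log text modelled on the two messages quoted in this bug:
# the 4.8-era "schannel required but client failed to offer it" line and the
# 4.10-era "dcesrv_netr_creds_server_step_check: [NAME] is not using schannel" line.
SAMPLE_LOG = """\
[2019/09/08 16:09:29.305879,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [NETAPP] is not using schannel
[2019/09/08 16:09:29.508086,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [NETAPP] is not using schannel
schannel required but client failed to offer it. Client was INETAPP
schannel required but client failed to offer it. Client was VIEW01
[2019/09/08 16:10:13.925653,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:635(dcesrv_netr_creds_server_step_check)
  dcesrv_netr_creds_server_step_check: [VIEW01] is not using schannel
"""

# Constructed smb.conf fragment showing the weak global setting this bug asked for.
WEAK_SMB_CONF = """\
[global]
        workgroup = EXAMPLE
        server role = active directory domain controller
        server schannel = auto
"""

PATTERNS = [
    re.compile(r"\[(?P<acct>[^\]]+)\] is not using schannel"),
    re.compile(r"schannel required but client failed to offer it\. Client was (?P<acct>\S+)"),
]

SERVER_SCHANNEL = re.compile(r"^\s*server schannel\s*=\s*(?P<val>\S+)", re.IGNORECASE | re.MULTILINE)


def find_non_schannel_clients(log_text):
    """Count, per computer name, NETLOGON calls the DC saw without schannel."""
    counts = Counter()
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                counts[m.group("acct").upper()] += 1
                break
    return counts


def global_server_schannel(conf_text):
    """Return the global 'server schannel' value (lowercased) or None if unset.

    Samba's default is 'yes'; 'auto' and 'no' disable the protection that
    CVE-2020-1472 (Zerologon) relies on, so the caller should treat them as weak.
    """
    m = SERVER_SCHANNEL.search(conf_text)
    return m.group("val").lower() if m else None


def render_exceptions(counts):
    """Render a hardened [global] block: schannel required, with explicit
    per-machine-account exceptions only for the clients actually observed.

    Assumption (check smb.conf(5) for your version): the exception key is the
    machine account name, i.e. the computer name with a trailing '$'.
    """
    lines = ["[global]", "        server schannel = yes"]
    for name in sorted(counts):
        lines.append(f"        # {counts[name]} non-schannel NETLOGON call(s) seen in the log")
        lines.append(f"        server require schannel:{name}$ = no")
    return "\n".join(lines)


if __name__ == "__main__":
    weak = global_server_schannel(WEAK_SMB_CONF)
    if weak in ("auto", "no"):
        print(f"WARNING: global 'server schannel = {weak}' disables the Zerologon hardening")
    seen = find_non_schannel_clients(SAMPLE_LOG)
    print("clients without schannel:", dict(seen))
    print(render_exceptions(seen))
```

The exception block is meant as a temporary, auditable allow-list: every entry is tied to a machine account you can name and a log count you can justify, and "server schannel = yes" stays in force for everything else. Once a client is fixed or replaced (as comment 18 reports for ONTAP 9.3 with Samba 4.11.17), its line can be dropped.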
Comment 18 Giuseppe Ravasio 2020-12-22 14:47:27 UTC
Hi, 
I can confirm that updating Samba solves the issue with the NetApp fileserver.
We updated to Samba version 4.11.17 and now the fileserver SVM based on NetApp ONTAP 9.3 is working without setting
server schannel = auto

Thanks
Giuseppe
Comment 19 Andrew Bartlett 2020-12-23 08:01:38 UTC
(In reply to Giuseppe Ravasio from comment #18)
Awesome, thanks for confirming this!