Hi
Suddenly a lot of our W11 clients can't login to samba domain on ClearOs7.
The message displayed is "Trust relationship failed...". Removing / re-adding to domain doesn't help - we can re-add but after re-adding the message displayed is still "Trust relationship failed...".
Our standard reg file for W11 clients is:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netlogon\parameters]
"DisablePasswordChange"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLinkedConnections"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
"\\\\*\\NETLOGON"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
"\\\\*\\SYSVOL"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
"\\\\CITIZEN\\netlogon"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
The culprit might be one of latest W11 updates as everything was fine for years.
Any help will be greatly appreciated.
Responses (22)
-
Accepted Answer
Nick Howitt wrote:
I had a quick look at Zentyal but it looks like it runs a full AD/DC if you want Samba file sharing and Samba recommend you do not use an AD/DC as a file server.
ZonderMet wrote:
[quote]tomas wrote:
We will probably move to Univention or Nethserver at some point, might be soon if we can't find a solution to the samba issue.
Note that Nethserver 8 will be an app server. More comparable to a Synology or QNAP NAS. Not a real gateway with firewall.
So far Zentyal served me reasonably well. Univention didn't like my old server. So I didn't really check it out.
I'll be splitting out my firewall and file server onto different machines, but I'll keep going with ClearOS for the moment patching it when needed.[/quote]
Nethserver looks the same as COS7 in structure and packages.
Nethserver 8 is still in beta and needs some months to have a stable version and the required packages. And as Nick mentioned, no firewall or good gateway.
I'm moving my server to a VM and splitting the packages I'm using into different VMs, and trying to use COS as little as possible.
Only as gateway with firewall and mail server.
When a good software package comes along I'll move onto it.
For the meantime I keep running COS7 despite there being no updates and some vulnerabilities.
I've given up hope that there will be a new release.
-
Accepted Answer
ZonderMet wrote:
I had a quick look at Zentyal but it looks like it runs a full AD/DC if you want Samba file sharing and Samba recommend you do not use an AD/DC as a file server.
tomas wrote:
We will probably move to Univention or Nethserver at some point, might be soon if we can't find a solution to the samba issue.
Note that Nethserver 8 will be an app server. More comparable to a Synology or QNAP NAS. Not a real gateway with firewall.
So far Zentyal served me reasonably well. Univention didn't like my old server. So I didn't really check it out.
I'll be splitting out my firewall and file server onto different machines, but I'll keep going with ClearOS for the moment patching it when needed. -
Accepted Answer
tomas wrote:
We will probably move to Univention or Nethserver at some point, might be soon if we can't find a solution to the samba issue.
Note that Nethserver 8 will be an app server. More comparable to a Synology or QNAP NAS. Not a real gateway with firewall.
So far Zentyal served me reasonably well. Univention didn't like my old server. So I didn't really check it out. -
Accepted Answer
It's been more than 4 weeks and no patch yet from ClearOS. I'm thinking this is not going to happen. We will probably move to Univention or Nethserver at some point, might be soon if we can't find a solution to the samba issue.
The patch is a few lines to change in two files then samba needs recompiling
Got the patch. Can it be safely applied to mainstream CentOS 'samba-4.10.16-24.el7_9.x86_64.rpm' and then that installed? If not, how would we get the source rpm for the samba 4.10.16 that ClearOS 7.9 runs?
An update:
running "yumdownloader --source samba"
returns "No source RPM found for...[multiple packages]" and "Nothing to download".
Managed to get a copy of compiled rpm by running "yumdownloader samba". Will keep it as backup.
My main question still remains:
Can the patch be safely applied to mainstream CentOS 'samba-4.10.16-24.el7_9.x86_64.rpm'?
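One way to find out whether the patch applies to the CentOS package is to register it in the SRPM's spec file and run the %prep stage before a full rebuild. The script below is an added example, not code from the thread or from the Samba or ClearOS projects; it assumes the spec declares patches as "PatchN:" lines and applies them with either %autosetup or %setup plus explicit "%patchN -p1" lines, and the SRPM and patch file names at the end are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba/ClearOS projects): register a
# patch in a CentOS 7 samba SRPM spec and rebuild. Assumes "PatchN:" declarations
# and either %autosetup (patches applied automatically) or %setup + "%patchN -p1".
set -eu

# insert_after FILE REGEX LINE: insert LINE after the last line of FILE matching REGEX.
insert_after() {
    awk -v re="$2" -v ins="$3" '
        { lines[NR] = $0; if ($0 ~ re) last = NR }
        END { for (i = 1; i <= NR; i++) { print lines[i]; if (i == last) print ins } }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# add_patch_to_spec SPEC PATCHFILE: declare PATCHFILE as the next free PatchN (after
# the last existing one, or after Source0 if there is none) and, unless %autosetup
# applies patches for us, add a matching "%patchN -p1" to %prep. Prints N.
add_patch_to_spec() {
    spec=$1 patch=$2
    last=$(sed -nE 's/^Patch([0-9]+):.*/\1/p' "$spec" | sort -n | tail -n 1)
    n=$(( ${last:--1} + 1 ))
    if [ -n "$last" ]; then
        insert_after "$spec" "^Patch${last}:" "Patch${n}: ${patch}"
    else
        insert_after "$spec" '^Source0:' "Patch${n}: ${patch}"
    fi
    if ! grep -q '^%autosetup' "$spec"; then
        if grep -qE '^%patch[0-9]+' "$spec"; then
            insert_after "$spec" '^%patch[0-9]+' "%patch${n} -p1"
        else
            insert_after "$spec" '^%setup' "%patch${n} -p1"
        fi
    fi
    echo "$n"
}

# rebuild_srpm SRPM PATCHFILE: unpack the source RPM into ~/rpmbuild (the EL7 default
# %_topdir), register the patch and rebuild. The %prep-only run (-bp) shows whether
# the patch applies cleanly to 4.10.16 before committing to the full build.
rebuild_srpm() {
    rpm -ivh "$1"
    cp "$2" "$HOME/rpmbuild/SOURCES/"
    add_patch_to_spec "$HOME/rpmbuild/SPECS/samba.spec" "$(basename "$2")"
    rpmbuild -bp "$HOME/rpmbuild/SPECS/samba.spec"
    rpmbuild -bb "$HOME/rpmbuild/SPECS/samba.spec"   # run "yum-builddep samba.spec" first
}

# Usage (both file names are placeholders):
#   rebuild_srpm samba-4.10.16-24.el7_9.src.rpm samba-bug15418-backport.patch
```

The rebuilt binary RPMs land in ~/rpmbuild/RPMS; keep the downloaded original package as a rollback before installing them.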
-
Accepted Answer
ZonderMet wrote:
notmycupoftea wrote:
So we shouldn't count on a fix for Samba 4.10 on ClearOS 7?
(My experience in Linux is close to 0, but have clients running the setup described above)
They could do that. But I find it very unlikely that COS is going to do anything, except saying there will be a fix (and everything is alright and they are live and kicking making updates and new releases)
Michael won't do business with me as he says he can't trust me because I won't say who out of Clearcenter's former employees I am in contact with, which, to me, is personal information.
It looks like trust is a one way thing when Clearcenter give out answers like:
tomas wrote:
Heard back from support. Was told:
We plan on having a fix for the issue, but until then we recommend uninstalling the problematic update within Windows.
yet, as far as I know, they have no ClearOS Server developers, their build system is broken because of their cluster failure a few weeks ago and they have no way of signing or distributing rpms to the repos, so no way of providing updates. The patch is a few lines to change in two files then samba needs recompiling and distributing. -
Accepted Answer
notmycupoftea wrote:
So we shouldn't count on a fix for Samba 4.10 on ClearOS 7?
(My experience in Linux is close to 0, but have clients running the setup described above)
They could do that. But I find it very unlikely that COS is going to do anything, except saying there will be a fix (and everything is alright and they are live and kicking making updates and new releases) -
Accepted Answer
I'd love to hear how they plan on having a fix when they haven't done any updates since the end of last July despite having critical vulnerability issues on Apache/httpd, the Webconfig and ClamAV. Added to which, the route to the repos was always through their build system and their core cluster. The core cluster went down three or four weeks ago and, to my knowledge, has not been fixed. The build system certainly is not working now so I've no idea how they are going to fulfil that commitment they made to you. -
Accepted Answer
The path moving forward over the next week is a pretty obvious one for me
Start with all 3 Kodi Boxes, add a local admin and username account matching the kodi account on COS, remove them from the domain, set the profiles back up and let them run normally as a work group PC, then move to the wife and my laptops, those will suck but it is what it is.
Sunday, remove the DC functionality from COS, remove the windows update block and that should reduce the workload of building a new entire infrastructure.
Nick, thanks for the candor.
-
Accepted Answer
If support were to suggest to you to remove KB5028166 without any expectation of fixing samba, then I would say it was irresponsible but then you are between a rock and a hard place.
That's what I was told by ClearOS support. Got back to them saying this is not good enough... Will post their reply once I get it.
-
Accepted Answer
ClearOS is fine for user management. The Samba domain is subservient to it. I still use ClearOS but just for simple file sharing.
My fundamental issue is with using any NT4 type of domain. Windows last used it in SBS2003 which has been EoL for something like 10 years. Micro$oft don't particularly care about continuing support for it. About 3 years ago they broke it for new installations and took > 9 months to fix it. Samba are slowly removing support for NT4 domains. I can't remember which version started having support removed but it was >= 4.16. ClearOS uses an NT4 domain.
Anyone still using an NT4 domain needs to watch their back in case M$ sticks a knife in it and you won't get any sympathy from them.
If anyone blocks M$ updates and removes KB5028166, I can understand it as a short term solution if you are waiting for a fix to ClearOS, but I don't see a fix coming. You are then not only running an insecure server, but now all your workstations become insecure as well. If support were to suggest to you to remove KB5028166 without any expectation of fixing samba, then I would say it was irresponsible but then you are between a rock and a hard place.
If you want a domain, then you really should be going for Active Directory. NT4 is past its sell-by date.
FWIW, I have managed to massage the bugfix in the thread you linked to into the upstream samba package, but I don't need it so have not tested it. -
Accepted Answer
Nick Howitt wrote:
I think there are some misconceptions here.
ClearOS7/Centos7/Redhat EL7 would never go to samba 4.16 or later, but Redhat may choose to back-port patches into 4.10.16. That is how they have always operated. In any case 4.16, 4.17 and 4.18 all had the same issue until patched this weekend.
If Redhat do backport any fix, Centos will get it.
ClearOS, as it has not been maintained since the end July last year, will not be getting any fix. Moreover, the system failure at Clearcenter has not been fixed so the build system is dead and the route to the repos has gone until the cluster is fixed.
A fix has been released by the samba team for later versions of samba and someone has backported it into EL7 running samba-4.10.16, presumably self-compiled, with a few tweaks so there is a chance that Redhat will backport the fix, but ClearOS will not get it unless things change radically.
Why does anyone pay for ClearOS? Well, anti-spam and anti-malware updates still work as do a few other services. If you have paid apps and need to reinstall or install any new apps, you will need your subscription. You may be lucky with basic support tickets. Otherwise there is little point. You are not getting the secure product you have paid for or the support.
If you keep going with ClearOS, you should be aware that there is a critical security vulnerability in ClamAV, the anti-virus package, which is used by the Gateway AntiVirus/Proxy, File Scanner and Email Antivirus engine, and another critical vulnerability in the Webserver/Webconfig apps and the ProxyPass app. The exploit for ClamAV is trivial to trigger. The conditions for the exploit for the webconfig to be triggered are there in the webconfig configuration, I believe, and may also be there for the ProxyPass app. The Webserver vulnerability depends on how you use it. There are a whole host of other important and lower rated CVEs (Common Vulnerabilities and Exposures) which have not been fixed in ClearOS.
You also need to bear in mind that any potential for updating Clearos7 disappears in July 2024 and, from then on, there can never be any fixes as EL7 and Centos7 go EoL then and become unmaintained. If this sort of problem were to happen then, you'd be totally on your own.
I woke to this issue Wednesday morning, every Windows device in my house was unable to connect, due to a domain trust error, after a bit of TSing I uninstalled the update and blocked Windows Update at the protocol level on my clear box.
That being said and from what I'm reading here, it's your recommendation we no longer use COS as a domain controller for device and user management? I'll be honest this has been a great product for me and some of the organizations I support, may need to rethink how I proceed moving forward as it's pretty clear we won't have a fix and the band aid I implemented will come back to haunt me soon enough.
FYI the original thread that started all this can be found here.
https://bugzilla.samba.org/show_bug.cgi?id=15418 -
Accepted Answer
I think there are some misconceptions here.
ClearOS7/Centos7/Redhat EL7 would never go to samba 4.16 or later, but Redhat may choose to back-port patches into 4.10.16. That is how they have always operated. In any case 4.16, 4.17 and 4.18 all had the same issue until patched this weekend.
If Redhat do backport any fix, Centos will get it.
ClearOS, as it has not been maintained since the end July last year, will not be getting any fix. Moreover, the system failure at Clearcenter has not been fixed so the build system is dead and the route to the repos has gone until the cluster is fixed.
A fix has been released by the samba team for later versions of samba and someone has backported it into EL7 running samba-4.10.16, presumably self-compiled, with a few tweaks so there is a chance that Redhat will backport the fix, but ClearOS will not get it unless things change radically.
Why does anyone pay for ClearOS? Well, anti-spam and anti-malware updates still work as do a few other services. If you have paid apps and need to reinstall or install any new apps, you will need your subscription. You may be lucky with basic support tickets. Otherwise there is little point. You are not getting the secure product you have paid for or the support.
If you keep going with ClearOS, you should be aware that there is a critical security vulnerability in ClamAV, the anti-virus package, which is used by the Gateway AntiVirus/Proxy, File Scanner and Email Antivirus engine, and another critical vulnerability in the Webserver/Webconfig apps and the ProxyPass app. The exploit for ClamAV is trivial to trigger. The conditions for the exploit for the webconfig to be triggered are there in the webconfig configuration, I believe, and may also be there for the ProxyPass app. The Webserver vulnerability depends on how you use it. There are a whole host of other important and lower rated CVEs (Common Vulnerabilities and Exposures) which have not been fixed in ClearOS.
You also need to bear in mind that any potential for updating Clearos7 disappears in July 2024 and, from then on, there can never be any fixes as EL7 and Centos7 go EoL then and become unmaintained. If this sort of problem were to happen then, you'd be totally on your own.
-
Accepted Answer
tomas wrote:
Sorry to say, the permanent fix is changing to an OS that still gets updates. Zentyal and Univention don't have this issue.
We have a Business subscription so expect this resolved - we pay for verified updates.
Why would we pay them if it's not resolved? That would mean migrating what we have to other providers.
Good question. Why did you pay? There is no support.
Did you see a response from an COS employee here?
That you needed Samba 4.16 or up for 22H2 is known for quite a long time. But COS is not updating for way longer.
I also had (several) subscriptions. But stopped paying after nobody answered after I needed support.
Pretty unethical business practices. -
Accepted Answer
Sorry to say, the permanent fix is changing to an OS that still gets updates. Zentyal and Univention don't have this issue.
We have a Business subscription so expect this resolved - we pay for verified updates.
Why would we pay them if it's not resolved? That would mean migrating what we have to other providers. -