
[Samba] Office 365, Windows 10 and Samba AD


Dirk Laurenz (Samba Mailinglisten Account)

Aug 30, 2015, 7:20:03 AM
Hello everybody,

I found out that there's a problem with Windows 10, Office 365 and Samba
AD. A Win 10 client joined to a Samba AD domain does not allow Office 365
to connect to an IMAP-based mail service.

If the AD controller is a Windows 2012 R2, this works. See:
https://social.technet.microsoft.com/Forums/de-DE/9983a475-856a-4ff8-8aa2-1e430ebd293a/outlook-2013-window-10-imap-domne?forum=office_generalde
(German only)

Does anyone else have this problem? Working with a local account on the same
Windows 10 system works (as described in the workaround).

Regards,

Dirk




David Disseldorp

Sep 1, 2015, 6:20:03 AM

On Sun, 30 Aug 2015 12:49:09 +0200, Dirk Laurenz (Samba Mailinglisten Account) wrote:

> i found out, that there's a problem with Windows 10, Office 365 and Samba
> AD. A Win 10 Client, joined to a Samba AD Domain does not allow office 365
> to connect to an IMAP Based Mail service.
>
> If the AD controller is a windows 2012 R2, this works. See:
> https://social.technet.microsoft.com/Forums/de-DE/9983a475-856a-4ff8-8aa2-1e
> 430ebd293a/outlook-2013-window-10-imap-domne?forum=office_generalde (is only
> german)

Thanks for the report Dirk. Please raise a bug at bugzilla.samba.org to
track this issue.

Cheers, David

Dirk Laurenz (Samba Mailinglisten Account)

Sep 25, 2015, 12:50:03 AM
Hi,

the same with Office 2016 from Office 365. I will raise a bug report this weekend.

Level 10 Debug Log?

-----Original Message-----
From: samba [mailto:samba-...@lists.samba.org] On Behalf Of David Disseldorp
Sent: Tuesday, 1 September 2015 12:02
To: Dirk Laurenz (Samba Mailinglisten Account) <sa...@laurenz.ws>
Cc: sa...@lists.samba.org
Subject: Re: [Samba] Office 365, Windows 10 and Samba AD


Dirk Laurenz (Samba Mailinglisten Account)

Oct 2, 2015, 3:10:03 AM
Hi,

I managed to create a level 10 debug log - bug id 11538

-----Original Message-----
From: Dirk Laurenz [mailto:di...@laurenz.ws]
Sent: Friday, 25 September 2015 11:58
To: 'Dirk Laurenz (Samba Mailinglisten Account)' <sa...@laurenz.ws>; 'David Disseldorp' <dd...@suse.de>
Cc: sa...@lists.samba.org
Subject: AW: [Samba] Office 365, Windows 10 and Samba AD

Unfortunately level 10 debug log is empty - it seems to be a local problem only on windows 10

-----Original Message-----
From: samba [mailto:samba-...@lists.samba.org] On Behalf Of Dirk Laurenz (Samba Mailinglisten Account)
Sent: Friday, 25 September 2015 06:43
To: 'David Disseldorp' <dd...@suse.de>; 'Dirk Laurenz (Samba Mailinglisten Account)' <sa...@laurenz.ws>

Stefan G. Weichinger

Mar 22, 2016, 1:10:03 AM

On 2015-10-02 at 09:07, Dirk Laurenz (Samba Mailinglisten Account) wrote:
> Hi,
>
> i managed to create a level 10 debug log - bug id 11538

I hit this bug yesterday in a NT-based domain with samba-3.6.25.
Is there any patch or workaround for samba-3.x as well? The patch in the
mentioned bug does some LDAP-change ... I don't have any LDAP there.

Sure, migration to samba-4 and/or ADS-based domain has to be sooner or
later, I assume ;-)

Garming Sam

Mar 22, 2016, 5:50:02 AM
Hi,

As you should know, 3.x is out of support. Assuming this is related to
the KB2992611 MS update, basically the bar was raised for clients in
response to a security issue, and caused havoc for people on Windows as
well. In order to fix 3.x, a good chunk of the infrastructure written
for Samba 4 (AD) would likely have to be moved across because the bar
really just has been raised unfortunately. There really isn't any
trivial fix, besides uninstalling the KB2992611 but I wouldn't really
recommend it as it probably exposes you to a serious security vulnerability.


Cheers,

Garming Sam

On 22/03/2016 6:07 p.m., Stefan G. Weichinger wrote:
> On 2015-10-02 at 09:07, Dirk Laurenz (Samba Mailinglisten Account) wrote:
>> Hi,
>>
>> i managed to create a level 10 debug log - bug id 11538
> I hit this bug yesterday in a NT-based domain with samba-3.6.25.
> Is there any patch or workaround for samba-3.x as well? The patch in the
> mentioned bug does some LDAP-change ... I don't have any LDAP there.
>
> Sure, migration to samba-4 and/or ADS-based domain has to be sooner or
> later, I assume ;-)
>
>
>



Stefan G. Weichinger

Mar 22, 2016, 9:20:04 AM

On 2016-03-22 at 10:45, Garming Sam wrote:
> Hi,
>
> As you should know, 3.x is out of support. Assuming this is related to
> the KB2992611 MS update, basically the bar was raised for clients in
> response to a security issue, and caused havoc for people on Windows as
> well. In order to fix 3.x, a good chunk of the infrastructure written
> for Samba 4 (AD) would likely have to be moved across because the bar
> really just has been raised unfortunately. There really isn't any
> trivial fix, besides uninstalling the KB2992611 but I wouldn't really
> recommend it as it probably exposes you to a serious security
> vulnerability.

Thanks for pointing this out.

To keep the momentary changes as small as possible I consider upgrading
to samba-4.x at first, without touching the NT4-style domain for now.

gentoo linux provides samba-4.2.9 as unstable package, I assume this
would run OK as well for our rather simple use case. Would the move to
4.2.9 help around that specific bug as well?

thanks for helping, Stefan

Andrew Bartlett

Mar 22, 2016, 8:50:04 PM
On Tue, 2016-03-22 at 14:07 +0100, Stefan G. Weichinger wrote:
> On 2016-03-22 at 10:45, Garming Sam wrote:
> >
> > Hi,
> >
> > As you should know, 3.x is out of support. Assuming this is related
> > to
> > the KB2992611 MS update, basically the bar was raised for clients
> > in
> > response to a security issue, and caused havoc for people on
> > Windows as
> > well. In order to fix 3.x, a good chunk of the infrastructure
> > written
> > for Samba 4 (AD) would likely have to be moved across because the
> > bar
> > really just has been raised unfortunately. There really isn't any
> > trivial fix, besides uninstalling the KB2992611 but I wouldn't
> > really
> > recommend it as it probably exposes you to a serious security
> > vulnerability.
> Thanks for pointing this out.
>
> To keep the momentary changes as small as possible I consider
> upgrading
> to samba-4.x at first, without touching the NT4-style domain for now.

My understanding is that this issue not only requires a current codebase
(and Samba 4.2), but also an AD DC.

> gentoo linux provides samba-4.2.9 as unstable package, I assume this
> would run OK as well for our rather simple use case. Would the move
> to
> 4.2.9 help around that specific bug as well?
>
> thanks for helping, Stefan

There is a way to tell windows not to use BackupKey, see

https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains#Windows_8.1:_Encountering_Error_code_0x80090345_launching_Windows_Credential_Manager

This will avoid windows attempting to store a backup of the user
password store master key remotely.  That means if you change the
user's password on the DC, saved passwords will become inaccessible,
which may or may not matter.

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba

Stefan G. Weichinger

Mar 23, 2016, 4:50:05 AM

On 2016-03-23 at 01:44, Andrew Bartlett wrote:
> There is a way to tell windows not to use BackupKey, see
>
> https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domain
> s#Windows_8.1:_Encountering_Error_code_0x80090345_launching_Windows_Cre
> dential_Manager
>
> This will avoid windows attempting to store a backup of the user
> password store master key remotely. That means if you change the
> user's password on the DC, saved passwords will become inaccessible,
> which may or may not matter.

I will try this setting later today, thanks.

Stefan G. Weichinger

Mar 23, 2016, 5:00:04 AM

On 2016-03-23 at 01:44, Andrew Bartlett wrote:

>> To keep the momentary changes as small as possible I consider
>> upgrading
>> to samba-4.x at first, without touching the NT4-style domain for now.
>
> My understanding is that this issue not only requires a current codebase
> (and Samba 4.2), but also an AD DC.

The patch, yes. But even without any AD in the domain I get that Error
Code 0x8004011c there.

L.P.H. van Belle

Mar 23, 2016, 5:10:04 AM
Did you also remove : KB2992611 ?


> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On Behalf Of Stefan G.
> Weichinger
> Sent: Wednesday, 23 March 2016 9:49
> To: Andrew Bartlett; Garming Sam; sa...@lists.samba.org
> Subject: Re: [Samba] Office 365, Windows 10 and Samba AD

Stefan G. Weichinger

Mar 23, 2016, 10:10:03 AM

On 2016-03-23 at 10:06, L.P.H. van Belle wrote:
> Did you also remove : KB2992611 ?

not yet, no. I will be there again next week and also try that.
The registry entry mentioned by Andrew did not help today ...

Stefan G. Weichinger

Mar 23, 2016, 3:20:04 PM

On 2016-03-23 at 20:06, Andrew Bartlett wrote:
> On Wed, 2016-03-23 at 15:05 +0100, Stefan G. Weichinger wrote:
>> On 2016-03-23 at 10:06, L.P.H. van Belle wrote:
>>> Did you also remove : KB2992611 ?
>>
>> not yet, no. I will be there again next week and also try that.
>> The registry entry mentioned by Andrew did not help today ...
>
> If that doesn't help, then you need to upgrade to Samba as an AD DC.

Now *that* sounds scary ;-)

Andrew Bartlett

Mar 23, 2016, 3:20:04 PM
On Wed, 2016-03-23 at 15:05 +0100, Stefan G. Weichinger wrote:
> On 2016-03-23 at 10:06, L.P.H. van Belle wrote:
> > Did you also remove : KB2992611 ?
>
> not yet, no. I will be there again next week and also try that.
> The registry entry mentioned by Andrew did not help today ...

If that doesn't help, then you need to upgrade to Samba as an AD DC.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Stefan G. Weichinger

Mar 29, 2016, 3:10:03 AM

On 2016-03-23 at 20:12, Stefan G. Weichinger wrote:

>> If that doesn't help, then you need to upgrade to Samba as an AD DC.
>
> Now *that* sounds scary ;-)

Is the step from NT4-based domain on 3.6.x to ADS-based domain on 4.x a
very risky and complicated one or should it be rather standard procedure?

Can it be tested and prepared in a way?

Rowland penny

Mar 29, 2016, 4:50:02 AM
On 29/03/16 08:03, Stefan G. Weichinger wrote:
> On 2016-03-23 at 20:12, Stefan G. Weichinger wrote:
>
>>> If that doesn't help, then you need to upgrade to Samba as an AD DC.
>> Now *that* sounds scary ;-)
> Is the step from NT4-based domain on 3.6.x to ADS-based domain on 4.x a
> very risky and complicated one or should it be rather standard procedure?
>
> Can it be tested and prepared in a way?
>
>
>

Well, very little in life is without risk :-)

There is however a tool to help you with this and a wiki page that
describes how to use it:

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29

I would create a VM to test this in, rather than just ploughing in :-)

There are a few gotchas, such as you will need to change any normal user
& group SIDs that have RIDs less than 1000, note that I am not talking
about users like 'Administrator' or groups like 'Domain Users', just
normal users & groups.

Try to use the latest supported version of Samba that you can.

Any questions, problems etc, just ask.

Rowland

Stefan G. Weichinger

Mar 29, 2016, 1:30:04 PM

On 2016-03-29 at 10:44, Rowland penny wrote:

> Well, very little in life is without risk :-)

oh, yes, how true


> There is however a tool to help you with this and a wiki page that
> describes how to use it:
>
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29
>
>
> I would create a VM to test this in, rather than just ploughing in :-)
>
> There are a few gotchas, such as you will need to change any normal user
> & group SIDs that have RIDs less than 1000, note that I am not talking
> about users like 'Administrator' or groups like 'Domain Users', just
> normal users & groups.
>
> Try to use the latest supported version of Samba that you can.
>
> Any questions, problems etc, just ask.

thanks for the pointer and the URL, I had my try with that some months
ago already ... and yes, in a test VM.

I will maybe retry this soon and report/ask back here.

Stefan G. Weichinger

Apr 7, 2016, 8:30:03 AM

On 2016-03-29 at 10:44, Rowland penny wrote:

> There are a few gotchas, such as you will need to change any normal user
> & group SIDs that have RIDs less than 1000, note that I am not talking
> about users like 'Administrator' or groups like 'Domain Users', just
> normal users & groups.
>
> Try to use the latest supported version of Samba that you can.

I am starting a new test of this in a current Debian-Jessie-VM.
Took me some time to get the initial setup of "source" and "target" dirs
correctly ... now the samba-tool runs through at last.

a) question regarding the groups (seems the main problem here):

I get something like this for one group

Exporting groups
Ignoring group 'mygroup' S-1-5-21-2940660672-4062535256-4144655499-1010
listed but then not found: Unable to enumerate group members,
(-1073741722,No such group)

and something like this for all users:

Exporting users
Ignoring group memberships of 'user'
S-1-5-21-2940660672-4062535256-4144655499-1036: Unable to enumerate
group memberships, (-1073741724,No such user)

What does that mean? That the users and the group don't exist in
/etc/passwd and /etc/group on the new server? I realize I could try as I
write this ... no, does not change a thing.

b) I want to change the stupid workgroup-name from OFFICE to something
useful ... I assume that's problematic as the clients would have to be
rejoined then?

thanks, Stefan

Andrew Bartlett

Apr 7, 2016, 10:40:04 AM
That is what it means. The upgrade needs that NSS data to import the
information into the AD database.

> b) I want to change the stupid workgroup-name from OFFICE to
> something
> useful ... I assume that's problematic as the clients would have to
> be
> rejoined then?

Sadly yes.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba




Stefan G. Weichinger

Apr 7, 2016, 10:50:04 AM

On 07.04.2016 at 16:34, Andrew Bartlett wrote:

>> What does that mean? That the users and the group don't exist in
>> /etc/passwd and /etc/group on the new server? I realize I could try
>> as I
>> write this ... no, does not change a thing.
>
> That is what it means. The upgrade needs that NSS data to import the
> information into the AD database.

I had added the problematic group to /etc/group and re-ran samba-tool
(after deleting the generated files/tdbs), same error again.

I will retry that later in my test setup ...

copying over the lines from the old samba-server might help, maybe with
a little editing?

>> b) I want to change the stupid workgroup-name from OFFICE to
>> something
>> useful ... I assume that's problematic as the clients would have to
>> be
>> rejoined then?
>
> Sadly yes.

ok, cosmetics. Not really important.

thanks!

Stefan G. Weichinger

Apr 7, 2016, 1:40:03 PM

On 07.04.2016 at 16:45, Stefan G. Weichinger wrote:

> I had added the problematic group to /etc/group and re-ran samba-tool
> (after deleting the generated files/tdbs), same error again.
>
> I will retry that later in my test setup ...

correction: solved now. It was an upper/lowercase issue in the group
name. Thanks.

Now for the kerberos in debian. It seems not to be started somehow, and
I am still looking for a working and up-to-date debian-related howto.
Any pointers?
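
A pre-flight check for the two gotchas raised in this thread before running the classic upgrade: normal groups whose RIDs are below 1000, and mapped group names that do not match the local group file, including by case only. This is an added example, not part of any post and not Samba project code; the "NT group (SID) -> unix group" input shape, the sample data and the function names are assumptions, and it reads group-file text rather than querying NSS.

```python
import re

# Built-in domain RIDs below 1000 (partial list: Administrator, Guest, krbtgt,
# Domain Admins/Users/Guests/Computers/Controllers); not "normal" accounts.
WELL_KNOWN_RIDS = {500, 501, 502, 512, 513, 514, 515, 516}

# One mapping per line: "NT group (SID) -> unix group" (assumed input shape).
MAP_RE = re.compile(
    r"^(?P<nt>.+?) \((?P<sid>S-1-5-21(?:-\d+){4})\) -> (?P<unix>\S+)$")

# Constructed sample data; only the -1010 SID for 'mygroup' appears in the thread.
SAMPLE_GROUPMAP = """\
Domain Users (S-1-5-21-2940660672-4062535256-4144655499-513) -> users
mygroup (S-1-5-21-2940660672-4062535256-4144655499-1010) -> mygroup
Scanner (S-1-5-21-2940660672-4062535256-4144655499-998) -> scanner
Archive (S-1-5-21-2940660672-4062535256-4144655499-1011) -> archive
"""
SAMPLE_ETC_GROUP = """\
users:x:100:
MyGroup:x:1010:
scanner:x:998:
"""

def unix_group_names(group_file_text):
    """Return the group names (first field) from /etc/group-style text."""
    return {line.split(":", 1)[0] for line in group_file_text.splitlines()
            if line.strip() and not line.startswith("#")}

def preflight(groupmap_text, group_file_text):
    """Return (nt_group, problem) tuples for mappings worth fixing before the upgrade."""
    names = unix_group_names(group_file_text)
    by_lower = {n.lower(): n for n in names}
    findings = []
    for line in groupmap_text.splitlines():
        m = MAP_RE.match(line.strip())
        if not m:
            continue  # not a mapping line
        rid = int(m["sid"].rsplit("-", 1)[1])
        unix = m["unix"]
        if rid < 1000 and rid not in WELL_KNOWN_RIDS:
            findings.append((m["nt"], f"RID {rid} is below 1000"))
        if unix not in names:
            near = by_lower.get(unix.lower())
            if near:
                findings.append((m["nt"], f"unix group '{unix}' differs only by case from '{near}'"))
            else:
                findings.append((m["nt"], f"unix group '{unix}' not found in group file"))
    return findings

if __name__ == "__main__":
    for nt_group, problem in preflight(SAMPLE_GROUPMAP, SAMPLE_ETC_GROUP):
        print(f"{nt_group}: {problem}")
```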

Rowland penny

Apr 7, 2016, 1:50:04 PM
On 07/04/16 18:33, Stefan G. Weichinger wrote:
> On 07.04.2016 at 16:45, Stefan G. Weichinger wrote:
>
>> I had added the problematic group to /etc/group and re-ran samba-tool
>> (after deleting the generated files/tdbs), same error again.
>>
>> I will retry that later in my test setup ...
> correction: solved now. It was an upper/lowercase issue in the group
> name. Thanks.
>
> Now for the kerberos in debian. It seems not to be started somehow, and
> I am still looking for a working and up-to-date debian-related howto.
> Any pointers?

What do you mean kerberos isn't started ?
On a Samba AD DC, kerberos is part of the whole system and a separate
kerberos server isn't started.

As for pointers, what do you need to know ?
You could do worse than browse the Samba wiki:
https://wiki.samba.org/index.php/Main_Page

Rowland

Stefan G. Weichinger

Apr 7, 2016, 3:40:03 PM

On 2016-04-07 at 19:44, Rowland penny wrote:

> What do you mean kerberos isn't started ?
> On a Samba AD DC, kerberos is part of the whole system and a separate
> kerberos server isn't started.
>
> As for pointers, what do you need to know ?
> You could do worse than browse the Samba wiki:
> https://wiki.samba.org/index.php/Main_Page

yes, I know, thanks for the reminder. Been there, done that ;-)
On my way .. digging.