Package: samba Version: 2:3.6.6-6+deb7u9 Followup-For: Bug #821069 I prefere to reply to this bug, but also client cannot logon to the domain so clearly this is a duplicate of bug #820982.
As stated in #820982, the culprit came from a mismatch in ''signing'' between clent and server. Some command line sessions: BEFORE UPGRADE: root@lupus:~# net rpc testjoin Join to 'SVCORSI' is OK root@lupus:~# testparm > /tmp/smb.conf.before Load smb config files from /etc/samba/smb.conf rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) WARNING: The "enable privileges" option is deprecated Can't find include file /etc/samba/smb.conf. Processing section "[printers]" Processing section "[baleno]" Processing section "[print$]" Processing section "[netlogon]" Processing section "[homes]" Processing section "[profiles]" Processing section "[wpkg]" Processing section "[larpch]" Processing section "[Users]" Processing section "[Media]" Processing section "[Software]" Processing section "[web]" Loaded services file OK. Server role: ROLE_DOMAIN_PDC Press enter to see a dump of your service definitions AFTER UPGRADE: root@lupus:~# net rpc testjoin Connection failed: NT_STATUS_ACCESS_DENIED Join to domain 'SVCORSI' is not valid: NT_STATUS_ACCESS_DENIED root@lupus:~# net -d 10 rpc testjoin INFO: Current debug levels: all: 10 [...] Connecting to 10.5.7.1 at port 445 Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_SNDBUF = 16384 SO_RCVBUF = 16384 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 Substituting charset 'UTF-8' for LOCALE cli_negprot: SMB signing is mandatory and the server doesn't support it. failed negprot: NT_STATUS_ACCESS_DENIED Cannot connect to server (anonymously). Error was NT_STATUS_ACCESS_DENIED lang_tdb_init: /usr/share/samba/it_IT.UTF-8.msg: File o directory non esistente Connection failed: NT_STATUS_ACCESS_DENIED Join to domain 'SVCORSI' is not valid: NT_STATUS_ACCESS_DENIED return code = -1 Note the 'cli_negprot: SMB signing is mandatory and the server doesn't support it.'. But also note that, whitout notice, a default opton changed: root@lupus:~# testparm > /tmp/smb.conf.after Load smb config files from /etc/samba/smb.conf rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) WARNING: The "enable privileges" option is deprecated Can't find include file /etc/samba/smb.conf. Processing section "[printers]" Processing section "[baleno]" Processing section "[print$]" Processing section "[netlogon]" Processing section "[homes]" Processing section "[profiles]" Processing section "[wpkg]" Processing section "[larpch]" Processing section "[Users]" Processing section "[Media]" Processing section "[Software]" Processing section "[web]" Loaded services file OK. Server role: ROLE_DOMAIN_PDC Press enter to see a dump of your service definitions root@lupus:~# diff -ud /tmp/smb.conf.before /tmp/smb.conf.after --- /tmp/smb.conf.before 2016-04-15 17:32:57.062343755 +0200 +++ /tmp/smb.conf.after 2016-04-15 17:35:46.310718374 +0200 @@ -9,6 +9,7 @@ syslog = 0 log file = /var/log/samba/log.%m time server = Yes + client signing = required socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 printcap name = cups add user script = /usr/sbin/smbldap-useradd "%u" eg, now 'client signing = required'. Instead of adding 'client signing = no' as stated in bug #820982, i've added: server signing = auto for now, and all works as expected; but i've to experiment a bit with the suggested: server signing = mandatory ntlm auth = no before implementing it. A little note: debconf of the samba3 upgrade does not warn about the upgrade as the samba4 upgrade in jessie, so users can get even more confused about. Thanks. -- System Information: Debian Release: 7.10 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages samba depends on: ii adduser 3.113+nmu3 ii debconf [debconf-2.0] 1.5.49 ii dpkg 1.16.17 ii libacl1 2.2.51-8 ii libattr1 1:2.4.46-8 ii libc6 2.13-38+deb7u10 ii libcap2 1:2.22-1.2 ii libcomerr2 1.42.5-1.1+deb7u1 ii libcups2 1.5.3-5+deb7u6 ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u7 ii libk5crypto3 1.10.1+dfsg-5+deb7u7 ii libkrb5-3 1.10.1+dfsg-5+deb7u7 ii libldap-2.4-2 2.4.31-2+deb7u1 ii libpam-modules 1.1.3-7.1 ii libpam-runtime 1.1.3-7.1 ii libpam0g 1.1.3-7.1 ii libpopt0 1.16-7 ii libtalloc2 2.0.7+git20120207-1 ii libtdb1 1.2.10-2 ii libwbclient0 2:3.6.6-6+deb7u9 ii lsb-base 4.1+Debian8+deb7u1 ii procps 1:3.3.3-3 ii samba-common 2:3.6.6-6+deb7u9 ii update-inetd 4.43 ii zlib1g 1:1.2.7.dfsg-13 Versions of packages samba recommends: ii logrotate 3.8.1-4 ii tdb-tools 1.2.10-2 Versions of packages samba suggests: pn ctdb <none> pn ldb-tools <none> ii openbsd-inetd [inet-superserver] 0.20091229-2 ii smbldap-tools 0.9.10-0gaio3.1 -- debconf information excluded