AD integration not working after move/version

AD integration not working after move/version

Samba - General mailing list
Hi!

I am in a bit of trouble, I have moved a samba installation from one virtual host to another keeping the configuration files and filesystems. But during the transition something broke, now windows users are no longer able to access their shares. I think it has to do with the AD integration. I do not know if it is because some state is missing on this host related to the AD integration or if something has changed since the version of samba is higher on the new host. We have the same set of private files also (passed.tbd and secrets.tbd).

Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.

Any ideas on how to debug this would be helpful, I know very little about AD integration, perhaps the virtual host needs to join the domain again and authenticate, can I check the status of the integration in any way?

Some error messages I was able to find:

[2017/03/18 15:33:21.544063,  0] auth/auth_domain.c:331(domain_client_validate)  domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED.
[2017/03/18 15:33:21.554733,  0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
  rpccli_netlogon_sam_network_logon: credentials chain check failed
[2017/03/18 15:33:21.554814,  0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED.
[2017/03/18 15:33:21.565235,  0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
  rpccli_netlogon_sam_network_logon: credentials chain check failed
[2017/03/18 15:33:21.565330,  0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED


Configuration, with user names and real paths removed; the only other change is that we had to switch the locale to ISO8859-1 instead of the argument “LOCALE”, which was no longer supported.

# Global parameters
[global]
        log file = /var/samba/log/clientlog.%m
        dns proxy = No
        acl check permissions = False
        netbios aliases = string1
        server string = string1
        name resolve order = hosts bcast
        realm = DOMAIN.NET
        password server = server3.string1.net sever4.string1.net
#       wins server = x.x.x.x
        local master = no
        workgroup = WGNAME
        os level = 0
        domain master = no
        encrypt passwords = yes
        security = DOMAIN
        unix charset = ISO8859-1
        max log size = 50
        # Fix for not to do lpstat since we don't use printers in Samba
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes


[homes]
        browseable = No
        comment = Home Directories
        writable = yes
        create mode = 775
        directory mode = 775

[string2]
        user = user1,user2
        path = /path/string2
        write list = userx,userx

[string3]
        path = /string3
        read only = Yes
        write list = user3,user4,user5
        create mask = 0760
        force create mode = 0760

[home]
        path = /path/home
        read only = No

[string4]
        path = /path
        read only = Yes
        write list = user9,user10,user11

[string5]
        revalidate = yes
        browseable = no
        writeable = yes
        valid users = @string5,@string6,@string7
        path = /path/path

[string11]
        path = /path/path2/path3
        writeable = yes
        valid users = @string9,string9
        browseable = no
        create mask = 0660
        force group = groupx


[string8]
        comment = Comment1 here
        path = /path/string8
        force group = userx
        valid users = @string10, @string11
        writeable = yes

Thankful for any assistance.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: AD integration not working after move/version

Samba - General mailing list
On Sat, 18 Mar 2017 16:06:28 +0100
Henrik Johansson via samba <[hidden email]> wrote:

> Hi!
>
> I am in a bit of trouble, I have moved a samba installation from one
> virtual host to another keeping the configuration files and
> filesystems. But during the transition something broke, now windows
> users are no longer able to access their shares. I think it has to do
> with the AD integration. I do not know if it is because some state is
> missing on this host related to the AD integration or if something
> has changed since the version of samba is higher on the new host. We
> have the same set of private files also (passed.tbd and secrets.tbd).
>
> Old version was 3.5.8 and the new version on the virtual host that
> does not work is 3.6.25.

What OS is this on?
Can you upgrade to a Samba version that is not EOL?

>
> Any ideas on how to debug this would be helpful, I know very little about AD
> integration, perhaps the virtual host needs to join the domain again
> and authenticate, can I check the status of the integration in any
> way?

You will probably need to join the new domain member again.


> # Global parameters
> [global]
>         log file = /var/samba/log/clientlog.%m
>         dns proxy = No
>         acl check permissions = False
>         netbios aliases = string1
>         server string = string1
>         name resolve order = hosts bcast
>         realm = DOMAIN.NET
>         password server = server3.string1.net sever4.string1.net
> #       wins server = x.x.x.x
>         local master = no
>         workgroup = WGNAME
>         os level = 0
>         domain master = no
>         encrypt passwords = yes
>         security = DOMAIN

Try changing 'security = DOMAIN' to 'security = ADS'

Are you running winbind or are you using something else for
authentication ?

Rowland


Re: AD integration not working after move/version

Samba - General mailing list
In reply to this post by Samba - General mailing list
Hi Henrik,

Am 18.03.2017 um 16:06 schrieb Henrik Johansson via samba:
> Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.

That's not really a step forward to a supported Samba version. :-)
https://wiki.samba.org/index.php/Samba_Release_Planning



> # Global parameters
> [global]
>         log file = /var/samba/log/clientlog.%m
>         dns proxy = No
>         acl check permissions = False
>         netbios aliases = string1
>         server string = string1
>         name resolve order = hosts bcast
>         realm = DOMAIN.NET
>         password server = server3.string1.net sever4.string1.net
> #       wins server = x.x.x.x
>         local master = no
>         workgroup = WGNAME
>         os level = 0
>         domain master = no
>         encrypt passwords = yes
>         security = DOMAIN
>         unix charset = ISO8859-1
>         max log size = 50
>         # Fix for not to do lpstat since we don't use printers in Samba
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes



First some nitpicks about your smb.conf:
* netbios aliases = string1
   Makes no sense to set an alias to exactly the same name
   as "server string" :-)

* password server: If there is no reason to only request some
   specific servers, I would not limit this. If both are down,
   Samba won't talk to other remaining DCs.

* encrypt passwords = yes
   This has been the default for a long time.

These are just some improvement suggestions, but not related to your problem.




Ok. And now the things that are incorrect for a Samba AD domain member:

* realm = DOMAIN.NET   and   workgroup = WGNAME
   In this case, I would expect that "DOMAIN" is your NetBIOS domain
   name ("workgroup" setting), not something different. If this
   really matches your AD setup, it should work - but it's not
   the recommended way to set up an AD.

* security = DOMAIN
   This setting is for an NT4 domain. Use "security = ADS"

* Your ID mapping configuration is missing completely.
   See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
   No warranty that this works for 3.6. Our documentation only
   covers supported Samba versions.




I recommend the following:

* Update Samba to a supported version (recommended: 4.6.0).
   Samba 3.6 was released 2011. A lot of things regarding AD were
   improved in later releases.
   https://wiki.samba.org/index.php/Updating_Samba

* Read: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
   I recently rewrote the doc and it works for all supported versions.



Regards,
Marc


Re: AD integration not working after move/version

Samba - General mailing list
In reply to this post by Samba - General mailing list
Hi Rowland and thanks for your reply,

> On 18 Mar 2017, at 16:54, Rowland Penny via samba <[hidden email]> wrote:
>
> On Sat, 18 Mar 2017 16:06:28 +0100
> Henrik Johansson via samba <[hidden email]> wrote:
>
>> Hi!
>>
>> I am in a bit of trouble, I have moved a samba installation from one
>> virtual host to another keeping the configuration files and
>> filesystems. But during the transition something broke, now windows
>> users are no longer able to access their shares. I think it has to do
>> with the AD integration. I do not know if it is because some state is
>> missing on this host related to the AD integration or if something
>> has changed since the version of samba is higher on the new host. We
>> have the same set of private files also (passed.tbd and secrets.tbd).
>>
>> Old version was 3.5.8 and the new version on the virtual host that
>> does not work is 3.6.25.
>
> What OS is this on ?
> Can you upgrade to a Samba version that is not EOL ?

Short summary; this is on an old Solaris 10 system, the virtual host is a Solaris zone, or two instances of the zone on two hosts for failover. The config is years old and I had no part in it, but we needed to upgrade Solaris; Oracle has only managed to release 3.5.8 or something close to that as patches. I could of course compile my own version or something but Samba was not the scope for this operation, it just stopped working, which is a huge problem, and it can be because we needed to switch to the other zone or because the config did not work with this slightly newer version.

>
>>
>> Any ideas on how to debug this would be helpful, I know very little about AD
>> integration, perhaps the virtual host needs to join the domain again
>> and authenticate, can I check the status of the integration in any
>> way?
>
> You will probably need to join the new domain member again.

I’m trying, and getting:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Server not found in Kerberos database


>
>
>> # Global parameters
>> [global]
>>        log file = /var/samba/log/clientlog.%m
>>        dns proxy = No
>>        acl check permissions = False
>>        netbios aliases = string1
>>        server string = string1
>>        name resolve order = hosts bcast
>>        realm = DOMAIN.NET
>>        password server = server3.string1.net sever4.string1.net
>> #       wins server = x.x.x.x
>>        local master = no
>>        workgroup = WGNAME
>>        os level = 0
>>        domain master = no
>>        encrypt passwords = yes
>>        security = DOMAIN
>
> Try changing 'security = DOMAIN' to 'security = ADS'
>
> Are you running winbind or are you using something else for
> authentication ?

I am under the impression that it’s kerberos.

>
> Rowland
>

Re: AD integration not working after move/version

Samba - General mailing list
In reply to this post by Samba - General mailing list
Hi marc and thanks for your reply,


> On 18 Mar 2017, at 17:26, Marc Muehlfeld via samba <[hidden email]> wrote:
>
> Hi Henrik,
>
> Am 18.03.2017 um 16:06 schrieb Henrik Johansson via samba:
>> Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.
>
> That's not really a step forward to a supported Samba version. :-)
> https://wiki.samba.org/index.php/Samba_Release_Planning
>

I just replied to the first answer I got, and wrote a bit about the background; it’s Solaris 10 with the provided samba. I will look through your suggestions and try to create a new config. I would however like just to get it working as it was before right now and then take care of improvements when it’s not a disturbance for customers (and not after a long night working in the weekend ;) ). I’ll try to see if I can recreate the “unconfigured” behaviour with id-mapping for now.

>
>
>> # Global parameters
>> [global]
>>        log file = /var/samba/log/clientlog.%m
>>        dns proxy = No
>>        acl check permissions = False
>>        netbios aliases = string1
>>        server string = string1
>>        name resolve order = hosts bcast
>>        realm = DOMAIN.NET
>>        password server = server3.string1.net sever4.string1.net
>> #       wins server = x.x.x.x
>>        local master = no
>>        workgroup = WGNAME
>>        os level = 0
>>        domain master = no
>>        encrypt passwords = yes
>>        security = DOMAIN
>>        unix charset = ISO8859-1
>>        max log size = 50
>>        # Fix for not to do lpstat since we don't use printers in Samba
>>        load printers = no
>>        printing = bsd
>>        printcap name = /dev/null
>>        disable spoolss = yes
>
>
>
> First some nitpicks about your smb.conf:
> * netbios aliases = string1
>  Makes no sense to set an alias to exactly the same name
>  as "server string" :-)
>
> * password server: If there is not reason to only request some
>  specific servers, I would not limit this. If both are down,
>  Samba won't talk to other remaining DCs.
>
> * encrypt passwords = yes
>  This is default since a longer time.
>
> This are just some improvement suggestions, but not related to your problem.
>
>
>
>
> Ok. And now the things that are incorrect for a Samba AD domain member:
>
> * realm = DOMAIN.NET   and   workgroup = WGNAME
>  In this case, I would expect that "DOMAIN" is your NetBIOS domain
>  name ("workgroup" setting), not something different. If this
>  really matches your AD setup, it should work - but it's not
>  the recommended way how to set up an AD.
>
> * security = DOMAIN
>  This setting is for an NT4 domain. Use "security = ADS"
>
> * Your ID mapping configuration is missing completely.
>  See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
>  No warranty that this works for 3.6. Our documentation only
>  covers supported Samba versions.
>
>
>
>
> I recommend the following:
>
> * Update Samba to a supported version (recommended: 4.6.0).
>  Samba 3.6 was released 2011. A lot of things regarding AD were
>  improved in later releases.
>  https://wiki.samba.org/index.php/Updating_Samba
>
> * Read: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>  I recently rewrote the doc and it works for all supported versions.
>


Thank you, it looks like I have stumbled on an old configuration that has not been maintained. I’ll do my best to get up to speed on samba and see if I can get a working configuration and/or new version and get it to work.

Regards
Henrik



Re: AD integration not working after move/version

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Sat, 18 Mar 2017 17:26:11 +0100
Marc Muehlfeld via samba <[hidden email]> wrote:

> Hi Henrik,
>
> Am 18.03.2017 um 16:06 schrieb Henrik Johansson via samba:
> > Old version was 3.5.8 and the new version on the virtual host that
> > does not work is 3.6.25.
>
> That's not really a step forward to a supported Samba version. :-)
> https://wiki.samba.org/index.php/Samba_Release_Planning

Some people cannot upgrade, so they have to use what they have, but
without knowing what OS the OP is using, we don't know if they can
upgrade easily.

>
> First some nitpicks about your smb.conf:
> * netbios aliases = string1
>    Makes no sense to set an alias to exactly the same name
>    as "server string" :-)

Why?

>
> * password server: If there is not reason to only request some
>    specific servers, I would not limit this. If both are down,
>    Samba won't talk to other remaining DCs.

That is correct and 'man smb.conf' tells you not to do it this way, but
who reads manpages ;-)

>
> * encrypt passwords = yes
>    This is default since a longer time.

It doesn't matter if there or not.

>
> Ok. And now the things that are incorrect for a Samba AD domain
> member:
>
> * realm = DOMAIN.NET   and   workgroup = WGNAME
>    In this case, I would expect that "DOMAIN" is your NetBIOS domain
>    name ("workgroup" setting), not something different. If this
>    really matches your AD setup, it should work - but it's not
>    the recommended way how to set up an AD.

Well, Microsoft says you can use a netbios domain name that is
different from the left part of the DNS name, so I suppose Samba
should as well.
 
 
> * Your ID mapping configuration is missing completely.
>    See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
>    No warranty that this works for 3.6. Our documentation only
>    covers supported Samba versions.

I notice it was missing as well, but the OP could be using something
else instead of winbind. 'idmap config' existed on 3.6.0, so it should
work.

> I recommend the following:
>
> * Update Samba to a supported version (recommended: 4.6.0).
>    Samba 3.6 was released 2011. A lot of things regarding AD were
>    improved in later releases.

Why recommend something that the OP might not be able to do, without
all the facts?

Rowland





Re: AD integration not working after move/version

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Sat, 18 Mar 2017 17:49:31 +0100
Henrik Johansson <[hidden email]> wrote:

> Hi Rowland and thanks for your reply,
>

>
> Short summary; this is on a old Solaris 10 system, the virtual host
> is a Solaris zone, or two instance of the zone on two hosts for
> failover. The config is years old and I had no part in this, but we
> needed to upgrade Solaris Oracle has only managed to release 3.5.8 or
> something close to that as patches. I could of course compile my own
> version or something but Samba was not the scope for this operation,
> it just stopped working which is a huge problem, and it can be
> because we needed to switch to the other zone or because the config
> did not work with this slightly newer version.
>

OK, I wonder if you are running into the result of the badlock patches?

>
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not
> found in Kerberos database Failed to join domain: failed to connect
> to AD: Server not found in Kerberos database

What is the DC?
What have you got in /etc/krb5.conf (or wherever it is)?
Does /etc/resolv.conf use the DC as the first nameserver?

>
> I am under the impression that it’s kerberos.
>

Samba uses winbind to talk to AD, so your first step will probably need
to be, adding the idmap config lines as suggested by Marc.

Rowland




Re: AD integration not working after move/version

Samba - General mailing list
In reply to this post by Samba - General mailing list
Am 18.03.2017 um 18:27 schrieb Rowland Penny via samba:
>> First some nitpicks about your smb.conf:
>> * netbios aliases = string1
>>    Makes no sense to set an alias to exactly the same name
>>    as "server string" :-)
>
> Why ?

Sorry, my fault. I mixed "server string", which is just a comment, with
"netbios name".




>> * encrypt passwords = yes
>>    This is default since a longer time.
>
> It doesn't matter if there or not.

Doesn't "this is default" mean exactly that it does not matter whether it's
there or not?




>> Ok. And now the things that are incorrect for a Samba AD domain
>> member:
>>
>> * realm = DOMAIN.NET   and   workgroup = WGNAME
>>    In this case, I would expect that "DOMAIN" is your NetBIOS domain
>>    name ("workgroup" setting), not something different. If this
>>    really matches your AD setup, it should work - but it's not
>>    the recommended way how to set up an AD.
>
> Well, Microsoft says you can use a netbios domain name that is
> different from the left part of the DNS name, so I suppose Samba
> should as well.

I just said that it's not recommended; neither that it's not allowed nor
that it's not working.




>> * Your ID mapping configuration is missing completely.
>>    See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
>>    No warranty that this works for 3.6. Our documentation only
>>    covers supported Samba versions.
>
> I notice it was missing as well, but the OP could be using something
> else instead of winbind. 'idmap config' existed on 3.6.0, so it should
> work.

Samba only supports Winbind, and not "something else". :-)

I know we had "idmap config" in 3.6, but it was still new that time.
Mentioning that the Wiki docs for the latest versions might not work
for the 6 year old 3.6 series seems reasonable to me, because parameters
might have been added/removed and defaults changed.




>> I recommend the following:
>>
>> * Update Samba to a supported version (recommended: 4.6.0).
>>    Samba 3.6 was released 2011. A lot of things regarding AD were
>>    improved in later releases.
>
> Why recommend something, that the OP might not be able to do, without
> all the facts.

Based on the facts we have (he is running 3.6), I recommend updating. If
he is not able to update, e.g. because Samba fails to build on his OS,
he will tell us.


Regards,
Marc





Re: AD integration not working after move/version

Samba - General mailing list
In reply to this post by Samba - General mailing list

>>
>> Short summary; this is on a old Solaris 10 system, the virtual host
>> is a Solaris zone, or two instance of the zone on two hosts for
>> failover. The config is years old and I had no part in this, but we
>> needed to upgrade Solaris Oracle has only managed to release 3.5.8 or
>> something close to that as patches. I could of course compile my own
>> version or something but Samba was not the scope for this operation,
>> it just stopped working which is a huge problem, and it can be
>> because we needed to switch to the other zone or because the config
>> did not work with this slightly newer version.
>>
>
> OK, I wonder if you are running into the result of the badlock patches ?
>

Yes I am having badluck! Thank you so much, I solved it not by upgrading but by downgrading below 3.6.25, so without badlock for the time being. Solved the urgent problem, but we need to have a plan to go to a later version, under well tested conditions. Thanks again!

Regards
Henrik

Re: AD integration not working after move/version

Samba - General mailing list
Compiling Samba on Solaris 10 is a major pain in the ...

Solaris 11 shipped with Samba 3.x but patches up to samba 4.7.x (you may need a contract to be able to update to the latest version). There is a little bit of a learning curve with Solaris 11. Editing /etc/nsswitch.conf now involves some complicated magic commands. Samba 4.7.x worked AOK.




