Problem with adding a Samba Member Server to a Samba AD Domain

Problem with adding a Samba Member Server to a Samba AD Domain

Samba - General mailing list
Hi List,

I found some threads here in the list with similar problems, but nothing
helped to solve my problem.

We have a very much too old Samba DC (version 4.1.x) and a new Samba
4.5.6 which should act as a member server.

The first problem we had during joining the domain:

"net ads join -k" didn't work.

The Error Message said: Failed to join domain: failed to lookup DC info
for domain 'BAETTENHAUSEN.LOCAL' over rpc: An internal error occurred.

Joining with "net ads join -S s4ad.baettenhausen.local -U
[hidden email]" worked.

After this it wasn't possible to connect to any share of this server. I
found the following message in the logs:

[2017/03/18 01:48:18.760431,  1]
../source3/librpc/crypto/gse.c:498(gse_get_server_auth_token)
   gss_accept_sec_context failed with [ Miscellaneous failure (see
text): Failed to find
cifs/[hidden email](kvno 2) in
keytab MEMORY:cifs_srv_keytab
  (arcfour-hmac-md5)]

Trying to search the keytab for "arcfour-hmac-md5" with "klist -e -k
/etc/krb5.keytab | grep arcfour-hmac-md5" delivers no matches.

Trying to connect with the domain admin account with smbclient didn't work:

smbclient -L 127.0.0.1 -U [hidden email]
Enter [hidden email]'s password:
session setup failed: NT_STATUS_LOGON_FAILURE

The log shows:

[2017/03/18 07:35:01.529313,  3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
   check_ntlm_password:  Checking password for unmapped user
[BAETTENHAUSEN]\[administrator]@[FILESERVER] with the new password interface
[2017/03/18 07:35:01.529339,  3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
   check_ntlm_password:  mapped user is:
[BAETTENHAUSEN]\[administrator]@[FILESERVER]
[2017/03/18 07:35:01.552411,  3]
../source3/auth/auth_util.c:1233(check_account)
   Failed to find authenticated user BAETTENHAUSEN\administrator via
getpwnam(), denying access.
[2017/03/18 07:35:01.552450,  2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
   check_ntlm_password:  Authentication for user [administrator] ->
[administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/03/18 07:35:01.552482,  2]
../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
   SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2017/03/18 07:35:01.552546,  3]
../source3/smbd/error.c:82(error_packet_set)
   NT error packet at ../source3/smbd/sesssetup.c(277) cmd=115
(SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2017/03/18 07:35:01.552988,  3]
../source3/smbd/server_exit.c:246(exit_server_common)
   Server exit (failed to receive smb request)
[2017/03/18 07:35:01.577737,  3]
../source3/lib/util_procid.c:54(pid_to_procid)
   pid_to_procid: messaging_dgm_get_unique failed: No such file or directory

kinit instead works fine, and wbinfo -u is able to show all domain users.

My smb.conf:

[global]
         workgroup = BAETTENHAUSEN
         interfaces = 127.0.0.1 eth0
         bind interfaces only = true
         printing = cups
         printcap name = cups
         load printers = yes
         user share allow guests = no
         log level = 3

## no offline files
#       csc policy = disable

## Domain Settings
         security = ADS
         realm = BAETTENHAUSEN.LOCAL
#       server signing = auto
         kerberos method = secrets and keytab
         client signing = yes
         client use spnego = yes

         ntlm auth = yes

         winbind trusted domains only = no
         winbind use default domain = yes

## Winbind Settings
         #winbind separator = +
         # ID mapping with RFC2307 extension
         # Builtin and local users/groups
         idmap config *:backend = tdb
         idmap config *:range = 40000-49999

         # BAETTENHAUSEN
         idmap config BAETTENHAUSEN:backend = ad
         #idmap config BAETTENHAUSEN:schema_mode = rfc2307
         idmap config BAETTENHAUSEN:range = 500-30000

         winbind enum users = yes
         winbind enum groups = yes
         winbind refresh tickets = yes
         template homedir = /home/%D/%U

## Charset Settings
         unix charset = UTF8
#       display charset = UTF8
         dos charset = ASCII

....

Here is the krb5.conf:

[libdefaults]
         default_realm = BAETTENHAUSEN.LOCAL
         dns_lookup_realm = true
         dns_lookup_kdc = true

[realms]
         BAETTENHAUSEN.LOCAL = {
                 kdc = s4ad.baettenhausen.local
                 admin_server = s4ad.baettenhausen.local
         }

Resolving the DNS service records for LDAP and Kerberos works:

fileserver:~ # dig SRV _ldap._tcp.baettenhausen.local

; <<>> DiG 9.9.9-P1 <<>> SRV _ldap._tcp.baettenhausen.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46492
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.baettenhausen.local.        IN      SRV

;; ANSWER SECTION:
_ldap._tcp.baettenhausen.local. 900 IN  SRV     0 100 389
s4ad.baettenhausen.local.

;; AUTHORITY SECTION:
baettenhausen.local.    900     IN      NS s4ad.baettenhausen.local.

;; ADDITIONAL SECTION:
s4ad.baettenhausen.local. 900   IN      A       192.168.1.10

;; Query time: 8 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sat Mar 18 07:45:39 CET 2017
;; MSG SIZE  rcvd: 133


fileserver:~ # dig SRV _kerberos._tcp.baettenhausen.local

; <<>> DiG 9.9.9-P1 <<>> SRV _kerberos._tcp.baettenhausen.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33727
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_kerberos._tcp.baettenhausen.local. IN SRV

;; ANSWER SECTION:
_kerberos._tcp.baettenhausen.local. 900 IN SRV  0 100 88
s4ad.baettenhausen.local.

;; AUTHORITY SECTION:
baettenhausen.local.    900     IN      NS s4ad.baettenhausen.local.

;; ADDITIONAL SECTION:
s4ad.baettenhausen.local. 900   IN      A       192.168.1.10

;; Query time: 7 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sat Mar 18 07:46:58 CET 2017
;; MSG SIZE  rcvd: 137

Resolving the Hostnames of the AD-DC and the new Member Server works in
both directions.

Any Ideas?

Stefan



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Problem with adding a Samba Member Server to a Samba AD Domain

Samba - General mailing list
On Sat, 18 Mar 2017 07:48:27 +0100
Stefan Schäfer via samba <[hidden email]> wrote:

> Hi List,
>
> I found some threads here in the list with similar problems, but
> nothing helped to solve my problem.
>
> We have a very much too old Samba DC (version 4.1.x) and a new Samba
> 4.5.6 which should act as a member server.

Don't suppose you can update the DC to a newer Samba version?


>
> smbclient -L 127.0.0.1 -U [hidden email]
> Enter [hidden email]'s password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>

You should be able to fix this by adding this line to smb.conf:

    username map = /etc/samba/user.map

Then create the user.map:

nano /etc/samba/user.map
!root = BAETTENHAUSEN\Administrator BAETTENHAUSEN\administrator
Administrator administrator

>
> Here the krb5.conf

You only need:

[libdefaults]
         default_realm = BAETTENHAUSEN.LOCAL
         dns_lookup_realm = false
         dns_lookup_kdc = true

If your TLD really is '.local', turn off Avahi on the domain member.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Problem with adding a Samba Member Server to a Samba AD Domain

Samba - General mailing list


On 18.03.2017 at 10:43, Rowland Penny via samba wrote:

> On Sat, 18 Mar 2017 07:48:27 +0100
> Stefan Schäfer via samba <[hidden email]> wrote:
>
>> Hi List,
>>
>> I found some threads here in the list with similar problems, but
>> nothing helped to solve my problem.
>>
>> We have a very much too old Samba DC (version 4.1.x) and a new Samba
>> 4.5.6 which should act as a member server.
> Don't suppose you can update the DC to a newer Samba version?
I know, I have to....

>
>
>> smbclient -L 127.0.0.1 -U [hidden email]
>> Enter [hidden email]'s password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
> You should be able to fix this by adding this line to smb.conf:
>
>      username map = /etc/samba/user.map
>
> Then create the user.map:
>
> nano /etc/samba/user.map
> !root = BAETTENHAUSEN\Administrator BAETTENHAUSEN\administrator
> Administrator administrator
This works for the Administrator account, but I have this problem with
all users.
Is it a user mapping problem?
>
>> Here the krb5.conf
> You only need:
>
> [libdefaults]
>           default_realm = BAETTENHAUSEN.LOCAL
>           dns_lookup_realm = false
>           dns_lookup_kdc = true
I tested this before, makes no difference.
> If your TLD really is '.local', turn off Avahi on the domain member.
Avahi isn't running.
>
> Rowland
>
Stefan

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Problem with adding a Samba Member Server to a Samba AD Domain

Samba - General mailing list
On Sat, 18 Mar 2017 13:23:29 +0100
Stefan Schäfer via samba <[hidden email]> wrote:


> This works for the Administrator account, but I have this problem
> with all users.
> Is it a user mapping problem?

You are using the winbind 'ad' backend. Have you given Domain Users a
gidNumber attribute containing a number inside the '500-30000' range?
(By the way, this range isn't a good idea: no space for ANY local Unix
users.)

Have you also given your users a uidNumber attribute containing a
unique number inside the same range?

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
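Rowland's remark about the '500-30000' range is a configuration check that can be automated. The script below is an added example, not code from the thread or from the Samba project: it parses the "idmap config ...:range" lines of an smb.conf and reports a range that starts inside the space normally kept for local Unix accounts (the threshold of 999 is an assumption; compare it with UID_MIN in /etc/login.defs on a real host), a range that is empty or reversed, and any two ranges that overlap. Both sample configurations are constructed inline; the first mirrors the ranges quoted in the thread, the second is a corrected variant.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): sanity-check the
# "idmap config DOMAIN:range = LO-HI" lines of an smb.conf.

# Constructed sample mirroring the ranges quoted in the thread (problem case).
SAMPLE_BAD_CONF=$(mktemp)
cat > "$SAMPLE_BAD_CONF" <<'EOF'
[global]
         workgroup = BAETTENHAUSEN
         security = ADS
         idmap config *:backend = tdb
         idmap config *:range = 40000-49999
         idmap config BAETTENHAUSEN:backend = ad
         idmap config BAETTENHAUSEN:range = 500-30000
EOF

# Constructed corrected variant: both ranges start above local UIDs and do not overlap.
SAMPLE_GOOD_CONF=$(mktemp)
cat > "$SAMPLE_GOOD_CONF" <<'EOF'
[global]
         idmap config *:backend = tdb
         idmap config *:range = 3000-7999
         idmap config BAETTENHAUSEN:backend = ad
         idmap config BAETTENHAUSEN:range = 10000-39999
EOF
trap 'rm -f "$SAMPLE_BAD_CONF" "$SAMPLE_GOOD_CONF"' EXIT

# check_idmap_ranges CONF [LOCAL_UID_MAX]
# Prints one line per finding; exits 0 when there are none, 1 otherwise.
# LOCAL_UID_MAX (default 999, an assumed threshold) is the top of the
# space reserved for local Unix accounts.
check_idmap_ranges() {
    awk -v local_max="${2:-999}" '
        /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:range[ \t]*=/ {
            n = index($0, "=")
            key = substr($0, 1, n - 1)                 # "idmap config DOMAIN:range"
            sub(/^[ \t]*idmap[ \t]+config[ \t]+/, "", key)
            sub(/:range[ \t]*$/, "", key)             # leaves the domain name or "*"
            val = substr($0, n + 1)
            gsub(/[ \t]/, "", val)                     # "LO-HI"
            split(val, parts, "-")
            lo[key] = parts[1] + 0
            hi[key] = parts[2] + 0
            if (lo[key] >= hi[key]) {
                printf "range for %s is empty or reversed: %s\n", key, val
                bad = 1
            }
            if (lo[key] <= local_max) {
                printf "range for %s starts at %d, inside the local account space (<= %d)\n", key, lo[key], local_max
                bad = 1
            }
        }
        END {
            # Every pair of ranges must be disjoint; each pair is visited once (x < y).
            for (x in lo)
                for (y in lo)
                    if (x < y && lo[x] <= hi[y] && lo[y] <= hi[x]) {
                        printf "ranges for %s (%d-%d) and %s (%d-%d) overlap\n", x, lo[x], hi[x], y, lo[y], hi[y]
                        bad = 1
                    }
            exit bad ? 1 : 0
        }' "$1"
}

echo "== constructed problem case"
check_idmap_ranges "$SAMPLE_BAD_CONF" || echo "-> problems found (exit status $?)"
echo "== constructed corrected case"
check_idmap_ranges "$SAMPLE_GOOD_CONF" && echo "-> no findings"
```

Run it against the real file with `check_idmap_ranges /etc/samba/smb.conf`; a non-zero exit status means at least one finding was printed. The check only covers the ranges themselves; whether every user and Domain Users actually carry a uidNumber/gidNumber inside the range still has to be verified in AD, as Rowland asks.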

Re: Problem with adding a Samba Member Server to a Samba AD Domain

Samba - General mailing list
Got it!

There was "pam-32bit" installed on the server but without
"/lib/security/pam_winbind.so". Removing pam-32bit was the solution.

Thanx for your help Rowland.

Stefan


On 18.03.2017 at 13:32, Rowland Penny via samba wrote:

> On Sat, 18 Mar 2017 13:23:29 +0100
> Stefan Schäfer via samba <[hidden email]> wrote:
>
>
>> This works for the Administrator account, but I have this problem
>> with all users.
>> Is it a user mapping problem?
> You are using the winbind 'ad' backend. Have you given Domain Users a
> gidNumber attribute containing a number inside the '500-30000' range?
> (By the way, this range isn't a good idea: no space for ANY local Unix
> users.)
>
> Have you also given your users a uidNumber attribute containing a
> unique number inside the same range?
>
> Rowland
>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba