Samba 4 AD issues with RPC


Samba 4 AD issues with RPC

Samba - General mailing list


Hi Guys,

Setup:

Versions: Samba: 4.6.7
                Bind9:   9.10.3


Firewall disabled

AD Provision:

Migrated from samba 3 to 4 using classic upgrade.

samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir --realm=TEST.LOCAL --dns-backend=BIND9_FLATFILE /etc/samba.PDC/smb.PDC.conf

The following was the section in regards to the upgrade

Processing section "[netlogon]"
Processing section "[sysvol]"
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol



After the upgrade we tried to promote a Windows 2008R2 server as a DC, but it fails with the following event in Server 2008R2 (Event 5719)

This computer was not able to set up a secure session with a domain controller in domain TEST due to the following:
The RPC server is unavailable.
This computer was not able to set up a secure session with a domain controller in domain TEST due to the following:
The RPC server is unavailable.

The DCPROMO command lists the following error:
The wizard cannot gain access to the list of the domains in the forest. The RPC server is unavailable




The following are the contents of the smb.conf file

[global]
        netbios name = TESTDC
        realm = TEST.LOCAL
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, s3fs
        workgroup = TEST
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, mapiproxy

[netlogon]
        path = /var/lib/samba/sysvol/test.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Tests done so far

-          Confirmed that KINIT works

-          Confirmed that SRV records resolve correctly

samba-tool testparm --suppress-prompt -v | grep '[s]erver services'
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, s3fs
samba-tool testparm --suppress-prompt -v | grep '[d]cerpc endpoint servers'
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, mapiproxy

service --status-all
[ - ]  acpid
[ + ]  apparmor
[ + ]  apport
[ + ]  atd
[ + ]  bind9
[ - ]  console-setup.sh
[ + ]  cron
[ - ]  cryptdisks
[ - ]  cryptdisks-early
[ + ]  dbus
[ + ]  ebtables
[ + ]  grub-common
[ - ]  hwclock.sh
[ - ]  irqbalance
[ - ]  isc-dhcp-server
[ + ]  iscsid
[ - ]  keyboard-setup.sh
[ + ]  kmod
[ - ]  lvm2
[ + ]  lvm2-lvmetad
[ + ]  lvm2-lvmpolld
[ + ]  lxcfs
[ - ]  lxd
[ - ]  mdadm
[ - ]  mdadm-waitidle
[ - ]  nmbd
[ - ]  open-iscsi
[ + ]  open-vm-tools
[ - ]  plymouth
[ - ]  plymouth-log
[ + ]  procps
[ - ]  rsync
[ + ]  rsyslog
[ + ]  samba-ad-dc
[ - ]  screen-cleanup
[ - ]  smbd
[ + ]  ssh
[ + ]  udev
[ + ]  ufw
[ + ]  unattended-upgrades


Any suggestions?

Regards
PG


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba 4 AD issues with RPC

Samba - General mailing list
On Tue, 5 Dec 2017 05:08:24 +0000
Praveen Ghimire via samba <[hidden email]> wrote:

>
>
> Hi Guys,
>
> Setup:
>
> Versions: Samba: 4.6.7
>                 Bind9:   9.10.3
>
>
> Firewall disabled
>
> AD Provision:
>
> Migrated from samba 3 to 4 using classic upgrade.
>
> samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir
> --realm=TEST.LOCAL
> --dns-backend=BIND9_FLATFILE /etc/samba.PDC/smb.PDC.conf
>
> Any suggestions?
>

Yes, do not use BIND9_FLATFILE, it doesn't work.

Rowland



Re: Samba 4 AD issues with RPC

Samba - General mailing list
Hi Rowland,

Thank you.

So should I use BIND9_DLZ?



Regards,

Praveen



Re: Samba 4 AD issues with RPC

Samba - General mailing list
On Tue, 5 Dec 2017 08:41:37 +0000
Praveen Ghimire <[hidden email]> wrote:

> Hi Rowland,
>
> Thank you.
>
> So should I use BIND9_DLZ?

If you are using Bind9, then yes

Rowland


Re: Samba 4 AD issues with RPC

Samba - General mailing list
Hi Rowland,

Sorry, migration using BIND9_DLZ gives the same result

Not sure if the following output from the migration is of concern

Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3034, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3040, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3030, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3046, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3032, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3050, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3036, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3038, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3042, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
User root has been kept in the directory, it should be removed in favour of the Administrator user
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3048, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3010, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3028, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3062, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Committing 'add users' transaction to disk
Adding users to groups
Committing 'add users to groups' transaction to disk
Setting password for administrator
Administrator password has been set to password of user 'root'
Processing section "[netlogon]"
Processing section "[sysvol]"
Module 'acl_xattr' loaded
Module 'dfs_samba4' loaded
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
Processing section "[netlogon]"
Processing section "[sysvol]"
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol


I've tested the DNS according to the Samba document; the SRV records for both the domain and the realm seem to work

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller


Have tried a Server 2008 and a Server 2012. In 2012 it comes up with "Verification of replica failed. The wizard cannot access the list of domains in the forest. The error is: An internal error occurred"

Just confirming that I am logged in as Domain Administrator and using those creds to run the AD Wizard and dcpromo. Also tried using both the realm and the domain when trying the dcpromo

The following is the new smb.conf file. Have added bits about DNS updates


[global]
        netbios name = TESTDC
        realm = TEST.LOCAL
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = TEST
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        dcerpc endpoint servers = +mapiproxy
        allow dns updates = nonsecure
[netlogon]
        path = /var/lib/samba/sysvol/test.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No


The following is the krb5.conf

[libdefaults]
        default_realm = TEST.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

service --status-all
 [ - ]  acpid
 [ + ]  apparmor
 [ + ]  apport
 [ + ]  atd
 [ + ]  bind9
 [ - ]  console-setup.sh
 [ + ]  cron
 [ - ]  cryptdisks
 [ - ]  cryptdisks-early
 [ + ]  dbus
 [ + ]  ebtables
 [ + ]  grub-common
 [ - ]  hwclock.sh
 [ - ]  irqbalance
 [ + ]  isc-dhcp-server
 [ + ]  iscsid
 [ - ]  keyboard-setup.sh
 [ + ]  kmod
 [ - ]  lvm2
 [ + ]  lvm2-lvmetad
 [ + ]  lvm2-lvmpolld
 [ + ]  lxcfs
 [ - ]  lxd
 [ - ]  mdadm
 [ - ]  mdadm-waitidle
 [ - ]  nmbd
 [ - ]  open-iscsi
 [ + ]  open-vm-tools
 [ - ]  plymouth
 [ - ]  plymouth-log
 [ + ]  procps
 [ - ]  rsync
 [ + ]  rsyslog
 [ + ]  samba-ad-dc
 [ - ]  screen-cleanup
 [ - ]  smbd
 [ + ]  ssh
 [ + ]  udev
 [ + ]  ufw
 [ + ]  unattended-upgrades
 [ - ]  uuidd


server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, mapiproxy

Any ideas?


Regards,

Praveen Ghimire









Re: Samba 4 AD issues with RPC

Samba - General mailing list
On Wed, 6 Dec 2017 04:55:03 +0000
Praveen Ghimire <[hidden email]> wrote:

> Hi Rowland,
>
> Sorry, migration using BIND9_DLZ gives the same result
>
> Not sure if the following from the migration is of a concern
>
> Could not add posix attrs for AD entry for
> sid=S-1-5-21-3936576374-1604348213-1812465911-3034, ((21, 'Element
> loginShell has empty attribute in ldb message ()!'))

You need to find out why 'loginshell' is empty for the users the
upgrade is complaining about.



>         dcerpc endpoint servers = +mapiproxy

Why have you got this line in your smb.conf ?
Are you attempting to run openchange with Samba ?

Rowland


Re: Samba 4 AD issues with RPC

Samba - General mailing list
On Wed, 6 Dec 2017 09:46:56 +0000
Praveen Ghimire <[hidden email]> wrote:

> Hi Rowland,
>
> Will check the first one, that shouldn’t cause the RPC issues though
> right?
>
> Not planning to run openchange with Samba, added to see if it fixes
> the issue with RPC.
>
> Would the error be generated by something in the system or could be
> an issue with DNS?
>

It could be DNS related: does the /etc/resolv.conf on the DC point to
itself as the nameserver, and are your clients using the DC as their
nameserver?

Rowland


Re: Samba 4 AD issues with RPC

Samba - General mailing list
Hi,
Would the Windows 2008/2012 server be looking for a particular DNS record during DCPROMO?

Both the Samba and Windows box are on the same vlan/host/subnet. The UFW has been disabled. Stupid question, do I need to install any RPC package in the Samba box?

Would disabling Bind9 using dnsupdate and dns in server roles help? The only issue I see with that is the SRV records will disappear and Windows might complain about SRV records? Maybe going to DLZ might help?


Regards,

Praveen






Regards,

Praveen Ghimire



Re: Samba 4 AD issues with RPC

Samba - General mailing list
I think it is working now; I had to start from scratch and install Winbind, as one of the comments in an old post suggested that winbind is required. One question answered, more have come up:

- I noticed that my test Windows box had its name changed, with .local (realm name) appended at the end. Is that supposed to happen? That said, there was no issue logging in with the same creds
- I had read that version 4.7 onwards of Samba auto creates the SRV records for the domain (realm) post/during migration; that didn’t happen. Was the dcpromo not working due to missing SRV records for the realm? I manually added a new zone file for the realm and it seems to go through
- Once the domain is migrated does it use the krb5.conf in the /etc or does it use the krb5.conf in /lib/samba/?

Regards,

Praveen




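A pre-flight check for the two causes the thread circles around (SRV records for the realm that a Windows join/DCPROMO looks up, and whether the DC's /etc/resolv.conf points at itself, as Rowland asks), written as an added example that is not code from the thread or from the Samba project. It assumes the `host` tool (dnsutils) and GNU `hostname -I` are installed on the DC, and takes the realm and the DC's hostname as arguments.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: DNS pre-flight checks to run
# on the Samba AD DC before promoting a Windows server. Assumes `host` (dnsutils)
# and GNU `hostname -I` are available; realm and DC name come from the arguments.

# SRV names a Windows client walks during join/promotion for a given realm.
ad_srv_names() {
    realm="$1"
    printf '%s\n' \
        "_ldap._tcp.$realm" \
        "_kerberos._tcp.$realm" \
        "_kerberos._udp.$realm" \
        "_kpasswd._tcp.$realm" \
        "_ldap._tcp.dc._msdcs.$realm" \
        "_ldap._tcp.pdc._msdcs.$realm" \
        "_ldap._tcp.gc._msdcs.$realm"
}

# Read `host -t SRV` output on stdin and print only the target hostnames without
# the trailing dot, e.g. "_ldap._tcp.test.local has SRV record 0 100 389 testdc.test.local."
# NXDOMAIN / "not found" lines print nothing, so an empty result means "missing".
srv_targets() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }'
}

# Return 0 if every nameserver line in the given resolv.conf file is one of
# the allowed addresses (arguments after the file) and at least one exists.
resolv_points_to() {
    file="$1"; shift
    seen=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$file"); do
        match=0
        for ip in "$@"; do
            if [ "$ns" = "$ip" ]; then match=1; fi
        done
        if [ "$match" -eq 0 ]; then return 1; fi
        seen=1
    done
    [ "$seen" -eq 1 ]
}

# Live checks against the running resolver; exit status 1 if anything is off.
run_checks() {
    realm="$1"; dc="$2"; status=0
    for name in $(ad_srv_names "$realm"); do
        out=$(host -t SRV "$name." 2>&1) || true
        targets=$(printf '%s\n' "$out" | srv_targets | tr '\n' ' ')
        if [ -z "$targets" ]; then
            echo "MISSING  $name"; status=1
        else
            echo "OK       $name -> $targets"
        fi
    done
    if host -t A "$dc.$realm." >/dev/null 2>&1; then
        echo "OK       A record for $dc.$realm"
    else
        echo "MISSING  A record for $dc.$realm"; status=1
    fi
    if resolv_points_to /etc/resolv.conf $(hostname -I 2>/dev/null); then
        echo "OK       /etc/resolv.conf points at this DC"
    else
        echo "WARN     /etc/resolv.conf does not point only at this DC"; status=1
    fi
    return "$status"
}

# Usage: sh ad-dns-preflight.sh test.local testdc   (nothing runs without args)
if [ "$#" -ge 2 ]; then run_checks "$1" "$2"; fi
```

A MISSING line for any `_msdcs` or `_kerberos` name is the kind of gap that shows up on the Windows side only as "The RPC server is unavailable", so run this before reaching for RPC settings in smb.conf.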