Samba ADS-member-server: FQDNs in /etc/hosts

Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list

(new thread, same migration project)

I see GPOs applied, but network drives sometimes mapped, sometimes not.

Found something around hardened UNC paths, applied some GPO, dunno if
that is necessary or helps (I still have to check where to apply that
GPO, computer or user ...).

While debugging that I find in log.smbd on the member server:

[2017/07/10 11:22:20.290018,  1] ../source3/lib/util.c:1974(name_to_fqdn)
  WARNING: your /etc/hosts file may be broken!
      Full qualified domain names (FQDNs) should not be specified
      as an alias in /etc/hosts. FQDN should be the first name
      prior to any aliases.
[2017/07/10 11:23:15.561739,  1] ../source3/lib/util.c:1974(name_to_fqdn)
  WARNING: your /etc/hosts file may be broken!
      Full qualified domain names (FQDNs) should not be specified
      as an alias in /etc/hosts. FQDN should be the first name
      prior to any aliases.
[2017/07/10 11:23:15.602520,  1]
../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2940660672-4062535256-4144655499-1031 -> getpwuid(11031)
failed
[2017/07/10 11:23:15.602534,  1]
../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)


Yes, I have FQDNs in /etc/hosts and I *really* hesitate to edit these
right now when so far most things work.

I paste my /etc/hosts and ask for hints.

pre01svdeb01 = member server
pre01svbmd01 = a windows server (member)
pre01svdeb02 = samba ADS DC, not even listed here (192.168.16.205)

->

127.0.0.1       localhost
127.0.1.1       pre01svdeb01.my.tld     pre01svdeb01

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

192.168.16.111 ipfire.my.tld ipfire
192.168.16.203 backup backup.my.tld dc.my.tld dc
192.168.16.226 server-bmd.my.tld server-bmd

192.168.16.230  pre01svbmd01

Step 2: understood and fixed something:

dc-entry was wrong!

krb5.conf points to dc.my.tld ... was wrong IP.

fixed

Now I can look up that mentioned SID from both servers. Good, right?

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list
On Mon, 10 Jul 2017 11:45:31 +0200
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

>
> (new thread, same migration project)
>
> I see GPOs applied, but network drives sometimes mapped, sometimes
> not.
>
> Found something around hardened UNC paths, applied some GPO, dunno if
> that is necessary or helps (I still have to check where to apply that
> GPO, computer or user ...).
>
> While debugging that I find in log.smbd on the member server:
>
> [2017/07/10 11:22:20.290018,
> 1] ../source3/lib/util.c:1974(name_to_fqdn) WARNING: your /etc/hosts
> file may be broken! Full qualified domain names (FQDNs) should not be
> specified as an alias in /etc/hosts. FQDN should be the first name
>       prior to any aliases.
> [2017/07/10 11:23:15.561739,
> 1] ../source3/lib/util.c:1974(name_to_fqdn) WARNING: your /etc/hosts
> file may be broken! Full qualified domain names (FQDNs) should not be
> specified as an alias in /etc/hosts. FQDN should be the first name
>       prior to any aliases.
> [2017/07/10 11:23:15.602520,  1]
> ../source3/auth/token_util.c:430(add_local_groups)
>   SID S-1-5-21-2940660672-4062535256-4144655499-1031 ->
> getpwuid(11031) failed
> [2017/07/10 11:23:15.602534,  1]
> ../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
>   Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
>
>
> Yes, I have FQDNs in /etc/hosts and I *really* hesitate to edit these
> right now when so far most of things work.
>
> I paste my /etc/hosts and ask for hints.
>
> pre01svdeb01 = member server
> pre01svbmd01 = a windows server (member)
> pre01svdeb02 = samba ADS DC, not even listed here (192.168.16.205)
>
> ->
>
> 127.0.0.1       localhost
> 127.0.1.1       pre01svdeb01.my.tld     pre01svdeb01
>
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 192.168.16.111 ipfire.my.tld ipfire
> 192.168.16.203 backup backup.my.tld dc.my.tld dc
> 192.168.16.226 server-bmd.my.tld server-bmd
>
> 192.168.16.230  pre01svbmd01

I would change /etc/hosts to this:

127.0.0.1       localhost
127.0.1.1       pre01svdeb01.my.tld     pre01svdeb01

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

But replace '127.0.0.1' with the real IP address of pre01svdeb01.my.tld
if it has a fixed IP; if it hasn't, you can remove the entire line.
You don't need anything else; the DNS provided by your AD DC should
provide everything else.

>
> Step2: understood and fixed something:
>
> dc-entry was wrong!
>
> krb5.conf points to dc.my.tld ... was wrong IP.
>
> fixed

Probably not; /etc/krb5.conf should only contain something like this:

[libdefaults]
    default_realm = MY.TLD
    dns_lookup_realm = false
    dns_lookup_kdc = true

Rowland
>
> Now I can look up that mentioned SID from both servers. Good, right?
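An added example (not from the thread and not Samba's code) that applies the rule stated in the log warning above to a hosts file: the first name after an address is the canonical name getaddrinfo() hands back, so whenever a line carries an FQDN, the FQDN has to be that first name. The sample file is constructed from the one posted above; the line `192.168.16.203 backup backup.my.tld dc.my.tld dc` is the one it flags.

```python
"""Check /etc/hosts for the layout behind Samba's
"WARNING: your /etc/hosts file may be broken!" message.

Added example, not Samba's code. It checks the rule the warning states:
when a line carries a fully qualified name, that name must be the first
(canonical) name after the address, because getaddrinfo(AI_CANONNAME)
returns the first name and Samba derives its own FQDN from it.
"""
import ipaddress
from typing import Dict, Iterator, List, NamedTuple, Tuple


class Finding(NamedTuple):
    lineno: int
    address: str
    message: str


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (lineno, address, names) per entry; comments and blanks are skipped."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        fields = entry.split()
        yield lineno, fields[0], fields[1:]


def fix_names(names: List[str]) -> List[str]:
    """Return the name list with the first FQDN moved to the canonical position."""
    for i, name in enumerate(names):
        if "." in name:
            return [name] + names[:i] + names[i + 1:]
    return list(names)


def check_hosts(text: str) -> List[Finding]:
    """Return findings for a hosts file; an empty list means no layout problems."""
    findings: List[Finding] = []
    # (address family, lowercased name) -> address the name was first seen with
    seen: Dict[Tuple[int, str], str] = {}

    for lineno, address, names in parse_hosts(text):
        try:
            family = ipaddress.ip_address(address).version
        except ValueError:
            findings.append(Finding(lineno, address, "first field is not an IP address"))
            continue
        if not names:
            findings.append(Finding(lineno, address, "address has no hostname"))
            continue

        canonical = names[0]
        fqdns = [n for n in names if "." in n]

        # The layout the Samba warning describes: the canonical name is a
        # short name while an FQDN sits among the aliases.
        if "." not in canonical and fqdns:
            findings.append(Finding(
                lineno, address,
                f"FQDN {fqdns[0]} is an alias of short canonical name {canonical}; "
                f"reorder to: {address} {' '.join(fix_names(names))}"))

        # Two FQDNs on one line cannot both be canonical; only the first is
        # ever returned as the canonical name, the other is a plain alias.
        if len(fqdns) > 1:
            findings.append(Finding(
                lineno, address,
                f"several FQDNs on one line ({', '.join(fqdns)}); give each host its own line"))

        # The same name on two addresses of the same family makes resolution
        # order-dependent (localhost on both 127.0.0.1 and ::1 is fine).
        for name in names:
            first = seen.setdefault((family, name.lower()), address)
            if first != address:
                findings.append(Finding(lineno, address, f"{name} already maps to {first}"))
    return findings


# Constructed sample, modelled on the hosts file posted in the thread.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.1.1       pre01svdeb01.my.tld     pre01svdeb01

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

192.168.16.111 ipfire.my.tld ipfire
192.168.16.203 backup backup.my.tld dc.my.tld dc
192.168.16.226 server-bmd.my.tld server-bmd

192.168.16.230  pre01svbmd01
"""

if __name__ == "__main__":
    for f in check_hosts(SAMPLE_HOSTS):
        print(f"line {f.lineno} ({f.address}): {f.message}")
```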

Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list
On 2017-07-10 at 12:08, Rowland Penny via samba wrote:

> I would change /etc/hosts to this:
>
> 127.0.0.1       localhost
> 127.0.1.1       pre01svdeb01.my.tld     pre01svdeb01
>
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> But replace '127.0.0.1' with the real ipaddress of pre01svdeb01.my.tld
> if it has a fixed IP, if it hasn't, you can remove the entire line.
> You don't need anything else, the DNS provided by your AD DC should
> provide everything else.

Thanks, I consider doing so after work hours ... right now I am quite
happy that they all can work so far.

> Probably not, /etc/krb5.conf should only contain something like this:
>
> [libdefaults]
>     default_realm = MY.TLD
>     dns_lookup_realm = false
>     dns_lookup_kdc = true

Yes, sure, understand.

Seems that the [realms] clause slipped in as I installed some krb5 package.

btw: the list of packages to be installed on Debian might be worth
documenting. It was a bit of trial and error for me to get all the
needed krb5 stuff onto that machine. ( krb5-config krb5-locales
libkrb5-3 libpam-krb5 krb5-user ... )


And what does this tell me, please:

[2017/07/10 13:07:48.593400,  1]
../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2940660672-4062535256-4144655499-1008 -> getpwuid(11008)
failed
[2017/07/10 13:07:48.593415,  1]
../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)

?


Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list
On 2017-07-10 at 11:45, Stefan G. Weichinger via samba wrote:

> Now I can look up that mentioned SID from both servers. Good, right?

Should that query return instantly on the domain member as well?
Takes a few seconds here, 6 to be detailed.

(rm-ed [realms] in krb5.conf already)




Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list
On 2017-07-10 at 13:08, Stefan G. Weichinger via samba wrote:

> And what does this tell me, please:
>
> [2017/07/10 13:07:48.593400,  1]
> ../source3/auth/token_util.c:430(add_local_groups)
>   SID S-1-5-21-2940660672-4062535256-4144655499-1008 -> getpwuid(11008)
> failed
> [2017/07/10 13:07:48.593415,  1]
> ../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
>   Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)

I get this all over and can't connect from systems that worked yesterday.

pls advise



Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list
On 2017-07-11 at 09:04, Stefan G. Weichinger via samba wrote:

> On 2017-07-10 at 13:08, Stefan G. Weichinger via samba wrote:
>
>> And what does this tell me, please:
>>
>> [2017/07/10 13:07:48.593400,  1]
>> ../source3/auth/token_util.c:430(add_local_groups)
>>   SID S-1-5-21-2940660672-4062535256-4144655499-1008 -> getpwuid(11008)
>> failed
>> [2017/07/10 13:07:48.593415,  1]
>> ../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
>>   Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
>
> I get this all over and can't connect from systems that worked yesterday.
>
> pls advise

more logs:

[2017/07/11 09:11:00.926522,  1] ../source3/lib/util.c:1960(name_to_fqdn)
  getaddrinfo: Zu diesem Hostnamen gehört keine Adresse
[2017/07/11 09:11:01.012504,  1] ../source3/lib/util.c:1960(name_to_fqdn)
  getaddrinfo: Zu diesem Hostnamen gehört keine Adresse
[2017/07/11 09:11:01.061100,  1] ../source3/lib/util.c:1960(name_to_fqdn)
  getaddrinfo: Zu diesem Hostnamen gehört keine Adresse
[2017/07/11 09:11:01.102653,  2]
../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[homes]"
[2017/07/11 09:11:01.102711,  2]
../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[daten]"
[2017/07/11 09:11:01.102784,  2]
../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[scan_og]"
[2017/07/11 09:11:01.102870,  2]
../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[daten_archiv]"
[2017/07/11 09:11:01.102917,  2]
../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[software]"
[2017/07/11 09:11:01.102953,  2]
../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[teamviewer]"
[2017/07/11 09:11:01.102994,  2]
../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[Klinger]"
[2017/07/11 09:11:01.103320,  1]
../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2940660672-4062535256-4144655499-1041 -> getpwuid(11041)
failed
[2017/07/11 09:11:01.103335,  1]
../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
[2017/07/11 09:11:01.178731,  1] ../source3/lib/util.c:1960(name_to_fqdn)
  getaddrinfo: Zu diesem Hostnamen gehört keine Adresse
[2017/07/11 09:11:01.220711,  1] ../source3/lib/util.c:1960(name_to_fqdn)
  getaddrinfo: Zu diesem Hostnamen gehört keine Adresse
[2017/07/11 09:11:01.257794,  2]
../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[homes]"
[2017/07/11 09:11:01.257855,  2]
../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[daten]"
[2017/07/11 09:11:01.257947,  2]
../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[scan_og]"
[2017/07/11 09:11:01.258046,  2]
../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[daten_archiv]"
[2017/07/11 09:11:01.258095,  2]
../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[software]"
[2017/07/11 09:11:01.258144,  2]
../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[teamviewer]"
[2017/07/11 09:11:01.258172,  2]
../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[Klinger]"
[2017/07/11 09:11:01.258524,  1]
../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2940660672-4062535256-4144655499-1041 -> getpwuid(11041)
failed
[2017/07/11 09:11:01.258539,  1]
../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
[2017/07/11 09:11:01.301422,  1] ../source3/lib/util.c:1960(name_to_fqdn)
  getaddrinfo: Zu diesem Hostnamen gehört keine Adresse


if I run "net use" on a client, I am asked for user/pw and that fails as
well.

Some kerberos issue?





Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list

And the DC says:


[2017/07/11 09:27:08.050367,  2]
../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user
[BUERO\kern] FAILED with error NT_STATUS_WRONG_PASSWORD
[2017/07/11 09:27:08.057801,  2]
../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user
[BUERO\kern] FAILED with error NT_STATUS_WRONG_PASSWORD
[2017/07/11 09:27:08.065377,  2]
../source4/auth/ntlm/auth.c:430(auth_check_password_recv)


And DNS stuff:


[2017/07/11 09:31:17.790046,  2]
../source4/dns_server/dns_query.c:1019(dns_server_process_query_send)
  Not authoritative for 'SERVER', forwarding
[2017/07/11 09:31:17.826966,  2]
../source4/dns_server/dns_query.c:1019(dns_server_process_query_send)
  Not authoritative for 'SERVER', forwarding


Note: the old netbios name of the DM server is "SERVER", and that is
what all the users use in their UNC paths.

For some it works, for others not.

I checked /etc/resolv.conf on DC and DM:

nameserver 192.168.16.205 # IP of DC
domain my.tld

# nmblookup SERVER
added interface eth0 ip=192.168.16.202 bcast=192.168.16.255
netmask=255.255.255.0
Got a positive name query response from 192.168.16.202 ( 192.168.16.202 )
192.168.16.202 SERVER<00>

= OK






Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list
On 2017-07-11 at 09:34, Stefan G. Weichinger via samba wrote:

> [2017/07/11 09:31:17.790046,  2]
> ../source4/dns_server/dns_query.c:1019(dns_server_process_query_send)
>   Not authoritative for 'SERVER', forwarding
> [2017/07/11 09:31:17.826966,  2]
> ../source4/dns_server/dns_query.c:1019(dns_server_process_query_send)
>   Not authoritative for 'SERVER', forwarding
>
> Note: the old netbios name of the DM server is "SERVER", and that is
> what all the users use in their UNC paths.
>
> For some it works, for others not.
>
> I checked /etc/resolv.conf on DC and DM:
>
> nameserver 192.168.16.205 # IP of DC
> domain my.tld

is it

search my.tld

or

domain my.tld

?

Should "dig server" work on both DC and DM, right?
It does not right now.

There was no A-record for it (anymore?), created it, no change so far.


Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list

[2017/07/11 10:28:51.553290,  3]
../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [mueller] succeeded
[2017/07/11 10:28:51.553324,  2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [mueller] -> [mueller]
-> [mueller] succeeded
[2017/07/11 10:28:51.553493,  1]
../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2940660672-4062535256-4144655499-1029 -> getpwuid(11029)
failed
[2017/07/11 10:28:51.553518,  3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2017/07/11 10:28:51.553552,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/07/11 10:28:51.553562,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2017/07/11 10:28:51.553601,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/07/11 10:28:51.553611,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2017/07/11 10:28:51.553782,  1]
../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2940660672-4062535256-4144655499-1029 -> getpwuid(11029)
failed
[2017/07/11 10:28:51.553808,  3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2017/07/11 10:28:51.553818,  1]
../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session
setup: NT_STATUS_UNSUCCESSFUL
[2017/07/11 10:28:51.553864,  3]
../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(293) cmd=115
(SMBsesssetupX) NT_STATUS_UNSUCCESSFUL
[2017/07/11 10:28:51.554117,  3]
../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (failed to receive smb request)



---


getpwuid(11029) fails, local group 11029 does not exist.

the SID looks like:

# net ads sid S-1-5-21-2940660672-4062535256-4144655499-1029
Got 1 replies

cn: mueller
instanceType: 4
whenCreated: 20170524093910.0Z
uSNCreated: 4231
name: mueller
objectGUID: ddbb9928-167d-4cfb-a667-ef4a24600fef
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
primaryGroupID: 513
objectSid: S-1-5-21-2940660672-4062535256-4144655499-1029
sAMAccountName: mueller
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=secret,DC=at
pwdLastSet: 130414131350000000
accountExpires: 137303967990000000
lastLogoff: 137303967990000000
userAccountControl: 512
uidNumber: 1070
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
unixHomeDirectory: /home/mueller
loginShell: /bin/bash
gidNumber: 1070
msSFU30NisDomain: buero
lastLogonTimestamp: 131439211510194450
whenChanged: 20170707171231.0Z
uSNChanged: 6300
memberOf: CN=Mitarbeiter,OU=secret-Benutzer,DC=secret,DC=at
lastLogon: 131442246304847030
logonCount: 14
distinguishedName: CN=mueller,OU=secret-Benutzer,DC=secret,DC=at


created a local group "rettung" with GID 11029 ... no change

I don't find that 11029 in the SID infos ...








Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list

found this:

Jul 11 10:44:02 pre01svdeb01 winbindd[21976]: [2017/07/11
10:44:02.336493,  0]
../source3/lib/util_tdb.c:497(tdb_chainlock_with_timeout_internal)
Jul 11 10:44:02 pre01svdeb01 winbindd[21976]:
tdb_chainlock_with_timeout_internal: alarm (40) timed out for key
dc.pilsbacher.at in tdb /var/run/samba/mutex.tdb
Jul 11 10:44:02 pre01svdeb01 winbindd[21976]: [2017/07/11
10:44:02.336658,  0]
../source3/winbindd/winbindd_cm.c:1023(cm_prepare_connection)
Jul 11 10:44:02 pre01svdeb01 winbindd[21976]: cm_prepare_connection:
mutex grab failed for dc.pilsbacher.at


restarting winbind didn't help

may/should I stop winbind, rm that file and restart?

This one sounds like:

https://bugzilla.samba.org/show_bug.cgi?id=11962

pls advise! I have customers waiting for their files ............


Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list
On Tue, 11 Jul 2017 10:21:37 +0200
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

> On 2017-07-11 at 09:34, Stefan G. Weichinger via samba wrote:
>
> > [2017/07/11 09:31:17.790046,  2]
> > ../source4/dns_server/dns_query.c:1019(dns_server_process_query_send)
> >   Not authoritative for 'SERVER', forwarding
> > [2017/07/11 09:31:17.826966,  2]
> > ../source4/dns_server/dns_query.c:1019(dns_server_process_query_send)
> >   Not authoritative for 'SERVER', forwarding
> >
> > Note: the old netbios name of the DM server is "SERVER", and that is
> > what all the users use in their UNC paths.
> >
> > For some it works, for others not.
> >
> > I checked /etc/resolv.conf on DC and DM:
> >
> > nameserver 192.168.16.205 # IP of DC
> > domain my.tld
>
> is it
>
> search my.tld
>
> or
>
> domain my.tld
>
> ?
>
> Should "dig server" work on both DC and DM, right?
> It does not right now.

dig 'shorthostname' works on my DC, but I have to use dig FQDN on a
Unix domain member

Rowland




Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list
On Tue, 11 Jul 2017 10:36:08 +0200
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

>
> [2017/07/11 10:28:51.553290,  3]
> ../source3/auth/auth.c:249(auth_check_ntlm_password)
>   check_ntlm_password: winbind authentication for user [mueller]
> succeeded [2017/07/11 10:28:51.553324,  2]
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>   check_ntlm_password:  authentication for user [mueller] -> [mueller]
> -> [mueller] succeeded
> [2017/07/11 10:28:51.553493,  1]
> ../source3/auth/token_util.c:430(add_local_groups)
>   SID S-1-5-21-2940660672-4062535256-4144655499-1029 ->
> getpwuid(11029) failed
> [2017/07/11 10:28:51.553518,  3]
> ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
>   Failed to finalize nt token
> [2017/07/11 10:28:51.553552,  3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2017/07/11 10:28:51.553562,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62088215
> [2017/07/11 10:28:51.553601,  3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2017/07/11 10:28:51.553611,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62088215
> [2017/07/11 10:28:51.553782,  1]
> ../source3/auth/token_util.c:430(add_local_groups)
>   SID S-1-5-21-2940660672-4062535256-4144655499-1029 ->
> getpwuid(11029) failed
> [2017/07/11 10:28:51.553808,  3]
> ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
>   Failed to finalize nt token
> [2017/07/11 10:28:51.553818,  1]
> ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
>   Failed to generate session_info (user and group token) for session
> setup: NT_STATUS_UNSUCCESSFUL
> [2017/07/11 10:28:51.553864,  3]
> ../source3/smbd/error.c:82(error_packet_set)
>   NT error packet at ../source3/smbd/sesssetup.c(293) cmd=115
> (SMBsesssetupX) NT_STATUS_UNSUCCESSFUL
> [2017/07/11 10:28:51.554117,  3]
> ../source3/smbd/server_exit.c:246(exit_server_common)
>   Server exit (failed to receive smb request)
>
>
>
> ---
>
>
> getpwuid(11029)  fails, local group 11029 does not exist.
>
> the SID looks like:# net ads sid
> S-1-5-21-2940660672-4062535256-4144655499-1029
> Got 1 replies
>
> cn: mueller
> instanceType: 4
> whenCreated: 20170524093910.0Z
> uSNCreated: 4231
> name: mueller
> objectGUID: ddbb9928-167d-4cfb-a667-ef4a24600fef
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-2940660672-4062535256-4144655499-1029
> sAMAccountName: mueller
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=secret,DC=at
> pwdLastSet: 130414131350000000
> accountExpires: 137303967990000000
> lastLogoff: 137303967990000000
> userAccountControl: 512
> uidNumber: 1070
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> unixHomeDirectory: /home/mueller
> loginShell: /bin/bash
> gidNumber: 1070
> msSFU30NisDomain: buero
> lastLogonTimestamp: 131439211510194450
> whenChanged: 20170707171231.0Z
> uSNChanged: 6300
> memberOf: CN=Mitarbeiter,OU=secret-Benutzer,DC=secret,DC=at
> lastLogon: 131442246304847030
> logonCount: 14
> distinguishedName: CN=mueller,OU=secret-Benutzer,DC=secret,DC=at
>
>
> created a local group "rettung" with GID 11029 ... no change

Remove this local Unix group; you cannot have a group (or a user) in AD
and /etc/group.

>
> I don't find that 11029 in the SID infos ...

Probably because '11029' isn't a 'RID', it will be a uidNumber.

Try running this on your DC:

ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub
"(&(objectclass=group)(gidnumber=11029))"

Rowland






Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list
On 2017-07-11 at 11:43, Rowland Penny wrote:

> On Tue, 11 Jul 2017 10:21:37 +0200
> "Stefan G. Weichinger via samba" <[hidden email]> wrote:
>
>> On 2017-07-11 at 09:34, Stefan G. Weichinger via samba wrote:
>>
>>> [2017/07/11 09:31:17.790046,  2]
>>> ../source4/dns_server/dns_query.c:1019(dns_server_process_query_send)
>>>   Not authoritative for 'SERVER', forwarding
>>> [2017/07/11 09:31:17.826966,  2]
>>> ../source4/dns_server/dns_query.c:1019(dns_server_process_query_send)
>>>   Not authoritative for 'SERVER', forwarding
>>>
>>> Note: the old netbios name of the DM server is "SERVER", and that is
>>> what all the users use in their UNC paths.
>>>
>>> For some it works, for others not.
>>>
>>> I checked /etc/resolv.conf on DC and DM:
>>>
>>> nameserver 192.168.16.205 # IP of DC
>>> domain my.tld
>>
>> is it
>>
>> search my.tld
>>
>> or
>>
>> domain my.tld
>>
>> ?
>>
>> Should "dig server" work on both DC and DM, right?
>> It does not right now.
>
> dig 'shorthostname' works on my DC, but I have to use dig FQDN on a
> Unix domain member


search
or
domain

?


// I set "guest OK" now and let the guy there connect the problematic PCs.

maybe relevant:

DC: debian 9, samba 4.6.5
DM: debian 8.8, samba 4.5.10


Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list
On 2017-07-11 at 11:57, Rowland Penny wrote:

> Remove this local Unix group, you cannot have a group (or a user) in AD
> and /etc/group

ok, done

> Probably because '11029' isn't a 'RID', it will be a uidNumber.
>
> Try running this on your DC:
>
> ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub
> "(&(objectclass=group)(gidnumber=11029))"


# Referral
ref: ldap://secret.at/CN=Configuration,DC=secret,DC=at

# Referral
ref: ldap://secret.at/DC=DomainDnsZones,DC=secret,DC=at

# Referral
ref: ldap://secret.at/DC=ForestDnsZones,DC=secret,DC=at

# returned 3 records
# 0 entries
# 3 referrals

so not there ....


Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list
On Tue, 11 Jul 2017 11:59:24 +0200
"Stefan G. Weichinger" <[hidden email]> wrote:

> On 2017-07-11 at 11:43, Rowland Penny wrote:
> > On Tue, 11 Jul 2017 10:21:37 +0200
> > "Stefan G. Weichinger via samba" <[hidden email]> wrote:
> >
> >> On 2017-07-11 at 09:34, Stefan G. Weichinger via samba wrote:
> >>
> >>> [2017/07/11 09:31:17.790046,  2]
> >>> ../source4/dns_server/dns_query.c:1019(dns_server_process_query_send)
> >>>   Not authoritative for 'SERVER', forwarding
> >>> [2017/07/11 09:31:17.826966,  2]
> >>> ../source4/dns_server/dns_query.c:1019(dns_server_process_query_send)
> >>>   Not authoritative for 'SERVER', forwarding
> >>>
> >>> Note: the old netbios name of the DM server is "SERVER", and that
> >>> is what all the users use in their UNC paths.
> >>>
> >>> For some it works, for others not.
> >>>
> >>> I checked /etc/resolv.conf on DC and DM:
> >>>
> >>> nameserver 192.168.16.205 # IP of DC
> >>> domain my.tld
> >>
> >> is it
> >>
> >> search my.tld
> >>
> >> or
> >>
> >> domain my.tld
> >>
> >> ?
> >>
> >> Should "dig server" work on both DC and DM, right?
> >> It does not right now.
> >
> > dig 'shorthostname' works on my DC, but I have to use dig FQDN on a
> > Unix domain member
>
>
> search
> or
> domain
>
> ?

I use 'search'

>
>
> // I set "guest OK" now and let the guy there connect the problematic
> PCs.
>
> maybe relevant:
>
> DC: debian 9, samba 4.6.5
> DM: debian 8.8, samba 4.5.10

One way to find out: upgrade the DM with Louis's 4.6.5 packages.

Rowland



Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list
On 2017-07-11 at 12:05, Rowland Penny wrote:

>>>> is it
>>>>
>>>> search my.tld
>>>>
>>>> or
>>>>
>>>> domain my.tld
>>>>
>>>> ?

> I use 'search'

thanks, me too

>> maybe relevant:
>>
>> DC: debian 9, samba 4.6.5
>> DM: debian 8.8, samba 4.5.10
>
> One way to find out, upgrade the DM with Louis's 4.6.5 packages

sure... I have ~10 users working right now and ~5 waiting to connect to
their shares ... not exactly the best point in time. Maybe when they
have lunch ...


Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list
On Tue, 11 Jul 2017 12:05:28 +0200
"Stefan G. Weichinger" <[hidden email]> wrote:

> On 2017-07-11 at 11:57, Rowland Penny wrote:
>
> > Remove this local Unix group, you cannot have a group (or a user)
> > in AD and /etc/group
>
> ok, done
>
> > Probably because '11029' isn't a 'RID', it will be a uidNumber.
> >
> > Try running this on your DC:
> >
> > ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub
> > "(&(objectclass=group)(gidnumber=11029))"
>
>
> # Referral
> ref: ldap://secret.at/CN=Configuration,DC=secret,DC=at
>
> # Referral
> ref: ldap://secret.at/DC=DomainDnsZones,DC=secret,DC=at
>
> # Referral
> ref: ldap://secret.at/DC=ForestDnsZones,DC=secret,DC=at
>
> # returned 3 records
> # 0 entries
> # 3 referrals
>
> so not there ....

Try running this:

ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub
"(&(objectclass=user)(uidnumber=11029))"

This will check if it is a user.

Can you post the smb.conf from the DM (and the DC)

Rowland


Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list
On 2017-07-11 at 12:16, Rowland Penny wrote:

> Try running this:
>
> ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub
> "(&(objectclass=user)(uidnumber=11029))"
>
> This will check if it is a user.

Did so, no entry returned.

--

plus: please note that yesterday all users could work normally ....

> Can you post the smb.conf from the DM (and the DC)

DC:

root@pre01svdeb02:~# cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = BUERO
        realm = secret.AT
        netbios name = DC
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        load printers = No
        printcap name = /dev/null
        log level = 2
        dns forwarder = 192.168.16.111

        # lph
        template shell = /bin/bash
        sdb:schema update allowed = no
        time server = yes
        usershare path =

[netlogon]
        path = /var/lib/samba/sysvol/secret.at/scripts
        read only = No
        acl_xattr:ignore system acls = Yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        acl_xattr:ignore system acls = Yes


----


DM:


root@pre01svdeb01:~# cat /etc/samba/smb.conf
# This file is managed remotely, all changes will be lost

[global]
workgroup = BUERO
realm = secret.AT
netbios name = SERVER

security = ADS
map to guest = Bad User
username map = /etc/samba/smbusers

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes

winbind trusted domains only = no
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes

winbind nss info = template
template shell = /usr/sbin/nologin

map untrusted to domain = Yes

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain BUERO
idmap config BUERO:backend = rid
idmap config BUERO:range = 10000-99999
idmap config BUERO:schema_mode = rfc2307

load printers = no
printing = bsd
printcap name = /dev/null

# turn off roaming profiles
logon path = ""
logon home = ""

#hosts allow = localhost 192.168.16. 172.32.99.

log level = 3

.... skipped shares, OK ?


thanks a lot ...


Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list
On Tue, 11 Jul 2017 12:22:36 +0200
"Stefan G. Weichinger" <[hidden email]> wrote:

> On 2017-07-11 at 12:16, Rowland Penny wrote:
>
> > Try running this:
> >
> > ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub
> > "(&(objectclass=user)(uidnumber=11029))"
> >
> > This will check if it is a user.
>
> Did so, no entry returned.
>
> --
>
> plus: please note that yesterday all users could work normally ....
>
> > Can you post the smb.conf from the DM (and the DC)
>
> DC:
>
> root@pre01svdeb02:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> workgroup = BUERO
> realm = secret.AT
> netbios name = DC
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> load printers = No
> printcap name = /dev/null
> log level = 2
> dns forwarder = 192.168.16.111
>
> # lph
> template shell = /bin/bash
> sdb:schema update allowed = no
> time server = yes
> usershare path =
>
> [netlogon]
> path = /var/lib/samba/sysvol/secret.at/scripts
> read only = No
> acl_xattr:ignore system acls = Yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> acl_xattr:ignore system acls = Yes
>
>
> ----
>
>
> DM:
>
>
> root@pre01svdeb01:~# cat /etc/samba/smb.conf
> # This file is managed remotely, all changes will be lost
>
> [global]
> workgroup = BUERO
> realm = secret.AT
> netbios name = SERVER
>
> security = ADS
> map to guest = Bad User
> username map = /etc/samba/smbusers
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> winbind trusted domains only = no
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
>
> winbind nss info = template
> template shell = /usr/sbin/nologin
>
> map untrusted to domain = Yes
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain BUERO
> idmap config BUERO:backend = rid
> idmap config BUERO:range = 10000-99999
> idmap config BUERO:schema_mode = rfc2307

Well, that explains where '11029' is coming from, you are using the
'rid' backend. The user's (or group's) ID will be calculated using this
formula:

ID = RID - BASE_RID + LOW_RANGE_ID

BASE_RID is by default '0', so it becomes:

ID = RID + LOW_RANGE_ID

So, in your case it becomes

11029 = 1029 + 10000

Of course, using the 'rid' backend means that you do not need to add
anything to AD and you do not need this line in smb.conf:

  idmap config BUERO:schema_mode = rfc2307

Or you could just change 'idmap config BUERO:backend = rid' to 'idmap
config BUERO:backend = ad' and use the rfc2307 attributes in AD.

Rowland


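The arithmetic Rowland describes above, worked out as a small stand-alone script. This is an added example, not Samba's own code and not something posted in this thread: it re-implements the 'rid' backend formula (ID = RID - BASE_RID + LOW_RANGE_ID) with the BUERO range from the posted smb.conf, so an admin can predict which Unix ID a SID will receive, which SIDs fall outside the range, and, in the reverse direction, which RID a uid seen in a log line belongs to. The domain SID, the function names and the sample SIDs are constructed for the example.

```python
# Added example: a re-implementation of the idmap 'rid' backend arithmetic
# described in the thread (ID = RID - BASE_RID + LOW_RANGE_ID).
# Not Samba code; the constants below are assumptions for the example.
from typing import Optional, Tuple

# idmap config BUERO:range = 10000-99999, as in the posted DM smb.conf.
BUERO_LOW, BUERO_HIGH = 10000, 99999
# Samba's default base_rid is 0, as Rowland notes.
BASE_RID = 0
# Constructed placeholder domain SID (the real one is not needed here).
BUERO_DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    domain, sep, rid = sid.rpartition("-")
    if not sep or not rid.isdigit():
        raise ValueError(f"not a SID with a RID: {sid!r}")
    return domain, int(rid)


def rid_to_unix_id(sid: str,
                   domain_sid: str = BUERO_DOMAIN_SID,
                   low: int = BUERO_LOW,
                   high: int = BUERO_HIGH,
                   base_rid: int = BASE_RID) -> Optional[int]:
    """Unix ID the 'rid' backend assigns to sid, or None if it cannot.

    None covers the two cases an admin meets in practice: the SID belongs
    to a different domain (this idmap block does not apply to it), or the
    computed ID falls outside the configured range.
    """
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return None
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        return None
    return unix_id


def unix_id_to_rid(unix_id: int,
                   low: int = BUERO_LOW,
                   high: int = BUERO_HIGH,
                   base_rid: int = BASE_RID) -> Optional[int]:
    """Reverse direction: the RID behind a uid/gid seen in a log line.

    Returns None when the ID is not in this domain's range (for example an
    ID from the '*' tdb range 2000-9999 in the posted config).
    """
    if not low <= unix_id <= high:
        return None
    return unix_id - low + base_rid


def map_sids(sids) -> dict:
    """Map a batch of SIDs; unmappable ones are reported as None."""
    return {sid: rid_to_unix_id(sid) for sid in sids}


if __name__ == "__main__":
    # Constructed sample SIDs: one normal user RID, one RID that overflows
    # the range, and one SID from a foreign domain.
    samples = [
        f"{BUERO_DOMAIN_SID}-1029",
        f"{BUERO_DOMAIN_SID}-90000",
        "S-1-5-21-999999999-888888888-777777777-1029",
    ]
    for sid, unix_id in map_sids(samples).items():
        print(f"{sid} -> {unix_id}")
    print(f"uid 11029 -> RID {unix_id_to_rid(11029)}")
```

The reverse function is the practical point of the exchange: with the 'rid' backend the number 11029 is computed, not stored in AD, so an ldbsearch for uidnumber=11029 finds nothing, whereas the RID 1029 it corresponds to is what identifies the account.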

Re: Samba ADS-member-server: FQDNs in /etc/hosts

Samba - General mailing list
On 2017-07-11 at 12:51, Rowland Penny wrote:

> Well, that explains where '11029' is coming from, you are using the
> 'rid' backend. The users (or group) ID will be calculated using this
> formula:
>
> ID = RID - BASE_RID + LOW_RANGE_ID
>
> BASE_RID is by default '0', so it becomes:
>
> ID = RID + LOW_RANGE_ID
>
> So, in your case it becomes
>
> 11029 = 1029 + 10000

wow

Does that explain in some way why some users work and others not?
And why that worked yesterday?

> Of course, using the 'rid' backend means that you do not need to add
> anything to AD and you do not need this line in smb.conf:
>
>   idmap config BUERO:schema_mode = rfc2307
>
> Or you could just change 'idmap config BUERO:backend = rid' to 'idmap
> config BUERO:backend = ad' and use the rfc2307 attributes in AD.

I would prefer not to have to decide this. You understand? ;-)

What's the recommendation here? I don't have a clue, I would just like
to be able to change this to a working config without doing damage to
active sessions, if possible. This is a productive environment right now.

To me it sounds preferable to have everything in AD, right? At least
that is what I expect from having all that: all in one place somehow

-

Can't remember exactly where rid comes from, I think it was a
recommendation by Louis for my test VM (which then was migrated to this DC).

Please also advise if there are any additional steps needed for any of
these solutions. I always feel unsure whether or not to add some ids and
mappings somewhere ....

Thanks a lot, Stefan
