On 28/03/2023 16:24, Gary Dale via samba wrote:
> On 2023-03-28 04:13, Rowland Penny via samba wrote:
>>
>>
>> On 27/03/2023 23:55, Gary Dale via samba wrote:
>>> My Samba setup was working until several months ago. I didn't do
>>> anything to it that I can recall but it stopped letting my Windows
>>> VMs connect. When I use smbclient to try to connect, I get session
>>> setup failed: NT_STATUS_NO_LOGON_SERVERS
>>>
>>> My Internet searches have revealed that this is a common and
>>> long-standing issue: frequently reported but I've had no luck finding
>>> anyone posting a solution.
>>>
>>> I'm running Debian/Bullseye on an AMD64 machine. This is also an NFS
>>> server as that's how I connect from my various Linux devices. I only
>>> discovered the issue when I tried to install a piece of software on a
>>> Windows 10 VM. I have no problem logging into the VMs using domain
>>> accounts.
>>>
>>> I've verified that it also affects a Windows 7 VM so it's not a problem
>>> with the VM. That led me to trying to debug the server. The Samba DC
>>> wiki suggests trying smbclient //localhost/netlogon -UAdministrator
>>> -c 'ls', which throws the error.
>>>
>>> Interestingly smbclient -L localhost -U% works:
>>> # smbclient -L localhost -U%
>>>
>>>         Sharename       Type      Comment
>>>         ---------       ----      -------
>>>         netlogon        Disk      Network Logon Service
>>>         sysvol          Disk
>>>         shares          Disk
>>>         archives        Disk
>>>         communications  Disk
>>>         office          Disk
>>>         graphics        Disk
>>>         hardware        Disk
>>>         install         Disk
>>>         media$          Disk
>>>         system          Disk
>>>         tools           Disk
>>>         utility         Disk
>>>         webpages$       Disk
>>>         develop         Disk
>>>         backup          Disk
>>>         IPC$            IPC       IPC Service (Samba 4.13.13-Debian)
>>> SMB1 disabled -- no workgroup available
>>>
>>> Can anyone offer any advice on what may be the problem?
>>>
>>> Below is the output with debug information turned up.
>>>
>>> smbclient -d=5 //localhost/netlogon -U Administrator
>>> INFO: Current debug levels:
>>>   all: 5
>>>   tdb: 5
>>>   printdrivers: 5
>>>   lanman: 5
>>>   smb: 5
>>>   rpc_parse: 5
>>>   rpc_srv: 5
>>>   rpc_cli: 5
>>>   passdb: 5
>>>   sam: 5
>>>   auth: 5
>>>   winbind: 5
>>>   vfs: 5
>>>   idmap: 5
>>>   quota: 5
>>>   acls: 5
>>>   locking: 5
>>>   msdfs: 5
>>>   dmapi: 5
>>>   registry: 5
>>>   scavenger: 5
>>>   dns: 5
>>>   ldb: 5
>>>   tevent: 5
>>>   auth_audit: 5
>>>   auth_json_audit: 5
>>>   kerberos: 5
>>>   drs_repl: 5
>>>   smb2: 5
>>>   smb2_credits: 5
>>>   dsdb_audit: 5
>>>   dsdb_json_audit: 5
>>>   dsdb_password_audit: 5
>>>   dsdb_password_json_audit: 5
>>>   dsdb_transaction_audit: 5
>>>   dsdb_transaction_json_audit: 5
>>>   dsdb_group_audit: 5
>>>   dsdb_group_json_audit: 5
>>> lp_load_ex: refreshing parameters
>>> Initialising global parameters
>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>>> (16384)
>>> INFO: Current debug levels:
>>>   all: 5
>>>   tdb: 5
>>>   printdrivers: 5
>>>   lanman: 5
>>>   smb: 5
>>>   rpc_parse: 5
>>>   rpc_srv: 5
>>>   rpc_cli: 5
>>>   passdb: 5
>>>   sam: 5
>>>   auth: 5
>>>   winbind: 5
>>>   vfs: 5
>>>   idmap: 5
>>>   quota: 5
>>>   acls: 5
>>>   locking: 5
>>>   msdfs: 5
>>>   dmapi: 5
>>>   registry: 5
>>>   scavenger: 5
>>>   dns: 5
>>>   ldb: 5
>>>   tevent: 5
>>>   auth_audit: 5
>>>   auth_json_audit: 5
>>>   kerberos: 5
>>>   drs_repl: 5
>>>   smb2: 5
>>>   smb2_credits: 5
>>>   dsdb_audit: 5
>>>   dsdb_json_audit: 5
>>>   dsdb_password_audit: 5
>>>   dsdb_password_json_audit: 5
>>>   dsdb_transaction_audit: 5
>>>   dsdb_transaction_json_audit: 5
>>>   dsdb_group_audit: 5
>>>   dsdb_group_json_audit: 5
>>> Processing section "[global]"
>>> doing parameter netbios name = THELIBRARIAN
>>> doing parameter realm = RAHIM-DALE.ORG
>>> doing parameter workgroup = RAHIM-DALE
>>> doing parameter security = ADS
>>> doing parameter dns forwarder = 8.8.8.8
>>> doing parameter server role = active directory domain controller
>>> doing parameter idmap_ldb:use rfc2307 = yes
>>> doing parameter allow dns updates = nonsecure
>>> doing parameter server role check:inhibit = yes
>>> doing parameter ntlm auth = yes
>>> doing parameter winbind enum users = yes
>>> doing parameter winbind enum groups = yes
>>> doing parameter log file = /var/log/samba/%m.log
>>> doing parameter log level = 1
>>> doing parameter idmap config * : backend = tdb
>>> doing parameter idmap config * : range = 3000-7999
>>> doing parameter idmap config RAHIM-DALE:backend = ad
>>> doing parameter idmap config RAHIM-DALE:schema_mode = rfc2307
>>> doing parameter idmap config RAHIM-DALE:range = 100000-999999
>>> doing parameter idmap config RAHIM-DALE:unix_nss_info = yes
>>> doing parameter vfs objects = dfs_samba4 acl_xattr recycle
>>> doing parameter map acl inherit = yes
>>> doing parameter store dos attributes = yes
>>> doing parameter template shell = /bin/bash
>>> doing parameter template homedir = /home/%U
>>> doing parameter username map = /etc/samba/user.map
>>> pm_process() returned Yes
>>> added interface br0 ip=192.168.1.14 bcast=192.168.1.255
>>> netmask=255.255.255.0
>>> Netbios name list:-
>>> my_netbios_names[0]="THELIBRARIAN"
>>> Client started (version 4.13.13-Debian).
>>> Opening cache file at /run/samba/gencache.tdb
>>> sitename_fetch: No stored sitename for realm 'RAHIM-DALE.ORG'
>>> name localhost#20 found.
>>> Connecting to 127.0.0.1 at port 445
>>> Socket options:
>>>         SO_KEEPALIVE = 0
>>>         SO_REUSEADDR = 0
>>>         SO_BROADCAST = 0
>>>         TCP_NODELAY = 1
>>>         TCP_KEEPCNT = 9
>>>         TCP_KEEPIDLE = 7200
>>>         TCP_KEEPINTVL = 75
>>>         IPTOS_LOWDELAY = 0
>>>         IPTOS_THROUGHPUT = 0
>>>         SO_REUSEPORT = 0
>>>         SO_SNDBUF = 2626560
>>>         SO_RCVBUF = 131072
>>>         SO_SNDLOWAT = 1
>>>         SO_RCVLOWAT = 1
>>>         SO_SNDTIMEO = 0
>>>         SO_RCVTIMEO = 0
>>>         TCP_QUICKACK = 1
>>>         TCP_DEFER_ACCEPT = 0
>>>         TCP_USER_TIMEOUT = 0
>>> session request ok
>>> negotiated dialect[SMB3_11] against server[localhost]
>>> Enter RAHIM-DALE\Administrator's password:
>>> cli_session_setup_spnego_send: Connect to localhost as
>>> Administrator at RAHIM-DALE.ORG using SPNEGO
>>> GENSEC backend 'gssapi_spnego' registered
>>> GENSEC backend 'gssapi_krb5' registered
>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>> GENSEC backend 'spnego' registered
>>> GENSEC backend 'schannel' registered
>>> GENSEC backend 'naclrpc_as_system' registered
>>> GENSEC backend 'sasl-EXTERNAL' registered
>>> GENSEC backend 'ntlmssp' registered
>>> GENSEC backend 'ntlmssp_resume_ccache' registered
>>> GENSEC backend 'http_basic' registered
>>> GENSEC backend 'http_ntlm' registered
>>> GENSEC backend 'http_negotiate' registered
>>> GENSEC backend 'krb5' registered
>>> GENSEC backend 'fake_gssapi_krb5' registered
>>> Starting GENSEC mechanism spnego
>>> Starting GENSEC submechanism gse_krb5
>>> GSE to 'localhost' does not make sense
>>> Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
>>> Starting GENSEC submechanism ntlmssp
>>> Got challenge flags:
>>> Got NTLMSSP neg_flags=0x62898215
>>>   NTLMSSP_NEGOTIATE_UNICODE
>>>   NTLMSSP_REQUEST_TARGET
>>>   NTLMSSP_NEGOTIATE_SIGN
>>>   NTLMSSP_NEGOTIATE_NTLM
>>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>   NTLMSSP_TARGET_TYPE_DOMAIN
>>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>>   NTLMSSP_NEGOTIATE_TARGET_INFO
>>>   NTLMSSP_NEGOTIATE_VERSION
>>>   NTLMSSP_NEGOTIATE_128
>>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>>> NTLMSSP: Set final flags:
>>> Got NTLMSSP neg_flags=0x62088215
>>>   NTLMSSP_NEGOTIATE_UNICODE
>>>   NTLMSSP_REQUEST_TARGET
>>>   NTLMSSP_NEGOTIATE_SIGN
>>>   NTLMSSP_NEGOTIATE_NTLM
>>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>>   NTLMSSP_NEGOTIATE_VERSION
>>>   NTLMSSP_NEGOTIATE_128
>>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>>> NTLMSSP Sign/Seal - Initialising with flags:
>>> Got NTLMSSP neg_flags=0x62088215
>>>   NTLMSSP_NEGOTIATE_UNICODE
>>>   NTLMSSP_REQUEST_TARGET
>>>   NTLMSSP_NEGOTIATE_SIGN
>>>   NTLMSSP_NEGOTIATE_NTLM
>>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>>   NTLMSSP_NEGOTIATE_VERSION
>>>   NTLMSSP_NEGOTIATE_128
>>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>>> SPNEGO login failed: No logon servers are currently available to
>>> service the logon request.
>>> session setup failed: NT_STATUS_NO_LOGON_SERVERS
>>> root@TheLibrarian:/etc/samba#
>>>
>>
>> Once I picked out your smb.conf from all the above, it became apparent
>> that you are running Samba as an AD DC, not only that, but you are
>> also using it as a fileserver, this isn't recommended.
>>
>> There are a few lines in your smb.conf that shouldn't be there:
>>
>> server role check:inhibit = yes
>>
>> This is only required to run the 'nmbd' binary, you should never run
>> this on a DC, it has its own version built in. If you are running the
>> 'nmbd' binary, I suggest you turn it off.
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>> Those are not required and can slow things down.
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config RAHIM-DALE:backend = ad
>> idmap config RAHIM-DALE:schema_mode = rfc2307
>> idmap config RAHIM-DALE:range = 100000-999999
>> idmap config RAHIM-DALE:unix_nss_info = yes
>>
>> username map = /etc/samba/user.map
>>
>> Those are only used on a Unix domain member and do nothing on a DC.
>>
>> Having got that out of the way, your command works for me, but I
>> only use a DC for authentication.
>>
>> Can I suggest you upgrade to a Samba supported version by using Debian
>> backports, this will get you 4.17.6. Can I also suggest you
>> investigate running Samba as a Unix domain member instead of using the
>> DC and just use the DC for authentication.
>>
>> I would also check a couple of files, /etc/resolv.conf which should
>> contain:
>>
>> search rahim-dale.org
>> nameserver 'THE_DCS_IPADDRESS'
>>
>> /etc/hosts
>>
>> 127.0.0.1 localhost
>> 'THE_DCS_IPADDRESS' thelibrarian.rahim-dale.org thelibrarian
>>
>> Please try the above and report back
>>
>> Rowland
>>
> Thanks Rowland. I was pretty sure it's a DNS issue as the various tests
> suggested in
> https://wiki.samba.org/index.php/Linux_and_Unix_DNS_Configuration fail.
> However my resolv.conf and hosts files were already as you suggested. I
> am using systemd networkd, if that makes any difference.
>
> Removing the lines you flagged from smb.conf didn't fix the issue. In
> fact, smb.conf fails testparm without a valid idmap config.
You are probably using the wrong 'testparm', you undoubtedly have a DC,
so you should be using 'samba-tool testparm'. I can assure you that
those 'idmap config' lines have no place on a DC.
> Conversely, the Samba Wiki at
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> warns that adding idmap config to smb.conf will cause the samba service
> to fail.
Not sure if 'fail' is correct, they will be ignored though. Idmapping on
a Samba AD DC is stored in idmap.ldb and usually uses numbers in the
3000000 range, but if you give your domain users and groups a uidNumber
or gidNumber attribute, these replace the '3000000' numbers in
idmap.ldb, so the 'idmap config' lines appear to work.
>
> So now I'm at the point that the samba service refuses to start.
I cannot see why removing the lines I suggested would stop Samba
starting. I take it that you are starting Samba with 'systemctl start
samba-ad-dc'. Is there anything in the logs that shows why it no longer
starts?
>
> I'm loath to upgrade the samba version from the Debian version without a
> clear benefit, it doesn't look like it would fix the problem I'm having.
The benefit is that you would be running a Samba supported version.
> Nor does this look like it's related in any way to using the DC as a
> file server - something I've been doing for two decades without
> problems.
I do not think you could have been running a Samba AD DC for two
decades, you probably ran a PDC at the start and you could use those as
fileservers. Right from the start, Samba (like Windows) has always
recommended just using a DC for authentication, but hey, it is your
computer, use it as you like, but just be aware of the limitations.
> The Samba Wiki caveats seem more related to organizational
> issues than technical ones.
The main technical one is that, because of the ACL setup required for
Sysvol, you must set any share permissions from Windows.
>
> I'm considering tearing down everything and starting fresh. Decades of
> accumulated crud could be a real problem, since virtually everything I've
> read suggests that a simple setup like mine should just work.
It should just work, in the main it should be easier than a PDC, but
when used as a fileserver it can get a little bit harder.
Rowland
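The smb.conf points Rowland lists above (server role check:inhibit, winbind enum, idmap config and username map have no place in a DC's [global] section) as a small checker. This is an added example, not code from the thread or from the Samba project; the sample config and the SAMDOM domain name are constructed.

```python
import re
# Settings the reply above says belong on a Unix domain member, not on an AD DC.
DC_UNWANTED = {
    "server role check:inhibit": "only needed to run nmbd, which must not run on a DC",
    "winbind enum users": "not required on a DC and slows lookups down",
    "winbind enum groups": "not required on a DC and slows lookups down",
    "username map": "only used on a Unix domain member; does nothing on a DC",
}
IDMAP_RE = re.compile(r"^idmap config\s+\S+\s*:\s*\S+$")  # 'idmap config * : backend'

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, inner whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if current is None or "=" not in line:  # parameter outside any section
            continue
        key, value = line.split("=", 1)
        current[" ".join(key.lower().split())] = value.strip()
    return sections

def lint_dc_config(text):
    """Return [(param, reason)] for [global] settings that have no place on a DC."""
    glob = parse_smb_conf(text).get("global", {})
    if glob.get("server role", "").lower() != "active directory domain controller":
        return []  # on a member server these settings are legitimate
    findings = []
    for key in glob:
        if key in DC_UNWANTED:
            findings.append((key, DC_UNWANTED[key]))
        elif IDMAP_RE.match(key):
            findings.append((key, "ignored on a DC; idmapping is kept in idmap.ldb"))
    return findings

# Constructed sample modelled on the smb.conf in the thread (domain renamed to SAMDOM).
SAMPLE_DC_CONF = """\
[global]
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    server role check:inhibit = yes
    winbind enum users = yes
    idmap config * : backend = tdb
    idmap config SAMDOM:range = 100000-999999
    username map = /etc/samba/user.map
"""
```

Note that `idmap_ldb:use rfc2307` is left alone: it is a DC setting and is what makes uidNumber/gidNumber attributes override the idmap.ldb numbers.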