L.P.H. van Belle
2016-May-24 07:55 UTC
[Samba] After some time 4.3.9 Member Server in different Subnet than ADS controller loses trust
Upgrade to 4.4.3 that fixes a lot, like.> - net ads testjoin > > ads_connect: No logon servers > > Join to domain is not valid: No logon servers > > - wbinfo -g and wbinfo -u > > provide no output anymore.And dont forget to setup the ldap certificate part as described in the change log of 4.4.2. Anyone should avoid the version 4.2.9-4.2.11 4.3.7-4.3.9 4.4.2 and lower. That helps, after the big upgrade, some new bug entered. Most of them are fixed in the latest version 4.4.3. I cant tell about the 4.2/4.3 versions. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Thomas Burger > (tburger at eritron.de) > Verzonden: dinsdag 24 mei 2016 9:26 > Aan: samba at lists.samba.org > Onderwerp: [Samba] After some time 4.3.9 Member Server in different Subnet > than ADS controller loses trust > > Hello everybody, > > I hope someone can help me with this or point me into the right > direction since I am not being able to solve it since weeks. > > Since last year I was running Samba 4.1.6 on Ubuntu 14.04 LTS without > issues as a active directory domain controller as well as member > servers. Trouble started with the upgrade to Samba 4.3.8 (now 4.3.9). > > The ADS controller and most member servers are sharing the same subnet. > For > security reasons I pushed one of the member servers into a DMZ. I am > using Kerberos, Winbind and Samba to integrate to the ADS. > What has worked with 4.1.6 seems not to work anymore with 4.3.8 and > 4.3.9. While all member servers on the same subnet work fine the machine > in the DMZ looses connection to the ADS after some time. > > On the member server in the DMZ, from a shell I can successfully > - obtain Kerberos tickets > - join to the domain via (net ads join ...) > - After join do a testjoin > - obtain domain information > - get users via >wbinfo -u< and groups via >wbinfo -g< > - create a keytab file for kerberos ticket update > > After some time (several hours, I found it hard to track) I experience > the following issues: > - net ads testjoin > > ads_connect: No logon servers > > Join to domain is not valid: No logon servers > - wbinfo -g and wbinfo -u > > provide no output anymore. > > What I checked and did not change situation: > - name resolution (forward, backward, all ok to ADS controller as well > as domain name) > - disabled ALL firewall rules between the systems (ADS controller and > member server) > > > > > My kerberos configuration on the client looks like this: > [libdefaults] > default_realm = DOMAIN.DE > dns_lookup_realm = false # also tried this to set to true > dns_lookup_kdc = true > > [realms] > DOMAIN.DE = { > kdc = dc.domain.de > admin_server = dc.domain.de > master_kdc = dc.domain.de > } > > [domain_realm] > domain.de = DOMAIN.DE > > > This is the smb.conf: > ######## GLOBAL > [global] > #### GLOBAL SETTINGS > netbios name = HOSTNAME > server string = HOSTNAME > workgroup = DOMAIN > realm = DOMAIN.DE > server role = MEMBER SERVER > name resolve order = hosts wins bcast > > #### SECURITY SETTINGS > security = ads > allow trusted domains = Yes > map untrusted to domain = Yes > encrypt passwords = yes > client use spnego = yes > client ntlmv2 auth = yes > client ldap sasl wrapping = sign > restrict anonymous = 2 > acl map full control = yes > > #### SERVER SETTINGS > dns proxy = yes > domain master = no > local master = no > preferred master = no > os level = 0 > follow symlinks = yes > veto files > /.AppleDouble/.DS_Store/._.DS_Store/.fseventsd/.notfirsttime/.Spotlight- > V100/.TemporaryItems/.Trash/.Trashes/Thumbs.db/thumbs.db/._*/~$*/System\ > > Volume\ Information/ > delete veto files = yes > server min protocol = SMB2 > server max protocol = SMB3 > > #### KERBEROS > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytab > > #### WINBIND CONFIGURATION > winbind enum users = yes > winbind enum groups = yes > winbind offline logon = no > winbind reconnect delay = 30 > winbind refresh tickets = yes > winbind nested groups = yes > idmap config *:backend = tdb > idmap config *:range = 70001-80000 > idmap config DOMAIN:backend = rid > idmap config DOMAIN:schema_mode = rfc2307 > idmap config DOMAIN:range = 20000-40000 > idmap cache time = 604800 > winbind separator = / > winbind use default domain = no > #### HOME DIRECTORIES > template shell = /bin/bash > template homedir = /home/%U > > #### PRINTING > disable spoolss = yes > load printers = no > idmap_ldb:use rfc2307 = yes > > #### LOGGING > log level = 2 > username level = 3 > log file = /var/log/samba/log.%m > max log size = 50 > syslog only = no > syslog = 2 > panic action = /usr/share/samba/panic-action %d > > > the resolv.conf: > nameserver 10.14.11.5 # This is the ADS Controller > nameserver 10.14.12.1 # This is an alternate nameserver > search domain.de > > > > > In /var/log/syslog I can see various messages that caught my attention > but neither of those helped me in my research. Don´t give to much about > date/time. I just copied them as I found them: > > 1. "Could not receive Trustdoms". > May 16 06:58:43 hostname winbindd[820]: [2016/05/16 06:58:43.776831, 1] > ../source3/winbindd/winbindd_util.c:351(trustdom_list_done) > May 16 06:58:43 hostname winbindd[820]: Could not receive trustdoms > > 2. "Check connection to trusted domain" > May 22 06:10:23 hostname winbindd[840]: [2016/05/22 06:10:23.784860, 0] > ../source3/winbindd/winbindd_group.c:45(fill_grent) > May 22 06:10:23 hostname winbindd[840]: Failed to find domain 'Unix > Group'. Check connection to trusted domains! > > 3. This is indicating a name resolution issue but I have checked that > already: > May 22 06:44:52 hostname winbindd[24623]: ads_find_dc: name resolution > for realm 'domain.de' (domain 'DOMAIN') failed: NT_STATUS_NO_LOGON_SERVERS > > 4. "failed to reconnect (No logon servers)" > May 22 21:09:51 hostname winbindd[971]: [2016/05/22 21:09:51.487192, 1] > ../source3/libads/ldap_utils.c:107(ads_do_search_retry_internal) > May 22 21:09:51 hostname winbindd[971]: ads_search_retry: failed to > reconnect (No logon servers) > > 5. "ads_connect for domain DOMAIN failed: No logon servers" > May 22 21:10:07 hostname winbindd[971]: [2016/05/22 21:10:07.493461, 1] > ../source3/winbindd/winbindd_ads.c:136(ads_cached_connection_connect) > May 22 21:10:07 hostname winbindd[971]: ads_connect for domain DOMAIN > failed: No logon servers > > > > > Any pointers are greatly appreciated. > Best regards > > Thomas > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Thomas Burger (tburger@eritron.de)
2016-May-26 05:36 UTC
[Samba] After some time 4.3.9 Member Server in different Subnet than ADS controller loses trust
Hello Louis, thanks for your answer. I was afraid of an answer like this though. I hoped to stay with the distribution packages so a maintenance is more comfortable and easier. At least a manual installation of 4.4.3 looks quite complicated to me. I am not unexperienced in terms of Linux but have not risked it yet to compile software. What I have found is this guide: http://www.linuxfromscratch.org/blfs/view/cvs/basicnet/samba.html Is this the approach you would take as well? Are there any packages maintained I can use "right away" for the underlying Ubuntu 14.04 LTS I am using? My research was not successful and it seems from the Ubuntu side none are provided newer than 4.3.9. Even on the 16.04 LTS branch. Thanks for your help Best regards Thomas
L.P.H. van Belle
2016-May-26 07:24 UTC
[Samba] After some time 4.3.9 Member Server in different Subnet than ADS controller loses trust
Hai Thomas. Its not that hard to get a good 4.4.3. here is how to do this. And is really easy, as long you dont run into compile problems. I’ve tested below in debian jessie, and should work on ubuntu also. The short/simple rebuild a samba version from debian jessie to ubuntu. ## 1 ## Get the packages needed for a rebuild. sudo apt-get install -y --no-install-recommends devscripts dpkg-dev build-essential fakeroot debhelper dh-systemd ## !! KEEP NOTICE OF THE ORDER HERE, ITS VERY IMPORTANT !! ## Get the source packages needed for a samba rebuild. PACKAGES="libtalloc-dev libtevent-dev libtdb-dev libldb-dev libcmocka-dev libnss-wrapper libresolv-wrapper libuid-wrapper socket-wrapper samba" ## 2 # add the jessie sources echo "deb-src http://ftp.nl.debian.org/debian/ stretch main non-free contrib" | sudo tee -a /etc/apt/sources.list.d/debian-stretch.list ## 3 # update and install needed build software. sudo apt-get update sudo apt-get install -y --no-install-recommends devscripts dpkg-dev build-essential fakeroot debhelper dh-systemd ## 4 # Get the sources to rebuild (a one liner) apt-get source $PACKAGES ## 5 # now per package and keep the order of the PACKAGES line. # get the build dependecies. sudo apt-get build-dep libtalloc-dev ## 6 # cd the extracted folder. cd talloc-... ## 7 # change the change log. dch –n “No changes.” ## 8 # rebuild the package. cd .. apt-get source –b libtalloc-dev # Result, debs in this folder. # next package, as of here repeat step 5-6-7-8 for every packages. # One thing.. nss-wrapper when your there to compile that one, then run : sed -i 's/libcmocka-dev/libcmocka-dev (>= 1.0.1~)/g' debian/control dch -n "Changed debian/control depends on cmocka 1.0.1~." # Now one example. Repait step 5 for libtevent-dev. libtevent-dev wil complaint about missing dependecies. ( you just compiled them ( the libtalloc-dev ..) So look at whats missing and install manualy with dpkg –i XXX.deb or setup a local file apt. # a simple local file apt. # apt-get install apache2 # a very simple local file repo. mkdir -p /var/www/html/ubuntu/local echo “deb [trusted=yes] http://localhost/ubuntu/ local/” | tee –a /etc/apt/sources.list.d/localrepo.list # OPTIONAL step 9 for every rebuilded package. HERE=`pwd` cp *.deb /var/www/html/ubuntu/local cd /var/www/html/ubuntu dpkg-scanpackages local /dev/null | gzip -9c > local/Packages.gz apt-get update cd $HERE I suggest start here and wait untill a 4.4.x version enters ubuntu. Greetz, Louis> -----Oorspronkelijk bericht-----> Van: Thomas Burger (tburger at eritron.de) [mailto:tburger at eritron.de]> Verzonden: donderdag 26 mei 2016 7:36> Aan: L.P.H. van Belle; samba at lists.samba.org> Onderwerp: Re: [Samba] After some time 4.3.9 Member Server in different> Subnet than ADS controller loses trust>> Hello Louis,>> thanks for your answer. I was afraid of an answer like this though. I> hoped to stay with the distribution packages so a maintenance is more> comfortable and easier.>> At least a manual installation of 4.4.3 looks quite complicated to me. I> am not unexperienced in terms of Linux but have not risked it yet to> compile software.>> What I have found is this guide:> http://www.linuxfromscratch.org/blfs/view/cvs/basicnet/samba.html>> Is this the approach you would take as well? Are there any packages> maintained I can use "right away" for the underlying Ubuntu 14.04 LTS I> am using? My research was not successful and it seems from the Ubuntu> side none are provided newer than 4.3.9. Even on the 16.04 LTS branch.>> Thanks for your help>> Best regards>> Thomas
Rowland penny
2016-May-26 07:43 UTC
[Samba] After some time 4.3.9 Member Server in different Subnet than ADS controller loses trust
On 26/05/16 06:36, Thomas Burger (tburger at eritron.de) wrote:> Hello Louis, > > thanks for your answer. I was afraid of an answer like this though. I > hoped to stay with the distribution packages so a maintenance is more > comfortable and easier. > > At least a manual installation of 4.4.3 looks quite complicated to me. > I am not unexperienced in terms of Linux but have not risked it yet to > compile software.No, it is very easy, it just takes up some of your time :-)> > What I have found is this guide: > http://www.linuxfromscratch.org/blfs/view/cvs/basicnet/samba.html > > Is this the approach you would take as well?If you follow that, it will replace your already installed samba files and an update to these could again replace your samba files.> Are there any packages maintained I can use "right away" for the > underlying Ubuntu 14.04 LTS I am using? My research was not successful > and it seems from the Ubuntu side none are provided newer than 4.3.9. > Even on the 16.04 LTS branch.You seem to be correct, Ubuntu doesn't seem to have noticed that 4.4.3 is in debian sid and I thought Ubuntu was based on sid. Your best plan would be to just: sudo apt-get install acl attr autoconf bison build-essential \ debhelper dnsutils docbook-xml docbook-xsl flex gdb krb5-user \ libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev \ libcap-dev libcups2-dev libgnutls28-dev libjson-perl \ libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl \ libpopt-dev libreadline-dev perl perl-modules pkg-config \ python-all-dev python-dev python-dnspython python-crypto \ xsltproc zlib1g-dev As a normal user: cd /usr/src wget https://download.samba.org/pub/samba/stable/samba-4.4.3.tar.gz tar zxf samba-4.4.3.tar.gz ./configure make sudo make install This will install Samba into /usr/local/samba and you will now need to alter $Path so that /usr/local/samba gets searched first: echo "PATH=/usr/local/samba/bin:/usr/local/samba/sbin:\$PATH" > /etc/profile.d/samba4.sh export PATH=/usr/local/samba/bin:/usr/local/samba/sbin:$PATH Now create a domain member smb.conf in /usr/local/samba/etc Alter the paths in the Samba init files to start the smbd, nmbd and winbindd binaries in /usr/local/samba/sbin instead of the ones in /usr/sbin Start Samba Rowland> > > Thanks for your help > > Best regards > > Thomas > >
Thomas Burger (tburger@eritron.de)
2016-May-26 16:36 UTC
[Samba] After some time 4.3.9 Member Server in different Subnet than ADS controller loses trust
Thanks so much for the detailed description Louis. From the current point of view this seems a reasonable way to go because I don´t only have 2 servers to provide an updated Samba (if I start with one or two, I´ll bring all up to date). An Apache web service for hosting a local Ubuntu repository is already there. Hope I can find some time this weekend to try it out. Best regards and many thanks again for your help Thomas
Reasonably Related Threads
- After some time 4.3.9 Member Server in different Subnet than ADS controller loses trust
- After some time 4.3.9 Member Server in different Subnet than ADS controller loses trust
- Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)
- samba's source code won't compile on ubuntu 14.04 LTS
- Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)