Prunk Dump
2017-Jun-21 17:51 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Thank you very much Louis, Rowland, Mike ! I have made all the changes proposed by Louis but still have the same problem. -> kinit works now with /var/lib/samba/private/secrets.keytab ------------------------ ~# kinit -k -t /var/lib/samba/private/secrets.keytab FICHDC$ ~# ------------------------ -> but samba-tool authentication with machine account fail : ------------------------ ~# samba-tool time -P -d 8 INFO: Current debug levels: all: 8 tdb: 8 printdrivers: 8 lanman: 8 smb: 8 rpc_parse: 8 rpc_srv: 8 rpc_cli: 8 passdb: 8 sam: 8 auth: 8 winbind: 8 vfs: 8 idmap: 8 quota: 8 acls: 8 locking: 8 msdfs: 8 dmapi: 8 registry: 8 scavenger: 8 dns: 8 ldb: 8 tevent: 8 lpcfg_load: refreshing parameters from /etc/samba/smb.conf Processing section "[global]" Processing section "[netlogon]" Processing section "[sysvol]" pm_process() returned Yes ldb_wrap open of secrets.ldb GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'naclrpc_as_system' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered GENSEC backend 'krb5' registered GENSEC backend 'fake_gssapi_krb5' registered added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0 added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0 Mapped to DCERPC endpoint \pipe\srvsvc added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0 added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0 added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0 resolve_lmhosts: Attempting lmhosts lookup for name fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_REUSEPORT = 0 SO_SNDBUF = 2626560 SO_RCVBUF = 1061808 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 TCP_DEFER_ACCEPT = 0 Starting GENSEC mechanism spnego Starting GENSEC submechanism gssapi_krb5 Received smb_krb5 packet of length 343 Received smb_krb5 packet of length 298 Failed to get kerberos credentials: kinit for FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed (Preauthentication failed) Wrong username or password: kinit for FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed (Preauthentication failed) SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE ERROR(runtime): uncaught exception - (-1073741715, "Connection to SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' failed: NT_STATUS_LOGON_FAILURE") File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run return self.run(*args, **kwargs) File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py", line 59, in run self.outf.write(net.time(server_name)+"\n") ------------------------ -> samba.log give many errors like this : ------------------------ [2017/06/21 14:20:35.371312, 0] ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv) Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:172.16.0.21[1024,seal,krb5,target_hostname=04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr,target_principal=GC/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235--4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20] NT_STATUS_LOGON_FAILURE ------------------------ -> my msDS-SupportedEncryptionTypes value is 31 ? Is this bad ? ------------------------ ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDC)' # record 1 dn: CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user objectClass: computer cn: FICHDC instanceType: 4 whenCreated: 20150630144451.0Z uSNCreated: 3583 name: FICHDC objectGUID: bfaf861f-1138-4597-beaa-c83722b86fcf userAccountControl: 532480 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 localPolicyFlags: 0 primaryGroupID: 516 objectSid: S-1-5-21-2690787391-1809550003-4172065244-1000 accountExpires: 9223372036854775807 sAMAccountName: FICHDC$ sAMAccountType: 805306369 operatingSystem: Samba operatingSystemVersion: 4.1.17-Debian dNSHostName: fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=net,DC=lyc-guillaume -fichet,DC=ac-grenoble,DC=fr isCriticalSystemObject: TRUE rIDSetReferences: CN=RID Set,CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-gui llaume-fichet,DC=ac-grenoble,DC=fr serverReferenceBL: CN=FICHDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN =Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr msDS-SupportedEncryptionTypes: 31 pwdLastSet: 131423563752421340 servicePrincipalName: nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/FICH NET servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/FICH NET servicePrincipalName: GC/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.ly c-guillaume-fichet.ac-grenoble.fr servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net. lyc-guillaume-fichet.ac-grenoble.fr servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net. lyc-guillaume-fichet.ac-grenoble.fr servicePrincipalName: HOST/FICHDC servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/b339b873-f01c-4672- 8984-61e1e48422ea/net.lyc-guillaume-fichet.ac-grenoble.fr servicePrincipalName: ldap/b339b873-f01c-4672-8984-61e1e48422ea._msdcs.net.lyc -guillaume-fichet.ac-grenoble.fr servicePrincipalName: ldap/FICHDC servicePrincipalName: RestrictedKrbHost/FICHDC servicePrincipalName: RestrictedKrbHost/fichdc.net.lyc-guillaume-fichet.ac-gre noble.fr servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/Doma inDnsZones.net.lyc-guillaume-fichet.ac-grenoble.fr servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/Fore stDnsZones.net.lyc-guillaume-fichet.ac-grenoble.fr lastLogonTimestamp: 131424581015653910 whenChanged: 20170620184821.0Z uSNChanged: 12626339 lastLogon: 131425180561432210 logonCount: 70 distinguishedName: CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-guillaume-fic het,DC=ac-grenoble,DC=fr # Referral ref: ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/CN=Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr # Referral ref: ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/DC=DomainDnsZones,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr # Referral ref: ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/DC=ForestDnsZones,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr # returned 4 records # 1 entries # 3 referrals ------------------------------- Even if I increase the debug level. I could not get more info on the Kerberos authentication. Thanks again ! Baptiste.
Seemingly Similar Threads
- DRS stopped working after upgrade from debian Jessie to Stretch
- DRS stopped working after upgrade from debian Jessie to Stretch
- DRS stopped working after upgrade from debian Jessie to Stretch
- DRS stopped working after upgrade from debian Jessie to Stretch
- DRS stopped working after upgrade from debian Jessie to Stretch