A. James Lewis
2017-Aug-22 10:27 UTC
[Samba] Windows pre-requisites for login with winbind?
Hi!

Indeed!, this sounds like good advice... there are certainly bugs, I had to get the 7.04.5 package from "proposed" to resolve a PAM library issue!... although I suppose that's a packaging problem.

What is the best way to get an updated Samba package here? I'm trying to make this system reproducible: I have a single script that builds the entire container and sets up an Xrdp terminal server with everything configured... Ideally I'd like to do it in a sustainable way!...

Perhaps migrating to 17.10 would be a good move at this point since 4.6.5 is available there, and ultimately my goal would be to have this built on 18.04 for some level of stability.... I'm sitting on 17.04 right now since the move to Gnome is not popular around here....

I guess I could install the 17.10 package on 17.04 for testing, watch this space... feedback to follow.

James

August 22, 2017 8:13 AM, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai
>
> Since you're on Ubuntu 17.04 (zesty) and samba 2:4.5.8+dfsg-0ubuntu0.17.04.5,
> now I don't know if you're able to upgrade your samba to 4.5.12 or at least 4.6.5.
>
> But I would really recommend trying to upgrade to a higher version.
> I suggest going through the changelogs and seeing the winbind and kerberos related fixes so you
> understand why I say upgrade.
> I suspect you have hit one or more of these bugs.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
>> Sent: Monday 21 August 2017 19:28
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Windows pre-requisites for login with winbind?
>>
>> On Mon, 21 Aug 2017 17:13:12 +0000
>> "A. James Lewis" <james at fsck.co.uk> wrote:
>>
>>> I'm inclined to agree with you regarding resolvconf, but I don't
>>> think that's the issue here, clearly it was able to get the name and
>>> IP of the AD server.... and connect to it.
>>>
>>> The error from kinit had the hostname of one of the AD servers in it,
>>> that name is not in the config, and that address was reachable... so I
>>> can't think that it's DNS.
>>>
>>> What is worrying me is if this is valid, to have the domain in
>>> twice:- cifs/LOCAL_AD02.domain.local@DOMAIN.LOCAL in the kinit error
>>> from auth.log
>>>
>>> I'd love to solve this issue too... but I started with one issue, and
>>> now I have 2... LOL!
>>
>> That is perfectly normal, so stop worrying
>>
>> There is an easy way to try and prove if it is a dns problem
>> (which i am sure it is)
>>
>> ADD
>>
>> <the DCs ipaddress> <the DCs hostname>.domain.local <the DCs hostname>
>>
>> to /etc/hosts
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
Rowland Penny
2017-Aug-22 11:06 UTC
[Samba] Windows pre-requisites for login with winbind?
On Tue, 22 Aug 2017 10:27:24 +0000
"A. James Lewis via samba" <samba at lists.samba.org> wrote:

> Hi!
>
> Indeed!, this sounds like good advice... there are certainly bugs, I
> had to get the 7.04.5 package from "proposed" to resolve a PAM
> library issue!... although I suppose that's a packaging problem.
>
> What is the best way to get an updated Samba package here? I'm trying
> to make this system reproducible: I have a single script that builds
> the entire container and sets up an Xrdp terminal server with
> everything configured... Ideally I'd like to do it in a sustainable
> way!...
>
> Perhaps migrating to 17.10 would be a good move at this point since
> 4.6.5 is available there, and ultimately my goal would be to have
> this built on 18.04 for some level of stability.... I'm sitting on
> 17.04 right now since the move to Gnome is not popular around
> here....
>
> I guess I could install the 17.10 package on 17.04 for testing, watch
> this space... feedback to follow.
>
> James

Probably the best way to get up-to-date Samba packages: use Debian instead of Ubuntu; you will then be able to use Louis's packages.

Rowland
L.P.H. van Belle
2017-Aug-22 11:40 UTC
[Samba] Windows pre-requisites for login with winbind?
Hai,

A few extra checks/questions.

Have you checked if the server time is in sync with the AD DC server?

Check if /etc/ldap/ldap.conf contains: TLS_REQCERT allow
Are you using your own certificates or Samba-generated (self-signed) certs?

If you use bind_dlz as DNS, take note that you need to set in the global options:
check-names ignore;
Although underscores in hostnames are "illegal" according to RFC 952 and RFC 1123 (the RFC about SRV records should also be taken into account), they comply with the name restrictions for Windows hostnames.

Can you get this script:
https://github.com/thctlo/samba4/blob/master/samba-check-db-repl.sh

Set: SAMBA_LDAPCMD_FILTER="whenChanged,dc,cn"
And run it on the DC with the FSMO roles.
(! Note: only works if you have only Samba DCs.)

What it does:
It checks which DC has the FSMO roles.
Then it checks your database replication with all other DCs.
It runs 2 checks: samba-tool dbcheck and samba-tool ldapcmd ...
Let's see if you have any errors there.

Greetz,

Louis

> -----Original message-----
> From: A. James Lewis [mailto:james at fsck.co.uk]
> Sent: Tuesday 22 August 2017 13:10
> To: A. James Lewis via samba; L.P.H. van Belle
> Subject: Re: [Samba] Windows pre-requisites for login with winbind?
>
> Ahh, upgrading to 4.6.5 did not change my problem significantly, but it DID change the error message significantly... this might give some much better information to someone who knows how the code works!
>
> Aug 22 11:59:01 hostname01 winbindd[451]: [2017/08/22 11:59:01.055174, 0] ../source3/libads/sasl.c:786(ads_sasl_spnego_bind)
> Aug 22 11:59:01 hostname01 winbindd[451]: kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/local_ad01.domain.local with user[HOSTNAME01$] realm[DOMAIN.LOCAL]: No logon servers
>
> I am still able to log in and list groups for long-standing users, and not log in for more recently created users... but I am no longer able to list groups for the users I can't log in with!
>
> James
>
> August 22, 2017 11:31 AM, "A. James Lewis via samba" <samba at lists.samba.org> wrote:
>
>> [...]
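The three configuration checks Louis lists above (clock skew against the DC, TLS_REQCERT in /etc/ldap/ldap.conf, and check-names for the bind9_dlz back end) as an added worked example; this is not code from the thread, from Louis's script, or from the Samba project. The function names, the --run switch and the /etc/bind/named.conf.options path are assumptions of the example. The two config-parsing functions read their input from stdin so they can be exercised against sample text before being pointed at the live files.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project: small,
# offline-checkable helpers for the three configuration checks listed above.
# Function names, the --run switch and the named.conf path are assumptions.

# Kerberos rejects tickets when the client clock and the KDC clock differ by
# more than the permitted skew (300 seconds by default in MIT and Heimdal).
# clock_skew_ok LOCAL_EPOCH DC_EPOCH [MAX_SECONDS]: exit 0 when within skew.
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "${3:-300}" ]
}

# Effective TLS_REQCERT value from ldap.conf text on stdin ("unset" if absent;
# the last occurrence wins, as in ldap.conf itself). "allow" tolerates a bad
# or missing server certificate, so it only makes sense while a self-signed
# DC certificate has not yet been added to the client's trust store.
ldap_tls_reqcert() {
    awk '$1 !~ /^#/ && tolower($1) == "tls_reqcert" { v = tolower($2) }
         END { print (v == "" ? "unset" : v) }'
}

# Does BIND configuration text on stdin turn off host-name checking?
# Accepts the zone form "check-names ignore;" and the options form
# "check-names <master|slave|response> ignore;". Needed because AD computer
# names such as local_ad01 contain an underscore, which BIND's default
# RFC 952/1123 checking rejects in A/AAAA owner names.
named_check_names_ignore() {
    awk '$1 !~ /^#/ && $1 !~ /^\/\// && /check-names[ \t]+([a-z]+[ \t]+)?ignore[ \t]*;/ { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# --run <dc-hostname>: apply the checks to the live system.
live_checks() {
    dc=${1:?usage: $0 --run <dc-hostname>}
    echo "local clock: $(date -u)"
    # Samba's net(8) prints the remote server's clock; compare the two by eye.
    command -v net >/dev/null && echo "dc clock:    $(net time -S "$dc" 2>&1)"
    echo "TLS_REQCERT in /etc/ldap/ldap.conf: $(ldap_tls_reqcert < /etc/ldap/ldap.conf)"
    if [ -f /etc/bind/named.conf.options ]; then   # assumed Debian/Ubuntu path
        if named_check_names_ignore < /etc/bind/named.conf.options; then
            echo "named: check-names ignore is set"
        else
            echo "named: check-names ignore NOT set (needed for underscored AD hostnames)"
        fi
    fi
}
case "${1:-}" in --run) shift; live_checks "$@" ;; esac
```

Saved as, say, ad-config-checks.sh and run with `sh ad-config-checks.sh --run local_ad01` it prints both clocks, the effective TLS_REQCERT setting and whether check-names is relaxed; without --run it only defines the functions, so the parsers can be sourced and fed sample text.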
A. James Lewis
2017-Aug-22 11:50 UTC
[Samba] Windows pre-requisites for login with winbind?
Well damn!, that's embarrassing... kerberos issues with suggested config now solved... HOWEVER, I'm back down to the 1 original issue where some users cannot log in.

I narrowed down the kerberos issue to an issue looking up the SRV record and I might actually end up logging a bug for that too... so apologies Rowland, you highlighted resolvconf as a possible issue before... and it seems that it's strictly following the DNS standard and denying "_" (which I am sure you will agree will cause issues here!). My initial testing is on a workstation, so it's hard to avoid, but with that put to bed, I'm back to this issue:-

# wbinfo --user-groups user02
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user user02
#
# wbinfo --user-groups user01
54239
5513
43669
12786
17412
--- SNIP ---

The AD is controlled by another team, but both these users are valid, and are able to log in to the workstations on their desk with that username... however when I try to log in with certain users I get this:-

# su - user02
No passwd entry for user 'user02'

It behaves exactly as if that user does not exist!... and I don't see how it can be a local configuration issue, it seems like it has to be inside AD, but I don't know enough about AD to know what it could be.

James

August 22, 2017 12:10 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Tue, 22 Aug 2017 10:27:24 +0000
> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
>
>> [...]
>
> Probably the best way to get up-to-date Samba packages: use Debian
> instead of Ubuntu; you will then be able to use Louis's packages.
>
> Rowland
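Rowland's /etc/hosts test, the SRV/underscore problem James tracked down, and the wbinfo output above, as one added example; this is not code from the thread or from the Samba project. Function names and the --run switch are assumptions of the example; the SRV names are the standard AD DC-locator records (RFC 2782 service labels), and the sample wbinfo output in the checks is the one James pasted.

```shell
#!/bin/sh
# Added example, not code from the thread or the Samba project: helpers for
# the /etc/hosts shortcut, RFC 1123 host-name checking (the underscore issue),
# the SRV records a domain member needs, and classifying wbinfo output.
# Function names and the --run switch are this example's own assumptions.

# Rowland's /etc/hosts line: "<ip> <host>.<domain> <host>". It bypasses DNS
# for the DC's A record only; the SRV records below still come from DNS.
hosts_line() {
    printf '%s %s.%s %s\n' "$1" "$2" "$3" "$2"
}

# RFC 1123 host-name label: 1-63 chars, letters/digits/hyphen, no leading or
# trailing hyphen. An underscore fails here, which is exactly why a strict
# resolver rejects AD computer names like local_ad01.
label_is_rfc1123() {
    l=$1
    [ "${#l}" -ge 1 ] && [ "${#l}" -le 63 ] || return 1
    case "$l" in
        -*|*-)           return 1 ;;
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# Whole FQDN: every dot-separated label must pass label_is_rfc1123.
hostname_is_rfc1123() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for l in "$@"; do label_is_rfc1123 "$l" || return 1; done
    return 0
}

# SRV names a domain member resolves to find DCs (RFC 2782 / AD DC locator).
# Their leading underscores are legitimate service labels, not host names,
# so host-name checking must not be applied to them.
dc_srv_names() {
    printf '%s\n' "_ldap._tcp.dc._msdcs.$1" "_ldap._tcp.$1" \
                  "_kerberos._tcp.$1" "_kerberos._udp.$1"
}

# Classify the captured output of `wbinfo --user-groups USER` given in $1.
classify_wbinfo_groups() {
    case "$1" in
        *WBC_ERR_DOMAIN_NOT_FOUND*) echo "domain-not-found" ;;
        *"failed to call"*)         echo "lookup-failed" ;;
        "")                         echo "no-groups" ;;
        *) n=$(printf '%s\n' "$1" | grep -c '^[0-9][0-9]*$' || true)
           echo "ok:$n" ;;   # number of GIDs returned
    esac
}

# --run DOMAIN [USER...]: look up the SRV records (dig, if present), flag DC
# targets with non-RFC 1123 labels, then classify wbinfo output per user.
live_checks() {
    domain=${1:?usage: $0 --run <dns-domain> [user...]}; shift
    for srv in $(dc_srv_names "$domain"); do
        command -v dig >/dev/null || { echo "dig not installed; skipping SRV lookups"; break; }
        dig +short SRV "$srv" | while read -r prio weight port target; do
            target=${target%.}
            echo "$srv -> $target:$port"
            hostname_is_rfc1123 "$target" ||
                echo "  note: '$target' is not RFC 1123 clean; a strict resolver may refuse it"
        done
    done
    for u in "$@"; do
        out=$(wbinfo --user-groups "$u" 2>&1 || true)
        echo "$u: $(classify_wbinfo_groups "$out")"
    done
}
case "${1:-}" in --run) shift; live_checks "$@" ;; esac
```

Run as `sh winbind-triage.sh --run domain.local user01 user02`: the SRV section shows whether the DC-locator records resolve at all and whether the DC names they point at contain an underscore, and the per-user section separates "the domain could not be reached for this lookup" (WBC_ERR_DOMAIN_NOT_FOUND) from a user that simply has no groups.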
A. James Lewis
2017-Aug-22 12:01 UTC
[Samba] Windows pre-requisites for login with winbind?
Indeed!... you are correct... this does appear to be the kerberos issue uncovered by Rowland's pointing out that I should not need to be manually defining "kdc =" in my krb5.conf.... so with that resolved, I'm hoping we can also find the cause of my original problem.

Incidentally, this was my solution to upgrading Samba on my 17.04 test server. I think moving to 17.10 will ultimately have to be the solution, but this let me carry on debugging this problem quickly.

apt-get remove libnss-winbind libpam-winbind samba winbind
apt-get autoremove
cd /etc/apt/
sed -i "s,zesty,artful,g" sources.list
apt-get update   # refresh the package lists so the artful (17.10) packages are visible to the install below
apt-get install samba libnss-winbind libpam-winbind winbind
sed -i "s,artful,zesty,g" sources.list
apt-get update
apt-get dist-upgrade

James

August 22, 2017 12:51 PM, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> A few extra checks/questions.
>
> Have you checked if the server time is in sync with the AD DC server?
>
> Check if /etc/ldap/ldap.conf contains: TLS_REQCERT allow
> Are you using your own certificates or Samba-generated (self-signed) certs?
>
> If you use bind_dlz as DNS, take note that you need to set in the global options:
> check-names ignore;
> Although underscores in hostnames are "illegal" according to RFC 952 and RFC 1123
> (the RFC about SRV records should also be taken into account), they comply with the name restrictions
> for Windows hostnames.
>
> Can you get this script:
> https://github.com/thctlo/samba4/blob/master/samba-check-db-repl.sh
>
> Set: SAMBA_LDAPCMD_FILTER="whenChanged,dc,cn"
> And run it on the DC with the FSMO roles.
> (! Note: only works if you have only Samba DCs.)
>
> What it does:
> It checks which DC has the FSMO roles.
> Then it checks your database replication with all other DCs.
> It runs 2 checks: samba-tool dbcheck and samba-tool ldapcmd ...
> Let's see if you have any errors there.
>
> Greetz,
>
> Louis
>
>> [...]
Rowland Penny
2017-Aug-22 12:13 UTC
[Samba] Windows pre-requisites for login with winbind?
On Tue, 22 Aug 2017 12:01:20 +0000
"A. James Lewis via samba" <samba at lists.samba.org> wrote:

> Indeed!... you are correct... this does appear to be the kerberos
> issue uncovered by Rowland's pointing out that I should not need to be
> manually defining "kdc =" in my krb5.conf.... so with that resolved,
> I'm hoping we can also find the cause of my original problem.
>
> Incidentally, this was my solution to upgrading Samba on my 17.04
> test server. I think moving to 17.10 will ultimately have to be the
> solution, but this let me carry on debugging this problem quickly.
>
> apt-get remove libnss-winbind libpam-winbind samba winbind
> apt-get autoremove
> cd /etc/apt/
> sed -i "s,zesty,artful,g" sources.list
> apt-get install samba libnss-winbind libpam-winbind winbind
> sed -i "s,artful,zesty,g" sources.list
> apt-get update
> apt-get dist-upgrade
>
> James

Do you also have the following packages installed:

libpam-krb5 krb5-config krb5-user

Rowland
A. James Lewis
2017-Aug-22 13:02 UTC
[Samba] Windows pre-requisites for login with winbind?
I have krb5-config and krb5-user, but not libpam-krb5... I'm slightly fuzzy about how this works, but I thought the interaction with kerberos was implemented via winbind, so I wasn't expecting this package to be installed... certainly there is no dependency that has pulled it in.

James

August 22, 2017 1:15 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Tue, 22 Aug 2017 12:01:20 +0000
> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
>
>> [...]
>
> Do you also have the following packages installed:
>
> libpam-krb5 krb5-config krb5-user
>
> Rowland