Hi Denis

Thanks for your advice. I will not use these wordings here.

Please check the result below when I run the command on DC-1 when DC-2 is off or on:

smbclient -k //IUMSVRAPP01/Pastel12 -d 9
INFO: Current debug levels:
  all: 9  tdb: 9  printdrivers: 9  lanman: 9  smb: 9  rpc_parse: 9  rpc_srv: 9  rpc_cli: 9  passdb: 9  sam: 9  auth: 9  winbind: 9  vfs: 9  idmap: 9  quota: 9  acls: 9  locking: 9  msdfs: 9  dmapi: 9  registry: 9  scavenger: 9  dns: 9  ldb: 9  tevent: 9
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 9  tdb: 9  printdrivers: 9  lanman: 9  smb: 9  rpc_parse: 9  rpc_srv: 9  rpc_cli: 9  passdb: 9  sam: 9  auth: 9  winbind: 9  vfs: 9  idmap: 9  quota: 9  acls: 9  locking: 9  msdfs: 9  dmapi: 9  registry: 9  scavenger: 9  dns: 9  ldb: 9  tevent: 9
Processing section "[global]"
doing parameter workgroup = IUMNET
doing parameter realm = IUMNET.EDU.NA
doing parameter netbios name = IUMDCDP01
doing parameter server role = active directory domain controller
doing parameter dns forwarder = 172.16.10.254
doing parameter domain master = yes
doing parameter preferred master = yes
doing parameter password server = 172.16.10.5
doing parameter allow dns updates = nonsecure and secure
doing parameter ntlm auth = yes
doing parameter client use spnego = no
doing parameter client ldap sasl wrapping = sign
doing parameter ldap server require strong auth = no
doing parameter time server = Yes
doing parameter template shell = /bin/bash
doing parameter template homedir = /home/%U
doing parameter full_audit:prefix = %u|%I|%m|%S
doing parameter full_audit:failure = connect
doing parameter full_audit:success = connect disconnect
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth0 ip=172.16.10.5 bcast=172.16.10.255 netmask=255.255.255.0
added interface eth2 ip=192.29.0.5 bcast=192.29.255.255 netmask=255.255.0.0
Netbios name list:-
my_netbios_names[0]="IUMDCDP01"
Client started (version 4.6.12-SerNet-Ubuntu-14.precise).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/cache/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'IUMNET.EDU.NA': "Default-First-Site-Name"
no entry for IUMSVRAPP01#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name IUMSVRAPP01<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name IUMSVRAPP01<0x20>
namecache_store: storing 1 address for IUMSVRAPP01#20: 172.16.10.21
Connecting to 172.16.10.21 at port 445
Socket options:
  SO_KEEPALIVE = 0  SO_REUSEADDR = 0  SO_BROADCAST = 0  TCP_NODELAY = 1  TCP_KEEPCNT = 9  TCP_KEEPIDLE = 7200  TCP_KEEPINTVL = 75  IPTOS_LOWDELAY = 0  IPTOS_THROUGHPUT = 0  SO_SNDBUF = 24040  SO_RCVBUF = 87380  SO_SNDLOWAT = 1  SO_RCVLOWAT = 1  SO_SNDTIMEO = 0  SO_RCVTIMEO = 0  TCP_QUICKACK = 1  TCP_DEFER_ACCEPT = 0
session request ok
session setup failed: NT_STATUS_INVALID_PARAMETER_MIX

Here is the smb.conf dump from DC-1:

# Global parameters
[global]
	workgroup = IUMNET
	realm = IUMNET.EDU.NA
	netbios name = IUMDCDP01
	server role = active directory domain controller
	dns forwarder = 172.16.10.254
	domain master = yes
	preferred master = yes
	# server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
	password server = 172.16.10.5
	allow dns updates = nonsecure and secure
	# lanman auth = Yes
	# client lanman auth = Yes
	ntlm auth = yes
	client use spnego = no
	client ldap sasl wrapping = sign
	# ldap ssl ads = yes
	# ldap ssl = start tls
	ldap server require strong auth = no
	# wins server = iumnet.edu.na
	# wins support = Yes
	time server = Yes
	template shell = /bin/bash
	template homedir = /home/%U
	# idmap config * : backend = tdb
	# idmap config *:range = 50000-1000000
	full_audit:prefix = %u|%I|%m|%S
	full_audit:failure = connect
	full_audit:success = connect disconnect
	# log level = 9 dns:0
[netlogon]
	path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
	read only = No
	browsable = no

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[softshare]
	path = /home/administrator/ad
	read only = No

When I ran the same command on DC-2 (Samba 4.7.4):

smbclient -k //172.16.10.21/Pastel12 -d 9
INFO: Current debug levels:
  all: 9  tdb: 9  printdrivers: 9  lanman: 9  smb: 9  rpc_parse: 9  rpc_srv: 9  rpc_cli: 9  passdb: 9  sam: 9  auth: 9  winbind: 9  vfs: 9  idmap: 9  quota: 9  acls: 9  locking: 9  msdfs: 9  dmapi: 9  registry: 9  scavenger: 9  dns: 9  ldb: 9  tevent: 9  auth_audit: 9  auth_json_audit: 9  kerberos: 9  drs_repl: 9
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 9  tdb: 9  printdrivers: 9  lanman: 9  smb: 9  rpc_parse: 9  rpc_srv: 9  rpc_cli: 9  passdb: 9  sam: 9  auth: 9  winbind: 9  vfs: 9  idmap: 9  quota: 9  acls: 9  locking: 9  msdfs: 9  dmapi: 9  registry: 9  scavenger: 9  dns: 9  ldb: 9  tevent: 9  auth_audit: 9  auth_json_audit: 9  kerberos: 9  drs_repl: 9
Processing section "[global]"
doing parameter netbios name = IUMSVRPDC
doing parameter realm = IUMNET.EDU.NA
doing parameter workgroup = IUMNET
doing parameter server role = active directory domain controller
doing parameter dns forwarder = 172.16.10.254
doing parameter allow dns updates = nonsecure and secure
doing parameter ntlm auth = yes
doing parameter ldap server require strong auth = no
doing parameter time server = Yes
doing parameter template shell = /bin/bash
doing parameter template homedir = /home/%U
doing parameter full_audit:prefix = %u|%I|%m|%S
doing parameter full_audit:failure = connect
doing parameter full_audit:success = connect disconnect
doing parameter tls enabled = yes
doing parameter tls keyfile = tls/key.pem
doing parameter tls certfile = tls/cert.pem
doing parameter tls cafile = tls/ca.pem
doing parameter log level = 9 dns:0
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface ens18 ip=172.16.100.5 bcast=172.16.100.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="IUMSVRPDC"
Client started (version 4.7.4-SerNet-Ubuntu-6.trusty).
Connecting to 172.16.10.21 at port 445
Socket options:
  SO_KEEPALIVE = 0  SO_REUSEADDR = 0  SO_BROADCAST = 0  TCP_NODELAY = 1  TCP_KEEPCNT = 9  TCP_KEEPIDLE = 7200  TCP_KEEPINTVL = 75  IPTOS_LOWDELAY = 0  IPTOS_THROUGHPUT = 0  SO_REUSEPORT = 0  SO_SNDBUF = 87040  SO_RCVBUF = 372480  SO_SNDLOWAT = 1  SO_RCVLOWAT = 1  SO_SNDTIMEO = 0  SO_RCVTIMEO = 0  TCP_QUICKACK = 1  TCP_DEFER_ACCEPT = 0
session request ok
negotiated dialect[SMB2_02] against server[172.16.10.21]
got OID=1.2.840.48018.1.2.2
Kerberos auth with 'administrator at IUMNET.EDU.NA' (IUMNET\root) to access '172.16.10.21' not possible
SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
session setup failed: NT_STATUS_ACCESS_DENIED

Here is the smb.conf dump from DC-2:

# Global parameters
[global]
	netbios name = IUMSVRPDC
	realm = IUMNET.EDU.NA
	workgroup = IUMNET
	server role = active directory domain controller
	dns forwarder = 172.16.10.254
	# server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
	allow dns updates = nonsecure and secure
	ntlm auth = yes
	ldap server require strong auth = no
	time server = Yes
	template shell = /bin/bash
	template homedir = /home/%U
	# idmap config * : backend = tdb
	# idmap config *:range = 50000-1000000
	full_audit:prefix = %u|%I|%m|%S
	full_audit:failure = connect
	full_audit:success = connect disconnect
	tls enabled = yes
	tls keyfile = tls/key.pem
	tls certfile = tls/cert.pem
	tls cafile = tls/ca.pem
	log level = 9 dns:0

[netlogon]
	path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
	read only = No
	browsable = no

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

samba-tool drs showrepl on DC-1 is replicating successfully except for the entry below under INBOUND NEIGHBORS:

DC=iumnet,DC=edu,DC=na
	Default-First-Site-Name\IUMSVRPDC via RPC
		DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
		Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed, result 58 (WERR_BAD_NET_RESP)
		17863 consecutive failure(s).
		Last success @ Sat Jan 13 23:16:52 2018 WAST

samba-tool drs showrepl on DC-2 is replicating successfully except for the entry below under INBOUND NEIGHBORS:

CN=Configuration,DC=iumnet,DC=edu,DC=na
	Default-First-Site-Name\IUMDCDP01 via RPC
		DSA object GUID: 8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe
		Last attempt @ Tue Jan 16 14:26:56 2018 CAT failed, result 58 (WERR_BAD_NET_RESP)
		1926 consecutive failure(s).
		Last success @ Tue Jan 9 14:15:43 2018 CAT

Harsh Kukreja
Systems Administrator
International University of Namibia
Tel: 061-4336000 - E-mail: h.kukreja @ium.edu.na - Web: http://www.ium.edu.na
Private Bag 14005, Bachbrech. 21-31 Hercules Street, Dorado Park, Windhoek, NAMIBIA

On Tue, Jan 16, 2018 at 11:49 AM, Denis Cardon <dcardon at tranquil.it> wrote:
> Hi Harsh,
>
>> I have two Samba 4 DCs as below
>> server-1 with all FSMO roles running Samba 4.6.12 on Ubuntu 12.04
>> server-2 joined to server-1 as a DC running Samba 4.7.4 Ubuntu 16.04
>>
>> The problem is when I share files from my Windows 2008 file sharing server
>> which shows it is logged on to Server-2 DC and the client PC which logs on
>> to the server-1 DC cannot access the shared folder and gives an error
>> Logon Failure: The target account name is incorrect.
>
> Windows error messages are not very sysadmin friendly. Could you please
> use instead the smbclient command line from a domain member linux client to do
> your debugging:
> kinit myusername
> smbclient -k //win2k8server/sharename -d 9
>
> And do it both with dc1 on and off.
>
>> To fix the problem I have to shutdown server-2 DC and restart my Windows
>> File server which logs on to the server-1 and then the client can access
>> the shared folder.
>
> Could you check if replication is working properly?
> samba-tool drs showrepl
>
>> Please assist to fix this issue as I have to run both the DCs in the
>> network.
>
> You should avoid wordings like "please assist for fix". It is deemed rude
> (at least in my culture) to give orders to people who don't owe you
> anything... There are many kind people on this mailing list that would be
> happy to help, but this kind of wording just makes them dismiss your message
> directly.
>
> Cheers,
>
> Denis
>
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
On Tue, 16 Jan 2018 14:31:09 +0200
Harsh Kukreja via samba <samba at lists.samba.org> wrote:
> ...

I would make some changes to your smb.conf files:

On DC-1, I would remove these lines:

	domain master = yes
	preferred master = yes
	password server = 172.16.10.5
	client use spnego = no
	client ldap sasl wrapping = sign
	full_audit:prefix = %u|%I|%m|%S
	full_audit:failure = connect
	full_audit:success = connect disconnect

They are either default settings, shouldn't be used, or, in the case of the
'full_audit' lines, they will do nothing because you haven't set
'vfs objects = full_audit'.

On DC-2 I would remove the 'full_audit' lines for the same reason as DC-1.

I would change (on both DCs) 'allow dns updates = nonsecure and secure' to
'allow dns updates = nonsecure'.

Rowland
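The cleanup Rowland describes (and Denis repeats in his reply) is easy to check mechanically. Below is an added editor's example, not code from the Samba project or from anyone in this thread: a small Python lint over an smb.conf (or `testparm -s`) dump that flags `full_audit:*` options when `vfs objects` does not load `full_audit` (they are silently ignored), flags `client use spnego = no` (without SPNEGO the client side cannot negotiate Kerberos, which is what `smbclient -k` asks for), and lists the parameters from Rowland's removal list. It also adds two caveats the thread does not state: any `allow dns updates` value other than the `secure only` default, including the `nonsecure` Rowland proposes, accepts unauthenticated dynamic DNS updates; and `ntlm auth = yes` (NTLMv1 allowed) together with `ldap server require strong auth = no` (simple binds and unsigned LDAP) weaken authentication on a DC. `DC1_CONF` is DC-1's posted configuration trimmed to the relevant lines; `HARDENED_CONF`, the `Finding` class and the function names are the example's own.

```python
# Lint a Samba AD DC smb.conf for the issues raised in this thread.
# Editor's example, not Samba project code.  Input is smb.conf text (or a
# `testparm -s` dump); output is a list of findings on the [global] section.
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "error", "warn" or "info"
    param: str
    message: str


# Parameters Rowland says to drop from a DC's smb.conf (defaults, NT4-era, or
# meaningless on an AD DC).
OBSOLETE_ON_DC = {"domain master", "preferred master", "password server",
                  "client ldap sasl wrapping"}
_OFF = {"no", "false", "0"}


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """{section: {param: value}}; names lower-cased, whitespace collapsed, as Samba does."""
    sections: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections


def lint_global(conf: dict[str, dict[str, str]]) -> list[Finding]:
    """Return findings for [global], in check order."""
    g = conf.get("global", {})
    out: list[Finding] = []

    # full_audit:* options are read only by the full_audit VFS module.
    audit_opts = [k for k in g if k.startswith("full_audit:")]
    if audit_opts and "full_audit" not in g.get("vfs objects", "").lower().split():
        out.append(Finding("warn", "full_audit:*",
                           f"{len(audit_opts)} option(s) set but 'vfs objects' does not "
                           "load full_audit, so no audit records are produced"))

    # With SPNEGO disabled the client side cannot negotiate Kerberos.
    if g.get("client use spnego", "yes").lower() in _OFF:
        out.append(Finding("error", "client use spnego",
                           "SPNEGO disabled for outgoing connections; Kerberos "
                           "(smbclient -k, winbind) cannot be negotiated"))

    # Any policy other than the default 'secure only' accepts unsigned updates.
    dns = g.get("allow dns updates", "secure only").lower()
    if dns != "secure only":
        out.append(Finding("warn", "allow dns updates",
                           f"'{dns}' accepts unauthenticated dynamic DNS updates "
                           "(default is 'secure only')"))

    for p in sorted(OBSOLETE_ON_DC & set(g)):
        out.append(Finding("info", p, "not needed on an AD DC; remove it"))

    # Authentication-weakening settings (editor's caveats, not raised in the thread).
    if g.get("ntlm auth", "ntlmv2-only").lower() in {"yes", "true", "1", "ntlmv1-permitted"}:
        out.append(Finding("warn", "ntlm auth", "NTLMv1 accepted (default is 'ntlmv2-only')"))
    if g.get("ldap server require strong auth", "yes").lower() in _OFF:
        out.append(Finding("warn", "ldap server require strong auth",
                           "simple binds and unsigned LDAP accepted by the DC"))
    return out


# DC-1's [global] as posted in the thread, reduced to the lines the lint looks at.
DC1_CONF = """
[global]
	domain master = yes
	preferred master = yes
	password server = 172.16.10.5
	allow dns updates = nonsecure and secure
	ntlm auth = yes
	client use spnego = no
	client ldap sasl wrapping = sign
	ldap server require strong auth = no
	full_audit:prefix = %u|%I|%m|%S
	full_audit:success = connect disconnect
"""

# Constructed hardened variant: trimmed as Rowland suggests, SPNEGO left at its
# default, the audit module actually loaded, DNS updates back to 'secure only'.
HARDENED_CONF = """
[global]
	allow dns updates = secure only
	vfs objects = dfs_samba4 acl_xattr full_audit
	full_audit:prefix = %u|%I|%m|%S
	full_audit:success = connect disconnect
"""
```

On a real DC, feed it `lint_global(parse_smb_conf(open("/etc/samba/smb.conf").read()))` or the output of `testparm -s`; an empty list for the hardened variant is the expected outcome, and the `error` finding is the one to clear before retrying `smbclient -k`.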
Hi Harsh,

> Thanks for your advice I will not use these wordings here.

thanks!

> Please check the result below when I run the command on the DC-1 when
> DC-2 is off or on
> smbclient -k //IUMSVRAPP01/Pastel12 -d 9
> ...
> session setup failed: NT_STATUS_INVALID_PARAMETER_MIX

Looking at this message, I would start with doing some cleanup in your
smb.conf. I would trim your smb.conf like below:

> Here is the smb.conf dump from DC-1:
> # Global parameters

[global]
	workgroup = IUMNET
	realm = IUMNET.EDU.NA
	netbios name = IUMDCDP01
	server role = active directory domain controller
	dns forwarder = 172.16.10.254
	allow dns updates = nonsecure and secure
	ntlm auth = yes
	client use spnego = no
	client ldap sasl wrapping = sign
	ldap server require strong auth = no
	full_audit:prefix = %u|%I|%m|%S
	full_audit:failure = connect
	full_audit:success = connect disconnect
	log level = 9 dns:0

[netlogon]
	path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
	read only = No
	browsable = no

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

You'd better switch your DNS to Bind-DLZ. Internal DNS is not that good for
a larger site (looking at your DNS domain name, I guess it might be a
university). You can take a look there [1].

And I wouldn't store anything else than AD stuff on an AD DC, like below:

> [softshare]
> path = /home/administrator/ad
> read only = No

> When I ran the same command on DC-2 (Samba 4.7.4)
>
> smbclient -k //172.16.10.21/Pastel12 -d 9

When doing Kerberos authentication, you shouldn't use an IP address,
otherwise Kerberos won't work. Try it again with the real DNS name.

> ...
> got OID=1.2.840.48018.1.2.2
> Kerberos auth with 'administrator at IUMNET.EDU.NA' (IUMNET\root) to access
> '172.16.10.21' not possible
> SPNEGO login failed: {Access Denied} A process has requested access to
> an object but has not been granted those access rights.
> session setup failed: NT_STATUS_ACCESS_DENIED

You can clean up your smb.conf the same way as pointed out before.

> Here is the smb.conf dump from DC-2:
> ...

> samba-tool drs showrepl on DC-1 is replicating successfully except for
> the entry below under INBOUND NEIGHBORS:
>
> DC=iumnet,DC=edu,DC=na
>     Default-First-Site-Name\IUMSVRPDC via RPC
>         DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
>         Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed, result 58 (WERR_BAD_NET_RESP)
>         17863 consecutive failure(s).
>         Last success @ Sat Jan 13 23:16:52 2018 WAST

This is probably your error. Replication of your main partition is not
working. Domain members are changing their machine password once a month. If
it has been changed on one of the servers, but the replication didn't go
through to the other, it is normal to get the failure you are having.

You should look at your samba log when trying replication for that partition.
There is probably a corrupted entry somewhere that is preventing replication.

> samba-tool drs showrepl on DC-2 is replicating successfully except for
> the entry below under INBOUND NEIGHBORS:
>
> CN=Configuration,DC=iumnet,DC=edu,DC=na
>     Default-First-Site-Name\IUMDCDP01 via RPC
>         DSA object GUID: 8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe
>         Last attempt @ Tue Jan 16 14:26:56 2018 CAT failed, result 58 (WERR_BAD_NET_RESP)
>         1926 consecutive failure(s).
>         Last success @ Tue Jan 9 14:15:43 2018 CAT

This is not good either, and should be resolved too.

Cheers,

Denis

[1] It is in French, but your favorite search engine should be able to
translate it for you: https://dev.tranquil.it/wiki/SAMBA_-_Integration_avec_bind9

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
Hi Denis & Rowland

Thanks for the suggestion to trim the smb.conf, after which DC-1 is connecting
to the Windows Server 2008 shared folder:

smbclient -k //IUMSVRAPP01/Pastel12 -d 9

and DC-2 is also connecting after using the DNS name of the Windows server.

> You'd better switch your DNS to Bind-DLZ. Internal DNS is not that good
> for larger site (looking at your DNS domain name, I guess it might be a
> university). You can take a look there [1]

Yes, you are right, we are a University which is growing every year and I want
to switch from INTERNAL DNS to BIND-DLZ. I will follow the instructions given
in your wiki link but before doing so I would like to clear a few doubts:

1. Can I migrate from Internal to Bind-DLZ in a running samba environment?
2. Will it migrate all the current DNS records?
3. Do I have to do the same migration for the other samba DCs in the network?
4. I also have a samba RODC in the network, so do I have to migrate it from Internal to Bind-DLZ?
5. Do I have to install the Bind-DLZ package on a different machine or can it be installed on the same Samba machine?

>> samba-tool drs showrepl on DC-1 is replicating successfully except for
>> the entry below under INBOUND NEIGHBORS:
>>
>> DC=iumnet,DC=edu,DC=na
>>     Default-First-Site-Name\IUMSVRPDC via RPC
>>         DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
>>         Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed, result 58 (WERR_BAD_NET_RESP)
>>         17863 consecutive failure(s).
>>         Last success @ Sat Jan 13 23:16:52 2018 WAST
>
> This is probably your error. Replication of your main partition is not
> working. Domain members are changing their machine password once a month.
> If it has been changed on one of the servers, but the replication didn't
> go through to the other, it is normal to get the failure you are having.
>
> You should look at your samba log when trying replication for that
> partition. There is probably a corrupted entry somewhere that is
> preventing replication.
Can you please give a few steps on how to check the drs replication logs,
find out the corrupted entry and remove it.

Also I am trying to remove one offline RODC which I joined last month for
testing, using the command below, which is failing:

samba-tool domain demote --remove-other-dead-server='iumong-rodc.iumnet.edu.na' -UAdministrator
ERROR: Demote failed: DemoteException: iumong-rodc.iumnet.edu.na is not an AD DC in iumnet.edu.na
A transaction is still active in ldb context [0x22b0b20] on tdb:///var/lib/samba/private/sam.ldb

I am also trying to remove the offline RODC record manually, which is failing:

ldbedit -e nano -H tdb:///var/lib/samba/private/sam.ldb 'IUMONG-RODC'
failed to delete CN=IUMONG-RODC,OU=Domain Controllers,DC=iumnet,DC=edu,DC=na - ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3643: Failed to remove backlink of msDS-RevealedDSAs when deleting CN=IUMONG-RODC,OU=Domain Controllers,DC=iumnet,DC=edu,DC=na: (null)

How can I manually remove the records for the offline DC?

Regards
Harsh

On Tue, Jan 16, 2018 at 3:31 PM, Denis Cardon <dcardon at tranquil.it> wrote:
> ...
I would trim your smb.conf like below: > > *Here is the smb.conf dump from DC-1:* >> # Global parameters >> > [global] > workgroup = IUMNET > realm = IUMNET.EDU.NA > netbios name = IUMDCDP01 > server role = active directory domain controller > dns forwarder = 172.16.10.254 > allow dns updates = nonsecure and secure > ntlm auth = yes > client use spnego = no > client ldap sasl wrapping = sign > ldap server require strong auth = no > full_audit:prefix = %u|%I|%m|%S > full_audit:failure = connect > full_audit:success = connect disconnect > log level = 9 dns:0 > > [netlogon] > path = /var/lib/samba/sysvol/iumnet.edu.na/scripts > read only = No > browsable = no > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > You'd better switch your DNS to Bind-DLZ. Internal DNS is not that good > for larger site (looking at your DNS domain name, I guess it might be a > university). You can take a look there [1] > > And I wouldn't store anything else than AD stuff on an AD like below: > > [softshare] >> path = /home/administrator/ad >> read only = No >> > > > > *When I ran the same command on DC-2 ( Samba 4.7.4) * >> >> smbclient -k //172.16.10.21/Pastel12 -d 9 >> > > When doing Kerberos authentication, you shouldn't use ip address, > otherwise kerberos won't work. Try it again with real DNS name. > > > ... > >> got OID=1.2.840.48018.1.2.2 >> Kerberos auth with 'administrator at IUMNET.EDU.NA >> <mailto:administrator at IUMNET.EDU.NA>' (IUMNET\root) to access >> '172.16.10.21' not possible >> SPNEGO login failed: {Access Denied} A process has requested access to >> an object but has not been granted those access rights. >> session setup failed: NT_STATUS_ACCESS_DENIED >> >> > You can cleanup your smb.conf the same way as pointed before. 
>> Here is the smb.conf dump from DC-2:
>>
>> # Global parameters
>> [global]
>> netbios name = IUMSVRPDC
>> realm = IUMNET.EDU.NA
>> workgroup = IUMNET
>> server role = active directory domain controller
>> dns forwarder = 172.16.10.254
>> # server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
>> allow dns updates = nonsecure and secure
>> ntlm auth = yes
>> ldap server require strong auth = no
>> time server = Yes
>> template shell = /bin/bash
>> template homedir = /home/%U
>> # idmap config * : backend = tdb
>> # idmap config *:range = 50000-1000000
>> full_audit:prefix = %u|%I|%m|%S
>> full_audit:failure = connect
>> full_audit:success = connect disconnect
>> tls enabled = yes
>> tls keyfile = tls/key.pem
>> tls certfile = tls/cert.pem
>> tls cafile = tls/ca.pem
>> log level = 9 dns:0
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
>> read only = No
>> browsable = no
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> samba-tool drs showrepl on DC-1 is replicating successfully except for the below under INBOUND NEIGHBORS:
>>
>> DC=iumnet,DC=edu,DC=na
>> Default-First-Site-Name\IUMSVRPDC via RPC
>> DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
>> Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed, result 58 (WERR_BAD_NET_RESP)
>> 17863 consecutive failure(s).
>> Last success @ Sat Jan 13 23:16:52 2018 WAST
>
> This is probably your error. Replication of your main partition is not working. Domain members are changing their machine password once a month. If it has been changed on one of the servers, but the replication didn't go through to the other, it is normal to get the failure you are having.
>
> You should look at your samba log when trying replication for that partition. There is probably a corrupted entry somewhere that is preventing replication.
>> samba-tool drs showrepl on DC-2 is replicating successfully except for the below under INBOUND NEIGHBORS:
>>
>> CN=Configuration,DC=iumnet,DC=edu,DC=na
>> Default-First-Site-Name\IUMDCDP01 via RPC
>> DSA object GUID: 8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe
>> Last attempt @ Tue Jan 16 14:26:56 2018 CAT failed, result 58 (WERR_BAD_NET_RESP)
>> 1926 consecutive failure(s).
>> Last success @ Tue Jan 9 14:15:43 2018 CAT
>
> This is not good either, and should be resolved too.
>
> Cheers,
>
> Denis
>
> [1] It is in French, but your favorite search engine should be able to translate it for you: https://dev.tranquil.it/wiki/SAMBA_-_Integration_avec_bind9
>
>> On Tue, Jan 16, 2018 at 11:49 AM, Denis Cardon <dcardon at tranquil.it> wrote:
>>
>> Hi Harsh,
>>
>>> I have two Samba 4 DC's as below:
>>> server-1 with all FSMO roles running Samba 4.6.12 on Ubuntu 12.04
>>> server-2 joined to server-1 as a DC running Samba 4.7.4 on Ubuntu 16.04
>>>
>>> The problem is when I share files from my Windows 2008 file sharing server, which shows it is logged on to the Server-2 DC, the client PC which logs on to the server-1 DC cannot access the shared folder and gives an error: Logon Failure: The target account name is incorrect.
>>
>> Windows error messages are not very sysadmin friendly. Could you please use the smbclient command line from a domain member Linux client instead to do your debugging:
>> kinit myusername
>> smbclient -k //win2k8server/sharename -d 9
>>
>> And do it both with dc1 on and off.
>>> To fix the problem I have to shut down the server-2 DC and restart my Windows File server, which then logs on to server-1, and then the client can access the shared folder.
>>
>> Could you check if replication is working properly?
>> samba-tool drs showrepl
>>
>>> Please assist to fix this issue as I have to run both the DC's in the network.
>>
>> You should avoid wordings like "please assist for fix". It is deemed rude (at least in my culture) to give orders to people who don't owe you anything... There are many kind people on this mailing list that would be happy to help, but this kind of wording just makes them dismiss your message directly.
>>
>> Cheers,
>>
>> Denis
>>
>> --
>> Denis Cardon
>> Tranquil IT Systems
>> Les Espaces Jules Verne, bâtiment A
>> 12 avenue Jules Verne
>> 44230 Saint Sébastien sur Loire
>> tel : +33 (0) 2.40.97.57.55
>> http://www.tranquil-it-systems.fr
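As an added example (not from the thread) to go with the samba-tool drs showrepl output quoted above: a small Python parser for showrepl output that flags links in the state Denis points at, such as the DC=iumnet partition with 17863 consecutive failures, so a monitoring check can alert before a rotated machine password fails to replicate. The sample output is constructed in showrepl's layout from the figures quoted in the thread; parse_showrepl and broken_links are names chosen here.

```python
import re

SECTION = re.compile(r"^==== (INBOUND|OUTBOUND) NEIGHBORS ====$")
NEIGHBOR = re.compile(r"^\t(\S+) via \S+$")          # one tab: the partner DC
FAILED = re.compile(r"failed, result \d+ \((\w+)\)")  # e.g. result 58 (WERR_BAD_NET_RESP)
COUNT = re.compile(r"(\d+) consecutive failure")
SUCCESS = re.compile(r"Last success @ (.+)$")

# Constructed sample in showrepl's layout, using the figures quoted in the thread.
SAMPLE = """==== INBOUND NEIGHBORS ====

CN=Configuration,DC=iumnet,DC=edu,DC=na
\tDefault-First-Site-Name\\IUMSVRPDC via RPC
\t\tLast attempt @ Tue Jan 16 14:24:05 2018 WAST was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Tue Jan 16 14:24:05 2018 WAST

DC=iumnet,DC=edu,DC=na
\tDefault-First-Site-Name\\IUMSVRPDC via RPC
\t\tLast attempt @ Tue Jan 16 14:24:05 2018 WAST failed, result 58 (WERR_BAD_NET_RESP)
\t\t17863 consecutive failure(s).
\t\tLast success @ Sat Jan 13 23:16:52 2018 WAST

==== KCC CONNECTION OBJECTS ====
"""

def parse_showrepl(text):
    """One dict per link under INBOUND/OUTBOUND NEIGHBORS; other sections are skipped."""
    links, direction, partition, cur = [], None, None, None
    for line in text.splitlines():
        if line.startswith("===="):              # section header
            m = SECTION.match(line)
            direction = m.group(1) if m else None
        elif direction is None or not line.strip():
            continue
        elif not line.startswith("\t"):          # naming context at column 0
            partition = line.strip()
        elif m := NEIGHBOR.match(line):
            cur = {"direction": direction, "partition": partition, "peer": m.group(1),
                   "failures": 0, "result": "WERR_OK", "last_success": ""}
            links.append(cur)
        elif cur is not None:                    # two tabs: status of the current link
            if m := FAILED.search(line): cur["result"] = m.group(1)
            if m := COUNT.search(line): cur["failures"] = int(m.group(1))
            if m := SUCCESS.search(line): cur["last_success"] = m.group(1)
    return links

def broken_links(links):
    """Links showrepl reports as failing: the condition a monitoring check should alert on."""
    return [l for l in links if l["failures"] > 0 or l["result"] != "WERR_OK"]
```

Feed it the real output with `parse_showrepl(subprocess.check_output(["samba-tool", "drs", "showrepl"], text=True))` and alert on a non-empty `broken_links` result.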