On Sun, Nov 10, 2019 at 11:00:20AM +0000, Rowland penny via samba wrote:
> On 10/11/2019 10:49, andi via samba wrote:
> > Hello,
> >
> > I have configured a samba AD DC for use with
> > some windows and linux machines. The linux machines use
> > samba for user auth and also as kerberos kdc for
> > nfs mounts. This works fine so far, but after a while
> > the user can not access the nfs shares anymore.
> >
> > I tried to analyze the problem and finally found that
> > obtaining a ticket for the nfs service fails in this
> > case because of a wrong spn: nfs/servername at ... instead of
> > nfs/fqdnservername at ... is used by the clients to get the
> > ticket.
> >
> > I tracked the problem down to an invalid PTR record for
> > the DC in the reverse lookup zone. The ptr record
> > had only the hostname but not the fqdn set.
> >
> > I manually fixed this using samba-tool dns add/delete and nfs
> > mount worked again. Unfortunately, after a while the record
> > gets changed back again. I was unable to figure out how this
> > happens. It seems that the change occurs while the
> > 'samba_dnsupdate' tool is running, but I didn't find where in
> > 'samba_dnsupdate' the PTR record is set. I didn't find a suitable
> > log setting in smb.conf which would help me to find the origin
> > of the dns change (loglevel 12 for dns produces lots of output
> > but nothing related to setting PTR records).
> >
> > samba version is 4.9.5-Debian
> >
> > Any ideas/help?
> >
> > cheers,
> > Andreas
> >
> OK, let's start by making sure your DC and clients are set up correctly. Can
> you download this:
>
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Run it on the Samba AD DC and a Unix client, then post the output into a
> reply to this thread, do not attach it, this list strips attachments.
Maybe one thing in advance: I'm using a typical DSL wallbox which is doing
telephone, dhcp and dns (.183.1 address). I have set up its internal DNS so that
ad.home.arpa, .ad.home.arpa and 183.168.192.in-addr.arpa are forwarded
to the DC (.183.5 address).

Here is the output for the server:
Collected config --- 2019-11-10-18:30 -----------
Hostname: kronos
DNS Domain: ad.home.arpa
FQDN: kronos.ad.home.arpa
ipaddress: 192.168.183.5 2003:e3:570b:9400:f6xx:xxff:fexx:xxxx 2003:e3:5705:5200:f6xx:xxff:fexx:xxxxxx fd1f:6d10:24a0:1:f6xx:xxff:fexx:xxxx
-----------
Kerberos SRV _kerberos._tcp.ad.home.arpa record verified ok, sample output:
Server: 192.168.183.1
Address: 192.168.183.1#53
_kerberos._tcp.ad.home.arpa service = 0 100 88 kronos.ad.home.arpa.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Devuan GNU/Linux 3 (beowulf)"
NAME="Devuan GNU/Linux"
VERSION_ID="3"
VERSION="3 (beowulf)"
VERSION_CODENAME=beowulf
ID=debian
ID_LIKE=debian
HOME_URL="https://www.devuan.org/"
SUPPORT_URL="https://devuan.org/os/community"
BUG_REPORT_URL="https://bugs.devuan.org/"
-----------
This computer is running Devuan beowulf/ceres x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether f4:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 192.168.183.5/24 brd 192.168.183.255 scope global dynamic eth0
valid_lft 800299sec preferred_lft 800299sec
inet6 2003:e3:570b:9400:f6xx:xxff:fexx:xxxx/64 scope global dynamic mngtmpaddr
valid_lft 6558sec preferred_lft 1158sec
inet6 2003:e3:5705:5200:f6xx:xxff:fexx:xxxx/64 scope global deprecated dynamic mngtmpaddr
valid_lft 3695sec preferred_lft 0sec
inet6 fd1f:6d10:24a0:1:f6xx:xxff:fexx:xxxx/64 scope global dynamic mngtmpaddr
valid_lft 6558sec preferred_lft 2958sec
inet6 fe80::f6xx:xxff:fexx:xxxx/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
domain ad.home.arpa
search ad.home.arpa
nameserver 192.168.183.1
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = AD.HOME.ARPA
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files sss
group: files sss
shadow: files sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
# dns forwarder = 192.168.183.1
netbios name = KRONOS
realm = AD.HOME.ARPA
server role = active directory domain controller
workgroup = OLYMP
idmap_ldb:use rfc2307 = yes
#idmap config * : backend = tdb
#idmap config * : range = 4000 - 8999
#idmap config OLYMP:backend = ad
#idmap config OLYMP:schema_mode = rfc2307
#idmap config OLYMP:range = 1100-4000
#idmap config OLYMP:unix_nss_info = yes
#idmap config OLYMP:unix_primary_group = yes
vfs objects = acl_xattr
map acl inherit = yes
#store dos attributes = yes
kerberos method = system keytab
# log level = 1 kerberos:12
log level = 3 dns:2
[netlogon]
path = /var/lib/samba/sysvol/ad.home.arpa/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:
ii attr 1:2.4.48-4
amd64 utilities for manipulating filesystem extended attributes
ii krb5-admin-server 1.17-3
amd64 MIT Kerberos master server (kadmind)
ii krb5-config 2.6
all Configuration files for Kerberos Version 5
ii krb5-kdc 1.17-3
amd64 MIT Kerberos key server (KDC)
ii krb5-kdc-ldap 1.17-3
amd64 MIT Kerberos key server (KDC) LDAP plugin
ii krb5-locales 1.17-3
all internationalization support for MIT Kerberos
ii krb5-user 1.17-3
amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4
amd64 access control list - shared library
ii libacl1-dev:amd64 2.2.53-4
amd64 access control list - static libraries and headers
ii libattr1:amd64 1:2.4.48-4
amd64 extended attribute handling - shared library
ii libattr1-dev:amd64 1:2.4.48-4
amd64 extended attributes handling - static libraries and headers
ii libcrypt-smbhash-perl 0.12-4
all generate LM/NT hash of a password for samba
ii libgssapi-krb5-2:amd64 1.17-3
amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3
amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3
amd64 MIT Kerberos runtime libraries - Support library
ii libpam-krb5:amd64 4.8-2
amd64 PAM module for MIT Kerberos
ii libsmbclient:amd64 2:4.9.5+dfsg-5+deb10u1
amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1
amd64 Samba winbind client library
ii python-samba 2:4.9.5+dfsg-5+deb10u1
amd64 Python bindings for Samba
ii samba 2:4.9.5+dfsg-5+deb10u1
amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5+deb10u1
all common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1
amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1
amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1
amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1
amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.9.5+dfsg-5+deb10u1
amd64 command-line SMB/CIFS clients for Unix
ii sssd-krb5 1.16.3-3.1
amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.16.3-3.1
amd64 System Security Services Daemon -- Kerberos helpers
ii winbind 2:4.9.5+dfsg-5+deb10u1
amd64 service to resolve user and group information from Windows NT servers
-----------
And for the client:
Collected config --- 2019-11-10-18:36 -----------
Hostname: iris
DNS Domain: ad.home.arpa
FQDN: iris.ad.home.arpa
ipaddress: 192.168.183.22 2003:e3:570b:9400:4exx:xxff:fexx:xxxx fd1f:6d10:24a0:1:4exx:xxff:fexx:xxxx
-----------
Kerberos SRV _kerberos._tcp.ad.home.arpa record verified ok, sample output:
Server: 127.0.0.1
Address: 127.0.0.1#53
_kerberos._tcp.ad.home.arpa service = 0 100 88 kronos.ad.home.arpa.
Samba is not being run as a DC or a Unix domain member.
-----------
Checking file: /etc/os-release
PRETTY_NAME="Devuan GNU/Linux ascii"
NAME="Devuan GNU/Linux"
ID=devuan
ID_LIKE=debian
HOME_URL="https://www.devuan.org/"
SUPPORT_URL="https://devuan.org/os/community"
BUG_REPORT_URL="https://bugs.devuan.org/"
-----------
This computer is running Devuan ascii x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 4c:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 192.168.183.22/24 brd 192.168.183.255 scope global dynamic wlan0
valid_lft 863507sec preferred_lft 863507sec
inet6 2003:e3:570b:9400:4exx:xxff:fexx:xxxx/128 scope global dynamic
valid_lft 6964sec preferred_lft 1564sec
inet6 fd1f:6d10:24a0:1:4exx:xxff:fexx:xxxx/64 scope global noprefixroute dynamic
valid_lft 6964sec preferred_lft 3364sec
inet6 fe80::4exx:xxff:fexx:xxxx/64 scope link
3: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 50:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
4: enx000011121314: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:00:11:12:13:14 brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
127.0.0.1 iris.ad.home.arpa iris
127.0.0.1 localhost.localdomain localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
# Generated by NetworkManager
search ad.home.arpa
nameserver 127.0.0.1
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = AD.HOME.ARPA
dns_lookup_realm = false
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
AD.HOME.ARPA = {
kdc = kronos.ad.home.arpa
default_domain = ad.home.arpa
}
[domain_realm]
ad.home.arpa = AD.HOME.ARPA
.ad.home.arpa = AD.HOME.ARPA
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files sss
group: files sss
shadow: files sss
gshadow: files
hosts: files mdns4_minimal dns myhostname
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
-----------
Warning, does not exist
-----------
Installed packages:
ii acl 2.2.52-3+b1
amd64 Access control list utilities
ii krb5-config 2.6
all Configuration files for Kerberos Version 5
ii krb5-locales 1.15-1+deb9u1
all internationalization support for MIT Kerberos
ii krb5-user 1.15-1+deb9u1
amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1
amd64 Access control list shared library
ii libattr1:amd64 1:2.4.47-2+b2
amd64 Extended attribute shared library
ii libdb-je-java 3.3.98-1
all Oracle Berkeley Database Java Edition
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1
amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libgssapi-krb5-2:i386 1.15-1+deb9u1
i386 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.15-1+deb9u1
amd64 MIT Kerberos runtime libraries
ii libkrb5-3:i386 1.15-1+deb9u1
i386 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1
amd64 MIT Kerberos runtime libraries - Support library
ii libkrb5support0:i386 1.15-1+deb9u1
i386 MIT Kerberos runtime libraries - Support library
ii libsmbclient:amd64 2:4.5.16+dfsg-1+deb9u2
amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.5.16+dfsg-1+deb9u2
amd64 Samba winbind client library
ii python-samba 2:4.5.16+dfsg-1+deb9u2
amd64 Python bindings for Samba
ii samba-common 2:4.5.16+dfsg-1+deb9u2
all common files used by both the Samba server and client
ii samba-common-bin 2:4.5.16+dfsg-1+deb9u2
amd64 Samba common files used by both the server and the client
ii samba-libs:amd64 2:4.5.16+dfsg-1+deb9u2
amd64 Samba core libraries
ii spice-client-glib-usb-acl-helper 0.33-3.3+deb9u1
amd64 Helper tool to validate usb ACLs
ii sssd-krb5 1.15.0-3
amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.15.0-3
amd64 System Security Services Daemon -- Kerberos helpers
ii vlc-plugin-samba:amd64 3.0.8-0+deb9u1
amd64 Samba plugin for VLC
-----------
cheers,
Andreas
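An added check, written for this reply and not part of the thread or of the samba-collect-debug-info.sh script, that detects the fault Andreas describes: a PTR record that carries only the short hostname, so that a Kerberos client which canonicalises the server name through reverse DNS (MIT krb5 does this by default, rdns = true) ends up requesting nfs/servername@REALM instead of nfs/fqdn@REALM. The zone contents below are constructed sample data modelled on the hostnames in the thread, not the poster's real records.

```python
"""Forward/reverse DNS consistency check for Kerberos service principals."""

# Constructed sample zone data (hypothetical): the DC's PTR holds only the
# short hostname, which is the fault in the thread; the client's PTR is fine.
FORWARD = {
    "kronos.ad.home.arpa.": "192.168.183.5",
    "iris.ad.home.arpa.": "192.168.183.22",
}
REVERSE = {
    "192.168.183.5": "kronos",
    "192.168.183.22": "iris.ad.home.arpa.",
}


def qualify(name: str) -> str:
    """Return the name in absolute form (trailing dot), as a zone stores it."""
    return name if name.endswith(".") else name + "."


def check_host(fqdn: str, realm: str, forward=FORWARD, reverse=REVERSE):
    """Return (ok, reason, spn) for one host's A/PTR pair.

    spn is the principal an rdns-canonicalising client would request for
    the nfs service, built from whatever the PTR returns; it is reported
    even on failure so the operator sees the wrong name the KDC will get."""
    ip = forward.get(qualify(fqdn))
    if ip is None:
        return False, "no A record", None
    ptr = reverse.get(ip)
    if ptr is None:
        return False, f"no PTR record for {ip}", None
    host = ptr.rstrip(".")
    spn = f"nfs/{host}@{realm}"
    if "." not in host:
        # Bare hostname: this produces the nfs/servername@REALM request
        # that the KDC cannot match against nfs/fqdn@REALM.
        return False, f"PTR for {ip} is a bare hostname ({ptr})", spn
    if qualify(ptr).lower() != qualify(fqdn).lower():
        return False, f"PTR for {ip} is {ptr}, expected {qualify(fqdn)}", spn
    return True, "forward and reverse agree", spn


def audit(realm: str, forward=FORWARD, reverse=REVERSE):
    """Check every A record; return (fqdn, reason, spn) for failing hosts."""
    failures = []
    for fqdn in forward:
        ok, reason, spn = check_host(fqdn, realm, forward, reverse)
        if not ok:
            failures.append((fqdn, reason, spn))
    return failures
```

Running audit() against the zone after each samba_dnsupdate run, with the two dicts replaced by real A and PTR lookups, shows at once whether the DC's PTR has reverted to the bare hostname.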