samba - Oct 2020 - new dc does not allow login..?

In installed a new DC (Samba 4.12.8 on Ubuntu 20.4) and initially everything
appeared to work smoothly. Now I experience issues:

 

DCDIAG /s:cobra.samba.lindenberg.one

 

Directory Server Diagnosis

 

Performing initial setup:

   [cobra.samba.lindenberg.one] LDAP bind failed with error 1326,

   The user name or password is incorrect..

 

With the other DC (still samba 4.11.14 on Ubuntu 18.4) many test succeed, but
replication is obviously stuck due to the authentication issue.

 

Systemctl status samba-ad-dc reports

 

Oct 22 16:17:17 cobra samba[824]: [2020/10/22 16:17:17.907065,  0]
../../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)

Oct 22 16:17:17 cobra samba[824]:   Failed to bind to uuid
e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:192.168.177.18[49153,seal,krb5,target_hostname=53959b67-65fb-493d-8fde-4880ac599>

 

On both DCs, of course with different names and ids.

 

Please advise.

Thanks, Joachim

On 22/10/2020 17:27, Joachim Lindenberg via samba wrote:
> In installed a new DC (Samba 4.12.8 on Ubuntu 20.4) and initially
everything appeared to work smoothly. Now I experience issues:
>
> DCDIAG /s:cobra.samba.lindenberg.one
>
> Directory Server Diagnosis
>
> Performing initial setup:
>
>     [cobra.samba.lindenberg.one] LDAP bind failed with error 1326,
>
>     The user name or password is incorrect..
>
>
> With the other DC (still samba 4.11.14 on Ubuntu 18.4) many test succeed,
but replication is obviously stuck due to the authentication issue.
>
> Systemctl status samba-ad-dc reports
>
> Oct 22 16:17:17 cobra samba[824]: [2020/10/22 16:17:17.907065,  0]
../../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>
> Oct 22 16:17:17 cobra samba[824]:   Failed to bind to uuid
e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:192.168.177.18[49153,seal,krb5,target_hostname=53959b67-65fb-493d-8fde-4880ac599>
>
> On both DCs, of course with different names and ids.
Who are you logged in as ? and what Windows is this ?

Have you tried the Samba tools on the new DC ?

Rowland

On 22/10/2020 17:56, Joachim Lindenberg wrote:
> I am domain admin on Windows. Windows 10 Pro 1909.
> Samba-tool computer list reports my computers on both DCs, but how can I be
sure it tried that local? I also tried samba-tool --ipaddress= but that reported
option does not exist.
> Thanks, Joachim
It should work, but obviously isn't, so, for a start, can you go here:

https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh

Download the script and run it on your Samba AD DC, sanitise it (if 
required) and post the output into a reply to this. Do not add it as an 
attachment, this list strips attachments.

Rowland

Please see replies inline:

On 22/10/2020 19:06, Joachim Lindenberg wrote:
> root at cobra:/home/joachim# cat /tmp/samba-debug-info.txt
> Collected config  --- 2020-10-22-17:57 -----------
>
> Hostname: cobra
> DNS Domain:
> FQDN: cobra
> ipaddress: 192.168.177.19
I actually expected more output, but lets start with what we have :-)

You do not seem to have a domain name, you need to fix this, not sure 
just what Ubuntu 20.04 uses, but you need to fix it so that the 
following commands print the following output

hostname -s

cobra

hostname -d

samba.lindenberg.one

hostname -f

cobra.samba.lindenberg.one

hostname -i

192.168.177.19
>
> -----------
>
> WARNING: kinit Administrator will fail and this needs to be fixed first.
> unable to verify DNS kerberos._tcp SRV records
>
> Server:         192.168.177.18
> Address:        192.168.177.18#53
>
> ** server can't find _kerberos._tcp: NXDOMAIN
This could be because it isn't asking itself, the DC should use its own 
IP as the first nameserver in /etc/resolv.conf, so what is 
'192.168.177.19' ?
>
> kinit Adminstrator done manually does work or at least does not report any
error.
>
> when I dig manually I get SRV records:
>
> root at cobra:/home/joachim# dig -t SRV _kerberos._tcp.samba.lindenberg.one
>
> ; <<>> DiG 9.16.1-Ubuntu <<>> -t SRV
_kerberos._tcp.samba.lindenberg.one
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9893
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: c60e03fcc592f9949fb4fc8e5f91c878ed0f2c5c525380ca (good)
> ;; QUESTION SECTION:
> ;_kerberos._tcp.samba.lindenberg.one. IN        SRV
>
> ;; ANSWER SECTION:
> _kerberos._tcp.samba.lindenberg.one. 900 IN SRV 0 100 88
boa.samba.lindenberg.one.
> _kerberos._tcp.samba.lindenberg.one. 900 IN SRV 0 100 88
cobra.samba.lindenberg.one.
>
> ;; Query time: 4 msec
> ;; SERVER: 192.168.177.18#53(192.168.177.18)
> ;; WHEN: Thu Oct 22 17:59:20 UTC 2020
> ;; MSG SIZE  rcvd: 182
>
> (actually I missed them initially as dns_update did not work, and fixed
both)
Again that is using '192.168.177.18'
> Just in case, my smb.conf looks as follows:
>
> # Global parameters
> [global]
>          netbios name = COBRA
>          realm = SAMBA.LINDENBERG.ONE
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
>          workgroup = SAMBA
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
>
> [netlogon]
>          path = /var/lib/samba/sysvol/samba.lindenberg.one/scripts
>          read only = No
About all I can tell from that is that you are using Bind9, so you will 
manually have to set /var/lib/samba/bind-dns/named.conf.

Open it in an editor and check if any of the lines that have 'database' 
in them have been uncommented (I don't think they will have), if not, 
uncomment the last one, under '# For BIND 9.11.x'

Once you have fixed the problems highlighted above, re-run the script.

Rowland

On 22/10/2020 19:49, Joachim Lindenberg wrote:
> Password for Administrator at SAMBA.LINDENBERG.ONE:
>
> Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
ncacn_ip_tcp:192.168.177.19[49153,sign,target_hostname=cobra.samba.lindenberg.one,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.177.19]
NT_STATUS_LOGON_FAILURE
> ERROR: Connecting to DNS RPC server cobra.samba.lindenberg.one failed with
(3221225581, 'The attempted logon is invalid. This is either due to a bad
username or authentication information.')
> Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
ncacn_ip_tcp:192.168.177.19[49153,sign,target_hostname=cobra.samba.lindenberg.one,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.177.19]
NT_STATUS_LOGON_FAILURE
> ERROR: Connecting to DNS RPC server cobra.samba.lindenberg.one failed with
(3221225581, 'The attempted logon is invalid. This is either due to a bad
username or authentication information.')
The above could just be caused by incorrect replication.
>
>
>
>
>
>
> Kerberos SRV _kerberos._tcp.samba.lindenberg.one record verified ok, sample
output:
> Server:         192.168.177.18
> Address:        192.168.177.18#53
>
> _kerberos._tcp.samba.lindenberg.one     service = 0 100 88
boa.samba.lindenberg.one.
I take it that boa.samba.lindenberg.one' has the IP '192.168.177.18'

But what is 'boa' ?
> -----------
>         Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 192.168.177.19 cobra.samba.lindenberg.one cobra
>
> -----------
>
>         Checking file: /etc/resolv.conf
>
> nameserver 192.168.177.18
> search samba.lindenberg.one
You need to change the? '18' to '19'

The DC must use itself as its nameserver

Make the suggested changes and if replication doesn't kick in, try 
adding this to smb.conf:

 ??????? dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

You could also try running these commands:

samba-tool drs showrepl

samba-tool dbcheck

Rowland

On 22/10/2020 20:45, Joachim Lindenberg wrote:
> Boa is the other DC.
What other DC ?

Is it a Windows DC or a Samba DC ?

Rowland

On 22/10/2020 20:52, Joachim Lindenberg wrote:
> Boa is the other DC. There was a rule that DCs should use another DC, but I
think the arguments behind that deteriorated over time..
I think you are referring to 'islanding', but this doesn't occur and
I
am not sure it ever did.
> samba-tool drs showrepl reports errros w/o the change to smb.conf
Then make the change. It may be that various dns records do not exist 
and samba-dnsupdate needs to create them

I also think you may have to copy 'dns.keytab' from 
/var/lib/samba/private/ to /var/lib/samba/binddns/

Rowland

Sorry for my blundess.. 

The correct lines, i forgot the echo's.. :-// 

First DC1 
SERVER_IP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src
\([0-9.]\+\).*/\1/p')
echo "search  $(hostname -d)" > resolv.conf.new
echo "nameserver ${SERVER_IP}" >> resolv.conf.new
echo "nameserver 8.8.8.8 # because we want a fallback to internet, for
now."  >> resolv.conf.new
mv /etc/resolv.conf{,.backup}
mv /etc/resolv.conf.new /etc/resolv.conf
# Check resolv.conf before you reboot ! 


Then DC2 before the reboot of DC2. 
SERVER_IP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src
\([0-9.]\+\).*/\1/p')
echo "search  $(hostname -d)" > resolv.conf.new
for x in `host $(hostname -d) |grep -Evi mail|grep -v ${SERVER_IP} |awk '{
print $NF }'` ; \
 do echo "nameserver ${x}" >> /etc/resolv.conf.new ; done
echo "nameserver ${SERVER_IP}" >> resolv.conf.new

mv /etc/resolv.conf{,.backup-1}
mv /etc/resolv.conf.new /etc/resolv.conf
# Check resolv.conf before you reboot ! 


Then DC2 after the reboot of DC2. 
SERVER_IP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src
\([0-9.]\+\).*/\1/p')
echo "search  $(hostname -d)" > resolv.conf.new
echo "nameserver ${SERVER_IP}" >> resolv.conf.new

for x in `host $(hostname -d) |grep -Evi mail|grep -v ${SERVER_IP} |awk '{
print $NF }'` ; \
 do echo "nameserver ${x}" >> /etc/resolv.conf.new ; done

mv /etc/resolv.conf{,.backup-2}
mv /etc/resolv.conf.new /etc/resolv.conf

# Check resolv.conf before you reboot ! 


 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> L.P.H. van Belle via samba
> Verzonden: vrijdag 23 oktober 2020 10:42
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] new dc does not allow login..?
> 
> To fix this, i would start with. 
> 
> First, set the first AD-DC its resolv.conf to 
> 
> SERVER_IP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src 
> \([0-9.]\+\).*/\1/p')
> search  $(hostname -d) > resolv.conf.new
> nameserver ${SERVER_IP} >> resolv.conf.new
> nameserver 8.8.8.8 # because we want a fallback to internet, 
> for now.  >> resolv.conf.new
> mv /etc/resolv.conf{,.backup}
> mv /etc/resolv.conf.new /etc/resolv.conf
> 
> Verify /etc/resolv.conf and reboot DC1. 
> 
> Wait few min untill DC1 is fully online again. 
> Then on the second DC. 
> 
> SERVER_IP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src 
> \([0-9.]\+\).*/\1/p')
> search  $(hostname -d) > resolv.conf.new
> for x in `host $(hostname -d) |grep -Evi mail|grep -v 
> ${SERVER_IP} |awk '{ print $NF }'` ; \
>  do echo "nameserver ${x}" >> /etc/resolv.conf.new ; done
> nameserver ${SERVER_IP} >> resolv.conf.new
> 
> mv /etc/resolv.conf{,.backup}
> mv /etc/resolv.conf.new /etc/resolv.conf
> 
> Verify /etc/resolv.conf and reboot DC2
> Wait few min untill DC2 is fully online again. 
> 
> Now check replication again, should be fixed and if fixed. 
> Correct resolv.conf again. 
> 
> SERVER_IP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src 
> \([0-9.]\+\).*/\1/p')
> search  $(hostname -d) > resolv.conf.new
> nameserver ${SERVER_IP} >> resolv.conf.new
> for x in `host $(hostname -d) |grep -Evi mail|grep -v 
> ${SERVER_IP} |awk '{ print $NF }'` ; \
>  do echo "nameserver ${x}" >> /etc/resolv.conf.new ; done
> 
> mv /etc/resolv.conf{,.backup-2}
> mv /etc/resolv.conf.new /etc/resolv.conf
> 
> Above should help. 
> 
> If people dont see what i did here. 
> DC1, points to itself for the DNS. 
> DC2, when joining MUST HAVE DC1 as first DNS resolver. 
> DC2, after the join and a reboot after the replication check, 
> Only then you can change the resolver order. 
> 
> If you change resolv.conf to early, your not getting replication
> And that results in missing things in the ad like.. 
> Like the UUID as shown here. 
> > Oct 22 16:17:17 cobra samba[824]:   Failed to bind to uuid 
> e3514235-4b06-11d1-ab04-00c04fc2dcd2 for 
> ncacn_ip_tcp:192.168.177.18[49153,seal,krb5,target_hostname=53
959b67-65fb-493d-8fde-4880ac599> 
> 
> And adding to that, if you use bind9 you have extra steps todo. 
> But i cant tell if you use it. 
> 
> 
> Greetz, 
> 
> Louis
> 
> 
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> > Rowland penny via samba
> > Verzonden: donderdag 22 oktober 2020 22:00
> > Aan: sambalist
> > Onderwerp: Re: [Samba] new dc does not allow login..?
> > 
> > On 22/10/2020 20:52, Joachim Lindenberg wrote:
> > > Boa is the other DC. There was a rule that DCs should use 
> > another DC, but I think the arguments behind that 
> > deteriorated over time..
> > I think you are referring to 'islanding', but this doesn't
> > occur and I 
> > am not sure it ever did.
> > > samba-tool drs showrepl reports errros w/o the change to smb.conf
> > 
> > Then make the change. It may be that various dns records do 
> not exist 
> > and samba-dnsupdate needs to create them
> > 
> > I also think you may have to copy 'dns.keytab' from 
> > /var/lib/samba/private/ to /var/lib/samba/binddns/
> > 
> > Rowland
> > 
> > 
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> > 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

( the copy of the list, but i've added the bind9 steps. ) 


The correct lines, i forgot the echo's.. :-// 

First DC1 
SERVER_IP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src
\([0-9.]\+\).*/\1/p')
echo "search  $(hostname -d)" > resolv.conf.new
echo "nameserver ${SERVER_IP}" >> resolv.conf.new
echo "nameserver 8.8.8.8 # because we want a fallback to internet, for
now."  >> resolv.conf.new
mv /etc/resolv.conf{,.backup}
mv /etc/resolv.conf.new /etc/resolv.conf
# Check resolv.conf before you reboot ! 

samba_upgradedns --dns-backend=BIND9_DLZ
And just to make sure.. 

install -d /var/lib/samba/bind-dns -o root -g bind -m 750 
# If already exits (/var/lib/samba/bind-dns) , just run it doesnt heart

chgrp bind /var/lib/samba/bind-dns
chgrp bind /var/lib/samba/bind-dns/dns

mv /var/lib/samba/private/dns.keytab /var/lib/samba/bind-dns/dns.keytab
chown root:bind /var/lib/samba/bind-dns/dns.keytab

In /etc/bind/named.conf.options 
dnssec-validation no;
auth-nxdomain yes; 
notify no;
minimal-responses yes;
empty-zones-enable no;
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

And in /etc/bind/named.conf.local 
include "/var/lib/samba/bind-dns/named.conf"; 
# Change the path in that line (you might see private in there ) 

Now you can reboot DC1. 


Then DC2 before the reboot of DC2. 
SERVER_IP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src
\([0-9.]\+\).*/\1/p')
echo "search  $(hostname -d)" > resolv.conf.new
for x in `host $(hostname -d) |grep -Evi mail|grep -v ${SERVER_IP} |awk '{
print $NF }'` ; \
 do echo "nameserver ${x}" >> /etc/resolv.conf.new ; done
echo "nameserver ${SERVER_IP}" >> resolv.conf.new

mv /etc/resolv.conf{,.backup-1}
mv /etc/resolv.conf.new /etc/resolv.conf
# Check resolv.conf before you reboot ! 

samba_upgradedns --dns-backend=BIND9_DLZ
And just to make sure.. 

install -d /var/lib/samba/bind-dns -o root -g bind -m 750 
# If already exits (/var/lib/samba/bind-dns) , just run it doesnt heart

chgrp bind /var/lib/samba/bind-dns
chgrp bind /var/lib/samba/bind-dns/dns

mv /var/lib/samba/private/dns.keytab /var/lib/samba/bind-dns/dns.keytab
chown root:bind /var/lib/samba/bind-dns/dns.keytab

In /etc/bind/named.conf.options 
dnssec-validation no;
auth-nxdomain yes; 
notify no;
minimal-responses yes;
empty-zones-enable no;
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

include "/var/lib/samba/bind-dns/named.conf"; 
# Change the path in that line (you might see private in there ) 

Now you can reboot DC2

Then DC2 after the reboot of DC2. 
SERVER_IP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src
\([0-9.]\+\).*/\1/p')
echo "search  $(hostname -d)" > resolv.conf.new
echo "nameserver ${SERVER_IP}" >> resolv.conf.new

for x in `host $(hostname -d) |grep -Evi mail|grep -v ${SERVER_IP} |awk '{
print $NF }'` ; \
 do echo "nameserver ${x}" >> /etc/resolv.conf.new ; done

mv /etc/resolv.conf{,.backup-2}
mv /etc/resolv.conf.new /etc/resolv.conf

# Check resolv.conf before you reboot ! 
 
> -----Oorspronkelijk bericht-----
> Van: Joachim Lindenberg [mailto:samba at lindenberg.one] 
> Verzonden: donderdag 22 oktober 2020 20:49
> Aan: 'Rowland penny'
> Onderwerp: AW: [Samba] new dc does not allow login..?
> 
> Ok, /etc/hosts was incomplete. Hostnames now as expected. 
> Actually the test script "checks /etc/hostname", but likely 
> later than you.
> 
> root at cobra:/home/joachim# ./samba-collect-debug-info.sh
> Please wait, collecting debug info.
> 
> Password for Administrator at SAMBA.LINDENBERG.ONE:
> INFO 2020-10-22 18:41:27,361 pid:2037 
> /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: 
> Loaded smb config files from /etc/samba/smb.conf
> INFO 2020-10-22 18:41:27,361 pid:2037 
> /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: 
> Loaded services file OK.
> Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 
> for 
> ncacn_ip_tcp:192.168.177.19[49153,sign,target_hostname=cobra.s
> amba.lindenberg.one,abstract_syntax=50abc2a4-574d-40b3-9d66-ee
> 4fd5fba076/0x00000005,localaddress=192.168.177.19] 
> NT_STATUS_LOGON_FAILURE
> ERROR: Connecting to DNS RPC server 
> cobra.samba.lindenberg.one failed with (3221225581, 'The 
> attempted logon is invalid. This is either due to a bad 
> username or authentication information.')
> Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 
> for 
> ncacn_ip_tcp:192.168.177.19[49153,sign,target_hostname=cobra.s
> amba.lindenberg.one,abstract_syntax=50abc2a4-574d-40b3-9d66-ee
> 4fd5fba076/0x00000005,localaddress=192.168.177.19] 
> NT_STATUS_LOGON_FAILURE
> ERROR: Connecting to DNS RPC server 
> cobra.samba.lindenberg.one failed with (3221225581, 'The 
> attempted logon is invalid. This is either due to a bad 
> username or authentication information.')
> The debug info about your system can be found in this file: 
> /tmp/samba-debug-info.txt
> Please check this and if required, sanitise it.
> Then copy & paste it into an  email to the samba list
> Do not attach it to the email, the Samba mailing list strips 
> attachments.
> 
> root at cobra:/home/joachim# cat /tmp/samba-debug-info.txt
> Collected config  --- 2020-10-22-18:41 -----------
> 
> Hostname: cobra
> DNS Domain: samba.lindenberg.one
> FQDN: cobra.samba.lindenberg.one
> ipaddress: 192.168.177.19
> 
> -----------
> 
> Kerberos SRV _kerberos._tcp.samba.lindenberg.one record 
> verified ok, sample output:
> Server:         192.168.177.18
> Address:        192.168.177.18#53
> 
> _kerberos._tcp.samba.lindenberg.one     service = 0 100 88 
> boa.samba.lindenberg.one.
> _kerberos._tcp.samba.lindenberg.one     service = 0 100 88 
> cobra.samba.lindenberg.one.
> Samba is running as an AD DC
> 
> -----------
>        Checking file: /etc/os-release
> 
> NAME="Ubuntu"
> VERSION="20.04.1 LTS (Focal Fossa)"
> ID=ubuntu
> ID_LIKE=debian
> PRETTY_NAME="Ubuntu 20.04.1 LTS"
> VERSION_ID="20.04"
> HOME_URL="https://www.ubuntu.com/"
> SUPPORT_URL="https://help.ubuntu.com/"
> BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-pol
> icies/privacy-policy"
> VERSION_CODENAME=focal
> UBUNTU_CODENAME=focal
> 
> -----------
> 
> 
> This computer is running Ubuntu 20.04.1 LTS x86_64
> 
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state 
> UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq 
> state UP group default qlen 1000
>     link/ether 00:15:5d:b1:0c:50 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.177.19/24 brd 192.168.177.255 scope global eth0
>     inet6 fe80::215:5dff:feb1:c50/64 scope link
> 
> -----------
>        Checking file: /etc/hosts
> 
> 127.0.0.1 localhost
> 192.168.177.19 cobra.samba.lindenberg.one cobra
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1     ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> -----------
> 
>        Checking file: /etc/resolv.conf
> 
> nameserver 192.168.177.18
> search samba.lindenberg.one
> 
> -----------
> 
>        Checking file: /etc/krb5.conf
> 
> [libdefaults]
>         default_realm = SAMBA.LINDENBERG.ONE
> 
> # The following krb5.conf variables are only for MIT Kerberos.
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
> 
> # The following encryption type specification will be used by 
> MIT Kerberos
> # if uncommented.  In general, the defaults in the MIT 
> Kerberos code are
> # correct and overriding these specifications only serves to 
> disable new
> # encryption types as they are added, creating 
> interoperability problems.
> #
> # The only time when you might need to uncomment these lines 
> and change
> # the enctypes is if you have local software that will break on ticket
> # caches containing ticket encryption types it doesn't know 
> about (such as
> # old versions of Sun Java).
> 
> #       default_tgs_enctypes = des3-hmac-sha1
> #       default_tkt_enctypes = des3-hmac-sha1
> #       permitted_enctypes = des3-hmac-sha1
> 
> # The following libdefaults parameters are only for Heimdal Kerberos.
>         fcc-mit-ticketflags = true
> 
> [realms]
>         ATHENA.MIT.EDU = {
>                 kdc = kerberos.mit.edu
>                 kdc = kerberos-1.mit.edu
>                 kdc = kerberos-2.mit.edu:88
>                 admin_server = kerberos.mit.edu
>                 default_domain = mit.edu
>         }
>         ZONE.MIT.EDU = {
>                 kdc = casio.mit.edu
>                 kdc = seiko.mit.edu
>                 admin_server = casio.mit.edu
>         }
>         CSAIL.MIT.EDU = {
>                 admin_server = kerberos.csail.mit.edu
>                 default_domain = csail.mit.edu
>         }
>         IHTFP.ORG = {
>                 kdc = kerberos.ihtfp.org
>                 admin_server = kerberos.ihtfp.org
>         }
>         1TS.ORG = {
>                 kdc = kerberos.1ts.org
>                 admin_server = kerberos.1ts.org
>         }
>         ANDREW.CMU.EDU = {
>                 admin_server = kerberos.andrew.cmu.edu
>                 default_domain = andrew.cmu.edu
>         }
>         CS.CMU.EDU = {
>                 kdc = kerberos-1.srv.cs.cmu.edu
>                 kdc = kerberos-2.srv.cs.cmu.edu
>                 kdc = kerberos-3.srv.cs.cmu.edu
>                 admin_server = kerberos.cs.cmu.edu
>         }
>         DEMENTIA.ORG = {
>                 kdc = kerberos.dementix.org
>                 kdc = kerberos2.dementix.org
>                 admin_server = kerberos.dementix.org
>         }
>         stanford.edu = {
>                 kdc = krb5auth1.stanford.edu
>                 kdc = krb5auth2.stanford.edu
>                 kdc = krb5auth3.stanford.edu
>                 master_kdc = krb5auth1.stanford.edu
>                 admin_server = krb5-admin.stanford.edu
>                 default_domain = stanford.edu
>         }
>         UTORONTO.CA = {
>                 kdc = kerberos1.utoronto.ca
>                 kdc = kerberos2.utoronto.ca
>                 kdc = kerberos3.utoronto.ca
>                 admin_server = kerberos1.utoronto.ca
>                 default_domain = utoronto.ca
>         }
> 
> [domain_realm]
>         .mit.edu = ATHENA.MIT.EDU
>         mit.edu = ATHENA.MIT.EDU
>         .media.mit.edu = MEDIA-LAB.MIT.EDU
>         media.mit.edu = MEDIA-LAB.MIT.EDU
>         .csail.mit.edu = CSAIL.MIT.EDU
>         csail.mit.edu = CSAIL.MIT.EDU
>         .whoi.edu = ATHENA.MIT.EDU
>         whoi.edu = ATHENA.MIT.EDU
>         .stanford.edu = stanford.edu
>         .slac.stanford.edu = SLAC.STANFORD.EDU
>         .toronto.edu = UTORONTO.CA
>         .utoronto.ca = UTORONTO.CA
> 
> -----------
> 
>        Checking file: /etc/nsswitch.conf
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages 
> installed, try:
> # `info libc "Name Service Switch"' for information about
this file.
> 
> passwd:         files systemd
> group:          files systemd
> shadow:         files
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> -----------
> 
>        Checking file: /etc/samba/smb.conf
> 
> # Global parameters
> [global]
>         netbios name = COBRA
>         realm = SAMBA.LINDENBERG.ONE
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, 
> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = SAMBA
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/samba.lindenberg.one/scripts
>         read only = No
> 
> -----------
> 
> Detected bind DLZ enabled..
>        Checking file: /etc/bind/named.conf
> 
> // This is the primary configuration file for the BIND DNS 
> server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for 
> information on the
> // structure of BIND configuration files in Debian, *BEFORE* 
> you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in 
> /etc/bind/named.conf.local
> 
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> 
> -----------
> 
>        Checking file: /etc/bind/named.conf.options
> 
> acl "trusted" {
>   192.168.0.0/16;
> };
> 
> options {
>         directory "/var/cache/bind";
> 
>         // If there is a firewall between you and nameservers you want
>         // to talk to, you may need to fix the firewall to 
> allow multiple
>         // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
> 
>         // If your ISP provided one or more IP addresses for stable
>         // nameservers, you probably want to use them as forwarders.
>         // Uncomment the following block, and insert the 
> addresses replacing
>         // the all-0's placeholder.
> 
> forwarders {
>         192.168.177.7;
> };
> 
>         
> //===========================================================>
===========>         // If BIND logs error messages about the root key
> being expired,
>         // you will need to update your keys.  See 
> https://www.isc.org/bind-keys
>         
> //===========================================================>
===========>         dnssec-validation auto;
> 
>         listen-on-v6 { none; };
>         recursion yes;
>         allow-recursion { trusted;localhost; };
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>         minimal-responses yes;
>         allow-transfer { none; };
> };
> 
> -----------
> 
>        Checking file: /etc/bind/named.conf.local
> 
> //
> // Do any local configuration here
> //
> 
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
> 
> include "/var/lib/samba/bind-dns/named.conf";
> 
> -----------
> 
>        Checking file: /etc/bind/named.conf.default-zones
> 
> // prime the server with knowledge of the root servers
> zone "." {
>         type hint;
>         file "/usr/share/dns/root.hints";
> };
> 
> // be authoritative for the localhost forward and reverse 
> zones, and for
> // broadcast zones as per RFC 1912
> 
> zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
> };
> 
> -----------
> 
> Samba DNS zone list:
> Samba DNS zone list Automated check :
> 
> Installed packages:
> ii  acl                                  2.2.53-6             
>                  amd64        access control list - utilities
> ii  attr                                 1:2.4.48-5           
>                  amd64        utilities for manipulating 
> filesystem extended attributes
> ii  bind9                                1:9.16.1-0ubuntu2.3  
>                  amd64        Internet Domain Name Server
> ii  bind9-dnsutils                       1:9.16.1-0ubuntu2.3  
>                  amd64        Clients provided with BIND 9
> ii  bind9-doc                            1:9.16.1-0ubuntu2.3  
>                  all          Documentation for BIND 9
> ii  bind9-host                           1:9.16.1-0ubuntu2.3  
>                  amd64        DNS Lookup Utility
> ii  bind9-libs:amd64                     1:9.16.1-0ubuntu2.3  
>                  amd64        Shared Libraries used by BIND 9
> ii  bind9-utils                          1:9.16.1-0ubuntu2.3  
>                  amd64        Utilities for BIND 9
> ii  bind9utils                           1:9.16.1-0ubuntu2.3  
>                  all          Transitional package for bind9-utils
> ii  dnsutils                             1:9.16.1-0ubuntu2.3  
>                  all          Transitional package for bind9-dnsutils
> ii  krb5-config                          2.6ubuntu1           
>                  all          Configuration files for 
> Kerberos Version 5
> ii  krb5-locales                         1.17-6ubuntu4        
>                  all          internationalization support 
> for MIT Kerberos
> ii  krb5-user                            1.17-6ubuntu4        
>                  amd64        basic programs to authenticate 
> using MIT Kerberos
> ii  libacl1:amd64                        2.2.53-6             
>                  amd64        access control list - shared library
> ii  libattr1:amd64                       1:2.4.48-5           
>                  amd64        extended attribute handling - 
> shared library
> ii  libgssapi-krb5-2:amd64               1.17-6ubuntu4        
>                  amd64        MIT Kerberos runtime libraries 
> - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal:amd64             7.7.0+dfsg-1ubuntu1  
>                  amd64        Heimdal Kerberos - libraries
> ii  libkrb5-3:amd64                      1.17-6ubuntu4        
>                  amd64        MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64                1.17-6ubuntu4        
>                  amd64        MIT Kerberos runtime libraries 
> - Support library
> ii  libnss-winbind:amd64                 
> 2:4.12.8+dfsg-0.1focal1               amd64        Samba 
> nameservice integration plugins
> ii  libpam-krb5:amd64                    4.8-2ubuntu1         
>                  amd64        PAM module for MIT Kerberos
> ii  libpam-winbind:amd64                 
> 2:4.12.8+dfsg-0.1focal1               amd64        Windows 
> domain authentication integration plugin
> ii  libsmbclient:amd64                   
> 2:4.12.8+dfsg-0.1focal1               amd64        shared 
> library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64                   
> 2:4.12.8+dfsg-0.1focal1               amd64        Samba 
> winbind client library
> ii  python3-attr                         19.3.0-2             
>                  all          Attributes without boilerplate 
> (Python 3)
> ii  python3-nacl                         1.3.0-5              
>                  amd64        Python bindings to libsodium (Python 3)
> ii  python3-samba                        
> 2:4.12.8+dfsg-0.1focal1               amd64        Python 3 
> bindings for Samba
> ii  samba                                
> 2:4.12.8+dfsg-0.1focal1               amd64        SMB/CIFS 
> file, print, and login server for Unix
> ii  samba-common                         
> 2:4.12.8+dfsg-0.1focal1               all          common 
> files used by both the Samba server and client
> ii  samba-common-bin                     
> 2:4.12.8+dfsg-0.1focal1               amd64        Samba 
> common files used by both the server and the client
> ii  samba-dsdb-modules:amd64             
> 2:4.12.8+dfsg-0.1focal1               amd64        Samba 
> Directory Services Database
> ii  samba-libs:amd64                     
> 2:4.12.8+dfsg-0.1focal1               amd64        Samba core 
> libraries
> ii  samba-vfs-modules:amd64              
> 2:4.12.8+dfsg-0.1focal1               amd64        Samba 
> Virtual FileSystem plugins
> ii  smbclient                            
> 2:4.12.8+dfsg-0.1focal1               amd64        
> command-line SMB/CIFS clients for Unix
> ii  winbind                              
> 2:4.12.8+dfsg-0.1focal1               amd64        service to 
> resolve user and group information from Windows NT servers
> 
> 
> Thanks, Joachim
> 
> 
> -----Urspr?ngliche Nachricht-----
> Von: samba <samba-bounces at lists.samba.org> Im Auftrag von 
> Rowland penny via samba
> Gesendet: Thursday, 22 October 2020 20:28
> An: sambalist <samba at lists.samba.org>
> Betreff: Re: [Samba] new dc does not allow login..?
> 
> Please see replies inline:
> 
> On 22/10/2020 19:06, Joachim Lindenberg wrote:
> > root at cobra:/home/joachim# cat /tmp/samba-debug-info.txt Collected 
> > config  --- 2020-10-22-17:57 -----------
> >
> > Hostname: cobra
> > DNS Domain:
> > FQDN: cobra
> > ipaddress: 192.168.177.19
> 
> I actually expected more output, but lets start with what we have :-)
> 
> You do not seem to have a domain name, you need to fix this, 
> not sure just what Ubuntu 20.04 uses, but you need to fix it 
> so that the following commands print the following output
> 
> hostname -s
> 
> cobra
> 
> hostname -d
> 
> samba.lindenberg.one
> 
> hostname -f
> 
> cobra.samba.lindenberg.one
> 
> hostname -i
> 
> 192.168.177.19
> 
> >
> > -----------
> >
> > WARNING: kinit Administrator will fail and this needs to be 
> fixed first.
> > unable to verify DNS kerberos._tcp SRV records
> >
> > Server:         192.168.177.18
> > Address:        192.168.177.18#53
> >
> > ** server can't find _kerberos._tcp: NXDOMAIN
> This could be because it isn't asking itself, the DC should 
> use its own IP as the first nameserver in /etc/resolv.conf, 
> so what is '192.168.177.19' ?
> >
> > kinit Adminstrator done manually does work or at least does 
> not report any error.
> >
> > when I dig manually I get SRV records:
> >
> > root at cobra:/home/joachim# dig -t SRV 
> > _kerberos._tcp.samba.lindenberg.one
> >
> > ; <<>> DiG 9.16.1-Ubuntu <<>> -t SRV 
> > _kerberos._tcp.samba.lindenberg.one
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9893
;;
> flags: qr 
> > aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ; COOKIE: c60e03fcc592f9949fb4fc8e5f91c878ed0f2c5c525380ca 
> (good) ;; 
> > QUESTION SECTION:
> > ;_kerberos._tcp.samba.lindenberg.one. IN        SRV
> >
> > ;; ANSWER SECTION:
> > _kerberos._tcp.samba.lindenberg.one. 900 IN SRV 0 100 88 
> boa.samba.lindenberg.one.
> > _kerberos._tcp.samba.lindenberg.one. 900 IN SRV 0 100 88 
> cobra.samba.lindenberg.one.
> >
> > ;; Query time: 4 msec
> > ;; SERVER: 192.168.177.18#53(192.168.177.18) ;; WHEN: Thu Oct 22 
> > 17:59:20 UTC 2020 ;; MSG SIZE  rcvd: 182
> >
> > (actually I missed them initially as dns_update did not work, and 
> > fixed both)
> Again that is using '192.168.177.18'
> > Just in case, my smb.conf looks as follows:
> >
> > # Global parameters
> > [global]
> >          netbios name = COBRA
> >          realm = SAMBA.LINDENBERG.ONE
> >          server role = active directory domain controller
> >          server services = s3fs, rpc, nbt, wrepl, ldap, 
> cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >          workgroup = SAMBA
> >
> > [sysvol]
> >          path = /var/lib/samba/sysvol
> >          read only = No
> >
> > [netlogon]
> >          path = /var/lib/samba/sysvol/samba.lindenberg.one/scripts
> >          read only = No
> 
> About all I can tell from that is that you are using Bind9, 
> so you will manually have to set /var/lib/samba/bind-dns/named.conf.
> 
> Open it in an editor and check if any of the lines that have 
> 'database' 
> in them have been uncommented (I don't think they will have), 
> if not, uncomment the last one, under '# For BIND 9.11.x'
> 
> Once you have fixed the problems highlighted above, re-run the script.
> 
> Rowland
> 
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>