On 2023-03-28 12:02, Rowland Penny via samba wrote:
>
> On 28/03/2023 16:24, Gary Dale via samba wrote:
>> On 2023-03-28 04:13, Rowland Penny via samba wrote:
>>>
>>>
>>> On 27/03/2023 23:55, Gary Dale via samba wrote:
>>>> My Samba setup was working until several months ago. I didn't do
>>>> anything to it that I can recall but it stopped letting my Windows
>>>> VMs connect. When I use smbclient to try to connect, I get session
>>>> setup failed: NT_STATUS_NO_LOGON_SERVERS
>>>>
>>>> My Internet searches have revealed that this is a common and
>>>> long-standing issue: frequently reported but I've had no luck
>>>> finding anyone posting a solution.
>>>>
>>>> I'm running Debian/Bullseye on an AMD64 machine. This is also an
>>>> NFS server as that's how I connect from my various Linux devices. I
>>>> only discovered the issue when I tried to install a piece of
>>>> software on a Windows 10 VM. I have no problem logging into the VMs
>>>> using domain accounts.
>>>>
>>>> I've verified that it also affects a Windows 7 VM so it's not a
>>>> problem with the VM. That led me to trying to debug the server. The
>>>> Samba DC wiki suggests trying smbclient //localhost/netlogon
>>>> -UAdministrator -c 'ls', which throws the error.
>>>>
>>>> Interestingly smbclient -L localhost -U% works:
>>>> # smbclient -L localhost -U%
>>>>
>>>>         Sharename       Type      Comment
>>>>         ---------       ----      -------
>>>>         netlogon        Disk      Network Logon Service
>>>>         sysvol          Disk
>>>>         shares          Disk
>>>>         archives        Disk
>>>>         communications  Disk
>>>>         office          Disk
>>>>         graphics        Disk
>>>>         hardware        Disk
>>>>         install         Disk
>>>>         media$          Disk
>>>>         system          Disk
>>>>         tools           Disk
>>>>         utility         Disk
>>>>         webpages$       Disk
>>>>         develop         Disk
>>>>         backup          Disk
>>>>         IPC$            IPC       IPC Service (Samba 4.13.13-Debian)
>>>> SMB1 disabled -- no workgroup available
>>>>
>>>> Can anyone offer any advice on what may be the problem?
>>>>
>>>> Below is the output with debug information turned up.
>>>>
>>>> smbclient -d=5 //localhost/netlogon -U Administrator
>>>> INFO: Current debug levels:
>>>>   all: 5
>>>>   tdb: 5
>>>>   printdrivers: 5
>>>>   lanman: 5
>>>>   smb: 5
>>>>   rpc_parse: 5
>>>>   rpc_srv: 5
>>>>   rpc_cli: 5
>>>>   passdb: 5
>>>>   sam: 5
>>>>   auth: 5
>>>>   winbind: 5
>>>>   vfs: 5
>>>>   idmap: 5
>>>>   quota: 5
>>>>   acls: 5
>>>>   locking: 5
>>>>   msdfs: 5
>>>>   dmapi: 5
>>>>   registry: 5
>>>>   scavenger: 5
>>>>   dns: 5
>>>>   ldb: 5
>>>>   tevent: 5
>>>>   auth_audit: 5
>>>>   auth_json_audit: 5
>>>>   kerberos: 5
>>>>   drs_repl: 5
>>>>   smb2: 5
>>>>   smb2_credits: 5
>>>>   dsdb_audit: 5
>>>>   dsdb_json_audit: 5
>>>>   dsdb_password_audit: 5
>>>>   dsdb_password_json_audit: 5
>>>>   dsdb_transaction_audit: 5
>>>>   dsdb_transaction_json_audit: 5
>>>>   dsdb_group_audit: 5
>>>>   dsdb_group_json_audit: 5
>>>> lp_load_ex: refreshing parameters
>>>> Initialising global parameters
>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>>>> (16384)
>>>> INFO: Current debug levels:
>>>>   all: 5
>>>>   tdb: 5
>>>>   printdrivers: 5
>>>>   lanman: 5
>>>>   smb: 5
>>>>   rpc_parse: 5
>>>>   rpc_srv: 5
>>>>   rpc_cli: 5
>>>>   passdb: 5
>>>>   sam: 5
>>>>   auth: 5
>>>>   winbind: 5
>>>>   vfs: 5
>>>>   idmap: 5
>>>>   quota: 5
>>>>   acls: 5
>>>>   locking: 5
>>>>   msdfs: 5
>>>>   dmapi: 5
>>>>   registry: 5
>>>>   scavenger: 5
>>>>   dns: 5
>>>>   ldb: 5
>>>>   tevent: 5
>>>>   auth_audit: 5
>>>>   auth_json_audit: 5
>>>>   kerberos: 5
>>>>   drs_repl: 5
>>>>   smb2: 5
>>>>   smb2_credits: 5
>>>>   dsdb_audit: 5
>>>>   dsdb_json_audit: 5
>>>>   dsdb_password_audit: 5
>>>>   dsdb_password_json_audit: 5
>>>>   dsdb_transaction_audit: 5
>>>>   dsdb_transaction_json_audit: 5
>>>>   dsdb_group_audit: 5
>>>>   dsdb_group_json_audit: 5
>>>> Processing section "[global]"
>>>> doing parameter netbios name = THELIBRARIAN
>>>> doing parameter realm = RAHIM-DALE.ORG
>>>> doing parameter workgroup = RAHIM-DALE
>>>> doing parameter security = ADS
>>>> doing parameter dns forwarder = 8.8.8.8
>>>> doing parameter server role = active directory domain controller
>>>> doing parameter idmap_ldb:use rfc2307 = yes
>>>> doing parameter allow dns updates = nonsecure
>>>> doing parameter server role check:inhibit = yes
>>>> doing parameter ntlm auth = yes
>>>> doing parameter winbind enum users = yes
>>>> doing parameter winbind enum groups = yes
>>>> doing parameter log file = /var/log/samba/%m.log
>>>> doing parameter log level = 1
>>>> doing parameter idmap config * : backend = tdb
>>>> doing parameter idmap config * : range = 3000-7999
>>>> doing parameter idmap config RAHIM-DALE:backend = ad
>>>> doing parameter idmap config RAHIM-DALE:schema_mode = rfc2307
>>>> doing parameter idmap config RAHIM-DALE:range = 100000-999999
>>>> doing parameter idmap config RAHIM-DALE:unix_nss_info = yes
>>>> doing parameter vfs objects = dfs_samba4 acl_xattr recycle
>>>> doing parameter map acl inherit = yes
>>>> doing parameter store dos attributes = yes
>>>> doing parameter template shell = /bin/bash
>>>> doing parameter template homedir = /home/%U
>>>> doing parameter username map = /etc/samba/user.map
>>>> pm_process() returned Yes
>>>> added interface br0 ip=192.168.1.14 bcast=192.168.1.255
>>>> netmask=255.255.255.0
>>>> Netbios name list:-
>>>> my_netbios_names[0]="THELIBRARIAN"
>>>> Client started (version 4.13.13-Debian).
>>>> Opening cache file at /run/samba/gencache.tdb
>>>> sitename_fetch: No stored sitename for realm 'RAHIM-DALE.ORG'
>>>> name localhost#20 found.
>>>> Connecting to 127.0.0.1 at port 445
>>>> Socket options:
>>>>         SO_KEEPALIVE = 0
>>>>         SO_REUSEADDR = 0
>>>>         SO_BROADCAST = 0
>>>>         TCP_NODELAY = 1
>>>>         TCP_KEEPCNT = 9
>>>>         TCP_KEEPIDLE = 7200
>>>>         TCP_KEEPINTVL = 75
>>>>         IPTOS_LOWDELAY = 0
>>>>         IPTOS_THROUGHPUT = 0
>>>>         SO_REUSEPORT = 0
>>>>         SO_SNDBUF = 2626560
>>>>         SO_RCVBUF = 131072
>>>>         SO_SNDLOWAT = 1
>>>>         SO_RCVLOWAT = 1
>>>>         SO_SNDTIMEO = 0
>>>>         SO_RCVTIMEO = 0
>>>>         TCP_QUICKACK = 1
>>>>         TCP_DEFER_ACCEPT = 0
>>>>         TCP_USER_TIMEOUT = 0
>>>> session request ok
>>>> negotiated dialect[SMB3_11] against server[localhost]
>>>> Enter RAHIM-DALE\Administrator's password:
>>>> cli_session_setup_spnego_send: Connect to localhost as
>>>> Administrator at RAHIM-DALE.ORG using SPNEGO
>>>> GENSEC backend 'gssapi_spnego' registered
>>>> GENSEC backend 'gssapi_krb5' registered
>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>> GENSEC backend 'spnego' registered
>>>> GENSEC backend 'schannel' registered
>>>> GENSEC backend 'naclrpc_as_system' registered
>>>> GENSEC backend 'sasl-EXTERNAL' registered
>>>> GENSEC backend 'ntlmssp' registered
>>>> GENSEC backend 'ntlmssp_resume_ccache' registered
>>>> GENSEC backend 'http_basic' registered
>>>> GENSEC backend 'http_ntlm' registered
>>>> GENSEC backend 'http_negotiate' registered
>>>> GENSEC backend 'krb5' registered
>>>> GENSEC backend 'fake_gssapi_krb5' registered
>>>> Starting GENSEC mechanism spnego
>>>> Starting GENSEC submechanism gse_krb5
>>>> GSE to 'localhost' does not make sense
>>>> Failed to start GENSEC client mech gse_krb5:
>>>> NT_STATUS_INVALID_PARAMETER
>>>> Starting GENSEC submechanism ntlmssp
>>>> Got challenge flags:
>>>> Got NTLMSSP neg_flags=0x62898215
>>>>   NTLMSSP_NEGOTIATE_UNICODE
>>>>   NTLMSSP_REQUEST_TARGET
>>>>   NTLMSSP_NEGOTIATE_SIGN
>>>>   NTLMSSP_NEGOTIATE_NTLM
>>>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>>   NTLMSSP_TARGET_TYPE_DOMAIN
>>>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>>>   NTLMSSP_NEGOTIATE_TARGET_INFO
>>>>   NTLMSSP_NEGOTIATE_VERSION
>>>>   NTLMSSP_NEGOTIATE_128
>>>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>>>> NTLMSSP: Set final flags:
>>>> Got NTLMSSP neg_flags=0x62088215
>>>>   NTLMSSP_NEGOTIATE_UNICODE
>>>>   NTLMSSP_REQUEST_TARGET
>>>>   NTLMSSP_NEGOTIATE_SIGN
>>>>   NTLMSSP_NEGOTIATE_NTLM
>>>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>>>   NTLMSSP_NEGOTIATE_VERSION
>>>>   NTLMSSP_NEGOTIATE_128
>>>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>>>> NTLMSSP Sign/Seal - Initialising with flags:
>>>> Got NTLMSSP neg_flags=0x62088215
>>>>   NTLMSSP_NEGOTIATE_UNICODE
>>>>   NTLMSSP_REQUEST_TARGET
>>>>   NTLMSSP_NEGOTIATE_SIGN
>>>>   NTLMSSP_NEGOTIATE_NTLM
>>>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>>>   NTLMSSP_NEGOTIATE_VERSION
>>>>   NTLMSSP_NEGOTIATE_128
>>>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>>>> SPNEGO login failed: No logon servers are currently available to
>>>> service the logon request.
>>>> session setup failed: NT_STATUS_NO_LOGON_SERVERS
>>>> root at TheLibrarian:/etc/samba#
>>>>
>>>
>>> Once I picked out your smb.conf from all the above, it became
>>> apparent that you are running Samba as an AD DC, not only that, but
>>> you are also using it as a fileserver, this isn't recommended.
>>>
>>> There are a few lines in your smb.conf that shouldn't be there:
>>>
>>> server role check:inhibit = yes
>>>
>>> This is only required to run the 'nmbd' binary, you should never run
>>> this on a DC, it has its own version built in. If you are running
>>> the 'nmbd' binary, I suggest you turn it off.
>>>
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>>
>>> Those are not required and can slow things down.
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 3000-7999
>>> idmap config RAHIM-DALE:backend = ad
>>> idmap config RAHIM-DALE:schema_mode = rfc2307
>>> idmap config RAHIM-DALE:range = 100000-999999
>>> idmap config RAHIM-DALE:unix_nss_info = yes
>>>
>>> username map = /etc/samba/user.map
>>>
>>> Those are only used on a Unix domain member and do nothing on a DC.
>>>
>>> Having got that out of the way, your command works for myself, but I
>>> only use a DC for authentication.
>>>
>>> Can I suggest you upgrade to a Samba supported version by using
>>> Debian backports, this will get you 4.17.6. Can I also suggest you
>>> investigate running Samba as a Unix domain member instead of using
>>> the DC and just use the DC for authentication.
>>>
>>> I would also check a couple of files, /etc/resolv.conf which should
>>> contain:
>>>
>>> search rahim-dale.org
>>> nameserver 'THE_DCS_IPADDRESS'
>>>
>>> /etc/hosts
>>>
>>> 127.0.0.1 localhost
>>> 'THE_DCS_IPADDRESS' thelibrarian.rahim-dale.org thelibrarian
>>>
>>> Please try the above and report back
>>>
>>> Rowland
>>>
>> Thanks Rowland. I was pretty sure it's a DNS issue as the various
>> tests suggested in
>> https://wiki.samba.org/index.php/Linux_and_Unix_DNS_Configuration
>> fail. However my resolv.conf and hosts files were already as you
>> suggested. I am using systemd networkd, if that makes any difference.
>>
>> Removing the lines you flagged from smb.conf didn't fix the issue. In
>> fact, smb.conf fails testparm without a valid idmap config.
>
> You are probably using the wrong 'testparm', you undoubtedly have a
> DC, so you should be using 'samba-tool testparm'. I can assure you
> that those 'idmap config' lines have no place on a DC.
>
>> Conversely
>> the Samba Wiki at
>> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>> warns that adding idmap config to smb.conf will cause the samba
>> service to fail.
>
> Not sure if 'fail' is correct, they will be ignored though. Idmapping
> on a Samba AD DC is stored in idmap.ldb and usually uses numbers in
> the 3000000 range, but if you give your domain users and groups a
> uidNumber or gidNumber attribute, these replace the '3000000' numbers
> in idmap.ldb, so the 'idmap config' lines appear to work.

It reports an error and samba doesn't start.

>>
>> So now I'm at the point that the samba service refuses to start.
>
> I cannot see why removing the lines I suggested would stop Samba
> starting, I take it that you are starting Samba with 'systemctl start
> samba-ad-dc'. Is there anything in the logs that shows why it no
> longer starts ?

It seems to think it isn't a DC. I tried removing the current smb.conf
and re-provisioning the domain but that has failed.

>>
>> I'm loath to upgrade the samba version from the Debian version
>> without a clear benefit, It doesn't look like it would fix the
>> problem I'm having.
>
> The benefit is that you would be running a Samba supported version.

And losing the Debian/Stable one....

>> Nor does this look like it's related in any way to using the DC as a
>> file server - something I've been doing for two decades without
>> problems.
>
> I do not think you could have been running a Samba AD DC for two
> decades, you probably ran A PDC at the start and you could use those
> as fileservers. Right from the start, Samba (like Windows) has always
> recommended just using a DC for authentication, but hey, it is your
> computer, use it as you like, but just be aware of the limitations.

It wasn't an AD DC but it was the DC for my Domain.

>> The Samba Wiki caveats seem more related to organizational issues
>> than technical ones.
>
> The main technical one is that, because of the ACL's setup required
> for Sysvol, you must set any share permissions from Windows.

And that's not organizational?

>>
>> I'm considering tearing down everything and starting fresh. Decades
>> of accumulated crud could be a real problem, since virtually everything
>> I've read suggests that a simple setup like mine should just work.
>
> It should just work, in the main it should be easier than a PDC, but
> when used as a fileserver it can get a little bit harder.
>
> Rowland

Something is seriously wrong now. I had some memory go bad on the server
not too long ago. Possibly that screwed up something? I don't think
I've got any real choice now but to purge.