Since a bit more than a year I run a Samba4 AD server on a Debian
testing box. During that period I did update and dist-update the
box about twice a week, and also did update and recompile Samba,
i.e. Samba and Debian Jessie are on their latest stage. I use Bind
9.9.3 as name server, which works absolutely smooth.

But two days ago something got broken, and I am totally clueless,
what went wrong. Samba starts up without any uncommon entries in
log.samba. 1) kinit and klist look absolutely normal. 2) However
trying to access a Samba share fails with some complaints I don't
understand enough to find the root cause of all these troubles. 3)

I clearly see, that this syndrome is way too unclear, to be pinpointed
remotely. But I hope for advice on how to systematically debug the
problem.

I have installed nslcd and pam/winbind and k5start. I did rerun
the tests I did during the last reinstall in March last year, and
all these tests for the auxiliary blocks seem to work. I have the
impression that something is wrong with GSSAPI calls, and I also
saw SPNEGO calls failing. But I don't have a clue on how to
debug that. Maybe someone can point me into the right direction
here. And a point to corresponding information would also be
greatly appreciated. I found some references on the errors like
NT_STATUS_OBJECT_NAME_NOT_FOUND, but I was missing the context.
Maybe someone can point me in a more detailed step-by-step
approach.

Thank You in Advance!

Best regards
Peter


----------------------- attachments --------------------------

1) log.samba:
[2014/02/14 11:59:16.526562,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
  Calling samba_kcc script
[2014/02/14 12:03:59.088334,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[2014/02/14 12:03:59.088425,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 469, in <module>
[2014/02/14 12:03:59.088465,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: d = parse_dns_line(line, sub_vars)
[2014/02/14 12:03:59.088486,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 174, in parse_dns_line
[2014/02/14 12:03:59.088527,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: return dnsobj(subline)
[2014/02/14 12:03:59.088553,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 152, in __init__
[2014/02/14 12:03:59.088579,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: raise Exception("Received unexpected DNS reply of type %s" % self.type)
[2014/02/14 12:03:59.088601,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: Exception: Received unexpected DNS reply of type TXT
[2014/02/14 12:04:16.590173,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)


----------------------- attachments --------------------------

2) kinit, klist
root at ulysses:/etc# kinit administrator
Password for administrator at SERBE.LOCAL:
root at ulysses:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at SERBE.LOCAL

Valid starting       Expires              Service principal
14.02.2014 12:07:15  14.02.2014 22:07:15  krbtgt/SERBE.LOCAL at SERBE.LOCAL
        renew until 15.02.2014 12:07:12

  Calling samba_kcc script


----------------------- attachments --------------------------

3) smbclient //localhost/netlogon -U% -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
added interface eth0 ip=192.168.41.10 bcast=192.168.41.255 netmask=255.255.255.0
Client started (version 4.2.0pre1-GIT-0535f73).
Connecting to ::1 at port 445
session setup failed: NT_STATUS_OBJECT_NAME_NOT_FOUND


----------------------- attachments --------------------------

smb.conf-excerpt:
[global]
    workgroup = SERBE
    realm = SERBE.LOCAL
    netbios name = ULYSSES
    server string = Ulysses
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    wins support = yes
    security = user
    public = no
    username map = /usr/local/samba/etc/users.map
    local master = yes
    preferred master = yes
    os level = 65
    template shell = /bin/bash
    passdb backend = samba4
    socket options = TCP_NODELAY IPTOS_LOWDELAY

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/serbe.local/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[video]
    path = /srv/raid/video
    comment = video on raid
    read only = no
    inherit acls = yes


----------------------- attachments --------------------------

krb5.conf (note: it doesn't log, don't know why...):
[libdefaults]
    debug = true
    default_realm = SERBE.LOCAL
    kdc_timesync = 1
    forwardable = true
    proxiable = true
    forward = true
    renewable = true
    encrypt = true
    krb4_get_tickets = false
    krb4_convert = false
    krb5_get_tickets = true

[realms]
    SERBE.LOCAL = {
        kdc = ULYSSES.SERBE.LOCAL:88
        admin_server = ULYSSES.SERBE.LOCAL:749
        default_domain = SERBE.LOCAL
    }

[domain_realm]
    .serbe.local = SERBE.LOCAL
    serbe.local = SERBE.LOCAL

[logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/kadmin.log

[kdc]
check-ticket-addresses = false


----------------------- attachments --------------------------

nsswitch.conf:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind ldap
group:          files winbind ldap
shadow:         files ldap

hosts:          dns files ldap
networks:       files ldap

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


----------------------- attachments --------------------------

transcript from the provisioning process
root at ulysses:/usr/src/samba4# /usr/local/samba/bin/samba-tool domain provision
Realm [HOME.LOCAL]: SERBE.LOCAL
 Domain [SERBE]:
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=serbe,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=serbe,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Unable to find group id for BIND,
 set permissions to sam.ldb* files manually
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              ulysses
NetBIOS Domain:        SERBE
DNS Domain:            serbe.local
DOMAIN SID:            S-1-5-21-**********-**********-**********

On 14/02/14 11:37, Peter Serbe wrote:
> Since a bit more than a year I run a Samba4 AD server on a Debian
> testing box. During that period I did update and dist-update the
> box about twice a week, and also did update and recompile Samba,
> i.e. Samba and Debian Jessie are on their latest stage. I use Bind
> 9.9.3 as name server, which works absolutely smooth.
>
> But two days ago something got broken, and I am totally clueless,
> what went wrong. Samba starts up without any uncommon entries in
> log.samba. 1) kinit and klist look absolutely normal. 2) However
> trying to access a Samba share fails with some complaints I don't
> understand enough to find the root cause of all these troubles. 3)
>
> I clearly see, that this syndrome is way too unclear, to be pinpointed
> remotely. But I hope for advice on how to systematically debug the
> problem.
>
> I have installed nslcd and pam/winbind and k5start. I did rerun
> the tests I did during the last reinstall in March last year, and
> all these tests for the auxiliary blocks seem to work. I have the
> impression that something is wrong with GSSAPI calls, and I also
> saw SPNEGO calls failing. But I don't have a clue on how to
> debug that. Maybe someone can point me into the right direction
> here. And a point to corresponding information would also be
> greatly appreciated. I found some references on the errors like
> NT_STATUS_OBJECT_NAME_NOT_FOUND, but I was missing the context.
> Maybe someone can point me in a more detailed step-by-step
> approach.
>
> Thank You in Advance!
>
> Best regards
> Peter
>
>
> ----------------------- attachments --------------------------
>
> 1) log.samba:
> [2014/02/14 11:59:16.526562,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>   Calling samba_kcc script
> [2014/02/14 12:03:59.088334,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
> [2014/02/14 12:03:59.088425,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 469, in <module>
> [2014/02/14 12:03:59.088465,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: d = parse_dns_line(line, sub_vars)
> [2014/02/14 12:03:59.088486,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 174, in parse_dns_line
> [2014/02/14 12:03:59.088527,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: return dnsobj(subline)
> [2014/02/14 12:03:59.088553,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 152, in __init__
> [2014/02/14 12:03:59.088579,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: raise Exception("Received unexpected DNS reply of type %s" % self.type)
> [2014/02/14 12:03:59.088601,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: Exception: Received unexpected DNS reply of type TXT
> [2014/02/14 12:04:16.590173,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>

Seems like a dns problem ???

> ----------------------- attachments --------------------------
>
> 2) kinit, klist
> root at ulysses:/etc# kinit administrator
> Password for administrator at SERBE.LOCAL:
> root at ulysses:/etc# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at SERBE.LOCAL
>
> Valid starting       Expires              Service principal
> 14.02.2014 12:07:15  14.02.2014 22:07:15  krbtgt/SERBE.LOCAL at SERBE.LOCAL
>         renew until 15.02.2014 12:07:12
>
>   Calling samba_kcc script
>
>
> ----------------------- attachments --------------------------
>
> 3) smbclient //localhost/netlogon -U% -d3
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
> Processing section "[global]"
> added interface eth0 ip=192.168.41.10 bcast=192.168.41.255 netmask=255.255.255.0
> Client started (version 4.2.0pre1-GIT-0535f73).
> Connecting to ::1 at port 445
> session setup failed: NT_STATUS_OBJECT_NAME_NOT_FOUND

If I run your command I get:

Connecting to 127.0.0.1 at port 445
Domain=[HOME] OS=[Unix] Server=[Samba 4.1.4]
tree connect failed: NT_STATUS_ACCESS_DENIED

Yours seems to be trying to connect via ipv6 only.

>
>
> ----------------------- attachments --------------------------
>
> smb.conf-excerpt:
> [global]
>     workgroup = SERBE
>     realm = SERBE.LOCAL
>     netbios name = ULYSSES
>     server string = Ulysses
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>     wins support = yes
>     security = user
>     public = no
>     username map = /usr/local/samba/etc/users.map
>     local master = yes
>     preferred master = yes
>     os level = 65
>     template shell = /bin/bash
>     passdb backend = samba4
>     socket options = TCP_NODELAY IPTOS_LOWDELAY
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/serbe.local/scripts
>     read only = No
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
> [video]
>     path = /srv/raid/video
>     comment = video on raid
>     read only = no
>     inherit acls = yes

Remove these lines, I am sure that you do not need them:

server string = Ulysses
wins support = yes
security = user
public = no
username map = /usr/local/samba/etc/users.map
local master = yes
preferred master = yes
os level = 65
socket options = TCP_NODELAY IPTOS_LOWDELAY

>
> ----------------------- attachments --------------------------
>
> krb5.conf (note: it doesn't log, don't know why...):
> [libdefaults]
>     debug = true
>     default_realm = SERBE.LOCAL
>     kdc_timesync = 1
>     forwardable = true
>     proxiable = true
>     forward = true
>     renewable = true
>     encrypt = true
>     krb4_get_tickets = false
>     krb4_convert = false
>     krb5_get_tickets = true
>
> [realms]
>     SERBE.LOCAL = {
>         kdc = ULYSSES.SERBE.LOCAL:88
>         admin_server = ULYSSES.SERBE.LOCAL:749
>         default_domain = SERBE.LOCAL
>     }
>
> [domain_realm]
>     .serbe.local = SERBE.LOCAL
>     serbe.local = SERBE.LOCAL
>
> [logging]
>     kdc = FILE:/var/log/kdc.log
>     admin_server = FILE:/var/log/kadmin.log
>     default = FILE:/var/log/kadmin.log
>
> [kdc]
> check-ticket-addresses = false
>

krb5.conf only needs to contain this:

[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_realm = SERBE.LOCAL

> ----------------------- attachments --------------------------
>
> nsswitch.conf:
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files winbind ldap
> group:          files winbind ldap
> shadow:         files ldap
>
> hosts:          dns files ldap
> networks:       files ldap
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>

Remove all references to ldap, you are not running an LDAP server

The only other thing that I would suggest is to not run the master
branch of samba4, this is where the development is happening, you would
probably be better off using the latest tarball (4.1.4 at present) or
seeing as how you are using Jessie, just 'apt-get install samba'

Rowland
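
The "dns problem" reading above rests on a Python traceback that samba_dnsupdate wrote into log.samba one line per log entry. The following is an added example, not code from this thread or from Samba, that reassembles such child-script tracebacks so they stand out during triage. The sample is the log excerpt from the original post, with the header/message line layout and the traceback indentation assumed; all function names are this example's own.

```python
import re

# Log excerpt from the original post (attachment 1). The header/message line
# layout and the traceback indentation are assumed; the archive flattened them.
SAMPLE_LOG = '''\
[2014/02/14 11:59:16.526562,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
  Calling samba_kcc script
[2014/02/14 12:03:59.088334,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[2014/02/14 12:03:59.088425,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 469, in <module>
[2014/02/14 12:03:59.088465,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:     d = parse_dns_line(line, sub_vars)
[2014/02/14 12:03:59.088486,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 174, in parse_dns_line
[2014/02/14 12:03:59.088527,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:     return dnsobj(subline)
[2014/02/14 12:03:59.088553,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 152, in __init__
[2014/02/14 12:03:59.088579,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:     raise Exception("Received unexpected DNS reply of type %s" % self.type)
[2014/02/14 12:03:59.088601,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: Exception: Received unexpected DNS reply of type TXT
[2014/02/14 12:04:16.590173,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
'''

# Entry header: "[timestamp, level] source.c:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)$"
)
# Child output relayed by samba_runcmd_io_handler: "<script path>: <one output line>"
CHILD = re.compile(r"^(?P<cmd>/\S+): ?(?P<text>.*)$")
FRAME = re.compile(r'^File "(?P<file>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)$')
# Final traceback line, e.g. "Exception: message" (bare exception names are not handled)
ERROR = re.compile(r"^[A-Za-z_][\w.]*: .+")


def parse_entries(text):
    """Split a Samba log into entries: one header line plus its message lines."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"ts": m["ts"], "level": int(m["level"]),
                   "func": m["func"], "msg": []}
            entries.append(cur)
        elif cur is not None and line:
            cur["msg"].append(line)
    return entries


def child_tracebacks(entries):
    """Reassemble Python tracebacks that a child script emitted line by line."""
    done, open_tb = [], {}
    for e in entries:
        if e["func"] != "samba_runcmd_io_handler":
            continue
        for line in e["msg"]:
            m = CHILD.match(line)
            if not m:
                continue
            cmd, text = m["cmd"], m["text"].strip()
            if text.startswith("Traceback (most recent call last)"):
                open_tb[cmd] = {"cmd": cmd, "first_ts": e["ts"],
                                "frames": [], "error": None}
                continue
            tb = open_tb.get(cmd)
            if tb is None:
                continue  # ordinary child output, not part of a traceback
            f = FRAME.match(text)
            if f:
                tb["frames"].append((f["file"], int(f["line"]), f["func"]))
            elif ERROR.match(text):
                tb["error"] = text
                done.append(open_tb.pop(cmd))
    return done


def triage(text):
    """Return one finding per completed child traceback in the log text."""
    return [
        {"script": tb["cmd"], "when": tb["first_ts"], "error": tb["error"],
         "frames": len(tb["frames"]),
         "raised_at": tb["frames"][-1] if tb["frames"] else None}
        for tb in child_tracebacks(parse_entries(text))
    ]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

To run it against a live server, pass the contents of log.samba to triage() instead of SAMPLE_LOG.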

Maybe this is because testing is testing and as scary as it can be
concerning upgrading. It's better to use backports or recompile to
wheezy. The changes between wheezy and jessie are big for what I'm
seeing atm.

serbe.local can give problems. .local is a reserved TLD.

All below looks good but a few small things..

passwd: files winbind ldap

What's ldap doing there? Should work, but for testing this, maybe you
can remove it temporarily.

If you have resolvconf installed, remove it and manually set your
/etc/resolv.conf. You should check resolv.conf.

I myself use wheezy with samba 4.1.x from backports, sernet and
recompiled versions. All work fine with bind9 from wheezy, and a bind9
from jessie if you really need it, recompile is quickly done.

Best regards,

Louis

>-----Original message-----
>From: peter at serbe.ch [mailto:samba-bounces at lists.samba.org]
>On behalf of Peter Serbe
>Sent: Friday, 14 February 2014 12:38
>To: samba at lists.samba.org
>Subject: [Samba] smbclient broken after update

On 14.02.2014 12:37, Peter Serbe wrote:
> session setup failed: NT_STATUS_OBJECT_NAME_NOT_FOUND

Hi Peter,

some commits have been reverted and smbclient's
NT_STATUS_OBJECT_NAME_NOT_FOUND should be gone now when you build with
latest git master.

Cheers,
Günter