Matthias Busch
2015-Mar-12 21:08 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - internal dns problems
> Hi, please don't use .local, you say that no apple devices will come near, but what about an iphone ? and what about avahi ?
>
> When you ran configure, you might as well just run it like this: ./configure
>
> All the rest are defaults and you do not really need debug.
>
> You only need to alter /etc/nsswitch.conf (yes that's the one) if you want/need your users to log into the DC.
>
> Rowland

Peter convinced me to not use .local from now on.

But the .local should not be able to cause my problems?

And yeah, for now, this is for testing/learning purposes. If it works (good/reliable enough) I plan to use it for my home network, maybe add radius for wifi.
And I can guarantee that no apple devices are coming near that network. And if some guest would bring one, he can survive without bonjour and zeroconf.
Avahi is running, I've seen that. Wouldn't miss it if it were gone either.

When I ran configure, I did not know which were the default switches, and since I had trouble in the first place I enabled debug.

My nsswitch.conf I posted down below. I have no clue how to interpret the content...

---

> At least w.r.t. the Bind backend this fear is not necessary. It is indeed exactly what I do. The AD-DNS is only authoritative to "domain.samdom.com", not to "samdom.com". There is only one little trick necessary if You got a slave nameserver, which is tied to Your AD-DC server.
>
> Note the line "forwarders{}", which will ensure, that the local DNS server doesn't ask the public DNS, which is authoritative for the public "samdom.com". You would then get the IP of "samdom.com" when looking up a local host.
>
> But I agree, that this is a bit of perfectionism. One can do things simpler. On the other hand: one of my two DCs was down for a week (the one 70km away in the "weekend" apartment), but the whole network worked flawlessly. These Arm based appliances are definitely less reliable than ordinary PC H/W. I use slave DNS servers on my file servers, which keep at least DNS working whatever the Raspi or the Cubieboard do (better: don't do...).

As I said before, I would like to stay clear of bind if I can. At least for now. It adds one more level to configure, administer and troubleshoot.

I think adding components like a 2nd DC or a slave ns or a second dhcp* for redundancy may be a great idea later when the system is in production and does not perform as reliably as expected.
In the meantime, clients still work without DC, static ips or router dhcp can push corrected ip/dns settings and radius can be configured to use fallback user/pass if AD goes down...

*DHCP: Still haven't decided if I should change router dhcp to push out AD DNS and domain name or disable router dhcp and get my own dhcp going - including dynamic dns updates...

---

kerberos still isn't working and I don't know enough about kerberos yet to really troubleshoot or see problems in logs...

after further googling I think I may have been in the wrong when I copied the samba supplied krb5.conf over the one in /etc.
so I restored the one in etc and added the samba one...

the change(s) in the krb5.conf did not help...

--- this is my /etc/krb5.conf

[libdefaults]
    default_realm = MY-DOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    MY-DOMAIN.LOCAL = {
        kdc = adserver.my-domain.local               <-- tried with adserver
        admin_server = adserver.my-domain.local          and adserver.my-domain.local
    }

    ... lots of .MIT.EDU entries ...

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .slac.stanford.edu = SLAC.STANFORD.EDU
    .toronto.edu = UTORONTO.CA
    .utoronto.ca = UTORONTO.CA

[login]
    krb4_convert = true
    krb4_get_tickets = false

--- this is my /etc/nsswitch.conf:

passwd:         compat
group:          compat
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

---

Matze
Rowland Penny
2015-Mar-12 21:31 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - internal dns problems
On 12/03/15 21:08, Matthias Busch wrote:
>> Hi, please don't use .local, you say that no apple devices will come near, but what about an iphone ? and what about avahi ?
>
>> When you ran configure, you might as well just run it like this: ./configure
>
>> All the rest are defaults and you do not really need debug.
>
>> You only need to alter /etc/nsswitch.conf (yes that's the one) if you want/need your users to log into the DC.
>
>> Rowland
>
> Peter convinced me to not use .local from now on.
>
> But the .local should not be able to cause my problems?
>
> And yeah, for now, this is for testing/learning purposes. If it works (good/reliable enough) I plan to use it for my home network, maybe add radius for wifi.
> And I can guarantee that no apple devices are coming near that network. And if some guest would bring one, he can survive without bonjour and zeroconf.
> Avahi is running, I've seen that. Wouldn't miss it if it were gone either.
>
> When I ran configure, I did not know which were the default switches, and since I had trouble in the first place I enabled debug.
>
> My nsswitch.conf I posted down below. I have no clue how to interpret the content...
>
> ---
>
>> At least w.r.t. the Bind backend this fear is not necessary. It is indeed exactly what I do. The AD-DNS is only authoritative to "domain.samdom.com", not to "samdom.com". There is only one little trick necessary if You got a slave nameserver, which is tied to Your AD-DC server.
>
>> Note the line "forwarders{}", which will ensure, that the local DNS server doesn't ask the public DNS, which is authoritative for the public "samdom.com". You would then get the IP of "samdom.com" when looking up a local host.
>
>> But I agree, that this is a bit of perfectionism. One can do things simpler. On the other hand: one of my two DCs was down for a week (the one 70km away in the "weekend" apartment), but the whole network worked flawlessly. These Arm based appliances are definitely less reliable than ordinary PC H/W. I use slave DNS servers on my file servers, which keep at least DNS working whatever the Raspi or the Cubieboard do (better: don't do...).
>
> As I said before, I would like to stay clear of bind if I can. At least for now. It adds one more level to configure, administer and troubleshoot.
>
> I think adding components like a 2nd DC or a slave ns or a second dhcp* for redundancy may be a great idea later when the system is in production and does not perform as reliably as expected.
> In the meantime, clients still work without DC, static ips or router dhcp can push corrected ip/dns settings and radius can be configured to use fallback user/pass if AD goes down...
>
> *DHCP: Still haven't decided if I should change router dhcp to push out AD DNS and domain name or disable router dhcp and get my own dhcp going - including dynamic dns updates...
>

The AD dns must be handled by the DC, you can use either the internal dns server or bind9, the choice is yours. DHCP can be from your router or on the DC, but if you do go down the latter path, you will need to use Bind9 as there seems to be a problem with the internal dns server & DHCP.

> ---
>
> kerberos still isn't working and I don't know enough about kerberos yet to really troubleshoot or see problems in logs...
>
> after further googling I think I may have been in the wrong when I copied the samba supplied krb5.conf over the one in /etc.
> so I restored the one in etc and added the samba one...
>

No you weren't wrong, put krb5.conf back to how you had it, you only need 4 lines.

> the change(s) in the krb5.conf did not help...
>
> --- this is my /etc/krb5.conf
>
> [libdefaults]
>     default_realm = MY-DOMAIN.LOCAL
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> # The following krb5.conf variables are only for MIT Kerberos.
>     krb4_config = /etc/krb.conf
>     krb4_realms = /etc/krb.realms
>     kdc_timesync = 1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
>     v4_instance_resolve = false
>     v4_name_convert = {
>         host = {
>             rcmd = host
>             ftp = ftp
>         }
>         plain = {
>             something = something-else
>         }
>     }
>     fcc-mit-ticketflags = true
>
> [realms]
>     MY-DOMAIN.LOCAL = {
>         kdc = adserver.my-domain.local               <-- tried with adserver
>         admin_server = adserver.my-domain.local          and adserver.my-domain.local
>     }
>
>     ... lots of .MIT.EDU entries ...
>
> [domain_realm]
>     .mit.edu = ATHENA.MIT.EDU
>     mit.edu = ATHENA.MIT.EDU
>     .media.mit.edu = MEDIA-LAB.MIT.EDU
>     media.mit.edu = MEDIA-LAB.MIT.EDU
>     .csail.mit.edu = CSAIL.MIT.EDU
>     csail.mit.edu = CSAIL.MIT.EDU
>     .whoi.edu = ATHENA.MIT.EDU
>     whoi.edu = ATHENA.MIT.EDU
>     .stanford.edu = stanford.edu
>     .slac.stanford.edu = SLAC.STANFORD.EDU
>     .toronto.edu = UTORONTO.CA
>     .utoronto.ca = UTORONTO.CA
>
> [login]
>     krb4_convert = true
>     krb4_get_tickets = false
>
> --- this is my /etc/nsswitch.conf:
>
> passwd:         compat
> group:          compat
> shadow:         compat
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> ---
>
> Matze
>

Have a look here: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server particularly the 'Make domain users/groups available locally through Winbind' part

Rowland
Matthias Busch
2015-Mar-12 21:37 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - kerbal problem / ipv6?
further testing, log reading and googling has revealed further possible problem sources... with ipv6?

my syslog shows the following errors:

---
Mar 12 18:08:10 ADServer samba[2161]: [2015/03/12 18:08:10.134418, 0] ../source4/smbd/server.c:488(binary_smbd_main)
Mar 12 18:08:10 ADServer samba[2161]: samba: using 'standard' process model
Mar 12 18:08:10 ADServer samba[2238]: [2015/03/12 18:08:10.480443, 0] ../source4/cldap_server/cldap_server.c:122(cldapd_add_socket)
Mar 12 18:08:10 ADServer samba[2238]: Failed to bind to ipv6::::389 - NT_STATUS_INVALID_PARAMETER_MIX
Mar 12 18:08:10 ADServer samba[2233]: [2015/03/12 18:08:10.524957, 0] ../source4/rpc_server/dcerpc_server.c:1708(add_socket_rpc_tcp_iface)
Mar 12 18:08:10 ADServer samba[2233]: service_setup_stream_socket(address=::,port=0) failed - NT_STATUS_INVALID_PARAMETER_MIX
Mar 12 18:08:10 ADServer samba[2233]: [2015/03/12 18:08:10.584816, 0] ../source4/rpc_server/dcerpc_server.c:1708(add_socket_rpc_tcp_iface)
Mar 12 18:08:10 ADServer samba[2233]: service_setup_stream_socket(address=::,port=135) failed - NT_STATUS_INVALID_PARAMETER_MIX
Mar 12 18:08:10 ADServer samba[2161]: [2015/03/12 18:08:10.862890, 0] ../lib/util/become_daemon.c:136(daemon_ready)
Mar 12 18:08:10 ADServer samba[2239]: [2015/03/12 18:08:10.998189, 0] ../source4/kdc/kdc.c:672(kdc_add_socket)
Mar 12 18:08:11 ADServer samba[2239]: Failed to bind to :::88 TCP - NT_STATUS_INVALID_PARAMETER_MIX
Mar 12 18:08:11 ADServer samba[2239]: [2015/03/12 18:08:11.047385, 0] ../source4/kdc/kdc.c:672(kdc_add_socket)
Mar 12 18:08:11 ADServer samba[2239]: Failed to bind to :::464 TCP - NT_STATUS_INVALID_PARAMETER_MIX
Mar 12 18:08:11 ADServer samba[2251]: [2015/03/12 18:08:11.307424, 0] ../source4/dns_server/dns_server.c:629(dns_add_socket)
Mar 12 18:08:11 ADServer samba[2251]: Failed to bind to :::53 TCP - NT_STATUS_INVALID_PARAMETER_MIX
Mar 12 18:08:20 ADServer smbd[2235]: [2015/03/12 18:08:20.566000, 0] ../lib/util/become_daemon.c:136(daemon_ready)
Mar 12 18:08:20 ADServer smbd[2235]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
open_socket_in(): socket() call failed: Address family not supported by protocol
Mar 12 18:08:20 ADServer smbd[2235]: [2015/03/12 18:08:20.636667, 0] ../source3/smbd/server.c:673(smbd_open_one_socket)
Mar 12 18:08:20 ADServer smbd[2235]: smbd_open_once_socket: open_socket_in: Address family not supported by protocol
Mar 12 18:08:20 ADServer smbd[2235]: [2015/03/12 18:08:20.687569, 0] ../source3/lib/util_sock.c:423(open_socket_in)
Mar 12 18:08:20 ADServer smbd[2235]: open_socket_in(): socket() call failed: Address family not supported by protocol
Mar 12 18:08:20 ADServer smbd[2235]: [2015/03/12 18:08:20.690615, 0] ../source3/smbd/server.c:673(smbd_open_one_socket)
Mar 12 18:08:20 ADServer smbd[2235]: smbd_open_once_socket: open_socket_in: Address family not supported by protocol
Mar 12 18:08:31 ADServer samba[2250]: [2015/03/12 18:08:31.153311, 0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
Mar 12 18:08:31 ADServer samba[2250]: ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT
Mar 12 18:08:31 ADServer samba[2250]: [2015/03/12 18:08:31.202635, 0] ../source4/dsdb/dns/dns_update.c:323(dnsupdate_spnupdate_done)
Mar 12 18:08:31 ADServer samba[2250]: ../source4/dsdb/dns/dns_update.c:323: Failed SPN update - NT_STATUS_IO_TIMEOUT
Mar 12 18:08:34 ADServer samba[2237]: [2015/03/12 18:08:34.649153, 0] ../source4/ldap_server/ldap_server.c:821(add_socket)
Mar 12 18:08:34 ADServer samba[2237]: ldapsrv failed to bind to :::389 - NT_STATUS_INVALID_PARAMETER_MIX
---

those errors look to me like they are ipv6 related, which I think I disabled during configure...
And it may be that those can all be ignored. But I am not certain that this is not a symptom for something more serious...

--- netstat -n -l -p -u -t output

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      2237/samba
tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      2237/samba
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2237/samba
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      2233/samba
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2235/smbd
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      2239/samba
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2251/samba
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2187/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2031/cupsd
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      2239/samba
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      2237/samba
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2235/smbd
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      2233/samba
udp        0      0 192.168.7.254:464       0.0.0.0:*                           2239/samba
udp        0      0 0.0.0.0:464             0.0.0.0:*                           2239/samba
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2251/samba
udp        0      0 192.168.7.254:88        0.0.0.0:*                           2239/samba
udp        0      0 0.0.0.0:88              0.0.0.0:*                           2239/samba
udp        0      0 0.0.0.0:631             0.0.0.0:*                           2031/cupsd
udp        0      0 192.168.7.254:123       0.0.0.0:*                           2081/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           2081/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           2081/ntpd
udp        0      0 192.168.7.254:389       0.0.0.0:*                           2238/samba
udp        0      0 0.0.0.0:389             0.0.0.0:*                           2238/samba
udp        0      0 192.168.7.254:137       0.0.0.0:*                           2234/samba
udp        0      0 192.168.7.255:137       0.0.0.0:*                           2234/samba
udp        0      0 0.0.0.0:137             0.0.0.0:*                           2234/samba
udp        0      0 192.168.7.254:138       0.0.0.0:*                           2234/samba
udp        0      0 192.168.7.255:138       0.0.0.0:*                           2234/samba
udp        0      0 0.0.0.0:138             0.0.0.0:*                           2234/samba

Doesn't look too bad... but I don't see kerberos?
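A way to sort syslog lines like those above mechanically, as an added example that is not part of the thread: it separates the IPv6 wildcard-bind failures (which a host with IPv6 disabled logs for every Samba service) from the DNS/SPN self-update timeouts, which have nothing to do with IPv6 and are the lines worth chasing. The sample lines are a constructed subset of the log above; the verdict wording is mine, not Samba's.

```python
"""Triage Samba AD DC startup messages from syslog.

Added example, not code from the thread: it separates IPv6 wildcard bind
failures (NT_STATUS_INVALID_PARAMETER_MIX on a '::' address, which a host with
IPv6 disabled logs for every service) from the DNS/SPN self-update timeouts,
which have nothing to do with IPv6 and are the lines worth chasing.
"""
import re

# Constructed sample: a subset of the syslog lines quoted in the thread.
SAMPLE_LOG = """\
Mar 12 18:08:10 ADServer samba[2238]: Failed to bind to ipv6::::389 - NT_STATUS_INVALID_PARAMETER_MIX
Mar 12 18:08:10 ADServer samba[2233]: service_setup_stream_socket(address=::,port=135) failed - NT_STATUS_INVALID_PARAMETER_MIX
Mar 12 18:08:11 ADServer samba[2239]: Failed to bind to :::88 TCP - NT_STATUS_INVALID_PARAMETER_MIX
Mar 12 18:08:11 ADServer samba[2251]: Failed to bind to :::53 TCP - NT_STATUS_INVALID_PARAMETER_MIX
Mar 12 18:08:20 ADServer smbd[2235]: open_socket_in(): socket() call failed: Address family not supported by protocol
Mar 12 18:08:31 ADServer samba[2250]: ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT
Mar 12 18:08:31 ADServer samba[2250]: ../source4/dsdb/dns/dns_update.c:323: Failed SPN update - NT_STATUS_IO_TIMEOUT
Mar 12 18:08:34 ADServer samba[2237]: ldapsrv failed to bind to :::389 - NT_STATUS_INVALID_PARAMETER_MIX
"""

SYSLOG_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (\w+)\[(\d+)\]: (.*)$")
# Samba writes the IPv6 wildcard as ':::<port>', 'ipv6::::<port>' or 'address=::,port=<port>'.
PORT_RE = re.compile(r"(?:::|port=)(\d+)")
IPV6_MIX = "NT_STATUS_INVALID_PARAMETER_MIX"
AF_UNSUPPORTED = "Address family not supported by protocol"


def parse_line(line):
    """Split one syslog line into (daemon, pid, message), or None if it is not one."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    daemon, pid, msg = m.groups()
    return daemon, int(pid), msg


def triage(log_text):
    """Bucket the lines: ipv6_bind -> [(daemon, pid, port)], ipv6_socket -> count,
    dns_update -> [message], other -> [message]."""
    report = {"ipv6_bind": [], "ipv6_socket": 0, "dns_update": [], "other": []}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        daemon, pid, msg = parsed
        if IPV6_MIX in msg and "::" in msg:
            port = PORT_RE.search(msg)
            report["ipv6_bind"].append((daemon, pid, int(port.group(1)) if port else None))
        elif AF_UNSUPPORTED in msg:
            # smbd's socket(AF_INET6) failing: same root cause, no port to extract
            report["ipv6_socket"] += 1
        elif "NT_STATUS_IO_TIMEOUT" in msg and "update" in msg:
            # drop the source file:line prefix, keep "Failed DNS update - ..."
            report["dns_update"].append(msg.split(": ", 1)[-1])
        else:
            report["other"].append(msg)
    return report


def verdict(report, ipv6_disabled=True):
    """Turn the buckets into findings; ipv6_disabled is what the admin believes
    about the host, and decides whether the bind failures are noise."""
    findings = []
    if report["ipv6_bind"] or report["ipv6_socket"]:
        ports = sorted({p for _, _, p in report["ipv6_bind"] if p is not None})
        if ipv6_disabled:
            findings.append("IPv6 bind failures on ports %s: expected with IPv6 off, ignorable" % ports)
        else:
            findings.append("IPv6 bind failures on ports %s although IPv6 is enabled: investigate" % ports)
    for msg in report["dns_update"]:
        findings.append("%s: not an IPv6 symptom; the DC could not register its own "
                        "records, check that it resolves via its own DNS server" % msg)
    return findings


if __name__ == "__main__":
    for finding in verdict(triage(SAMPLE_LOG)):
        print(finding)
```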
Matthias Busch
2015-Mar-12 21:38 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - krb5 problem / ipv6?
Peter Serbe
2015-Mar-12 21:57 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - internal dns problems
Matthias Busch wrote on 12.03.2015 22:08:
> --- this is my /etc/krb5.conf
>
> [libdefaults]
>     default_realm = MY-DOMAIN.LOCAL
>     dns_lookup_realm = false
>     dns_lookup_kdc = true

add these (partly done below)
    forwardable = true
    renewable = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    debug = false

delete from here .....

> # The following krb5.conf variables are only for MIT Kerberos.
>     krb4_config = /etc/krb.conf
>     krb4_realms = /etc/krb.realms
>     kdc_timesync = 1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
>     v4_instance_resolve = false
>     v4_name_convert = {
>         host = {
>             rcmd = host
>             ftp = ftp
>         }
>         plain = {
>             something = something-else
>         }
>     }
>     fcc-mit-ticketflags = true

.... to here.

> [realms]
>     MY-DOMAIN.LOCAL = {
>         kdc = adserver.my-domain.local               <-- tried with adserver
>         admin_server = adserver.my-domain.local          and adserver.my-domain.local

add:
    default_domain = my-domain.local

>     }

delete from here ......

>     ... lots of .MIT.EDU entries ...

.... to here

> [domain_realm]

should be:
    .my-domain.local = MY-DOMAIN.LOCAL
    my-domain.local = MY-DOMAIN.LOCAL

[logging]
    # kdc = /var/log/kdc.log
    # admin_server = /var/log/kadmin.log
    default = /var/log/kdc.log

delete the remaining stuff...

>     .mit.edu = ATHENA.MIT.EDU
>     mit.edu = ATHENA.MIT.EDU
>     .media.mit.edu = MEDIA-LAB.MIT.EDU
>     media.mit.edu = MEDIA-LAB.MIT.EDU
>     .csail.mit.edu = CSAIL.MIT.EDU
>     csail.mit.edu = CSAIL.MIT.EDU
>     .whoi.edu = ATHENA.MIT.EDU
>     whoi.edu = ATHENA.MIT.EDU
>     .stanford.edu = stanford.edu
>     .slac.stanford.edu = SLAC.STANFORD.EDU
>     .toronto.edu = UTORONTO.CA
>     .utoronto.ca = UTORONTO.CA
>
> [login]
>     krb4_convert = true
>     krb4_get_tickets = false
>

Regarding the nsswitch.conf I am a bit clueless. I use sssd, and therefore nearly all the lines got an sss as second entry. Maybe winbind would be the correct one for You. But this should be examined _after_ Kerberos is working OK. At least we now know, that Kerberos couldn't have worked with this configuration. Btw, we would like to check the smb.conf, too...

HTH
Peter

> --- this is my /etc/nsswitch.conf:
>
> passwd:         compat
> group:          compat
> shadow:         compat
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> ---
>
> Matze
Peter Serbe
2015-Mar-12 22:01 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - krb5 problem / ipv6?
Matthias Busch wrote on 12.03.2015 22:38:
> further testing, log reading and googling has revealed further possible problem sources... with ipv6?

I think to remember vaguely... on my very first tests running Samba 4.0 I used the home.local as domain name - and I had to completely disable IP v6. This has vanished when I switched over to home.serbe.ch... but maybe I eradicated lots of other errors, too...
Rowland Penny
2015-Mar-12 22:05 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - internal dns problems
On 12/03/15 21:57, Peter Serbe wrote:
>
> Matthias Busch wrote on 12.03.2015 22:08:
>
>> --- this is my /etc/krb5.conf
>>
>> [libdefaults]
>>     default_realm = MY-DOMAIN.LOCAL
>>     dns_lookup_realm = false
>>     dns_lookup_kdc = true
>
> add these (partly done below)
>     forwardable = true
>     renewable = true
>     ticket_lifetime = 24h
>     renew_lifetime = 7d
>     debug = false
>
> delete from here .....
>
>> # The following krb5.conf variables are only for MIT Kerberos.
>>     krb4_config = /etc/krb.conf
>>     krb4_realms = /etc/krb.realms
>>     kdc_timesync = 1
>>     ccache_type = 4
>>     forwardable = true
>>     proxiable = true
>>
>> # The following libdefaults parameters are only for Heimdal Kerberos.
>>     v4_instance_resolve = false
>>     v4_name_convert = {
>>         host = {
>>             rcmd = host
>>             ftp = ftp
>>         }
>>         plain = {
>>             something = something-else
>>         }
>>     }
>>     fcc-mit-ticketflags = true
>
> .... to here.
>
>> [realms]
>>     MY-DOMAIN.LOCAL = {
>>         kdc = adserver.my-domain.local               <-- tried with adserver
>>         admin_server = adserver.my-domain.local          and adserver.my-domain.local
>
> add:
>     default_domain = my-domain.local
>
>>     }
>
> delete from here ......
>
>>     ... lots of .MIT.EDU entries ...
>
> .... to here
>
>> [domain_realm]
>
> should be:
>     .my-domain.local = MY-DOMAIN.LOCAL
>     my-domain.local = MY-DOMAIN.LOCAL
>
> [logging]
>     # kdc = /var/log/kdc.log
>     # admin_server = /var/log/kadmin.log
>     default = /var/log/kdc.log
>
> delete the remaining stuff...
>
>>     .mit.edu = ATHENA.MIT.EDU
>>     mit.edu = ATHENA.MIT.EDU
>>     .media.mit.edu = MEDIA-LAB.MIT.EDU
>>     media.mit.edu = MEDIA-LAB.MIT.EDU
>>     .csail.mit.edu = CSAIL.MIT.EDU
>>     csail.mit.edu = CSAIL.MIT.EDU
>>     .whoi.edu = ATHENA.MIT.EDU
>>     whoi.edu = ATHENA.MIT.EDU
>>     .stanford.edu = stanford.edu
>>     .slac.stanford.edu = SLAC.STANFORD.EDU
>>     .toronto.edu = UTORONTO.CA
>>     .utoronto.ca = UTORONTO.CA
>>
>> [login]
>>     krb4_convert = true
>>     krb4_get_tickets = false
>>
> Regarding the nsswitch.conf I am a bit clueless. I use sssd, and therefore nearly all the lines got an sss as second entry. Maybe winbind would be the correct one for You. But this should be examined _after_ Kerberos is working OK. At least we now know, that Kerberos couldn't have worked with this configuration. Btw, we would like to check the smb.conf, too...
>
> HTH
> Peter
>
>> --- this is my /etc/nsswitch.conf:
>>
>> passwd:         compat
>> group:          compat
>> shadow:         compat
>>
>> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>>
>> ---
>>
>> Matze
>>

Don't add the lines to krb5.conf, you only need the top four lines:

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

and yes, you do need winbind adding to the passwd & group lines in /etc/nsswitch.conf, but you need more, see the wiki page I posted earlier.

Rowland
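Peter and Rowland differ on how much to put in krb5.conf, but agree on what must not be there: a realm other than the AD one, and the distribution template's krb4/Heimdal leftovers. The checker below is an added example (not from the thread, and not Samba's or MIT's code) that parses the section/brace syntax of krb5.conf and reports those problems against both pieces of advice; the sample is a constructed cut-down of the file Matthias posted, with a placeholder KDC host standing in for the MIT entries.

```python
"""Check /etc/krb5.conf against the advice in this thread (added example, not
from the thread or from Samba): default_realm must be the AD realm,
dns_lookup_kdc must be true so the KDC is found through AD's SRV records, and
[realms]/[domain_realm] must not still carry the distribution template's realms.
"""

# Constructed sample: a cut-down version of the file Matthias posted, with a
# placeholder KDC host standing in for the MIT entries.
POSTED_KRB5_CONF = """\
[libdefaults]
    default_realm = MY-DOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
    krb4_config = /etc/krb.conf
    v4_name_convert = {
        host = {
            rcmd = host
        }
    }

[realms]
    MY-DOMAIN.LOCAL = {
        kdc = adserver.my-domain.local
    }
    ATHENA.MIT.EDU = {
        kdc = kdc.placeholder.invalid   # placeholder, not a real host
    }

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU

[login]
    krb4_convert = true
"""

# Rowland's four lines, with the realm from the thread.
MINIMAL_KRB5_CONF = """\
[libdefaults]
    default_realm = MY-DOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
"""

TEMPLATE_LEFTOVERS = ("krb4_config", "krb4_realms", "v4_instance_resolve", "v4_name_convert")


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'key = {' block becomes a nested dict."""
    sections = {}
    stack = []  # innermost open dict last; reset at every [section]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError("setting before any [section]: %r" % raw)
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value
    return sections


def check_krb5_conf(text, expected_realm):
    """Return a list of problems (empty means the file matches the advice)."""
    conf = parse_krb5_conf(text)
    problems = []
    lib = conf.get("libdefaults", {})
    if lib.get("default_realm") != expected_realm:
        problems.append("default_realm is %r, expected %s" % (lib.get("default_realm"), expected_realm))
    if lib.get("dns_lookup_kdc", "").lower() != "true":
        problems.append("dns_lookup_kdc should be true so the KDC is found via SRV records")
    leftovers = [k for k in TEMPLATE_LEFTOVERS if k in lib]
    if leftovers:
        problems.append("libdefaults still has template leftovers: %s" % ", ".join(leftovers))
    foreign = sorted(r for r in conf.get("realms", {}) if r != expected_realm)
    if foreign:
        problems.append("[realms] lists unrelated realms: %s" % ", ".join(foreign))
    mapping = conf.get("domain_realm", {})
    foreign_maps = sorted(d for d, r in mapping.items() if r != expected_realm)
    if foreign_maps:
        problems.append("[domain_realm] maps unrelated domains: %s" % ", ".join(foreign_maps))
    domain = expected_realm.lower()
    if mapping and domain not in mapping and "." + domain not in mapping:
        problems.append("[domain_realm] is present but does not map %s to %s" % (domain, expected_realm))
    if "login" in conf:
        problems.append("[login] carries krb4 settings from the template")
    return problems
```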
Rowland Penny
2015-Mar-12 22:11 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - krb5 problem / ipv6?
On 12/03/15 21:38, Matthias Busch wrote:
> further testing, log reading and googling has revealed further possible problem sources... with ipv6?
>
> my syslog shows the following errors:
>
> ---
> Mar 12 18:08:10 ADServer samba[2161]: [2015/03/12 18:08:10.134418, 0] ../source4/smbd/server.c:488(binary_smbd_main)
> Mar 12 18:08:10 ADServer samba[2161]: samba: using 'standard' process model
> Mar 12 18:08:10 ADServer samba[2238]: [2015/03/12 18:08:10.480443, 0] ../source4/cldap_server/cldap_server.c:122(cldapd_add_socket)
> Mar 12 18:08:10 ADServer samba[2238]: Failed to bind to ipv6::::389 - NT_STATUS_INVALID_PARAMETER_MIX
> Mar 12 18:08:10 ADServer samba[2233]: [2015/03/12 18:08:10.524957, 0] ../source4/rpc_server/dcerpc_server.c:1708(add_socket_rpc_tcp_iface)
> Mar 12 18:08:10 ADServer samba[2233]: service_setup_stream_socket(address=::,port=0) failed - NT_STATUS_INVALID_PARAMETER_MIX
> Mar 12 18:08:10 ADServer samba[2233]: [2015/03/12 18:08:10.584816, 0] ../source4/rpc_server/dcerpc_server.c:1708(add_socket_rpc_tcp_iface)
> Mar 12 18:08:10 ADServer samba[2233]: service_setup_stream_socket(address=::,port=135) failed - NT_STATUS_INVALID_PARAMETER_MIX
> Mar 12 18:08:10 ADServer samba[2161]: [2015/03/12 18:08:10.862890, 0] ../lib/util/become_daemon.c:136(daemon_ready)
> Mar 12 18:08:10 ADServer samba[2239]: [2015/03/12 18:08:10.998189, 0] ../source4/kdc/kdc.c:672(kdc_add_socket)
> Mar 12 18:08:11 ADServer samba[2239]: Failed to bind to :::88 TCP - NT_STATUS_INVALID_PARAMETER_MIX
> Mar 12 18:08:11 ADServer samba[2239]: [2015/03/12 18:08:11.047385, 0] ../source4/kdc/kdc.c:672(kdc_add_socket)
> Mar 12 18:08:11 ADServer samba[2239]: Failed to bind to :::464 TCP - NT_STATUS_INVALID_PARAMETER_MIX
> Mar 12 18:08:11 ADServer samba[2251]: [2015/03/12 18:08:11.307424, 0] ../source4/dns_server/dns_server.c:629(dns_add_socket)
> Mar 12 18:08:11 ADServer samba[2251]: Failed to bind to :::53 TCP - NT_STATUS_INVALID_PARAMETER_MIX
> Mar 12 18:08:20 ADServer smbd[2235]: [2015/03/12 18:08:20.566000, 0] ../lib/util/become_daemon.c:136(daemon_ready)
> Mar 12 18:08:20 ADServer smbd[2235]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
> open_socket_in(): socket() call failed: Address family not supported by protocol
> Mar 12 18:08:20 ADServer smbd[2235]: [2015/03/12 18:08:20.636667, 0] ../source3/smbd/server.c:673(smbd_open_one_socket)
> Mar 12 18:08:20 ADServer smbd[2235]: smbd_open_once_socket: open_socket_in: Address family not supported by protocol
> Mar 12 18:08:20 ADServer smbd[2235]: [2015/03/12 18:08:20.687569, 0] ../source3/lib/util_sock.c:423(open_socket_in)
> Mar 12 18:08:20 ADServer smbd[2235]: open_socket_in(): socket() call failed: Address family not supported by protocol
> Mar 12 18:08:20 ADServer smbd[2235]: [2015/03/12 18:08:20.690615, 0] ../source3/smbd/server.c:673(smbd_open_one_socket)
> Mar 12 18:08:20 ADServer smbd[2235]: smbd_open_once_socket: open_socket_in: Address family not supported by protocol
> Mar 12 18:08:31 ADServer samba[2250]: [2015/03/12 18:08:31.153311, 0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
> Mar 12 18:08:31 ADServer samba[2250]: ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT
> Mar 12 18:08:31 ADServer samba[2250]: [2015/03/12 18:08:31.202635, 0] ../source4/dsdb/dns/dns_update.c:323(dnsupdate_spnupdate_done)
> Mar 12 18:08:31 ADServer samba[2250]: ../source4/dsdb/dns/dns_update.c:323: Failed SPN update - NT_STATUS_IO_TIMEOUT
> Mar 12 18:08:34 ADServer samba[2237]: [2015/03/12 18:08:34.649153, 0] ../source4/ldap_server/ldap_server.c:821(add_socket)
> Mar 12 18:08:34 ADServer samba[2237]: ldapsrv failed to bind to :::389 - NT_STATUS_INVALID_PARAMETER_MIX
>
> ---
>

There is something going on there, how are you starting samba ?

> those errors look to me like they are ipv6 related, which I think I disabled during configure...
> And it may be that those can all be ignored. But I am not certain that this is not a symptom for something more serious...
>
> --- netstat -n -l -p -u -t output
>
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      2237/samba
> tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      2237/samba
> tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2237/samba
> tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      2233/samba
> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2235/smbd
> tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      2239/samba
> tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2251/samba
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2187/sshd
> tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2031/cupsd
> tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      2239/samba
> tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      2237/samba
> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2235/smbd
> tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      2233/samba
> udp        0      0 192.168.7.254:464       0.0.0.0:*                           2239/samba
> udp        0      0 0.0.0.0:464             0.0.0.0:*                           2239/samba
> udp        0      0 0.0.0.0:53              0.0.0.0:*                           2251/samba
> udp        0      0 192.168.7.254:88        0.0.0.0:*                           2239/samba
> udp        0      0 0.0.0.0:88              0.0.0.0:*                           2239/samba
> udp        0      0 0.0.0.0:631             0.0.0.0:*                           2031/cupsd
> udp        0      0 192.168.7.254:123       0.0.0.0:*                           2081/ntpd
> udp        0      0 127.0.0.1:123           0.0.0.0:*                           2081/ntpd
> udp        0      0 0.0.0.0:123             0.0.0.0:*                           2081/ntpd
> udp        0      0 192.168.7.254:389       0.0.0.0:*                           2238/samba
> udp        0      0 0.0.0.0:389             0.0.0.0:*                           2238/samba
> udp        0      0 192.168.7.254:137       0.0.0.0:*                           2234/samba
> udp        0      0 192.168.7.255:137       0.0.0.0:*                           2234/samba
> udp        0      0 0.0.0.0:137             0.0.0.0:*                           2234/samba
> udp        0      0 192.168.7.254:138       0.0.0.0:*                           2234/samba
> udp        0      0 192.168.7.255:138       0.0.0.0:*                           2234/samba
> udp        0      0 0.0.0.0:138             0.0.0.0:*                           2234/samba
>
> Doesn't look too bad... but I don't see kerberos?

OH yes you do!

tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      2239/samba
udp        0      0 192.168.7.254:88        0.0.0.0:*                           2239/samba

Rowland
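Rowland's reading of the netstat listing can be automated. The script below is an added example (not from the thread or from Samba) that parses `netstat -n -l -p -u -t` output and reports which ports an AD DC running the internal DNS server should be serving are missing, and whether something other than samba/smbd holds one of them; Rowland's point about Kerberos (port 88 on TCP and UDP) falls out of the same check. The sample is a constructed subset of the listing above, and the expected-port table is mine.

```python
"""Check that a Samba AD DC is listening where it should (added example, not
from the thread): parses 'netstat -n -l -p -u -t' output like the listing in
this thread and reports expected DC ports that are missing or held by a
process other than samba/smbd. Rowland's point about Kerberos (port 88 is
there, on TCP and UDP) falls out of the same check.
"""
import re

# Constructed sample: a subset of the listing quoted in the thread.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      2237/samba
tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      2237/samba
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2237/samba
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      2233/samba
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2235/smbd
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      2239/samba
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2251/samba
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2187/sshd
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      2239/samba
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      2237/samba
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2235/smbd
udp        0      0 0.0.0.0:464             0.0.0.0:*                           2239/samba
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2251/samba
udp        0      0 192.168.7.254:88        0.0.0.0:*                           2239/samba
udp        0      0 0.0.0.0:88              0.0.0.0:*                           2239/samba
udp        0      0 0.0.0.0:389             0.0.0.0:*                           2238/samba
udp        0      0 0.0.0.0:137             0.0.0.0:*                           2234/samba
udp        0      0 0.0.0.0:138             0.0.0.0:*                           2234/samba
"""

# Ports an AD DC running the internal DNS server is expected to serve (my table).
EXPECTED = {
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 88): "Kerberos KDC", ("udp", 88): "Kerberos KDC",
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 137): "NetBIOS name service", ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "NetBIOS session", ("tcp", 445): "SMB",
    ("tcp", 389): "LDAP", ("udp", 389): "CLDAP", ("tcp", 636): "LDAPS",
    ("tcp", 464): "kpasswd", ("udp", 464): "kpasswd",
    ("tcp", 3268): "global catalog", ("tcp", 3269): "global catalog over SSL",
}

# proto, local address, port, optional LISTEN state, pid/program
LINE_RE = re.compile(
    r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\d+)/(\S+)"
)


def parse_netstat(text):
    """Return {(proto, port): {'pid/program', ...}} for every listening socket."""
    listeners = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # header, or a socket netstat could not attribute ('-' without root)
        proto, _local, port, pid, prog = m.groups()
        listeners.setdefault((proto, int(port)), set()).add("%s/%s" % (pid, prog))
    return listeners


def missing_dc_ports(listeners):
    """Expected (proto, port, service) triples with no listener at all."""
    return sorted((proto, port, name) for (proto, port), name in EXPECTED.items()
                  if (proto, port) not in listeners)


def not_owned_by_samba(listeners):
    """Expected ports where some owner is not samba or smbd (a conflicting daemon,
    e.g. a distribution bind9 on 53 next to the internal DNS server)."""
    return sorted(key for key, owners in listeners.items()
                  if key in EXPECTED and not all(o.endswith(("/samba", "/smbd")) for o in owners))


def report(text):
    """Human-readable summary, as a list of lines."""
    listeners = parse_netstat(text)
    lines = ["%s/%d %s: %s" % (p, port, name, ", ".join(sorted(listeners[(p, port)])))
             for (p, port), name in sorted(EXPECTED.items()) if (p, port) in listeners]
    for proto, port, name in missing_dc_ports(listeners):
        lines.append("MISSING %s/%d %s" % (proto, port, name))
    for proto, port in not_owned_by_samba(listeners):
        lines.append("CONFLICT %s/%d owned by %s" % (proto, port, ", ".join(sorted(listeners[(proto, port)]))))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NETSTAT)))
```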