We're using quite successfully a samba 4.1 AD setup for authenticating users. We have, on an irregular basis, mails that can't be delivered because dovecot-pam fails to verify the credentials. I'm trying to debug this and set the loglevel up to 3.

I can see an error message being spammed in the log files and can't figure out what causes this. I expect a configuration error somewhere, although everything else seems to work. Can someone shed some light on this error?

Invalid domain! Expected name in domain [ourdomain.com]. But received [THE-AD-HOSTNAME]!
../source4/rpc_server/netlogon/dcerpc_netlogon.c:2330(dcesrv_netr_DsrEnumerateDomainTrusts)

I don't believe this has anything to do with the initial problem, but I would like to resolve this one as well.
Thank you for your time.
Joe

Setup:
Two identical servers with this samba.conf.

# Global parameters
[global]
workgroup = OURDOMAIN
realm = ourdomain.com
netbios name = THE-AD-HOSTNAME
netbios aliases = SOMETHINGELSE
log level = 3

server role = active directory domain controller
dns forwarder = 192.168.1.254

[netlogon]
path = /var/lib/samba/sysvol/ourdomain.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

--
Johannes Amorosa | Celluloid VFX
Hello Johannes,

Please check your Kerberos realm. The wiki says:

  _Realm:_ ... It will also automatically be used as the Active Directory DNS domain name. The Realm always has to be in uppercase.

I see that yours is realm = ourdomain.com

Regards,
George

On 24.3.2015 14:29, Johannes Amorosa | Celluloid VFX wrote:
> We're using quite successfully a samba 4.1 AD setup for authenticating users. We have, on an irregular basis,
> mails that can't be delivered because dovecot-pam fails to verify the credentials.
> [...]
Realm is advised to be UPPERCASE, not obligatory (but very much advised, yes).

Check the following outputs and post them back to the list (anonymized if needed):

hostname -i
hostname -s
hostname -f
hostname -d

cat /etc/resolv.conf
cat /etc/hosts
cat /etc/mailname

dig MX ourdomain.com @127.0.0.1
dig MX ourdomain.com @192.168.1.254
dig PTR IP_OF_DC

Greetz,

Louis

> -----Original message-----
> From: kable at abv.bg [mailto:samba-bounces at lists.samba.org] On behalf of Georg Georgiev
> Sent: Tuesday, 24 March 2015 14:27
> To: samba at lists.samba.org
> Subject: Re: [Samba] Debugging Samba 4 AD Setup
>
> Hello Johannes,
> Please check your Kerberos realm. The wiki says: _Realm:_ ... It will also
> automatically be used as the Active Directory DNS domain name. The Realm
> always has to be in uppercase.
> I see that yours is realm = ourdomain.com
> Regards,
> George
> [...]
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
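George's realm advice and the netlogon line from the first message can both be checked mechanically. The following is an added example, not code from the Samba project or from anyone in this thread: it parses the [global] section of the posted smb.conf, flags a realm that is not uppercase, and parses the "Invalid domain!" line to relate the expected and received names to the local realm, netbios name and aliases. The config text and the log line are the ones posted above; the function names and the finding wording are my own.

```python
"""Check the posted smb.conf and the netlogon log line from the thread.

Added example; not code from the Samba project or from anyone on the list.
SMB_CONF and LOG_LINE are copied from the messages above; the function
names and finding texts are my own.
"""
import configparser
import re

# [global] section as posted in the thread (constructed from the message).
SMB_CONF = """\
# Global parameters
[global]
workgroup = OURDOMAIN
realm = ourdomain.com
netbios name = THE-AD-HOSTNAME
netbios aliases = SOMETHINGELSE
log level = 3

server role = active directory domain controller
dns forwarder = 192.168.1.254
"""

# The level-3 netlogon message from the first post.
LOG_LINE = ("Invalid domain! Expected name in domain [ourdomain.com]. "
            "But received [THE-AD-HOSTNAME]!")

INVALID_DOMAIN_RE = re.compile(
    r"Invalid domain! Expected name in domain \[(?P<expected>[^\]]*)\]\. "
    r"But received \[(?P<received>[^\]]*)\]!"
)


def parse_global(text):
    """Return the [global] section as {lower-cased key: value}.

    smb.conf is 'key = value' lines with '#' or ';' comments, which
    configparser reads as-is; values keep the author's case.
    """
    cp = configparser.RawConfigParser(comment_prefixes=("#", ";"),
                                      inline_comment_prefixes=None,
                                      strict=False)
    cp.read_string(text)
    return {k.strip().lower(): v.strip() for k, v in cp.items("global")}


def check_global(glob):
    """Return a list of findings for the checks raised in the thread."""
    findings = []
    realm = glob.get("realm", "")
    if not realm:
        findings.append("realm is not set")
    elif realm != realm.upper():
        # George's point: the wiki wants the Kerberos realm in uppercase.
        findings.append(f"realm '{realm}' is not uppercase")
    role = glob.get("server role", "").lower()
    if role == "active directory domain controller" and "dns forwarder" not in glob:
        findings.append("AD DC has no dns forwarder: non-local names will not be forwarded")
    return findings


def triage_invalid_domain(line, glob):
    """Parse the 'Invalid domain!' line and relate its two names to the
    local config.  Returns None when the line is not that message."""
    m = INVALID_DOMAIN_RE.search(line)
    if not m:
        return None
    expected, received = m.group("expected"), m.group("received")
    own_names = {glob.get("netbios name", "").upper()}
    own_names.update(a.upper() for a in glob.get("netbios aliases", "").split())
    own_names.discard("")
    return {
        "expected": expected,
        "received": received,
        # True when the expected name is this DC's own realm.
        "expected_is_realm": expected.lower() == glob.get("realm", "").lower(),
        # True when the client sent this DC's NetBIOS name (or an alias)
        # where the DC expected a domain name.
        "received_is_own_netbios_name": received.upper() in own_names,
    }


if __name__ == "__main__":
    g = parse_global(SMB_CONF)
    for finding in check_global(g):
        print("config:", finding)
    print("log:", triage_invalid_domain(LOG_LINE, g))
```

Run against the posted config, the script reports the lowercase realm and shows that the received name in the log line is this DC's own netbios name while the expected name is its realm; that is the observation to carry into further debugging, not a diagnosis by itself.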
Hi Louis,
answers are inline ...

On 03/24/2015 03:48 PM, L.P.H. van Belle wrote:
> Realm is advised to be UPPERCASE, not obligatory (but very much advised, yes).
I changed the config to uppercase and rebooted, no change in the logfiles.

> Check the following outputs and post them back to the list (anonymized if needed):
>
> hostname -i
192.168.1.235
> hostname -s
the-ad-hostname
> hostname -f
the-ad-hostname.ourdomain.com
> hostname -d
ourdomain.com
>
> cat /etc/resolv.conf
nameserver 192.168.1.236
nameserver 192.168.1.235
search ourdomain.com

> cat /etc/hosts
127.0.0.1 localhost
192.168.1.235 the-ad-hostname.ourdomain.com the-ad-hostname
<snip>

> cat /etc/mailname
cat: /etc/mailname: No such file or directory

> dig MX ourdomain.com @127.0.0.1
; <<>> DiG 9.8.1-P1 <<>> MX ourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3733
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ourdomain.com.			IN	MX

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 24 15:58:44 2015
;; MSG SIZE  rcvd: 34

> dig MX ourdomain.com @192.168.1.254
; <<>> DiG 9.8.1-P1 <<>> MX ourdomain.com @192.168.1.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1156
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ourdomain.com.			IN	MX

;; AUTHORITY SECTION:
.			10800	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2015032400 1800 900 604800 86400

;; Query time: 73 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Tue Mar 24 16:00:07 2015
;; MSG SIZE  rcvd: 109

> dig PTR IP_OF_DC
; <<>> DiG 9.8.1-P1 <<>> PTR the-ad-hostname
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6806
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;the-ad-hostname.		IN	PTR

;; Query time: 43 msec
;; SERVER: 192.168.1.236#53(192.168.1.236)
;; WHEN: Tue Mar 24 16:00:57 2015
;; MSG SIZE  rcvd: 39

> Greetz,
>
> Louis

Thank you for your time.

> [...]

--
Johannes Amorosa | Celluloid VFX
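The three dig outputs Joe posted can be read by a script rather than by eye. The following is an added example, not code from anyone on the list: it pulls the status, header flags, section counts, question and answering server out of dig's text output and reports what each answer means for a DC operator. The three sample outputs are constructed from the ones above (trimmed to the lines the checks need, with the same host names, addresses and ids); the function names and finding wording are my own. It goes one step beyond the thread by also checking whether a PTR query was sent for a reverse name (in-addr.arpa / ip6.arpa) at all, since the posted PTR query went to a plain host name.

```python
"""Parse the dig outputs from the thread and say what each one means.

Added example; not code from anyone on the list.  The three DIG_* strings
are constructed from the outputs posted above (trimmed to the lines the
checks need); function names and finding texts are my own.
"""
import re

DIG_DC_MX = """\
; <<>> DiG 9.8.1-P1 <<>> MX ourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3733
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ourdomain.com.\t\t\tIN\tMX

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

DIG_FWD_MX = """\
; <<>> DiG 9.8.1-P1 <<>> MX ourdomain.com @192.168.1.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1156
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ourdomain.com.\t\t\tIN\tMX

;; AUTHORITY SECTION:
.\t\t\t10800\tIN\tSOA\ta.root-servers.net. nstld.verisign-grs.com. 2015032400 1800 900 604800 86400

;; Query time: 73 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
"""

DIG_PTR = """\
; <<>> DiG 9.8.1-P1 <<>> PTR the-ad-hostname
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6806
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;the-ad-hostname.\t\t\tIN\tPTR

;; Query time: 43 msec
;; SERVER: 192.168.1.236#53(192.168.1.236)
"""

HEADER_RE = re.compile(r"status: (?P<status>\w+), id: (?P<id>\d+)")
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[^;]*);.*ANSWER: (?P<answer>\d+), "
                      r"AUTHORITY: (?P<authority>\d+)", re.M)
# The question line is the only one that starts with a single ';' glued
# to a name: ';<qname>  IN  <qtype>'.
QUESTION_RE = re.compile(r"^;(?P<qname>\S+)\s+IN\s+(?P<qtype>\S+)\s*$", re.M)
SERVER_RE = re.compile(r"^;; SERVER: (?P<server>[^#\s]+)#", re.M)


def parse_dig(text):
    """Extract status, flags, counts, question and answering server."""
    h = HEADER_RE.search(text)
    f = FLAGS_RE.search(text)
    q = QUESTION_RE.search(text)
    s = SERVER_RE.search(text)
    if not (h and f and q and s):
        raise ValueError("not a complete dig output")
    return {
        "status": h.group("status"),
        "flags": set(f.group("flags").split()),
        "answer": int(f.group("answer")),
        "authority": int(f.group("authority")),
        "qname": q.group("qname"),
        "qtype": q.group("qtype"),
        "server": s.group("server"),
    }


def assess(d):
    """Turn one parsed answer into operator-readable findings."""
    findings = []
    if d["qtype"] == "PTR" and not d["qname"].endswith((".in-addr.arpa.", ".ip6.arpa.")):
        # A PTR lookup takes a reverse name; 'dig -x <IP>' builds it.
        findings.append(f"PTR query for '{d['qname']}' is not a reverse name; use dig -x <IP>")
    if d["status"] == "NXDOMAIN":
        findings.append(f"{d['server']} says {d['qname']} does not exist")
    elif d["status"] == "NOERROR" and d["answer"] == 0:
        auth = "authoritative" if "aa" in d["flags"] else "non-authoritative"
        findings.append(f"{d['server']} ({auth}) has no {d['qtype']} record for {d['qname']}")
    return findings


if __name__ == "__main__":
    for label, text in (("DC MX", DIG_DC_MX), ("forwarder MX", DIG_FWD_MX), ("PTR", DIG_PTR)):
        for finding in assess(parse_dig(text)):
            print(f"{label}: {finding}")
```

On the posted outputs this reports that the DC itself answers authoritatively with no MX record for the zone, that the forwarder returns NXDOMAIN for the domain (it is an internal name unknown to public DNS), and that the PTR query was sent for a host name instead of a reverse name, which is why Louis asks for the lookup again.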
All looks ok so far, but can you give me the output of

dig PTR the-ad-hostname.ourdomain.com

just to be sure.

What's your OS running? Is dovecot running on the same server? Is dovecot auth running as root?

The output of:

cat /etc/pamd.d/imap
cat /etc/pamd.d/pop3
cat /etc/pamd.d/mail

And how many auth requests are you getting? Default is 100.

Greetz,

Louis

> -----Original message-----
> From: johannesa at celluloid-vfx.com [mailto:samba-bounces at lists.samba.org] On behalf of Johannes Amorosa | Celluloid VFX
> Sent: Tuesday, 24 March 2015 16:04
> To: samba at lists.samba.org
> Subject: Re: [Samba] Debugging Samba 4 AD Setup
>
> Hi Louis,
> answers are inline ...
> [...]