We're using quite successfully a samba 4.1 AD setup authenticating user.
We have on an unregular basis
mails that can't be delivered because dovecot-pam fails to verify the
credentials. I'm trying to debug
this and set the loglevel up to 3.
I can see an error message being spammed in the log files and can't
figure out what causes this. I expect a configuration error somewhere
although everything else seems to work. Can someone shed some light on
this error.
Invalid domain! Expected name in domain [ourdomain.com]. But received
[THE-AD-HOSTNAME]!
../source4/rpc_server/netlogon/dcerpc_netlogon.c:2330(dcesrv_netr_DsrEnumerateDomainTrusts)
I don't believe this has anything to do with the initial problem, but I
would like to resolve this one aswell.
Thank you for your time.
Joe
Setup:
Two identical servers with this samba.conf.
# Global parameters
[global]
workgroup = OURDOMAIN
realm = ourdomain.com
netbios name = THE-AD-HOSTNAME
netbios aliases = SOMETHINGELSE
log level = 3
server role = active directory domain controller
dns forwarder = 192.168.1.254
[netlogon]
path = /var/lib/samba/sysvol/ourdomain.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
--
Johannes Amorosa | Celluloid VFX
Hello Johannes, Please check your kerberos realm, wiki says: _Realm:_ . It will also automatically be used as the Active Directory DNS domain name. The Realm always has to be in uppercase. I see that your is realm = ourdomain.com Regards, George On 24.3.2015 ?. 14:29 ?., Johannes Amorosa | Celluloid VFX wrote:> We're using quite successfully a samba 4.1 AD setup authenticating > user. We have on an unregular basis > mails that can't be delivered because dovecot-pam fails to verify the > credentials. I'm trying to debug > this and set the loglevel up to 3. > > I can see an error message being spammed in the log files and can't > figure out what causes this. I expect a configuration error somewhere > although everything else seems to work. Can someone shed some light on > this error. > > Invalid domain! Expected name in domain [ourdomain.com]. But received > [THE-AD-HOSTNAME]! > ../source4/rpc_server/netlogon/dcerpc_netlogon.c:2330(dcesrv_netr_DsrEnumerateDomainTrusts) > > > I don't believe this has anything to do with the initial problem, but > I would like to resolve this one aswell. > Thank you for your time. > Joe > > Setup: > Two identical servers with this samba.conf. > > # Global parameters > [global] > workgroup = OURDOMAIN > realm = ourdomain.com > netbios name = THE-AD-HOSTNAME > netbios aliases = SOMETHINGELSE > log level = 3 > > server role = active directory domain controller > dns forwarder = 192.168.1.254 > [netlogon] > path = /var/lib/samba/sysvol/ourdomain.com/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > >
Realm is advices to use UPPERCASE.. not obligated. ( but very advices yes ) check the following outputs and post them back in the list ( if needed anonymized ) hostname -i hostname -s hostname -f hostname -d cat /etc/resolv.conf cat /etc/hosts cat /etc/mailname dig MX ourdomain.com @127.0.0.1 dig MX ourdomain.com @192.168.1.254 dig PTR IP_OF_DC Greetz, Louis>-----Oorspronkelijk bericht----- >Van: kable at abv.bg [mailto:samba-bounces at lists.samba.org] >Namens Georg Georgiev >Verzonden: dinsdag 24 maart 2015 14:27 >Aan: samba at lists.samba.org >Onderwerp: Re: [Samba] Debugging Samba 4 AD Setup > >Hello Johannes, >Please check your kerberos realm, wiki says: _Realm:_ . It will also >automatically be used as the Active Directory DNS domain name. >The Realm >always has to be in uppercase. >I see that your is realm = ourdomain.com >Regards, >George > >On 24.3.2015 ??. 14:29 ??., Johannes Amorosa | Celluloid VFX wrote: >> We're using quite successfully a samba 4.1 AD setup authenticating >> user. We have on an unregular basis >> mails that can't be delivered because dovecot-pam fails to >verify the >> credentials. I'm trying to debug >> this and set the loglevel up to 3. >> >> I can see an error message being spammed in the log files and can't >> figure out what causes this. I expect a configuration error somewhere >> although everything else seems to work. Can someone shed >some light on >> this error. >> >> Invalid domain! Expected name in domain [ourdomain.com]. But >received >> [THE-AD-HOSTNAME]! >> >../source4/rpc_server/netlogon/dcerpc_netlogon.c:2330(dcesrv_ne >tr_DsrEnumerateDomainTrusts) >> >> >> I don't believe this has anything to do with the initial >problem, but >> I would like to resolve this one aswell. >> Thank you for your time. >> Joe >> >> Setup: >> Two identical servers with this samba.conf. >> >> # Global parameters >> [global] >> workgroup = OURDOMAIN >> realm = ourdomain.com >> netbios name = THE-AD-HOSTNAME >> netbios aliases = SOMETHINGELSE >> log level = 3 >> >> server role = active directory domain controller >> dns forwarder = 192.168.1.254 >> [netlogon] >> path = /var/lib/samba/sysvol/ourdomain.com/scripts >> read only = No >> >> [sysvol] >> path = /var/lib/samba/sysvol >> read only = No >> >> > >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba >
Hi Louis, answers are inline ... On 03/24/2015 03:48 PM, L.P.H. van Belle wrote:> Realm is advices to use UPPERCASE.. not obligated. ( but very advices yes )I changed the config to uppercase and rebooted, no change in the logfiles.> > check the following outputs and post them back in the list ( if needed anonymized ) > > hostname -i192.168.1.235> hostname -sthe-ad-hostname> hostname -fthe-ad-hostname.ourdomain.com> hostname -dourdomain.com> > cat /etc/resolv.confnameserver 192.168.1.236 nameserver 192.168.1.235 search ourdomain.com> cat /etc/hosts127.0.0.1 localhost 192.168.1.235 the-ad-hostname.ourdomain.com the-ad-hostname <snip>> cat /etc/mailnamecat: /etc/mailname: No such file or directory> > dig MX ourdomain.com @127.0.0.1; <<>> DiG 9.8.1-P1 <<>> MX ourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3733 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;ourdomain.com. IN MX ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Mar 24 15:58:44 2015 ;; MSG SIZE rcvd: 34> dig MX ourdomain.com @192.168.1.254; <<>> DiG 9.8.1-P1 <<>> MX ourdomain.com @192.168.1.254 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1156 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;ourdomain.com. IN MX ;; AUTHORITY SECTION: . 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015032400 1800 900 604800 86400 ;; Query time: 73 msec ;; SERVER: 192.168.1.254#53(192.168.1.254) ;; WHEN: Tue Mar 24 16:00:07 2015 ;; MSG SIZE rcvd: 109> dig PTR IP_OF_DC; <<>> DiG 9.8.1-P1 <<>> PTR the-ad-hostname ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6806 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4000 ;; QUESTION SECTION: ;the-ad-hostname. IN PTR ;; Query time: 43 msec ;; SERVER: 192.168.1.236#53(192.168.1.236) ;; WHEN: Tue Mar 24 16:00:57 2015 ;; MSG SIZE rcvd: 39> > Greetz, > > Louis > >Thank you for your time.> >> -----Oorspronkelijk bericht----- >> Van: kable at abv.bg [mailto:samba-bounces at lists.samba.org] >> Namens Georg Georgiev >> Verzonden: dinsdag 24 maart 2015 14:27 >> Aan: samba at lists.samba.org >> Onderwerp: Re: [Samba] Debugging Samba 4 AD Setup >> >> Hello Johannes, >> Please check your kerberos realm, wiki says: _Realm:_ . It will also >> automatically be used as the Active Directory DNS domain name. >> The Realm >> always has to be in uppercase. >> I see that your is realm = ourdomain.com >> Regards, >> George >> >> On 24.3.2015 ??. 14:29 ??., Johannes Amorosa | Celluloid VFX wrote: >>> We're using quite successfully a samba 4.1 AD setup authenticating >>> user. We have on an unregular basis >>> mails that can't be delivered because dovecot-pam fails to >> verify the >>> credentials. I'm trying to debug >>> this and set the loglevel up to 3. >>> >>> I can see an error message being spammed in the log files and can't >>> figure out what causes this. I expect a configuration error somewhere >>> although everything else seems to work. Can someone shed >> some light on >>> this error. >>> >>> Invalid domain! Expected name in domain [ourdomain.com]. But >> received >>> [THE-AD-HOSTNAME]! >>> >> ../source4/rpc_server/netlogon/dcerpc_netlogon.c:2330(dcesrv_ne >> tr_DsrEnumerateDomainTrusts) >>> >>> I don't believe this has anything to do with the initial >> problem, but >>> I would like to resolve this one aswell. >>> Thank you for your time. >>> Joe >>> >>> Setup: >>> Two identical servers with this samba.conf. >>> >>> # Global parameters >>> [global] >>> workgroup = OURDOMAIN >>> realm = ourdomain.com >>> netbios name = THE-AD-HOSTNAME >>> netbios aliases = SOMETHINGELSE >>> log level = 3 >>> >>> server role = active directory domain controller >>> dns forwarder = 192.168.1.254 >>> [netlogon] >>> path = /var/lib/samba/sysvol/ourdomain.com/scripts >>> read only = No >>> >>> [sysvol] >>> path = /var/lib/samba/sysvol >>> read only = No >>> >>> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >>-- Johannes Amorosa | Celluloid VFX
all looks ok sofar but can you give me the output, dig PTR the-ad-hostname.ourdomain.com just to be sure. whats your OS running? is dovecot running on the same server? is dovecot auth running as root? the output of : cat /etc/pamd.d/imap cat /etc/pamd.d/pop3 cat /etc/pamd.d/mail and how may auth request are you getting, default is 100 . Greetz, Louis>-----Oorspronkelijk bericht----- >Van: johannesa at celluloid-vfx.com >[mailto:samba-bounces at lists.samba.org] Namens Johannes Amorosa >| Celluloid VFX >Verzonden: dinsdag 24 maart 2015 16:04 >Aan: samba at lists.samba.org >Onderwerp: Re: [Samba] Debugging Samba 4 AD Setup > >Hi Louis, >answers are inline ... > >On 03/24/2015 03:48 PM, L.P.H. van Belle wrote: >> Realm is advices to use UPPERCASE.. not obligated. ( but >very advices yes ) >I changed the config to uppercase and rebooted, no change in >the logfiles. >> >> check the following outputs and post them back in the list ( >if needed anonymized ) >> >> hostname -i >192.168.1.235 >> hostname -s >the-ad-hostname >> hostname -f >the-ad-hostname.ourdomain.com >> hostname -d >ourdomain.com >> >> cat /etc/resolv.conf >nameserver 192.168.1.236 >nameserver 192.168.1.235 >search ourdomain.com > >> cat /etc/hosts >127.0.0.1 localhost >192.168.1.235 the-ad-hostname.ourdomain.com the-ad-hostname ><snip> >> cat /etc/mailname >cat: /etc/mailname: No such file or directory > >> >> dig MX ourdomain.com @127.0.0.1 >; <<>> DiG 9.8.1-P1 <<>> MX ourdomain.com @127.0.0.1 >;; global options: +cmd >;; Got answer: >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3733 >;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 > >;; QUESTION SECTION: >;ourdomain.com. IN MX > >;; Query time: 0 msec >;; SERVER: 127.0.0.1#53(127.0.0.1) >;; WHEN: Tue Mar 24 15:58:44 2015 >;; MSG SIZE rcvd: 34 > >> dig MX ourdomain.com @192.168.1.254 >; <<>> DiG 9.8.1-P1 <<>> MX ourdomain.com @192.168.1.254 >;; global options: +cmd >;; Got answer: >;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1156 >;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 > >;; QUESTION SECTION: >;ourdomain.com. IN MX > >;; AUTHORITY SECTION: >. 10800 IN SOA a.root-servers.net. >nstld.verisign-grs.com. 2015032400 1800 900 604800 86400 > >;; Query time: 73 msec >;; SERVER: 192.168.1.254#53(192.168.1.254) >;; WHEN: Tue Mar 24 16:00:07 2015 >;; MSG SIZE rcvd: 109 > >> dig PTR IP_OF_DC >; <<>> DiG 9.8.1-P1 <<>> PTR the-ad-hostname >;; global options: +cmd >;; Got answer: >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6806 >;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > >;; OPT PSEUDOSECTION: >; EDNS: version: 0, flags:; udp: 4000 >;; QUESTION SECTION: >;the-ad-hostname. IN PTR > >;; Query time: 43 msec >;; SERVER: 192.168.1.236#53(192.168.1.236) >;; WHEN: Tue Mar 24 16:00:57 2015 >;; MSG SIZE rcvd: 39 > >> >> Greetz, >> >> Louis >> >> >Thank you for your time. > >> >>> -----Oorspronkelijk bericht----- >>> Van: kable at abv.bg [mailto:samba-bounces at lists.samba.org] >>> Namens Georg Georgiev >>> Verzonden: dinsdag 24 maart 2015 14:27 >>> Aan: samba at lists.samba.org >>> Onderwerp: Re: [Samba] Debugging Samba 4 AD Setup >>> >>> Hello Johannes, >>> Please check your kerberos realm, wiki says: _Realm:_ . It will also >>> automatically be used as the Active Directory DNS domain name. >>> The Realm >>> always has to be in uppercase. >>> I see that your is realm = ourdomain.com >>> Regards, >>> George >>> >>> On 24.3.2015 ??. 14:29 ??., Johannes Amorosa | Celluloid VFX wrote: >>>> We're using quite successfully a samba 4.1 AD setup authenticating >>>> user. We have on an unregular basis >>>> mails that can't be delivered because dovecot-pam fails to >>> verify the >>>> credentials. I'm trying to debug >>>> this and set the loglevel up to 3. >>>> >>>> I can see an error message being spammed in the log files and can't >>>> figure out what causes this. I expect a configuration >error somewhere >>>> although everything else seems to work. Can someone shed >>> some light on >>>> this error. >>>> >>>> Invalid domain! Expected name in domain [ourdomain.com]. But >>> received >>>> [THE-AD-HOSTNAME]! >>>> >>> ../source4/rpc_server/netlogon/dcerpc_netlogon.c:2330(dcesrv_ne >>> tr_DsrEnumerateDomainTrusts) >>>> >>>> I don't believe this has anything to do with the initial >>> problem, but >>>> I would like to resolve this one aswell. >>>> Thank you for your time. >>>> Joe >>>> >>>> Setup: >>>> Two identical servers with this samba.conf. >>>> >>>> # Global parameters >>>> [global] >>>> workgroup = OURDOMAIN >>>> realm = ourdomain.com >>>> netbios name = THE-AD-HOSTNAME >>>> netbios aliases = SOMETHINGELSE >>>> log level = 3 >>>> >>>> server role = active directory domain controller >>>> dns forwarder = 192.168.1.254 >>>> [netlogon] >>>> path = /var/lib/samba/sysvol/ourdomain.com/scripts >>>> read only = No >>>> >>>> [sysvol] >>>> path = /var/lib/samba/sysvol >>>> read only = No >>>> >>>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> > >-- >Johannes Amorosa | Celluloid VFX > >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba > >