No, it is in production, I just changed the real domain name to DCTEST for confidentiality.

* Avahi is not installed on our server (the print server is on another server).

* resolv.conf is good.

* I read the documentation here https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller [1], and I can't find where it says to modify nsswitch.conf on a server which is ONLY a domain controller. We have modified it on another Ubuntu server (the domain member) as described here https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server [2]

* We do not have iTunes installed on our PCs.

When this problem occurs, no computer can authenticate in the domain (we actually have 170 PCs in the domain and it will soon grow to 700). The only solution is to restart samba. I can NOT reproduce the problem: I have to wait until it occurs. This authentication problem has happened 7 times from 04/06/2015 until now.

Regards,

KELMENI Lulzim
Direction des Systèmes d'Information
Service Systèmes, Réseaux, Bases de données
Mairie de Saint-Ouen

On 02/10/2015 10:43, L.P.H. van Belle wrote:
> Is this a test environment?
>
> ... dctest.local
>
> Don't use .local, reserved name of Apple's mDNS.
>
> Remove avahi from your server.
> Recheck nsswitch.conf so it starts like: passwd: compat winbind
> (so if needed change the order)
>
> Recheck your resolv.conf
> Should be:
> search domainname
> nameserver IP_DC1
>
> And if you have iTunes on your PC, remove it.
> And try again, this is not a samba problem but a configuration problem.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Lulzim KELMENI
>> Sent: Friday 2 October 2015 10:36
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] authentication problems sernet-samba
>>
>> Hello L.P.H,
>>
>> The "Wait for Network" policy is already set and applied to all domain computers.
>>
>> By the way, when we restart samba (service sernet-samba-ad restart), GPOs are applied and users can connect without problem, and the strange logs stop in /var/log/samba/log.samba
>>
>> Regards,
>>
>> KELMENI Lulzim
>> Direction des Systèmes d'Information
>> Service Systèmes, Réseaux, Bases de données
>> Mairie de Saint-Ouen
>>
>> On 02/10/2015 09:12, L.P.H. van Belle wrote:
>>> Hai, see the commented.
>>>
>>> And as extra, disable powersaving on the network card.
>>>
>>> * When users try to connect to the domain, they get a warning saying that the user session has been opened using a local copy of the profile.
>>>
>>> [L.P.H. van Belle] case above, solution also.
>>>
>>> * In the event viewer of the client computer, ldap/server.dctest.local/dc

Links:
------
[1] https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
[2] https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

On 02/10/15 14:34, Lulzim KELMENI wrote:
> No, it is in production, I just changed the real domain name to
> DCTEST for confidentiality.
>
> * Avahi is not installed on our server
> (the print server is on another server)

You sure about that? Did you remove it after installation of the OS, because it is installed as standard.

> * resolv.conf is good.
>
> * I read the documentation here
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
> [1], and I can't find where it says to modify nsswitch.conf on
> a server which is ONLY a domain controller. We have modified it on
> another Ubuntu server (the domain member) as described here
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server [2]
>
> * We do not have iTunes installed on our PCs.
>
> When this problem occurs, no computer can authenticate in the domain
> (we actually have 170 PCs in the domain and it will soon grow to 700).
> The only solution is to restart samba. I can NOT reproduce the problem:
> I have to wait until it occurs. This authentication problem has happened
> 7 times from 04/06/2015 until now.

Then it is probably not a Samba problem, can you change the log level to 10 and then see if something pops up.

I take it that you just use the DC for authentication and no files are served from it (as an aside, you really should have at least two DCs, especially if you are planning to grow the domain), if this is the case, you do not need the nsswitch changes.

Have you looked in the event logs of a PC when it cannot authenticate?

Rowland

Hello Rowland,

I think avahi-daemon is not installed as standard in Ubuntu 14.04.3 LTS. Here is what is on our server:

root at server:~# dpkg -l |grep avahi
ii libavahi-client3:amd64 0.6.31-4ubuntu1 amd64 Avahi client library
ii libavahi-common-data:amd64 0.6.31-4ubuntu1 amd64 Avahi common data files
ii libavahi-common3:amd64 0.6.31-4ubuntu1 amd64 Avahi common library
root at server:~# ps aux |grep -i avah
root 9696 0.0 0.0 11740 948 pts/0 R+ 16:40 0:00 grep --color=auto -i avah

avahi-daemon was installed as a dependency of cups on our print server (which is not the same as the domain controller). But we removed it because of strange behaviour.

> Have you looked in the event logs of a PC when it cannot authenticate?

Yes, we can see these event IDs on multiple clients:

1) Event ID 40960: System has detected an authentication problem for server ldap/server.dctest.local/dctest.local at DCTEST.LOCAL Kerberos "No authority could be contacted for authentication. (0x80090311)"; this event occurs many times.

2) Event ID 1129, related to GPOs that are not applied, as a consequence of the authentication problem.

As soon as I restart samba, computers and users can authenticate against the domain.

Cheers,

KELMENI Lulzim
Direction des Systèmes d'Information
Service Systèmes, Réseaux, Bases de données
Mairie de Saint-Ouen

On 02/10/2015 16:06, Rowland Penny wrote:
> On 02/10/15 14:34, Lulzim KELMENI wrote:
>> No, it is in production, I just changed the real domain name to DCTEST for confidentiality.
>>
>> * Avahi is not installed on our server (the print server is on another server)
>
> You sure about that?
> Did you remove it after installation of the OS, because it is installed
> as standard.
>
>> * resolv.conf is good.
>>
>> * I read the documentation here https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller [1], and I can't find where it says to modify nsswitch.conf on a server which is ONLY a domain controller. We have modified it on another Ubuntu server (the domain member) as described here https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server [2]
>>
>> * We do not have iTunes installed on our PCs.
>>
>> When this problem occurs, no computer can authenticate in the domain (we actually have 170 PCs in the domain and it will soon grow to 700). The only solution is to restart samba. I can NOT reproduce the problem: I have to wait until it occurs. This authentication problem has happened 7 times from 04/06/2015 until now.
>
> Then it is probably not a Samba problem, can you change the log level to
> 10 and then see if something pops up.
>
> I take it that you just use the DC for authentication and no files are
> served from it (as an aside, you really should have at least two DCs,
> especially if you are planning to grow the domain), if this is the case,
> you do not need the nsswitch changes.
>
> Have you looked in the event logs of a PC when it cannot authenticate?
>
> Rowland

Links:
------
[1] https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
[2] https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
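
The host-side checks raised in this thread (a domain under .local, a resolv.conf whose search line and first nameserver point at the DC, and whether an avahi-daemon process is actually running as opposed to only the libavahi-* libraries being installed), gathered into one read-only script. This is an added example, not code from any poster or from the Samba project; the function names, the sample file and the 192.0.2.10 address are constructed assumptions. The nsswitch.conf check is left out because the thread states it is not needed on a DC that only authenticates.

```shell
#!/bin/sh
# Added example: read-only checks for the settings questioned in this thread.
# Function names and sample values are constructed for illustration.

# True when the DNS domain ends in .local, the suffix mDNS (Avahi) also claims.
uses_mdns_suffix() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.local|*.local.) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the first "nameserver" entry in resolv.conf ($1) is the DC's IP ($2).
first_nameserver_is() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "$2" ]
}

# True when a "search" or "domain" line in resolv.conf ($1) lists the domain ($2).
search_lists_domain() {
    awk -v d="$2" '$1 == "search" || $1 == "domain" {
        for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) found = 1
    } END { exit !found }' "$1"
}

# True when an avahi-daemon process exists; libavahi-* packages alone do not count.
avahi_running() {
    pgrep -x avahi-daemon >/dev/null 2>&1
}

# usage: audit_dc <resolv.conf path> <dns domain> <dc ip>
# Prints one line per finding and returns the number of findings.
audit_dc() {
    n=0
    uses_mdns_suffix "$2" && { echo "WARN: $2 uses the mDNS .local suffix"; n=$((n + 1)); }
    first_nameserver_is "$1" "$3" || { echo "WARN: first nameserver is not $3"; n=$((n + 1)); }
    search_lists_domain "$1" "$2" || { echo "WARN: no search entry for $2"; n=$((n + 1)); }
    avahi_running && { echo "WARN: avahi-daemon is running"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample using the thread's anonymised domain and a documentation IP.
sample=$(mktemp)
printf 'search dctest.local\nnameserver 192.0.2.10\n' > "$sample"
audit_dc "$sample" dctest.local 192.0.2.10 || echo "findings: $?"
rm -f "$sample"
```

On a real DC, call `audit_dc /etc/resolv.conf <your AD DNS domain> <DC IP>`; the script only reads files and the process table.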