Guy-Laurent Subri
2015-Oct-28 13:03 UTC
[Samba] net ads info: failed to get server's current time
On Wed, Oct 28, 2015 at 10:32:31AM +0000, Rowland Penny wrote:
> On 28/10/15 10:09, Guy-Laurent Subri wrote:
>
>> My version of Samba is 4.1.17. I don't think this changes anything, but
>> I can try to upgrade if needed.
>
> OK, looks like you are running Debian, either wheezy using backports or
> Jessie and my old DC is running wheezy and net ads info works on that.
>
>> Here are the files:
>>
>> /etc/ntp.conf
>> -------------
>> driftfile /var/lib/ntp/ntp.drift
>> ntpsigndsocket /var/lib/samba/ntp_signd
>>
>> statsdir /var/log/ntpstats/
>>
>> server 0.ch.pool.ntp.org
>> server 1.ch.pool.ntp.org
>> server 2.ch.pool.ntp.org
>> server 3.ch.pool.ntp.org
>>
>> restrict -4 default kod notrap nomodify nopeer noquery mssntp
>> restrict -6 default kod notrap nomodify nopeer noquery mssntp
>>
>> restrict 127.0.0.1
>> restrict ::1
>>
>> restrict 0.ch.pool.ntp.org mask 255.255.255 nomodify notrap nopeer
>> noquery
>>
>> broadcast 192.168.123.255
>>
>
> I would suggest that you either remove the last 3 'server' lines or add
> another 3 'restrict' lines to cover them.
>
>> /etc/bind/named.conf
>> --------------------
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> include "/var/lib/samba/private/named.conf";
>>
>> /etc/bind/named.conf.options
>> ----------------------------
>> options {
>> directory "/var/cache/bind";
>>
>> forwarders {
>> 192.168.1.185;
>> };
>
> What is the forwarder ?

I deleted the forwarder as we don't need it anymore. Thanks for reminding me it was there!

>> dnssec-validation auto;
>>
>> auth-nxdomain no;
>> allow-query { localhost; any; };
>> listen-on port 53 { 127.0.0.1; 192.168.1.17; };
>> listen-on-v6 { any; };
>> };
>>
>> /etc/bind/named.conf.local
>> --------------------------
>> is empty
>>
>> /etc/bind/named.conf.default-zones
>> ----------------------------------
>> zone "." {
>> type hint;
>> file "/etc/bind/db.root";
>> };
>>
>> zone "localhost" {
>> type master;
>> file "/etc/bind/db.local";
>> };
>>
>> zone "127.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.127";
>> };
>>
>> zone "0.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.0";
>> };
>>
>> zone "255.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.255";
>> };
>>
>> /var/lib/samba/private/named.conf
>> ---------------------------------
>> zone "trs-ch.com." IN {
>> type master;
>> file "/var/lib/samba/private/dns/trs-ch.com.zone";
>> include "/var/lib/samba/private/named.conf.update";
>> check-names ignore;
>> };
>
> This is wrong, /var/lib/samba/private/named.conf should be:
>
> dlz "AD DNS Zone" {
>     # For BIND 9.8.0
>     #database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
>
>     # For BIND 9.9.0
>     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
> };

Ok. I tried this but I've got an error:

samba_dlz: Unable to get basedn for /var/lib/samba/private/dns/sam.ldb - NULL Base DN invalid for a base search

>>
>> resolv.conf
>> -----------
>> search trs-ch.com
>> nameserver 192.168.1.17
>> nameserver 192.168.1.7
>>
>
> What is the second nameserver ? if it is a second DC, swap them around,
> otherwise remove it.

It's another DC, but not for the same realm. I swapped them.

>> krb5.conf
>> ---------
>> [libdefaults]
>> default_realm = TRS-CH.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> [realms]
>> TRS-CH.COM = {
>> kdc = 192.168.1.17
>> admin_server = 192.168.1.17
>> default_domain = trs-ch.com
>> }
>> [TRS-CH.COM]
>> .trs-ch.com = TRS-CH.COM
>> trs.ch.com
>> TRS-CH.COM
>>
>
> You only need this in /etc/krb5.conf
>
> [libdefaults]
> default_realm = TRS-CH.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true

Ok, I modified it accordingly.

Do you know why I have this error ? BTW, sam.ldb is owned by root:root and is set to rw for user and none to group and world, is this ok ?

Thanks again,
Guy-Laurent
Rowland Penny
2015-Oct-28 13:25 UTC
[Samba] net ads info: failed to get server's current time
On 28/10/15 13:03, Guy-Laurent Subri wrote:
> On Wed, Oct 28, 2015 at 10:32:31AM +0000, Rowland Penny wrote:
>> On 28/10/15 10:09, Guy-Laurent Subri wrote:
>>
>>> My version of Samba is 4.1.17. I don't think this changes anything, but
>>> I can try to upgrade if needed.
>>
>> OK, looks like you are running Debian, either wheezy using backports or
>> Jessie and my old DC is running wheezy and net ads info works on that.
>>
>>> Here are the files:
>>>
>>> /etc/ntp.conf
>>> -------------
>>> driftfile /var/lib/ntp/ntp.drift
>>> ntpsigndsocket /var/lib/samba/ntp_signd
>>>
>>> statsdir /var/log/ntpstats/
>>>
>>> server 0.ch.pool.ntp.org
>>> server 1.ch.pool.ntp.org
>>> server 2.ch.pool.ntp.org
>>> server 3.ch.pool.ntp.org
>>>
>>> restrict -4 default kod notrap nomodify nopeer noquery mssntp
>>> restrict -6 default kod notrap nomodify nopeer noquery mssntp
>>>
>>> restrict 127.0.0.1
>>> restrict ::1
>>>
>>> restrict 0.ch.pool.ntp.org mask 255.255.255 nomodify notrap nopeer
>>> noquery
>>>
>>> broadcast 192.168.123.255
>>>
>>
>> I would suggest that you either remove the last 3 'server' lines or add
>> another 3 'restrict' lines to cover them.
>>
>>> /etc/bind/named.conf
>>> --------------------
>>> include "/etc/bind/named.conf.options";
>>> include "/etc/bind/named.conf.local";
>>> include "/etc/bind/named.conf.default-zones";
>>> include "/var/lib/samba/private/named.conf";
>>>
>>> /etc/bind/named.conf.options
>>> ----------------------------
>>> options {
>>> directory "/var/cache/bind";
>>>
>>> forwarders {
>>> 192.168.1.185;
>>> };
>>
>> What is the forwarder ?
>
> I deleted the forwarder as we don't need it anymore. Thanks for
> reminding me it was there!

If you are running Samba4 as an AD DC with bind9, then you do need the forwarder, so make sure you have one and it must be one outside the Samba4 domain that resolves the rest of the internet.

>>> dnssec-validation auto;
>>>
>>> auth-nxdomain no;
>>> allow-query { localhost; any; };
>>> listen-on port 53 { 127.0.0.1; 192.168.1.17; };
>>> listen-on-v6 { any; };
>>> };
>>>
>>> /etc/bind/named.conf.local
>>> --------------------------
>>> is empty
>>>
>>> /etc/bind/named.conf.default-zones
>>> ----------------------------------
>>> zone "." {
>>> type hint;
>>> file "/etc/bind/db.root";
>>> };
>>>
>>> zone "localhost" {
>>> type master;
>>> file "/etc/bind/db.local";
>>> };
>>>
>>> zone "127.in-addr.arpa" {
>>> type master;
>>> file "/etc/bind/db.127";
>>> };
>>>
>>> zone "0.in-addr.arpa" {
>>> type master;
>>> file "/etc/bind/db.0";
>>> };
>>>
>>> zone "255.in-addr.arpa" {
>>> type master;
>>> file "/etc/bind/db.255";
>>> };
>>>
>>> /var/lib/samba/private/named.conf
>>> ---------------------------------
>>> zone "trs-ch.com." IN {
>>> type master;
>>> file "/var/lib/samba/private/dns/trs-ch.com.zone";
>>> include "/var/lib/samba/private/named.conf.update";
>>> check-names ignore;
>>> };
>>
>> This is wrong, /var/lib/samba/private/named.conf should be:
>>
>> dlz "AD DNS Zone" {
>>     # For BIND 9.8.0
>>     #database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
>>
>>     # For BIND 9.9.0
>>     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>> };
>
> Ok. I tried this but I've got an error:
>
> samba_dlz: Unable to get basedn for /var/lib/samba/private/dns/sam.ldb
> - NULL Base DN invalid for a base search

OK, how did you provision Samba4 ?
Does /var/lib/samba/private/dns/sam.ldb exist ? If it does (and it should) it should belong to root:bind with 0660 permissions (-rw-rw----)

>>>
>>> resolv.conf
>>> -----------
>>> search trs-ch.com
>>> nameserver 192.168.1.17
>>> nameserver 192.168.1.7
>>>
>>
>> What is the second nameserver ? if it is a second DC, swap them around,
>> otherwise remove it.
>
> It's another DC, but not for the same realm. I swapped them.

Remove it, your DC should only ask other DCs in its own domain for DNS info.

>>> krb5.conf
>>> ---------
>>> [libdefaults]
>>> default_realm = TRS-CH.COM
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>> [realms]
>>> TRS-CH.COM = {
>>> kdc = 192.168.1.17
>>> admin_server = 192.168.1.17
>>> default_domain = trs-ch.com
>>> }
>>> [TRS-CH.COM]
>>> .trs-ch.com = TRS-CH.COM
>>> trs.ch.com
>>> TRS-CH.COM
>>>
>>
>> You only need this in /etc/krb5.conf
>>
>> [libdefaults]
>> default_realm = TRS-CH.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>
> Ok, I modified it accordingly.
>
> Do you know why I have this error ? BTW, sam.ldb is owned by root:root
> and is set to rw for user and none to group and world, is this ok ?

If you are talking about /var/lib/samba/private/sam.ldb then this is correct.

Rowland

>
> Thanks again,
> Guy-Laurent
>
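The three checks Rowland asks for in this reply (each pool `server` covered by its own `restrict` line, no nameserver from another realm in resolv.conf, and `root:bind` 0660 on the DLZ copy of sam.ldb) are easy to get wrong by eye, so here is a small audit script that runs them. This is an added example, not code from the thread or from the Samba project. The sample ntp.conf and resolv.conf are constructed to mirror the files posted in the thread, the set of in-domain DC addresses (`DOMAIN_DC_ADDRS`) and the expected owner, group and mode are taken from the reply and are assumptions the script cannot discover on its own, and `perms_of` is a hypothetical helper for running the permission check on a live DC.

```python
"""Audit the config fragments discussed in this thread for a Samba AD DC
that uses BIND9 with the DLZ module.

Added example, not code from the thread or from Samba. The sample configs
are constructed; DOMAIN_DC_ADDRS and the expected root:bind 0660 are taken
from Rowland's reply and are assumptions here.
"""

# Assumed from the thread: the only DC serving this realm.
DOMAIN_DC_ADDRS = {"192.168.1.17"}


def ntp_servers_without_restrict(ntp_conf):
    """Return the 'server' targets that have no 'restrict <target>' line.

    The advice in the thread is to either drop the extra pool servers or
    give each one its own restrict line; this lists the ones still missing.
    Comments (#) and blank lines are ignored.
    """
    servers, restricted = [], set()
    for raw in ntp_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "server" and len(words) > 1:
            servers.append(words[1])
        elif words[0] == "restrict" and len(words) > 1:
            # 'restrict -4 default ...' / 'restrict -6 default ...' carry an
            # address-family flag before the target; skip it.
            if words[1] in ("-4", "-6") and len(words) > 2:
                restricted.add(words[2])
            else:
                restricted.add(words[1])
    return [s for s in servers if s not in restricted]


def foreign_nameservers(resolv_conf, domain_dc_addrs):
    """Return resolv.conf nameservers that are not DCs of this domain.

    A DC should only ask itself or other DCs of its own domain for DNS;
    a DC of a different realm listed here is what the reply says to remove.
    """
    found = []
    for raw in resolv_conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 2 and words[0] == "nameserver":
            if words[1] not in domain_dc_addrs:
                found.append(words[1])
    return found


def dlz_sam_ldb_perms_ok(owner, group, mode):
    """True when the dns/sam.ldb copy is owned root:bind with mode 0660.

    The bind:bind 0664 the poster later reports fails this check: wrong
    owner, and the database readable by every local user.
    """
    return owner == "root" and group == "bind" and (mode & 0o777) == 0o660


def perms_of(path):
    """Hypothetical helper for a live DC: owner name, group name and mode of
    a real file. Not used by the offline samples below."""
    import os, pwd, grp
    st = os.stat(path)
    return pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name, st.st_mode


# Constructed samples modelled on the files posted in the thread.
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/samba/ntp_signd
server 0.ch.pool.ntp.org
server 1.ch.pool.ntp.org
server 2.ch.pool.ntp.org
server 3.ch.pool.ntp.org
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp
restrict 127.0.0.1
restrict ::1
restrict 0.ch.pool.ntp.org nomodify notrap nopeer noquery
"""

SAMPLE_RESOLV_CONF = """\
search trs-ch.com
nameserver 192.168.1.17
nameserver 192.168.1.7
"""


def audit():
    """Run all three checks on the constructed samples and return the findings."""
    return {
        "ntp_servers_without_restrict": ntp_servers_without_restrict(SAMPLE_NTP_CONF),
        "foreign_nameservers": foreign_nameservers(SAMPLE_RESOLV_CONF, DOMAIN_DC_ADDRS),
        # The state the poster reports for /var/lib/samba/private/dns/sam.ldb.
        "dns_sam_ldb_ok": dlz_sam_ldb_perms_ok("bind", "bind", 0o664),
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name}: {result}")
```

On a real DC you would feed the functions the contents of /etc/ntp.conf and /etc/resolv.conf and call `dlz_sam_ldb_perms_ok(*perms_of("/var/lib/samba/private/dns/sam.ldb"))`; the samples above reproduce the thread's situation, where three pool servers lack restrict lines, 192.168.1.7 is a DC of another realm, and the DLZ database is bind:bind 0664.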
Guy-Laurent Subri
2015-Oct-28 13:43 UTC
[Samba] net ads info: failed to get server's current time
On Wed, Oct 28, 2015 at 01:25:33PM +0000, Rowland Penny wrote:
> On 28/10/15 13:03, Guy-Laurent Subri wrote:
>> On Wed, Oct 28, 2015 at 10:32:31AM +0000, Rowland Penny wrote:
>>> On 28/10/15 10:09, Guy-Laurent Subri wrote:
>>>
>>>> My version of Samba is 4.1.17. I don't think this changes anything, but
>>>> I can try to upgrade if needed.
>>>
>>> OK, looks like you are running Debian, either wheezy using backports or
>>> Jessie and my old DC is running wheezy and net ads info works on that.
>>>
>>>> Here are the files:
>>>>
>>>> /etc/ntp.conf
>>>> -------------
>>>> driftfile /var/lib/ntp/ntp.drift
>>>> ntpsigndsocket /var/lib/samba/ntp_signd
>>>>
>>>> statsdir /var/log/ntpstats/
>>>>
>>>> server 0.ch.pool.ntp.org
>>>> server 1.ch.pool.ntp.org
>>>> server 2.ch.pool.ntp.org
>>>> server 3.ch.pool.ntp.org
>>>>
>>>> restrict -4 default kod notrap nomodify nopeer noquery mssntp
>>>> restrict -6 default kod notrap nomodify nopeer noquery mssntp
>>>>
>>>> restrict 127.0.0.1
>>>> restrict ::1
>>>>
>>>> restrict 0.ch.pool.ntp.org mask 255.255.255 nomodify notrap nopeer
>>>> noquery
>>>>
>>>> broadcast 192.168.123.255
>>>>
>>>
>>> I would suggest that you either remove the last 3 'server' lines or add
>>> another 3 'restrict' lines to cover them.
>>>
>>>> /etc/bind/named.conf
>>>> --------------------
>>>> include "/etc/bind/named.conf.options";
>>>> include "/etc/bind/named.conf.local";
>>>> include "/etc/bind/named.conf.default-zones";
>>>> include "/var/lib/samba/private/named.conf";
>>>>
>>>> /etc/bind/named.conf.options
>>>> ----------------------------
>>>> options {
>>>> directory "/var/cache/bind";
>>>>
>>>> forwarders {
>>>> 192.168.1.185;
>>>> };
>>>
>>> What is the forwarder ?
>> I deleted the forwarder as we don't need it anymore. Thanks for
>> reminding me it was there!
>
> If you are running Samba4 as an AD DC with bind9, then you do need the
> forwarder, so make sure you have one and it must be one outside the
> Samba4 domain that resolves the rest of the internet.
>
>>>> dnssec-validation auto;
>>>>
>>>> auth-nxdomain no;
>>>> allow-query { localhost; any; };
>>>> listen-on port 53 { 127.0.0.1; 192.168.1.17; };
>>>> listen-on-v6 { any; };
>>>> };
>>>>
>>>> /etc/bind/named.conf.local
>>>> --------------------------
>>>> is empty
>>>>
>>>> /etc/bind/named.conf.default-zones
>>>> ----------------------------------
>>>> zone "." {
>>>> type hint;
>>>> file "/etc/bind/db.root";
>>>> };
>>>>
>>>> zone "localhost" {
>>>> type master;
>>>> file "/etc/bind/db.local";
>>>> };
>>>>
>>>> zone "127.in-addr.arpa" {
>>>> type master;
>>>> file "/etc/bind/db.127";
>>>> };
>>>>
>>>> zone "0.in-addr.arpa" {
>>>> type master;
>>>> file "/etc/bind/db.0";
>>>> };
>>>>
>>>> zone "255.in-addr.arpa" {
>>>> type master;
>>>> file "/etc/bind/db.255";
>>>> };
>>>>
>>>> /var/lib/samba/private/named.conf
>>>> ---------------------------------
>>>> zone "trs-ch.com." IN {
>>>> type master;
>>>> file "/var/lib/samba/private/dns/trs-ch.com.zone";
>>>> include "/var/lib/samba/private/named.conf.update";
>>>> check-names ignore;
>>>> };
>>>
>>> This is wrong, /var/lib/samba/private/named.conf should be:
>>>
>>> dlz "AD DNS Zone" {
>>>     # For BIND 9.8.0
>>>     #database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
>>>
>>>     # For BIND 9.9.0
>>>     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>>> };
>> Ok. I tried this but I've got an error:
>> samba_dlz: Unable to get basedn for /var/lib/samba/private/dns/sam.ldb
>> - NULL Base DN invalid for a base search
>
> OK, how did you provision Samba4 ?
> Does /var/lib/samba/private/dns/sam.ldb exist ? If it does (and it
> should) it should belong to root:bind with 0660 permissions (-rw-rw----)

I don't remember how I provisioned Samba exactly, but I'm sure I provisioned with BIND9 instead of internal DNS.
The file exists but is bind:bind with 0664.

>>>>
>>>> resolv.conf
>>>> -----------
>>>> search trs-ch.com
>>>> nameserver 192.168.1.17
>>>> nameserver 192.168.1.7
>>>>
>>>
>>> What is the second nameserver ? if it is a second DC, swap them around,
>>> otherwise remove it.
>> It's another DC, but not for the same realm. I swapped them.
>
> Remove it, your DC should only ask other DCs in its own domain for DNS info.

Ok, done. Why is it a problem if my DC asks for DNS info in another domain ?

>>>> krb5.conf
>>>> ---------
>>>> [libdefaults]
>>>> default_realm = TRS-CH.COM
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>> [realms]
>>>> TRS-CH.COM = {
>>>> kdc = 192.168.1.17
>>>> admin_server = 192.168.1.17
>>>> default_domain = trs-ch.com
>>>> }
>>>> [TRS-CH.COM]
>>>> .trs-ch.com = TRS-CH.COM
>>>> trs.ch.com
>>>> TRS-CH.COM
>>>>
>>>
>>> You only need this in /etc/krb5.conf
>>>
>>> [libdefaults]
>>> default_realm = TRS-CH.COM
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>
>> Ok, I modified it accordingly.
>>
>> Do you know why I have this error ? BTW, sam.ldb is owned by root:root
>> and is set to rw for user and none to group and world, is this ok ?
>
> If you are talking about /var/lib/samba/private/sam.ldb then this is correct.

I was, but I misread the path.

Guy-Laurent