Oliver Werner
2016-Mar-03 12:21 UTC
[Samba] Mac/Win Login after sleep mode, Sync Problem for Access Control List between DCs, AccountLock
Hi,

I have three problems in my AD. I have three DCs, four Samba members and some Mac and Windows clients.

First problem

After some time my Windows and Mac clients cannot log in with their account credentials. So I need to reboot the system and then it works fine. When the problem exists I get the following log on my DC:

[2016/03/03 12:39:10.029089, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/03/03 12:39:10.038056, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/03/03 12:39:10.042656, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:10.043148, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/03/03 12:39:10.047746, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:10.048298, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/03/03 12:39:10.126816, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/03/03 12:39:10.131704, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/03/03 12:39:10.136052, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:10.136580, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/03/03 12:39:10.142548, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:10.143076, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

Second problem

I have added deny rules for fields on the user object like personal information, street, postal code… for Domain Users in dc=hq,dc=kontrast.

On cn=Users,dc=hq,dc=kontrast I have allowed a specific user to read and write these fields for user objects.

But my DCs don't sync these changes. The first DC, where I changed it, works correctly, but DC1 and DC2 have only synced dc=hq,dc=kontrast.

Third problem

Is there a default setting for account lock in Samba 4? When I use AD in Subversion with wrong credentials, Samba will revoke the next requests. I have used "samba-tool domain password settings show" for information:

Password informations for domain 'DC=hq,DC=kontrast'

Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 16
Minimum password age (days): 90
Maximum password age (days): 100

HERE IS DC CONFIG:

more /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = HQKONTRAST
        realm = HQ.KONTRAST
        netbios name = VL0227
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        interfaces=eth0:35
        bind interfaces only=yes
        log level = 3

        kdc:service ticket lifetime = 1
        kdc:user ticket lifetime = 24
        kdc:renewal lifetime = 120

        tls enabled = yes
        tls keyfile = /var/lib/samba/private/tls/key.pem
        tls certfile = /var/lib/samba/private/tls/cert.pem
        tls cafile = /var/lib/samba/private/tls/ca.pem

[netlogon]
        path = /var/lib/samba/sysvol/hq.kontrast/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

My /etc/krb5.conf on DC0:

[libdefaults]
        default_realm = HQ.KONTRAST
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        HQ.KONTRAST = {
                kdc = vl0227.hq.kontrast
                admin_server = vl0227.hq.kontrast
        }

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/kdc.log
        admin_server = FILE:/var/log/kadmind.log

My krb5.conf on the second/third DC and the members:

[libdefaults]
        default_realm = HQ.KONTRAST
        dns_lookup_realm = false
        dns_lookup_kdc = true
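As an added illustration for the first problem (this is not code from the thread or from Samba): a Python check that parses DC log lines in the format quoted above and flags bursts of LDAP connections terminated with NT_STATUS_CONNECTION_DISCONNECTED, so a defender can see whether the client login failures coincide with a disconnect storm on the DC. The one-second window and the threshold of three are assumptions, and the sample log is a constructed subset of the lines in the message.

```python
import re
from datetime import datetime, timedelta

# Samba log header: "[YYYY/MM/DD HH:MM:SS.ffffff, level] source.c:line(function)";
# the message text itself follows on the next, indented line.
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{6}),\s*(\d+)\]\s+(\S+)\((\w+)\)"
)

# Constructed sample: a subset of the DC log quoted in the first message.
SAMPLE_LOG = """\
[2016/03/03 12:39:10.029089, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/03/03 12:39:10.042656, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:10.043148, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/03/03 12:39:10.047746, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:10.136052, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
"""

def parse_samba_log(text):
    """Return (timestamp, level, function, message) tuples, one per log entry."""
    events, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            header = (ts, int(m.group(2)), m.group(4))
        elif header and line.strip():
            events.append(header + (line.strip(),))
            header = None
    return events

def ldap_disconnect_bursts(events, window=timedelta(seconds=1), threshold=3):
    """Start times of windows holding >= threshold LDAP client disconnects (assumed defaults)."""
    stamps = [ts for ts, _level, func, msg in events
              if func == "stream_terminate_connection"
              and "NT_STATUS_CONNECTION_DISCONNECTED" in msg]
    bursts, i = [], 0
    for j, ts in enumerate(stamps):
        while ts - stamps[i] > window:
            i += 1                       # slide the window start forward
        if j - i + 1 >= threshold:
            bursts.append(stamps[i])
            i = j + 1                    # consume this window and keep scanning
    return bursts
```

Run `ldap_disconnect_bursts(parse_samba_log(open("/var/log/samba/log.samba").read()))` against a real DC log to get the start times of each burst; the single_terminate lines are ignored so each disconnect is counted once.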
L.P.H. van Belle
2016-Mar-03 16:19 UTC
[Samba] Mac/Win Login after sleep mode, Sync Problem for Access Control List between DCs, AccountLock
Commented between.. some extra info can help..

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner
> Sent: Thursday 3 March 2016 13:21
> To: samba at lists.samba.org
> Subject: [Samba] Mac/Win Login after sleep mode, Sync Problem for Access Control List between DCs, AccountLock
>
> Hi,
>
> I have three problems in my AD.
>
> I have three DCs, four Samba members and some Mac and Windows clients.
>
> First problem
>
> After some time my Windows and Mac clients cannot log in with their account
> credentials. So I need to reboot the system and then it works fine.

[L.P.H. van Belle] What are you rebooting, the server or the PCs? Both? Are the PCs always on? And did you check the time sync between server <-> client before the reboot? Have you tried increasing:

> kdc:service ticket lifetime = 1
> kdc:user ticket lifetime = 24
> kdc:renewal lifetime = 120

> When the problem exists I get the following log on my DC:
>
> [2016/03/03 12:39:10.029089, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2016/03/03 12:39:10.038056, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2016/03/03 12:39:10.042656, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/03/03 12:39:10.043148, 3] ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> [2016/03/03 12:39:10.047746, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/03/03 12:39:10.048298, 3] ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> [2016/03/03 12:39:10.126816, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2016/03/03 12:39:10.131704, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2016/03/03 12:39:10.136052, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/03/03 12:39:10.136580, 3] ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> [2016/03/03 12:39:10.142548, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/03/03 12:39:10.143076, 3] ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>
> Second problem
>
> I have added deny rules for fields on the user object like personal information,
> street, postal code… for Domain Users in dc=hq,dc=kontrast.
>
> On cn=Users,dc=hq,dc=kontrast I have allowed a specific user to read and
> write these fields for user objects.
>
> But my DCs don't sync these changes.
>
> The first DC, where I changed it, works correctly, but DC1 and DC2 have only
> synced dc=hq,dc=kontrast.

[L.P.H. van Belle] Does this involve a schema change?

> I have added deny rules for fields on the user object like personal information,

How did you do that?

> Third problem
>
> Is there a default setting for account lock in Samba 4? When I use AD in
> Subversion with wrong credentials, Samba will revoke the next requests.
>
> I have used "samba-tool domain password settings show" for information:
>
> Password informations for domain 'DC=hq,DC=kontrast'
>
> Password complexity: off
> Store plaintext passwords: off
> Password history length: 24
> Minimum password length: 16
> Minimum password age (days): 90
> Maximum password age (days): 100
>
> HERE IS DC CONFIG:
>
> more /etc/samba/smb.conf
> # Global parameters
> [global]
>         workgroup = HQKONTRAST
>         realm = HQ.KONTRAST
>         netbios name = VL0227
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         interfaces=eth0:35
>         bind interfaces only=yes
>         log level = 3
>
>         kdc:service ticket lifetime = 1
>         kdc:user ticket lifetime = 24
>         kdc:renewal lifetime = 120
>
>         tls enabled = yes
>         tls keyfile = /var/lib/samba/private/tls/key.pem
>         tls certfile = /var/lib/samba/private/tls/cert.pem
>         tls cafile = /var/lib/samba/private/tls/ca.pem
>
> [netlogon]
>         path = /var/lib/samba/sysvol/hq.kontrast/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> My /etc/krb5.conf on DC0:
>
> [libdefaults]
>         default_realm = HQ.KONTRAST
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> [realms]
>         HQ.KONTRAST = {
>                 kdc = vl0227.hq.kontrast
>                 admin_server = vl0227.hq.kontrast
>         }
>
> [logging]
>         default = FILE:/var/log/krb5libs.log
>         kdc = FILE:/var/log/kdc.log
>         admin_server = FILE:/var/log/kadmind.log
>
> My krb5.conf on the second/third DC and the members:
>
> [libdefaults]
>         default_realm = HQ.KONTRAST
>         dns_lookup_realm = false
>         dns_lookup_kdc = true