Oliver Freyd
2016-Mar-25 14:15 UTC
[Samba] interdomain trust broken after upgrade to 4.1.17
Hi samba folks,

I'm running an NT4-style samba PDC and 2 BDCs. They are all on
samba 3.6.25 (the SERNET packages on debian wheezy).

I have a domain trust with another server on another subnet,
I think they run samba 3.5, also an NT4-style domain.

Everything ran fine, they can log in to our machines and vice versa,
winbind can resolve their usernames etc.

Now I upgraded the PDC to debian jessie, and the samba to 4.1.17.

Everything seems to be fine, except the domain trust.

winbind does not list their users, wbinfo -u only shows my users,
not the other domain.

This is the output of
net rpc trustdom list -U netzadmin
Enter netzadmin's password:
Trusted domains list:

TESTDOM              S-1-5-21-4290508083-233918025-494574875
TASCON               S-1-5-21-917896259-2246452459-4243388401

Trusting domains list:

Unable to find a suitable server for domain TASCON
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
TASCON               couldn't get domain's sid
Unable to find a suitable server for domain TESTDOM
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
TESTDOM              couldn't get domain's sid

(TESTDOM was a test domain I used to set up this domain trust thingie,
it is offline, but TASCON should work.)

The same thing on a BDC that was not upgraded:

net rpc trustdom list -U netzadmin
Enter netzadmin's password:
Trusted domains list:

TESTDOM              S-1-5-21-4290508083-233918025-494574875
TASCON               S-1-5-21-917896259-2246452459-4243388401

Trusting domains list:

TASCON               S-1-5-21-917896259-2246452459-4243388401
Unable to find a suitable server for domain TESTDOM
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
TESTDOM              couldn't get domain's sid

So that machine finds the trusting domain.

Raising the debug level shows samba 4.1.17 somehow can't find the
domain controller of the trusting domain TASCON:

....
no entry for TASCON#1B found.
name_resolve_bcast: Attempting broadcast lookup for name TASCON<0x1b>
S
...

I suppose it is looking in gencache.tdb for TASCON#1B and then it
tries a broadcast that fails because that domain is on another subnet.

Strangely, using nmblookup succeeds:
nmblookup -U localhost -R TASCON#1b
WARNING: The "enable privileges" option is deprecated
added interface eth0 ip=192.168.0.250 bcast=192.168.0.255 netmask=255.255.255.0
querying TASCON on 127.0.0.1
Got a positive name query response from 127.0.0.1 ( 192.168.128.1 )
192.168.128.1 TASCON<1b>

So I'm somewhat at a loss here.
Any ideas of where I could dig into to fix this, if it is a
misconfiguration or a bug in samba?

Thanks in advance,

Oliver Freyd

-------------- next part --------------
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter netbios name = sambapdc
doing parameter os level = 100
doing parameter preferred master = yes
doing parameter local master = yes
doing parameter domain master = yes
doing parameter domain logons = yes
doing parameter workgroup = IONTOF
doing parameter server string = %h
doing parameter wins support = yes
doing parameter dns proxy = no
doing parameter remote browse sync = 192.168.128.1
doing parameter name resolve order = wins bcast host
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter log level = 2
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter security = user
doing parameter encrypt passwords = true
doing parameter passdb backend = ldapsam:ldap://127.0.0.1
doing parameter ldap admin dn = cn=admin,dc=iontof,dc=com
doing parameter ldap suffix = dc=iontof,dc=com
doing parameter ldap machine suffix = ou=machines
doing parameter ldap user suffix = ou=users
doing parameter ldap group suffix = ou=groups
doing parameter ldap idmap suffix = ou=Idmap
doing parameter ldap delete dn = no
doing parameter enable privileges = yes
WARNING: The "enable privileges" option is deprecated
doing parameter ldap password sync = yes
doing parameter ldap ssl = no
doing parameter ldap timeout = 20
doing parameter idmap config * : backend = ldap
doing parameter idmap config * : range = 30000-40000
doing parameter idmap config * : ldap_url = ldap://localhost/
doing parameter idmap config * : ldap_base_dn = ou=Idmap,dc=iontof,dc=com
doing parameter idmap config * : ldap_user_dn = cn=admin,dc=iontof,dc=com
doing parameter idmap config IONTOF : backend = nss
doing parameter idmap config IONTOF : range = 1000-9999
doing parameter winbind nested groups = Yes
doing parameter ea support = Yes
doing parameter map acl inherit = Yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter logon path =
doing parameter logon script = scripts\logon.cmd
doing parameter add user script = /usr/sbin/smbldap-useradd -m '%u'
doing parameter add group script = /usr/sbin/smbldap-groupadd '%g'
doing parameter add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
doing parameter set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
doing parameter add machine script = /usr/sbin/smbldap-useradd -w '%u'
doing parameter add machine script = /usr/sbin/smbldap-useradd -w "%u"
doing parameter add share command = /usr/local/sbin/modify_samba_config.pl
doing parameter username map = /etc/samba/smbusers
doing parameter printing = lprng
doing parameter printcap name = /etc/printcap
doing parameter socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter winbind enum groups = yes
doing parameter winbind enum users = yes
doing parameter winbind trusted domains only = yes
doing parameter obey pam restrictions = yes
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="SAMBAPDC"
added interface eth0 ip=192.168.0.250 bcast=192.168.0.255 netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
name IONTOF#1B found.
namecache_status_fetch: key NBT/IONTOF#1B.20.192.168.0.250 -> SAMBAPDC
Enter netzadmin's password:
Connecting to 192.168.0.250 at port 445
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 16
  IPTOS_THROUGHPUT = 16
  SO_REUSEPORT = 0
  SO_SNDBUF = 16384
  SO_RCVBUF = 16384
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  SO_SNDTIMEO = 0
  SO_RCVTIMEO = 0
  TCP_QUICKACK = 1
  TCP_DEFER_ACCEPT = 0
Doing spnego session setup (blob length=74)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Bind RPC Pipe: host SAMBAPDC auth_type 0, auth_level 1
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 32
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 84
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 160
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 32
Bind RPC Pipe: host SAMBAPDC auth_type 0, auth_level 1
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 32
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 32
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 116
no entry for TASCON#1B found.
name_resolve_bcast: Attempting broadcast lookup for name TASCON<0x1b>
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 1
  SO_BROADCAST = 1
Could not test socket option TCP_NODELAY.
Could not test socket option TCP_KEEPCNT.
Could not test socket option TCP_KEEPIDLE.
Could not test socket option TCP_KEEPINTVL.
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 1
  SO_SNDBUF = 212992
  SO_RCVBUF = 212992
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  SO_SNDTIMEO = 0
  SO_RCVTIMEO = 0
Could not test socket option TCP_QUICKACK.
Could not test socket option TCP_DEFER_ACCEPT.
samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x7fb0bdf99b50] mpx_fde[(nil)] fd[14] - disabling
resolve_hosts: not appropriate for name type <0x1b>
Unable to resolve PDC server address
Unable to find a suitable server for domain TASCON
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
no entry for TESTDOM#1B found.
name_resolve_bcast: Attempting broadcast lookup for name TESTDOM<0x1b>
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 1
  SO_BROADCAST = 1
Could not test socket option TCP_NODELAY.
Could not test socket option TCP_KEEPCNT.
Could not test socket option TCP_KEEPIDLE.
Could not test socket option TCP_KEEPINTVL.
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 1
  SO_SNDBUF = 212992
  SO_RCVBUF = 212992
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  SO_SNDTIMEO = 0
  SO_RCVTIMEO = 0
Could not test socket option TCP_QUICKACK.
Could not test socket option TCP_DEFER_ACCEPT.
samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x7fb0bdf99b50] mpx_fde[(nil)] fd[14] - disabling
resolve_hosts: not appropriate for name type <0x1b>
Unable to resolve PDC server address
Unable to find a suitable server for domain TESTDOM
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 32
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 32
return code = 0
Freeing parametrics:
Trusted domains list:

TESTDOM              S-1-5-21-4290508083-233918025-494574875
TASCON               S-1-5-21-917896259-2246452459-4243388401

Trusting domains list:

TASCON               couldn't get domain's sid
TESTDOM              couldn't get domain's sid
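An added diagnostic for reading the level-5 output above (not part of the post and not Samba's own tooling): for each #1B lookup it records whether the name came from gencache, which resolvers of `name resolve order` left a trace in the log, and which configured ones never appear, so the gap between the configured order (wins bcast host) and the observed attempts (bcast, host) is visible at a glance. The sample lines are constructed from the post; the `resolve_lmhosts` and `resolve_wins` markers are assumed names and may need adjusting for a given Samba release.

```python
import re

# Constructed sample: abridged from the level-5 `net rpc trustdom list` output quoted above.
SAMPLE_LOG = """\
doing parameter name resolve order = wins bcast host
name IONTOF#1B found.
namecache_status_fetch: key NBT/IONTOF#1B.20.192.168.0.250 -> SAMBAPDC
no entry for TASCON#1B found.
name_resolve_bcast: Attempting broadcast lookup for name TASCON<0x1b>
resolve_hosts: not appropriate for name type <0x1b>
Unable to resolve PDC server address
no entry for TESTDOM#1B found.
name_resolve_bcast: Attempting broadcast lookup for name TESTDOM<0x1b>
resolve_hosts: not appropriate for name type <0x1b>
Unable to resolve PDC server address
"""

# Log markers per `name resolve order` method.  bcast and host appear in the post;
# lmhosts and wins are assumptions (libsmb resolver function names).
METHOD_MARKERS = [
    ("lmhosts", re.compile(r"resolve_lmhosts")),
    ("wins", re.compile(r"resolve_wins")),
    ("bcast", re.compile(r"name_resolve_bcast")),
    ("host", re.compile(r"resolve_hosts")),
]

def analyse(log):
    """Return (configured order, {domain: {"cached", "attempted", "resolved"}})."""
    order, domains, current = [], {}, None
    for line in log.splitlines():
        m = re.match(r"doing parameter name resolve order = (.+)", line)
        if m:
            order = m.group(1).split()
            continue
        # Each #1B (domain master browser) lookup opens with a gencache hit or miss.
        m = re.match(r"(no entry for |name )(\w+)#1B found\.", line)
        if m:
            current, hit = m.group(2), m.group(1) == "name "
            domains[current] = {"cached": hit, "attempted": [], "resolved": hit}
            continue
        if current is None:
            continue
        for method, pat in METHOD_MARKERS:
            if pat.search(line) and method not in domains[current]["attempted"]:
                domains[current]["attempted"].append(method)
        if line.startswith("Unable to resolve PDC server address"):
            domains[current]["resolved"] = False
    return order, domains

def skipped_methods(order, entry):
    """Configured methods with no trace in the log for a cache-miss domain."""
    return [] if entry["cached"] else [m for m in order if m not in entry["attempted"]]

def report(log):
    """One line per domain: outcome, resolvers seen, resolvers configured but absent."""
    out = []
    order, domains = analyse(log)
    for name, e in domains.items():
        state = "gencache hit" if e["cached"] else ("resolved" if e["resolved"] else "FAILED")
        skipped = skipped_methods(order, e)
        line = f"{name}#1B: {state}; tried {e['attempted'] or 'nothing'}"
        out.append(line + (f"; configured but never tried: {skipped}" if skipped else ""))
    return out
```

Run it over a full level-5 capture (`net rpc trustdom list -d 5`) rather than the abridged sample to see every trusted domain's lookup path.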
Rowland penny
2016-Mar-25 15:25 UTC
[Samba] interdomain trust broken after upgrade to 4.1.17
On 25/03/16 14:15, Oliver Freyd wrote:
> Hi samba folks,
>
> I'm running an NT4-style samba PDC and 2 BDCs. They are all on
> samba 3.6.25 (the SERNET packages on debian wheezy)
>
> I have a domain trust with another server on another subnet,
> I think they run samba 3.5, also NT4-style domain.
>
> Everything ran fine, they can log in to our machines and vice versa,
> winbind can resolve their usernames etc.
>
> Now I upgraded the PDC to debian jessie, and the samba to 4.1.17.
>
> Everything seems to be fine, except the domain trust.
>
> winbind does not list their users, wbinfo -u only shows my users,
> not the other domain.
>
> this is the output of
> net rpc trustdom list -U netzadmin
> Enter netzadmin's password:
> Trusted domains list:
>
> TESTDOM              S-1-5-21-4290508083-233918025-494574875
> TASCON               S-1-5-21-917896259-2246452459-4243388401
>
> Trusting domains list:
>
> Unable to find a suitable server for domain TASCON
> domain controller is not responding: NT_STATUS_UNSUCCESSFUL
> TASCON               couldn't get domain's sid
> Unable to find a suitable server for domain TESTDOM
> domain controller is not responding: NT_STATUS_UNSUCCESSFUL
> TESTDOM              couldn't get domain's sid
>
> (TESTDOM was a test domain I used to set up this domain trust thingie,
> it is offline, but TASCON should work.
>
> the same thing on a BDC that was not upgraded:
>
> net rpc trustdom list -U netzadmin
> Enter netzadmin's password:
> Trusted domains list:
>
> TESTDOM              S-1-5-21-4290508083-233918025-494574875
> TASCON               S-1-5-21-917896259-2246452459-4243388401
>
> Trusting domains list:
>
> TASCON               S-1-5-21-917896259-2246452459-4243388401
> Unable to find a suitable server for domain TESTDOM
> domain controller is not responding: NT_STATUS_UNSUCCESSFUL
> TESTDOM              couldn't get domain's sid
>
> So that machine finds the trusting domain.
>
> raising the debug level shows samba 4.1.17 somehow can't find the
> domain controller of the trusting domain TASCON:
>
> ....
> no entry for TASCON#1B found.
> name_resolve_bcast: Attempting broadcast lookup for name TASCON<0x1b>
> S
> ...
> I suppose it is looking in gencache.tdb for TASCON#1B and then it
> tries a broadcast that fails because that domain is on another subnet.
>
> Strangely, using nmblookup succeeds:
> nmblookup -U localhost -R TASCON#1b
> WARNING: The "enable privileges" option is deprecated
> added interface eth0 ip=192.168.0.250 bcast=192.168.0.255
> netmask=255.255.255.0
> querying TASCON on 127.0.0.1
> Got a positive name query response from 127.0.0.1 ( 192.168.128.1 )
> 192.168.128.1 TASCON<1b>
>
> So I'm somewhat at a loss here.
> Any ideas of where I could dig into to fix this, if it is a
> misconfiguration or a bug in samba?
>
> Thanks in advance,
>
> Oliver Freyd
>

Can you post your smb.conf ?

Rowland
Oliver Freyd
2016-Mar-25 16:22 UTC
[Samba] interdomain trust broken after upgrade to 4.1.17
> Can you post your smb.conf ?
>
> Rowland
>

Here it is, thanks,

Oliver

-------------- next part --------------
#
# Samba configuration for ION-TOF sambapdc
#
#======================= Global Settings ======================
[global]
netbios name = sambapdc
os level = 100
preferred master = yes
local master = yes
domain master = yes
domain logons = yes

## Browsing/Identification ###
workgroup = IONTOF
server string = %h

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
wins support = yes
dns proxy = no

# sync my browsing tables with TASCON samba PDC, Oliver Freyd, 1.2.2013
remote browse sync = 192.168.128.1
name resolve order = wins bcast host

#### Networking ####
;interfaces = eth0 lo
; bind interfaces only = true

#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
max log size = 1000
; syslog only = no
syslog = 0
log level = 2
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d

####### Authentication #######
security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=admin,dc=iontof,dc=com
ldap suffix = dc=iontof,dc=com
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap idmap suffix = ou=Idmap
ldap delete dn = no
enable privileges = yes
ldap password sync = yes
ldap ssl = no
ldap timeout = 20
idmap config * : backend = ldap
idmap config * : range = 30000-40000
idmap config * : ldap_url = ldap://localhost/
idmap config * : ldap_base_dn = ou=Idmap,dc=iontof,dc=com
idmap config * : ldap_user_dn = cn=admin,dc=iontof,dc=com
idmap config IONTOF : backend = nss
idmap config IONTOF : range = 1000-9999
winbind nested groups = Yes
ea support = Yes
map acl inherit = Yes
; guest account = nobody
; unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
; pam password change = no

########## Domains ###########
# Is this machine able to authenticate users. Both PDC and BDC
# must have this setting enabled. If you are the BDC you must
# change the 'domain master' setting to no
#
; domain logons = yes
#logon path = \\%N\profiles\%U
# disable roaming profiles
logon path =
#logon drive = H:
#logon home = \\%L\%U
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd
logon script = scripts\logon.cmd
add user script = /usr/sbin/smbldap-useradd -m '%u'
#delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd '%g'
#delete group script = /usr/sbin/smbldap-groupdel '%u'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
#delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
add machine script = /usr/sbin/smbldap-useradd -w "%u"
#add share command = /usr/local/sbin/modify_samba_config.pl /etc/samba/imported-shares.conf %S /data/
add share command = /usr/local/sbin/modify_samba_config.pl
#add share command = /usr/bin/touch /tmp/test
username map = /etc/samba/smbusers

########## Printing ##########
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
; load printers = yes
# lpr(ng) printing. You may wish to override the location of the
# printcap file
; printing = bsd
; printcap name = /etc/printcap
# CUPS printing. See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
; printing = cups
; printcap name = cups
# When using [print$], root is implicitly a 'printer admin', but you can
# also give this right to other users to add drivers and set printer
# properties
; printer admin = @ntadmin
#to silence warnings about "unable to connect to CUPS print server"
#if you want printing, take this about and configure CUPS properly.
printing = lprng
printcap name =/etc/printcap

############ Misc ############
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
; domain master = auto
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash
;
; The following was the default behaviour in sarge
; but samba upstream reverted the default because it might induce
; performance issues in large organizations
; See #368251 for some of the consequences of *not* having
; this setting and smb.conf(5) for all details
;
winbind enum groups = yes
winbind enum users = yes
winbind trusted domains only = yes
#use pam for mk_homedir to work, auto create homedir on first login!
obey pam restrictions = yes

#======================= Share Definitions ======================
#[homes]
#
# %U is case-insensitive (converts to lowercase), %u is case-sensitive
# path = /home/%u
# comment = Home Directories
# browseable = no
# writable = yes
# read only = no
# guest ok = no
# create mask = 0700
# directory mask = 0700
# valid users = %S

[netlogon]
comment = Network Logon Share
path = /data/netlogon
guest ok = no
read only = yes
browseable = no
locking = no

[profiles]
comment = Network Profile Share
path = /data/profiles
writeable = yes
browseable = no
default case = lower
preserve case = no
short preserve case = no
case sensitive = no
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
create mask = 0600
directory mask = 0700
csc policy = disable
profile acls = Yes

[inout]
include = /etc/samba/global-share-settings.conf
comment = Testshare fuer Migration
path = /data/inout