Hi list,

This is my domain environment, and all DCs are Windows 2008 R2:

http://i.imgur.com/8cNOtm2.jpeg

When I used samba-4.0.5 and joined my box to the domain "HC1", I got the trusted domain "CHILD2" in "wbinfo -m":

[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2
CHILD2

Then I upgraded my box to samba-4.4.4 and lost CHILD2 in "wbinfo -m":

[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2

In log.wb-HC2, I found the following messages:

[2016/07/26 12:02:03.981949, 5, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1594(trusted_domains)
  trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON (NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2016/07/26 12:02:03.981962, 3, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:168(winbindd_dual_list_trusted_domains)
  winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL
[2016/07/26 12:02:03.981971, 4, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1397(child_handler)

I compared Wireshark pcapng captures between samba-4.0.5 and samba-4.4.4:

samba-4.0.5:
http://i.imgur.com/ytr7oMt.jpeg

samba-4.4.4:
http://i.imgur.com/f5bYOeo.jpeg

samba-4.4.4 did not send "create netlogon", "netlogon binding" and DsrEnumerateDomainTrust, so I cannot get "CHILD2" in "wbinfo -m".

I tried to use the patch in https://bugzilla.samba.org/show_bug.cgi?id=11830

After applying this patch, samba-4.4.4 can send "create netlogon" and "netlogon binding" but fails in NetrServerAuthenticate3.

http://i.imgur.com/vI6eB5R.jpeg

And I got these messages in log.wb-HC2:

[2016/07/27 16:25:50.602158, 1, pid=18689, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3320(cm_connect_netlogon_transport)
  rpccli_setup_netlogon_creds failed for HC2, unable to setup NETLOGON credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/07/27 16:25:50.602169, 5, pid=18689, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1573(trusted_domains)
  trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON (NT_STATUS_NO_TRUST_SAM_ACCOUNT)
[2016/07/27 16:25:50.602182, 3, pid=18689, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1552(trusted_domains)
  ads: trusted_domains

Is there any suggestion that helps to configure Samba or the DC?

Should I wait for a new patch?

This is my smb.conf:

[global]
bind interfaces only = No
config backend = file
dos charset = CP850
enable core files = Yes
interfaces
multicast dns register = Yes
netbios aliases
netbios name = MYBOX
netbios scope
realm = HC1.COM
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
server string
share backend = classic
unix charset = UTF-8
workgroup = HC1
browse list = Yes
domain master = Auto
enhanced browsing = Yes
lm announce = Auto
lm interval = 60
local master = No
os level = 20
preferred master = No
allow dns updates = secure only
dns forwarder
dns update command = /usr/local/samba/sbin/samba_dnsupdate
machine password timeout = 604800
nsupdate command = /usr/bin/nsupdate -g
rndc command = /usr/sbin/rndc
spn update command = /usr/local/samba/sbin/samba_spnupdate
mangle prefix = 1
mangling method = hash2
max stat cache size = 256
stat cache = Yes
client ldap sasl wrapping = sign
ldap admin dn
ldap connection timeout = 2
ldap delete dn = No
ldap deref = auto
ldap follow referral = Auto
ldap group suffix
ldap idmap suffix
ldap machine suffix
ldap page size = 1000
ldap passwd sync = no
ldap replication sleep = 1000
ldap server require strong auth = Yes
ldap ssl = start tls
ldap ssl ads = No
ldap suffix
ldap timeout = 5
ldap user suffix
lock spin time = 200
oplock break wait time = 0
smb2 leases = No
debug class = No
debug hires timestamp = Yes
debug pid = No
debug prefix timestamp = No
debug uid = No
ldap debug level = 0
ldap debug threshold = 10
log file
logging
log level = 2
max log size = 102400
syslog = 1
syslog only = No
timestamp logs = Yes
abort shutdown script
add group script
add machine script
add user script
add user to group script
allow nt4 crypto = No
delete group script
delete user from group script
delete user script
domain logons = No
enable privileges = Yes
init logon delay = 100
init logon delayed hosts
logon drive
logon home = \\%N\%U
logon path = \\%N\%U\profile
logon script
reject md5 clients = No
set primary group script
shutdown script
add share command
afs token lifetime = 604800
afs username map
allow insecure wide links = No
async smb echo handler = No
auto services
cache directory = /share/CACHEDEV1_DATA/.samba/cache
change notify = Yes
change share command
cluster addresses
clustering = No
config file
ctdbd socket
ctdb locktime warn threshold = 0
ctdb timeout = 0
default service
delete share command
homedir map = auto.home
kernel change notify = Yes
lock directory = /share/CACHEDEV1_DATA/.samba/lock
log writeable files on exit = No
message command
nbt client socket address = 0.0.0.0
ncalrpc dir = /usr/local/samba/var/run/ncalrpc
NIS homedir = No
nmbd bind explicit broadcast = Yes
panic action
perfcount module
pid directory = /var/lock
registry shares = No
remote announce
remote browse sync
reset on zero vc = No
smbd profiling level = off
state directory = /share/CACHEDEV1_DATA/.samba/state
usershare allow guests = No
usershare max shares = 0
usershare owner only = Yes
usershare path = /usr/local/samba/var/locks/usershares
usershare prefix allow list
usershare prefix deny list
usershare template share
utmp = No
utmp directory
wtmp directory
addport command
addprinter command
cups connection timeout = 30
cups encrypt = No
cups server
deleteprinter command
disable spoolss = No
enumports command
iprint server
load printers = Yes
lpq cache time = 30
os2 driver map
printcap cache time = 0
printcap name = /etc/printcap
show add printer wizard = No
cldap port = 389
client ipc max protocol = default
client ipc min protocol = default
client max protocol = default
client min protocol = CORE
client use spnego = Yes
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
defer sharing violations = Yes
dgram port = 138
disable netbios = No
enable asu support = No
eventlog list
large readwrite = Yes
max mux = 50
max ttl = 259200
max wins ttl = 518400
max xmit = 16644
min receivefile size = 256
min wins ttl = 21600
name resolve order = lmhosts wins host bcast
nbt port = 137
nt pipe support = Yes
nt status support = Yes
read raw = Yes
rpc big endian = No
server max protocol = SMB2_02
server min protocol = LANMAN1
server multi channel support = No
smb2 max credits = 8192
smb2 max read = 8388608
smb2 max trans = 8388608
smb2 max write = 8388608
smb ports = 445 139
svcctl list
time server = No
unicode = Yes
unix extensions = No
use spnego = Yes
web port = 901
write raw = Yes
algorithmic rid base = 1000
allow dcerpc auth level connect = No
allow trusted domains = Yes
auth methods
check password script
client ipc signing = No
client lanman auth = No
client NTLMv2 auth = Yes
client plaintext auth = No
client schannel = No
client signing = No
client use spnego principal = No
dedicated keytab file
encrypt passwords = Yes
guest account = guest
kerberos method = default
kpasswd port = 464
krb5 port = 88
lanman auth = No
log nt token command
map to guest = Bad User
map untrusted to domain = No
ntlm auth = Yes
ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd
null passwords = Yes
obey pam restrictions = No
old password allowed period = 60
pam password change = Yes
passdb backend = smbpasswd
passdb expand explicit = No
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
passwd chat timeout = 2
passwd program
password server = HOST223.hc1.com
preload modules
private dir = /usr/local/samba/private
raw NTLMv2 auth = No
rename user script
restrict anonymous = 0
root directory
samba kcc command = /usr/local/samba/sbin/samba_kcc
security = ADS
server role = auto
server schannel = No
server signing = No
smb passwd file = /etc/config/smbpasswd
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls crlfile
tls dh params file
tls enabled = Yes
tls keyfile = tls/key.pem
tls priority = NORMAL:-VERS-SSL3.0
tls verify peer = as_strict_as_possible
unix password sync = No
username level = 0
username map = /etc/config/smbusers
username map cache time = 0
username map script
aio max threads = 100
deadtime = 10
getwd cache = Yes
hostname lookups = No
keepalive = 300
max disk size = 0
max open files = 16384
max smbd processes = 0
name cache timeout = 660
socket options = TCP_NODELAY SO_KEEPALIVE
use mmap = Yes
get quota command
host msdfs = Yes
set quota command
create krb5 conf = Yes
idmap backend = tdb
idmap cache time = 604800
idmap gid
idmap negative cache time = 120
idmap uid
neutralize nt4 emulation = No
reject md5 servers = No
require strong key = No
template homedir = /share/homes/DOMAIN=%D/%U
template shell = /bin/false
winbind cache time = 1
winbindd privileged socket directory = /usr/local/samba/var/lib/winbindd_privileged
winbindd socket directory = /usr/local/samba/var/run/winbindd
winbind enum groups = Yes
winbind enum users = Yes
winbind expand groups = 0
winbind max clients = 200
winbind max domain connections = 1
winbind nested groups = Yes
winbind normalize names = No
winbind nss info = template
winbind offline logon = No
winbind reconnect delay = 30
winbind refresh tickets = No
winbind request timeout = 60
winbind rpc only = No
winbind sealed pipes = No
winbind separator = \
winbind trusted domains only = No
winbind use default domain = No
dns proxy = No
wins hook
wins proxy = No
wins server
wins support = No
idmap config hc2 : range = 50000001-60000000
idmap config hc2 : backend = rid
idmap config treeroot : range = 40000001-50000000
idmap config treeroot : backend = rid
idmap config child1 : range = 30000001-40000000
idmap config child1 : backend = rid
idmap config hc1 : range = 10000001-20000000
idmap config hc1 : backend = rid
idmap config * : range = 400001-500000
idmap config * : backend = tdb
comment
path
administrative share = No
browseable = Yes
case sensitive = Auto
default case = lower
delete veto files = Yes
hide dot files = Yes
hide files
hide special files = No
hide unreadable = No
hide unwriteable files = No
mangled names = Yes
mangling char = ~
map archive = No
map hidden = No
map readonly = no
map system = No
preserve case = Yes
short preserve case = Yes
store dos attributes = Yes
veto files
veto oplock files
blocking locks = Yes
csc policy = manual
fake oplocks = No
kernel oplocks = No
kernel share modes = Yes
level2 oplocks = Yes
locking = Yes
oplock contention limit = 2
oplocks = Yes
posix locking = Yes
strict locking = Auto
afs share = No
available = Yes
copy
delete readonly = No
dfree cache time = 0
dfree command
directory name cache size = 100
dmapi support = No
dont descend
dos filemode = No
dos filetime resolution = No
dos filetimes = Yes
fake directory create times = No
follow symlinks = Yes
fstype = NTFS
include
magic output
magic script
postexec
preexec
preexec close = No
root postexec
root preexec
root preexec close = No
spotlight = No
volume
wide links = Yes
cups options
default devmode = Yes
force printername = No
lppause command
lpq command = %p
lpresume command
lprm command
max print jobs = 1000
max reported print jobs = 0
printable = No
print command
printer name
printing = cups
printjob username = %U
print notify backchannel = No
queuepause command
queueresume command
use client driver = No
acl allow execute always = Yes
acl check permissions = Yes
acl map full control = Yes
durable handles = Yes
ea support = No
map acl inherit = No
nt acl support = Yes
profile acls = No
access based share enum = No
acl group control = No
admin users
create mask = 0777
directory mask = 0777
force create mode = 0000
force directory mode = 0000
force group
force unknown acl user = Yes
force user
guest ok = No
guest only = No
hosts allow
hosts deny
inherit acls = No
inherit owner = No
inherit permissions = No
invalid users
only user = No
read list
read only = Yes
smb encrypt = default
username
valid users
write list
aio read size = 1
aio write behind
aio write size = 0
allocation roundup size = 1048576
block size = 1024
max connections = 0
min print space = 0
strict allocate = No
strict rename = No
strict sync = No
sync always = No
use sendfile = Yes
write cache size = 0
msdfs proxy
msdfs root = No
msdfs shuffle referrals = No
ntvfs handler = unixuid, default
On 27/07/16 09:35, hy wu wrote:
> Hi list,
>
> This is my domain enviroment and all DC are windows 2008r2
>
> [...]

Can you post the smb.conf as it is stored on the computer and not the output of 'samba-tool testparm -v'? The smb.conf you supplied is just too much to wade through.

Rowland
Here is my smb.conf:

[/usr/local/samba/var] # cat /etc/config/smb.conf
[global]
client schannel = false
server schannel = false
client ipc signing = false
client signing = false
server signing = false
winbind sealed pipes = false
require strong key = false
passdb backend = smbpasswd
workgroup = HC1
security = ADS
server string
encrypt passwords = Yes
username level = 0
map to guest = Bad User
null passwords = yes
max log size = 102400
socket options = TCP_NODELAY SO_KEEPALIVE
os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = no
load printers=yes
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
server role = auto
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
wide links = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
inherit acls = no
domain logons = no
min receivefile size = 256
case sensitive = auto
domain master = auto
local master = no
enhance acl v1 = yes
remove everyone = no
conn log = no
kernel oplocks = no
max protocol = SMB2_02
lock directory = /share/CACHEDEV1_DATA/.samba/lock
state directory = /share/CACHEDEV1_DATA/.samba/state
cache directory = /share/CACHEDEV1_DATA/.samba/cache
printcap cache time = 0
acl allow execute always = yes
vfs objects = shadow_copy2 aio_pthread
aio read size = 1
aio write size = 0
pid directory = /var/lock
printcap name=/etc/printcap
printing=cups
show add printer wizard=no
realm = hc1.com
ldap timeout = 5
password server = HOST223.hc1.com
pam password change = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 1
idmap config * : backend = tdb
idmap config * : range = 400001-500000
idmap config HC1 : backend = rid
idmap config HC1 : range = 10000001-20000000
idmap config CHILD1 : backend = rid
idmap config CHILD1 : range = 30000001-40000000
idmap config TREEROOT : backend = rid
idmap config TREEROOT : range = 40000001-50000000
idmap config HC2 : backend = rid
idmap config HC2 : range = 50000001-60000000
idmap config CHILD2 : backend = rid
idmap config CHILD2 : range = 60000001-70000000

2016-07-27 16:58 GMT+08:00 Rowland penny <rpenny at samba.org>:
> On 27/07/16 09:35, hy wu wrote:
>> Hi list,
>>
>> This is my domain enviroment and all DC are windows 2008r2
>>
>> [...]
default >> client ipc min protocol = default >> client max protocol = default >> client min protocol = CORE >> client use spnego = Yes >> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, >> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, >> backupkey, dnsserver >> defer sharing violations = Yes >> dgram port = 138 >> disable netbios = No >> enable asu support = No >> eventlog list >> large readwrite = Yes >> max mux = 50 >> max ttl = 259200 >> max wins ttl = 518400 >> max xmit = 16644 >> min receivefile size = 256 >> min wins ttl = 21600 >> name resolve order = lmhosts wins host bcast >> nbt port = 137 >> nt pipe support = Yes >> nt status support = Yes >> read raw = Yes >> rpc big endian = No >> server max protocol = SMB2_02 >> server min protocol = LANMAN1 >> server multi channel support = No >> smb2 max credits = 8192 >> smb2 max read = 8388608 >> smb2 max trans = 8388608 >> smb2 max write = 8388608 >> smb ports = 445 139 >> svcctl list >> time server = No >> unicode = Yes >> unix extensions = No >> use spnego = Yes >> web port = 901 >> write raw = Yes >> algorithmic rid base = 1000 >> allow dcerpc auth level connect = No >> allow trusted domains = Yes >> auth methods >> check password script >> client ipc signing = No >> client lanman auth = No >> client NTLMv2 auth = Yes >> client plaintext auth = No >> client schannel = No >> client signing = No >> client use spnego principal = No >> dedicated keytab file >> encrypt passwords = Yes >> guest account = guest >> kerberos method = default >> kpasswd port = 464 >> krb5 port = 88 >> lanman auth = No >> log nt token command >> map to guest = Bad User >> map untrusted to domain = No >> ntlm auth = Yes >> ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd >> null passwords = Yes >> obey pam restrictions = No >> old password allowed period = 60 >> pam password change = Yes >> passdb backend = smbpasswd >> passdb expand explicit = No >> passwd chat = *new*password* %n\n 
*new*password* %n\n *changed* >> passwd chat debug = No >> passwd chat timeout = 2 >> passwd program >> password server = HOST223.hc1.com >> preload modules >> private dir = /usr/local/samba/private >> raw NTLMv2 auth = No >> rename user script >> restrict anonymous = 0 >> root directory >> samba kcc command = /usr/local/samba/sbin/samba_kcc >> security = ADS >> server role = auto >> server schannel = No >> server signing = No >> smb passwd file = /etc/config/smbpasswd >> tls cafile = tls/ca.pem >> tls certfile = tls/cert.pem >> tls crlfile >> tls dh params file >> tls enabled = Yes >> tls keyfile = tls/key.pem >> tls priority = NORMAL:-VERS-SSL3.0 >> tls verify peer = as_strict_as_possible >> unix password sync = No >> username level = 0 >> username map = /etc/config/smbusers >> username map cache time = 0 >> username map script >> aio max threads = 100 >> deadtime = 10 >> getwd cache = Yes >> hostname lookups = No >> keepalive = 300 >> max disk size = 0 >> max open files = 16384 >> max smbd processes = 0 >> name cache timeout = 660 >> socket options = TCP_NODELAY SO_KEEPALIVE >> use mmap = Yes >> get quota command >> host msdfs = Yes >> set quota command >> create krb5 conf = Yes >> idmap backend = tdb >> idmap cache time = 604800 >> idmap gid >> idmap negative cache time = 120 >> idmap uid >> neutralize nt4 emulation = No >> reject md5 servers = No >> require strong key = No >> template homedir = /share/homes/DOMAIN=%D/%U >> template shell = /bin/false >> winbind cache time = 1 >> winbindd privileged socket directory >> /usr/local/samba/var/lib/winbindd_privileged >> winbindd socket directory = /usr/local/samba/var/run/winbindd >> winbind enum groups = Yes >> winbind enum users = Yes >> winbind expand groups = 0 >> winbind max clients = 200 >> winbind max domain connections = 1 >> winbind nested groups = Yes >> winbind normalize names = No >> winbind nss info = template >> winbind offline logon = No >> winbind reconnect delay = 30 >> winbind refresh tickets = No 
>> winbind request timeout = 60 >> winbind rpc only = No >> winbind sealed pipes = No >> winbind separator = \ >> winbind trusted domains only = No >> winbind use default domain = No >> dns proxy = No >> wins hook >> wins proxy = No >> wins server >> wins support = No >> idmap config hc2 : range = 50000001-60000000 >> idmap config hc2 : backend = rid >> idmap config treeroot : range = 40000001-50000000 >> idmap config treeroot : backend = rid >> idmap config child1 : range = 30000001-40000000 >> idmap config child1 : backend = rid >> idmap config hc1 : range = 10000001-20000000 >> idmap config hc1 : backend = rid >> idmap config * : range = 400001-500000 >> idmap config * : backend = tdb >> comment >> path >> administrative share = No >> browseable = Yes >> case sensitive = Auto >> default case = lower >> delete veto files = Yes >> hide dot files = Yes >> hide files >> hide special files = No >> hide unreadable = No >> hide unwriteable files = No >> mangled names = Yes >> mangling char = ~ >> map archive = No >> map hidden = No >> map readonly = no >> map system = No >> preserve case = Yes >> short preserve case = Yes >> store dos attributes = Yes >> veto files >> veto oplock files >> blocking locks = Yes >> csc policy = manual >> fake oplocks = No >> kernel oplocks = No >> kernel share modes = Yes >> level2 oplocks = Yes >> locking = Yes >> oplock contention limit = 2 >> oplocks = Yes >> posix locking = Yes >> strict locking = Auto >> afs share = No >> available = Yes >> copy >> delete readonly = No >> dfree cache time = 0 >> dfree command >> directory name cache size = 100 >> dmapi support = No >> dont descend >> dos filemode = No >> dos filetime resolution = No >> dos filetimes = Yes >> fake directory create times = No >> follow symlinks = Yes >> fstype = NTFS >> include >> magic output >> magic script >> postexec >> preexec >> preexec close = No >> root postexec >> root preexec >> root preexec close = No >> spotlight = No >> volume >> wide links = Yes >> cups 
options >> default devmode = Yes >> force printername = No >> lppause command >> lpq command = %p >> lpresume command >> lprm command >> max print jobs = 1000 >> max reported print jobs = 0 >> printable = No >> print command >> printer name >> printing = cups >> printjob username = %U >> print notify backchannel = No >> queuepause command >> queueresume command >> use client driver = No >> acl allow execute always = Yes >> acl check permissions = Yes >> acl map full control = Yes >> durable handles = Yes >> ea support = No >> map acl inherit = No >> nt acl support = Yes >> profile acls = No >> access based share enum = No >> acl group control = No >> admin users >> create mask = 0777 >> directory mask = 0777 >> force create mode = 0000 >> force directory mode = 0000 >> force group >> force unknown acl user = Yes >> force user >> guest ok = No >> guest only = No >> hosts allow >> hosts deny >> inherit acls = No >> inherit owner = No >> inherit permissions = No >> invalid users >> only user = No >> read list >> read only = Yes >> smb encrypt = default >> username >> valid users >> write list >> aio read size = 1 >> aio write behind >> aio write size = 0 >> allocation roundup size = 1048576 >> block size = 1024 >> max connections = 0 >> min print space = 0 >> strict allocate = No >> strict rename = No >> strict sync = No >> sync always = No >> use sendfile = Yes >> write cache size = 0 >> msdfs proxy >> msdfs root = No >> msdfs shuffle referrals = No >> ntvfs handler = unixuid, default >> > > Can you post the smb.conf as it is stored on the computer and not the > output of 'samba-tool testparm -v' > > The smb.conf you supplied is just too much to wade through. > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
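Added example, not code from the thread's posters or from the Samba project: a small parser for the flattened `samba-tool testparm -v` output quoted above, plus a filter that pulls out the parameters governing winbind's NETLOGON secure channel and the signing/sealing of the RPC and SMB transports around it. That is the subset worth diffing between the working 4.0.5 box and the failing 4.4.4 box instead of the full dump. The parameter names are real smb.conf options; which values count as weak is this editor's hardening assumption, not a diagnosis of the NetrServerAuthenticate3 failure in the thread. SAMPLE_DUMP is a constructed excerpt whose values are taken from the quoted dump.

```python
"""Parse `samba-tool testparm -v` output and flag weak NETLOGON/transport settings.

Added example for this thread; not Samba project code.  Which values are
"weak" is an editorial hardening assumption, not a root cause for the thread.
"""
from typing import Callable, Dict, List, Tuple

# Constructed excerpt of the dump quoted in the thread, in the
# one-setting-per-line layout testparm prints.  Values are the ones from the
# quoted output; only a handful of the several hundred parameters are kept.
SAMPLE_DUMP = """\
[global]
    interfaces
    netbios name = MYBOX
    security = ADS
    server role = auto
    password server = HOST223.hc1.com
    client schannel = No
    server schannel = No
    client signing = No
    client ipc signing = No
    server min protocol = LANMAN1
    lanman auth = No
    ntlm auth = Yes
    null passwords = Yes
    allow nt4 crypto = No
    require strong key = No
    reject md5 servers = No
    winbind sealed pipes = No
    winbind rpc only = No
    allow trusted domains = Yes
    client ldap sasl wrapping = sign
    idmap config hc2 : backend = rid
"""


def parse_testparm(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {parameter: value}} for testparm-style output.

    Parameter names are lower-cased and whitespace-normalised (Samba treats
    them case-insensitively).  A bare name with no '=' is how testparm prints
    an unset parameter; it is recorded with an empty value.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue  # a parameter before any [section] is not valid testparm output
        key, sep, value = line.partition("=")
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip() if sep else ""
    return sections


def _is_no(v: str) -> bool:
    return v.lower() in {"no", "false", "off", "0", "disabled"}


def _is_yes(v: str) -> bool:
    return v.lower() in {"yes", "true", "on", "1"}


def _is_smb1(v: str) -> bool:
    return v.upper() in {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}


# (parameter, predicate true when the value is weak, why it matters).  These
# knobs decide whether winbind signs/seals its netlogon channel and RPC traffic
# to a DC, and whether SMB1 dialects are still on the table.
NETLOGON_CHECKS: List[Tuple[str, Callable[[str], bool], str]] = [
    ("client schannel", _is_no, "netlogon schannel not demanded on connections to DCs"),
    ("server schannel", _is_no, "netlogon schannel not demanded from clients of this host"),
    ("require strong key", _is_no, "128-bit netlogon session key not required"),
    ("reject md5 servers", _is_no, "DCs offering only MD5-based netlogon credentials accepted"),
    ("winbind sealed pipes", _is_no, "winbind RPC to the DC is not sealed"),
    ("client signing", _is_no, "SMB signing disabled for client connections"),
    ("client ipc signing", _is_no, "SMB signing disabled on IPC$ (the RPC transport)"),
    ("server min protocol", _is_smb1, "SMB1 dialects still accepted"),
    ("null passwords", _is_yes, "accounts with empty passwords accepted"),
]

# Extra context worth diffing between a working and a failing box.
CONTEXT_PARAMS = ["security", "server role", "password server", "allow trusted domains",
                  "winbind rpc only", "allow nt4 crypto", "ntlm auth", "lanman auth",
                  "client ldap sasl wrapping"]


def audit(global_section: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (parameter, value, note) for every weak setting present."""
    return [(p, global_section[p], note) for p, weak, note in NETLOGON_CHECKS
            if p in global_section and weak(global_section[p])]


def netlogon_view(global_section: Dict[str, str]) -> Dict[str, str]:
    """The small subset to diff between two dumps instead of the whole output."""
    wanted = [p for p, _, _ in NETLOGON_CHECKS] + CONTEXT_PARAMS
    return {p: global_section[p] for p in wanted if p in global_section}


if __name__ == "__main__":
    g = parse_testparm(SAMPLE_DUMP)["global"]
    for k, v in netlogon_view(g).items():
        print(f"{k:28} = {v or '<unset>'}")
    for param, value, note in audit(g):
        print(f"WEAK  {param} = {value}: {note}")
```

Usage: save `samba-tool testparm -v` output from each host to a file, feed it to `parse_testparm`, and compare the two `netlogon_view` dictionaries; the lines that differ are the ones to raise on the list, which is far easier to wade through than the complete dump. The `audit` findings are a hardening checklist to review alongside, not evidence of what broke between the two Samba versions.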