Hi list,
This is my domain environment; all DCs are Windows 2008 R2:
http://i.imgur.com/8cNOtm2.jpeg
When I used samba-4.0.5 and joined my box to domain "HC1", I got the trusted
domain "CHILD2" in "wbinfo -m".
[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2
CHILD2
After I upgraded my box to samba-4.4.4, I lost CHILD2 in "wbinfo -m".
[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2
In log.wb-HC2, I found the following messages:
[2016/07/26 12:02:03.981949, 5, pid=15758, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1594(trusted_domains)
trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
(NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2016/07/26 12:02:03.981962, 3, pid=15758, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_misc.c:168(winbindd_dual_list_trusted_domains)
winbindd_dual_list_trusted_domains: trusted_domains returned
NT_STATUS_UNSUCCESSFUL
[2016/07/26 12:02:03.981971, 4, pid=15758, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_dual.c:1397(child_handler)
I compared Wireshark captures (pcapng) between samba-4.0.5 and samba-4.4.4:
samba-4.0.5:
http://i.imgur.com/ytr7oMt.jpeg
samba-4.4.4:
http://i.imgur.com/f5bYOeo.jpeg
samba-4.4.4 did not send "create netlogon", "netlogon binding" and
DsrEnumerateDomainTrust, so I cannot get "CHILD2" in "wbinfo -m".
I tried to use the patch in
https://bugzilla.samba.org/show_bug.cgi?id=11830
After applying this patch, samba-4.4.4 can send "create netlogon" and
"netlogon binding", but it fails in NetrServerAuthenticate3.
http://i.imgur.com/vI6eB5R.jpeg
And I got these messages in log.wb-HC2:
2016/07/27 16:25:50.602158, 1, pid=18689, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_cm.c:3320(cm_connect_netlogon_transport)
rpccli_setup_netlogon_creds failed for HC2, unable to setup NETLOGON
credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/07/27 16:25:50.602169, 5, pid=18689, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1573(trusted_domains)
trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
(NT_STATUS_NO_TRUST_SAM_ACCOUNT)
[2016/07/27 16:25:50.602182, 3, pid=18689, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1552(trusted_domains)
ads: trusted_domains
Are there any suggestions for configuring Samba or the DCs?
Should I wait for a new patch?
This is my smb.conf:
[global]
bind interfaces only = No
config backend = file
dos charset = CP850
enable core files = Yes
interfaces
multicast dns register = Yes
netbios aliases
netbios name = MYBOX
netbios scope
realm = HC1.COM
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate, dns
server string
share backend = classic
unix charset = UTF-8
workgroup = HC1
browse list = Yes
domain master = Auto
enhanced browsing = Yes
lm announce = Auto
lm interval = 60
local master = No
os level = 20
preferred master = No
allow dns updates = secure only
dns forwarder
dns update command = /usr/local/samba/sbin/samba_dnsupdate
machine password timeout = 604800
nsupdate command = /usr/bin/nsupdate -g
rndc command = /usr/sbin/rndc
spn update command = /usr/local/samba/sbin/samba_spnupdate
mangle prefix = 1
mangling method = hash2
max stat cache size = 256
stat cache = Yes
client ldap sasl wrapping = sign
ldap admin dn
ldap connection timeout = 2
ldap delete dn = No
ldap deref = auto
ldap follow referral = Auto
ldap group suffix
ldap idmap suffix
ldap machine suffix
ldap page size = 1000
ldap passwd sync = no
ldap replication sleep = 1000
ldap server require strong auth = Yes
ldap ssl = start tls
ldap ssl ads = No
ldap suffix
ldap timeout = 5
ldap user suffix
lock spin time = 200
oplock break wait time = 0
smb2 leases = No
debug class = No
debug hires timestamp = Yes
debug pid = No
debug prefix timestamp = No
debug uid = No
ldap debug level = 0
ldap debug threshold = 10
log file
logging
log level = 2
max log size = 102400
syslog = 1
syslog only = No
timestamp logs = Yes
abort shutdown script
add group script
add machine script
add user script
add user to group script
allow nt4 crypto = No
delete group script
delete user from group script
delete user script
domain logons = No
enable privileges = Yes
init logon delay = 100
init logon delayed hosts
logon drive
logon home = \\%N\%U
logon path = \\%N\%U\profile
logon script
reject md5 clients = No
set primary group script
shutdown script
add share command
afs token lifetime = 604800
afs username map
allow insecure wide links = No
async smb echo handler = No
auto services
cache directory = /share/CACHEDEV1_DATA/.samba/cache
change notify = Yes
change share command
cluster addresses
clustering = No
config file
ctdbd socket
ctdb locktime warn threshold = 0
ctdb timeout = 0
default service
delete share command
homedir map = auto.home
kernel change notify = Yes
lock directory = /share/CACHEDEV1_DATA/.samba/lock
log writeable files on exit = No
message command
nbt client socket address = 0.0.0.0
ncalrpc dir = /usr/local/samba/var/run/ncalrpc
NIS homedir = No
nmbd bind explicit broadcast = Yes
panic action
perfcount module
pid directory = /var/lock
registry shares = No
remote announce
remote browse sync
reset on zero vc = No
smbd profiling level = off
state directory = /share/CACHEDEV1_DATA/.samba/state
usershare allow guests = No
usershare max shares = 0
usershare owner only = Yes
usershare path = /usr/local/samba/var/locks/usershares
usershare prefix allow list
usershare prefix deny list
usershare template share
utmp = No
utmp directory
wtmp directory
addport command
addprinter command
cups connection timeout = 30
cups encrypt = No
cups server
deleteprinter command
disable spoolss = No
enumports command
iprint server
load printers = Yes
lpq cache time = 30
os2 driver map
printcap cache time = 0
printcap name = /etc/printcap
show add printer wizard = No
cldap port = 389
client ipc max protocol = default
client ipc min protocol = default
client max protocol = default
client min protocol = CORE
client use spnego = Yes
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver
defer sharing violations = Yes
dgram port = 138
disable netbios = No
enable asu support = No
eventlog list
large readwrite = Yes
max mux = 50
max ttl = 259200
max wins ttl = 518400
max xmit = 16644
min receivefile size = 256
min wins ttl = 21600
name resolve order = lmhosts wins host bcast
nbt port = 137
nt pipe support = Yes
nt status support = Yes
read raw = Yes
rpc big endian = No
server max protocol = SMB2_02
server min protocol = LANMAN1
server multi channel support = No
smb2 max credits = 8192
smb2 max read = 8388608
smb2 max trans = 8388608
smb2 max write = 8388608
smb ports = 445 139
svcctl list
time server = No
unicode = Yes
unix extensions = No
use spnego = Yes
web port = 901
write raw = Yes
algorithmic rid base = 1000
allow dcerpc auth level connect = No
allow trusted domains = Yes
auth methods
check password script
client ipc signing = No
client lanman auth = No
client NTLMv2 auth = Yes
client plaintext auth = No
client schannel = No
client signing = No
client use spnego principal = No
dedicated keytab file
encrypt passwords = Yes
guest account = guest
kerberos method = default
kpasswd port = 464
krb5 port = 88
lanman auth = No
log nt token command
map to guest = Bad User
map untrusted to domain = No
ntlm auth = Yes
ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd
null passwords = Yes
obey pam restrictions = No
old password allowed period = 60
pam password change = Yes
passdb backend = smbpasswd
passdb expand explicit = No
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
passwd chat timeout = 2
passwd program
password server = HOST223.hc1.com
preload modules
private dir = /usr/local/samba/private
raw NTLMv2 auth = No
rename user script
restrict anonymous = 0
root directory
samba kcc command = /usr/local/samba/sbin/samba_kcc
security = ADS
server role = auto
server schannel = No
server signing = No
smb passwd file = /etc/config/smbpasswd
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls crlfile
tls dh params file
tls enabled = Yes
tls keyfile = tls/key.pem
tls priority = NORMAL:-VERS-SSL3.0
tls verify peer = as_strict_as_possible
unix password sync = No
username level = 0
username map = /etc/config/smbusers
username map cache time = 0
username map script
aio max threads = 100
deadtime = 10
getwd cache = Yes
hostname lookups = No
keepalive = 300
max disk size = 0
max open files = 16384
max smbd processes = 0
name cache timeout = 660
socket options = TCP_NODELAY SO_KEEPALIVE
use mmap = Yes
get quota command
host msdfs = Yes
set quota command
create krb5 conf = Yes
idmap backend = tdb
idmap cache time = 604800
idmap gid
idmap negative cache time = 120
idmap uid
neutralize nt4 emulation = No
reject md5 servers = No
require strong key = No
template homedir = /share/homes/DOMAIN=%D/%U
template shell = /bin/false
winbind cache time = 1
winbindd privileged socket directory = /usr/local/samba/var/lib/winbindd_privileged
winbindd socket directory = /usr/local/samba/var/run/winbindd
winbind enum groups = Yes
winbind enum users = Yes
winbind expand groups = 0
winbind max clients = 200
winbind max domain connections = 1
winbind nested groups = Yes
winbind normalize names = No
winbind nss info = template
winbind offline logon = No
winbind reconnect delay = 30
winbind refresh tickets = No
winbind request timeout = 60
winbind rpc only = No
winbind sealed pipes = No
winbind separator = \
winbind trusted domains only = No
winbind use default domain = No
dns proxy = No
wins hook
wins proxy = No
wins server
wins support = No
idmap config hc2 : range = 50000001-60000000
idmap config hc2 : backend = rid
idmap config treeroot : range = 40000001-50000000
idmap config treeroot : backend = rid
idmap config child1 : range = 30000001-40000000
idmap config child1 : backend = rid
idmap config hc1 : range = 10000001-20000000
idmap config hc1 : backend = rid
idmap config * : range = 400001-500000
idmap config * : backend = tdb
comment
path
administrative share = No
browseable = Yes
case sensitive = Auto
default case = lower
delete veto files = Yes
hide dot files = Yes
hide files
hide special files = No
hide unreadable = No
hide unwriteable files = No
mangled names = Yes
mangling char = ~
map archive = No
map hidden = No
map readonly = no
map system = No
preserve case = Yes
short preserve case = Yes
store dos attributes = Yes
veto files
veto oplock files
blocking locks = Yes
csc policy = manual
fake oplocks = No
kernel oplocks = No
kernel share modes = Yes
level2 oplocks = Yes
locking = Yes
oplock contention limit = 2
oplocks = Yes
posix locking = Yes
strict locking = Auto
afs share = No
available = Yes
copy
delete readonly = No
dfree cache time = 0
dfree command
directory name cache size = 100
dmapi support = No
dont descend
dos filemode = No
dos filetime resolution = No
dos filetimes = Yes
fake directory create times = No
follow symlinks = Yes
fstype = NTFS
include
magic output
magic script
postexec
preexec
preexec close = No
root postexec
root preexec
root preexec close = No
spotlight = No
volume
wide links = Yes
cups options
default devmode = Yes
force printername = No
lppause command
lpq command = %p
lpresume command
lprm command
max print jobs = 1000
max reported print jobs = 0
printable = No
print command
printer name
printing = cups
printjob username = %U
print notify backchannel = No
queuepause command
queueresume command
use client driver = No
acl allow execute always = Yes
acl check permissions = Yes
acl map full control = Yes
durable handles = Yes
ea support = No
map acl inherit = No
nt acl support = Yes
profile acls = No
access based share enum = No
acl group control = No
admin users
create mask = 0777
directory mask = 0777
force create mode = 0000
force directory mode = 0000
force group
force unknown acl user = Yes
force user
guest ok = No
guest only = No
hosts allow
hosts deny
inherit acls = No
inherit owner = No
inherit permissions = No
invalid users
only user = No
read list
read only = Yes
smb encrypt = default
username
valid users
write list
aio read size = 1
aio write behind
aio write size = 0
allocation roundup size = 1048576
block size = 1024
max connections = 0
min print space = 0
strict allocate = No
strict rename = No
strict sync = No
sync always = No
use sendfile = Yes
write cache size = 0
msdfs proxy
msdfs root = No
msdfs shuffle referrals = No
ntvfs handler = unixuid, default
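A parser for the log.wb-HC2 records quoted in this post, as an added example (not part of the thread): it groups each Samba debug header with the message lines that follow it, tolerates the header that lost its leading "[", and reports which trusted domain and NT_STATUS each NETLOGON failure names. The sample log is constructed from the lines in the post with the e-mail line wrapping undone.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample log.wb-HC2 records, constructed from the lines quoted in this post
# with the e-mail line wrapping undone: a real Samba log has one header line
# followed by an indented message line per record. The first header of the
# second sample is missing its leading "[" exactly as it is in the post.
SAMPLE_LOG_BEFORE_PATCH = """\
[2016/07/26 12:02:03.981949, 5, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1594(trusted_domains)
  trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON (NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2016/07/26 12:02:03.981962, 3, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:168(winbindd_dual_list_trusted_domains)
  winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL
[2016/07/26 12:02:03.981971, 4, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1397(child_handler)
"""

SAMPLE_LOG_AFTER_PATCH = """\
2016/07/27 16:25:50.602158, 1, pid=18689, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3320(cm_connect_netlogon_transport)
  rpccli_setup_netlogon_creds failed for HC2, unable to setup NETLOGON credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/07/27 16:25:50.602169, 5, pid=18689, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1573(trusted_domains)
  trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON (NT_STATUS_NO_TRUST_SAM_ACCOUNT)
[2016/07/27 16:25:50.602182, 3, pid=18689, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1552(trusted_domains)
  ads: trusted_domains
"""

# A Samba debug header looks like
#   [date time, level, pid=N, effective(u, g), real(u, g), class=X] file:line(function)
# The leading "[" is optional so the damaged header above still parses.
HEADER_RE = re.compile(
    r"^\[?(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*"
    r"(?P<level>\d+),\s*pid=(?P<pid>\d+),.*?class=(?P<cls>\w+)\]\s*"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
STATUS_RE = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")
# The two message shapes in the post that name the trusted domain involved.
PIPE_RE = re.compile(r"connection to (?P<domain>[\w.-]+) for (?P<pipe>PIPE_\w+)")
CREDS_RE = re.compile(r"rpccli_setup_netlogon_creds failed for (?P<domain>[\w.-]+)")


@dataclass
class Record:
    timestamp: str
    level: int
    pid: int
    func: str
    location: str      # file:line from the header
    message: str = ""  # continuation lines joined with single spaces

    @property
    def status(self) -> Optional[str]:
        m = STATUS_RE.search(self.message)
        return m.group(0) if m else None


def parse_winbind_log(text: str) -> List[Record]:
    """Group a winbind debug log into records: each header line starts a
    record and every following non-header line belongs to its message."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            records.append(Record(
                timestamp=m.group("ts"), level=int(m.group("level")),
                pid=int(m.group("pid")), func=m.group("func"),
                location=f"{m.group('file')}:{m.group('line')}"))
        elif records:  # message text before any header is dropped
            rec = records[-1]
            rec.message = f"{rec.message} {line}".strip()
    return records


def statuses(records: List[Record]) -> List[str]:
    """Every NT_STATUS code in the log, in order of appearance."""
    return [r.status for r in records if r.status]


def netlogon_failures(records: List[Record]) -> List[Tuple[str, str, str]]:
    """(domain, function, NT_STATUS) for each record in which winbindd could
    not bring up its NETLOGON connection to a trusted domain."""
    out = []
    for r in records:
        m = PIPE_RE.search(r.message) or CREDS_RE.search(r.message)
        if m and r.status:
            out.append((m.group("domain"), r.func, r.status))
    return out


if __name__ == "__main__":
    for label, text in (("before patch", SAMPLE_LOG_BEFORE_PATCH),
                        ("after patch", SAMPLE_LOG_AFTER_PATCH)):
        print(label)
        for domain, func, status in netlogon_failures(parse_winbind_log(text)):
            print(f"  {domain}: {func} -> {status}")
```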
On 27/07/16 09:35, hy wu wrote:
> [...]

Can you post the smb.conf as it is stored on the computer and not the output of 'samba-tool testparm -v'? The smb.conf you supplied is just too much to wade through.

Rowland
Here is my smb.conf:
[/usr/local/samba/var] # cat /etc/config/smb.conf
[global]
client schannel = false
server schannel = false
client ipc signing = false
client signing = false
server signing = false
winbind sealed pipes = false
require strong key = false
passdb backend = smbpasswd
workgroup = HC1
security = ADS
server string
encrypt passwords = Yes
username level = 0
map to guest = Bad User
null passwords = yes
max log size = 102400
socket options = TCP_NODELAY SO_KEEPALIVE
os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = no
load printers=yes
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
server role = auto
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
wide links = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
inherit acls = no
domain logons = no
min receivefile size = 256
case sensitive = auto
domain master = auto
local master = no
enhance acl v1 = yes
remove everyone = no
conn log = no
kernel oplocks = no
max protocol = SMB2_02
lock directory = /share/CACHEDEV1_DATA/.samba/lock
state directory = /share/CACHEDEV1_DATA/.samba/state
cache directory = /share/CACHEDEV1_DATA/.samba/cache
printcap cache time = 0
acl allow execute always = yes
vfs objects = shadow_copy2 aio_pthread
aio read size = 1
aio write size = 0
pid directory = /var/lock
printcap name=/etc/printcap
printing=cups
show add printer wizard=no
realm = hc1.com
ldap timeout = 5
password server = HOST223.hc1.com
pam password change = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 1
idmap config * : backend = tdb
idmap config * : range = 400001-500000
idmap config HC1 : backend = rid
idmap config HC1 : range = 10000001-20000000
idmap config CHILD1 : backend = rid
idmap config CHILD1 : range = 30000001-40000000
idmap config TREEROOT : backend = rid
idmap config TREEROOT : range = 40000001-50000000
idmap config HC2 : backend = rid
idmap config HC2 : range = 50000001-60000000
idmap config CHILD2 : backend = rid
idmap config CHILD2 : range = 60000001-70000000

2016-07-27 16:58 GMT+08:00 Rowland penny <rpenny at samba.org>:
> [...]
default >> client ipc min protocol = default >> client max protocol = default >> client min protocol = CORE >> client use spnego = Yes >> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, >> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, >> backupkey, dnsserver >> defer sharing violations = Yes >> dgram port = 138 >> disable netbios = No >> enable asu support = No >> eventlog list >> large readwrite = Yes >> max mux = 50 >> max ttl = 259200 >> max wins ttl = 518400 >> max xmit = 16644 >> min receivefile size = 256 >> min wins ttl = 21600 >> name resolve order = lmhosts wins host bcast >> nbt port = 137 >> nt pipe support = Yes >> nt status support = Yes >> read raw = Yes >> rpc big endian = No >> server max protocol = SMB2_02 >> server min protocol = LANMAN1 >> server multi channel support = No >> smb2 max credits = 8192 >> smb2 max read = 8388608 >> smb2 max trans = 8388608 >> smb2 max write = 8388608 >> smb ports = 445 139 >> svcctl list >> time server = No >> unicode = Yes >> unix extensions = No >> use spnego = Yes >> web port = 901 >> write raw = Yes >> algorithmic rid base = 1000 >> allow dcerpc auth level connect = No >> allow trusted domains = Yes >> auth methods >> check password script >> client ipc signing = No >> client lanman auth = No >> client NTLMv2 auth = Yes >> client plaintext auth = No >> client schannel = No >> client signing = No >> client use spnego principal = No >> dedicated keytab file >> encrypt passwords = Yes >> guest account = guest >> kerberos method = default >> kpasswd port = 464 >> krb5 port = 88 >> lanman auth = No >> log nt token command >> map to guest = Bad User >> map untrusted to domain = No >> ntlm auth = Yes >> ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd >> null passwords = Yes >> obey pam restrictions = No >> old password allowed period = 60 >> pam password change = Yes >> passdb backend = smbpasswd >> passdb expand explicit = No >> passwd chat = *new*password* %n\n 
*new*password* %n\n *changed* >> passwd chat debug = No >> passwd chat timeout = 2 >> passwd program >> password server = HOST223.hc1.com >> preload modules >> private dir = /usr/local/samba/private >> raw NTLMv2 auth = No >> rename user script >> restrict anonymous = 0 >> root directory >> samba kcc command = /usr/local/samba/sbin/samba_kcc >> security = ADS >> server role = auto >> server schannel = No >> server signing = No >> smb passwd file = /etc/config/smbpasswd >> tls cafile = tls/ca.pem >> tls certfile = tls/cert.pem >> tls crlfile >> tls dh params file >> tls enabled = Yes >> tls keyfile = tls/key.pem >> tls priority = NORMAL:-VERS-SSL3.0 >> tls verify peer = as_strict_as_possible >> unix password sync = No >> username level = 0 >> username map = /etc/config/smbusers >> username map cache time = 0 >> username map script >> aio max threads = 100 >> deadtime = 10 >> getwd cache = Yes >> hostname lookups = No >> keepalive = 300 >> max disk size = 0 >> max open files = 16384 >> max smbd processes = 0 >> name cache timeout = 660 >> socket options = TCP_NODELAY SO_KEEPALIVE >> use mmap = Yes >> get quota command >> host msdfs = Yes >> set quota command >> create krb5 conf = Yes >> idmap backend = tdb >> idmap cache time = 604800 >> idmap gid >> idmap negative cache time = 120 >> idmap uid >> neutralize nt4 emulation = No >> reject md5 servers = No >> require strong key = No >> template homedir = /share/homes/DOMAIN=%D/%U >> template shell = /bin/false >> winbind cache time = 1 >> winbindd privileged socket directory >> /usr/local/samba/var/lib/winbindd_privileged >> winbindd socket directory = /usr/local/samba/var/run/winbindd >> winbind enum groups = Yes >> winbind enum users = Yes >> winbind expand groups = 0 >> winbind max clients = 200 >> winbind max domain connections = 1 >> winbind nested groups = Yes >> winbind normalize names = No >> winbind nss info = template >> winbind offline logon = No >> winbind reconnect delay = 30 >> winbind refresh tickets = No 
>> winbind request timeout = 60 >> winbind rpc only = No >> winbind sealed pipes = No >> winbind separator = \ >> winbind trusted domains only = No >> winbind use default domain = No >> dns proxy = No >> wins hook >> wins proxy = No >> wins server >> wins support = No >> idmap config hc2 : range = 50000001-60000000 >> idmap config hc2 : backend = rid >> idmap config treeroot : range = 40000001-50000000 >> idmap config treeroot : backend = rid >> idmap config child1 : range = 30000001-40000000 >> idmap config child1 : backend = rid >> idmap config hc1 : range = 10000001-20000000 >> idmap config hc1 : backend = rid >> idmap config * : range = 400001-500000 >> idmap config * : backend = tdb >> comment >> path >> administrative share = No >> browseable = Yes >> case sensitive = Auto >> default case = lower >> delete veto files = Yes >> hide dot files = Yes >> hide files >> hide special files = No >> hide unreadable = No >> hide unwriteable files = No >> mangled names = Yes >> mangling char = ~ >> map archive = No >> map hidden = No >> map readonly = no >> map system = No >> preserve case = Yes >> short preserve case = Yes >> store dos attributes = Yes >> veto files >> veto oplock files >> blocking locks = Yes >> csc policy = manual >> fake oplocks = No >> kernel oplocks = No >> kernel share modes = Yes >> level2 oplocks = Yes >> locking = Yes >> oplock contention limit = 2 >> oplocks = Yes >> posix locking = Yes >> strict locking = Auto >> afs share = No >> available = Yes >> copy >> delete readonly = No >> dfree cache time = 0 >> dfree command >> directory name cache size = 100 >> dmapi support = No >> dont descend >> dos filemode = No >> dos filetime resolution = No >> dos filetimes = Yes >> fake directory create times = No >> follow symlinks = Yes >> fstype = NTFS >> include >> magic output >> magic script >> postexec >> preexec >> preexec close = No >> root postexec >> root preexec >> root preexec close = No >> spotlight = No >> volume >> wide links = Yes >> cups 
options >> default devmode = Yes >> force printername = No >> lppause command >> lpq command = %p >> lpresume command >> lprm command >> max print jobs = 1000 >> max reported print jobs = 0 >> printable = No >> print command >> printer name >> printing = cups >> printjob username = %U >> print notify backchannel = No >> queuepause command >> queueresume command >> use client driver = No >> acl allow execute always = Yes >> acl check permissions = Yes >> acl map full control = Yes >> durable handles = Yes >> ea support = No >> map acl inherit = No >> nt acl support = Yes >> profile acls = No >> access based share enum = No >> acl group control = No >> admin users >> create mask = 0777 >> directory mask = 0777 >> force create mode = 0000 >> force directory mode = 0000 >> force group >> force unknown acl user = Yes >> force user >> guest ok = No >> guest only = No >> hosts allow >> hosts deny >> inherit acls = No >> inherit owner = No >> inherit permissions = No >> invalid users >> only user = No >> read list >> read only = Yes >> smb encrypt = default >> username >> valid users >> write list >> aio read size = 1 >> aio write behind >> aio write size = 0 >> allocation roundup size = 1048576 >> block size = 1024 >> max connections = 0 >> min print space = 0 >> strict allocate = No >> strict rename = No >> strict sync = No >> sync always = No >> use sendfile = Yes >> write cache size = 0 >> msdfs proxy >> msdfs root = No >> msdfs shuffle referrals = No >> ntvfs handler = unixuid, default >> > > Can you post the smb.conf as it is stored on the computer and not the > output of 'samba-tool testparm -v' > > The smb.conf you supplied is just too much to wade through. > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
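An added example, not code from the thread or from the Samba project: it parses a 'testparm -v' style dump like the one quoted above, reports which of the winbind/NETLOGON settings present in it switch a protection off, and checks that the per-domain idmap ranges do not overlap. The excerpt it parses is constructed from lines of the poster's dump, and the function names are my own.

```python
"""Parse a Samba 'testparm -v' dump and flag winbind/NETLOGON-relevant settings.
Added example, not from the thread or the Samba project; the excerpt below is
constructed from lines of the poster's dump."""
import re

SAMPLE_DUMP = """\
[global]
    netbios aliases
    allow trusted domains = Yes
    client schannel = No
    require strong key = No
    winbind sealed pipes = No
    template homedir = /share/homes/DOMAIN=%D/%U
    idmap config hc2 : range = 50000001-60000000
    idmap config hc2 : backend = rid
    idmap config hc1 : range = 10000001-20000000
    idmap config * : range = 400001-500000
"""

# Values that switch a protection off (semantics as documented in smb.conf(5)).
WEAK = {
    "client schannel": "No",       # winbind does not use the NETLOGON secure channel
    "require strong key": "No",    # weak 64-bit NETLOGON session keys accepted
    "winbind sealed pipes": "No",  # winbind RPC pipes are not sealed
}

def parse_testparm(text):
    """Flat {param: value}; a param printed without '=' (empty value) maps to ''."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("["):
            key, sep, value = line.partition("=")  # first '=' only; values may contain '='
            params[key.strip()] = value.strip() if sep else ""
    return params

def weak_settings(params):
    """Parameters from WEAK whose configured value disables the protection."""
    return sorted(p for p, bad in WEAK.items() if params.get(p, "").lower() == bad.lower())

def idmap_ranges(params):
    """Domain -> (low, high) from 'idmap config DOM : range' entries."""
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+) : range", key)
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges

def overlapping_ranges(ranges):
    """Domain pairs whose ID ranges intersect, i.e. possible uid/gid collisions."""
    items = sorted(ranges.items())
    return [(a, b) for i, (a, (lo_a, hi_a)) in enumerate(items)
            for b, (lo_b, hi_b) in items[i + 1:] if lo_a <= hi_b and lo_b <= hi_a]
```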