admins aixtema
2016-Sep-21 08:32 UTC
[Samba] Samba loses the user forward as member server
Hi,
I am at the end of my knowledge.
Our PDC works fine, all users can access the Samba shares, Windows logins
are working, all fine.
But our member server makes me ($=%§=(%(§=.
When I join the domain all is fine and all shares are working:
net rpc join -S DOMAINSERVER -U Administrator
Using short domain name -- DOMAIN
Joined 'SERVER1' to domain 'DOMAIN'
net rpc testjoin -S DOMAINSERVER -U ADMINISTRATOR
Join to 'DOMAIN' is OK
But after some time, mostly overnight, the user forward to the PDC won't
work anymore:
[2016/08/31 08:29:14.347232, 2]
../source3/rpc_server/samr/srv_samr_nt.c:4004(_samr_LookupDomain)
Returning domain sid for domain DOMAIN ->
S-1-5-21-1978212312-4363474585695-122580615
2016/08/31 08:27:51.706586, 2]
../source3/lib/smbldap.c:794(smbldap_open_connection)
smbldap_open_connection: connection opened
[2016/08/31 08:27:51.707693, 2]
../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: isso-dev-back$
[2016/08/31 08:27:51.709160, 0]
../source3/passdb/lookup_sid.c:1556(get_primary_group_sid)
Failed to find a Unix account for isso-dev-back$
[2016/08/31 08:27:51.710181, 0]
../source3/passdb/lookup_sid.c:1556(get_primary_group_sid)
Failed to find a Unix account for isso-dev-back$
[2016/08/31 08:27:51.711121, 0]
../source3/passdb/lookup_sid.c:1556(get_primary_group_sid)
Failed to find a Unix account for isso-dev-back$
[2016/08/31 08:27:51.711919, 0]
../source3/passdb/lookup_sid.c:1556(get_primary_group_sid)
Failed to find a Unix account for isso-dev-back$
[2016/08/31 08:27:51.712797, 0]
../source3/passdb/lookup_sid.c:1556(get_primary_group_sid)
Failed to find a Unix account for isso-dev-back$
[2016/08/31 08:27:51.717828, 2]
../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: proggi4$
[2016/08/31 08:27:51.718747, 0]
../source3/passdb/lookup_sid.c:1556(get_primary_group_sid)
Failed to find a Unix account for proggi4$
[2016/08/31 08:27:51.719473, 1]
../source3/auth/server_info_sam.c:85(make_server_info_sam)
User proggi4$ in passdb, but getpwnam() fails!
[2016/08/31 08:27:51.719513, 0]
../source3/auth/check_samsec.c:494(check_sam_security)
check_sam_security: make_server_info_sam() failed with
'NT_STATUS_NO_SUCH_USER'
[2016/08/31 08:27:51.719549, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_sam_security: make_server_info_sam() failed with
'NT_STATUS_NO_SUCH_USER'
[2016/08/31 08:29:28.291279, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [PC1$] -> [PC1$]
FAILED with error NT_STATUS_NO_SUCH_USER
The only thing that then works is to rejoin the domain:
net rpc join -S DOMAINSERVER -U Administrator
After that all shares work again, but that is not a solution to work with.
smbclient -L \\memberserver -N
Anonymous login successful
Domain=[DOMAIn] OS=[Windows 6.1] Server=[Samba 4.5.0]
Sharename Type Comment
--------- ---- -------
dev Disk Develop
IPC$ IPC IPC Service (Samba Server Version
4.5.0)
gives this, and after around 1 min it stops.
After domain join:
Domain=[GALAXY] OS=[Windows 6.1] Server=[Samba 4.5.0]
Sharename Type Comment
--------- ---- -------
dev Disk dev
IPC$ IPC IPC Service (Samba Server Version
4.5.0)
Anonymous login successful
Domain=[DOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.0]
Server Comment
--------- -------
MEMBERSERVER Samba Server Version 4.5.0
DOMAIN DOMAIN
Workgroup Master
--------- -------
DOMAIN PDC
and all works fine.
Does anyone of you have an idea what is wrong?
The last idea I have is to change from member server to standalone
server, but this is only a workaround, not a solution.
Systems (both Gentoo)
PDC (NOT AD DC, still old Samba DC)
net-fs/samba-4.2.12 USE="acl aio client cups fam gnutls ldap pam
system-mitkrb5 systemd winbind -addc -addns -ads -avahi -cluster -dmapi
-iprint -quota (-selinux) -syslog {-test}" ABI_X86="32 (64)
(-x32)"
PYTHON_TARGETS="python2_7"
Member server
net-fs/samba-4.5.0::gentoo USE="acl client fam gnutls ldap pam
system-mitkrb5 systemd -addc -addns -ads -avahi -cluster -cups -dmapi
-iprint -quota (-selinux) -syslog {-test} -winbind" ABI_X86="32 (64)
(-x32)" PYTHON_TARGETS="python2_7" 0 KiB
Samba PDC 4.1.12
[global]
panic action = /usr/share/samba/panic-action %d
dos charset = cp1255
unix charset = utf-8
workgroup = DOMAIN
netbios name = HOSTNAME
# interfaces = bond0 lo eth5
interfaces = 192.168.1.2/24
bind interfaces only = yes
hosts allow = 192.168.1.
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
# new from samba 3.6
client ntlmv2 auth = yes
#client use spnego principal = no
#send spnego principal = no
#max protocol = smb2
## required for Windows 10
max protocol = NT1
# use client driver = no
# WINNT specific
# security = domain
# domain logins = yes
server string = PHOENIX
load printers = yes
printing = cups
printcap = cups
syslog only = no
syslog = 1
log level = 2
log file = /var/log/samba/log.%m
max log size = 1000
encrypt passwords = true
# null passwords = no
wins support = yes
domain master = yes
local master = yes
# preferred master = yes
enhanced browsing = yes
browse list = yes
name resolve order = lmhosts host wins bcast
domain logons = yes
os level = 64
# Domain Config
allow trusted domains = yes
logon home = \\%L\homes
logon drive = H:
logon script = %U.bat
logon path = \\%L\%U\profiles
dns proxy = no
preserve case = yes
short preserve case = yes
## getpeername fails
# use sendfile = no
# large readwrite = no
# max xmit = 16644
# LDAP
# ldap trust ids = Yes
# ldapsam:trusted=yes
ldap ssl = off
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=admin,o=company,c=de
ldap suffix = ou=company,o=company,c=de
ldap user suffix = ou=people
ldap group suffix = ou=group
ldap machine suffix = ou=computers
idmap backend = ldap:ldap://127.0.0.1/
ldap idmap suffix = ou=idMap
idmap uid = 40000-50000
idmap gid = 40000-50000
ldap passwd sync = yes
check password script = /sbin/crackcheck -c -d /usr/lib64/cracklib_dict
MEMBER SERVER
Samba 4.1.12 /.14 / 4.5.0
[global]
workgroup = DOMAIN
realm = DOMAIN
#netbios name = %h
server string = Samba Server Version %v
#security = user
security = domain
server role = member server
ntlm auth = No
log file = /var/log/samba/log.%m
max log size = 50
idmap config * : backend = tdb
cups options = raw
interfaces = 192.168.1.20/24
hosts allow = 192.168.1.
#wins support = Yes
[dev]
comment = dev
browsable = yes
writeable = yes
public = yes
read only = no
valid users = USER
# delete readonly = yes
create mode = 0774
directory mode = 0775
create mode = 0774
directory mode = 0775
force create mode = 0600
force group = USER
path = /mnt/folder
Kind regards,
René Fuchs
--
***********************************************
aixtema GmbH
René Fuchs
Philipsstr. 8, 52068 Aachen, Germany
Tel.: +49 241 70515-1323, Fax: +49 241 70515-15
mailto:r.fuchs at aixtema.de
WWW: http://www.aixtema.de
Shop: http://shop.aixtema.de
Managing Director: Oliver Rossbruch
HRB 8201, Amtsgericht Aachen
VAT ID No. DE 210 906 744
Tax No. 201/5942/3737, Finanzamt Aachen Stadt
***********************************************
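Every failing authentication in the log excerpt above stops at the same step: the account is found in passdb (LDAP), but getpwnam() on the member server returns nothing, so Samba answers NT_STATUS_NO_SUCH_USER. The script below is an added example for this thread, not code from the post or from Samba itself. It parses the line-wrapped log layout shown in the mail (header, source location and message on separate lines, one header missing its bracket), summarises per account which lookup failed, and includes the live check a practitioner would run on the member server: pwd.getpwnam(), the same NSS lookup Samba performs, to see whether the domain machine accounts currently resolve on that host. The embedded sample is a constructed copy of part of the posted log; the function names are this example's own.

```python
"""Triage a Samba log excerpt: accounts found in passdb (LDAP) that could not be
mapped to a Unix account, and the authentications that failed as a result."""
import pwd
import re

# Constructed sample: part of the log quoted in the post, kept in the line-wrapped
# form the mail shows (header, source location and message on separate lines).
SAMPLE_LOG = """\
2016/08/31 08:27:51.706586, 2]
../source3/lib/smbldap.c:794(smbldap_open_connection)
smbldap_open_connection: connection opened
[2016/08/31 08:27:51.707693, 2]
../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: isso-dev-back$
[2016/08/31 08:27:51.709160, 0]
../source3/passdb/lookup_sid.c:1556(get_primary_group_sid)
Failed to find a Unix account for isso-dev-back$
[2016/08/31 08:27:51.717828, 2]
../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: proggi4$
[2016/08/31 08:27:51.718747, 0]
../source3/passdb/lookup_sid.c:1556(get_primary_group_sid)
Failed to find a Unix account for proggi4$
[2016/08/31 08:27:51.719473, 1]
../source3/auth/server_info_sam.c:85(make_server_info_sam)
User proggi4$ in passdb, but getpwnam() fails!
[2016/08/31 08:29:28.291279, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [PC1$] -> [PC1$]
FAILED with error NT_STATUS_NO_SUCH_USER
"""

# Header "[YYYY/MM/DD hh:mm:ss.usec, level]", optionally followed by the source
# location; the "[" is optional so the header that lost it in the post still parses.
HEADER = re.compile(r"^\[?(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\](?:\s+(\S+))?")
FOUND = re.compile(r"Entry found for user: (\S+)")
NO_UNIX = re.compile(r"Failed to find a Unix account for (\S+)")
GETPW = re.compile(r"User (\S+) in passdb, but getpwnam\(\) fails")
AUTH_FAIL = re.compile(r"Authentication for user \[([^\]]+)\] -> \[[^\]]+\] FAILED with error (NT_STATUS_\w+)")


def parse_samba_log(text):
    """Split log text into records; continuation lines are joined into 'msg'."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            cur = {"ts": m.group(1), "level": int(m.group(2)), "where": m.group(3) or "", "msg": ""}
            entries.append(cur)
        elif cur is None:
            continue  # text before the first header
        elif not cur["where"] and line.startswith("../"):
            cur["where"] = line  # source location wrapped onto its own line
        else:
            cur["msg"] = (cur["msg"] + " " + line).strip()
    return entries


def triage(entries):
    """Per account: seen in passdb, Unix lookups failed, getpwnam failed, auth result."""
    report = {}

    def acct(name):
        return report.setdefault(name, {"in_passdb": False, "unix_lookup_failed": 0,
                                        "getpwnam_failed": False, "auth_status": None})

    for e in entries:
        if m := FOUND.search(e["msg"]):
            acct(m.group(1))["in_passdb"] = True
        elif m := NO_UNIX.search(e["msg"]):
            acct(m.group(1))["unix_lookup_failed"] += 1
        elif m := GETPW.search(e["msg"]):
            acct(m.group(1))["getpwnam_failed"] = True
        elif m := AUTH_FAIL.search(e["msg"]):
            acct(m.group(1))["auth_status"] = m.group(2)
    return report


def unresolved_accounts(report):
    """Accounts Samba found in passdb but could not resolve to a Unix account."""
    return sorted(n for n, r in report.items()
                  if r["in_passdb"] and (r["unix_lookup_failed"] or r["getpwnam_failed"]))


def check_nss(names):
    """Live check for the member server: does NSS resolve each name right now?
    This is the same getpwnam() lookup that fails in the posted log."""
    result = {}
    for n in names:
        try:
            pwd.getpwnam(n)
            result[n] = True
        except KeyError:
            result[n] = False
    return result


if __name__ == "__main__":
    rep = triage(parse_samba_log(SAMPLE_LOG))
    for n in unresolved_accounts(rep):
        print(f"{n}: in passdb, Unix account lookup failed {rep[n]['unix_lookup_failed']}x")
    print("NSS on this host:", check_nss(unresolved_accounts(rep)))
```

Run it on the member server with the real log file read into parse_samba_log() instead of SAMPLE_LOG; if check_nss() reports False for the listed machine accounts while the domain join still tests OK, the problem is on the NSS side of the member server, not in the join itself, which matches the "in passdb, but getpwnam() fails" line in the log.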
Hi,
Is your replication between your PDC and your member server working? You can run "samba-tool drs showrepl", which should help you determine if the replication is functioning correctly.
Here is a related link to the Samba wiki that may help :-) https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting
Best Regards,
- Rylan
On Wed, Sep 21, 2016 at 2:32 AM, admins aixtema via samba <samba at lists.samba.org> wrote:
On Wed, 21 Sep 2016 10:35:53 -0600 Rylan Merritt via samba <samba at lists.samba.org> wrote:
> Hi,
>
> Is your replication between your PDC and your member server working?
Even if it was an AD DC and an ADS domain member, there wouldn't be replication, you only get replication between DCs, but the OP has an NT-4 style PDC and there isn't any replication at all.
Rowland