On Sun, 13 Nov 2016 09:50:09 +0000
niya levi via samba <samba at lists.samba.org> wrote:
> hi everyone
>
> i'm having trouble figuring out why i'm getting
> NT_STATUS_NO_LOGON_SERVERS errors,
> i have two samba ad domain controllers running on raspberry pi's
> i think it's a recent problem since an upgrade because
> i was able to list domain users on a joined member server
> but now getent only lists local users,
> i've read that the problem might be due to avahi which i stop with
> systemd or it might be a dns issue,
> the following commands run on a dc all succeed except for the last
> nmblookup command
> what further commands could i run to identify the problem ?
>
> [ashanti ~]$ host -t SRV _ldap._tcp.ad.tissisat.co.uk
> _ldap._tcp.ad.tissisat.co.uk has SRV record 0 100 389
> khafu.ad.tissisat.co.uk.
> _ldap._tcp.ad.tissisat.co.uk has SRV record 0 100 389
> ashanti.ad.tissisat.co.uk.
> [ashanti ~]$ host -t SRV _kerberos._udp.ad.tissisat.co.uk
> _kerberos._udp.ad.tissisat.co.uk has SRV record 0 100 88
> khafu.ad.tissisat.co.uk.
> _kerberos._udp.ad.tissisat.co.uk has SRV record 0 100 88
> ashanti.ad.tissisat.co.uk.
> [ashanti ~]$ host -t A ashanti.ad.tissisat.co.uk
> ashanti.ad.tissisat.co.uk has address 10.2.1.6
>
> sudo smbclient -L ashanti -U%
> Domain=[TISSISAT] OS=[Windows 6.1] Server=[Samba 4.5.1]
>
> Sharename Type Comment
> --------- ---- -------
> netlogon Disk
> sysvol Disk
> IPC$ IPC IPC Service (Samba 4.5.1)
> Domain=[TISSISAT] OS=[Windows 6.1] Server=[Samba 4.5.1]
>
> Server Comment
> --------- -------
>
> Workgroup Master
> --------- -------
>
> sudo smbclient //tardis/smb/home/phil -Uphil
> Enter phil's password:
> session setup failed: NT_STATUS_NO_LOGON_SERVERS
>
> [ashanti ~]$ sudo nmblookup 'TISSISAT#1b' 'TISSISAT#1c'
> 10.2.1.9 TISSISAT<1b>
> name_query failed to find name TISSISAT#1c
>
> [ashanti ~]$ sudo smbclient -d=5 //TARDIS/smb/home/phil -Uphil
> INFO: Current debug levels:
> all: 5
> tdb: 5
> printdrivers: 5
> lanman: 5
> smb: 5
> rpc_parse: 5
> rpc_srv: 5
> rpc_cli: 5
> passdb: 5
> sam: 5
> auth: 5
> winbind: 5
> vfs: 5
> idmap: 5
> quota: 5
> acls: 5
> locking: 5
> msdfs: 5
> dmapi: 5
> registry: 5
> scavenger: 5
> dns: 5
> ldb: 5
> tevent: 5
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
> all: 5
> tdb: 5
> printdrivers: 5
> lanman: 5
> smb: 5
> rpc_parse: 5
> rpc_srv: 5
> rpc_cli: 5
> passdb: 5
> sam: 5
> auth: 5
> winbind: 5
> vfs: 5
> idmap: 5
> quota: 5
> acls: 5
> locking: 5
> msdfs: 5
> dmapi: 5
> registry: 5
> scavenger: 5
> dns: 5
> ldb: 5
> tevent: 5
> Processing section "[global]"
> doing parameter netbios name = ASHANTI
> doing parameter realm = AD.TISSISAT.CO.UK
> doing parameter server services = s3fs, rpc, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> doing parameter workgroup = TISSISAT
> doing parameter server role = active directory domain controller
> doing parameter idmap_ldb:use rfc2307 = yes
> doing parameter winbind enum users = yes
> doing parameter winbind enum groups = yes
> doing parameter load printers = no
> doing parameter printing = bsd
> doing parameter printcap name = /dev/null
> doing parameter disable spoolss = yes
> doing parameter interfaces = lo eth0
> doing parameter bind interfaces only = yes
> doing parameter allow dns updates = nonsecure
> doing parameter client ldap sasl wrapping = sign
> doing parameter tls enabled = yes
> doing parameter tls keyfile = tls/key.pem
> doing parameter tls certfile = tls/cert.pem
> doing parameter tls cafile = tls/ca.pem
> doing parameter log file = /var/log/samba/%m.log
> doing parameter max log size = 50
> pm_process() returned Yes
> added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface eth0 ip=10.2.1.6 bcast=10.2.1.255 netmask=255.255.255.0
> Netbios name list:-
> my_netbios_names[0]="ASHANTI"
> Client started (version 4.5.1).
> Enter philmore's password:
> Opening cache file at /var/cache/samba/gencache.tdb
> Opening cache file at /var/cache/samba/gencache_notrans.tdb
> sitename_fetch: No stored sitename for realm 'AD.TISSISAT.CO.UK'
> no entry for TARDIS#20 found.
> resolve_lmhosts: Attempting lmhosts lookup for name TARDIS<0x20>
> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> resolve_wins: WINS server resolution selected and no WINS servers listed.
> resolve_hosts: Attempting host lookup for name TARDIS<0x20>
> namecache_store: storing 1 address for TARDIS#20: 10.2.1.9
> Connecting to 10.2.1.9 at port 445
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_REUSEPORT = 0
> SO_SNDBUF = 44800
> SO_RCVBUF = 341760
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> TCP_DEFER_ACCEPT = 0
> session request ok
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178@please_ignore
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism ntlmssp
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_TARGET_TYPE_DOMAIN
> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> NTLMSSP_NEGOTIATE_TARGET_INFO
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> SPNEGO login failed: No logon servers
> session setup failed: NT_STATUS_NO_LOGON_SERVERS
>
> thanks
> shadrock
>
>
One thing jumps out here:
doing parameter server services = s3fs, rpc, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dnsupdate
What happened to 'nbt' ??
Rowland