Stefan Schäfer
2017-Mar-18 06:48 UTC
[Samba] Problem with adding an Samba Member Server to a Samba AD Domain
Hi List,

I found some threads here in the list with similar problems, but nothing helped to solve my problem.

We have a much too old Samba DC (Version 4.1.x) and a new Samba 4.5.6 which should act as a member server.

The first problem we had while joining the domain: "net ads join -k" didn't work. The error message said:

    Failed to join domain: failed to lookup DC info for domain 'BAETTENHAUSEN.LOCAL' over rpc: An internal error occurred.

Joining with "net ads join -S s4ad.baettenhausen.local -U Administrator@baettenhausen.local" worked.

After this it wasn't possible to connect to any share of this server. I found the following message in the logs:

    [2017/03/18 01:48:18.760431, 1] ../source3/librpc/crypto/gse.c:498(gse_get_server_auth_token)
      gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/fileserver.baettenhausen.local@BAETTENHAUSEN.LOCAL(kvno 2) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

Searching the keytab for "arcfour-hmac-md5" with "klist -e -k /etc/krb5.keytab | grep arcfour-hmac-md5" delivers no matches.

Trying to connect with the Domain Admins account with smbclient didn't work:

    smbclient -L 127.0.0.1 -U administrator@baettenhausen.local
    Enter administrator@baettenhausen.local's password:
    session setup failed: NT_STATUS_LOGON_FAILURE

The log shows:

    [2017/03/18 07:35:01.529313, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
      check_ntlm_password: Checking password for unmapped user [BAETTENHAUSEN]\[administrator]@[FILESERVER] with the new password interface
    [2017/03/18 07:35:01.529339, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
      check_ntlm_password: mapped user is: [BAETTENHAUSEN]\[administrator]@[FILESERVER]
    [2017/03/18 07:35:01.552411, 3] ../source3/auth/auth_util.c:1233(check_account)
      Failed to find authenticated user BAETTENHAUSEN\administrator via getpwnam(), denying access.
    [2017/03/18 07:35:01.552450, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
      check_ntlm_password: Authentication for user [administrator] -> [administrator] FAILED with error NT_STATUS_NO_SUCH_USER
    [2017/03/18 07:35:01.552482, 2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
      SPNEGO login failed: NT_STATUS_NO_SUCH_USER
    [2017/03/18 07:35:01.552546, 3] ../source3/smbd/error.c:82(error_packet_set)
      NT error packet at ../source3/smbd/sesssetup.c(277) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    [2017/03/18 07:35:01.552988, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
      Server exit (failed to receive smb request)
    [2017/03/18 07:35:01.577737, 3] ../source3/lib/util_procid.c:54(pid_to_procid)
      pid_to_procid: messaging_dgm_get_unique failed: No such file or directory

kinit instead works fine, and "wbinfo -u" is able to show all domain users.

My smb.conf:

    [global]
        workgroup = BAETTENHAUSEN
        interfaces = 127.0.0.1 eth0
        bind interfaces only = true
        printing = cups
        printcap name = cups
        load printers = yes
        user share allow guests = no
        log level = 3

        ## no offline files
        # csc policy = disable

        ## Domain Settings
        security = ADS
        realm = BAETTENHAUSEN.LOCAL
        # server signing = auto
        kerberos method = secrets and keytab
        client signing = yes
        client use spnego = yes
        ntlm auth = yes
        winbind trusted domains only = no
        winbind use default domain = yes

        ## Winbind Settings
        #winbind separator = +

        # ID mapping with RFC2307 extension
        # Builtin and local users/groups
        idmap config *:backend = tdb
        idmap config *:range = 40000-49999
        # BAETTENHAUSEN
        idmap config BAETTENHAUSEN:backend = ad
        #idmap config BAETTENHAUSEN:schema_mode = rfc2307
        idmap config BAETTENHAUSEN:range = 500-30000

        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        template homedir = /home/%D/%U

        ## Charset Settings
        unix charset = UTF8
        # display charset = UTF8
        dos charset = ASCII
    ....
Here is the krb5.conf:

    [libdefaults]
        default_realm = BAETTENHAUSEN.LOCAL
        dns_lookup_realm = true
        dns_lookup_kdc = true

    [realms]
        BAETTENHAUSEN.LOCAL = {
            kdc = s4ad.baettenhausen.local
            admin_server = s4ad.baettenhausen.local
        }

Resolving the DNS service records for LDAP and Kerberos works:

    fileserver:~ # dig SRV _ldap._tcp.baettenhausen.local

    ; <<>> DiG 9.9.9-P1 <<>> SRV _ldap._tcp.baettenhausen.local
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46492
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;_ldap._tcp.baettenhausen.local. IN SRV

    ;; ANSWER SECTION:
    _ldap._tcp.baettenhausen.local. 900 IN SRV 0 100 389 s4ad.baettenhausen.local.

    ;; AUTHORITY SECTION:
    baettenhausen.local. 900 IN NS s4ad.baettenhausen.local.

    ;; ADDITIONAL SECTION:
    s4ad.baettenhausen.local. 900 IN A 192.168.1.10

    ;; Query time: 8 msec
    ;; SERVER: 192.168.1.10#53(192.168.1.10)
    ;; WHEN: Sat Mar 18 07:45:39 CET 2017
    ;; MSG SIZE rcvd: 133

    fileserver:~ # dig SRV _kerberos._tcp.baettenhausen.local

    ; <<>> DiG 9.9.9-P1 <<>> SRV _kerberos._tcp.baettenhausen.local
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33727
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;_kerberos._tcp.baettenhausen.local. IN SRV

    ;; ANSWER SECTION:
    _kerberos._tcp.baettenhausen.local. 900 IN SRV 0 100 88 s4ad.baettenhausen.local.

    ;; AUTHORITY SECTION:
    baettenhausen.local. 900 IN NS s4ad.baettenhausen.local.

    ;; ADDITIONAL SECTION:
    s4ad.baettenhausen.local. 900 IN A 192.168.1.10

    ;; Query time: 7 msec
    ;; SERVER: 192.168.1.10#53(192.168.1.10)
    ;; WHEN: Sat Mar 18 07:46:58 CET 2017
    ;; MSG SIZE rcvd: 137

Resolving the hostnames of the AD DC and the new member server works in both directions.

Any ideas?

Stefan
Rowland Penny
2017-Mar-18 09:43 UTC
[Samba] Problem with adding an Samba Member Server to a Samba AD Domain
On Sat, 18 Mar 2017 07:48:27 +0100
Stefan Schäfer via samba <samba@lists.samba.org> wrote:

> Hi List,
>
> I found some threads here in the list with similar problems, but
> nothing helped to solve my problem.
>
> We have a much too old Samba DC (Version 4.1.x) and a new Samba
> 4.5.6 which should act as a member server.

Don't suppose you can update the DC to a newer Samba version ?

> smbclient -L 127.0.0.1 -U administrator@baettenhausen.local
> Enter administrator@baettenhausen.local's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>

You should be able to fix this by adding this line to smb.conf:

    username map = /etc/samba/user.map

Then create the user.map:

    nano /etc/samba/user.map
    !root = BAETTENHAUSEN\Administrator BAETTENHAUSEN\administrator Administrator administrator

> Here is the krb5.conf

You only need:

    [libdefaults]
        default_realm = BAETTENHAUSEN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

If your TLD really is '.local' turn off Avahi on the domain member

Rowland
Stefan Schäfer
2017-Mar-18 12:23 UTC
[Samba] Problem with adding an Samba Member Server to a Samba AD Domain
On 18.03.2017 at 10:43, Rowland Penny via samba wrote:
> On Sat, 18 Mar 2017 07:48:27 +0100
> Stefan Schäfer via samba <samba@lists.samba.org> wrote:
>
>> Hi List,
>>
>> I found some threads here in the list with similar problems, but
>> nothing helped to solve my problem.
>>
>> We have a much too old Samba DC (Version 4.1.x) and a new Samba
>> 4.5.6 which should act as a member server.
> Don't suppose you can update the DC to a newer Samba version ?

I know, I have to....

>
>> smbclient -L 127.0.0.1 -U administrator@baettenhausen.local
>> Enter administrator@baettenhausen.local's password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
> You should be able to fix this by adding this line to smb.conf:
>
>     username map = /etc/samba/user.map
>
> Then create the user.map:
>
>     nano /etc/samba/user.map
>     !root = BAETTENHAUSEN\Administrator BAETTENHAUSEN\administrator Administrator administrator

This works for the Administrator account, but I have this problem with all users. Is it a user mapping problem?

>
>> Here is the krb5.conf
> You only need:
>
>     [libdefaults]
>         default_realm = BAETTENHAUSEN.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true

I tested this before, makes no difference.

> If your TLD really is '.local' turn off Avahi on the domain member

Avahi isn't running.

>
> Rowland
>

Stefan
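As an added example (not part of the thread, and not Samba's own code): the gse.c message in the first mail names exactly which key smbd looked for, the SPN, the kvno and the encryption type (arcfour-hmac-md5 is RC4, a legacy enctype). The script below parses a "klist -e -k" listing and classifies such a failure as a missing SPN, a stale kvno, or a key that exists but not for the negotiated enctype; the keytab listing is constructed for the example, not Stefan's real keytab.

```python
import re

# Constructed sample of "klist -e -k /etc/krb5.keytab" output (not Stefan's real keytab).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fileserver.baettenhausen.local@BAETTENHAUSEN.LOCAL (aes256-cts-hmac-sha1-96)
   2 cifs/fileserver.baettenhausen.local@BAETTENHAUSEN.LOCAL (aes256-cts-hmac-sha1-96)
   1 cifs/fileserver.baettenhausen.local@BAETTENHAUSEN.LOCAL (arcfour-hmac)
"""

# The gse.c message from the first mail, with the archive's " at " restored to "@".
SAMPLE_ERROR = ("Failed to find cifs/fileserver.baettenhausen.local@BAETTENHAUSEN.LOCAL"
                "(kvno 2) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)")

KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
ERR_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab \S+ \((\S+)\)")
# MIT klist prints RC4 as "arcfour-hmac"; Samba's gse.c logs the long name.
ENCTYPE_ALIASES = {"arcfour-hmac": "arcfour-hmac-md5", "rc4-hmac": "arcfour-hmac-md5"}


def parse_keytab_listing(text):
    """Map each principal to {kvno: set(enctypes)} from klist -e -k output."""
    keytab = {}
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
        enctype = ENCTYPE_ALIASES.get(enctype, enctype)
        keytab.setdefault(principal, {}).setdefault(kvno, set()).add(enctype)
    return keytab


def diagnose(keytab, error_line):
    """Classify a gse.c keytab miss: missing-spn, kvno-mismatch, enctype-missing or ok."""
    m = ERR_RE.search(error_line)
    if not m:
        raise ValueError("not a gse.c 'Failed to find ... in keytab' line")
    principal, kvno, enctype = m.group(1), int(m.group(2)), m.group(3)
    versions = keytab.get(principal)
    if versions is None:
        return "missing-spn"       # no key for this SPN in the keytab at all
    if kvno not in versions:
        return "kvno-mismatch"     # keytab predates the last machine password change
    if ENCTYPE_ALIASES.get(enctype, enctype) not in versions[kvno]:
        return "enctype-missing"   # key exists, but not for the negotiated enctype
    return "ok"
```

For the constructed listing, diagnose() returns "enctype-missing": the cifs SPN has an AES key at kvno 2 but its only RC4 key is at kvno 1.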