Jakub Kulesza
2017-Apr-23 09:40 UTC
[Samba] kerberos got crazy after ubuntu upgrade from 14.04 to 16.04
OK, I've deleted everything that Rowland suggested. THANKS

Now smb.conf looks like this:

[global]
        workgroup = GPMV
        realm = BIURO.domain
        netbios name = PDC
        server role = active directory domain controller
        dns forwarder = 192.168.0.252
        max open files = 57000
        full_audit:prefix = %u|%I|%m|%S
        full_audit:success = mkdir rename unlink rmdir pwrite
        full_audit:failure = none
        full_audit:facility = local7
        full_audit:priority = NOTICE
        log level = 1
        tls enabled = yes
        tls keyfile = /var/lib/samba/private/tls/key.pem
        tls certfile = /var/lib/samba/private/tls/cert.pem
        tls cafile = /var/lib/samba/private/tls/ca.pem
        tls verify peer = no_check
        ldap server require strong auth = no
        winbind enum groups = yes
        winbind enum users = yes

[netlogon]
        path = /var/local/samba/var/lib/samba/netlogon
        #path = /var/lib/samba/sysvol/biuro.domain/scripts
        read only = No
        guest ok = yes

The result - the same. Logging on a win2008 with user jkadmin gives the following:

Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.0.139: CLIENT_NOT_FOUND: jkadmin at biuro.domain.pl for krbtgt/biuro.domain.pl at biuro.domain.pl, Client not found in Kerberos database
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: DISPATCH: repeated (retransmitted?) request from 192.168.0.139, resending previous response
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for krbtgt/BIURO.domain.PL at BIURO.domain.PL, Bad encryption type
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (5 etypes {23 -133 -128 24 -135}) 192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain.PL for krbtgt/BIURO.domain.PL at BIURO.domain.PL, Client not found in Kerberos database
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: DISPATCH: repeated (retransmitted?) request from 192.168.0.139, resending previous response
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for krbtgt/BIURO.domain.PL at BIURO.domain.PL, Bad encryption type
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (5 etypes {23 -133 -128 24 -135}) 192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain.PL for krbtgt/BIURO.domain.PL at BIURO.domain.PL, Client not found in Kerberos database
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: DISPATCH: repeated (retransmitted?) request from 192.168.0.139, resending previous response
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
Apr 23 11:37:36 pdc krb5kdc[656]: TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for LDAP/pdc.biuro.domain.pl/biuro.domain.pl at BIURO.domain.PL, Bad encryption type
Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15

Funny thing, with ads testjoin:

# net ads testjoin -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eth0 ip=192.168.0.251 bcast=192.168.0.255 netmask=255.255.255.0
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server 192.168.0.251
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server 192.168.0.251
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server 192.168.0.251
Connected to LDAP server pdc.biuro.gpm-vindexus.pl
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
kerberos_kinit_password GPMV at BIURO.GPM-VINDEXUS.PL failed: Decrypt integrity check failed
get_dc_list: preferred server list: "pdc.biuro.gpm-vindexus.pl, *"
resolve_hosts: Attempting host lookup for name pdc.biuro.gpm-vindexus.pl <0x20>
Successfully contacted LDAP server 192.168.0.251
get_dc_list: preferred server list: "pdc.biuro.gpm-vindexus.pl, *"
get_dc_list: preferred server list: "pdc.biuro.gpm-vindexus.pl, *"
Successfully contacted LDAP server 192.168.0.251
Connected to LDAP server pdc.biuro.gpm-vindexus.pl
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password GPMV at BIURO.GPM-VINDEXUS.PL failed: Decrypt integrity check failed
Join to domain is not valid: Logon failure
return code = -1

2017-04-23 10:32 GMT+02:00 Rowland Penny <rpenny at samba.org>:
> On Sun, 23 Apr 2017 09:39:53 +0200
> Jakub Kulesza via samba <samba at lists.samba.org> wrote:
>
> > Hi!
> >
> > I had to upgrade my PDC from 14.04 to 16.04 Ubuntu. The samba version
> > stayed the same, but then some crazy miracles started to happen.
> > 4.3.11+dfsg-0ubuntu0.16.04.6
> >
>
> You haven't got a PDC, you have an AD DC
>
> Can I suggest you remove these lines:
>
> security = auto
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
> client use spnego = yes
> map acl inherit = Yes
> hosts allow = ALL
> server signing = auto
> raw NTLMv2 auth = yes
> client ipc signing = auto
> client ldap sasl wrapping = plain
> idmap config GPMV : backend = ad
> idmap config GPMV : range = 1000-9999999
> map untrusted to domain = Yes
> store dos attributes = yes
> kerberos method = secrets and keytab
> usershare max shares = 0
> encrypt passwords = yes
> password server = pdc.biuro.domain
>
> Change this :
>
> vfs objects = acl_xattr, full_audit
>
> To:
>
> vfs objects = full_audit
>
> But put it into a share!
>
> Also finally, there is this:
> server services = rpc, nbt, wrepl, ldap, cldap, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs, winbindd
>
> I suggest you remove this as well because you have all the default
> settings and 'winbind' & 'winbindd'
>
> Rowland
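As an added example (not code from the thread, from Samba or from MIT Kerberos), here is a small Python triage script for krb5kdc lines of the kind quoted above. It parses AS_REQ/TGS_REQ entries, decodes the numeric etype list the client offered, and groups failures, retransmissions and issued tickets per client IP, so a defender can see which principals a host asked for, whether it offered any AES type, and what the KDC answered. The sample lines are constructed after the post ("@" restored where the list archive rendered it as " at "), plus one made-up successful request from a second host for contrast.

```python
"""Triage MIT krb5kdc AS_REQ/TGS_REQ log lines (added example, not from the thread)."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Kerberos encryption type numbers (RFC 3961/3962/4757); negative values are
# Microsoft-private types that Windows clients advertise.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac", 24: "arcfour-hmac-exp",
    -128: "rc4-md4 (MS)", -133: "rc4-hmac-old (MS)", -135: "rc4-hmac-old-exp (MS)",
}
AES_ETYPES = {17, 18}

# "Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (6 etypes {18 17 ...}) 192.168.0.139: CODE: rest"
REQ_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]: "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<code>[A-Z_]+): (?P<rest>.*)$")
# Failure form of "rest": "[authtime N, ]client for server, message"
FAIL_RE = re.compile(r"^(?:authtime \d+, )?(?P<client>.+?) for (?P<server>\S+), (?P<message>.*)$")
# Success form of "rest": "authtime N, etypes {rep=.. tkt=.. ses=..}, client for server"
ISSUE_RE = re.compile(r"^authtime \d+, etypes \{[^}]*\}, (?P<client>.+?) for (?P<server>\S+)$")
RETRANS_RE = re.compile(
    r"krb5kdc\[\d+\]: DISPATCH: repeated \(retransmitted\?\) request from (?P<ip>[\d.]+)")


def decode_etypes(field: str) -> List[str]:
    """'18 -135' -> readable names; unknown numbers are kept as etype(N)."""
    return [ETYPE_NAMES.get(int(tok), f"etype({int(tok)})") for tok in field.split()]


def offers_aes(field: str) -> bool:
    """True if the client's etype list contains at least one AES type."""
    return any(int(tok) in AES_ETYPES for tok in field.split())


def parse_kdc_line(line: str) -> Optional[dict]:
    """Return a record for an AS_REQ/TGS_REQ line, None for anything else."""
    m = REQ_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "req": m["req"], "ip": m["ip"],
           "code": m["code"], "etypes": decode_etypes(m["etypes"]),
           "offers_aes": offers_aes(m["etypes"])}
    detail = (ISSUE_RE if m["code"] == "ISSUE" else FAIL_RE).match(m["rest"])
    if not detail:
        return None
    rec["client"], rec["server"] = detail["client"], detail["server"]
    rec["message"] = detail["message"] if m["code"] != "ISSUE" else "ticket issued"
    return rec


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Per client IP: failure counts by (req, code, message), principals seen,
    issued tickets, retransmissions, and whether any request lacked AES."""
    per_ip = defaultdict(lambda: {"failures": Counter(), "clients": set(),
                                  "issued": 0, "retransmits": 0, "legacy_only": False})
    for line in lines:
        r = RETRANS_RE.search(line)
        if r:
            per_ip[r["ip"]]["retransmits"] += 1
            continue
        rec = parse_kdc_line(line)
        if rec is None:  # "closing down fd", etc.
            continue
        entry = per_ip[rec["ip"]]
        entry["clients"].add(rec["client"])
        entry["legacy_only"] |= not rec["offers_aes"]
        if rec["code"] == "ISSUE":
            entry["issued"] += 1
        else:
            entry["failures"][(rec["req"], rec["code"], rec["message"])] += 1
    return dict(per_ip)


# Constructed sample, modelled on the post; the .140 line is a made-up success.
SAMPLE_LOG = [
    "Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.0.139: CLIENT_NOT_FOUND: jkadmin@biuro.domain.pl for krbtgt/biuro.domain.pl@biuro.domain.pl, Client not found in Kerberos database",
    "Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15",
    "Apr 23 11:37:36 pdc krb5kdc[656]: DISPATCH: repeated (retransmitted?) request from 192.168.0.139, resending previous response",
    "Apr 23 11:37:36 pdc krb5kdc[656]: TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for krbtgt/BIURO.domain.PL@BIURO.domain.PL, Bad encryption type",
    "Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (5 etypes {23 -133 -128 24 -135}) 192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain.PL for krbtgt/BIURO.domain.PL@BIURO.domain.PL, Client not found in Kerberos database",
    "Apr 23 11:37:36 pdc krb5kdc[656]: TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for LDAP/pdc.biuro.domain.pl/biuro.domain.pl@BIURO.domain.PL, Bad encryption type",
    "Apr 23 11:38:02 pdc krb5kdc[656]: AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.0.140: ISSUE: authtime 1492940282, etypes {rep=18 tkt=18 ses=18}, okuser@BIURO.domain.PL for krbtgt/BIURO.domain.PL@BIURO.domain.PL",
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f"{ip}: issued={info['issued']} retransmits={info['retransmits']} "
              f"legacy_only_request={info['legacy_only']}")
        for (req, code, msg), n in info["failures"].items():
            print(f"  {n}x {req} {code}: {msg}")
        print(f"  principals: {sorted(info['clients'])}")
```

Run against a real /var/log/krb5kdc.log (or the journal) the same way, one line per list element; the per-IP view separates a single misbehaving host from a realm-wide problem, and the legacy_only flag shows which hosts never offer AES (the machine-account request in the sample offers only RC4/DES-class types).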
Rowland Penny
2017-Apr-23 10:21 UTC
[Samba] kerberos got crazy after ubuntu upgrade from 14.04 to 16.04
On Sun, 23 Apr 2017 11:40:45 +0200
Jakub Kulesza <jakkul+samba at gmail.com> wrote:

> OK, I've deleted everything that Rowland suggested. THANKS
>
> Now smb.conf looks like this
>
> [netlogon]
> path = /var/local/samba/var/lib/samba/netlogon
> #path = /var/lib/samba/sysvol/biuro.domain/scripts

Put netlogon back into sysvol and what happened to the 'sysvol' share ?

> read only = No
> guest ok = yes    <-- remove this
>
> The result - the same. Logging on a win2008 with user jkadmin gives
> the following:
>
> Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.0.139: CLIENT_NOT_FOUND: jkadmin at biuro.domain.pl for krbtgt/biuro.domain.pl at biuro.domain.pl, Client not found in Kerberos database
> Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
> Apr 23 11:37:36 pdc krb5kdc[656]: DISPATCH: repeated (retransmitted?) request from 192.168.0.139, resending previous response
> Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
> Apr 23 11:37:36 pdc krb5kdc[656]: TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for krbtgt/BIURO.domain.PL at BIURO.domain.PL, Bad encryption type
> Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
> Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (5 etypes {23 -133 -128 24 -135}) 192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain.PL for krbtgt/BIURO.domain.PL at BIURO.domain.PL, Client not found in Kerberos database
> Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
> Apr 23 11:37:36 pdc krb5kdc[656]: DISPATCH: repeated (retransmitted?) request from 192.168.0.139, resending previous response
> Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
> Apr 23 11:37:36 pdc krb5kdc[656]: TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for krbtgt/BIURO.domain.PL at BIURO.domain.PL, Bad encryption type
> Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
> Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (5 etypes {23 -133 -128 24 -135}) 192.168.0.139: CLIENT_NOT_FOUND: anadrol$@BIURO.domain.PL for krbtgt/BIURO.domain.PL at BIURO.domain.PL, Client not found in Kerberos database
> Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
> Apr 23 11:37:36 pdc krb5kdc[656]: DISPATCH: repeated (retransmitted?) request from 192.168.0.139, resending previous response
> Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
> Apr 23 11:37:36 pdc krb5kdc[656]: TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for LDAP/pdc.biuro.domain.pl/biuro.domain.pl at BIURO.domain.PL, Bad encryption type
> Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15
>
> Funny thing, with ads testjoin:

You do not test a DC like that, did you actually join the Samba AD DC with samba-tool ?

Rowland
Jakub Kulesza
2017-Apr-23 11:37 UTC
[Samba] kerberos got crazy after ubuntu upgrade from 14.04 to 16.04
Rowland, thanks for answering

2017-04-23 12:21 GMT+02:00 Rowland Penny <rpenny at samba.org>:
> On Sun, 23 Apr 2017 11:40:45 +0200
> Jakub Kulesza <jakkul+samba at gmail.com> wrote:
>
> > OK, I've deleted everything that Rowland suggested. THANKS
> >
> > Now smb.conf looks like this
> >
> > [netlogon]
> > path = /var/local/samba/var/lib/samba/netlogon
> > #path = /var/lib/samba/sysvol/biuro.domain/scripts
>
> Put netlogon back into sysvol and what happened to the 'sysvol' share ?
>

They are still there, I did not post the shares :)

> You do not test a DC like that, did you actually join the Samba AD DC
> with samba-tool ?
>

This was working before the upgrade, so I did not join the AD DC using samba-tool again. If everything else fails I will do it, but:

# samba-tool domain info pdc
Forest           : biuro.gpm-vindexus.pl
Domain           : biuro.gpm-vindexus.pl
Netbios domain   : GPMV
DC name          : pdc.biuro.gpm-vindexus.pl
DC netbios name  : PDC
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name

(pdc is the dns name of the server)