Mike Lykov
2017-Jun-21 08:02 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
21.06.2017 11:45, L.P.H. van Belle via samba пишет:> I suggest before you upgrade do a very good read here. > > https://wiki.samba.org/index.php/Updating_Samba#Notable_Enhancements_and_Changes > > https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release) > And a summerize version for with all parameter changes as of upgrade from 4.2 up to 4.6 > http://downloads.van-belle.nl/samba4/Upgrade-info.txt > Same as the wiki links but just summerized the parameter changes.I know that there is a lot of work (like this particullary). I think to create test domain on 4.6 with 1-2 desktops to ensure working configuration, but maybe there is some side effects like as OP's cause.. -- Administrator
Prunk Dump
2017-Jun-21 09:57 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
First thank you very much all to study my problem !!!
I'am using Samba (with Debian) for 5 years now with very good results
! My network now have 3 Samba DCs, nearly 150 Debian Jessie Domain
members, and nearly 250 Windows 7 members. Fortunately it's a high
school network and students are now in vacation. But my network is now
completely down as machine account authentication don't work on DC (I
have checked, nfsv4 don't work anymore ).
So first, here the problems I need to correct after the upgrade to Stretch :
-> Services configuration was not conserved. nmbd, smbd, winbind was
started after the upgrade. In need to disable them with systemctl and
reenable samba-ad-dc.
-> Bind9 DLZ don't work because it's load the bad library
"dlz_bind9_9.so". I need to change to "dlz_bind9_10.so" in
the config
file. But that is normal.
Next my system informations :
-----------------------------
HOSTS : Don't take care of "puppet" entry. In use use puppet to
configure all my DCs and all my Linux Clients. But it's currently
disabled during the update.
~# cat /etc/hosts
127.0.0.1 localhost
172.16.0.20 fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr fichdc
172.16.0.20 puppet.net.lyc-guillaume-fichet.ac-grenoble.fr puppet
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------------------------
NAME RESOLUTION : 172.16.0.20 is the IP of fichdc. DNS seems to work
perfectly. I have made all the Samba Guide troubleshooting tests.
~# cat /etc/resolv.conf
domain net.lyc-guillaume-fichet.ac-grenoble.fr
nameserver 172.16.0.20
-----------------------------
WINBIND : winbind works perfectly on the DC and winbind-nsswitch to.
~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
sudoers: files sss
-----------------------------
KERBEROS
~# ls -al /etc/krb5.conf
lrwxrwxrwx 1 root root 32 juin 30 2015 /etc/krb5.conf ->
/var/lib/samba/private/krb5.conf
~# cat /var/lib/samba/private/krb5.conf
[libdefaults]
default_realm = NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
dns_lookup_realm = false
dns_lookup_kdc = true
-----------------------------
KEYTABS
I have now have three version of the machine keytab. Each one was put
in /var/lib/samba/private/secrets.keytab but never solve the problem.
-> The one generated before the upgrade. kinit still works with it :
~# klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at
NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(des-cbc-crc)
1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at
NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(des-cbc-md5)
1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at
NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(arcfour-hmac)
1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at
NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(des-cbc-crc)
2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at
NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(des-cbc-md5)
2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at
NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(arcfour-hmac)
2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at
NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(aes128-cts-hmac-sha1-96)
2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at
NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(aes256-cts-hmac-sha1-96)
root at fichdc:~# kinit -k -t /etc/krb5.keytab FICHDC$
-> The one located in /var/lib/samba/private/secrets.keytab. kinit
does NOT work with it :
~# klist -e -k /var/lib/samba/private/secrets.keytab
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 HOST/fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at
NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(des-cbc-crc)
1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
1 HOST/fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at
NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(des-cbc-md5)
1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
1 HOST/fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at
NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(arcfour-hmac)
1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
1 HOST/fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(aes128-cts-hmac-sha1-96)
1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at
NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(aes128-cts-hmac-sha1-96)
1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
1 HOST/fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(aes256-cts-hmac-sha1-96)
1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at
NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(aes256-cts-hmac-sha1-96)
1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
~# kinit -k -t /var/lib/samba/private/secrets.keytab FICHDC$
kinit: Preauthentication failed while getting initial credentials
-> The one generated with "samba-tool domain exportkeytab" after
the
upgrade. kinit works.
~# klist -e -k ./keytab_back/secrets.keytab
Keytab name: FILE:./keytab_back/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
2 HOST/fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
2 HOST/fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
2 HOST/fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
2 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at
NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(arcfour-hmac)
2 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at
NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(des-cbc-md5)
2 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at
NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(des-cbc-crc)
~# kinit -k -t ./keytab_back/secrets.keytab FICHDC$
-----------------------------
DRS VAN-BELLE TEST !! Sadly LDAP connection don't works between DCs.
~/samba_test_script# ./samba-check-db-repl.sh
No password for user FICHNET\Administrator was set in this script!
Please enter the password for FICHNET\Administrator :
Running with with console output
Checking the DC_With_FSMO (fichdc) with SAMBA DC:
fichds02.net.lyc-guillaume-fichet.ac-grenoble.fr
fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
Running : /usr/bin/samba-tool ldapcmp --filter='whenChanged,dc,cn'
ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
ldap://fichds02.net.lyc-guillaume-fichet.ac-grenoble.fr
Please wait.. this can take a while..
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C:
LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data
52e, v1db1> <>
Failed to connect to
'ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' with backend
'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr:
DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1>
<>
ERROR(ldb): uncaught exception - LDAP error 49
LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC,
comment: AcceptSecurityContext error, data 52e, v1db1> <>
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
line 962, in run
outf=self.outf, errf=self.errf)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
line 64, in __init__
options=ldb_options)
File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115,
in __init__
self.connect(url, flags, options)
Running : /usr/bin/samba-tool ldapcmp --filter='whenChanged,dc,cn'
ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
ldap://fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
Please wait.. this can take a while..
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C:
LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data
52e, v1db1> <>
Failed to connect to
'ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' with backend
'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr:
DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1>
<>
ERROR(ldb): uncaught exception - LDAP error 49
LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC,
comment: AcceptSecurityContext error, data 52e, v1db1> <>
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
line 962, in run
outf=self.outf, errf=self.errf)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
line 64, in __init__
options=ldb_options)
File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115,
in __init__
self.connect(url, flags, options)
.. Next check..
Running : samba-tool drs showrepl
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:172.16.0.20[1024,seal,target_hostname=fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20]
NT_STATUS_LOGON_FAILURE
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr failed - drsException:
DRS connection to fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
failed: (-1073741715, 'Logon failure')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line
41, in drsuapi_connect
(ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions)
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54,
in drsuapi_connect
raise drsException("DRS connection to %s failed: %s" % (server,
e))
successes don't match
successes don't match
-----------------------------
SAMBA CONFIG : very classic smb.conf. But not regererated since Samba
4.1. I use DFS with success.
~# cat /etc/samba/smb.conf
# Global parameters
[global]
netbios aliases = sambaaccount
sambaaccount.net.lyc-guillaume-fichet.ac-grenoble.fr
load printers = yes
workgroup = FICHNET
realm = NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
netbios name = FICHDC
interfaces = lo, eth0
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/net.lyc-guillaume-fichet.ac-grenoble.fr/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
include = /etc/samba/s4_shares.conf
include = /etc/samba/s4_printers.conf
~# cat /etc/samba/s4_shares.conf
[profiles_local]
path = /fichsamba/smbprofile
read only = No
browseable = No
[profiles]
path = /srv/dfs/profiles
read only = No
msdfs root = yes
[homes_local]
path = /fichsamba/smbhome
read only = No
browseable = No
[homes]
path = /srv/dfs/homes
read only = No
msdfs root = yes
~# cat /etc/samba/s4_printers.conf
[printers]
path = /var/spool/samba
printable = yes
printing = CUPS
[print$]
path = /srv/samba/Printer_drivers
comment = Printer Drivers
writeable = yes
-----------------------------
SAMBA PACKAGES :
~# apt-cache policy samba-dsdb-modules
samba-dsdb-modules:
Installé : 2:4.5.8+dfsg-2
Candidat : 2:4.5.8+dfsg-2
Table de version :
*** 2:4.5.8+dfsg-2 500
500 http://ftp.fr.debian.org/debian stretch/main amd64 Packages
100 /var/lib/dpkg/status
~# dpkg -l | egrep "samba|?mbd|winbind|nss|talloc|tevent|tdb|ldb"
rc ctdb 2.5.4+debian0-4+deb8u1
amd64 clustered database to store temporary data
ii insserv 1.14.0-5.4+b1
amd64 boot sequence organizer using LSB init.d script
dependency information
ii ldb-tools 2:1.1.27-1+b1
amd64 LDAP-like embedded database - tools
rc libapache2-mod-dnssd 0.6-3.1
amd64 Zeroconf support for Apache 2 via avahi
ii libgmpxx4ldbl:amd64 2:6.1.2+dfsg-1
amd64 Multiprecision arithmetic library (C++ bindings)
ii libgnutls-openssl27:amd64 3.5.8-5+deb9u1
amd64 GNU TLS library - OpenSSL wrapper
rc libgsl0ldbl 1.16+dfsg-2
amd64 GNU Scientific Library (GSL) -- library package
ii libhsqldb1.8.0-java 1.8.0.10+dfsg-7
all Java SQL database engine
ii libjansson4:amd64 2.9-1
amd64 C library for encoding, decoding and manipulating
JSON data
ii libldb-dev:amd64 2:1.1.27-1+b1
amd64 LDAP-like embedded database - development files
ii libldb1:amd64 2:1.1.27-1+b1
amd64 LDAP-like embedded database - shared library
ii libnss-mdns:amd64 0.10-8
amd64 NSS module for Multicast DNS name resolution
rc libnss-myhostname:amd64 0.3-9
amd64 nss module providing fallback resolution for the
current hostname
rc libnss-sss:amd64 1.11.7-3
amd64 Nss library for the System Security Services
Daemon
ii libnss-winbind:amd64 2:4.5.8+dfsg-2
amd64 Samba nameservice integration plugins
ii libnss3:amd64 2:3.26.2-1.1
amd64 Network Security Service libraries
ii libntdb-dev 1.0-9+b1
amd64 New Trivial Database - development files
ii libntdb1:amd64 1.0-9+b1
amd64 New Trivial Database - shared library
rc libqtdbus4:amd64
4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1 amd64 Qt 4 D-Bus module
library
ii libreoffice-sdbc-hsqldb 1:5.2.7-1
amd64 HSQLDB SDBC driver for LibreOffice
ii libsss-nss-idmap0 1.15.0-3
amd64 SID based lookups library for SSSD
ii libtalloc-dev 2.1.8-1
amd64 hierarchical pool based memory allocator -
development files
ii libtalloc2:amd64 2.1.8-1
amd64 hierarchical pool based memory allocator
ii libtdb-dev:amd64 1.3.11-2
amd64 Trivial Database - development files
ii libtdb1:amd64 1.3.11-2
amd64 Trivial Database - shared library
ii libtevent-dev:amd64 0.9.31-1
amd64 talloc-based event loop library - development
files
ii libtevent0:amd64 0.9.31-1
amd64 talloc-based event loop library - shared library
ii libwbclient0:amd64 2:4.5.8+dfsg-2
amd64 Samba winbind client library
ii openssh-client 1:7.4p1-10
amd64 secure shell (SSH) client, for secure access to
remote machines
ii openssh-server 1:7.4p1-10
amd64 secure shell (SSH) server, for secure access from
remote machines
ii openssh-sftp-server 1:7.4p1-10
amd64 secure shell (SSH) sftp server module, for SFTP
access from remote machines
ii openssl 1.1.0f-3
amd64 Secure Sockets Layer toolkit - cryptographic
utility
ii perl-openssl-defaults:amd64 3
amd64 version compatibility baseline for Perl OpenSSL
packages
ii python-ldb 2:1.1.27-1+b1
amd64 Python bindings for LDB
ii python-ldb-dev:amd64 2:1.1.27-1+b1
amd64 LDB Python bindings - development files
ii python-samba 2:4.5.8+dfsg-2
amd64 Python bindings for Samba
ii python-talloc 2.1.8-1
amd64 hierarchical pool based memory allocator - Python
bindings
ii python-talloc-dev 2.1.8-1
amd64 talloc Python bindings - development files
ii python-tdb 1.3.11-2
amd64 Python bindings for TDB
ii samba 2:4.5.8+dfsg-2
amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.5.8+dfsg-2
all common files used by both the Samba server and
client
ii samba-common-bin 2:4.5.8+dfsg-2
amd64 Samba common files used by both the server and
the client
ii samba-dsdb-modules 2:4.5.8+dfsg-2
amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.5.8+dfsg-2
amd64 Samba core libraries
ii samba-vfs-modules 2:4.5.8+dfsg-2
amd64 Samba Virtual FileSystem plugins
ii tdb-tools 1.3.11-2
amd64 Trivial Database - bundled binaries
ii winbind 2:4.5.8+dfsg-2
amd64 service to resolve user and group information
from Windows NT servers
-----------------------------
IDMAP : no static resolution
~# cat /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain
Domain = net.lyc-guillaume-fichet.ac-grenoble.fr
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = static,nsswitch
[Static]
-----------------------------
SAMBA VERSION CHANGE IN JESSIE.
You asked me about the two "forced" upgrade in Debian Jessie due to
security patch that can't be applied to the Samba stable version.
At start Debian Jessie was shipped with Samba-4.1 (maybe 4.1.17).
1) After some important CVE patch that can't be applied to 4.1 Debian
team changed the Samba version to 4.2.10
2) But this version introduce some regressions that are corrected
again changing the samba version to 4.2.14.
-----------------------------
Thank again !!!
Just a supposition. As my "/var/lib/samba/private/secrets.keytab"
become "corrupted". Maybe there is similar problems in
"/var/lib/samba/private/secrets.tdb" no ?
Where are stored the information needed by "samba-tool domain
exportkeytab" ?
Baptiste.
L.P.H. van Belle
2017-Jun-21 10:41 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Hai, Before you start, Backup, /etc/ /var/lib/samba better safe than sorry.. Stop samba and related services ( check it at least nmbd smbd winbind samba samba-ad-dc)> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Prunk Dump via samba > Verzonden: woensdag 21 juni 2017 11:57 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] DRS stopped working after upgrade from > debian Jessie to Stretch > > First thank you very much all to study my problem !!! > > I'am using Samba (with Debian) for 5 years now with very good > results ! My network now have 3 Samba DCs, nearly 150 Debian > Jessie Domain members, and nearly 250 Windows 7 members. > Fortunately it's a high school network and students are now > in vacation. But my network is now completely down as machine > account authentication don't work on DC (I have checked, > nfsv4 don't work anymore ). > > So first, here the problems I need to correct after the > upgrade to Stretch : > -> Services configuration was not conserved. nmbd, smbd, winbind was > started after the upgrade. In need to disable them with > systemctl and reenable samba-ad-dc. > -> Bind9 DLZ don't work because it's load the bad library > "dlz_bind9_9.so". I need to change to "dlz_bind9_10.so" in > the config file. But that is normal. > > Next my system informations : > > ----------------------------- > HOSTS : Don't take care of "puppet" entry. In use use puppet > to configure all my DCs and all my Linux Clients. But it's > currently disabled during the update. > ~# cat /etc/hosts > 127.0.0.1 localhost > 172.16.0.20 fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr > fichdc > 172.16.0.20 > puppet.net.lyc-guillaume-fichet.ac-grenoble.fr puppet( better would be, create and CNAME in the dns and point that to the DC name ) For now, i also suggest, you change this to : /etc/hosts 127.0.0.1 localhost 172.16.0.20 fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr puppet.net.lyc-guillaume-fichet.ac-grenoble.fr fichdc puppet We need to make sure the real hostname matches always with the kerberos/dns hostnames.> > # The following lines are desirable for IPv6 capable hosts > ::1 localhost ip6-localhost ip6-loopback > ff02::1 ip6-allnodes > ff02::2 ip6-allrouters > ----------------------------- > NAME RESOLUTION : 172.16.0.20 is the IP of fichdc. DNS seems > to work perfectly. I have made all the Samba Guide > troubleshooting tests. > ~# cat /etc/resolv.conf > domain net.lyc-guillaume-fichet.ac-grenoble.fr > nameserver 172.16.0.20Well here is a choice, i preffer to keep the debian settings, which would be : ( and yes Rowland i know.. ;-) domain/search ) domain net.lyc-guillaume-fichet.ac-grenoble.fr search net.lyc-guillaume-fichet.ac-grenoble.fr nameserver 172.16.0.20> ----------------------------- > WINBIND : winbind works perfectly on the DC and winbind-nsswitch to. > ~# cat /etc/nsswitch.conf > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages > installed, try: > # `info libc "Name Service Switch"' for information about this file. > > passwd: compat winbind > group: compat winbind > shadow: compat > gshadow: files > > hosts: files mdns4_minimal [NOTFOUND=return] dnsThis can cause problems, change to : hosts: files dns mdns4_minimal [NOTFOUND=return] ( or remove avahi-daemon and remove the part mdns4.. [NOT.. )> networks: files > > protocols: db files > services: db files > ethers: db files > rpc: db files > > netgroup: nis > sudoers: files sss > ----------------------------- > KERBEROS > ~# ls -al /etc/krb5.conf > lrwxrwxrwx 1 root root 32 juin 30 2015 /etc/krb5.conf -> > /var/lib/samba/private/krb5.conf ~# cat > /var/lib/samba/private/krb5.conf [libdefaults] > default_realm = NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR > dns_lookup_realm = false > dns_lookup_kdc = true > ----------------------------- > KEYTABS > I have now have three version of the machine keytab. Each one > was put in /var/lib/samba/private/secrets.keytab but never > solve the problem. > > -> The one generated before the upgrade. kinit still works with it : > ~# klist -e -k /etc/krb5.keytab > Keytab name: FILE:/etc/krb5.keytab > KVNO Principal > ---- > -------------------------------------------------------------- > ------------ > 1 > nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUI > LLAUME-FICHET.AC-GRENOBLE.FR > (des-cbc-crc) > 1 > nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUI > LLAUME-FICHET.AC-GRENOBLE.FR > (des-cbc-md5) > 1 > nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUI > LLAUME-FICHET.AC-GRENOBLE.FR > (arcfour-hmac) > 1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc) > 1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5) > 1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac) > 2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc) > 2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5) > 2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac) > 2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR > (aes128-cts-hmac-sha1-96) > 2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR > (aes256-cts-hmac-sha1-96) > 2 > nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUI > LLAUME-FICHET.AC-GRENOBLE.FR > (des-cbc-crc) > 2 > nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUI > LLAUME-FICHET.AC-GRENOBLE.FR > (des-cbc-md5) > 2 > nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUI > LLAUME-FICHET.AC-GRENOBLE.FR > (arcfour-hmac) > 2 > nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUI > LLAUME-FICHET.AC-GRENOBLE.FR > (aes128-cts-hmac-sha1-96) > 2 > nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUI > LLAUME-FICHET.AC-GRENOBLE.FR > (aes256-cts-hmac-sha1-96) > root at fichdc:~# kinit -k -t /etc/krb5.keytab FICHDC$Ok, this one, remove all none nfs entries. ktutil rkt /etc/krb5.keytab list ( check the line numbers ) delent linnr wkt /etc/krb5.keytab> > -> The one located in /var/lib/samba/private/secrets.keytab. kinit > does NOT work with it : > ~# klist -e -k /var/lib/samba/private/secrets.keytab > Keytab name: FILE:/var/lib/samba/private/secrets.keytab > KVNO Principal > ---- > -------------------------------------------------------------- > ------------ > 1 HOST/fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc) > 1 > HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GU > ILLAUME-FICHET.AC-GRENOBLE.FR > (des-cbc-crc) > 1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc) > 1 HOST/fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5) > 1 > HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GU > ILLAUME-FICHET.AC-GRENOBLE.FR > (des-cbc-md5) > 1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5) > 1 HOST/fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR > (arcfour-hmac) > 1 > HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GU > ILLAUME-FICHET.AC-GRENOBLE.FR > (arcfour-hmac) > 1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac) > 1 HOST/fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR > (aes128-cts-hmac-sha1-96) > 1 > HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GU > ILLAUME-FICHET.AC-GRENOBLE.FR > (aes128-cts-hmac-sha1-96) > 1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR > (aes128-cts-hmac-sha1-96) > 1 HOST/fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR > (aes256-cts-hmac-sha1-96) > 1 > HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GU > ILLAUME-FICHET.AC-GRENOBLE.FR > (aes256-cts-hmac-sha1-96) > 1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR > (aes256-cts-hmac-sha1-96) ~# kinit -k -t > /var/lib/samba/private/secrets.keytab FICHDC$ > kinit: Preauthentication failed while getting initial credentialsBackup the old /var/lib/samba/private/secrets.keytab The one below here that works place that one back. ! MAKE SURE YOU HAVE YOUR BACKUPS!> > -> The one generated with "samba-tool domain exportkeytab" after the > upgrade. kinit works. > ~# klist -e -k ./keytab_back/secrets.keytab Keytab name: > FILE:./keytab_back/secrets.keytab KVNO Principal > ---- > -------------------------------------------------------------- > ------------ > 2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac) > 2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5) > 2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc) > 2 HOST/fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR > (arcfour-hmac) > 2 HOST/fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5) > 2 HOST/fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc) > 2 > HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GU > ILLAUME-FICHET.AC-GRENOBLE.FR > (arcfour-hmac) > 2 > HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GU > ILLAUME-FICHET.AC-GRENOBLE.FR > (des-cbc-md5) > 2 > HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GU > ILLAUME-FICHET.AC-GRENOBLE.FR > (des-cbc-crc) > ~# kinit -k -t ./keytab_back/secrets.keytab FICHDC$ > ----------------------------- > DRS VAN-BELLE TEST !! Sadly LDAP connection don't works between DCs.That is because the ad isnt started fully.> ~/samba_test_script# ./samba-check-db-repl.sh No password for > user FICHNET\Administrator was set in this script! > Please enter the password for FICHNET\Administrator : > Running with with console output > Checking the DC_With_FSMO (fichdc) with SAMBA DC: > fichds02.net.lyc-guillaume-fichet.ac-grenoble.fr > fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr > Running : /usr/bin/samba-tool ldapcmp --filter='whenChanged,dc,cn' > ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr > ldap://fichds02.net.lyc-guillaume-fichet.ac-grenoble.fr > Please wait.. this can take a while.. > Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: > LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, > data 52e, v1db1> <> Failed to connect to > 'ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' with backend > 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: > DSID-0C0904DC, comment: AcceptSecurityContext error, data > 52e, v1db1> <> > ERROR(ldb): uncaught exception - LDAP error 49 > LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, > comment: AcceptSecurityContext error, data 52e, v1db1> <> > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > line 176, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", > line 962, in run > outf=self.outf, errf=self.errf) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", > line 64, in __init__ > options=ldb_options) > File "/usr/lib/python2.7/dist-packages/samba/__init__.py", > line 115, in __init__ > self.connect(url, flags, options) > > Running : /usr/bin/samba-tool ldapcmp --filter='whenChanged,dc,cn' > ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr > ldap://fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr > Please wait.. this can take a while.. > Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: > LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, > data 52e, v1db1> <> Failed to connect to > 'ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' with backend > 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: > DSID-0C0904DC, comment: AcceptSecurityContext error, data > 52e, v1db1> <> > ERROR(ldb): uncaught exception - LDAP error 49 > LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, > comment: AcceptSecurityContext error, data 52e, v1db1> <> > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > line 176, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", > line 962, in run > outf=self.outf, errf=self.errf) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", > line 64, in __init__ > options=ldb_options) > File "/usr/lib/python2.7/dist-packages/samba/__init__.py", > line 115, in __init__ > self.connect(url, flags, options) > > .. Next check.. > Running : samba-tool drs showrepl > Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 > for > ncacn_ip_tcp:172.16.0.20[1024,seal,target_hostname=fichdc.net. > lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235-4 > b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20] > NT_STATUS_LOGON_FAILURE > ERROR(<class 'samba.drs_utils.drsException'>): DRS connection > to fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr failed - > drsException: > DRS connection to fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr > failed: (-1073741715, 'Logon failure') > File > "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line > 41, in drsuapi_connect > (ctx.drsuapi, ctx.drsuapi_handle, > ctx.bind_supported_extensions) = > drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds) > File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", > line 54, in drsuapi_connect > raise drsException("DRS connection to %s failed: %s" % > (server, e)) > successes don't match > successes don't match > ----------------------------- > SAMBA CONFIG : very classic smb.conf. But not regererated > since Samba 4.1. I use DFS with success.I did read somewhere you used bind9_DLZ? If thats correct. Then you smb.conf is not. Then change this line (server services = s3fs, rpc, nbt, wrepl, ldap, cldap,> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate) to :server services = -dns> ~# cat /etc/samba/smb.conf > # Global parameters > [global] > netbios aliases = sambaaccount > sambaaccount.net.lyc-guillaume-fichet.ac-grenoble.fr > load printers = yes > workgroup = FICHNET > realm = NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR > netbios name = FICHDC > interfaces = lo, eth0 > bind interfaces only = Yes > server role = active directory domain controller > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, > kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate > idmap_ldb:use rfc2307 = yes > > [netlogon] > path = > /var/lib/samba/sysvol/net.lyc-guillaume-fichet.ac-grenoble.fr/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = NoFor now disable these include, first make sure everything start working again.> include = /etc/samba/s4_shares.conf > include = /etc/samba/s4_printers.conf > > ~# cat /etc/samba/s4_shares.conf > [profiles_local] > path = /fichsamba/smbprofile > read only = No > browseable = No > > [profiles] > path = /srv/dfs/profiles > read only = No > msdfs root = yes > > [homes_local] > path = /fichsamba/smbhome > read only = No > browseable = No > > [homes] > path = /srv/dfs/homes > read only = No > msdfs root = yes > > ~# cat /etc/samba/s4_printers.conf > [printers] > path = /var/spool/samba > printable = yes > printing = CUPS > > [print$] > path = /srv/samba/Printer_drivers > comment = Printer Drivers > writeable = yes > ----------------------------- > SAMBA PACKAGES : > ~# apt-cache policy samba-dsdb-modules > samba-dsdb-modules: > Installé : 2:4.5.8+dfsg-2 > Candidat : 2:4.5.8+dfsg-2 > Table de version : > *** 2:4.5.8+dfsg-2 500 > 500 http://ftp.fr.debian.org/debian stretch/main > amd64 Packages > 100 /var/lib/dpkg/status > > ~# dpkg -l | egrep "samba|?mbd|winbind|nss|talloc|tevent|tdb|ldb" > rc ctdb 2.5.4+debian0-4+deb8u1 > amd64 clustered database to store temporary data > ii insserv 1.14.0-5.4+b1 > amd64 boot sequence organizer using LSB init.d script > dependency information > ii ldb-tools 2:1.1.27-1+b1 > amd64 LDAP-like embedded database - tools > rc libapache2-mod-dnssd 0.6-3.1 > amd64 Zeroconf support for Apache 2 via avahi > ii libgmpxx4ldbl:amd64 2:6.1.2+dfsg-1 > amd64 Multiprecision arithmetic library (C++ bindings) > ii libgnutls-openssl27:amd64 3.5.8-5+deb9u1 > amd64 GNU TLS library - OpenSSL wrapper > rc libgsl0ldbl 1.16+dfsg-2 > amd64 GNU Scientific Library (GSL) -- library package > ii libhsqldb1.8.0-java 1.8.0.10+dfsg-7 > all Java SQL database engine > ii libjansson4:amd64 2.9-1 > amd64 C library for encoding, decoding and manipulating > JSON data > ii libldb-dev:amd64 2:1.1.27-1+b1 > amd64 LDAP-like embedded database - development files > ii libldb1:amd64 2:1.1.27-1+b1 > amd64 LDAP-like embedded database - shared library > ii libnss-mdns:amd64 0.10-8 > amd64 NSS module for Multicast DNS name resolution > rc libnss-myhostname:amd64 0.3-9 > amd64 nss module providing fallback resolution for the > current hostname > rc libnss-sss:amd64 1.11.7-3 > amd64 Nss library for the System Security Services > Daemon > ii libnss-winbind:amd64 2:4.5.8+dfsg-2 > amd64 Samba nameservice integration plugins > ii libnss3:amd64 2:3.26.2-1.1 > amd64 Network Security Service libraries > ii libntdb-dev 1.0-9+b1 > amd64 New Trivial Database - development files > ii libntdb1:amd64 1.0-9+b1 > amd64 New Trivial Database - shared library > rc libqtdbus4:amd64 > 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1 amd64 Qt 4 D-Bus module > library > ii libreoffice-sdbc-hsqldb 1:5.2.7-1 > amd64 HSQLDB SDBC driver for LibreOffice > ii libsss-nss-idmap0 1.15.0-3 > amd64 SID based lookups library for SSSD > ii libtalloc-dev 2.1.8-1 > amd64 hierarchical pool based memory allocator - > development files > ii libtalloc2:amd64 2.1.8-1 > amd64 hierarchical pool based memory allocator > ii libtdb-dev:amd64 1.3.11-2 > amd64 Trivial Database - development files > ii libtdb1:amd64 1.3.11-2 > amd64 Trivial Database - shared library > ii libtevent-dev:amd64 0.9.31-1 > amd64 talloc-based event loop library - development > files > ii libtevent0:amd64 0.9.31-1 > amd64 talloc-based event loop library - shared library > ii libwbclient0:amd64 2:4.5.8+dfsg-2 > amd64 Samba winbind client library > ii openssh-client 1:7.4p1-10 > amd64 secure shell (SSH) client, for secure access to > remote machines > ii openssh-server 1:7.4p1-10 > amd64 secure shell (SSH) server, for secure access from > remote machines > ii openssh-sftp-server 1:7.4p1-10 > amd64 secure shell (SSH) sftp server module, for SFTP > access from remote machines > ii openssl 1.1.0f-3 > amd64 Secure Sockets Layer toolkit - cryptographic > utility > ii perl-openssl-defaults:amd64 3 > amd64 version compatibility baseline for Perl OpenSSL > packages > ii python-ldb 2:1.1.27-1+b1 > amd64 Python bindings for LDB > ii python-ldb-dev:amd64 2:1.1.27-1+b1 > amd64 LDB Python bindings - development files > ii python-samba 2:4.5.8+dfsg-2 > amd64 Python bindings for Samba > ii python-talloc 2.1.8-1 > amd64 hierarchical pool based memory allocator - Python > bindings > ii python-talloc-dev 2.1.8-1 > amd64 talloc Python bindings - development files > ii python-tdb 1.3.11-2 > amd64 Python bindings for TDB > ii samba 2:4.5.8+dfsg-2 > amd64 SMB/CIFS file, print, and login server for Unix > ii samba-common 2:4.5.8+dfsg-2 > all common files used by both the Samba server and > client > ii samba-common-bin 2:4.5.8+dfsg-2 > amd64 Samba common files used by both the server and > the client > ii samba-dsdb-modules 2:4.5.8+dfsg-2 > amd64 Samba Directory Services Database > ii samba-libs:amd64 2:4.5.8+dfsg-2 > amd64 Samba core libraries > ii samba-vfs-modules 2:4.5.8+dfsg-2 > amd64 Samba Virtual FileSystem plugins > ii tdb-tools 1.3.11-2 > amd64 Trivial Database - bundled binaries > ii winbind 2:4.5.8+dfsg-2 > amd64 service to resolve user and group informationAre you using ctdb ? If not : dpkg --purge ctdb Are you using sssd ? If not : dpkg --purge libnss-sss And if not : libsss-nss-idmap0 is installed, remove it.> from Windows NT servers > ----------------------------- > IDMAP : no static resolution > ~# cat /etc/idmapd.conf > [General] > > Verbosity = 0 > Pipefs-Directory = /run/rpc_pipefs > # set your own domain here, if id differs from FQDN minus > hostname # Domain = localdomain Domain = > net.lyc-guillaume-fichet.ac-grenoble.fr > > [Mapping] > > Nobody-User = nobody > Nobody-Group = nogroup > > [Translation] > > Method = static,nsswitch > > [Static]If you dont have [Static] definitons, change : Method = nsswitch For you NFS, create an entry root/SPN export that one, place it in /etc/krb5.keytab Or use the [Static] But first fix ad, we can do this bit later on.> ----------------------------- > SAMBA VERSION CHANGE IN JESSIE. > > You asked me about the two "forced" upgrade in Debian Jessie > due to security patch that can't be applied to the Samba > stable version. > At start Debian Jessie was shipped with Samba-4.1 (maybe 4.1.17). > 1) After some important CVE patch that can't be applied to > 4.1 Debian team changed the Samba version to 4.2.10 > 2) But this version introduce some regressions that are > corrected again changing the samba version to 4.2.14. > -----------------------------> > > Thank again !!! > > Just a supposition. As my "/var/lib/samba/private/secrets.keytab" > become "corrupted". Maybe there is similar problems in > "/var/lib/samba/private/secrets.tdb" no ? > > Where are stored the information needed by "samba-tool domain > exportkeytab" ?I dont understand this question. What i know is only this : https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/tdb.html But i suspect that is out dated info.> > > Baptiste. >Go try the changes and report back. Greetz, Louis
Rowland Penny
2017-Jun-21 11:20 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
On Wed, 21 Jun 2017 12:41:52 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:> Hai, > > Before you start, > > Backup, /etc/ /var/lib/samba better safe than sorry.. > > Stop samba and related services ( check it at least nmbd smbd winbind > samba samba-ad-dc) >> > Well here is a choice, i preffer to keep the debian settings, which > would be : ( and yes Rowland i know.. ;-) domain/search ) > domain net.lyc-guillaume-fichet.ac-grenoble.fr > search net.lyc-guillaume-fichet.ac-grenoble.fr > nameserver 172.16.0.20 >This wouldn't be the first stupid thing that Debian has done ;-) From 'man resolv.conf' : The domain and search keywords are mutually exclusive. If more than one instance of these keywords is present, the last instance wins. So there is absolutely no point in adding the domain line, but you go ahead and add it Louis, it is after all your computer ;-)> > > > hosts: files mdns4_minimal [NOTFOUND=return] dns > This can cause problems, change to : > hosts: files dns mdns4_minimal [NOTFOUND=return] > ( or remove avahi-daemon and remove the part mdns4.. [NOT.. )Totally agree, this should be changed and if you are forced to use '.local' you definitely should remove Avahi.> > KEYTABS > > I have now have three version of the machine keytab. Each one > > was put in /var/lib/samba/private/secrets.keytab but never > > solve the problem.OK, /etc/krb5.keytab != /var/lib/samba/private/secrets.keytab They are used for different things, so unless you have something that requires /etc/krb5.keytab, you can remove it. Not sure if this help, but you could try checking the 'msDS-SupportedEncryptionTypes' attribute of your computers in AD. Rowland
L.P.H. van Belle
2017-Jun-21 12:08 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Bit off topic.
*(debian Stretch)
man systemd-networkd
man systemd.network
Domains A list of domains which should be resolved using the
DNS servers on this link. Each item in the list should be a domain name,
optionally prefixed with a tilde ("~"). The domains with the
prefix are called "routing-only domains". The domains
without the prefix are called "search domains" and are first used as
search suffixes for extending single-label host names (host names
containing no dots) to become fully qualified domain names (FQDNs).
If a single-label host name is resolved on this interface, each of the specified
search domains are appended to it in
turn, converting it into a fully qualified domain name, until one of
them may be successfully resolved.
Both "search" and "routing-only" domains are used
for routing of DNS queries: look-ups for host names ending in those domains
(hence also single label names, if any "search domains" are
listed), are routed to the DNS servers configured for this interface.
The domain routing logic is particularly useful on multi-homed hosts with DNS
servers serving particular private DNS
zones on each interface.
The "routing-only" domain "~." (the tilde
indicating definition of a routing domain, the dot referring to the DNS root
domain which is the implied suffix of all valid DNS names) has special
effect. It causes all DNS traffic which does not match another
configured domain routing entry to be routed to DNS servers specified for this
interface. This setting is useful to prefer a
certain set of DNS servers if a link on which they are connected is
available.
This setting is read by systemd-resolved.service(8). "Search
domains" correspond to the domain and search entries in resolv.conf(5).
Domain name routing has no equivalent in the traditional
glibc API, which has no concept of domain name servers limited to a
specific link.
And
UseDomains Takes a boolean argument, or the special value
"route". When true, the domain name received from the DHCP server will
be used as DNS search domain over this link, similar to the effect of
the Domains= setting. If set to "route", the domain name
received from the DHCP server will be used for routing DNS queries only, but not
for searching, similar to the effect of the Domains setting when the
argument is prefixed with "~". Defaults to false.
It is recommended to enable this option only on trusted networks, as
setting this affects resolution of all host names, in particular of single-label
names. It is generally safer to use the
supplied domain only as routing domain, rather than as search domain,
in order to not have it affect local resolution of single-label names.
When set to true, this setting corresponds to the 'domain'
option in resolv.conf(5).
Even if they are mutally exclusive, some programs look for the
"domain" setting and not search.
And understand me right.. , its not that i want to be right here, that i dont
care.
Im just saying, that if the system installer puts in both, keep both and debian
uses both..
That the only reason to keep both in resolv.conf ( for debian then ).
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Rowland Penny via samba
> Verzonden: woensdag 21 juni 2017 13:20
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] DRS stopped working after upgrade from
> debian Jessie to Stretch
>
> On Wed, 21 Jun 2017 12:41:52 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
>
> > Hai,
> >
> > Before you start,
> >
> > Backup, /etc/ /var/lib/samba better safe than sorry..
> >
> > Stop samba and related services ( check it at least nmbd
> smbd winbind
> > samba samba-ad-dc)
> >
>
> >
> > Well here is a choice, i preffer to keep the debian settings, which
> > would be : ( and yes Rowland i know.. ;-) domain/search ) domain
> > net.lyc-guillaume-fichet.ac-grenoble.fr
> > search net.lyc-guillaume-fichet.ac-grenoble.fr
> > nameserver 172.16.0.20
> >
>
> This wouldn't be the first stupid thing that Debian has done ;-)
>
> From 'man resolv.conf' :
>
> The domain and search keywords are mutually exclusive.
> If more than one instance of these keywords is
> present, the last instance wins.
>
> So there is absolutely no point in adding the domain line,
> but you go ahead and add it Louis, it is after all your computer ;-)
>
> > >
> > > hosts: files mdns4_minimal [NOTFOUND=return] dns
> > This can cause problems, change to :
> > hosts: files dns mdns4_minimal [NOTFOUND=return]
> > ( or remove avahi-daemon and remove the part mdns4.. [NOT.. )
>
> Totally agree, this should be changed and if you are forced
> to use '.local' you definitely should remove Avahi.
>
> > > KEYTABS
> > > I have now have three version of the machine keytab. Each one was
> > > put in /var/lib/samba/private/secrets.keytab but never solve the
> > > problem.
>
> OK, /etc/krb5.keytab != /var/lib/samba/private/secrets.keytab
>
> They are used for different things, so unless you have
> something that requires /etc/krb5.keytab, you can remove it.
>
> Not sure if this help, but you could try checking the
> 'msDS-SupportedEncryptionTypes' attribute of your computers in AD.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Possibly Parallel Threads
- DRS stopped working after upgrade from debian Jessie to Stretch
- DRS stopped working after upgrade from debian Jessie to Stretch
- DRS stopped working after upgrade from debian Jessie to Stretch
- DRS stopped working after upgrade from debian Jessie to Stretch
- DRS stopped working after upgrade from debian Jessie to Stretch