Mike Lykov
2017-Jun-21 08:02 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
21.06.2017 11:45, L.P.H. van Belle via samba wrote:
> I suggest before you upgrade do a very good read here.
>
> https://wiki.samba.org/index.php/Updating_Samba#Notable_Enhancements_and_Changes
>
> https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release)
> And a summarized version with all parameter changes as of the upgrade from 4.2 up to 4.6
> http://downloads.van-belle.nl/samba4/Upgrade-info.txt
> Same as the wiki links but with just the parameter changes summarized.

I know that there is a lot of work (like this in particular). I am thinking of creating a test domain on 4.6 with 1-2 desktops to ensure a working configuration, but maybe there are some side effects like in the OP's case..

--
Administrator
Prunk Dump
2017-Jun-21 09:57 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
First, thank you very much, all of you, for studying my problem !!!
I've been using Samba (with Debian) for 5 years now with very good results! My network now has 3 Samba DCs, nearly 150 Debian Jessie domain members, and nearly 250 Windows 7 members. Fortunately it's a high school network and the students are now on vacation. But my network is now completely down, as machine account authentication doesn't work on the DC (I have checked, NFSv4 doesn't work anymore).
So first, here are the problems I had to correct after the upgrade to Stretch:
-> The services configuration was not preserved. nmbd, smbd and winbind were started after the upgrade. I had to disable them with systemctl and re-enable samba-ad-dc.
-> Bind9 DLZ doesn't work because it loads the wrong library "dlz_bind9_9.so". I had to change it to "dlz_bind9_10.so" in the config file. But that is normal.
Next, my system information:
Next my system informations :
-----------------------------
HOSTS : Ignore the "puppet" entry. I use puppet to configure all my DCs and all my Linux clients, but it's currently disabled during the update.
~# cat /etc/hosts
127.0.0.1 localhost
172.16.0.20 fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr fichdc
172.16.0.20 puppet.net.lyc-guillaume-fichet.ac-grenoble.fr puppet
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------------------------
NAME RESOLUTION : 172.16.0.20 is the IP of fichdc. DNS seems to work perfectly. I have done all the Samba Guide troubleshooting tests.
~# cat /etc/resolv.conf
domain net.lyc-guillaume-fichet.ac-grenoble.fr
nameserver 172.16.0.20
-----------------------------
WINBIND : winbind works perfectly on the DC, and winbind-nsswitch too.
~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
sudoers: files sss
-----------------------------
KERBEROS
~# ls -al /etc/krb5.conf
lrwxrwxrwx 1 root root 32 juin 30 2015 /etc/krb5.conf -> /var/lib/samba/private/krb5.conf
~# cat /var/lib/samba/private/krb5.conf
[libdefaults]
default_realm = NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
dns_lookup_realm = false
dns_lookup_kdc = true
-----------------------------
KEYTABS
I now have three versions of the machine keytab. Each one was put in /var/lib/samba/private/secrets.keytab, but none of them solved the problem.
-> The one generated before the upgrade. kinit still works with it:
~# klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
root@fichdc:~# kinit -k -t /etc/krb5.keytab FICHDC$
-> The one located in /var/lib/samba/private/secrets.keytab. kinit does NOT work with it:
~# klist -e -k /var/lib/samba/private/secrets.keytab
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
   1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
   1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
~# kinit -k -t /var/lib/samba/private/secrets.keytab FICHDC$
kinit: Preauthentication failed while getting initial credentials
-> The one generated with "samba-tool domain exportkeytab" after the upgrade. kinit works:
~# klist -e -k ./keytab_back/secrets.keytab
Keytab name: FILE:./keytab_back/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   2 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   2 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   2 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
   2 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   2 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
~# kinit -k -t ./keytab_back/secrets.keytab FICHDC$
-----------------------------
DRS VAN-BELLE TEST !! Sadly the LDAP connection doesn't work between the DCs.
~/samba_test_script# ./samba-check-db-repl.sh
No password for user FICHNET\Administrator was set in this script!
Please enter the password for FICHNET\Administrator :
Running with with console output
Checking the DC_With_FSMO (fichdc) with SAMBA DC:
fichds02.net.lyc-guillaume-fichet.ac-grenoble.fr
fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
Running : /usr/bin/samba-tool ldapcmp --filter='whenChanged,dc,cn' ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr ldap://fichds02.net.lyc-guillaume-fichet.ac-grenoble.fr
Please wait.. this can take a while..
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
Failed to connect to 'ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
ERROR(ldb): uncaught exception - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 962, in run
    outf=self.outf, errf=self.errf)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 64, in __init__
    options=ldb_options)
  File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
Running : /usr/bin/samba-tool ldapcmp --filter='whenChanged,dc,cn' ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr ldap://fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
Please wait.. this can take a while..
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
Failed to connect to 'ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
ERROR(ldb): uncaught exception - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 962, in run
    outf=self.outf, errf=self.errf)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 64, in __init__
    options=ldb_options)
  File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
.. Next check..
Running : samba-tool drs showrepl
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:172.16.0.20[1024,seal,target_hostname=fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20] NT_STATUS_LOGON_FAILURE
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr failed - drsException: DRS connection to fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr failed: (-1073741715, 'Logon failure')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 41, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
successes don't match
successes don't match
-----------------------------
SAMBA CONFIG : a very classic smb.conf, but not regenerated since Samba 4.1. I use DFS with success.
~# cat /etc/samba/smb.conf
# Global parameters
[global]
netbios aliases = sambaaccount sambaaccount.net.lyc-guillaume-fichet.ac-grenoble.fr
load printers = yes
workgroup = FICHNET
realm = NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
netbios name = FICHDC
interfaces = lo, eth0
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/net.lyc-guillaume-fichet.ac-grenoble.fr/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
include = /etc/samba/s4_shares.conf
include = /etc/samba/s4_printers.conf
~# cat /etc/samba/s4_shares.conf
[profiles_local]
path = /fichsamba/smbprofile
read only = No
browseable = No
[profiles]
path = /srv/dfs/profiles
read only = No
msdfs root = yes
[homes_local]
path = /fichsamba/smbhome
read only = No
browseable = No
[homes]
path = /srv/dfs/homes
read only = No
msdfs root = yes
~# cat /etc/samba/s4_printers.conf
[printers]
path = /var/spool/samba
printable = yes
printing = CUPS
[print$]
path = /srv/samba/Printer_drivers
comment = Printer Drivers
writeable = yes
-----------------------------
SAMBA PACKAGES :
~# apt-cache policy samba-dsdb-modules
samba-dsdb-modules:
Installé : 2:4.5.8+dfsg-2
Candidat : 2:4.5.8+dfsg-2
Table de version :
*** 2:4.5.8+dfsg-2 500
500 http://ftp.fr.debian.org/debian stretch/main amd64 Packages
100 /var/lib/dpkg/status
~# dpkg -l | egrep "samba|?mbd|winbind|nss|talloc|tevent|tdb|ldb"
rc  ctdb                        2.5.4+debian0-4+deb8u1                amd64  clustered database to store temporary data
ii  insserv                     1.14.0-5.4+b1                         amd64  boot sequence organizer using LSB init.d script dependency information
ii  ldb-tools                   2:1.1.27-1+b1                         amd64  LDAP-like embedded database - tools
rc  libapache2-mod-dnssd        0.6-3.1                               amd64  Zeroconf support for Apache 2 via avahi
ii  libgmpxx4ldbl:amd64         2:6.1.2+dfsg-1                        amd64  Multiprecision arithmetic library (C++ bindings)
ii  libgnutls-openssl27:amd64   3.5.8-5+deb9u1                        amd64  GNU TLS library - OpenSSL wrapper
rc  libgsl0ldbl                 1.16+dfsg-2                           amd64  GNU Scientific Library (GSL) -- library package
ii  libhsqldb1.8.0-java         1.8.0.10+dfsg-7                       all    Java SQL database engine
ii  libjansson4:amd64           2.9-1                                 amd64  C library for encoding, decoding and manipulating JSON data
ii  libldb-dev:amd64            2:1.1.27-1+b1                         amd64  LDAP-like embedded database - development files
ii  libldb1:amd64               2:1.1.27-1+b1                         amd64  LDAP-like embedded database - shared library
ii  libnss-mdns:amd64           0.10-8                                amd64  NSS module for Multicast DNS name resolution
rc  libnss-myhostname:amd64     0.3-9                                 amd64  nss module providing fallback resolution for the current hostname
rc  libnss-sss:amd64            1.11.7-3                              amd64  Nss library for the System Security Services Daemon
ii  libnss-winbind:amd64        2:4.5.8+dfsg-2                        amd64  Samba nameservice integration plugins
ii  libnss3:amd64               2:3.26.2-1.1                          amd64  Network Security Service libraries
ii  libntdb-dev                 1.0-9+b1                              amd64  New Trivial Database - development files
ii  libntdb1:amd64              1.0-9+b1                              amd64  New Trivial Database - shared library
rc  libqtdbus4:amd64            4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1  amd64  Qt 4 D-Bus module library
ii  libreoffice-sdbc-hsqldb     1:5.2.7-1                             amd64  HSQLDB SDBC driver for LibreOffice
ii  libsss-nss-idmap0           1.15.0-3                              amd64  SID based lookups library for SSSD
ii  libtalloc-dev               2.1.8-1                               amd64  hierarchical pool based memory allocator - development files
ii  libtalloc2:amd64            2.1.8-1                               amd64  hierarchical pool based memory allocator
ii  libtdb-dev:amd64            1.3.11-2                              amd64  Trivial Database - development files
ii  libtdb1:amd64               1.3.11-2                              amd64  Trivial Database - shared library
ii  libtevent-dev:amd64         0.9.31-1                              amd64  talloc-based event loop library - development files
ii  libtevent0:amd64            0.9.31-1                              amd64  talloc-based event loop library - shared library
ii  libwbclient0:amd64          2:4.5.8+dfsg-2                        amd64  Samba winbind client library
ii  openssh-client              1:7.4p1-10                            amd64  secure shell (SSH) client, for secure access to remote machines
ii  openssh-server              1:7.4p1-10                            amd64  secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server         1:7.4p1-10                            amd64  secure shell (SSH) sftp server module, for SFTP access from remote machines
ii  openssl                     1.1.0f-3                              amd64  Secure Sockets Layer toolkit - cryptographic utility
ii  perl-openssl-defaults:amd64 3                                     amd64  version compatibility baseline for Perl OpenSSL packages
ii  python-ldb                  2:1.1.27-1+b1                         amd64  Python bindings for LDB
ii  python-ldb-dev:amd64        2:1.1.27-1+b1                         amd64  LDB Python bindings - development files
ii  python-samba                2:4.5.8+dfsg-2                        amd64  Python bindings for Samba
ii  python-talloc               2.1.8-1                               amd64  hierarchical pool based memory allocator - Python bindings
ii  python-talloc-dev           2.1.8-1                               amd64  talloc Python bindings - development files
ii  python-tdb                  1.3.11-2                              amd64  Python bindings for TDB
ii  samba                       2:4.5.8+dfsg-2                        amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common                2:4.5.8+dfsg-2                        all    common files used by both the Samba server and client
ii  samba-common-bin            2:4.5.8+dfsg-2                        amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules          2:4.5.8+dfsg-2                        amd64  Samba Directory Services Database
ii  samba-libs:amd64            2:4.5.8+dfsg-2                        amd64  Samba core libraries
ii  samba-vfs-modules           2:4.5.8+dfsg-2                        amd64  Samba Virtual FileSystem plugins
ii  tdb-tools                   1.3.11-2                              amd64  Trivial Database - bundled binaries
ii  winbind                     2:4.5.8+dfsg-2                        amd64  service to resolve user and group information from Windows NT servers
-----------------------------
IDMAP : no static resolution
~# cat /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain
Domain = net.lyc-guillaume-fichet.ac-grenoble.fr
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = static,nsswitch
[Static]
-----------------------------
SAMBA VERSION CHANGE IN JESSIE.
You asked me about the two "forced" upgrades in Debian Jessie due to security patches that couldn't be applied to the Samba stable version.
At the start, Debian Jessie shipped with Samba 4.1 (maybe 4.1.17).
1) After some important CVE patches that couldn't be applied to 4.1, the Debian team changed the Samba version to 4.2.10.
2) But this version introduced some regressions, which were corrected by changing the Samba version again, to 4.2.14.
-----------------------------
Thanks again !!!
Just a supposition. As my "/var/lib/samba/private/secrets.keytab" became "corrupted", maybe there are similar problems in "/var/lib/samba/private/secrets.tdb", no?
Where is the information needed by "samba-tool domain exportkeytab" stored?
Baptiste.
L.P.H. van Belle
2017-Jun-21 10:41 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Hai,

Before you start, Backup, /etc/ /var/lib/samba better safe than sorry..
Stop samba and related services ( check it at least nmbd smbd winbind samba samba-ad-dc)

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Prunk Dump via samba
> Sent: Wednesday 21 June 2017 11:57
> To: samba@lists.samba.org
> Subject: Re: [Samba] DRS stopped working after upgrade from debian Jessie to Stretch
>
> [...]
> HOSTS : Ignore the "puppet" entry. I use puppet to configure all my DCs and all my Linux clients, but it's currently disabled during the update.
> ~# cat /etc/hosts
> 127.0.0.1 localhost
> 172.16.0.20 fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr fichdc
> 172.16.0.20 puppet.net.lyc-guillaume-fichet.ac-grenoble.fr puppet

( better would be, create a CNAME in the dns and point that to the DC name )
For now, i also suggest, you change this to :

/etc/hosts
127.0.0.1 localhost
172.16.0.20 fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr puppet.net.lyc-guillaume-fichet.ac-grenoble.fr fichdc puppet

We need to make sure the real hostname always matches the kerberos/dns hostnames.

> NAME RESOLUTION : 172.16.0.20 is the IP of fichdc. DNS seems to work perfectly. I have done all the Samba Guide troubleshooting tests.
> ~# cat /etc/resolv.conf
> domain net.lyc-guillaume-fichet.ac-grenoble.fr
> nameserver 172.16.0.20

Well here is a choice, i prefer to keep the debian settings, which would be : ( and yes Rowland i know.. ;-) domain/search )

domain net.lyc-guillaume-fichet.ac-grenoble.fr
search net.lyc-guillaume-fichet.ac-grenoble.fr
nameserver 172.16.0.20

> WINBIND : winbind works perfectly on the DC, and winbind-nsswitch too.
> ~# cat /etc/nsswitch.conf
> [...]
> hosts: files mdns4_minimal [NOTFOUND=return] dns

This can cause problems, change to :
hosts: files dns mdns4_minimal [NOTFOUND=return]
( or remove avahi-daemon and remove the part mdns4.. [NOT.. )

> KEYTABS
> I now have three versions of the machine keytab. Each one was put in /var/lib/samba/private/secrets.keytab, but none of them solved the problem.
>
> -> The one generated before the upgrade. kinit still works with it:
> ~# klist -e -k /etc/krb5.keytab
> [...]
> root@fichdc:~# kinit -k -t /etc/krb5.keytab FICHDC$

Ok, this one, remove all non-nfs entries.
ktutil
rkt /etc/krb5.keytab
list ( check the line numbers )
delent linnr
wkt /etc/krb5.keytab

> -> The one located in /var/lib/samba/private/secrets.keytab. kinit does NOT work with it:
> ~# klist -e -k /var/lib/samba/private/secrets.keytab
> [...]
> ~# kinit -k -t /var/lib/samba/private/secrets.keytab FICHDC$
> kinit: Preauthentication failed while getting initial credentials

Backup the old /var/lib/samba/private/secrets.keytab
The one below here that works, place that one back.
! MAKE SURE YOU HAVE YOUR BACKUPS!

> -> The one generated with "samba-tool domain exportkeytab" after the upgrade. kinit works:
> ~# klist -e -k ./keytab_back/secrets.keytab
> [...]
> ~# kinit -k -t ./keytab_back/secrets.keytab FICHDC$
> -----------------------------
> DRS VAN-BELLE TEST !! Sadly the LDAP connection doesn't work between the DCs.

That is because the ad isnt started fully.

> ~/samba_test_script# ./samba-check-db-repl.sh
> [...]
> -----------------------------
> SAMBA CONFIG : a very classic smb.conf, but not regenerated since Samba 4.1. I use DFS with success.

I did read somewhere you used bind9_DLZ? If thats correct, then your smb.conf is not.
Then change this line (server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate) to :
server services = -dns

> ~# cat /etc/samba/smb.conf
> [...]
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No

For now disable these includes, first make sure everything starts working again.

> include = /etc/samba/s4_shares.conf
> include = /etc/samba/s4_printers.conf
> [...]
development files > ii libtdb1:amd64 1.3.11-2 > amd64 Trivial Database - shared library > ii libtevent-dev:amd64 0.9.31-1 > amd64 talloc-based event loop library - development > files > ii libtevent0:amd64 0.9.31-1 > amd64 talloc-based event loop library - shared library > ii libwbclient0:amd64 2:4.5.8+dfsg-2 > amd64 Samba winbind client library > ii openssh-client 1:7.4p1-10 > amd64 secure shell (SSH) client, for secure access to > remote machines > ii openssh-server 1:7.4p1-10 > amd64 secure shell (SSH) server, for secure access from > remote machines > ii openssh-sftp-server 1:7.4p1-10 > amd64 secure shell (SSH) sftp server module, for SFTP > access from remote machines > ii openssl 1.1.0f-3 > amd64 Secure Sockets Layer toolkit - cryptographic > utility > ii perl-openssl-defaults:amd64 3 > amd64 version compatibility baseline for Perl OpenSSL > packages > ii python-ldb 2:1.1.27-1+b1 > amd64 Python bindings for LDB > ii python-ldb-dev:amd64 2:1.1.27-1+b1 > amd64 LDB Python bindings - development files > ii python-samba 2:4.5.8+dfsg-2 > amd64 Python bindings for Samba > ii python-talloc 2.1.8-1 > amd64 hierarchical pool based memory allocator - Python > bindings > ii python-talloc-dev 2.1.8-1 > amd64 talloc Python bindings - development files > ii python-tdb 1.3.11-2 > amd64 Python bindings for TDB > ii samba 2:4.5.8+dfsg-2 > amd64 SMB/CIFS file, print, and login server for Unix > ii samba-common 2:4.5.8+dfsg-2 > all common files used by both the Samba server and > client > ii samba-common-bin 2:4.5.8+dfsg-2 > amd64 Samba common files used by both the server and > the client > ii samba-dsdb-modules 2:4.5.8+dfsg-2 > amd64 Samba Directory Services Database > ii samba-libs:amd64 2:4.5.8+dfsg-2 > amd64 Samba core libraries > ii samba-vfs-modules 2:4.5.8+dfsg-2 > amd64 Samba Virtual FileSystem plugins > ii tdb-tools 1.3.11-2 > amd64 Trivial Database - bundled binaries > ii winbind 2:4.5.8+dfsg-2 > amd64 service to resolve user and group informationAre you using ctdb ? 
If not : dpkg --purge ctdb Are you using sssd ? If not : dpkg --purge libnss-sss And if not : libsss-nss-idmap0 is installed, remove it.> from Windows NT servers > ----------------------------- > IDMAP : no static resolution > ~# cat /etc/idmapd.conf > [General] > > Verbosity = 0 > Pipefs-Directory = /run/rpc_pipefs > # set your own domain here, if id differs from FQDN minus > hostname # Domain = localdomain Domain = > net.lyc-guillaume-fichet.ac-grenoble.fr > > [Mapping] > > Nobody-User = nobody > Nobody-Group = nogroup > > [Translation] > > Method = static,nsswitch > > [Static]If you dont have [Static] definitons, change : Method = nsswitch For you NFS, create an entry root/SPN export that one, place it in /etc/krb5.keytab Or use the [Static] But first fix ad, we can do this bit later on.> ----------------------------- > SAMBA VERSION CHANGE IN JESSIE. > > You asked me about the two "forced" upgrade in Debian Jessie > due to security patch that can't be applied to the Samba > stable version. > At start Debian Jessie was shipped with Samba-4.1 (maybe 4.1.17). > 1) After some important CVE patch that can't be applied to > 4.1 Debian team changed the Samba version to 4.2.10 > 2) But this version introduce some regressions that are > corrected again changing the samba version to 4.2.14. > -----------------------------> > > Thank again !!! > > Just a supposition. As my "/var/lib/samba/private/secrets.keytab" > become "corrupted". Maybe there is similar problems in > "/var/lib/samba/private/secrets.tdb" no ? > > Where are stored the information needed by "samba-tool domain > exportkeytab" ?I dont understand this question. What i know is only this : https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/tdb.html But i suspect that is out dated info.> > > Baptiste. >Go try the changes and report back. Greetz, Louis
Rowland Penny
2017-Jun-21 11:20 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
On Wed, 21 Jun 2017 12:41:52 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> Before you start,
>
> Backup, /etc/ /var/lib/samba better safe than sorry..
>
> Stop samba and related services ( check it at least nmbd smbd winbind
> samba samba-ad-dc)
>

>
> Well here is a choice, i prefer to keep the debian settings, which
> would be : ( and yes Rowland i know.. ;-) domain/search )
> domain net.lyc-guillaume-fichet.ac-grenoble.fr
> search net.lyc-guillaume-fichet.ac-grenoble.fr
> nameserver 172.16.0.20
>

This wouldn't be the first stupid thing that Debian has done ;-)

From 'man resolv.conf' :

The domain and search keywords are mutually exclusive. If more than one
instance of these keywords is present, the last instance wins.

So there is absolutely no point in adding the domain line, but you go
ahead and add it Louis, it is after all your computer ;-)

> >
> > hosts: files mdns4_minimal [NOTFOUND=return] dns
> This can cause problems, change to :
> hosts: files dns mdns4_minimal [NOTFOUND=return]
> ( or remove avahi-daemon and remove the part mdns4.. [NOT.. )

Totally agree, this should be changed and if you are forced to use
'.local' you definitely should remove Avahi.

> > KEYTABS
> > I now have three versions of the machine keytab. Each one
> > was put in /var/lib/samba/private/secrets.keytab but never
> > solved the problem.

OK, /etc/krb5.keytab != /var/lib/samba/private/secrets.keytab

They are used for different things, so unless you have something that
requires /etc/krb5.keytab, you can remove it.

Not sure if this helps, but you could try checking the
'msDS-SupportedEncryptionTypes' attribute of your computers in AD.

Rowland
L.P.H. van Belle
2017-Jun-21 12:08 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Bit off topic.
*(debian Stretch)
man systemd-networkd
man systemd.network
Domains A list of domains which should be resolved using the
DNS servers on this link. Each item in the list should be a domain name,
optionally prefixed with a tilde ("~"). The domains with the
prefix are called "routing-only domains". The domains
without the prefix are called "search domains" and are first used as
search suffixes for extending single-label host names (host names
containing no dots) to become fully qualified domain names (FQDNs).
If a single-label host name is resolved on this interface, each of the specified
search domains are appended to it in
turn, converting it into a fully qualified domain name, until one of
them may be successfully resolved.
Both "search" and "routing-only" domains are used
for routing of DNS queries: look-ups for host names ending in those domains
(hence also single label names, if any "search domains" are
listed), are routed to the DNS servers configured for this interface.
The domain routing logic is particularly useful on multi-homed hosts with DNS
servers serving particular private DNS
zones on each interface.
The "routing-only" domain "~." (the tilde
indicating definition of a routing domain, the dot referring to the DNS root
domain which is the implied suffix of all valid DNS names) has special
effect. It causes all DNS traffic which does not match another
configured domain routing entry to be routed to DNS servers specified for this
interface. This setting is useful to prefer a
certain set of DNS servers if a link on which they are connected is
available.
This setting is read by systemd-resolved.service(8). "Search
domains" correspond to the domain and search entries in resolv.conf(5).
Domain name routing has no equivalent in the traditional
glibc API, which has no concept of domain name servers limited to a
specific link.
And
UseDomains Takes a boolean argument, or the special value
"route". When true, the domain name received from the DHCP server will
be used as DNS search domain over this link, similar to the effect of
the Domains= setting. If set to "route", the domain name
received from the DHCP server will be used for routing DNS queries only, but not
for searching, similar to the effect of the Domains setting when the
argument is prefixed with "~". Defaults to false.
It is recommended to enable this option only on trusted networks, as
setting this affects resolution of all host names, in particular of single-label
names. It is generally safer to use the
supplied domain only as routing domain, rather than as search domain,
in order to not have it affect local resolution of single-label names.
When set to true, this setting corresponds to the 'domain'
option in resolv.conf(5).
Even if they are mutually exclusive, some programs look for the
"domain" setting and not "search".
And understand me right.. , it's not that I want to be right here, or that I don't
care.
I'm just saying that if the system installer puts in both, keep both; Debian
uses both..
That's the only reason to keep both in resolv.conf ( for Debian, then ).
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday 21 June 2017 13:20
> To: samba at lists.samba.org
> Subject: Re: [Samba] DRS stopped working after upgrade from
> debian Jessie to Stretch
>
> On Wed, 21 Jun 2017 12:41:52 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hai,
> >
> > Before you start,
> >
> > Backup, /etc/ /var/lib/samba better safe than sorry..
> >
> > Stop samba and related services ( check it at least nmbd
> smbd winbind
> > samba samba-ad-dc)
> >
>
> >
> > Well here is a choice, i prefer to keep the debian settings, which
> > would be : ( and yes Rowland i know.. ;-) domain/search ) domain
> > net.lyc-guillaume-fichet.ac-grenoble.fr
> > search net.lyc-guillaume-fichet.ac-grenoble.fr
> > nameserver 172.16.0.20
> >
>
> This wouldn't be the first stupid thing that Debian has done ;-)
>
> From 'man resolv.conf' :
>
> The domain and search keywords are mutually exclusive.
> If more than one instance of these keywords is
> present, the last instance wins.
>
> So there is absolutely no point in adding the domain line,
> but you go ahead and add it Louis, it is after all your computer ;-)
>
> > >
> > > hosts: files mdns4_minimal [NOTFOUND=return] dns
> > This can cause problems, change to :
> > hosts: files dns mdns4_minimal [NOTFOUND=return]
> > ( or remove avahi-daemon and remove the part mdns4.. [NOT.. )
>
> Totally agree, this should be changed and if you are forced
> to use '.local' you definitely should remove Avahi.
>
> > > KEYTABS
> > > I now have three versions of the machine keytab. Each one was
> > > put in /var/lib/samba/private/secrets.keytab but never solved the
> > > problem.
>
> OK, /etc/krb5.keytab != /var/lib/samba/private/secrets.keytab
>
> They are used for different things, so unless you have
> something that requires /etc/krb5.keytab, you can remove it.
>
> Not sure if this helps, but you could try checking the
> 'msDS-SupportedEncryptionTypes' attribute of your computers in AD.
>
> Rowland
>
>
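The two resolver rules argued over in this thread, glibc's resolv.conf handling (domain and search are mutually exclusive, last instance wins) and systemd.network's Domains= syntax (a "~" prefix marks a routing-only domain), modelled as an added example; this is not code from the thread or from any of its participants, and the sample resolv.conf is constructed to mirror the one under discussion.

```python
from typing import Dict, List, Tuple

# Constructed sample mirroring the resolv.conf discussed in the thread.
SAMPLE_RESOLV_CONF = """\
domain net.lyc-guillaume-fichet.ac-grenoble.fr
search net.lyc-guillaume-fichet.ac-grenoble.fr
nameserver 172.16.0.20
"""


def parse_resolv_conf(text: str) -> Dict[str, List[str]]:
    """Model glibc's resolv.conf rules: 'domain' and 'search' both set the
    search list and are mutually exclusive; whichever appears last wins."""
    cfg: Dict[str, List[str]] = {"nameservers": [], "search": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            cfg["nameservers"].append(args[0])
        elif key == "domain" and args:
            cfg["search"] = [args[0]]      # replaced by any later 'search'
        elif key == "search":
            cfg["search"] = list(args)     # replaced by any later 'domain'
    return cfg


def lookup_candidates(name: str, search: List[str]) -> List[str]:
    """Names the resolver will try (default ndots:1): a single-label name
    gets each search domain appended in turn; a dotted or absolute name is
    tried as given."""
    if name.endswith(".") or "." in name:
        return [name]
    return [f"{name}.{d}" for d in search]


def split_systemd_domains(value: str) -> Tuple[List[str], List[str]]:
    """Split a systemd.network Domains= value into (search, routing-only):
    a '~' prefix marks a routing-only domain, and '~.' routes everything."""
    search: List[str] = []
    routing: List[str] = []
    for item in value.split():
        (routing if item.startswith("~") else search).append(item.lstrip("~"))
    return search, routing


if __name__ == "__main__":
    cfg = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("effective search list:", cfg["search"])   # one entry, not two
    print("fichdc ->", lookup_candidates("fichdc", cfg["search"]))
    print(split_systemd_domains("net.lyc-guillaume-fichet.ac-grenoble.fr ~."))
```

With both a domain and a search line naming the same suffix, the effective search list has one entry either way, which is the point Rowland makes above.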