Prunk Dump
2017-Jun-21 17:54 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
2017-06-21 14:29 GMT+02:00 Prunk Dump <prunkdump at gmail.com>:
> Thank you very much Louis, Rowland, Mike !
>
> I have made all the changes proposed by Louis but still have the same problem.
>
> -> kinit works now with /var/lib/samba/private/secrets.keytab
> ------------------------
> ~# kinit -k -t /var/lib/samba/private/secrets.keytab FICHDC$
> ~#
> ------------------------
>
> -> but samba-tool authentication with the machine account fails:
> ------------------------
> ~# samba-tool time -P -d 8
> INFO: Current debug levels:
>   all: 8
>   tdb: 8
>   printdrivers: 8
>   lanman: 8
>   smb: 8
>   rpc_parse: 8
>   rpc_srv: 8
>   rpc_cli: 8
>   passdb: 8
>   sam: 8
>   auth: 8
>   winbind: 8
>   vfs: 8
>   idmap: 8
>   quota: 8
>   acls: 8
>   locking: 8
>   msdfs: 8
>   dmapi: 8
>   registry: 8
>   scavenger: 8
>   dns: 8
>   ldb: 8
>   tevent: 8
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
> added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
> Mapped to DCERPC endpoint \pipe\srvsvc
> added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
> added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
> resolve_lmhosts: Attempting lmhosts lookup for name fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> Socket options:
>   SO_KEEPALIVE = 0
>   SO_REUSEADDR = 0
>   SO_BROADCAST = 0
>   TCP_NODELAY = 1
>   TCP_KEEPCNT = 9
>   TCP_KEEPIDLE = 7200
>   TCP_KEEPINTVL = 75
>   IPTOS_LOWDELAY = 0
>   IPTOS_THROUGHPUT = 0
>   SO_REUSEPORT = 0
>   SO_SNDBUF = 2626560
>   SO_RCVBUF = 1061808
>   SO_SNDLOWAT = 1
>   SO_RCVLOWAT = 1
>   SO_SNDTIMEO = 0
>   SO_RCVTIMEO = 0
>   TCP_QUICKACK = 1
>   TCP_DEFER_ACCEPT = 0
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> Received smb_krb5 packet of length 343
> Received smb_krb5 packet of length 298
> Failed to get kerberos credentials: kinit for FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed (Preauthentication failed)
>
> Wrong username or password: kinit for FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed (Preauthentication failed)
>
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
> ERROR(runtime): uncaught exception - (-1073741715, "Connection to SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' failed: NT_STATUS_LOGON_FAILURE")
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py", line 59, in run
>     self.outf.write(net.time(server_name)+"\n")
> ------------------------
>
> -> samba.log gives many errors like this:
> ------------------------
> [2017/06/21 14:20:35.371312,  0] ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
>   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:172.16.0.21[1024,seal,krb5,target_hostname=04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr,target_principal=GC/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235--4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20] NT_STATUS_LOGON_FAILURE
> ------------------------
>
> -> my msDS-SupportedEncryptionTypes value is 31? Is this bad?
> ------------------------
> ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDC)'
> # record 1
> dn: CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> cn: FICHDC
> instanceType: 4
> whenCreated: 20150630144451.0Z
> uSNCreated: 3583
> name: FICHDC
> objectGUID: bfaf861f-1138-4597-beaa-c83722b86fcf
> userAccountControl: 532480
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> localPolicyFlags: 0
> primaryGroupID: 516
> objectSid: S-1-5-21-2690787391-1809550003-4172065244-1000
> accountExpires: 9223372036854775807
> sAMAccountName: FICHDC$
> sAMAccountType: 805306369
> operatingSystem: Samba
> operatingSystemVersion: 4.1.17-Debian
> dNSHostName: fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> isCriticalSystemObject: TRUE
> rIDSetReferences: CN=RID Set,CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> serverReferenceBL: CN=FICHDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> msDS-SupportedEncryptionTypes: 31
> pwdLastSet: 131423563752421340
> servicePrincipalName: nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/FICHNET
> servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/FICHNET
> servicePrincipalName: GC/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: HOST/FICHDC
> servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/b339b873-f01c-4672-8984-61e1e48422ea/net.lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: ldap/b339b873-f01c-4672-8984-61e1e48422ea._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: ldap/FICHDC
> servicePrincipalName: RestrictedKrbHost/FICHDC
> servicePrincipalName: RestrictedKrbHost/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/DomainDnsZones.net.lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/ForestDnsZones.net.lyc-guillaume-fichet.ac-grenoble.fr
> lastLogonTimestamp: 131424581015653910
> whenChanged: 20170620184821.0Z
> uSNChanged: 12626339
> lastLogon: 131425180561432210
> logonCount: 70
> distinguishedName: CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
>
> # Referral
> ref: ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/CN=Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
>
> # Referral
> ref: ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/DC=DomainDnsZones,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
>
> # Referral
> ref: ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/DC=ForestDnsZones,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
>
> # returned 4 records
> # 1 entries
> # 3 referrals
> -------------------------------
>
> Even if I increase the debug level, I could not get more info on the Kerberos authentication.
>
> Thanks again !
>
> Baptiste.

I investigated more again. Here is what I have found.

1) I know now why kerberized nfs stopped working on "fichdc". An SPN disappeared from the Kerberos database ! After the upgrade there is no "nfs/fichdc" credential anymore so I can't export it again in a keytab. But strangely "nfs/fichds01" and "nfs/fichds02" still work. To find the root of the problem I have not tried to delete/recreate the SPN yet.

-------------------------------
~# samba-tool spn list nfs-fichdc
nfs-fichdc
User CN=nfs-fichdc,CN=Users,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr has the following servicePrincipalName:
	 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr

~# kinit nfs-fichdc
Password for nfs-fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR:
kinit: Password incorrect while getting initial credentials

~# kinit nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
kinit: Client 'nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR' not found in Kerberos database while getting initial credentials

~# samba-tool spn list nfs-fichds01
nfs-fichds01
User CN=nfs-fichds01,CN=Users,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr has the following servicePrincipalName:
	 nfs/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr

~# kinit nfs/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
Password for nfs/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR:
kinit: Password incorrect while getting initial credentials

~# kinit -k -t /tmp/krb5.keytab nfs/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
kinit: Password has expired while getting initial credentials
(I think that the password expiration is normal, and kerberized nfs works on fichds01)
-------------------------------

2) I don't know if this is a problem. But the "msDS-SupportedEncryptionTypes" is not always present in the LDAP database :

-------------------------------
(first DC)
~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDC)' | grep msDS-SupportedEncryptionTypes
msDS-SupportedEncryptionTypes: 31

(second DC)
~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDS01)' | grep msDS-SupportedEncryptionTypes
msDS-SupportedEncryptionTypes: 31

(third DC)
~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDS02)' | grep msDS-SupportedEncryptionTypes

(a windows7 client)
~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=SVT06)' | grep msDS-SupportedEncryptionTypes

(another windows7 client)
~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=C501-05)' | grep msDS-SupportedEncryptionTypes
msDS-SupportedEncryptionTypes: 28

(all linux clients)
~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=F511A01)' | grep msDS-SupportedEncryptionTypes
-------------------------------

Does someone have an idea what could have made the SPN's credential disappear ?

Thanks very much. It seems my issue is related to the kerberos database.

Baptiste.
Rowland Penny
2017-Jun-21 18:56 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
On Wed, 21 Jun 2017 19:54:43 +0200 Prunk Dump via samba <samba at lists.samba.org> wrote:
> [...]

I would check the domain levels on the three DCs

My two DCs and Linux machines all have '31' for 'msDS-SupportedEncryptionTypes', though a couple of windows machines in VMs have '28'

I think the problem must be with your DCs machine password, I think you will need to change it with 'chgkrbtgtpass', though I have no idea how you use it, presumably you would change this line:

sys.path.insert(0, "bin/python")

To the same as you will find in the 'samba-tool' script. I presume you then just run the script. Perhaps Andrew would care to comment here.

I have no idea where your nfs SPN went to, but if it has disappeared on all your DCs, then you will have to add it again.

Rowland
Rowland Penny
2017-Jun-22 09:08 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Before you go down the 'backup' line, you mentioned that you have three DCs, is only one DC giving problems or all three ?

If it is just one and the other two are working okay, I would demote the faulty DC and remove it from the domain. I would then check the ex-DC for faults (the HD for instance), once you are sure that there are no faults or you have fixed any ones found, you can then rejoin it as a DC (I would change its hostname as well).

Rowland
Rowland Penny
2017-Jun-22 09:34 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
On Thu, 22 Jun 2017 11:19:54 +0200 Prunk Dump <prunkdump at gmail.com> wrote:
> 2017-06-22 11:08 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> >
> > Before you go down the 'backup' line, you mentioned that you have three DCs, is only one DC giving problems or all three ?
> >
> > If it is just one and the other two are working okay, I would demote the faulty DC and remove it from the domain. I would then check the ex-DC for faults (the HD for instance), once you are sure that there are no faults or you have fixed any ones found, you can then rejoin it as a DC (I would change its hostname as well).
> >
> > Rowland
>
> No sadly the three DCs are affected by the same problem :
> -> "samba-tool time -P" fails
> -> kinit with exported machine keytab account works
> -> kinit with /var/lib/samba/private/secrets.keytabs fails.
>
> But on the AD database there is one error that is only related to one of my DCs.
> -> the kerberos principal of "nfs/fichdc" disappeared from the kerberos database
> -> the "nfs/fichds01" and "nfs/fichds02" principals work with kinit.
>
> Baptiste.

Then I am not sure if backing up the DCs is going to work, if the problem is in AD, you will just backup the problem :-(

Two things you could try, add another DC and if this works, transfer the FSMO roles to it and then demote the other three and rejoin them, or try demoting a DC and rejoin it.

Rowland
Prunk Dump
2017-Jun-23 07:28 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Hello samba team !

I finally found why my "nfs/fichdc" credential stopped working. I had two SPNs with the same name on two different users :

FICHDC$ -> has SPN nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
nfs-fichdc -> has SPN nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr

This seems allowed on old versions of samba but not admitted on samba 4.5. Maybe this test may be added to the "dbcheck" script.

Now almost everything works on my network (nfsv4, winbind authentication, shares, dynamic dns...). But DRS and authentication with the machine account on my three DCs still fail ... I have still the same problem :

--------------------
~# kinit -k -t /var/lib/samba/private/secrets.keytab FICHDC$
~#
(OK)

~# samba-tool time -P -d 3
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
Wrong username or password: kinit for FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed (Preauthentication failed)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
ERROR(runtime): uncaught exception - (-1073741715, "Connection to SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' failed: NT_STATUS_LOGON_FAILURE")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py", line 59, in run
    self.outf.write(net.time(server_name)+"\n")

~# tail /var/log/samba/log.samba
[2017/06/23 09:09:38.523889,  0] ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:172.16.0.22[1024,seal,krb5,target_hostname=6592eb58-739e-4b40-94c1-b96abde63d44._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr,target_principal=GC/fichds02.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20] NT_STATUS_LOGON_FAILURE
[2017/06/23 09:09:40.759811,  0] ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:172.16.0.21[1024,seal,krb5,target_hostname=04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr,target_principal=GC/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20] NT_STATUS_LOGON_FAILURE
--------------------

Something that may help to understand the root of my problem : during the upgrade from Jessie to Stretch the "apt-get dist-upgrade" failed on the winbind configuration step. As I said previously, the Debian upgrade procedure tried to launch smbd, nmbd, winbind on my DC as it shouldn't. The winbind configuration step complained that "samba is not started", which is normal because smbd can't start with a DC configuration file. I disabled the smbd, nmbd, winbind services with "systemctl" and relaunched the "dist-upgrade". This time apt passed the winbind configuration step. Maybe it is this configuration step that corrupted my machine account ? no ?

Is it possible to have some more tips to fix my problem ? I don't know if demoting my DCs is a good idea as I need to change their names when rejoining. And my DCs provide multiple other important services (not always related to AD).

Is "chgtdcpass" the best solution ? But I can't find information about how to use it. And as my replication doesn't work, how do I need to use this script to change the password of the DCs not owning FSMO roles ? Is it possible to join the DCs again without changing their names ?

Do you think that I need to post on samba-technical ?

Thanks very much !

Baptiste.
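The duplicate SPN Baptiste found, and the msDS-SupportedEncryptionTypes values he asked about earlier in the thread (31 on the DCs, 28 on a Windows client, absent on others), can both be checked from a plain ldbsearch dump. The script below is an added example written for this page, not code from the thread or from Samba: it parses the folded LDIF that ldbsearch prints, reports any SPN held by more than one object, and decodes the encryption-type bits. The embedded records are constructed from names that appear in the thread.

```python
"""Added example (not from the thread or from Samba): detect servicePrincipalName
values held by more than one object, the condition behind the broken nfs/fichdc
principal, and decode msDS-SupportedEncryptionTypes so 31 / 28 / absent read clearly.
Assumes LDIF as printed by `ldbsearch -H /var/lib/samba/private/sam.ldb`, where
long lines are folded onto continuation lines beginning with a single space."""
from collections import defaultdict

# Bit values of msDS-SupportedEncryptionTypes as defined in MS-KILE.
ENC_TYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}

def decode_enc_types(value):
    """Return the names of the encryption types whose bits are set in value."""
    names = [name for bit, name in sorted(ENC_TYPE_BITS.items()) if value & bit]
    unknown = value & ~sum(ENC_TYPE_BITS)
    if unknown:
        names.append("unknown:0x%x" % unknown)
    return names

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) back onto the line above."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_records(text):
    """Return [(dn, {attr_lower: [values]})] per entry in an ldbsearch dump.
    Comment lines and referral (ref:) blocks are skipped."""
    records, current, dn = [], defaultdict(list), None
    for line in unfold_ldif(text) + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                records.append((dn, dict(current)))
            current, dn = defaultdict(list), None
            continue
        if line.startswith("#") or line.startswith("ref:"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        else:
            current[attr].append(value)
    return records

def find_duplicate_spns(text):
    """Map each SPN held by more than one object to the sorted DNs holding it.
    Comparison is case-insensitive, as the KDC's SPN lookup is."""
    holders = defaultdict(set)
    for dn, attrs in parse_records(text):
        for spn in attrs.get("serviceprincipalname", []):
            holders[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in holders.items() if len(dns) > 1}

def enc_type_report(text):
    """Map sAMAccountName to decoded msDS-SupportedEncryptionTypes, or None when
    the attribute is absent and the KDC applies its own default set."""
    report = {}
    for dn, attrs in parse_records(text):
        name = attrs.get("samaccountname", [dn])[0]
        values = attrs.get("msds-supportedencryptiontypes")
        report[name] = decode_enc_types(int(values[0])) if values else None
    return report

# Constructed sample in ldbsearch's LDIF layout, using names from the thread.
SAMPLE_LDIF = """\
# record 1
dn: CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenob
 le,DC=fr
sAMAccountName: FICHDC$
msDS-SupportedEncryptionTypes: 31
servicePrincipalName: nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/FICH
 NET

# record 2
dn: CN=nfs-fichdc,CN=Users,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
sAMAccountName: nfs-fichdc
servicePrincipalName: NFS/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr

# record 3
dn: CN=C501-05,CN=Computers,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
sAMAccountName: C501-05$
msDS-SupportedEncryptionTypes: 28
servicePrincipalName: HOST/c501-05.net.lyc-guillaume-fichet.ac-grenoble.fr

# Referral
ref: ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/CN=Configuration,DC=net,DC=fr
"""

if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(SAMPLE_LDIF).items():
        print("DUPLICATE SPN %s held by: %s" % (spn, ", ".join(dns)))
```

Against a live directory, feed it the output of `ldbsearch -H /var/lib/samba/private/sam.ldb '(servicePrincipalName=*)' dn sAMAccountName servicePrincipalName msDS-SupportedEncryptionTypes`.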