Hello,
After a classic upgrade from PDC to AD, most things look like they're
functioning but I'm having issues. Note that the upgrade did include a
system change, a new name, new IP address.
Using samba-4.6.5 compiled from git on Debian Stretch.
First issue I noticed was when trying to join the new AD from a
Windows machine I received:
================
The RPC server is unavailable
================
Troubleshooting on the AD itself, most tests pass (DNS lookups,
kerberos tickets) but smbclient fails:
================
$ smbclient -L localhost -U%
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
================
In the logs I'm seeing:
================
# tail log.wb-MYDOMAINK
[2017/07/08 12:17:03.188677, 0] ../source3/winbindd/winbindd_cm.c:1793(wb_open_internal_pipe)
open_internal_pipe: Could not connect to lsarpc pipe: NT_STATUS_UNSUCCESSFUL
================
Services are running:
================
20603 ? Ss 0:00 /usr/local/samba/sbin/samba
20604 ? S 0:00 /usr/local/samba/sbin/samba
20605 ? S 0:00 /usr/local/samba/sbin/samba
20606 ? Ss 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
20607 ? S 0:01 /usr/local/samba/sbin/samba
20608 ? S 0:00 /usr/local/samba/sbin/samba
20609 ? S 0:00 /usr/local/samba/sbin/samba
20610 ? S 0:00 /usr/local/samba/sbin/samba
20611 ? S 0:00 /usr/local/samba/sbin/samba
20612 ? S 0:01 /usr/local/samba/sbin/samba
20613 ? S 0:00 /usr/local/samba/sbin/samba
20614 ? S 0:00 /usr/local/samba/sbin/samba
20615 ? S 0:00 /usr/local/samba/sbin/samba
20616 ? Ss 0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
20617 ? S 0:00 /usr/local/samba/sbin/samba
20620 ? S 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
20621 ? S 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
20623 ? S 0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
20624 ? S 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
20838 ? Ssl 0:00 /usr/sbin/named -f -u bind
================
And ports seem open, although that should have no effect on the smbclient
failure run on the AD itself (I'm using hosts allow to prevent systems
other than the test system from seeing the new AD):
================
# nmap -A ad
Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-08 11:13 EDT
Nmap scan report for ad (172.26.62.31)
Host is up (0.00014s latency).
rDNS record for 172.26.62.31: ad.office.mydomain.com
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 18:4d:92:d2:69:66:c0:16:70:7e:ed:fe:fe:32:8a:fd (RSA)
|_ 256 bc:f9:9c:05:42:1a:af:b5:f5:a4:ac:50:8c:f1:da:24 (ECDSA)
53/tcp open domain ISC BIND 9.10.3-P4-Debian
| dns-nsid:
|_ bind.version: 9.10.3-P4-Debian
88/tcp open kerberos-sec Heimdal Kerberos (server time: 2017-07-08 15:13:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYDOMAIN)
389/tcp open ldap (Anonymous bind OK)
| ssl-cert: Subject: commonName=AD.office.mydomain.com/organizationName=Samba Administration
| Not valid before: 2017-07-04T17:24:08
|_Not valid after: 2019-06-04T17:24:08
|_ssl-date: 2017-07-08T15:11:06+00:00; -3m31s from scanner time.
445/tcp open netbios-ssn Samba smbd 4.6.5 (workgroup: MYDOMAIN)
464/tcp open kpasswd5?
636/tcp open ssl/ldap (Anonymous bind OK)
| ssl-cert: Subject: commonName=AD.office.mydomain.com/organizationName=Samba Administration
| Not valid before: 2017-07-04T17:24:08
|_Not valid after: 2019-06-04T17:24:08
|_ssl-date: 2017-07-08T15:13:55+00:00; -42s from scanner time.
1024/tcp open msrpc Microsoft Windows RPC
1025/tcp open msrpc Microsoft Windows RPC
3268/tcp open ldap (Anonymous bind OK)
| ssl-cert: Subject: commonName=AD.office.mydomain.com/organizationName=Samba Administration
| Not valid before: 2017-07-04T17:24:08
|_Not valid after: 2019-06-04T17:24:08
|_ssl-date: 2017-07-08T15:11:32+00:00; -3m05s from scanner time.
3269/tcp open ssl/ldap (Anonymous bind OK)
| ssl-cert: Subject: commonName=AD.office.mydomain.com/organizationName=Samba Administration
| Not valid before: 2017-07-04T17:24:08
|_Not valid after: 2019-06-04T17:24:08
|_ssl-date: 2017-07-08T15:13:38+00:00; -59s from scanner time.
MAC Address: A0:36:9F:27:02:CD (Intel Corporate)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: AD; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1m39s, deviation: 1m32s, median: -59s
|_nbstat: NetBIOS name: AD, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.6.5)
| Computer name: ad
| NetBIOS computer name: AD\x00
| Domain name: office.mydomain.com
| FQDN: ad.office.mydomain.com
|_ System time: 2017-07-08T11:14:37-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.14 ms ad.office.mydomain.com (172.26.62.31)
================
Where to look to resolve?
Thanks!
Chris