thr3ads.net - samba - [Samba] samba AD not working [Jul 2017]

If this information is useful, please help other people find it:
Share via:

Sonic

2017-Jul-08 16:32 UTC

[Samba] samba AD not working

Hello,

After classic upgrade from PDC to AD, most things look like they're
functioning but I'm having issues. Note that the upgrade did include a
system change, a new name, new IP address.

Using samba-4.6.5 compiled from git on Debian Stretch.

First issue I noticed was when trying to join the new AD from a
Windows machine I received:
================The RPC server is unavailable
================
Troubleshooting on the AD itself, most tests pass (DNS lookups,
kerberos tickets) but smbclient fails:
================$ smbclient -L localhost -U%
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
================
In the logs I'm seeing:
================# tail log.wb-MYDOMAINK
[2017/07/08 12:17:03.188677,  0]
../source3/winbindd/winbindd_cm.c:1793(wb_open_internal_pipe)
 open_internal_pipe: Could not connect to lsarpc pipe: NT_STATUS_UNSUCCESSFUL
================
Services are running:
================20603 ?        Ss     0:00 /usr/local/samba/sbin/samba
20604 ?        S      0:00 /usr/local/samba/sbin/samba
20605 ?        S      0:00 /usr/local/samba/sbin/samba
20606 ?        Ss     0:00 /usr/local/samba/sbin/smbd -D
--option=server role check:inhibit=yes --foreground
20607 ?        S      0:01 /usr/local/samba/sbin/samba
20608 ?        S      0:00 /usr/local/samba/sbin/samba
20609 ?        S      0:00 /usr/local/samba/sbin/samba
20610 ?        S      0:00 /usr/local/samba/sbin/samba
20611 ?        S      0:00 /usr/local/samba/sbin/samba
20612 ?        S      0:01 /usr/local/samba/sbin/samba
20613 ?        S      0:00 /usr/local/samba/sbin/samba
20614 ?        S      0:00 /usr/local/samba/sbin/samba
20615 ?        S      0:00 /usr/local/samba/sbin/samba
20616 ?        Ss     0:00 /usr/local/samba/sbin/winbindd -D
--option=server role check:inhibit=yes --foreground
20617 ?        S      0:00 /usr/local/samba/sbin/samba
20620 ?        S      0:00 /usr/local/samba/sbin/smbd -D
--option=server role check:inhibit=yes --foreground
20621 ?        S      0:00 /usr/local/samba/sbin/smbd -D
--option=server role check:inhibit=yes --foreground
20623 ?        S      0:00 /usr/local/samba/sbin/winbindd -D
--option=server role check:inhibit=yes --foreground
20624 ?        S      0:00 /usr/local/samba/sbin/smbd -D
--option=server role check:inhibit=yes --foreground
20838 ?        Ssl    0:00 /usr/sbin/named -f -u bind
================
And ports seem open, although should have no effect on the smbclient
failure run on the AD itself (I'm using hosts allow to prevent systems
other than the test system to see the new AD):
================# nmap -A ad

Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-08 11:13 EDT
Nmap scan report for ad (172.26.62.31)
Host is up (0.00014s latency).
rDNS record for 172.26.62.31: ad.office.mydomain.com
Not shown: 987 closed ports

PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 7.4p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
|   2048 18:4d:92:d2:69:66:c0:16:70:7e:ed:fe:fe:32:8a:fd (RSA)
|_  256 bc:f9:9c:05:42:1a:af:b5:f5:a4:ac:50:8c:f1:da:24 (ECDSA)
53/tcp   open  domain       ISC BIND 9.10.3-P4-Debian
| dns-nsid:
|_  bind.version: 9.10.3-P4-Debian
88/tcp   open  kerberos-sec Heimdal Kerberos (server time: 2017-07-08 15:13:47Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: MYDOMAIN)
389/tcp  open  ldap         (Anonymous bind OK)
| ssl-cert: Subject:
commonName=AD.office.mydomain.com/organizationName=Samba Administration
| Not valid before: 2017-07-04T17:24:08
|_Not valid after:  2019-06-04T17:24:08
|_ssl-date: 2017-07-08T15:11:06+00:00; -3m31s from scanner time.
445/tcp  open  netbios-ssn  Samba smbd 4.6.5 (workgroup: MYDOMAIN)
464/tcp  open  kpasswd5?
636/tcp  open  ssl/ldap     (Anonymous bind OK)
| ssl-cert: Subject:
commonName=AD.office.mydomain.com/organizationName=Samba Administration
| Not valid before: 2017-07-04T17:24:08
|_Not valid after:  2019-06-04T17:24:08
|_ssl-date: 2017-07-08T15:13:55+00:00; -42s from scanner time.
1024/tcp open  msrpc        Microsoft Windows RPC
1025/tcp open  msrpc        Microsoft Windows RPC
3268/tcp open  ldap         (Anonymous bind OK)
| ssl-cert: Subject:
commonName=AD.office.mydomain.com/organizationName=Samba Administration
| Not valid before: 2017-07-04T17:24:08
|_Not valid after:  2019-06-04T17:24:08
|_ssl-date: 2017-07-08T15:11:32+00:00; -3m05s from scanner time.
3269/tcp open  ssl/ldap     (Anonymous bind OK)
| ssl-cert: Subject:
commonName=AD.office.mydomain.com/organizationName=Samba Administration
| Not valid before: 2017-07-04T17:24:08
|_Not valid after:  2019-06-04T17:24:08
|_ssl-date: 2017-07-08T15:13:38+00:00; -59s from scanner time.
MAC Address: A0:36:9F:27:02:CD (Intel Corporate)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: AD; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel,
cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1m39s, deviation: 1m32s, median: -59s
|_nbstat: NetBIOS name: AD, NetBIOS user: <unknown>, NetBIOS MAC:
<unknown>
(unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.6.5)
|   Computer name: ad
|   NetBIOS computer name: AD\x00
|   Domain name: office.mydomain.com
|   FQDN: ad.office.mydomain.com
|_  System time: 2017-07-08T11:14:37-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.14 ms ad.office.mydomain.com (172.26.62.31)
================
Where to look to resolve?

Thanks!

Chris

Sonic

2017-Jul-08 19:49 UTC

head link

[Samba] samba AD not working

More info:

Attempting to connect via smbclient using hostnames fail:
================$ smbclient -L localhost -U%
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
================... doesn't matter whether I use localhost, or ad, or
ad.office.mydomain.com (local, short or full).

However, via IP address:
================/usr/local/samba/var# smbclient -L 172.26.62.31 -U%
Domain=[MYDOMAIN] OS=[] Server=[]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.6.5)
Domain=[MYDOMAIN] OS=[] Server=[]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
================... and I can successfully use 127.0.0.1 as well.

All DNS tests pass, SRV records, etc. are all there. So this is quite confusing.

Sonic

2017-Jul-08 20:05 UTC

head link

[Samba] samba AD not working

Sorry for the smbclient noise - stale entry in the hosts file was
causing that issue.

However, this problem remians when trying to join the new AD from a
Windows machine:
================The RPC server is unavailable
================
Please advise.

Thank you!

samba - Jul 2017 - samba AD not working

[Samba] samba AD not working

[Samba] samba AD not working

[Samba] samba AD not working