Stefan G. Weichinger
2017-Jul-10 09:45 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
(new thread, same migration project)
I see GPOs applied, but network drives sometimes mapped, sometimes not.
Found something around hardened UNC paths, applied some GPO, dunno if
that is necessary or helps (I still have to check where to apply that
GPO, computer or user ...).
While debugging that I find in log.smbd on the member server:
[2017/07/10 11:22:20.290018, 1] ../source3/lib/util.c:1974(name_to_fqdn)
WARNING: your /etc/hosts file may be broken!
Full qualified domain names (FQDNs) should not be specified
as an alias in /etc/hosts. FQDN should be the first name
prior to any aliases.
[2017/07/10 11:23:15.561739, 1] ../source3/lib/util.c:1974(name_to_fqdn)
WARNING: your /etc/hosts file may be broken!
Full qualified domain names (FQDNs) should not be specified
as an alias in /etc/hosts. FQDN should be the first name
prior to any aliases.
[2017/07/10 11:23:15.602520, 1] ../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-2940660672-4062535256-4144655499-1031 -> getpwuid(11031) failed
[2017/07/10 11:23:15.602534, 1] ../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
Yes, I have FQDNs in /etc/hosts and I *really* hesitate to edit these
right now when so far most things work.
I paste my /etc/hosts and ask for hints.
pre01svdeb01 = member server
pre01svbmd01 = a windows server (member)
pre01svdeb02 = samba ADS DC, not even listed here (192.168.16.205)
->
127.0.0.1 localhost
127.0.1.1 pre01svdeb01.my.tld pre01svdeb01
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.16.111 ipfire.my.tld ipfire
192.168.16.203 backup backup.my.tld dc.my.tld dc
192.168.16.226 server-bmd.my.tld server-bmd
192.168.16.230 pre01svbmd01
Step2: understood and fixed something:
dc-entry was wrong!
krb5.conf points to dc.my.tld ... was wrong IP.
fixed
Now I can look up that mentioned SID from both servers. Good, right?
Rowland Penny
2017-Jul-10 10:08 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
On Mon, 10 Jul 2017 11:45:31 +0200 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> (new thread, same migration project)
>
> I see GPOs applied, but network drives sometimes mapped, sometimes not.
>
> Found something around hardened UNC paths, applied some GPO, dunno if
> that is necessary or helps (I still have to check where to apply that
> GPO, computer or user ...).
>
> While debugging that I find in log.smbd on the member server:
>
> [2017/07/10 11:22:20.290018, 1] ../source3/lib/util.c:1974(name_to_fqdn)
> WARNING: your /etc/hosts file may be broken!
> Full qualified domain names (FQDNs) should not be specified
> as an alias in /etc/hosts. FQDN should be the first name
> prior to any aliases.
> [2017/07/10 11:23:15.561739, 1] ../source3/lib/util.c:1974(name_to_fqdn)
> WARNING: your /etc/hosts file may be broken!
> Full qualified domain names (FQDNs) should not be specified
> as an alias in /etc/hosts. FQDN should be the first name
> prior to any aliases.
> [2017/07/10 11:23:15.602520, 1] ../source3/auth/token_util.c:430(add_local_groups)
> SID S-1-5-21-2940660672-4062535256-4144655499-1031 -> getpwuid(11031) failed
> [2017/07/10 11:23:15.602534, 1] ../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
> Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
>
> Yes, I have FQDNs in /etc/hosts and I *really* hesitate to edit these
> right now when so far most of things work.
>
> I paste my /etc/hosts and ask for hints.
>
> pre01svdeb01 = member server
> pre01svbmd01 = a windows server (member)
> pre01svdeb02 = samba ADS DC, not even listed here (192.168.16.205)
>
> ->
>
> 127.0.0.1 localhost
> 127.0.1.1 pre01svdeb01.my.tld pre01svdeb01
>
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 192.168.16.111 ipfire.my.tld ipfire
> 192.168.16.203 backup backup.my.tld dc.my.tld dc
> 192.168.16.226 server-bmd.my.tld server-bmd
>
> 192.168.16.230 pre01svbmd01

I would change /etc/hosts to this:

127.0.0.1 localhost
127.0.1.1 pre01svdeb01.my.tld pre01svdeb01

::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

But replace '127.0.0.1' with the real IP address of pre01svdeb01.my.tld if it has a fixed IP; if it hasn't, you can remove the entire line. You don't need anything else, the DNS provided by your AD DC should provide everything else.

> Step2: understood and fixed something:
>
> dc-entry was wrong!
>
> krb5.conf points to dc.my.tld ... was wrong IP.
>
> fixed

Probably not, /etc/krb5.conf should only contain something like this:

[libdefaults]
default_realm = MY.TLD
dns_lookup_realm = false
dns_lookup_kdc = true

Rowland

> Now I can look up that mentioned SID from both servers. Good, right?
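A small checker for the two /etc/hosts problems discussed in this exchange (an FQDN listed only as an alias, which is what Samba's name_to_fqdn warning is about, and the member server's own FQDN mapped to loopback). This is an added example, not code from the thread or from Samba; the sample file is the one Stefan pasted, and "contains a dot" is an assumed heuristic for "is an FQDN".

```python
from typing import List, Tuple

# Constructed sample: the /etc/hosts pasted earlier in the thread.
# Line 192.168.16.203 lists FQDNs after a short alias (the case the
# name_to_fqdn warning is about); 127.0.1.1 maps the member's own
# FQDN to loopback, which Rowland suggests replacing with its real IP.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 pre01svdeb01.my.tld pre01svdeb01

::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

192.168.16.111 ipfire.my.tld ipfire
192.168.16.203 backup backup.my.tld dc.my.tld dc
192.168.16.226 server-bmd.my.tld server-bmd
192.168.16.230 pre01svbmd01
"""
LOOPBACK = {"127.0.0.1", "127.0.1.1", "::1"}

def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, names) per entry, skipping blanks and # comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries

def fqdn_as_alias(text: str) -> List[Tuple[str, str]]:
    """Flag dotted names that are not the first (canonical) name of their entry.
    The resolver reports the first name as canonical, so an FQDN placed later
    is only an alias; 'contains a dot' is the assumed FQDN heuristic here."""
    return [(addr, name)
            for addr, names in parse_hosts(text)
            for name in names[1:] if "." in name]

def loopback_fqdns(text: str) -> List[Tuple[str, str]]:
    """Flag FQDNs mapped to loopback; the member server's own FQDN should
    resolve to its real, fixed address instead."""
    return [(addr, name)
            for addr, names in parse_hosts(text)
            if addr in LOOPBACK
            for name in names if "." in name]
```

Run it against the real file with `fqdn_as_alias(open("/etc/hosts").read())`; an empty list from both functions means the ordering rule Samba checks is satisfied.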
Stefan G. Weichinger
2017-Jul-10 11:08 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
On 2017-07-10 at 12:08, Rowland Penny via samba wrote:
> I would change /etc/hosts to this:
>
> 127.0.0.1 localhost
> 127.0.1.1 pre01svdeb01.my.tld pre01svdeb01
>
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> But replace '127.0.0.1' with the real ipaddress of pre01svdeb01.my.tld
> if it has a fixed IP, if it hasn't, you can remove the entire line.
> You don't need anything else, the DNS provided by your AD DC should
> provide everything else.

Thanks, I consider doing so after work hours ... right now I am quite happy that they all can work so far.

> Probably not, /etc/krb5.conf should only contain something like this:
>
> [libdefaults]
> default_realm = MY.TLD
> dns_lookup_realm = false
> dns_lookup_kdc = true

Yes, sure, understood. Seems that the [realms] clause slipped in as I installed some krb5 package.

btw: the list of packages to be installed on debian might be worth documenting. It was a bit of trial and error for me to get all the needed krb5-stuff onto that machine. ( krb5-config krb5-locales libkrb5-3 libpam-krb5 krb5-user ... )

And what does this tell me, please:

[2017/07/10 13:07:48.593400, 1] ../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-2940660672-4062535256-4144655499-1008 -> getpwuid(11008) failed
[2017/07/10 13:07:48.593415, 1] ../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)

?
Stefan G. Weichinger
2017-Jul-10 11:48 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
On 2017-07-10 at 11:45, Stefan G. Weichinger via samba wrote:
> Now I can look up that mentioned SID from both servers. Good, right?

Should that query return instantly on the domain member as well? Takes a few seconds here, 6 to be detailed. (rm-ed [realms] in krb5.conf already)