Stefan G. Weichinger
2017-Jul-10 09:45 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
(new thread, same migration project)

I see GPOs applied, but network drives sometimes mapped, sometimes not.

Found something around hardened UNC paths, applied some GPO, dunno if that is necessary or helps (I still have to check where to apply that GPO, computer or user ...).

While debugging that I find in log.smbd on the member server:

[2017/07/10 11:22:20.290018, 1] ../source3/lib/util.c:1974(name_to_fqdn)
  WARNING: your /etc/hosts file may be broken! Full qualified domain names (FQDNs) should not be specified as an alias in /etc/hosts. FQDN should be the first name prior to any aliases.
[2017/07/10 11:23:15.561739, 1] ../source3/lib/util.c:1974(name_to_fqdn)
  WARNING: your /etc/hosts file may be broken! Full qualified domain names (FQDNs) should not be specified as an alias in /etc/hosts. FQDN should be the first name prior to any aliases.
[2017/07/10 11:23:15.602520, 1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2940660672-4062535256-4144655499-1031 -> getpwuid(11031) failed
[2017/07/10 11:23:15.602534, 1] ../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)

Yes, I have FQDNs in /etc/hosts and I *really* hesitate to edit these right now when so far most of things work.

I paste my /etc/hosts and ask for hints.

pre01svdeb01 = member server
pre01svbmd01 = a windows server (member)
pre01svdeb02 = samba ADS DC, not even listed here (192.168.16.205)

->

127.0.0.1 localhost
127.0.1.1 pre01svdeb01.my.tld pre01svdeb01

::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

192.168.16.111 ipfire.my.tld ipfire
192.168.16.203 backup backup.my.tld dc.my.tld dc
192.168.16.226 server-bmd.my.tld server-bmd

192.168.16.230 pre01svbmd01

Step2: understood and fixed something:

dc-entry was wrong!

krb5.conf points to dc.my.tld ... was wrong IP.

fixed

Now I can look up that mentioned SID from both servers. Good, right?
On Mon, 10 Jul 2017 11:45:31 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> (new thread, same migration project)
>
> I see GPOs applied, but network drives sometimes mapped, sometimes not.
>
> Found something around hardened UNC paths, applied some GPO, dunno if that is necessary or helps (I still have to check where to apply that GPO, computer or user ...).
>
> While debugging that I find in log.smbd on the member server:
>
> [2017/07/10 11:22:20.290018, 1] ../source3/lib/util.c:1974(name_to_fqdn)
>   WARNING: your /etc/hosts file may be broken! Full qualified domain names (FQDNs) should not be specified as an alias in /etc/hosts. FQDN should be the first name prior to any aliases.
> [2017/07/10 11:23:15.561739, 1] ../source3/lib/util.c:1974(name_to_fqdn)
>   WARNING: your /etc/hosts file may be broken! Full qualified domain names (FQDNs) should not be specified as an alias in /etc/hosts. FQDN should be the first name prior to any aliases.
> [2017/07/10 11:23:15.602520, 1] ../source3/auth/token_util.c:430(add_local_groups)
>   SID S-1-5-21-2940660672-4062535256-4144655499-1031 -> getpwuid(11031) failed
> [2017/07/10 11:23:15.602534, 1] ../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
>   Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
>
> Yes, I have FQDNs in /etc/hosts and I *really* hesitate to edit these right now when so far most of things work.
>
> I paste my /etc/hosts and ask for hints.
>
> pre01svdeb01 = member server
> pre01svbmd01 = a windows server (member)
> pre01svdeb02 = samba ADS DC, not even listed here (192.168.16.205)
>
> ->
>
> 127.0.0.1 localhost
> 127.0.1.1 pre01svdeb01.my.tld pre01svdeb01
>
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 192.168.16.111 ipfire.my.tld ipfire
> 192.168.16.203 backup backup.my.tld dc.my.tld dc
> 192.168.16.226 server-bmd.my.tld server-bmd
>
> 192.168.16.230 pre01svbmd01

I would change /etc/hosts to this:

127.0.0.1 localhost
127.0.1.1 pre01svdeb01.my.tld pre01svdeb01

::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

But replace '127.0.0.1' with the real IP address of pre01svdeb01.my.tld if it has a fixed IP, if it hasn't, you can remove the entire line.
You don't need anything else, the DNS provided by your AD DC should provide everything else.

> Step2: understood and fixed something:
>
> dc-entry was wrong!
>
> krb5.conf points to dc.my.tld ... was wrong IP.
>
> fixed

Probably not, /etc/krb5.conf should only contain something like this:

[libdefaults]
default_realm = MY.TLD
dns_lookup_realm = false
dns_lookup_kdc = true

Rowland

> Now I can look up that mentioned SID from both servers. Good, right?
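The name_to_fqdn() warning quoted above comes from an /etc/hosts line where the first name after the address is a short name and a fully qualified name sits among the aliases. The following is an added checker, not code from this thread or from Samba, that applies that rule to a hosts file (the sample is the one pasted above, embedded as a constructed string) and reports the offending lines with a reordered suggestion:

```python
"""Flag /etc/hosts lines where an FQDN is listed as an alias instead of
as the first (canonical) name, which is the shape Samba warns about."""
import ipaddress

# Constructed sample: the member server's /etc/hosts from the thread.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 pre01svdeb01.my.tld pre01svdeb01

::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

192.168.16.111 ipfire.my.tld ipfire
192.168.16.203 backup backup.my.tld dc.my.tld dc
192.168.16.226 server-bmd.my.tld server-bmd

192.168.16.230 pre01svbmd01
"""


def parse_hosts(text):
    """Return [(lineno, address, [names])] for every real hosts entry;
    blank lines, comments and lines without a valid address are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((lineno, str(addr), fields[1:]))
    return entries


def check_fqdn_order(text):
    """Return [(lineno, canonical, [fqdn aliases])] for lines whose first
    name has no dot while one of the aliases is fully qualified."""
    findings = []
    for lineno, _addr, names in parse_hosts(text):
        if not names:
            continue
        canonical, aliases = names[0], names[1:]
        fqdn_aliases = [a for a in aliases if "." in a]
        if "." not in canonical and fqdn_aliases:
            findings.append((lineno, canonical, fqdn_aliases))
    return findings


def fixed_line(addr, names):
    """Rewrite one entry with the fully qualified names first, short aliases last."""
    fqdns = [n for n in names if "." in n]
    shorts = [n for n in names if "." not in n]
    return " ".join([addr] + fqdns + shorts)


if __name__ == "__main__":
    for lineno, canonical, fqdns in check_fqdn_order(SAMPLE_HOSTS):
        print(f"line {lineno}: '{canonical}' is canonical, FQDN alias(es) {fqdns}")
```

On the sample this flags only the 192.168.16.203 line (backup / dc), which is also the entry the reply says is unnecessary once the AD DC's DNS is used.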
Stefan G. Weichinger
2017-Jul-10 11:08 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
On 2017-07-10 at 12:08, Rowland Penny via samba wrote:

> I would change /etc/hosts to this:
>
> 127.0.0.1 localhost
> 127.0.1.1 pre01svdeb01.my.tld pre01svdeb01
>
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> But replace '127.0.0.1' with the real IP address of pre01svdeb01.my.tld if it has a fixed IP, if it hasn't, you can remove the entire line.
> You don't need anything else, the DNS provided by your AD DC should provide everything else.

Thanks, I consider doing so after work hours ... right now I am quite happy that they all can work so far.

> Probably not, /etc/krb5.conf should only contain something like this:
>
> [libdefaults]
> default_realm = MY.TLD
> dns_lookup_realm = false
> dns_lookup_kdc = true

Yes, sure, understand. Seems that the [realms] clause slipped in as I installed some krb5 package.

btw: the list of packages to be installed on debian might be worth documenting. It was a bit of trial and error for me to get all the needed krb5-stuff onto that machine. ( krb5-config krb5-locales libkrb5-3 libpam-krb5 krb5-user ... )

And what does this tell me, please:

[2017/07/10 13:07:48.593400, 1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2940660672-4062535256-4144655499-1008 -> getpwuid(11008) failed
[2017/07/10 13:07:48.593415, 1] ../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)

?
Stefan G. Weichinger
2017-Jul-10 11:48 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
On 2017-07-10 at 11:45, Stefan G. Weichinger via samba wrote:

> Now I can look up that mentioned SID from both servers. Good, right?

Should that query return instantly on the domain member as well? Takes a few seconds here, 6 to be detailed.

(rm-ed [realms] in krb5.conf already)