Stefan G. Weichinger
2017-Jul-11 08:21 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
On 2017-07-11 at 09:34, Stefan G. Weichinger via samba wrote:
> [2017/07/11 09:31:17.790046, 2] ../source4/dns_server/dns_query.c:1019(dns_server_process_query_send)
>   Not authoritative for 'SERVER', forwarding
> [2017/07/11 09:31:17.826966, 2] ../source4/dns_server/dns_query.c:1019(dns_server_process_query_send)
>   Not authoritative for 'SERVER', forwarding
>
> Note: the old netbios name of the DM server is "SERVER", and that is
> what all the users use in their UNC paths.
>
> For some it works, for others not.
>
> I checked /etc/resolv.conf on DC and DM:
>
> nameserver 192.168.16.205 # IP of DC
> domain my.tld

is it

search my.tld

or

domain my.tld

?

"dig server" should work on both DC and DM, right?
It does not right now.

There was no A-record for it (anymore?), created it, no change so far.
Stefan G. Weichinger
2017-Jul-11 08:36 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
[2017/07/11 10:28:51.553290, 3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [mueller] succeeded
[2017/07/11 10:28:51.553324, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [mueller] -> [mueller] -> [mueller] succeeded
[2017/07/11 10:28:51.553493, 1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2940660672-4062535256-4144655499-1029 -> getpwuid(11029) failed
[2017/07/11 10:28:51.553518, 3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2017/07/11 10:28:51.553552, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/07/11 10:28:51.553562, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2017/07/11 10:28:51.553601, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/07/11 10:28:51.553611, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2017/07/11 10:28:51.553782, 1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2940660672-4062535256-4144655499-1029 -> getpwuid(11029) failed
[2017/07/11 10:28:51.553808, 3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2017/07/11 10:28:51.553818, 1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL
[2017/07/11 10:28:51.553864, 3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(293) cmd=115 (SMBsesssetupX) NT_STATUS_UNSUCCESSFUL
[2017/07/11 10:28:51.554117, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (failed to receive smb request)

---

getpwuid(11029) fails, local group 11029 does not exist.
the SID looks like:

# net ads sid S-1-5-21-2940660672-4062535256-4144655499-1029
Got 1 replies

cn: mueller
instanceType: 4
whenCreated: 20170524093910.0Z
uSNCreated: 4231
name: mueller
objectGUID: ddbb9928-167d-4cfb-a667-ef4a24600fef
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
primaryGroupID: 513
objectSid: S-1-5-21-2940660672-4062535256-4144655499-1029
sAMAccountName: mueller
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=secret,DC=at
pwdLastSet: 130414131350000000
accountExpires: 137303967990000000
lastLogoff: 137303967990000000
userAccountControl: 512
uidNumber: 1070
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
unixHomeDirectory: /home/mueller
loginShell: /bin/bash
gidNumber: 1070
msSFU30NisDomain: buero
lastLogonTimestamp: 131439211510194450
whenChanged: 20170707171231.0Z
uSNChanged: 6300
memberOf: CN=Mitarbeiter,OU=secret-Benutzer,DC=secret,DC=at
lastLogon: 131442246304847030
logonCount: 14
distinguishedName: CN=mueller,OU=secret-Benutzer,DC=secret,DC=at

created a local group "rettung" with GID 11029 ... no change

I don't find that 11029 in the SID infos ...
Stefan G. Weichinger
2017-Jul-11 08:45 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
found this:

Jul 11 10:44:02 pre01svdeb01 winbindd[21976]: [2017/07/11 10:44:02.336493, 0] ../source3/lib/util_tdb.c:497(tdb_chainlock_with_timeout_internal)
Jul 11 10:44:02 pre01svdeb01 winbindd[21976]:   tdb_chainlock_with_timeout_internal: alarm (40) timed out for key dc.pilsbacher.at in tdb /var/run/samba/mutex.tdb
Jul 11 10:44:02 pre01svdeb01 winbindd[21976]: [2017/07/11 10:44:02.336658, 0] ../source3/winbindd/winbindd_cm.c:1023(cm_prepare_connection)
Jul 11 10:44:02 pre01svdeb01 winbindd[21976]:   cm_prepare_connection: mutex grab failed for dc.pilsbacher.at

restarting winbind didn't help

may/should I stop winbind, rm that file and restart?

This one sounds like: https://bugzilla.samba.org/show_bug.cgi?id=11962

please advise! I have customers waiting for their files ...
On Tue, 11 Jul 2017 10:21:37 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2017-07-11 at 09:34, Stefan G. Weichinger via samba wrote:
>
> > [2017/07/11 09:31:17.790046, 2] ../source4/dns_server/dns_query.c:1019(dns_server_process_query_send)
> >   Not authoritative for 'SERVER', forwarding
> > [2017/07/11 09:31:17.826966, 2] ../source4/dns_server/dns_query.c:1019(dns_server_process_query_send)
> >   Not authoritative for 'SERVER', forwarding
> >
> > Note: the old netbios name of the DM server is "SERVER", and that is
> > what all the users use in their UNC paths.
> >
> > For some it works, for others not.
> >
> > I checked /etc/resolv.conf on DC and DM:
> >
> > nameserver 192.168.16.205 # IP of DC
> > domain my.tld
>
> is it
>
> search my.tld
>
> or
>
> domain my.tld
>
> ?
>
> "dig server" should work on both DC and DM, right?
> It does not right now.

dig 'shorthostname' works on my DC, but I have to use dig FQDN on a
Unix domain member

Rowland
On Tue, 11 Jul 2017 10:36:08 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> [2017/07/11 10:28:51.553290, 3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
>   check_ntlm_password: winbind authentication for user [mueller] succeeded
> [2017/07/11 10:28:51.553324, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
>   check_ntlm_password: authentication for user [mueller] -> [mueller] -> [mueller] succeeded
> [2017/07/11 10:28:51.553493, 1] ../source3/auth/token_util.c:430(add_local_groups)
>   SID S-1-5-21-2940660672-4062535256-4144655499-1029 -> getpwuid(11029) failed
> [2017/07/11 10:28:51.553518, 3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
>   Failed to finalize nt token
> [2017/07/11 10:28:51.553552, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2017/07/11 10:28:51.553562, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62088215
> [2017/07/11 10:28:51.553601, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2017/07/11 10:28:51.553611, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62088215
> [2017/07/11 10:28:51.553782, 1] ../source3/auth/token_util.c:430(add_local_groups)
>   SID S-1-5-21-2940660672-4062535256-4144655499-1029 -> getpwuid(11029) failed
> [2017/07/11 10:28:51.553808, 3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
>   Failed to finalize nt token
> [2017/07/11 10:28:51.553818, 1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
>   Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL
> [2017/07/11 10:28:51.553864, 3] ../source3/smbd/error.c:82(error_packet_set)
>   NT error packet at ../source3/smbd/sesssetup.c(293) cmd=115 (SMBsesssetupX) NT_STATUS_UNSUCCESSFUL
> [2017/07/11 10:28:51.554117, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
>   Server exit (failed to receive smb request)
>
> ---
>
> getpwuid(11029) fails, local group 11029 does not exist.
>
> the SID looks like:
>
> # net ads sid S-1-5-21-2940660672-4062535256-4144655499-1029
> Got 1 replies
>
> cn: mueller
> instanceType: 4
> whenCreated: 20170524093910.0Z
> uSNCreated: 4231
> name: mueller
> objectGUID: ddbb9928-167d-4cfb-a667-ef4a24600fef
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-2940660672-4062535256-4144655499-1029
> sAMAccountName: mueller
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=secret,DC=at
> pwdLastSet: 130414131350000000
> accountExpires: 137303967990000000
> lastLogoff: 137303967990000000
> userAccountControl: 512
> uidNumber: 1070
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> unixHomeDirectory: /home/mueller
> loginShell: /bin/bash
> gidNumber: 1070
> msSFU30NisDomain: buero
> lastLogonTimestamp: 131439211510194450
> whenChanged: 20170707171231.0Z
> uSNChanged: 6300
> memberOf: CN=Mitarbeiter,OU=secret-Benutzer,DC=secret,DC=at
> lastLogon: 131442246304847030
> logonCount: 14
> distinguishedName: CN=mueller,OU=secret-Benutzer,DC=secret,DC=at
>
> created a local group "rettung" with GID 11029 ... no change

Remove this local Unix group; you cannot have a group (or a user) in AD
and /etc/group

> I don't find that 11029 in the SID infos ...

Probably because '11029' isn't a 'RID', it will be a uidNumber.

Try running this on your DC:

ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub "(&(objectclass=group)(gidnumber=11029))"

Rowland
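An added example, not from the thread and not Samba's own tooling: a small Python checker that parses an smbd log in the layout quoted above, pairs each "getpwuid(N) failed" line from add_local_groups with the NT_STATUS the session setup then returned, and reports whether N resolves through the local NSS view and whether it equals the SID's RID (here 1029 versus 11029, which is Rowland's point). The embedded log excerpt is constructed from the lines posted above; the regexes, record layout and the injectable `resolve` parameter are this example's own assumptions.

```python
import re
import pwd

# Constructed smbd log excerpt modelled on the one posted in the thread.
SAMPLE_LOG = """\
[2017/07/11 10:28:51.553290, 3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [mueller] succeeded
[2017/07/11 10:28:51.553493, 1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2940660672-4062535256-4144655499-1029 -> getpwuid(11029) failed
[2017/07/11 10:28:51.553818, 1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL
"""

HEADER = re.compile(r"^\[(\S+ \S+), (\d+)\] (\S+)\s*(.*)$")  # [ts, level] file:line(func)
PWFAIL = re.compile(r"SID (S-1-5-21-[\d-]+-(\d+)) -> getpwuid\((\d+)\) failed")
SESSFAIL = re.compile(r"for session setup: (NT_STATUS_\w+)")

def parse_log(text):
    """Return records {ts, level, where, msg}; indented lines continue the message."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m[1], "level": int(m[2]), "where": m[3], "msg": m[4].strip()})
        elif records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def find_idmap_failures(records, resolve=pwd.getpwuid):
    """Pair each getpwuid failure with the session-setup status logged after it."""
    # `resolve` defaults to the local NSS lookup; inject another callable to
    # evaluate the same log against a different host's id mappings.
    failures = []
    for i, rec in enumerate(records):
        m = PWFAIL.search(rec["msg"])
        if not m:
            continue
        sid, rid, uid = m[1], int(m[2]), int(m[3])
        later = (SESSFAIL.search(r["msg"]) for r in records[i:])
        status = next((s[1] for s in later if s), None)
        try:
            resolve(uid)
            local = True
        except KeyError:
            local = False
        # rid != uid means the failing number is an idmap uid/gid, not the RID
        failures.append({"sid": sid, "rid": rid, "uid": uid, "resolves_locally": local,
                         "rid_is_uid": rid == uid, "session_status": status})
    return failures
```

Run on a domain member, `find_idmap_failures(parse_log(open("/var/log/samba/log.smbd").read()))` lists the ids winbind or /etc/passwd failed to supply for each rejected session setup.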
Stefan G. Weichinger
2017-Jul-11 09:59 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
On 2017-07-11 at 11:43, Rowland Penny wrote:
> On Tue, 11 Jul 2017 10:21:37 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>> On 2017-07-11 at 09:34, Stefan G. Weichinger via samba wrote:
>>
>>> [2017/07/11 09:31:17.790046, 2] ../source4/dns_server/dns_query.c:1019(dns_server_process_query_send)
>>>   Not authoritative for 'SERVER', forwarding
>>> [2017/07/11 09:31:17.826966, 2] ../source4/dns_server/dns_query.c:1019(dns_server_process_query_send)
>>>   Not authoritative for 'SERVER', forwarding
>>>
>>> Note: the old netbios name of the DM server is "SERVER", and that is
>>> what all the users use in their UNC paths.
>>>
>>> For some it works, for others not.
>>>
>>> I checked /etc/resolv.conf on DC and DM:
>>>
>>> nameserver 192.168.16.205 # IP of DC
>>> domain my.tld
>>
>> is it
>>
>> search my.tld
>>
>> or
>>
>> domain my.tld
>>
>> ?
>>
>> "dig server" should work on both DC and DM, right?
>> It does not right now.
>
> dig 'shorthostname' works on my DC, but I have to use dig FQDN on a
> Unix domain member

search or domain ?

// I set "guest OK" now and let the guy there connect the problematic PCs.

maybe relevant:

DC: debian 9, samba 4.6.5
DM: debian 8.8, samba 4.5.10