Stefan G. Weichinger
2017-Jul-11 15:33 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
On 2017-07-11 at 14:57, Rowland Penny wrote:

>> # smbclient \\\\server\\daten -Usgw%PW
>> session setup failed: NT_STATUS_UNSUCCESSFUL
>
> Restart all the Samba binaries on the DM
>
> Then check that the OS knows your user with:
>
> getent passwd sgw

libnss_winbind was missing!

Now both results are the same

user-names in /etc/passwd ... rmed now

I was 100% sure to have had that fixed. My fault. I AM SORRY.

-

After several restarts of winbind/smbd/nmbd I now have a better overall picture, but not fully happy.

One user gets displayed as "administrator" in smbstatus although he is named differently. Other users on other PCs are mapped correctly and files are created correctly (= get correct owner and group in linux fs).

For the PC with the problematic issue I see on the DC:

Jul 11 17:16:25 pre01svdeb02 samba[4657]: [2017/07/11 17:16:25.913628, 0] ../source4/rpc_server/drsuapi/writespn.c:235(dcesrv_drsuapi_DsWriteAccountSpn)
Jul 11 17:16:25 pre01svdeb02 samba[4657]: Failed to modify SPNs on CN=PC-2016-03,OU=secret-Computer,DC=secret,DC=at: acl: spn validation failed for spn[TERMSRV/PC-2016-03.secret.at] uac[0x1000] account[PC-2016-03$] hostname[PC-2016-03.BUERO] nbname[BUERO] ntds[(null)] forest[secret.at] domain[secret.at]

Could that be related?

On another PC that user works correctly.

We try a rejoin now ...

Everything else *seems* to look good now ...
On Tue, 11 Jul 2017 17:33:51 +0200 "Stefan G. Weichinger" <lists at xunil.at> wrote:

> On 2017-07-11 at 14:57, Rowland Penny wrote:
>
> >> # smbclient \\\\server\\daten -Usgw%PW
> >> session setup failed: NT_STATUS_UNSUCCESSFUL
> >
> > Restart all the Samba binaries on the DM
> >
> > Then check that the OS knows your user with:
> >
> > getent passwd sgw
>
> libnss_winbind was missing!
>
> Now both results are the same
>
> user-names in /etc/passwd ... rmed now
>
> I was 100% sure to have had that fixed. My fault. I AM SORRY.
>
> -
>
> After several restarts of winbind/smbd/nmbd I now have a better
> overall picture, but not fully happy.
>
> One user gets displayed as "administrator" in smbstatus although he is
> named differently. Other users on other PCs are mapped correctly and
> files are created correctly (= get correct owner and group in linux
> fs).
>
> For the PC with the problematic issue I see on the DC:
>
> Jul 11 17:16:25 pre01svdeb02 samba[4657]: [2017/07/11 17:16:25.913628,
> 0]
> ../source4/rpc_server/drsuapi/writespn.c:235(dcesrv_drsuapi_DsWriteAccountSpn)
> Jul 11 17:16:25 pre01svdeb02 samba[4657]: Failed to modify SPNs on
> CN=PC-2016-03,OU=secret-Computer,DC=secret,DC=at: acl: spn validation
> failed for spn[TERMSRV/PC-2016-03.secret.at] uac[0x1000]
> account[PC-2016-03$] hostname[PC-2016-03.BUERO] nbname[BUERO]
> ntds[(null)] forest[secret.at] domain[secret.at]
>
> Could that be related?
>
> On another PC that user works correctly.
>
> We try a rejoin now ...
>
> Everything else *seems* to look good now ...

Try running 'net cache flush'

Rowland
Stefan G. Weichinger
2017-Jul-11 16:34 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
On 2017-07-11 at 17:59, Rowland Penny wrote:

>> One user gets displayed as "administrator" in smbstatus although he is
>> named differently. Other users on other PCs are mapped correctly and
>> files are created correctly (= get correct owner and group in linux
>> fs).
>>
>> For the PC with the problematic issue I see on the DC:
>>
>> Jul 11 17:16:25 pre01svdeb02 samba[4657]: [2017/07/11 17:16:25.913628,
>> 0]
>> ../source4/rpc_server/drsuapi/writespn.c:235(dcesrv_drsuapi_DsWriteAccountSpn)
>> Jul 11 17:16:25 pre01svdeb02 samba[4657]: Failed to modify SPNs on
>> CN=PC-2016-03,OU=secret-Computer,DC=secret,DC=at: acl: spn validation
>> failed for spn[TERMSRV/PC-2016-03.secret.at] uac[0x1000]
>> account[PC-2016-03$] hostname[PC-2016-03.BUERO] nbname[BUERO]
>> ntds[(null)] forest[secret.at] domain[secret.at]
>>
>> Could that be related?
>>
>> On another PC that user works correctly.
>>
>> We try a rejoin now ...
>>
>> Everything else *seems* to look good now ...
>
> Try running 'net cache flush'

did that on both DC and DM, no change so far.

I assume this is rather cosmetic for now and a small issue compared to the other things before.

Right now people can access stuff and smbstatus looks good to me.

We will see tmrw morning how things proceed.

@Rowland: thanks a lot once again. I am sorry for my stupid mistakes ...

tmrw issues on my list:

* some GPO-issues:

# samba-tool dbcheck
Checking 445 objects
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=User\0ADEL:c5644e95-616a-4897-bea7-45c909d93dc2,CN=Deleted Objects,DC=secret,DC=at - <GUID=f1278d7d-87c4-47b7-adf5-663d457026db>;CN={B21C7A4C-E611-460F-BC81-1BBDEC8C9053},CN=Policies,CN=System,DC=secret,DC=at
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=Machine\0ADEL:3eccdc20-3d40-4c3d-a0fe-b5fa4dcc2c3c,CN=Deleted Objects,DC=secret,DC=at - <GUID=63de1753-994f-466a-9dd1-9dcf90910ffd>;CN={479204EF-EF2E-4C1B-9E3E-1B50149D578B},CN=Policies,CN=System,DC=secret,DC=at
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=User\0ADEL:ef18debc-895a-4599-952d-a0bf302d2914,CN=Deleted Objects,DC=secret,DC=at - <GUID=63de1753-994f-466a-9dd1-9dcf90910ffd>;CN={479204EF-EF2E-4C1B-9E3E-1B50149D578B},CN=Policies,CN=System,DC=secret,DC=at
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=Machine\0ADEL:f4336c47-c82e-477e-a5b6-fe7bf24ac07e,CN=Deleted Objects,DC=secret,DC=at - <GUID=f1278d7d-87c4-47b7-adf5-663d457026db>;CN={B21C7A4C-E611-460F-BC81-1BBDEC8C9053},CN=Policies,CN=System,DC=secret,DC=at
Not fixing old string component
Checked 445 objects (0 errors)

* valid users parameter didn't match so far: got to tighten that

But we're tired and happy now after all that struggle, and get some drinks ...

have a great and quiet evening all

Stefan