Hi Rowland,

On Wed, Nov 08, 2017 at 12:12:20PM +0000, Rowland Penny wrote:
> On Wed, 8 Nov 2017 12:43:16 +0100
> Ervin Hegedüs <airween at gmail.com> wrote:
>
> > > You would be better using the DCs ipaddress rather than '127.0.0.1'.
> > > You should also remove '10.10.0.1' it doesn't seem to be a DC.
> >
> > yes, that's the forwarder (see in smb.conf). Most documents
> > notice that keep it in resolv.conf.
>
> And most documents get it wrong. The DC is a DNS server and your
> clients should use it as their nameserver. Your DC should forward
> anything unknown to the nameserver that is set in the DCs smb.conf if
> using the internal DNS server, or if in the named conf files if using
> Bind9

right, I've removed it, now all DCs use only themselves as nameserver.

> > > > /etc/samba/smb.conf
> > > > # Global parameters
> > > > [global]
> > > >         netbios name = OPEN-LDAP
> > > >         realm = CORE.MYDOMAIN.HU
> > > >         workgroup = CORE
> > > >         dns forwarder = 10.10.10.1
> > > >         server role = active directory domain controller
> > > >         idmap_ldb:use rfc2307 = yes
> > > >
> > > >         log level = 3 passdb:5 auth:5 tdb:5 ldb:5
> > > >         ntlm auth = yes
> > > >         lanman auth = yes
> > > >         client ntlmv2 auth = yes
> > >
> > > I would investigate upgrading security on the clients, rather than
> > > turning it down on the DC
> >
> > I'm sorry, what do you think about exactly?
>
> You have set 'ntlm auth = yes' in the smb.conf, this means your clients
> can use NTLMv1, this is insecure, you would be better off removing this
> line and then make your clients use NTLMv2 (at least) by default.

well, this line needs some clarification - see below

> > > > =======
> > > > client:
> > > >
> > > > --------
> > > > /etc/krb5.conf
> > >
> > > The krb5.conf only needs to match the ones on the DCs, so you don't
> > > need all of the following.
> >
> > does it mean that the krb5.conf should be empty?
>
> No, the /etc/krb5.conf on all the machines needs to be only this:
>
> [libdefaults]
>         default_realm = CORE.MYDOMAIN.HU
>         dns_lookup_realm = false
>         dns_lookup_kdc = true

right,

> > > and probably this:
> > >
> > > https://wiki.samba.org/index.php/Idmap_config_rid
> >
> > I'm afraid I don't need that :)
>
> Yes you do :)

no, I don't :)

> winbind needs to map your windows users & groups to Unix IDs in the
> 'CORE' domain, not the '*' domain. The '*' domain is reserved for the
> well known SIDs and anything outside the 'CORE' domain.

there will _not_ be any Linux user - see below :)

> > I don't want to build the fileserver, I just need the user
> > management - these blocks stayed from the previous install.
>
> Then why have the Unix domain member ???

so, the directory service is needed because we have a captive portal, to
authenticate users for several services - eg. network access, network
groups. But only for these. There will _not_ be any file sharing.

The current device (Aruba) can authenticate only if the

ntlm auth = yes

had been turned on (but I'll check it again, maybe the ntlmv2 is enough).

We configured the CP to use this AD. We joined the devices to the domain,
and set up both DCs. Then when I turned off the "first" DC (which isn't
the PDC :), I just installed and configured it first), the auth service
stopped working. The device doesn't use the backup server (in the device
config we see the "Backup device" - I'm sorry).

So, I asked the provider for a "client" machine, which is a Linux (I
prefer Linux), and this is the open-client. Now I'd like to test the
redundant work of both DCs, and that's why I don't need any Linux user,
user mapping, or any other specific things. There will be thousands of
users, everyone has a login and a password. Connected to WiFi/eth LAN
with 802.1x, and use the network.

> Hopefully I have answered these questions above.

yes, thank you for all of your help again.
I left the domain (from the client), and re-joined again, but now I got
this message:

# net ads join -U administrator
Enter administrator's password:
Using short domain name -- CORE
Joined 'OPEN-CLIENT' to dns domain 'core.mydomain.hu'
DNS Update for open-client.core.mydomain.hu failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

# wbinfo --ping-dc
checking the NETLOGON for domain[CORE] dc connection to "open-ldap.core.mydomain.hu" succeeded

# ntlm_auth --username=abc_airween --password=GOODPASS --domain=CORE --target-hostname=open-ldap2.core.mydomain.hu
NT_STATUS_OK: Success (0x0)

# ntlm_auth --username=abc_airween --password=GOODPASS --domain=CORE --target-hostname=open-ldap.core.mydomain.hu
NT_STATUS_OK: Success (0x0)

# ntlm_auth --username=abc_airween --password=WRONGPASS --domain=CORE --target-hostname=open-ldap.core.mydomain.hu
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

# ntlm_auth --username=abc_airween --password=WRONGPASS # --domain=CORE --target-hostname=open-ldap2.core.mydomain.hu
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

so, looks like it works.

# net ads status

gives a very long output.
And wbinfo gives only open-ldap as DC:

# wbinfo --dsgetdcname=CORE
open-ldap.core.mydomain.hu
\\10.10.20.202
1
37241698-63dd-40d5-805b-d83f4a35223a
core.mydomain.hu
core.mydomain.hu
0xe00013fd
Default-First-Site-Name
Default-First-Site-Name

# wbinfo --getdcname=CORE
OPEN-LDAP

# wbinfo -a abc_airween%GOODPASS
plaintext password authentication failed
Could not authenticate user abc_airween%GOODPASS with plaintext password
challenge/response password authentication succeeded

# wbinfo -a abc_airween%WRONGPASS
plaintext password authentication failed
Could not authenticate user abc_airween%WRONGPASS with plaintext password
challenge/response password authentication failed
wbcAuthenticateUserEx(CORE\abc_airween): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user abc_airween with challenge/response

At this point I made open-ldap (the first server) unattainable, and the
result of the command above:

# time wbinfo -a abc_airween%GOODPASS
plaintext password authentication failed
Could not authenticate user abc_airween%GOODPASS with plaintext password
challenge/response password authentication failed
Could not authenticate user abc_airween with challenge/response

real    1m2.640s
user    0m0.012s
sys     0m0.000s

it waits 1 minute, and then I get the message.

When I turned off open-ldap2, and open-ldap works, then the wbinfo -a
returns with success, but only after 30 seconds.

So, looks like something is still wrong - maybe I'm using wbinfo the
wrong way?

What should I do so that the auth method works as well when a DC is
kicked out?

a.
On Wed, 8 Nov 2017 14:33:28 +0100
Ervin Hegedüs <airween at gmail.com> wrote:

> The current device (Aruba) can authenticate only if the
>
> ntlm auth = yes
>
> had turned on (but I'll check it again, may be the ntlmv2 is
> enough).

All I can do is advise you, NTLMv1 is easily crackable, so, if you can
use a stronger authentication method, then I suggest you use it.

If you are only using the Unix domain member for authentication, you
might as well remove it and use one or both of the DCs instead.

>
> I left the domain (from client), and re-join again, but now I got
> this message:
>
> # net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- CORE
> Joined 'OPEN-CLIENT' to dns domain 'core.mydomain.hu'
> DNS Update for open-client.core.mydomain.hu failed:
> ERROR_DNS_UPDATE_FAILED DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> # wbinfo --ping-dc
> checking the NETLOGON for domain[CORE] dc connection to
> "open-ldap.core.mydomain.hu" succeeded
>
> # ntlm_auth --username=abc_airween --password=GOODPASS --domain=CORE
> --target-hostname=open-ldap2.core.mydomain.hu NT_STATUS_OK: Success
> (0x0) # ntlm_auth --username=abc_airween --password=GOODPASS
> --domain=CORE --target-hostname=open-ldap.core.mydomain.hu
> NT_STATUS_OK: Success (0x0)
>
> # ntlm_auth --username=abc_airween --password=WRONGPASS --domain=CORE
> --target-hostname=open-ldap.core.mydomain.hu
> NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) # ntlm_auth
> --username=abc_airween --password=WRONGPASS # --domain=CORE
> --target-hostname=open-ldap2.core.mydomain.hu
> NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
>
> so, looks like it works.
>
> # net ads status
>
> gives a very long output.
>
> And wbinfo gives only open-ldap as DC:
>
> # wbinfo --dsgetdcname=CORE
> open-ldap.core.mydomain.hu
> \\10.10.20.202
> 1
> 37241698-63dd-40d5-805b-d83f4a35223a
> core.mydomain.hu
> core.mydomain.hu
> 0xe00013fd
> Default-First-Site-Name
> Default-First-Site-Name
>
> # wbinfo --getdcname=CORE
> OPEN-LDAP
>
> # wbinfo -a abc_airween%GOODPASS
> plaintext password authentication failed
> Could not authenticate user abc_airween%GOODPASS with plaintext
> password challenge/response password authentication succeeded
>
> # wbinfo -a abc_airween%WRONGPASS
> plaintext password authentication failed
> Could not authenticate user abc_airween%WRONGPASS with plaintext
> password challenge/response password authentication failed
> wbcAuthenticateUserEx(CORE\abc_airween): error code was
> NT_STATUS_WRONG_PASSWORD (0xc000006a) error message was: Wrong
> Password Could not authenticate user abc_airween with
> challenge/response
>
>
> At this point I made open-ldap (the first server) as
> unattainable, and the result of the command above:
>
> # time wbinfo -a abc_airween%GOODPASS
> plaintext password authentication failed
> Could not authenticate user abc_airween%GOODPASS with plaintext
> password challenge/response password authentication failed
> Could not authenticate user abc_airween with challenge/response
>
> real 1m2.640s
> user 0m0.012s
> sys 0m0.000s
>
> it waits 1 minute, and then I got the message.
>
> When I turned off the open-ldap2, and open-ldap works, then the
> wbinfo -a returns with succeed, but only after 30 seconds.

OK, the problem here is not that you have turned off the first DC, it
is that the client keeps trying to connect to it for 30 seconds.

You need to add:

'timeout:1 attempts:2 rotate'

to /etc/resolv.conf

Rowland

>
> So, looks like something is still wrong - may be I'm using wbinfo
> as wrong way?
>
> What should I do that the auth method works as well, when a DC
> kicked out?
>
> a.
>
On Wed, Nov 08, 2017 at 03:21:28PM +0000, Rowland Penny wrote:
> On Wed, 8 Nov 2017 14:33:28 +0100
> Ervin Hegedüs <airween at gmail.com> wrote:
>
> > The current device (Aruba) can authenticate only if the
> >
> > ntlm auth = yes
> >
> > had turned on (but I'll check it again, may be the ntlmv2 is
> > enough).
>
> All I can do is advise you, NTLMv1 is easily crackable, so, if you can
> use a stronger authentication method, then I suggest you use it.

yes, thanks - I'll check whether the CP still works when I drop the
ntlm auth from the config.

> If you are only using the Unix domain member for authentication, you
> might as well remove it and use one or both of the DCs instead.

this Unix domain member test (with Linux) is just a "test". The final box
will be an Aruba cluster. That's also a Linux box, but we don't know what
works inside of that.

> > real 1m2.640s
> > user 0m0.012s
> > sys 0m0.000s
> >
> > it waits 1 minute, and then I got the message.
> >
> > When I turned off the open-ldap2, and open-ldap works, then the
> > wbinfo -a returns with succeed, but only after 30 seconds.
>
>
> OK, the problem here is not that you have turned off the first DC, it
> is that the client keeps trying to connect to it for 30 seconds.
>
> You need to add:
>
> 'timeout:1 attempts:2 rotate'
>
> to /etc/resolv.conf

# cat /etc/resolv.conf
options timeout:1
options attempts:2
options rotate
search core.mydomain.hu
nameserver 10.10.20.202
nameserver 10.10.20.204

# wbinfo --ntlmv2 -a abc_airween%GOODPASS
plaintext password authentication failed
Could not authenticate user abc_airween%GOODPASS with plaintext password
challenge/response password authentication failed
wbcAuthenticateUserEx(CORE\abc_airween): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user abc_airween with challenge/response

but I wrote the lines above, and after about 2-3 minutes, now it works:

# wbinfo --ntlmv2 -a abc_airween%GOODPASS
plaintext password authentication failed
Could not authenticate user abc_airween%GOODPASS with plaintext password
challenge/response password authentication succeeded

I'm not sure that _this_ is the solution. I've never read that these DNS
settings are required.

How can I check that the Samba4 DNS service works correctly? The regular
checks (host -t A some.domain.com, etc...) work.

I've set up both DCs for the _ldap._tcp.core.mydomain.hu SRV,
_kerberos._udp SRV, and core.mydomain.hu A records. Now the client gets
both DCs for all DNS requests. Is that correct?

Thanks again,

a.
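Rowland's resolv.conf advice, turned into a check a practitioner can run on any domain member before testing failover: this is an added example, not code from the thread, from Rowland or from Samba; the helper names are mine, and the two sample files are constructed from the values posted in this thread (one DC with default resolver timing, and the file Ervin posted after adding the options).

```shell
# Added example (not from the thread or Samba): does a domain member's
# resolv.conf carry the fast-failover settings Rowland recommends?

# Print every token on "options" lines (one line or several such lines).
resolv_options() {
    sed -n 's/^[[:space:]]*options[[:space:]]\{1,\}//p' "$1" | tr ' \t' '\n\n' | sed '/^$/d'
}

# Print the N of a "name:N" option such as timeout:1, or nothing if absent.
resolv_option_value() {
    resolv_options "$1" | sed -n "s/^$2:\([0-9][0-9]*\)\$/\1/p" | tail -n 1
}

# Count nameserver lines ("grep -c" exits 1 on zero matches, hence "|| true").
resolv_nameserver_count() {
    grep -c '^[[:space:]]*nameserver[[:space:]]' "$1" || true
}

# Return 0 when several DCs are listed and the wait on a dead one is bounded;
# otherwise print each problem and return 1. Without timeout/attempts the
# glibc resolver defaults are 5 s per query and 2 tries per server.
check_dc_failover() {
    file=$1; rc=0
    ns=$(resolv_nameserver_count "$file")
    [ "$ns" -ge 2 ] || { echo "$ns nameserver(s): list every DC"; rc=1; }
    t=$(resolv_option_value "$file" timeout)
    [ -n "$t" ] && [ "$t" -le 2 ] || { echo "timeout missing or above 2s"; rc=1; }
    a=$(resolv_option_value "$file" attempts)
    [ -n "$a" ] && [ "$a" -le 2 ] || { echo "attempts missing or above 2"; rc=1; }
    resolv_options "$file" | grep -qx rotate || { echo "rotate missing"; rc=1; }
    return $rc
}

# Constructed samples built from the thread's values: the client before the
# change (one DC, default timing) and the resolv.conf Ervin posted afterwards.
make_sample() {
    f=$(mktemp)
    [ "$1" = after ] && printf 'options timeout:1\noptions attempts:2\noptions rotate\n' > "$f"
    printf 'search core.mydomain.hu\nnameserver 10.10.20.202\n' >> "$f"
    [ "$1" = after ] && printf 'nameserver 10.10.20.204\n' >> "$f"
    echo "$f"
}

# Run the check over both samples; on a real box call check_dc_failover /etc/resolv.conf
for state in before after; do
    f=$(make_sample "$state")
    check_dc_failover "$f" && echo "$state: fast failover" || echo "$state: would stall on a dead DC"
    rm -f "$f"
done
```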
Hi,

On Wed, Nov 08, 2017 at 03:21:28PM +0000, Rowland Penny wrote:
> On Wed, 8 Nov 2017 14:33:28 +0100
> Ervin Hegedüs <airween at gmail.com> wrote:
>
> > When I turned off the open-ldap2, and open-ldap works, then the
> > wbinfo -a returns with succeed, but only after 30 seconds.
>
>
> OK, the problem here is not that you have turned off the first DC, it
> is that the client keeps trying to connect to it for 30 seconds.
>
> You need to add:
>
> 'timeout:1 attempts:2 rotate'
>
> to /etc/resolv.conf

okay, maybe I've found something interesting: the DCs have 2 network
interfaces (eth0: 192.168.100.n/26, eth1: 10.10.20.m/25). We planned that
eth0 and that network will be used. But I've added the other network's
addresses to DNS too. Perhaps this was my mistake, because I've removed
the 10.10.20.x addresses from DNS (from the domain, and from the DCs' A
records), and now I turned off either DC (while the other works, of
course), and the client can authenticate!

But. :)

After some minutes, the 10.10.20.x address came back to DNS... and I
didn't set it up...

# host -t A core.mydomain.hu
core.mydomain.hu has address 192.168.255.100
core.mydomain.hu has address 192.168.255.99

(takes a few minutes...)

# host -t A core.mydomain.hu
core.mydomain.hu has address 192.168.255.100
core.mydomain.hu has address 10.10.20.202
core.mydomain.hu has address 192.168.255.99

How can I prevent this record from appearing in the zone? I can delete
it with samba-tool:

# samba-tool dns delete open-ldap.core.mydomain.hu core.mydomain.hu core.mydomain.hu A 10.10.20.202 -Uadministrator at core.mydomain.hu
Password for [administrator at core.mydomain.hu]:
Record deleted successfully

# host -t A core.mydomain.hu
core.mydomain.hu has address 192.168.255.100
core.mydomain.hu has address 192.168.255.99

but it comes back again after some minutes...

Thanks,

a.