Hi Rowland,
Sorry, migration using BIND9_DLZ gives the same result.
Not sure if the following from the migration is a concern:
Could not add posix attrs for AD entry for
sid=S-1-5-21-3936576374-1604348213-1812465911-3034, ((21, 'Element
loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for
sid=S-1-5-21-3936576374-1604348213-1812465911-3040, ((21, 'Element
loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for
sid=S-1-5-21-3936576374-1604348213-1812465911-3030, ((21, 'Element
loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for
sid=S-1-5-21-3936576374-1604348213-1812465911-3046, ((21, 'Element
loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for
sid=S-1-5-21-3936576374-1604348213-1812465911-3032, ((21, 'Element
loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for
sid=S-1-5-21-3936576374-1604348213-1812465911-3050, ((21, 'Element
loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for
sid=S-1-5-21-3936576374-1604348213-1812465911-3036, ((21, 'Element
loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for
sid=S-1-5-21-3936576374-1604348213-1812465911-3038, ((21, 'Element
loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for
sid=S-1-5-21-3936576374-1604348213-1812465911-3042, ((21, 'Element
loginShell has empty attribute in ldb message ()!'))
User root has been kept in the directory, it should be removed in favour of the
Administrator user
Could not add posix attrs for AD entry for
sid=S-1-5-21-3936576374-1604348213-1812465911-3048, ((21, 'Element
loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for
sid=S-1-5-21-3936576374-1604348213-1812465911-3010, ((21, 'Element
loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for
sid=S-1-5-21-3936576374-1604348213-1812465911-3028, ((21, 'Element
loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for
sid=S-1-5-21-3936576374-1604348213-1812465911-3062, ((21, 'Element
loginShell has empty attribute in ldb message ()!'))
Committing 'add users' transaction to disk
Adding users to groups
Committing 'add users to groups' transaction to disk
Setting password for administrator
Administrator password has been set to password of user 'root'
Processing section "[netlogon]"
Processing section "[sysvol]"
Module 'acl_xattr' loaded
Module 'dfs_samba4' loaded
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service Unknown
Service (snum == -1)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service Unknown
Service (snum == -1)
Processing section "[netlogon]"
Processing section "[sysvol]"
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service sysvol
I've tested the DNS according to the Samba document; the SRV records for both
the domain and the realm seem to work:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
I have tried both Server 2008 and Server 2012. In 2012 it comes up with "Verification
of replica failed. The wizard cannot access the list of domains in the forest.
The error is: An internal error occurred".
Just confirming that I am logged in as Domain Administrator and using those
creds to run the AD wizard and dcpromo. I also tried using both the realm and the
domain when trying the dcpromo.
The following is the new smb.conf file. I have added bits about DNS updates:
[global]
        netbios name = TESTDC
        realm = TEST.LOCAL
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = TEST
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        dcerpc endpoint servers = +mapiproxy
        allow dns updates = nonsecure
[netlogon]
        path = /var/lib/samba/sysvol/test.local/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
The following is the krb5.conf:
[libdefaults]
        default_realm = TEST.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
service --status-all
 [ - ]  acpid
 [ + ]  apparmor
 [ + ]  apport
 [ + ]  atd
 [ + ]  bind9
 [ - ]  console-setup.sh
 [ + ]  cron
 [ - ]  cryptdisks
 [ - ]  cryptdisks-early
 [ + ]  dbus
 [ + ]  ebtables
 [ + ]  grub-common
 [ - ]  hwclock.sh
 [ - ]  irqbalance
 [ + ]  isc-dhcp-server
 [ + ]  iscsid
 [ - ]  keyboard-setup.sh
 [ + ]  kmod
 [ - ]  lvm2
 [ + ]  lvm2-lvmetad
 [ + ]  lvm2-lvmpolld
 [ + ]  lxcfs
 [ - ]  lxd
 [ - ]  mdadm
 [ - ]  mdadm-waitidle
 [ - ]  nmbd
 [ - ]  open-iscsi
 [ + ]  open-vm-tools
 [ - ]  plymouth
 [ - ]  plymouth-log
 [ + ]  procps
 [ - ]  rsync
 [ + ]  rsyslog
 [ + ]  samba-ad-dc
 [ - ]  screen-cleanup
 [ - ]  smbd
 [ + ]  ssh
 [ + ]  udev
 [ + ]  ufw
 [ + ]  unattended-upgrades
 [ - ]  uuidd
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, mapiproxy
Any ideas?
Regards,
Praveen Ghimire
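As an added example, not code from the original post or from the Samba project, the script below parses an smb.conf like the one above and flags the settings a DC administrator would want to review before running dcpromo. The point worth checking in the posted file is `allow dns updates = nonsecure`: it accepts unsigned dynamic updates from any host on the network, whereas Samba's default is `secure only`. The embedded sample is constructed from the posted configuration with the wrapped `server services` line rejoined; the check names, severities and messages are my own.

```python
"""Lint an AD DC smb.conf for settings worth a second look.

Added example; the parser and the checks are my own, not Samba's.
"""
import re

# Constructed sample: the smb.conf posted in the thread, wrapped line rejoined.
SAMPLE_SMB_CONF = """\
[global]
        netbios name = TESTDC
        realm = TEST.LOCAL
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = TEST
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        dcerpc endpoint servers = +mapiproxy
        allow dns updates = nonsecure
[netlogon]
        path = /var/lib/samba/sysvol/test.local/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Keys are lower-cased with internal whitespace collapsed, so
    'Server Services' and 'server services' land on the same key.
    Comment lines (# or ;) and blank lines are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def split_list(value):
    """Split a comma-separated smb.conf list value into lower-cased items."""
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def lint_ad_dc(sections):
    """Return (severity, message) findings for an AD DC configuration."""
    findings = []
    g = sections.get("global", {})

    role = g.get("server role", "").lower()
    if role != "active directory domain controller":
        findings.append(("error", f"server role is {role!r}, expected "
                                  "'active directory domain controller'"))

    # Anything other than signed updates lets any host rewrite DNS records.
    dns_updates = g.get("allow dns updates", "secure only").lower()
    if dns_updates not in ("secure only", "secure", "disabled"):
        findings.append(("warning", f"allow dns updates = {dns_updates!r} "
                                    "accepts unsigned updates; the default is "
                                    "'secure only'"))

    services = split_list(g.get("server services", ""))
    if "dns" in services:
        findings.append(("info", "internal DNS server is enabled; BIND must not "
                                 "also listen on port 53"))
    elif services:
        findings.append(("info", "internal DNS not listed; consistent with a "
                                 "BIND9_DLZ backend"))
    if services and "dnsupdate" not in services:
        findings.append(("warning", "dnsupdate service missing; the DC's own "
                                    "DNS records will not be refreshed"))

    for share in ("netlogon", "sysvol"):
        if share not in sections:
            findings.append(("error", f"required share [{share}] is missing"))
    return findings


def lint_text(text):
    """Convenience wrapper: parse and lint in one call."""
    return lint_ad_dc(parse_smb_conf(text))


if __name__ == "__main__":
    for severity, message in lint_text(SAMPLE_SMB_CONF):
        print(f"{severity:8s} {message}")
```

Run against the sample, the linter reports no errors and one warning, for the `allow dns updates` line; the two `info` lines only record what the service list implies about the DNS backend.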
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
via samba
Sent: Tuesday, 5 December 2017 5:58 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4 AD issues with RPC
On Tue, 5 Dec 2017 05:08:24 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:
> 
> 
> Hi Guys,
> 
> Setup:
> 
> Versions: Samba: 4.6.7
>                 Bind9:   9.10.3
> 
> 
> Firewall disabled
> 
> AD Provision:
> 
> Migrated from samba 3 to 4 using classic upgrade.
> 
> samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir 
> --realm=TEST.LOCAL --dns-backend=BIND9_FLATFILE 
> /etc/samba.PDC/smb.PDC.conf
> 
> Any suggestions?
> 
Yes, do not use BIND9_FLATFILE, it doesn't work.
Rowland