Rowland Penny
2018-Feb-26 09:49 UTC
[Samba] smbclient //server/netlogon -k -c 'ls' fails with "NT_STATUS_LOGON_FAILURE"
On Mon, 26 Feb 2018 11:30:58 +0200
Arcadie Cracan <arcadiec at gmail.com> wrote:

> /etc/samba/smb.conf:
> # Global parameters
> [global]
> workgroup = DAM
> realm = INTRA.DAM-APPLICATION.RO
> netbios name = LOTUS
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes

Everything above looks okay and it also shows you are using Bind9, so
can you post the contents of the various named.conf files.

>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain INTRA
> idmap config INTRA:backend = ad
> idmap config INTRA:schema_mode = rfc2307
> idmap config INTRA:range = 10000-99999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307

You might as well remove the above lines, they do not work on a DC,
they never did and anyway 'INTRA' should be 'DAM' if they did work.
In fact they may be your problem.

Rowland
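The advice above (drop the 'idmap config DOMAIN:...' and 'winbind nss info' lines on a DC, and note that the short domain name in such lines should match 'workgroup') can be turned into a small check. The script below is an added example written for this thread, not code from the thread or from the Samba project. It assumes an INI-style smb.conf with one "key = value" per line, '#' or ';' comments, and the DC role detected from the 'server role' setting; the sample smb.conf it writes is constructed from the [global] section posted above.

```shell
#!/bin/sh
# Added example (not from the thread): lint the [global] section of an smb.conf
# for settings that have no effect on an AD DC, as pointed out in the thread.
# Assumptions: one "key = value" per line, '#'/';' comments, and the role is
# read from 'server role = active directory domain controller'.

# conf_value FILE KEY -> value of the first uncommented "KEY = value" line
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# smbconf_lint FILE -> warnings on stderr, number of flagged lines on stdout
smbconf_lint() {
    f="$1"
    count=0
    role=$(conf_value "$f" "server role")
    workgroup=$(conf_value "$f" "workgroup")
    if [ "$role" != "active directory domain controller" ]; then
        echo "INFO: server role is '$role', not a DC; nothing to check" >&2
        echo 0
        return 0
    fi
    # Redirect instead of piping so $count survives the loop (no subshell).
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$line" in
            ''|'#'*|';'*) continue ;;   # blank line or comment
            "idmap config "*)
                # the short domain name sits between 'idmap config ' and ':'
                dom=$(printf '%s' "$line" | sed 's/^idmap config \([^:]*\):.*/\1/')
                echo "WARN: '$line' has no effect on a DC" >&2
                if [ "$dom" != "*" ] && [ "$dom" != "$workgroup" ]; then
                    echo "WARN:   domain '$dom' does not match workgroup '$workgroup'" >&2
                fi
                count=$((count + 1)) ;;
            "winbind nss info"*)
                echo "WARN: '$line' has no effect on a DC" >&2
                count=$((count + 1)) ;;
        esac
    done < "$f"
    echo "$count"
}

# Constructed sample: the [global] section as posted in the thread.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
[global]
	workgroup = DAM
	realm = INTRA.DAM-APPLICATION.RO
	netbios name = LOTUS
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes

	# Default idmap config used for BUILTIN and local accounts/groups
	idmap config *:backend = tdb
	idmap config *:range = 2000-9999

	# idmap config for domain INTRA
	idmap config INTRA:backend = ad
	idmap config INTRA:schema_mode = rfc2307
	idmap config INTRA:range = 10000-99999

	# Use settings from AD for login shell and home directory
	winbind nss info = rfc2307
EOF

# Prints 6 (five 'idmap config' lines plus 'winbind nss info') and one WARN per line.
smbconf_lint "$SAMPLE"
```

Run it as `sh lint.sh` or point `smbconf_lint` at `/etc/samba/smb.conf`; on a member server it reports nothing, since those settings are only meaningless on a DC.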
Rowland Penny
2018-Feb-26 10:10 UTC
[Samba] smbclient //server/netlogon -k -c 'ls' fails with "NT_STATUS_LOGON_FAILURE"
On Mon, 26 Feb 2018 09:49:48 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 26 Feb 2018 11:30:58 +0200
> Arcadie Cracan <arcadiec at gmail.com> wrote:
>
> > /etc/samba/smb.conf:
> > # Global parameters
> > [global]
> > workgroup = DAM
> > realm = INTRA.DAM-APPLICATION.RO
> > netbios name = LOTUS
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> > drepl, winbindd, ntp_signd, kcc, dnsupdate
> > idmap_ldb:use rfc2307 = yes
>
> Everything above looks okay and it also shows you are using Bind9, so
> can you post the contents of the various named.conf files.
>
> > # Default idmap config used for BUILTIN and local accounts/groups
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> >
> > # idmap config for domain INTRA
> > idmap config INTRA:backend = ad
> > idmap config INTRA:schema_mode = rfc2307
> > idmap config INTRA:range = 10000-99999
> >
> > # Use settings from AD for login shell and home directory
> > winbind nss info = rfc2307
>
> You might as well remove the above lines, they do not work on a DC,
> they never did and anyway 'INTRA' should be 'DAM' if they did work.
> In fact they may be your problem.
>
> Rowland
>

Just had another thought, if you run 'pstree', do you get something
like this in the output:

├─samba─┬─samba───samba───smbd─┬─cleanupd
│       │                      ├─smbd
│       │                      └─smbd-notifyd
│       ├─samba───samba
│       ├─9*[samba]
│       └─samba───samba───winbindd───3*[winbindd]

If you don't get 'winbindd', try running 'apt-get install winbind'

Rowland
Arcadie Cracan
2018-Feb-26 10:27 UTC
[Samba] smbclient //server/netlogon -k -c 'ls' fails with "NT_STATUS_LOGON_FAILURE"
Dear Rowland,
I have commented out the 'idmap config' options, nothing changed.
Here are my bind9 configs:
/etc/bind/named.conf:
acl goodclients {
192.168.1.0/24;
localhost;
};
include "/etc/bind/named.conf.options";
#include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
/etc/bind/named.conf.options:
options {
directory "/var/cache/bind";
recursion yes;
allow-query { goodclients; };
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
tkey-domain "INTRA.DAM-APPLICATION.RO";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
213.154.124.1;
193.231.252.1;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-enable yes;
dnssec-validation yes;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
};
/etc/bind/named.conf.default-zones:
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
/var/lib/samba/private/named.conf:
dlz "AD DNS Zone" {
# For BIND 9.8.x
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
# For BIND 9.9.x
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
# For BIND 9.10.x
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
# For BIND 9.11.x
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
This is (a part of) the output of 'pstree':
├─samba─┬─samba───smbd─┬─cleanupd
│       │              ├─lpqd
│       │              └─smbd-notifyd
│       ├─10*[samba]
│       └─samba───winbindd───winbindd
So, I guess winbindd is running.
Kind regards,
Arcadie Cracan
On Monday, 26 February 2018, at 11:49:48 EET, Rowland Penny via samba
wrote:
> On Mon, 26 Feb 2018 11:30:58 +0200
> Arcadie Cracan <arcadiec at gmail.com> wrote:
>
> > /etc/samba/smb.conf:
> > # Global parameters
> > [global]
> > workgroup = DAM
> > realm = INTRA.DAM-APPLICATION.RO
> > netbios name = LOTUS
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> > drepl, winbindd, ntp_signd, kcc, dnsupdate
> > idmap_ldb:use rfc2307 = yes
>
> Everything above looks okay and it also shows you are using Bind9, so
> can you post the contents of the various named.conf files.
>
> > # Default idmap config used for BUILTIN and local accounts/groups
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> >
> > # idmap config for domain INTRA
> > idmap config INTRA:backend = ad
> > idmap config INTRA:schema_mode = rfc2307
> > idmap config INTRA:range = 10000-99999
> >
> > # Use settings from AD for login shell and home directory
> > winbind nss info = rfc2307
>
> You might as well remove the above lines, they do not work on a DC,
> they never did and anyway 'INTRA' should be 'DAM' if they did work.
> In fact they may be your problem.
>
> Rowland
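The BIND9_DLZ stanza posted above carries one "database" line per BIND release, with all but one commented out, and a wrong or doubled line is an easy thing to overlook when checking a DC's DNS. The script below is an added example for this thread, not code from the thread, from Samba or from ISC. It assumes the stanza keeps that layout and takes the version-to-module mapping from the comments in the posted file (9.8 -> dlz_bind9.so, 9.9 -> dlz_bind9_9.so, 9.10 -> dlz_bind9_10.so, 9.11 -> dlz_bind9_11.so); the `bind_version` helper assumes `named -v` prints a line starting with "BIND 9.". The sample file it writes is constructed from the stanza posted above.

```shell
#!/bin/sh
# Added example (not from the thread): check the BIND9_DLZ stanza that Samba
# writes to /var/lib/samba/private/named.conf. Exactly one
#   database "dlopen <module>";
# line must be active, and the module must match the installed BIND version.
# Assumption: the version-to-module mapping is the one in that file's comments.

# dlz_expected_module VERSION -> module basename for that BIND release line
dlz_expected_module() {
    case "$1" in
        9.8.*)  echo dlz_bind9.so ;;
        9.9.*)  echo dlz_bind9_9.so ;;
        9.10.*) echo dlz_bind9_10.so ;;
        9.11.*) echo dlz_bind9_11.so ;;
        *)      echo "" ;;
    esac
}

# dlz_active_modules FILE -> path from every uncommented database "dlopen ..." line
dlz_active_modules() {
    sed -n 's/^[[:space:]]*database[[:space:]]*"dlopen[[:space:]]*\([^"]*\)"[[:space:]]*;.*/\1/p' "$1"
}

# bind_version -> "9.x.y" taken from 'named -v' (assumed to start with "BIND 9.")
bind_version() {
    named -v 2>/dev/null | sed -n 's/^BIND \([0-9][0-9.]*\).*/\1/p'
}

# dlz_check FILE VERSION -> 0 and "OK: <path>" on stdout, else 1 with the reason on stderr
dlz_check() {
    mods=$(dlz_active_modules "$1")
    n=$(printf '%s\n' "$mods" | sed '/^$/d' | wc -l | tr -d ' ')
    if [ "$n" -ne 1 ]; then
        echo "FAIL: expected exactly one active database line, found $n" >&2
        return 1
    fi
    want=$(dlz_expected_module "$2")
    if [ -z "$want" ]; then
        echo "FAIL: no module known for BIND $2" >&2
        return 1
    fi
    got=$(basename "$mods")
    if [ "$got" != "$want" ]; then
        echo "FAIL: active module is $got but BIND $2 needs $want" >&2
        return 1
    fi
    echo "OK: $mods"
}

# Constructed sample: the stanza as posted in the thread (BIND 9.10 line active).
NAMED_CONF=$(mktemp)
trap 'rm -f "$NAMED_CONF"' EXIT
cat > "$NAMED_CONF" <<'EOF'
dlz "AD DNS Zone" {
	# For BIND 9.8.x
	# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
	# For BIND 9.9.x
	# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
	# For BIND 9.10.x
	database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
	# For BIND 9.11.x
	# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
EOF

# Prints "OK: /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so".
dlz_check "$NAMED_CONF" 9.10.3
```

On a real DC the call would be `dlz_check /var/lib/samba/private/named.conf "$(bind_version)"`, followed by `test -f` on the printed path, since a module that is named correctly but not installed fails just as silently.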
Rowland Penny
2018-Feb-26 10:54 UTC
[Samba] smbclient //server/netlogon -k -c 'ls' fails with "NT_STATUS_LOGON_FAILURE"
On Mon, 26 Feb 2018 12:27:56 +0200
Arcadie Cracan <arcadiec at gmail.com> wrote:

> Dear Rowland,
>
> I have commented out the 'idmap config' options, nothing changed.
> Here are my bind9 configs:
>
> /etc/bind/named.conf:

Nothing wrong there

>
> /etc/bind/named.conf.options:
> options {
> directory "/var/cache/bind";
> recursion yes;
> allow-query { goodclients; };
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> tkey-domain "INTRA.DAM-APPLICATION.RO";
>
> forwarders {
> 213.154.124.1;
> 193.231.252.1;
> };
>
> dnssec-enable yes;
> dnssec-validation yes;

I have this instead:

dnssec-validation no;
dnssec-enable no;
dnssec-lookaside no;

>
> auth-nxdomain no; # conform to RFC1035
> listen-on-v6 { none; };
> };
>
> /etc/bind/named.conf.default-zones:

Nothing wrong there

>
>
> /var/lib/samba/private/named.conf:

Nothing wrong there

Is Apparmor running or is a firewall running ?

Rowland