samba - Feb 2018 - smbclient //server/netlogon -k -c 'ls' fails with "NT_STATUS_LOGON_FAILURE"

On Mon, 26 Feb 2018 12:27:56 +0200
Arcadie Cracan <arcadiec at gmail.com> wrote:
> Dear Rowland,
> 
> I have commented out the 'idmap config' options, nothing changed.
> Here are my bind9 configs:
> 
> /etc/bind/named.conf:
Nothing wrong there
> 
> /etc/bind/named.conf.options:
> options {
>         directory "/var/cache/bind";
>         recursion yes;
>         allow-query { goodclients; };
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>         tkey-domain "INTRA.DAM-APPLICATION.RO";
> 
>         forwarders {
>                 213.154.124.1;
>                 193.231.252.1;
>         };
> 
>         dnssec-enable yes;
>         dnssec-validation yes;
I have this instead:

        dnssec-validation no;
        dnssec-enable no;
        dnssec-lookaside no;
> 
>         auth-nxdomain no;    # conform to RFC1035
>         listen-on-v6 { none; };
> };
> 
> /etc/bind/named.conf.default-zones:
Nothing wrong there
> 
> 
> /var/lib/samba/private/named.conf:
Nothing wrong there

Is Apparmor running or is a firewall running ?

Rowland

Dear Rowland,

I have no firewall enabled and no apparmor installed:
 # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I have tried the suggested options in named.conf.options, nothing changed.

I have found the following message in my 'log.samba':
GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): 
Failed to find LOTUS$@INTRA.DAM-APPLICATION.RO(kvno 2) in keytab FILE:/var/
lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)

Does it tell you anything?

I have looked in my /var/lib/samba/private/secrets.keytab and I do have that 
entry...

Kind regards,
   Arcadie Cracan

În ziua de luni, 26 februarie 2018, la 12:54:20 EET, Rowland Penny via samba a 
scris:
> On Mon, 26 Feb 2018 12:27:56 +0200
> 
> Arcadie Cracan <arcadiec at gmail.com> wrote:
> > Dear Rowland,
> > 
> > I have commented out the 'idmap config' options, nothing
changed.
> > Here are my bind9 configs:
> 
> > /etc/bind/named.conf:
> Nothing wrong there
> 
> > /etc/bind/named.conf.options:
> > options {
> > 
> >         directory "/var/cache/bind";
> >         recursion yes;
> >         allow-query { goodclients; };
> >         tkey-gssapi-keytab
"/var/lib/samba/private/dns.keytab";
> >         tkey-domain "INTRA.DAM-APPLICATION.RO";
> >         
> >         forwarders {
> >         
> >                 213.154.124.1;
> >                 193.231.252.1;
> >         
> >         };
> >         
> >         dnssec-enable yes;
> >         dnssec-validation yes;
> 
> I have this instead:
> 
>         dnssec-validation no;
>         dnssec-enable no;
>         dnssec-lookaside no;
> 
> >         auth-nxdomain no;    # conform to RFC1035
> >         listen-on-v6 { none; };
> > 
> > };
> 
> > /etc/bind/named.conf.default-zones:
> Nothing wrong there
> 
> > /var/lib/samba/private/named.conf:
> Nothing wrong there
> 
> Is Apparmor running or is a firewall running ?
> 
> Rowland

Dear Rowland,

Based on a hunch I have done:
 # cd /var/lib/samba/private
 # mv secrets.keytab secrets.keytab.orig
 # samba-tool domain exportkeytab secrets.keytab
and restarted samba.

For whatever reason everything started to work again. Was this a stupid thing 
to do? Do you have any idea as to why it works now?

Thank you for your help!

Kind regards,
   Arcadie Cracan

În ziua de luni, 26 februarie 2018, la 13:07:36 EET, Arcadie Cracan a
scris:
> Dear Rowland,
> 
> I have no firewall enabled and no apparmor installed:
>  # iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> I have tried the suggested options in named.conf.options, nothing changed.
> 
> I have found the following message in my 'log.samba':
> GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see
text):
> Failed to find LOTUS$@INTRA.DAM-APPLICATION.RO(kvno 2) in keytab FILE:/var/
> lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
> 
> Does it tell you anything?
> 
> I have looked in my /var/lib/samba/private/secrets.keytab and I do have
that
> entry...
> 
> Kind regards,
>    Arcadie Cracan
> 
> În ziua de luni, 26 februarie 2018, la 12:54:20 EET, Rowland Penny via
samba
> a
> scris:
> > On Mon, 26 Feb 2018 12:27:56 +0200
> > 
> > Arcadie Cracan <arcadiec at gmail.com> wrote:
> > > Dear Rowland,
> > > 
> > > I have commented out the 'idmap config' options, nothing
changed.
> > > Here are my bind9 configs:
> > 
> > > /etc/bind/named.conf:
> > Nothing wrong there
> > 
> > > /etc/bind/named.conf.options:
> > > options {
> > > 
> > >         directory "/var/cache/bind";
> > >         recursion yes;
> > >         allow-query { goodclients; };
> > >         tkey-gssapi-keytab
"/var/lib/samba/private/dns.keytab";
> > >         tkey-domain "INTRA.DAM-APPLICATION.RO";
> > >         
> > >         forwarders {
> > >         
> > >                 213.154.124.1;
> > >                 193.231.252.1;
> > >         
> > >         };
> > >         
> > >         dnssec-enable yes;
> > >         dnssec-validation yes;
> > 
> > I have this instead:
> >         dnssec-validation no;
> >         dnssec-enable no;
> >         dnssec-lookaside no;
> >         
> > >         auth-nxdomain no;    # conform to RFC1035
> > >         listen-on-v6 { none; };
> > > 
> > > };
> > 
> > > /etc/bind/named.conf.default-zones:
> > Nothing wrong there
> > 
> > > /var/lib/samba/private/named.conf:
> > Nothing wrong there
> > 
> > Is Apparmor running or is a firewall running ?
> > 
> > Rowland