Hi,

Recently I tried to build a domain with samba as the domain controller. It’s samba 4.8.0. After I built and installed it on my Linux, I tried to test it via an LDAP connection. But it reminds me that the server is not operational. I used samba 4.5.16 before, and it works well. Is there any difference between samba 4.8.0 and 4.5.x about samba access or LDAP settings especially?

Here’s my smb.conf:

[global]
        bind interfaces only = Yes
        interfaces = 8.22.145.173 127.0.0.1
        log file = /var/FusionAccess/LiteAD/log.samba
        log level = 2
        max log size = 15000
        netbios name = SAMBATEST2
        realm = TESTSAMBA476.HAUWEI.COM
        server role = active directory domain controller
        workgroup = TESTSAMBA476
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[netlogon]
        path = /var/lib/samba/sysvol/testsamba476.hauwei.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

And in log.samba I found these when I used LDAP to access the domain:

[2018/04/11 15:31:18.303677, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2018/04/11 15:31:18.303917, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_IO_DEVICE_ERROR]
[2018/04/11 15:31:18.307704, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 24315 () exited with status 0
[2018/04/11 15:31:18.347855, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2018/04/11 15:31:18.348237, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_IO_DEVICE_ERROR]
[2018/04/11 15:31:18.352456, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 24316 () exited with status 0

Thanks
Ryan Yang
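Added example (not part of the original post, and not Samba project code): a Python parser for log.samba entries in the layout quoted above, which pairs each NTLMSSP signature failure with the LDAP connection teardown logged after it. The sample text is constructed from the entries in the post; the function names and the one-second window are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: the six log.samba entries quoted in the post.
SAMPLE_LOG = """\
[2018/04/11 15:31:18.303677, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2018/04/11 15:31:18.303917, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_IO_DEVICE_ERROR]
[2018/04/11 15:31:18.307704, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 24315 () exited with status 0
[2018/04/11 15:31:18.347855, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2018/04/11 15:31:18.348237, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_IO_DEVICE_ERROR]
[2018/04/11 15:31:18.352456, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 24316 () exited with status 0
"""

# Header line: [timestamp, level] source_file:line(function)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\] (\S+):(\d+)\((\w+)\)\s*$")

def parse_entries(text):
    """Split Samba log text into dicts; indented lines continue the last header."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            ts, level, _path, _line, func = m.groups()
            entries.append({"time": datetime.strptime(ts, "%Y/%m/%d %H:%M:%S.%f"),
                            "level": int(level), "func": func, "msg": ""})
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def signature_failures(entries, window=timedelta(seconds=1)):
    """Pair each NTLMSSP signature failure with the teardown that follows it."""
    pairs = []
    for i, e in enumerate(entries):
        if e["func"] != "ntlmssp_check_packet" or "invalid signature" not in e["msg"]:
            continue
        status = None
        for later in entries[i + 1:]:
            if later["time"] - e["time"] > window:
                break
            if later["func"] == "standard_terminate":
                found = re.search(r"NT_STATUS_\w+", later["msg"])
                status = found.group(0) if found else None
                break
        pairs.append((e["time"], status))
    return pairs
```

Calling `signature_failures(parse_entries(SAMPLE_LOG))` returns one (timestamp, status) pair per failed signature check, which makes it easy to count how many LDAP connections were dropped this way in a larger log.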
On Mon, 16 Apr 2018 09:58:35 +0800 (CST)
Ryan via samba <samba at lists.samba.org> wrote:

> Hi,
> Recently I tried to build a domain with samba as the domain controller.
> It’s samba 4.8.0. After I built and installed it on my Linux, I
> tried to test it via an LDAP connection. But it reminds me that the server
> is not operational. I used samba 4.5.16 before, and it works well. Is
> there any difference between samba 4.8.0 and 4.5.x about samba access
> or LDAP settings especially?

Whilst there have been some ldap changes, these have been improvements and shouldn't affect connecting with ldap.

You say you 'built' Samba 4.8.0 and then installed it on your DC, I take it you mean that you upgraded your original 4.5.16 DC to 4.8.0. If this is the case, you will need to run 'sambaundoguididx' and then revert to an earlier version of Samba.

To put it bluntly, upgrading to 4.8.0 doesn't seem to work and as such, shouldn't be done, wait for the fix that is coming in 4.8.1

Rowland
On Wed, 18 Apr 2018 00:55:45 +0800 (CST)
Ryan <ryanyang51 at 163.com> wrote:

> Hi, Rowland,
> Thanks for your reply.
> In fact, I could build samba 4.5.16 and package it into several rpms.
> Considering 4.5.16 is the last version of samba 4.5.x, I want to use
> samba 4.8.0 instead.

You don't want to use 4.8.0, there is a problem with this version if you upgrade to it.

> I built 4.8.0 in the same way and installed
> those rpms like before, not directly upgrading from 4.5.16.

Then this would be a new domain, but I still wouldn't use 4.8.0

> When I
> found this problem in 4.8.0, I tried 4.7.6 and 4.7.3, but they also
> have the same problem. I use ADExplorer to connect to the domain. When I
> use the wrong username or password it reminds me the username or
> password is wrong. And when I use the right account info to access the domain
> it says "The directory service is not available". So I guess maybe it
> is the permission, not authentication, that gets something wrong. The
> account I used to connect to the domain is a domain administrator account.
> thanks Ryan Yang
>

What exactly are you trying to do? Are you trying to do something the user isn't allowed to?

Rowland
Hi, Rowland,

I wanted to access samba using an administrator account to query some info about the domain or the domain user, such as the sid of a computer in the domain. At first I thought the problem was the LDAP configuration. But it seems not so simple.

Today I found that joining the domain also has a problem. When I try to join a Windows 7 machine to the domain with samba 4.8.0, it takes a long time before it tells me the join succeeded. And then a tip comes out:

  Changing the primary domain dns name of this computer to "" failed. The name will remain "abc.local". The error was: The rpc server is unavailable.

Now I’m afraid that my rpms have a problem. Could you help find if there is any error in my spec file?

Thanks,
RyanYang

At 2018-04-18 02:04:20, "Rowland Penny via samba" <samba at lists.samba.org> wrote:
>On Wed, 18 Apr 2018 00:55:45 +0800 (CST)
>Ryan <ryanyang51 at 163.com> wrote:
>
>> Hi, Rowland,
>> Thanks for your reply.
>> In fact, I could build samba 4.5.16 and package it into several rpms.
>> Considering 4.5.16 is the last version of samba 4.5.x, I want to use
>> samba 4.8.0 instead.
>
>You don't want to use 4.8.0, there is a problem with this version if
>you upgrade to it.
>
>> I built 4.8.0 in the same way and installed
>> those rpms like before, not directly upgrading from 4.5.16.
>
>Then this would be a new domain, but I still wouldn't use 4.8.0
>
>> When I
>> found this problem in 4.8.0, I tried 4.7.6 and 4.7.3, but they also
>> have the same problem. I use ADExplorer to connect to the domain. When I
>> use the wrong username or password it reminds me the username or
>> password is wrong. And when I use the right account info to access the domain
>> it says "The directory service is not available". So I guess maybe it
>> is the permission, not authentication, that gets something wrong. The
>> account I used to connect to the domain is a domain administrator account.
>> thanks Ryan Yang
>>
>
>What exactly are you trying to do? Are you trying to do something the
>user isn't allowed to?
>
>Rowland