So, I set up Samba on Ubuntu 18.04, using the packaged Samba version. [Thanks Rowland/Louis et al.]

I'm doing some testing/tinkering using FreeNAS as a share, using the AD as the authentication back-end.
As part of that process, you need to add a computer account and change some security settings.

I set up RSAT and can see the AD tree, and add users etc.
When I try to switch to advanced view and view the security tab of a created user or computer account, it hangs and never returns the details I'm looking for.

-The machine RSAT is on is pointed at the Samba server for DNS, and it's resolving queries properly.

I can create user/computer accounts fine. It's just when I try to view the security tab, that things hang.
A quick search doesn't seem to find anything.

Nothing in the logs that seems relevant.
Suggestions? [Just point me in the right general direction...unless you have something better...]

TIA
-Greg

Should add...

I'm using the Internal Samba DNS, not BIND_DLZ.

Related:
I noticed that Louis and others appear to be using BIND, and get the feeling BIND is preferred...
Is there a good reason to avoid Samba internal DNS? I, at least in the case I'm testing for, will be using a regular BIND server for everything outside the AD site. [Samba/Active Directory is being set up in a 3rd level domain, which it will have exclusive control over. Like - sambadom.mydomain.com.]

--
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x82
EMail: gregs at sloop.net
http://www.sloop.net
---

Hi Gregory,

On the questions.

> Is there a good reason to avoid Samba internal DNS?

No, imo not, but I only use bind9_dlz because I need bind in my LAN for other setups also.

I just used my RSAT on my win7 64b, but at my point it works fine.

I do have questions to get a better impression of the setup.
What's the OS you're using with RSAT and did you use DOM\Administrator or another account?
Check if Administrator has id 0. (root)

Is there anything showing up in the Windows event logs?

Are the SePrivileges checked if the needed groups/users exist?
I use this script to check this, it shows the SePrivileges.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh

Which shows on my DCs.

SeMachineAccountPrivilege: NTDOM\Domain Admins
SeTakeOwnershipPrivilege: NTDOM\Domain Admins BUILTIN\Administrators
SeBackupPrivilege: NTDOM\Domain Admins BUILTIN\Backup Operators BUILTIN\Administrators BUILTIN\Server Operators
SeRestorePrivilege: NTDOM\Domain Admins BUILTIN\Backup Operators BUILTIN\Administrators BUILTIN\Server Operators
SeRemoteShutdownPrivilege: NTDOM\Domain Admins BUILTIN\Administrators BUILTIN\Server Operators
SePrintOperatorPrivilege: NTDOM\Domain Admins
SeAddUsersPrivilege: NTDOM\Domain Admins
SeDiskOperatorPrivilege: NTDOM\Domain Admins BUILTIN\Administrators
SeSecurityPrivilege: NTDOM\Domain Admins BUILTIN\Administrators
SeSystemtimePrivilege: NTDOM\Domain Admins BUILTIN\Administrators BUILTIN\Server Operators
SeShutdownPrivilege: NTDOM\Domain Admins BUILTIN\Print Operators BUILTIN\Backup Operators BUILTIN\Administrators BUILTIN\Server Operators
SeDebugPrivilege: NTDOM\Domain Admins BUILTIN\Administrators
SeSystemEnvironmentPrivilege: NTDOM\Domain Admins BUILTIN\Administrators
SeSystemProfilePrivilege: NTDOM\Domain Admins BUILTIN\Administrators
SeProfileSingleProcessPrivilege: NTDOM\Domain Admins BUILTIN\Administrators
SeIncreaseBasePriorityPrivilege: NTDOM\Domain Admins BUILTIN\Administrators
SeLoadDriverPrivilege: NTDOM\Domain Admins BUILTIN\Print Operators BUILTIN\Administrators
SeCreatePagefilePrivilege: NTDOM\Domain Admins BUILTIN\Administrators
SeIncreaseQuotaPrivilege: NTDOM\Domain Admins BUILTIN\Administrators
SeChangeNotifyPrivilege: NTDOM\Domain Admins BUILTIN\Administrators BUILTIN\Pre-Windows 2000 Compatible Access
SeUndockPrivilege: NTDOM\Domain Admins BUILTIN\Administrators
SeManageVolumePrivilege: NTDOM\Domain Admins BUILTIN\Administrators
SeImpersonatePrivilege: NTDOM\Domain Admins BUILTIN\Administrators
SeCreateGlobalPrivilege: NTDOM\Domain Admins BUILTIN\Administrators
SeEnableDelegationPrivilege: NTDOM\Domain Admins BUILTIN\Administrators

Have you set up Samba with a higher debug level also? That might show what's missing/going wrong.

A few things to check, this is often a right that's missing somewhere.

Greetz,

Louis

See Inline

LPHvBvs> Hi Gregory,

LPHvBvs> On the questions.
>> Is there a good reason to avoid Samba internal DNS?
LPHvBvs> No, imo not, but I only use bind9_dlz because I need bind in my LAN for other setups also.

LPHvBvs> I just used my RSAT on my win7 64b, but at my point it works fine.

LPHvBvs> I do have questions to get a better impression of the setup.
LPHvBvs> What's the OS you're using with RSAT and did you use
LPHvBvs> DOM\Administrator or another account?
LPHvBvs> Check if Administrator has id 0. (root)

W7P, on a station not joined to the domain. But using this kind of launch.
runas /netonly /user:someco-adc1\administrator "mmc /server=someco-adc1.ad.sncc.local."
[The names are defined in the hosts file, on the W7 box.]

LPHvBvs> Is there anything showing up in the Windows event logs?

No.

LPHvBvs> Are the SePrivileges checked if the needed groups/users exist?
LPHvBvs> I use this script to check this, it shows the SePrivileges.
LPHvBvs> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh

-SNIPPED YOURS-
[But mine don't appear to have "NTDOM\Domain Admins" - which seems odd.]

SeMachineAccountPrivilege:
SeTakeOwnershipPrivilege: BUILTIN\Administrators
SeBackupPrivilege: BUILTIN\Backup Operators BUILTIN\Administrators BUILTIN\Server Operators
SeRestorePrivilege: BUILTIN\Backup Operators BUILTIN\Administrators BUILTIN\Server Operators
SeRemoteShutdownPrivilege: BUILTIN\Administrators BUILTIN\Server Operators
SePrintOperatorPrivilege:
SeAddUsersPrivilege:
SeDiskOperatorPrivilege:
SeSecurityPrivilege: BUILTIN\Administrators
SeSystemtimePrivilege: BUILTIN\Administrators BUILTIN\Server Operators
SeShutdownPrivilege: BUILTIN\Print Operators BUILTIN\Backup Operators BUILTIN\Administrators BUILTIN\Server Operators
SeDebugPrivilege: BUILTIN\Administrators
SeSystemEnvironmentPrivilege: BUILTIN\Administrators
SeSystemProfilePrivilege: BUILTIN\Administrators
SeProfileSingleProcessPrivilege: BUILTIN\Administrators
SeIncreaseBasePriorityPrivilege: BUILTIN\Administrators
SeLoadDriverPrivilege: BUILTIN\Print Operators BUILTIN\Administrators
SeCreatePagefilePrivilege: BUILTIN\Administrators
SeIncreaseQuotaPrivilege: BUILTIN\Administrators
SeChangeNotifyPrivilege: BUILTIN\Administrators BUILTIN\Pre-Windows 2000 Compatible Access
SeUndockPrivilege: BUILTIN\Administrators
SeManageVolumePrivilege: BUILTIN\Administrators
SeImpersonatePrivilege: BUILTIN\Administrators
SeCreateGlobalPrivilege: BUILTIN\Administrators
SeEnableDelegationPrivilege: BUILTIN\Administrators

LPHvBvs> Have you set up Samba with a higher debug level also? That
LPHvBvs> might show what's missing/going wrong.

Samba logs, [log level = 2]
Opening a user/computer properties gives these log lines:

[2018/05/21 17:05:15.278252, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT]
[2018/05/21 17:05:15.283207, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 27541 () exited with status 0
[2018/05/21 17:05:15.327654, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2018/05/21 17:05:15.328495, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_IO_DEVICE_ERROR]
[2018/05/21 17:05:15.333242, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 27553 () exited with status 0

[Multiple times]

Then when I open the security tab, and force close after the hang of the MMC, I get this.

[2018/05/21 17:05:36.549449, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
[2018/05/21 17:05:36.549762, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
[2018/05/21 17:05:36.549967, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET]
  standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET]
  standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET]
[2018/05/21 17:05:36.550139, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET]
[2018/05/21 17:05:36.565558, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 27531 () exited with status 0
[2018/05/21 17:05:36.565742, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 27524 () exited with status 0
[2018/05/21 17:05:36.565877, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 27561 () exited with status 0
[2018/05/21 17:05:36.566021, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 27552 () exited with status 0

Not sure if any of that is helpful, but let's see.
I'll keep digging too.

-Greg
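
Added example, not part of the original thread and not taken from samba-check-SePrivileges.sh: a Python comparison of two privilege listings like the ones posted above, reporting which holders the second listing lacks and which privileges have no holder at all. It assumes one `SeXxxPrivilege: holders` row per line; the sample rows are excerpted from the two listings in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: rows excerpted from the two listings posted in this thread.
REFERENCE = r"""
SeMachineAccountPrivilege: NTDOM\Domain Admins
SeTakeOwnershipPrivilege: NTDOM\Domain Admins BUILTIN\Administrators
SeDiskOperatorPrivilege: NTDOM\Domain Admins BUILTIN\Administrators
SeChangeNotifyPrivilege: NTDOM\Domain Admins BUILTIN\Administrators BUILTIN\Pre-Windows 2000 Compatible Access
"""
CANDIDATE = r"""
SeMachineAccountPrivilege:
SeTakeOwnershipPrivilege: BUILTIN\Administrators
SeDiskOperatorPrivilege:
SeChangeNotifyPrivilege: BUILTIN\Administrators BUILTIN\Pre-Windows 2000 Compatible Access
"""

# Account names are DOMAIN\Name and may contain spaces, so an account ends
# where the next "WORD\" prefix starts (or at end of line), not at whitespace.
ACCOUNT_RE = re.compile(r"[A-Za-z0-9_.-]+\\.+?(?=\s+[A-Za-z0-9_.-]+\\|\s*$)")

def parse_privileges(text):
    """Map each Se*Privilege name to the set of accounts that hold it."""
    holders = {}
    for line in text.splitlines():
        name, sep, rest = line.strip().partition(":")
        if not sep or not re.fullmatch(r"Se\w+Privilege", name):
            continue  # blank line or not a privilege row
        holders[name] = set(ACCOUNT_RE.findall(rest))
    return holders

def missing_holders(reference, candidate):
    """Return {privilege: sorted accounts in reference but not in candidate}."""
    gaps = {}
    for priv, accounts in reference.items():
        absent = accounts - candidate.get(priv, set())
        if absent:
            gaps[priv] = sorted(absent)
    return gaps

def unassigned(holders):
    """Privileges that are listed but have no holder at all."""
    return sorted(priv for priv, accounts in holders.items() if not accounts)

if __name__ == "__main__":
    ref, cand = parse_privileges(REFERENCE), parse_privileges(CANDIDATE)
    for priv, accounts in missing_holders(ref, cand).items():
        print(f"{priv}: missing {', '.join(accounts)}")
    print("no holders at all:", ", ".join(unassigned(cand)))
```
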