Anantha Raghava
2018-Jun-30  15:39 UTC
[Samba] Developed an issue with Samba File Server integrated with Samba-AD
Hello Rowland,

> On Sat, 30 Jun 2018 14:51:48 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> We have been using Samba File Server (Version 4.3.11 Ubuntu 14.04
>> LTS) for quite some time now. We recently installed Samba-AD (Samba AD
>> Version 4.7.6) and made the file server a member of the Domain.
>> Everything was fine till around 11:15 am yesterday. We just added one
>> more share folder and gave access to three users and restarted Samba
>> File Server services
>> - smbd, nmbd and winbindd - services and we lost the file server.
>> None of the domain users is able to login to file server and access
>> their shares. If we access the shares from a non-domain member PC,
>> shares are accessible.
>>
>> File server when accessed asks for user name & password. Once the
>> user feeds his credentials, the login fails and again the file server
>> will ask for user credentials. This is really surprising.
>>
>> We enabled log level 3 on both samba servers (File & AD Server) and
>> we see nothing with respect to this error.
>>
>> Our smb.conf (samba file server) and Samba-AD (AD-smb.conf) are
>> attached.
>>
>> I am aware that Samba file server is very old and it's time to
>> upgrade. However, getting it back live is now critical for us.
>>
>> Look forward for any guidance.
>>
>> Thanks & Regards,
>>
>> Anantha Raghava
>>
>> Do not print this e-mail unless required. Save Paper & trees.
>>
> There doesn't seem to be anything really wrong with the Unix domain
> member smb.conf, apart from it having a netlogon share (this in my
> opinion should only be on a PDC or DC). I would leave the domain,
> remove the netlogon share, remove all Samba .ldb and .tdb files
> (usually in /var/lib/samba), then rejoin the domain and restart the
> samba daemons (nmbd, smbd and winbindd), this will recreate all the
> Samba databases.
>
> If this doesn't work, add 'log level = 10' to smb.conf on the Unix
> domain member and see if anything pops out.
>
> I have however noticed this:
>
> DC smb.conf:
>
> realm = XXXX.COM
> workgroup = XXXX
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/exza.com/scripts
>
> Unix domain member smb.conf:
>
> workgroup = CSAEROTHERM
> realm = CSAEROTHERM.COM
>
> On the DC, the realm appears to actually be 'exza.com' but on the Unix
> domain member it is set to 'CSAEROTHERM.COM', these must match, yours
> don't.

This is matching. I was just comparing the smb.conf of AD DC on exza.com server with that of CSAEROTHERM.COM. Since it was same, I just copied smb.conf from exza.com server and attached to the mail.

I tried your suggestion. I attempted to leave domain. It resulted in:

root@samba-64:/var/lib/samba# net ads leave -U administrator
No realm set, are we joined ?

& If I try to join the domain, it results in :

root@samba-64:/var/lib/samba# net ads join -U administrator
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.

>
> Rowland
>

Regards,

Anantha Raghava
Rowland Penny
2018-Jun-30  15:52 UTC
[Samba] Developed an issue with Samba File Server integrated with Samba-AD
On Sat, 30 Jun 2018 21:09:07 +0530
Anantha Raghava via samba <samba at lists.samba.org> wrote:

> Hello Rowland,
>
> > On Sat, 30 Jun 2018 14:51:48 +0530
> > Anantha Raghava via samba <samba at lists.samba.org> wrote:
> >
> >> Hi,
> >>
> >> We have been using Samba File Server (Version 4.3.11 Ubuntu 14.04
> >> LTS) for quite some time now. We recently installed Samba-AD (Samba
> >> AD Version 4.7.6) and made the file server a member of the Domain.
> >> Everything was fine till around 11:15 am yesterday. We just added
> >> one more share folder and gave access to three users and restarted
> >> Samba File Server services
> >> - smbd, nmbd and winbindd - services and we lost the file server.
> >> None of the domain users is able to login to file server and access
> >> their shares. If we access the shares from a non-domain member PC,
> >> shares are accessible.
> >>
> >> File server when accessed asks for user name & password. Once the
> >> user feeds his credentials, the login fails and again the file
> >> server will ask for user credentials. This is really surprising.
> >>
> >> We enabled log level 3 on both samba servers (File & AD Server) and
> >> we see nothing with respect to this error.
> >>
> >> Our smb.conf (samba file server) and Samba-AD (AD-smb.conf) are
> >> attached.
> >>
> >> I am aware that Samba file server is very old and it's time to
> >> upgrade. However, getting it back live is now critical for us.
> >>
> >> Look forward for any guidance.
> >>
> >> Thanks & Regards,
> >>
> >> Anantha Raghava
> >>
> >> Do not print this e-mail unless required. Save Paper & trees.
> >>
> > There doesn't seem to be anything really wrong with the Unix domain
> > member smb.conf, apart from it having a netlogon share (this in my
> > opinion should only be on a PDC or DC). I would leave the domain,
> > remove the netlogon share, remove all Samba .ldb and .tdb files
> > (usually in /var/lib/samba), then rejoin the domain and restart the
> > samba daemons (nmbd, smbd and winbindd), this will recreate all the
> > Samba databases.
> >
> > If this doesn't work, add 'log level = 10' to smb.conf on the Unix
> > domain member and see if anything pops out.
> >
> > I have however noticed this:
> >
> > DC smb.conf:
> >
> > realm = XXXX.COM
> > workgroup = XXXX
> >
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/exza.com/scripts
> >
> > Unix domain member smb.conf:
> >
> > workgroup = CSAEROTHERM
> > realm = CSAEROTHERM.COM
> >
> > On the DC, the realm appears to actually be 'exza.com' but on the
> > Unix domain member it is set to 'CSAEROTHERM.COM', these must
> > match, yours don't.
> This is matching. I was just comparing the smb.conf of AD DC on
> exza.com server with that of CSAEROTHERM.COM. Since it was same, I
> just copied smb.conf from exza.com server and attached to the mail.
>
> I tried your suggestion. I attempted to leave domain. It resulted
> in:
>
> root@samba-64:/var/lib/samba# net ads leave -U administrator
> No realm set, are we joined ?
>
> & If I try to join the domain, it results in :
>
> root@samba-64:/var/lib/samba# net ads join -U administrator
> Host is not configured as a member server.
> Invalid configuration. Exiting....
> Failed to join domain: This operation is only allowed for the PDC of
> the domain.
>
> >
> > Rowland
> >
> Regards,
>
> Anantha Raghava

I ran your smb.conf through testparm and it found something I missed, you do not have a [global] section ;-)
You have a [gdlobal] section !

Rowland
Anantha Raghava
2018-Jun-30  16:09 UTC
[Samba] Developed an issue with Samba File Server integrated with Samba-AD
> On Sat, 30 Jun 2018 21:09:07 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>
>> Hello Rowland,
>>
>>> On Sat, 30 Jun 2018 14:51:48 +0530
>>> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> We have been using Samba File Server (Version 4.3.11 Ubuntu 14.04
>>>> LTS) for quite some time now. We recently installed Samba-AD (Samba
>>>> AD Version 4.7.6) and made the file server a member of the Domain.
>>>> Everything was fine till around 11:15 am yesterday. We just added
>>>> one more share folder and gave access to three users and restarted
>>>> Samba File Server services
>>>> - smbd, nmbd and winbindd - services and we lost the file server.
>>>> None of the domain users is able to login to file server and access
>>>> their shares. If we access the shares from a non-domain member PC,
>>>> shares are accessible.
>>>>
>>>> File server when accessed asks for user name & password. Once the
>>>> user feeds his credentials, the login fails and again the file
>>>> server will ask for user credentials. This is really surprising.
>>>>
>>>> We enabled log level 3 on both samba servers (File & AD Server) and
>>>> we see nothing with respect to this error.
>>>>
>>>> Our smb.conf (samba file server) and Samba-AD (AD-smb.conf) are
>>>> attached.
>>>>
>>>> I am aware that Samba file server is very old and it's time to
>>>> upgrade. However, getting it back live is now critical for us.
>>>>
>>>> Look forward for any guidance.
>>>>
>>>> Thanks & Regards,
>>>>
>>>> Anantha Raghava
>>>>
>>>> Do not print this e-mail unless required. Save Paper & trees.
>>>>
>>> There doesn't seem to be anything really wrong with the Unix domain
>>> member smb.conf, apart from it having a netlogon share (this in my
>>> opinion should only be on a PDC or DC). I would leave the domain,
>>> remove the netlogon share, remove all Samba .ldb and .tdb files
>>> (usually in /var/lib/samba), then rejoin the domain and restart the
>>> samba daemons (nmbd, smbd and winbindd), this will recreate all the
>>> Samba databases.
>>>
>>> If this doesn't work, add 'log level = 10' to smb.conf on the Unix
>>> domain member and see if anything pops out.
>>>
>>> I have however noticed this:
>>>
>>> DC smb.conf:
>>>
>>> realm = XXXX.COM
>>> workgroup = XXXX
>>>
>>> [netlogon]
>>> path = /usr/local/samba/var/locks/sysvol/exza.com/scripts
>>>
>>> Unix domain member smb.conf:
>>>
>>> workgroup = CSAEROTHERM
>>> realm = CSAEROTHERM.COM
>>>
>>> On the DC, the realm appears to actually be 'exza.com' but on the
>>> Unix domain member it is set to 'CSAEROTHERM.COM', these must
>>> match, yours don't.
>> This is matching. I was just comparing the smb.conf of AD DC on
>> exza.com server with that of CSAEROTHERM.COM. Since it was same, I
>> just copied smb.conf from exza.com server and attached to the mail.
>>
>> I tried your suggestion. I attempted to leave domain. It resulted
>> in:
>>
>> root@samba-64:/var/lib/samba# net ads leave -U administrator
>> No realm set, are we joined ?
>>
>> & If I try to join the domain, it results in :
>>
>> root@samba-64:/var/lib/samba# net ads join -U administrator
>> Host is not configured as a member server.
>> Invalid configuration. Exiting....
>> Failed to join domain: This operation is only allowed for the PDC of
>> the domain.
>>
>>> Rowland
>>>
>> Regards,
>>
>> Anantha Raghava
> I ran your smb.conf through testparm and it found something I missed,
> you do not have a [global] section ;-)
> You have a [gdlobal] section !

MY GOD!!!

>
> Rowland
>
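
Added example (not part of the thread and not Samba code): a small Python audit for the failure Rowland found, where a misspelled [global] header makes Samba read the domain settings as an ordinary share, which is consistent with the "No realm set" message above. The GLOBAL_ONLY subset, the function names and the sample file (including its security = ads line) are assumptions made for illustration; testparm remains the authoritative check.

```python
import difflib
import re

# Global-only parameters checked here (a subset chosen for this example).
GLOBAL_ONLY = {"realm", "workgroup", "security", "netbios name", "log level"}
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
PARAM_RE = re.compile(r"^\s*([^=#;]+?)\s*=\s*(.*)$")

def parse_sections(text):
    """Return {section: {param: value}}; names are lowercased (smb.conf ignores case)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            # Collapse internal whitespace so "Log   Level" equals "log level".
            key = " ".join(m.group(1).lower().split())
            sections[current][key] = m.group(2).strip()
    return sections

def audit(text):
    """List findings: missing [global], likely typo, misplaced global parameters."""
    sections = parse_sections(text)
    findings = []
    if "global" not in sections:
        near = difflib.get_close_matches("global", sections, n=1, cutoff=0.8)
        hint = f"; [{near[0]}] looks like a typo for it" if near else ""
        findings.append("no [global] section" + hint)
    for name, params in sections.items():
        if name == "global":
            continue
        misplaced = sorted(GLOBAL_ONLY & params.keys())
        if misplaced:
            findings.append(
                f"[{name}] holds global-only parameters: {', '.join(misplaced)}")
    return findings

# Constructed sample: realm/workgroup are from the thread, security = ads is assumed.
SAMPLE = ("[gdlobal]\n  workgroup = CSAEROTHERM\n"
          "  realm = CSAEROTHERM.COM\n  security = ads\n")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Running a check like this (or testparm itself) before restarting smbd, nmbd and winbindd catches the edit before it takes the member server out of the domain.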