L.P.H. van Belle
2019-Jun-26 14:25 UTC
[Samba] Samba 4.10 member: SMB login no longer working
Hai,

And OMG... You're right, it's my fault. :-/

I didn't say to you that you needed to make the changes, to change what Rowland showed.
I'm really sorry.. ;-) When I'm in Austria I'll buy you a beer.
Or, if you want, teach you snowboarding.. I have another guy in Austria that can't ski/board.
I'm going to teach him also. .. So funny, a Dutch guy teaching Austrian guys.. :-)

And how is it running now, do you notice your network is running better after the big changes?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sven Schwedas via samba
> Sent: Wednesday, 26 June 2019 16:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.10 member: SMB login no longer working
>
> On 26.06.19 15:32, L.P.H. van Belle via samba wrote:
> > Sven...
> >
> > What did you do. .. I thought this was all done/fixed. ;-)
>
> I installed your packages, so naturally everything is your fault. ;)
>
> Setting
>
> > kerberos method = secrets and keytab
>
> as suggested by Rowland did the trick. Guess I was too overzealous in
> trying to merge the servers' different smb.conf files together.
>
> >> Failed to find
> >> cifs/graz-file.ad.tao.at@AD.TAO.AT(kvno 100) in keytab
> >> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> >
> > You need to add the cifs/ SPN also to the AD and the keytab.
> > https://wiki.samba.org/index.php/Generating_Keytabs
> >
> > Greetz,
> >
> > Louis
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> >> Sent: Wednesday, 26 June 2019 15:16
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Samba 4.10 member: SMB login no longer working
> >>
> >> On 26/06/2019 10:36, Sven Schwedas via samba wrote:
> >>> Overall domain architecture hasn't changed since my spring cleanup post
> >>> earlier (I did sort out the krb5 packages and logging settings, though).
> >>>
> >>> To start the migration, I figured I'd first update the file servers,
> >>> since they're the least critical component. Upgrade 4.5 → 4.8, 4.8 → 4.9,
> >>> 4.9 → 4.10 seemed to work fine each step.
> >>>
> >>> However, SMB logins either with smbclient or with Windows, Mac clients
> >>> no longer work, generating the following error message:
> >>>
> >>>> [2019/06/26 11:24:13.015993, 3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
> >>>>   Selected protocol SMB2_10
> >>>> [2019/06/26 11:24:13.021148, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
> >>>>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/graz-file.ad.tao.at@AD.TAO.AT(kvno 100) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> >>>> [2019/06/26 11:24:13.021265, 1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
> >>>>   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> >>>> [2019/06/26 11:24:13.021469, 3] ../../source3/smbd/smb2_server.c:3201(smbd_smb2_request_error_ex)
> >>>>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
> >>>> [2019/06/26 11:24:13.022945, 3] ../../source3/smbd/server_exit.c:236(exit_server_common)
> >>>>   Server exit (NT_STATUS_END_OF_FILE)
> >>>
> >>> wbinfo -t says the domain join is fine, and logins via winbind work fine
> >>> too, so I'm not sure what's causing this error. As far as I can see, all the
> >>> login-related smb.conf changes didn't affect us, since we were already
> >>> on the backwards compatible defaults.
> >>>
> >>> smb.conf:
> >>>
> >>>> [global]
> >>>>     deadtime = 15
> >>>>     dns forwarder = 8.8.8.8
> >>>>     kerberos method = system keytab
> >>>>     logging = syslog
> >>>>     realm = AD.TAO.AT
> >>>>     security = ADS
> >>>>     server string = Netzlaufwerke Graz
> >>>>     template homedir = /home/%U
> >>>>     template shell = /bin/bash
> >>>>     tls cafile = /usr/local/share/ca-certificates/tao-ad-ca.crt
> >>>>     winbind use default domain = Yes
> >>>>     workgroup = AD
> >>>>     idmap config ad : unix_nss_info = yes
> >>>
> >>> This was the only change that seemed necessary for a pure domain member
> >>> like this.
> >>>
> >>>>     idmap config ad : schema_mode = rfc2307
> >>>>     idmap config ad : range = 4500-50000
> >>>>     idmap config ad : backend = ad
> >>>>     idmap config * : range = 60000-61000
> >>>>     idmap_ldb:use rfc2307 = yes
> >>>>     idmap config * : backend = tdb
> >>>>     acl group control = Yes
> >>>>     aio read size = 16384
> >>>>     aio write size = 16384
> >>>>     create mask = 0770
> >>>>     directory mask = 0770
> >>>>     force create mode = 0660
> >>>>     force directory mode = 02770
> >>>>     inherit acls = Yes
> >>>>     inherit owner = windows and unix
> >>>>     inherit permissions = Yes
> >>>>     read only = No
> >>>>     use sendfile = Yes
> >>>>
> >>>>
> >>>> [homes]
> >>>>     comment = ~
> >>>>     volume = nethome
> >>>>
> >>>>
> >>>> [print$]
> >>>>     comment = Druckertreiber Windows
> >>>>     path = /srv/smb/Drucker/
> >>>>
> >>>>
> >>>> [printers]
> >>>>     browseable = No
> >>>>     comment = Drucker
> >>>>     path = /var/spool/samba
> >>>>     printable = Yes
> >>>>
> >>>>
> >>>> [public-graz]
> >>>>     comment = S:
> >>>>     path = /srv/smb
> >>>>     vfs objects = recycle
> >>>>     volume = Graz
> >>>>     recycle:versions = yes
> >>>>     recycle:keeptree = yes
> >>
> >> I would remove these lines:
> >>
> >> dns forwarder = 8.8.8.8
> >>
> >> idmap_ldb:use rfc2307 = yes
> >>
> >> They only make sense on a DC
> >>
> >> I would also replace 'kerberos method = system keytab' with 'kerberos
> >> method = secrets and keytab'
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
>
> --
> Mit freundlichen Grüßen, / Best Regards,
> Sven Schwedas, Systemadministrator
> sven.schwedas at tao.at | +43 680 301 7167
> TAO Digital | Part of TAO Beratungs- & Management GmbH
> Lendplatz 45 | FN 213999f/Klagenfurt, Commercial Register Court Villach
> A8020 Graz | https://www.tao-digital.at
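The gse.c line quoted above names the three things that have to line up before smbd will accept a Kerberos AP-REQ: the service principal (cifs/graz-file.ad.tao.at@AD.TAO.AT), the key version the KDC encrypted the ticket with (kvno 100) and the encryption type (arcfour-hmac-md5); the keytab smbd consulted (the in-memory MEMORY:cifs_srv_keytab it builds from whatever `kerberos method` points it at) had no entry matching all three. The Python below is an added example, not Samba code: it parses such smbd log lines together with a `klist -ke` listing (the format Matthew posts further down this page) and says which of the three is missing, which is the question to answer before deciding between "export the SPN", "refresh a stale keytab" and "change `kerberos method`". The log line is the one from the thread, joined back onto one line; the two keytab listings are constructed for illustration and the reason codes returned by `diagnose()` are my own naming.

```python
import re
from typing import NamedTuple

# smbd/gse.c wording as quoted in the thread (the text comes from the krb5 library).
MISSING_KEY_RE = re.compile(
    r"Failed to find (?P<princ>[^\s(]+)\s*\(kvno (?P<kvno>\d+)\) in keytab "
    r"(?P<keytab>\S+) \((?P<enctype>[^)]+)\)"
)
# One entry line of `klist -ke`, e.g. "   2 HOST/dc1@REALM (aes256-cts-hmac-sha1-96)"
KLIST_ENTRY_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<princ>\S+)\s+\((?P<enctype>[^)]+)\)\s*$")

# klist and the GSSAPI error text do not spell enctype names the same way.
ENCTYPE_ALIASES = {
    "arcfour-hmac-md5": "arcfour-hmac",
    "rc4-hmac": "arcfour-hmac",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
}


def norm_enctype(name: str) -> str:
    name = name.strip().lower()
    return ENCTYPE_ALIASES.get(name, name)


class MissingKey(NamedTuple):
    principal: str
    kvno: int
    keytab: str
    enctype: str


def parse_missing_keys(log_text: str) -> list:
    """Extract every 'Failed to find ... in keytab' event from smbd log text."""
    found = []
    for line in log_text.splitlines():
        m = MISSING_KEY_RE.search(line)
        if m:
            found.append(MissingKey(m["princ"], int(m["kvno"]), m["keytab"], norm_enctype(m["enctype"])))
    return found


def parse_klist(klist_text: str) -> set:
    """Return {(principal, kvno, enctype)} from `klist -ke` output; header lines are skipped."""
    entries = set()
    for line in klist_text.splitlines():
        m = KLIST_ENTRY_RE.match(line)
        if m:
            entries.add((m["princ"], int(m["kvno"]), norm_enctype(m["enctype"])))
    return entries


def diagnose(missing: list, keytab_entries: set) -> list:
    """Pair each missing key with the narrowest reason the keytab cannot serve it."""
    by_princ = {}
    for princ, kvno, enc in keytab_entries:
        by_princ.setdefault(princ, set()).add((kvno, enc))
    results = []
    for key in missing:
        have = by_princ.get(key.principal, set())
        if not have:
            reason = "principal-absent"   # the SPN was never exported into this keytab
        elif key.kvno not in {k for k, _ in have}:
            reason = "kvno-mismatch"      # keytab predates the current machine password
        elif (key.kvno, key.enctype) not in have:
            reason = "enctype-absent"     # right key version, but not for this cipher
        else:
            reason = "present"            # keytab is fine; smbd must be reading a different one
        results.append((key, reason))
    return results


# Log lines from the thread (the wrapped message joined back onto one line).
SAMPLE_LOG = (
    "[2019/06/26 11:24:13.021148, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)\n"
    "  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find "
    "cifs/graz-file.ad.tao.at@AD.TAO.AT(kvno 100) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]\n"
)

# Constructed keytab listings (not from the thread): one without the cifs/ SPN at all,
# one that holds it only at an older kvno.
KEYTAB_NO_CIFS = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
 100 host/graz-file.ad.tao.at@AD.TAO.AT (arcfour-hmac)
 100 GRAZ-FILE$@AD.TAO.AT (aes256-cts-hmac-sha1-96)
"""
KEYTAB_STALE_CIFS = KEYTAB_NO_CIFS + "  99 cifs/graz-file.ad.tao.at@AD.TAO.AT (arcfour-hmac)\n"

if __name__ == "__main__":
    missing = parse_missing_keys(SAMPLE_LOG)
    for keytab in (KEYTAB_NO_CIFS, KEYTAB_STALE_CIFS):
        for key, reason in diagnose(missing, parse_klist(keytab)):
            print(f"{key.principal} kvno={key.kvno} {key.enctype}: {reason}")
```

On a real member server, feed it `grep 'Failed to find' /var/log/samba/log.smbd` and `klist -ke /etc/krb5.keytab` (or the keytab named by `dedicated keytab file`); a "present" verdict against the system keytab while smbd still fails is the signature of smbd consulting a different source, which is what `kerberos method` selects.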
Sven Schwedas
2019-Jun-26 14:39 UTC
[Samba] Samba 4.10 member: SMB login no longer working
On 26.06.19 16:25, L.P.H. van Belle via samba wrote:
> Hai,
>
> And OMG... You're right, it's my fault. :-/
>
> I didn't say to you that you needed to make the changes, to change what Rowland showed.
> I'm really sorry.. ;-) When I'm in Austria I'll buy you a beer.
> Or, if you want, teach you snowboarding.. I have another guy in Austria that can't ski/board.
> I'm going to teach him also. .. So funny, a Dutch guy teaching Austrian guys.. :-)
>
> And how is it running now, do you notice your network is running better after the big changes?

The big change (updating the DCs) hasn't happened just yet, I'm just
testing the waters with the file servers. But having fewer outages than
before certainly helps already.

> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sven Schwedas via samba
>> Sent: Wednesday, 26 June 2019 16:02
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4.10 member: SMB login no longer working
>>
>> On 26.06.19 15:32, L.P.H. van Belle via samba wrote:
>>> Sven...
>>>
>>> What did you do. .. I thought this was all done/fixed. ;-)
>>
>> I installed your packages, so naturally everything is your fault. ;)
>>
>> Setting
>>
>>> kerberos method = secrets and keytab
>>
>> as suggested by Rowland did the trick. Guess I was too overzealous in
>> trying to merge the servers' different smb.conf files together.
>>
>>>> Failed to find
>>>> cifs/graz-file.ad.tao.at@AD.TAO.AT(kvno 100) in keytab
>>>> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>>
>>> You need to add the cifs/ SPN also to the AD and the keytab.
>>> https://wiki.samba.org/index.php/Generating_Keytabs
>>>
>>> Greetz,
>>>
>>> Louis

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
sven.schwedas at tao.at | +43 680 301 7167
TAO Digital | Part of TAO Beratungs- & Management GmbH
Lendplatz 45 | FN 213999f/Klagenfurt, Commercial Register Court Villach
A8020 Graz | https://www.tao-digital.at
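Rowland's advice, which Sven confirms above fixed the logins, comes down to three lines of a member server's smb.conf: drop `dns forwarder` and `idmap_ldb:use rfc2307`, which only make sense on a DC, and replace `kerberos method = system keytab` (smbd then reads only the system keytab) with `secrets and keytab` (secrets.tdb first, then the system keytab). The Python below is an added example, not Samba code or anything from the thread: a small linter that parses an smb.conf, reports exactly those three points for a `security = ADS` member, and writes the corrected file back out line by line so comments, order and indentation survive. The sample configuration is the [global] section Sven posted (shares omitted); the list of DC-only options is deliberately limited to the two the thread names.

```python
import configparser

# Options Rowland flagged as DC-only; on a member server they do nothing useful.
DC_ONLY_OPTIONS = ("dns forwarder", "idmap_ldb:use rfc2307")

# Value the thread replaced, and the one that made logins work again.
WEAK_KERBEROS_METHOD = "system keytab"
FIXED_KERBEROS_METHOD = "secrets and keytab"


def load_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf text. Only '=' separates key and value, because Samba keys
    such as 'idmap config ad : backend' contain ':'; %-macros are left alone."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def lint_member_smb_conf(text: str) -> list:
    """Return (option, problem) pairs for a domain-member smb.conf."""
    g = load_smb_conf(text)["global"]
    if g.get("security", "").strip().lower() != "ads":
        return [("security", "not 'ADS'; this linter only checks AD domain members")]
    findings = []
    for opt in DC_ONLY_OPTIONS:
        if opt in g:
            findings.append((opt, "only makes sense on a DC; remove it from a member"))
    method = g.get("kerberos method", "secrets only").strip().lower()
    if method == WEAK_KERBEROS_METHOD:
        findings.append(("kerberos method",
                         f"'{WEAK_KERBEROS_METHOD}' reads only the system keytab; "
                         f"use '{FIXED_KERBEROS_METHOD}'"))
    return findings


def fix_member_smb_conf(text: str) -> str:
    """Apply the two fixes textually, keeping everything else byte-for-byte."""
    out = []
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith(("#", ";")):
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in DC_ONLY_OPTIONS:
                continue                      # drop the DC-only line entirely
            if key.lower() == "kerberos method" and value.lower() == WEAK_KERBEROS_METHOD:
                indent = line[: len(line) - len(line.lstrip())]
                line = f"{indent}kerberos method = {FIXED_KERBEROS_METHOD}"
        out.append(line)
    return "\n".join(out) + "\n"


# [global] section as posted in the thread (shares omitted).
SAMPLE_SMB_CONF = """\
[global]
    deadtime = 15
    dns forwarder = 8.8.8.8
    kerberos method = system keytab
    logging = syslog
    realm = AD.TAO.AT
    security = ADS
    server string = Netzlaufwerke Graz
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = Yes
    workgroup = AD
    idmap config ad : unix_nss_info = yes
    idmap config ad : schema_mode = rfc2307
    idmap config ad : range = 4500-50000
    idmap config ad : backend = ad
    idmap config * : range = 60000-61000
    idmap_ldb:use rfc2307 = yes
    idmap config * : backend = tdb
"""

if __name__ == "__main__":
    for opt, problem in lint_member_smb_conf(SAMPLE_SMB_CONF):
        print(f"{opt}: {problem}")
    print(fix_member_smb_conf(SAMPLE_SMB_CONF))
```

Run `testparm -s` on the rewritten file before installing it: the linter only understands the subset of smb.conf syntax shown here (no `include =` or `config file =`), and testparm is the authority on whether Samba will load the result.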
Matthew Delfino
2019-Jun-26 17:44 UTC
[Samba] Samba 4.10 member: SMB login no longer working
Thank you, Louis, for your reply. By simply asking me to provide outputs of the aforementioned files, I found the cause of my first problem (auth failing). It was my /etc/hosts file on dc1. All of them should look like this, and indeed DC2 and DC3's *did* look like this:

# cat /etc/hosts
> 127.0.0.1       localhost.samdom.mycompany.net  localhost
> 192.168.3.201   dc1.samdom.mycompany.net   dc1
> 192.168.3.202   dc2.samdom.mycompany.net   dc2
> 192.168.3.203   dc3.samdom.mycompany.net   dc3
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters

DC1's /etc/hosts looked the same, except for the third line, which looked like this:

> 192.168.3.203   dc2.samdom.mycompany.net   dc2

That's the same IP as for dc3 on the fourth line! Changing its IP address to 192.168.3.202 to match the other two hosts files swiftly put an end to my failed authentications.

But, I still see this whenever I compare any of my DCs to DC1:

# samba-tool ldapcmp ldap://dc1 ldap://dc2 -Uadministrator
> Password for [SAMDOM\administrator]:
>
> * Comparing [DOMAIN] context...
>
> * Objects to be compared: 1723
>
> Comparing:
> 'CN=DC2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET' [ldap://dc1]
> 'CN=DC2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET' [ldap://dc2]
>     Attributes found only in ldap://dc2:        SERVERREFERENCEBL
>
>     FAILED
>
> * Result for [DOMAIN]: FAILURE
>
> SUMMARY
> ---------
>
> Attributes found only in ldap://dc2:
>
>     SERVERREFERENCEBL
>
> * Comparing [CONFIGURATION] context...
>
> * Objects to be compared: 1623
>
> * Result for [CONFIGURATION]: SUCCESS
>
> * Comparing [SCHEMA] context...
>
> * Objects to be compared: 1578
>
> * Result for [SCHEMA]: SUCCESS
>
> * Comparing [DNSDOMAIN] context...
>
> * Objects to be compared: 166
>
> * Result for [DNSDOMAIN]: SUCCESS
>
> * Comparing [DNSFOREST] context...
>
> * Objects to be compared: 26
>
> * Result for [DNSFOREST]: SUCCESS
> ERROR: Compare failed: -1

I have tried fixing this with reboots, and running this command:

# samba-tool drs replicate --full-sync dc1 dc2 DC=samdom,DC=mycompany,DC=net

As well as the similar commands for DC=ForestDnsZones,... DC=DomainDnsZones,... CN=Configuration,... and CN=Schema,... but nothing gets that serverReferenceBL into the CN=DC2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET record on DC1.

Do you think that this attribute, "SERVERREFERENCEBL," is applied at domain join only? And, perhaps, that my wrongly configured /etc/hosts file botched a proper replication to DC1?

Here are the answers to your questions...

DC3
--------
# cat /etc/hosts
> 127.0.0.1       localhost.samdom.mycompany.net  localhost
> 192.168.3.201   dc1.samdom.mycompany.net   dc1
> 192.168.3.202   dc2.samdom.mycompany.net   dc2
> 192.168.3.203   dc3.samdom.mycompany.net   dc3
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters

# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.3.203
> nameserver 192.168.3.201
> nameserver 192.168.3.202
> search samdom.mycompany.net

# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>     netbios name = DC3
>     realm = SAMDOM.MYCOMPANY.NET
>     server role = active directory domain controller
>     #server services = -dns
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = SAMDOM
>     idmap_ldb:use rfc2307 = yes
>     #dns forwarder = 8.8.4.4
>     #dns forwarder = 8.8.8.8
>     #allow dns updates = disabled
>     dsdb:schema update allowed = true
>     printcap name = /dev/null
>     load printers = no
>     printing = bsd
>     ldap server require strong auth = no
>     tls enabled  = yes
>     tls keyfile  = tls/myKey.pem
>     tls certfile = tls/dc3_samdom_mycompany_net.pem
>     tls cafile   = tls/dc3_samdom_mycompany_net.ca-bundle.pem
>     #log file = /var/log/samba/%a.%M.log
>     max log size = 2048
>     log level = 1 auth_audit:3
>     apply group policies = yes
>
> [netlogon]
>     path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No

# klist -ke /var/lib/samba/private/secrets.keytab
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HOST/dc3@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 HOST/dc3.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 DC3$@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 HOST/dc3@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 HOST/dc3.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 DC3$@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 HOST/dc3@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 HOST/dc3.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 DC3$@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 HOST/dc3@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 HOST/dc3.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 DC3$@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 HOST/dc3@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
>    2 HOST/dc3.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
>    2 DC3$@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)

DC2
--------
# cat /etc/hosts
> 127.0.0.1       localhost.samdom.mycompany.net  localhost
> 192.168.3.201   dc1.samdom.mycompany.net   dc1
> 192.168.3.202   dc2.samdom.mycompany.net   dc2
> 192.168.3.203   dc3.samdom.mycompany.net   dc3
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters

# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.3.202
> nameserver 192.168.3.201
> nameserver 192.168.3.203
> search samdom.mycompany.net

# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>     netbios name = DC2
>     realm = SAMDOM.MYCOMPANY.NET
>     server role = active directory domain controller
>     #server services = -dns
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = SAMDOM
>     idmap_ldb:use rfc2307 = yes
>     #dns forwarder = 8.8.4.4
>     #dns forwarder = 8.8.8.8
>     #allow dns updates = disabled
>     dsdb:schema update allowed = true
>     printcap name = /dev/null
>     load printers = no
>     printing = bsd
>     ldap server require strong auth = no
>     tls enabled  = yes
>     tls keyfile  = tls/myKey.pem
>     tls certfile = tls/dc2_samdom_mycompany_net.pem
>     tls cafile   = tls/dc2_samdom_mycompany_net.ca-bundle.pem
>     #log file = /var/log/samba/%a.%M.log
>     max log size = 2048
>     log level = 1 auth_audit:3
>     apply group policies = yes
>
> [netlogon]
>     path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No

# klist -ke /var/lib/samba/private/secrets.keytab
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HOST/dc2@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 HOST/dc2.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 DC2$@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 HOST/dc2@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 HOST/dc2.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 DC2$@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 HOST/dc2@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 HOST/dc2.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 DC2$@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 HOST/dc2@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 HOST/dc2.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 DC2$@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 HOST/dc2@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
>    2 HOST/dc2.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
>    2 DC2$@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)

DC1
--------
# cat /etc/hosts
> 127.0.0.1       localhost.samdom.mycompany.net  localhost
> 192.168.3.201   dc1.samdom.mycompany.net   dc1
> 192.168.3.202   dc2.samdom.mycompany.net   dc2
> 192.168.3.203   dc3.samdom.mycompany.net   dc3
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters

# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.3.201
> nameserver 192.168.3.202
> nameserver 192.168.3.203
> search samdom.mycompany.net

# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>     netbios name = DC1
>     realm = SAMDOM.MYCOMPANY.NET
>     server role = active directory domain controller
>     #server services = -dns
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = SAMDOM
>     idmap_ldb:use rfc2307 = yes
>     #dns forwarder = 8.8.4.4
>     #dns forwarder = 8.8.8.8
>     #allow dns updates = disabled
>     #dsdb:schema update allowed = true
>     printcap name = /dev/null
>     load printers = no
>     printing = bsd
>     ldap server require strong auth = no
>     tls enabled  = yes
>     tls keyfile  = tls/myKey.pem
>     tls certfile = tls/dc1_samdom_mycompany_net.pem
>     tls cafile   = tls/dc1_samdom_mycompany_net.ca-bundle.pem
>     #log file = /var/log/samba/%a.%M.log
>     max log size = 2048
>     log level = 1 auth_audit:3
>     apply group policies = yes
>
> [netlogon]
>     path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No

# klist -ke /var/lib/samba/private/secrets.keytab
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HOST/dc1@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 HOST/dc1.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 DC1$@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 HOST/dc1@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 HOST/dc1.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 DC1$@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 HOST/dc1@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 HOST/dc1.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 DC1$@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 HOST/dc1@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 HOST/dc1.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 DC1$@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 HOST/dc1@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
>    2 HOST/dc1.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
>    2 DC1$@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)

Thank you,
Matthew

From: L.P.H. van Belle via samba <samba at lists.samba.org>
To: "samba at lists.samba.org" <samba at lists.samba.org>
Sent: 6/26/2019 2:32 AM
Subject: Re: [Samba] One DC cannot authenticate off of another DC

Hai,

What is the running OS and version of samba on these servers.
Can you post some configs of these DC's (all 3?)

/etc/hosts
/etc/resolv.conf
/etc/samba/smb.conf

And for all 3 this, the keytab output:
klist -ke /var/lib/samba/private/secrets.keytab

You're also sure your servers' time is not out of sync?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Matthew Delfino via samba
> Sent: Wednesday, 26 June 2019 1:12
> To: samba at lists.samba.org
> Subject: [Samba] One DC cannot authenticate off of another DC
>
> Hello Samba Friends,
>
> I have a single DC (we'll call it, "DC1") that simply will not take my password when I run this command:
>
> #samba-tool ldapcmp ldap://dc2 ldap://dc3 -Uadministrator
>
> Or this command:
>
> #samba-tool ldapcmp ldap://dc1 ldap://dc2 -Uadministrator
>
> I basically get this:
>
> > Password for [SAMDOM\administrator]:
> > Password for [SAMDOM\administrator]:
> > Password for [SAMDOM\administrator]:
> > Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
> > Failed to connect to 'ldap://dc2' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
> > ERROR(ldb): uncaught exception - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 942, in run
> >     outf=self.outf, errf=self.errf, skip_missing_dn=skip_missing_dn)
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 64, in __init__
> >     options=ldb_options)
> >   File "/usr/lib/python3/dist-packages/samba/__init__.py", line 115, in __init__
> >     self.connect(url, flags, options)
>
> It *will* authenticate when I run this command, which implies that DC2 is the one who doesn't like my password, but only when it comes from DC1:
>
> #samba-tool ldapcmp ldap://dc1 ldap://dc3 -Uadministrator
>
> From DC2 and DC3, I can run all three of those commands with success.
>
> What could cause one of my DCs (DC2) to hate my password only when it comes from one of my other DCs (DC1)? And, by the way, under that circumstance, it seems to hate every username and password combination I have that I could think to try ("-Umatthewdelfino", for example).
>
> What have I already tried? I've demoted and re-promoted all of the DCs, which didn't make things any better. Passwords still fail in the same manner, but now every time I do an ldapcmp from samba-tool, I see a complaint about "serverReferenceBL," either as an attribute that doesn't exist in DC1 for 'CN=DC2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET', or as an uncaught exception like this:
>
> > ERROR(<class 'KeyError'>): uncaught exception - 'serverReferenceBL'
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 957, in run
> >     if b1.diff(b2):
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 781, in diff
> >     if object1 == object2:
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 549, in __eq__
> >     return self.cmp_attrs(other)
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 590, in cmp_attrs
> >     if isinstance(self.attributes[x], list) and isinstance(other.attributes[x], list):
>
> (And all of that SERVERREFERENCEBL stuff is probably unrelated. It's just very irritating, as it seems to be an attribute created during a DC promotion/domain join, but not during subsequent replications, and the ldapcmp always notices it.)
>
> Can anyone provide some guidance?
>
> Thanks,
> Matthew
>
> © 2019 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.
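The root cause Matthew found, one DC's /etc/hosts pointing dc2's name at dc3's address, is easy to miss by eye and easy to catch mechanically, and it matters on a DC because Kerberos service tickets are requested for the name but presented to whichever host the address reaches. The Python below is an added example, not part of the thread or of Samba: it parses the /etc/hosts of several DCs and reports (a) one routable address carrying two different FQDNs inside a single file and (b) a name that resolves to different addresses on different DCs. The three sample files are reconstructed from the ones posted above, with DC1's faulty `dc2` line as Matthew described it; the `dc1`/`dc2`/`dc3` labels keying the dictionary are my own.

```python
from collections import defaultdict

# Addresses that legitimately carry several names and are never a DC's address.
LOCAL_ADDRS = {"127.0.0.1", "127.0.1.1", "::1", "ff02::1", "ff02::2"}


def parse_hosts(text: str) -> dict:
    """Map every name in a hosts file to its address; comments and blank lines are skipped."""
    names = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *aliases = line.split()
        for name in aliases:
            names[name.lower()] = addr
    return names


def check_dc_hosts(files: dict) -> list:
    """files: {dc_label: hosts_file_text}. Returns (where, problem) pairs, empty if consistent."""
    findings = []
    seen = defaultdict(dict)                 # name -> {dc_label: addr}
    for label, text in files.items():
        fqdns_by_addr = defaultdict(set)
        for name, addr in parse_hosts(text).items():
            if addr in LOCAL_ADDRS:
                continue
            seen[name][label] = addr
            if "." in name:                  # short aliases sharing an FQDN's address are fine
                fqdns_by_addr[addr].add(name)
        for addr, fqdns in sorted(fqdns_by_addr.items()):
            if len(fqdns) > 1:
                findings.append((label, f"{addr} is listed for {', '.join(sorted(fqdns))}"))
    for name, per_dc in sorted(seen.items()):
        if len(set(per_dc.values())) > 1:
            detail = ", ".join(f"{dc}={addr}" for dc, addr in sorted(per_dc.items()))
            findings.append(("all", f"{name} differs between DCs: {detail}"))
    return findings


# Hosts file as posted for DC2 and DC3 (reconstructed from the thread).
GOOD_HOSTS = """\
127.0.0.1       localhost.samdom.mycompany.net  localhost
192.168.3.201   dc1.samdom.mycompany.net   dc1
192.168.3.202   dc2.samdom.mycompany.net   dc2
192.168.3.203   dc3.samdom.mycompany.net   dc3

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
"""
# DC1's file as Matthew described it before the fix: dc2 pointed at dc3's address.
BAD_DC1_HOSTS = GOOD_HOSTS.replace("192.168.3.202   dc2", "192.168.3.203   dc2")

DC_FILES = {"dc1": BAD_DC1_HOSTS, "dc2": GOOD_HOSTS, "dc3": GOOD_HOSTS}

if __name__ == "__main__":
    for where, problem in check_dc_hosts(DC_FILES) or [("all", "consistent")]:
        print(f"[{where}] {problem}")
```

In practice the inputs come from `ssh dcN cat /etc/hosts` for each DC; a finding of the first kind on one host is exactly the error in this thread, while a finding of the second kind with no first-kind finding points at a stale entry on one DC rather than a copy-paste slip.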
Matthew Delfino
2019-Jun-26 17:58 UTC
[Samba] Samba 4.10 member: SMB login no longer working
I apologize, everyone, for replying to the wrong thread here. Please ignore this message, it was supposed to be in the "Re: [Samba] One DC cannot authenticate off of another DC" thread.

From: Matthew Delfino via samba <samba at lists.samba.org>
To: L.P.H. van Belle <belle at bazuin.nl>, "samba at lists.samba.org" <samba at lists.samba.org>
Sent: 6/26/2019 12:44 PM
Subject: Re: [Samba] Samba 4.10 member: SMB login no longer working

Thank you, Louis, for your reply.

By simply asking me to provide outputs of the aforementioned files, I found the cause of my first problem (auth failing). It was my /etc/hosts file on dc1.

All of them should look like this, and indeed DC2 and DC3's *did* look like this:

# cat /etc/hosts
> 127.0.0.1       localhost.samdom.mycompany.net  localhost
> 192.168.3.201 dc1.samdom.mycompany.net dc1
> 192.168.3.202 dc2.samdom.mycompany.net dc2
> 192.168.3.203 dc3.samdom.mycompany.net dc3
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters

DC1's /etc/hosts looked the same, except for the third line, which looked like this:

> 192.168.3.203 dc2.samdom.mycompany.net dc2

That's the same IP as dc3 on the fourth line! Changing its IP address to 192.168.3.202 to match the other two hosts files swiftly put an end to my failed authentications.

But, I still see this whenever I compare any of my DCs to DC1:

# samba-tool ldapcmp ldap://dc1 ldap://dc2 -Uadministrator
> Password for [SAMDOM\administrator]:
>
> * Comparing [DOMAIN] context...
>
> * Objects to be compared: 1723
>
> Comparing:
> 'CN=DC2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET' [ldap://dc1]
> 'CN=DC2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET' [ldap://dc2]
>     Attributes found only in ldap://dc2:
>         SERVERREFERENCEBL
>
>     FAILED
>
> * Result for [DOMAIN]: FAILURE
>
> SUMMARY
> ---------
>
> Attributes found only in ldap://dc2:
>
>     SERVERREFERENCEBL
>
> * Comparing [CONFIGURATION] context...
>
> * Objects to be compared: 1623
>
> * Result for [CONFIGURATION]: SUCCESS
>
> * Comparing [SCHEMA] context...
>
> * Objects to be compared: 1578
>
> * Result for [SCHEMA]: SUCCESS
>
> * Comparing [DNSDOMAIN] context...
>
> * Objects to be compared: 166
>
> * Result for [DNSDOMAIN]: SUCCESS
>
> * Comparing [DNSFOREST] context...
>
> * Objects to be compared: 26
>
> * Result for [DNSFOREST]: SUCCESS
> ERROR: Compare failed: -1

I have tried fixing this with reboots, and running this command:

# samba-tool drs replicate --full-sync dc1 dc2 DC=samdom,DC=mycompany,DC=net

As well as the similar commands for DC=ForestDnsZones,... DC=DomainDnsZones,... CN=Configuration,... and CN=Schema,... but nothing gets that serverReferenceBL into the CN=DC2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET record on DC1.

Do you think that this attribute, "SERVERREFERENCEBL," is applied at domain join only? And, perhaps, that my wrongly configured /etc/hosts file botched a proper replication to DC1?

Here are the answers to your questions...

DC3
--------

# cat /etc/hosts
> 127.0.0.1       localhost.samdom.mycompany.net  localhost
> 192.168.3.201    dc1.samdom.mycompany.net    dc1
> 192.168.3.202    dc2.samdom.mycompany.net    dc2
> 192.168.3.203    dc3.samdom.mycompany.net    dc3
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters

# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.3.203
> nameserver 192.168.3.201
> nameserver 192.168.3.202
> search samdom.mycompany.net

# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>     netbios name = DC3
>     realm = SAMDOM.MYCOMPANY.NET
>     server role = active directory domain controller
>     #server services = -dns
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = SAMDOM
>     idmap_ldb:use rfc2307 = yes
>     #dns forwarder = 8.8.4.4
>     #dns forwarder = 8.8.8.8
>     #allow dns updates = disabled
>     dsdb:schema update allowed = true
>     printcap name = /dev/null
>     load printers = no
>     printing = bsd
>     ldap server require strong auth = no
>     tls enabled  = yes
>     tls keyfile  = tls/myKey.pem
>     tls certfile = tls/dc3_samdom_mycompany_net.pem
>     tls cafile   = tls/dc3_samdom_mycompany_net.ca-bundle.pem
>     #log file = /var/log/samba/%a.%M.log
>     max log size = 2048
>     log level = 1 auth_audit:3
>     apply group policies = yes
>
> [netlogon]
>     path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No

# klist -ke /var/lib/samba/private/secrets.keytab
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HOST/dc3@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 HOST/dc3.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 DC3$@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 HOST/dc3@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 HOST/dc3.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 DC3$@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 HOST/dc3@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 HOST/dc3.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 DC3$@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 HOST/dc3@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 HOST/dc3.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 DC3$@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 HOST/dc3@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
>    2 HOST/dc3.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
>    2 DC3$@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)

DC2
--------

# cat /etc/hosts
> 127.0.0.1       localhost.samdom.mycompany.net  localhost
> 192.168.3.201    dc1.samdom.mycompany.net    dc1
> 192.168.3.202    dc2.samdom.mycompany.net    dc2
> 192.168.3.203    dc3.samdom.mycompany.net    dc3
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters

# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.3.202
> nameserver 192.168.3.201
> nameserver 192.168.3.203
> search samdom.mycompany.net

# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>     netbios name = DC2
>     realm = SAMDOM.MYCOMPANY.NET
>     server role = active directory domain controller
>     #server services = -dns
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = SAMDOM
>     idmap_ldb:use rfc2307 = yes
>     #dns forwarder = 8.8.4.4
>     #dns forwarder = 8.8.8.8
>     #allow dns updates = disabled
>     dsdb:schema update allowed = true
>     printcap name = /dev/null
>     load printers = no
>     printing = bsd
>     ldap server require strong auth = no
>     tls enabled  = yes
>     tls keyfile  = tls/myKey.pem
>     tls certfile = tls/dc2_samdom_mycompany_net.pem
>     tls cafile   = tls/dc2_samdom_mycompany_net.ca-bundle.pem
>     #log file = /var/log/samba/%a.%M.log
>     max log size = 2048
>     log level = 1 auth_audit:3
>     apply group policies = yes
>
> [netlogon]
>     path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No

# klist -ke /var/lib/samba/private/secrets.keytab
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HOST/dc2@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 HOST/dc2.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 DC2$@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 HOST/dc2@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 HOST/dc2.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 DC2$@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 HOST/dc2@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 HOST/dc2.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 DC2$@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 HOST/dc2@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 HOST/dc2.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 DC2$@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 HOST/dc2@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
>    2 HOST/dc2.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
>    2 DC2$@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)

DC1
--------

# cat /etc/hosts
> 127.0.0.1    localhost.samdom.mycompany.net    localhost
> 192.168.3.201    dc1.samdom.mycompany.net    dc1
> 192.168.3.202    dc2.samdom.mycompany.net    dc2
> 192.168.3.203    dc3.samdom.mycompany.net    dc3
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters

# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.3.201
> nameserver 192.168.3.202
> nameserver 192.168.3.203
> search samdom.mycompany.net

# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>     netbios name = DC1
>     realm = SAMDOM.MYCOMPANY.NET
>     server role = active directory domain controller
>     #server services = -dns
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = SAMDOM
>     idmap_ldb:use rfc2307 = yes
>     #dns forwarder = 8.8.4.4
>     #dns forwarder = 8.8.8.8
>     #allow dns updates = disabled
>     #dsdb:schema update allowed = true
>     printcap name = /dev/null
>     load printers = no
>     printing = bsd
>     ldap server require strong auth = no
>     tls enabled  = yes
>     tls keyfile  = tls/myKey.pem
>     tls certfile = tls/dc1_samdom_mycompany_net.pem
>     tls cafile   = tls/dc1_samdom_mycompany_net.ca-bundle.pem
>     #log file = /var/log/samba/%a.%M.log
>     max log size = 2048
>     log level = 1 auth_audit:3
>     apply group policies = yes
>
> [netlogon]
>     path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No

# klist -ke /var/lib/samba/private/secrets.keytab
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HOST/dc1@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 HOST/dc1.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 DC1$@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
>    2 HOST/dc1@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 HOST/dc1.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 DC1$@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
>    2 HOST/dc1@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 HOST/dc1.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 DC1$@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
>    2 HOST/dc1@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 HOST/dc1.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 DC1$@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
>    2 HOST/dc1@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
>    2 HOST/dc1.samdom.mycompany.net@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
>    2 DC1$@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)

Thank you,
Matthew

From: L.P.H. van Belle via samba <samba at lists.samba.org>
To: "samba at lists.samba.org" <samba at lists.samba.org>
Sent: 6/26/2019 2:32 AM
Subject: Re: [Samba] One DC cannot authenticate off of another DC

Hai,

What is the running OS and version of samba on these servers?

Can you post some configs of these DC's (all 3?)

/etc/hosts
/etc/resolv.conf
/etc/samba/smb.conf

And for all 3 this, the keytab output:

klist -ke /var/lib/samba/private/secrets.keytab

You're also sure your servers' time is not out of sync?

Greetz,

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Matthew Delfino via samba
> Verzonden: woensdag 26 juni 2019 1:12
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] One DC cannot authenticate off of another DC
>
> Hello Samba Friends,
>
> I have a single DC (we'll call it "DC1") that simply will not take my password when I run this command:
>
> #samba-tool ldapcmp ldap://dc2 ldap://dc3 -Uadministrator
>
> Or this command:
>
> #samba-tool ldapcmp ldap://dc1 ldap://dc2 -Uadministrator
>
> I basically get this:
>
> > Password for [SAMDOM\administrator]:
> > Password for [SAMDOM\administrator]:
> > Password for [SAMDOM\administrator]:
> > Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
> > Failed to connect to 'ldap://dc2' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
> > ERROR(ldb): uncaught exception - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 942, in run
> >     outf=self.outf, errf=self.errf, skip_missing_dn=skip_missing_dn)
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 64, in __init__
> >     options=ldb_options)
> >   File "/usr/lib/python3/dist-packages/samba/__init__.py", line 115, in __init__
> >     self.connect(url, flags, options)
>
> It *will* authenticate when I run this command, which implies that DC2 is the one who doesn't like my password, but only when it comes from DC1:
>
> #samba-tool ldapcmp ldap://dc1 ldap://dc3 -Uadministrator
>
> From DC2 and DC3, I can run all three of those commands with success.
>
> What could cause one of my DCs (DC2) to hate my password only when it comes from one of my other DCs (DC1)? And, by the way, under that circumstance, it seems to hate every username and password combination I have that I could think to try ("-Umatthewdelfino", for example).
>
> What have I already tried? I've demoted and re-promoted all of the DCs, which didn't make things any better. Passwords still fail in the same manner, but now every time I do an ldapcmp from samba-tool, I see a complaint about "serverReferenceBL," either as an attribute that doesn't exist in DC1 for 'CN=DC2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET', or as an uncaught exception like this:
>
> > ERROR(<class 'KeyError'>): uncaught exception - 'serverReferenceBL'
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 957, in run
> >     if b1.diff(b2):
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 781, in diff
> >     if object1 == object2:
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 549, in __eq__
> >     return self.cmp_attrs(other)
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 590, in cmp_attrs
> >     if isinstance(self.attributes[x], list) and isinstance(other.attributes[x], list):
>
> (And all of that SERVERREFERENCEBL stuff is probably unrelated. It's just very irritating, as it seems to be an attribute created during a DC promotion/domain join, but not during subsequent replications, and the ldapcmp always notices it.)
>
> Can anyone provide some guidance?
>
> Thanks,
> Matthew
>
> © 2019 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2019-Jun-26 18:00 UTC
[Samba] Samba 4.10 member: SMB login no longer working
On 26/06/2019 18:44, Matthew Delfino via samba wrote:
> Thank you, Louis, for your reply.
>
> By simply asking me to provide outputs of the aforementioned files, I found the cause of my first problem (auth failing). It was my /etc/hosts file on dc1.
>
> All of them should look like this, and indeed DC2 and DC3's *did* look like this:

Sorry, but no, they shouldn't look like that.

> # cat /etc/hosts
>> 127.0.0.1       localhost.samdom.mycompany.net  localhost
>> 192.168.3.201 dc1.samdom.mycompany.net dc1
>> 192.168.3.202 dc2.samdom.mycompany.net dc2
>> 192.168.3.203 dc3.samdom.mycompany.net dc3
>>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1     localhost ip6-localhost ip6-loopback
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters

They should look like this:

127.0.0.1       localhost
192.168.3.201 dc1.samdom.mycompany.net dc1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Replace the DC's info with the correct info for the DC it is on. You do not need all the DCs in every /etc/hosts.

> But, I still see this whenever I compare any of my DCs to DC1:
>
> # samba-tool ldapcmp ldap://dc1 ldap://dc2 -Uadministrator
>> Password for [SAMDOM\administrator]:
>>
>> * Comparing [DOMAIN] context...
>>
>> * Objects to be compared: 1723
>>
>> Comparing:
>> 'CN=DC2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET' [ldap://dc1]
>> 'CN=DC2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET' [ldap://dc2]
>>     Attributes found only in ldap://dc2:
>>         SERVERREFERENCEBL
>>
>>     FAILED
>>
>> * Result for [DOMAIN]: FAILURE
>>
>> SUMMARY
>> ---------
>>
>> Attributes found only in ldap://dc2:
>>
>>     SERVERREFERENCEBL

I think this is another of the attributes that got clobbered by the 'oops, we uppercased a lot of the attribute names' bug, or, to put it another way, you can ignore it ;-)

Rowland
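The two /etc/hosts problems this exchange turns on (Matthew's dc2 entry carrying dc3's IP, and every DC listed on every DC where Rowland says only the local DC belongs) can both be caught mechanically before Kerberos starts failing. The script below is an added example, not code from the thread or from Samba; the hosts file and DNS map inside it are constructed copies of the values posted above, and a live run would replace `AD_DNS.get` with a real lookup against the domain's DNS.

```python
"""Checks for a Samba DC's /etc/hosts, modelled on the mistake in this thread.
Added example, not code from the thread or from Samba."""
from collections import defaultdict

LOOPBACK = ("127.", "::1")

def parse_hosts(text):
    """Return [(ip, [names...])] from /etc/hosts text; comments and blanks dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            entries.append((ip, names))
    return entries

def fqdns(entries):
    """Yield (ip, fqdn) for every non-loopback name containing a dot."""
    for ip, names in entries:
        if ip.startswith(LOOPBACK):
            continue
        for name in names:
            if "." in name:
                yield ip, name

def find_shared_ips(entries):
    """IPs carrying more than one FQDN: two DCs cannot share one address."""
    by_ip = defaultdict(set)
    for ip, fqdn in fqdns(entries):
        by_ip[ip].add(fqdn)
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) > 1}

def find_dns_mismatches(entries, resolve):
    """(fqdn, hosts_ip, dns_ip) wherever /etc/hosts disagrees with AD DNS.
    resolve(fqdn) returns the A record or None; it is injected so the check
    can run against a live resolver or, as below, a constructed map."""
    triples = [(fqdn, ip, resolve(fqdn)) for ip, fqdn in fqdns(entries)]
    return [t for t in triples if t[2] is not None and t[2] != t[1]]

def find_foreign_entries(entries, own_fqdn):
    """FQDNs other than this DC's own; per Rowland, only the local DC belongs here."""
    return sorted({f for _, f in fqdns(entries) if f != own_fqdn})

# Constructed copy of the broken DC1 /etc/hosts from the thread (dc2 on dc3's IP).
DC1_HOSTS = """\
127.0.0.1       localhost.samdom.mycompany.net  localhost
192.168.3.201    dc1.samdom.mycompany.net    dc1
192.168.3.203    dc2.samdom.mycompany.net    dc2
192.168.3.203    dc3.samdom.mycompany.net    dc3
"""

# Constructed stand-in for the AD DNS zone; a live run would query the DCs.
AD_DNS = {"dc1.samdom.mycompany.net": "192.168.3.201",
          "dc2.samdom.mycompany.net": "192.168.3.202",
          "dc3.samdom.mycompany.net": "192.168.3.203"}

if __name__ == "__main__":
    e = parse_hosts(DC1_HOSTS)
    print("shared IPs:", find_shared_ips(e))
    print("DNS mismatches:", find_dns_mismatches(e, AD_DNS.get))
    print("foreign DC entries:", find_foreign_entries(e, "dc1.samdom.mycompany.net"))
```

On the constructed DC1 file this reports 192.168.3.203 shared by dc2 and dc3, dc2 disagreeing with DNS, and dc2/dc3 as entries that do not belong on DC1.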