Hai,
OK, the below looks OK, except I don't see the search domain in the networkctl
output.
Which is possible if you configured your interfaces through
/etc/network/interfaces.
I'm still amazed it's not working. Everything looks good.
We are missing a bit of info: why/how/what/where.
Short resume.
You're on Debian Buster official Samba, correct? (Samba 4.9.5) And you're using
internal DNS.
Configs look OK in the debug output. No AppArmor DENIED messages.
DNS is running and basically your resolving looks OK.
And while I'm looking at this:
You joined this server to a Windows AD domain and seized FSMO roles, correct?
Can you try this? If this helps, in the end you can switch the 2 DNS servers'
IPs.
Change your /etc/resolv.conf to:
    # First a Windows AD-DC DNS.
    nameserver 10.10.1.XXXS
    # Second, this server's IP.
    nameserver 10.10.1.10
    search edm-inc.com
Your krb5.conf: I suggest you change it to this.
I left in the other options I use; they might be handy.
You need the enctypes part for Win 2008.
    [libdefaults]
        default_realm = EDM-INC.COM
        dns_lookup_kdc = true
        dns_lookup_realm = false
        ; for Windows 2008 with AES ( win 2003 compliant )
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
Reboot.
After the reboot, wait 5 min; this depends a bit on the size of your AD.
Now run again: samba-tool drs showrepl
Any errors? No errors, great. Check again if getting your server info works.
If you get errors, then, yes, you can upgrade your packages with mine even if you
modified that Python file.
P.S. If you see things and you don't know, first post things again.
Before you move to 4.10.6, I suggest trying 4.9.11 first.
Because I'm still not sure if it's Samba that is the problem in this.
And you can always upgrade to 4.10.6 later on; I want to know if 4.9.11
helps/fixes this.
That is because I think this is a python2/3 problem, or this patch in Debian
official is a problem:
- CVE-2019-12435 zone operations can crash rpc server
and broke the join in Samba.
I just don't know which it is, but I do know multiple Python things are fixed in
later versions.
If you prefer 4.9.11 from official Debian, you need to backport it yourself,
or use Samba from Debian testing/sid, which is 4.9.11.
For my repo, use these steps.
1) Choose http or https for your apt; both work. For https you need to:
    apt-get install apt-transport-https
2) Import my public key:
    wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
3) (Optional) Set up a header line for the repo file:
    echo "# AptVanBelle repo for samba." | sudo tee /etc/apt/sources.list.d/van-belle.list
4) In the line below, change the OS and/or Samba version to what you want. Shown
is Debian stretch with Samba 4.9.
    echo "deb http://apt.van-belle.nl/debian buster-samba49 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
This gives you 4.9.11, almost the same as Debian official; I only
added/enabled Spotlight support.
Try this first, I'm suggesting; then when it all looks good, you can easily
upgrade to 4.10.6.
Then in the above repo line just change samba49 to samba410 and run:
    apt update && apt dist-upgrade
Greetz,
Louis
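
The krb5.conf above keeps rc4-hmac and the single-DES types in its enctype lists for the Windows 2008 side. The shell function below is an added example, not part of the original message: it reads a krb5.conf and lists the legacy entries under [libdefaults], so the list can be tracked and trimmed to AES once no peer needs the older types. The sample config and the name audit_enctypes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): list legacy Kerberos
# enctypes configured under [libdefaults] in a krb5.conf.

# Constructed sample modelled on the [libdefaults] block in the message,
# plus a [realms] line that must be ignored.
sample_krb5_conf() {
cat <<'EOF'
[libdefaults]
    default_realm = EDM-INC.COM
    dns_lookup_kdc = true
    ; for Windows 2008 with AES
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
    default_tkt_enctypes = des-cbc-crc
EOF
}

# audit_enctypes [FILE]: reads FILE (or stdin) and prints one line per legacy
# entry: setting<TAB>enctype<TAB>reason. Prints nothing if no legacy type is set.
audit_enctypes() {
    awk '
    /^[ \t]*[;#]/ { next }                         # skip comment lines
    /^[ \t]*\[/   { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
    in_lib && /^[ \t]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)[ \t]*=/ {
        eq  = index($0, "=")
        key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
        n   = split(substr($0, eq + 1), types, /[ \t,]+/)
        for (i = 1; i <= n; i++) {
            t = tolower(types[i])
            if (t ~ /^des(-cbc-|$)/)        reason = "single-DES, deprecated by RFC 6649"
            else if (t ~ /^(rc4|arcfour)/)  reason = "RC4, deprecated by RFC 8429"
            else continue
            printf "%s\t%s\t%s\n", key, t, reason
        }
    }' "$@"
}

# With a path argument audit that file, otherwise audit the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_enctypes "$1"
else
    sample_krb5_conf | audit_enctypes
fi
```

Run it as `sh script.sh /etc/krb5.conf` on the DC; empty output means none of the three enctype settings lists a single-DES or RC4 type.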
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Robert A Wooldridge via samba
> Sent: Monday 29 July 2019 17:38
> To: samba at lists.samba.org
> Subject: Re: [Samba] Serverinfo Error
>
> On 07/29/2019 02:11 AM, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > There is something going on in your resolving, that I'm sure.
> >
> > I don't know where you're missing a setting or did a wrong setting,
> > but this should all work out of the box.
> >
> > The PTR lookup response with IP of the DC should be hostname.fqdn. and not hostname.
> >
> > I've also had a good look at the debug script output again.
> > That all looks OK to me, so I'm wondering if AppArmor is in play here or systemd things.
> >
> > I'm missing rules in AppArmor, as shown below.
> > You are using internal DNS and not Bind9_DLZ. ( based on smb.conf outputs ) so ..
> >
> > Can you run :
> > cat /var/log/syslog | grep 'DENIED'
> No output
> > And
> > cat /var/log/auditd/auditd.log | grep 'DENIED'
> Auditd not installed.
> > ( if auditd is installed )
> >
> > Can you also show me :
> > ps faux |egrep "samba|winbind"
> athena:~# ps faux |egrep "samba|winbind"
> root     11734  0.0  0.0   6076   832 pts/0    S+   10:30   0:00                      \_ grep -E samba|winbind
> root     26888  0.0  0.4  95604 34800 ?        Ss   Jul26   0:00 samba: root process
> root     26889  0.0  0.2  95604 22060 ?        S    Jul26   0:00  \_ samba: task[s3fs_parent]
> root     26891  0.0  0.2  95608 20924 ?        S    Jul26   0:00  |   \_ samba: tfork waiter process
> root     26890  0.0  0.6  96236 50588 ?        S    Jul26   1:14  \_ samba: task[dcesrv]
> root     26892  0.0  0.4  95676 34320 ?        S    Jul26   0:01  \_ samba: task[nbtd]
> root     26894  0.0  0.2  95604 21684 ?        S    Jul26   0:00  \_ samba: task[wrepl]
> root     26895  0.0  0.3  95604 29380 ?        S    Jul26   0:06  \_ samba: task[ldapsrv]
> root     26896  0.0  0.3  95604 31112 ?        S    Jul26   3:01  \_ samba: task[cldapd]
> root     26897  0.0  0.4  95792 32868 ?        S    Jul26   0:41  \_ samba: conn[kdc_tcp] c[ipv4:10.10.10.235:50790] s[ipv4:10.10.1.10:88] server_id[26897.40]
> root     26898  0.0  0.4  96244 35024 ?        S    Jul26   3:34  \_ samba: task[dreplsrv]
> root     26899  0.0  0.2  95604 22060 ?        S    Jul26   0:00  \_ samba: task[winbindd_parent]
> root     26903  0.0  0.2  95608 20924 ?        S    Jul26   0:00  |   \_ samba: tfork waiter process
> root     26905  0.0  0.5  96104 43872 ?        Ss   Jul26   0:03  |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> root     26925  0.0  0.4  96336 34096 ?        S    Jul26   0:00  |           \_ winbindd: domain child [EDM]
> root     27112  0.0  0.3  96132 29184 ?        S    Jul26   0:00  |           \_ winbindd: idmap child
> root     26900  0.0  0.3  95604 25504 ?        S    Jul26   0:00  \_ samba: task[ntp_signd]
> root     26901  0.0  0.4  95604 36224 ?        S    Jul26   0:02  \_ samba: task[kccsrv]
> root     26902  0.0  0.3  95604 30428 ?        S    Jul26   0:58  \_ samba: task[dnsupdate]
> root     26904  0.1  0.3  96108 31872 ?        S    Jul26   4:36  \_ samba: conn[dns_tcp] c[ipv4:10.10.10.232:60715] s[ipv4:10.10.1.10:53] server_id[26904.3]
>
>
> > And
> > netstat -tan|egrep "LISTEN" | grep "53"
> athena:~# netstat -tan|egrep "LISTEN" | grep "53"
> tcp        0      0 0.0.0.0:49153           0.0.0.0:* LISTEN
> tcp        0      0 0.0.0.0:53              0.0.0.0:* LISTEN
> tcp6       0      0 :::49153                :::* LISTEN
> tcp6       0      0 :::53                   :::* LISTEN
>
> >
> > And check some things within systemd.
> > Show me also :
> >
> > networkctl status
> athena:~# networkctl status
> WARNING: systemd-networkd is not running, output will be incomplete.
>
> ●        State: n/a
>        Address: 10.10.1.10 on enp0s25
>                 fe80::21c:c0ff:feec:2525 on enp0s25
>        Gateway: 10.10.1.1 (Intel Corporate) on enp0s25
> > networkctl status $(ip a|grep "state UP"| cut -d: -f2)
> athena:~# networkctl status $(ip a|grep "state UP"| cut -d: -f2)
> WARNING: systemd-networkd is not running, output will be incomplete.
>
> ● 2: enp0s25
>        Link File: /usr/lib/systemd/network/99-default.link
>     Network File: n/a
>             Type: ether
>            State: n/a (unmanaged)
>             Path: pci-0000:00:19.0
>           Driver: e1000e
>           Vendor: Intel Corporation
>            Model: 82567LM-3 Gigabit Network Connection
>       HW Address: 00:1c:c0:ec:25:25 (Intel Corporate)
>          Address: 10.10.1.10
>                   fe80::21c:c0ff:feec:2525
>          Gateway: 10.10.1.1 (Intel Corporate)
>
> > timedatectl
> athena:~# timedatectl
>                Local time: Mon 2019-07-29 10:33:09 CDT
>            Universal time: Mon 2019-07-29 15:33:09 UTC
>                  RTC time: Mon 2019-07-29 15:33:08
>                 Time zone: US/Central (CDT, -0500)
> System clock synchronized: yes
>               NTP service: inactive
>           RTC in local TZ: no
> > resolvectl status
> athena:~# resolvectl status
> Failed to get global data: Unit dbus-org.freedesktop.resolve1.service not found.
> >
> >>> And maybe it's an option to try the 4.10.6 package I supply.
> >>> Debian buster packages are updated within 1-2 hours.
> >> I had to comment out some lines of python to get this far.
> >> Should those files be replaced?
> > Which files? And which lines exactly?
> join.py (/usr/lib/python2.7/dist-packages/samba/join.py on my DC), find
> these lines:
>
>             if ctx.dns_backend != "NONE":
>                 ctx.join_add_dns_records()
>                 ctx.join_replicate_new_dns_records()
>
> --
> Bob Wooldridge
> EDM Incorporated