samba - Aug 2019 - New Domain can't connect to localhost

I've just provisioned the new AD DC domain following the steps on the 
wiki.? Using Debian Buster but with samba and kerberos packages from 
unstable.? Everything seems fine but when I do (entering the password):

smbclient //localhost/netlogon -UAdministrator -c 'ls'? I get:

tree connect failed: NT_STATUS_BAD_NETWORK_NAME


What could be the problem here?


-- 
Bob Wooldridge
EDM Incorporated

Hai,  
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Robert A Wooldridge via samba
> Verzonden: donderdag 22 augustus 2019 23:36
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] New Domain can't connect to localhost
> 
> I've just provisioned the new AD DC domain following the steps on the 
> wiki.? Using Debian Buster but with samba and kerberos packages from 
> unstable.? Everything seems fine but when I do (entering the 
> password):
> 
> smbclient //localhost/netlogon -UAdministrator -c 'ls'? I get:
> 
> tree connect failed: NT_STATUS_BAD_NETWORK_NAME
> 
> 
> What could be the problem here?
Still problems in your resolving setup? 
Try //FQDN/netlogon 

But that said, my 4.10.6 works fine. 

smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter NTDOM\Administrator's password:
  .                                   D        0  Tue Feb 13 14:14:08 2018
  ..                                  D        0  Fri Jul 26 09:39:59 2019
  firefox_startup.vbs.off             A    25091  Sun Jul  3 03:56:20 2016


Can you run : 
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
And post the output, anonimize it where needed. 


> 
> 
> -- 
> Bob Wooldridge
> EDM Incorporated
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

On 08/23/2019 01:48 AM, L.P.H. van Belle via samba
wrote:
> Hai,
>
> Still problems in your resolving setup?
> Try //FQDN/netlogon
No, this doesn't work either.? Tried both //athena/netlogon and 
//athena.edm-inc.com/netlogon
>
> But that said, my 4.10.6 works fine.
>
> smbclient //localhost/netlogon -UAdministrator -c 'ls'
> Enter NTDOM\Administrator's password:
>    .                                   D        0  Tue Feb 13 14:14:08 2018
>    ..                                  D        0  Fri Jul 26 09:39:59 2019
>    firefox_startup.vbs.off             A    25091  Sun Jul  3 03:56:20 2016
>
>
> Can you run :
>
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> And post the output, anonimize it where needed.
Results:
Collected config? --- 2019-08-23-10:33 -----------

Hostname: athena
DNS Domain: edm-inc.com
FQDN: athena.edm-inc.com
ipaddress: 10.10.1.10

-----------

Samba is running as an AD DC

-----------
 ?????? Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 10.0 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1000
 ??? link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 ??? inet 127.0.0.1/8 scope host lo
 ??? inet6 ::1/128 scope host
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc 
pfifo_fast state DOWN group default qlen 1000
 ??? link/ether 00:1c:c0:ec:25:25 brd ff:ff:ff:ff:ff:ff
 ??? inet 10.10.1.10/16 brd 10.10.255.255 scope global noprefixroute enp0s25
 ??? inet6 fe80::21c:c0ff:feec:2525/64 scope link noprefixroute

-----------
 ?????? Checking file: /etc/hosts

127.0.0.1??? localhost
10.10.1.10??? athena.edm-inc.com??? athena

# The following lines are desirable for IPv6 capable hosts
::1???? localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

 ?????? Checking file: /etc/resolv.conf

nameserver 10.10.1.10
search edm-inc.com

-----------

 ?????? Checking file: /etc/krb5.conf

[libdefaults]
 ??? default_realm = EDM-INC.COM
 ??? dns_lookup_realm = false
 ??? dns_lookup_kdc = true

-----------

 ?????? Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.

passwd:???????? files systemd
group:????????? files systemd
shadow:???????? files
gshadow:??????? files

hosts:????????? files mdns4_minimal [NOTFOUND=return] dns
networks:?????? files

protocols:????? db files
services:?????? db files
ethers:???????? db files
rpc:??????????? db files

netgroup:?????? nis

-----------

 ?????? Checking file: /etc/samba/smb.conf

# Global parameters
[global]
 ??? dns forwarder = 10.10.1.1
 ??? netbios name = ATHENA
 ??? realm = EDM-INC.COM
 ??? server role = active directory domain controller
 ??? workgroup = EDM
 ??? idmap_ldb:use rfc2307 = yes

[netlogon]
 ??? path = /var/lib/samba/sysvol/edm-inc.com/scripts
 ??? read only = No

[sysvol]
 ??? path = /var/lib/samba/sysvol
 ??? read only = No

-----------

BIND_DLZ not detected in smb.conf

-----------

Installed packages:
ii? acl 2.2.53-4??????????????????????? amd64??????? access control list 
- utilities
ii? attr 1:2.4.48-4????????????????????? amd64??????? utilities for 
manipulating filesystem extended attributes
ii? fonts-quicksand 0.2016-2??????????????????????? all????????? 
sans-serif font with round attributes
ii? krb5-config 2.6???????????????????????????? all????????? 
Configuration files for Kerberos Version 5
ii? krb5-locales 1.17-3????????????????????????? all????????? 
internationalization support for MIT Kerberos
ii? krb5-user 1.17-6????????????????????????? amd64??????? basic 
programs to authenticate using MIT Kerberos
ii? libacl1:amd64 2.2.53-4??????????????????????? amd64??????? access 
control list - shared library
ii? libattr1:amd64 1:2.4.48-4????????????????????? amd64??????? extended 
attribute handling - shared library
ii? libgssapi-krb5-2:amd64 1.17-6????????????????????????? amd64??????? 
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii? libkrb5-3:amd64 1.17-6????????????????????????? amd64??????? MIT 
Kerberos runtime libraries
ii? libkrb5support0:amd64 1.17-6????????????????????????? amd64??????? 
MIT Kerberos runtime libraries - Support library
ii? libnss-winbind:amd64 2:4.9.11+dfsg-1???????????????? amd64??????? 
Samba nameservice integration plugins
ii? libpam-krb5:amd64 4.8-2?????????????????????????? amd64??????? PAM 
module for MIT Kerberos
ii? libpam-winbind:amd64 2:4.9.11+dfsg-1???????????????? amd64??????? 
Windows domain authentication integration plugin
ii? libsmbclient:amd64 2:4.9.11+dfsg-1???????????????? amd64??????? 
shared library for communication with SMB/CIFS servers
ii? libwbclient0:amd64 2:4.9.11+dfsg-1???????????????? amd64??????? 
Samba winbind client library
ii? python-samba 2:4.9.11+dfsg-1???????????????? amd64??????? Python 
bindings for Samba
ii? samba 2:4.9.11+dfsg-1???????????????? amd64??????? SMB/CIFS file, 
print, and login server for Unix
ii? samba-common 2:4.9.11+dfsg-1???????????????? all????????? common 
files used by both the Samba server and client
ii? samba-common-bin 2:4.9.11+dfsg-1???????????????? amd64??????? Samba 
common files used by both the server and the client
ii? samba-dsdb-modules:amd64 2:4.9.11+dfsg-1???????????????? 
amd64??????? Samba Directory Services Database
ii? samba-libs:amd64 2:4.9.11+dfsg-1???????????????? amd64??????? Samba 
core libraries
ii? samba-vfs-modules:amd64 2:4.9.11+dfsg-1???????????????? amd64??????? 
Samba Virtual FileSystem plugins
ii? smbc 1.2.2-4+b3????????????????????? amd64??????? samba-commander - 
curses based samba network browser
ii? smbclient 2:4.9.11+dfsg-1???????????????? amd64??????? command-line 
SMB/CIFS clients for Unix
ii? winbind 2:4.9.11+dfsg-1???????????????? amd64??????? service to 
resolve user and group information from Windows NT servers

-----------

-- 
Bob Wooldridge
EDM Incorporated

Hai, 

A quick reply, i was almost out of the office here.. 

Your config looks ok except one thing. 

You can try switching the hosts, like this. 
/etc/nsswitch.conf 
hosts:????????? files dns mdns4_minimal [NOTFOUND=return]

I suggest you verify the dns A PTR NS records of the servers. 
https://wiki.samba.org/index.php/DNS_Administration 

https://wiki.samba.org/index.php/Testing_the_DNS_Name_Resolution 

Greetz, 

Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Robert A Wooldridge via samba
> Verzonden: vrijdag 23 augustus 2019 17:44
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] New Domain can't connect to localhost
> 
> On 08/23/2019 01:48 AM, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > Still problems in your resolving setup?
> > Try //FQDN/netlogon
> No, this doesn't work either.? Tried both //athena/netlogon and 
> //athena.edm-inc.com/netlogon
> >
> > But that said, my 4.10.6 works fine.
> >
> > smbclient //localhost/netlogon -UAdministrator -c 'ls'
> > Enter NTDOM\Administrator's password:
> >    .                                   D        0  Tue Feb 
> 13 14:14:08 2018
> >    ..                                  D        0  Fri Jul 
> 26 09:39:59 2019
> >    firefox_startup.vbs.off             A    25091  Sun Jul  
> 3 03:56:20 2016
> >
> >
> > Can you run :
> > 
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-c
ollect-debug-info.sh
> > And post the output, anonimize it where needed.
> Results:
> Collected config? --- 2019-08-23-10:33 -----------
> 
> Hostname: athena
> DNS Domain: edm-inc.com
> FQDN: athena.edm-inc.com
> ipaddress: 10.10.1.10
> 
> -----------
> 
> Samba is running as an AD DC
> 
> -----------
>  ?????? Checking file: /etc/os-release
> 
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
> 
> -----------
> 
> 
> This computer is running Debian 10.0 x86_64
> 
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
> group default qlen 1000
>  ??? link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>  ??? inet 127.0.0.1/8 scope host lo
>  ??? inet6 ::1/128 scope host
> 2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc 
> pfifo_fast state DOWN group default qlen 1000
>  ??? link/ether 00:1c:c0:ec:25:25 brd ff:ff:ff:ff:ff:ff
>  ??? inet 10.10.1.10/16 brd 10.10.255.255 scope global 
> noprefixroute enp0s25
>  ??? inet6 fe80::21c:c0ff:feec:2525/64 scope link noprefixroute
> 
> -----------
>  ?????? Checking file: /etc/hosts
> 
> 127.0.0.1??? localhost
> 10.10.1.10??? athena.edm-inc.com??? athena
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1???? localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> -----------
> 
>  ?????? Checking file: /etc/resolv.conf
> 
> nameserver 10.10.1.10
> search edm-inc.com
> 
> -----------
> 
>  ?????? Checking file: /etc/krb5.conf
> 
> [libdefaults]
>  ??? default_realm = EDM-INC.COM
>  ??? dns_lookup_realm = false
>  ??? dns_lookup_kdc = true
> 
> -----------
> 
>  ?????? Checking file: /etc/nsswitch.conf
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages 
> installed, try:
> # `info libc "Name Service Switch"' for information about
this file.
> 
> passwd:???????? files systemd
> group:????????? files systemd
> shadow:???????? files
> gshadow:??????? files
> 
> hosts:????????? files mdns4_minimal [NOTFOUND=return] dns
> networks:?????? files
> 
> protocols:????? db files
> services:?????? db files
> ethers:???????? db files
> rpc:??????????? db files
> 
> netgroup:?????? nis
> 
> -----------
> 
>  ?????? Checking file: /etc/samba/smb.conf
> 
> # Global parameters
> [global]
>  ??? dns forwarder = 10.10.1.1
>  ??? netbios name = ATHENA
>  ??? realm = EDM-INC.COM
>  ??? server role = active directory domain controller
>  ??? workgroup = EDM
>  ??? idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
>  ??? path = /var/lib/samba/sysvol/edm-inc.com/scripts
>  ??? read only = No
> 
> [sysvol]
>  ??? path = /var/lib/samba/sysvol
>  ??? read only = No
> 
> -----------
> 
> BIND_DLZ not detected in smb.conf
> 
> -----------
> 
> Installed packages:
> ii? acl 2.2.53-4??????????????????????? amd64??????? access 
> control list 
> - utilities
> ii? attr 1:2.4.48-4????????????????????? amd64??????? utilities for 
> manipulating filesystem extended attributes
> ii? fonts-quicksand 0.2016-2??????????????????????? all????????? 
> sans-serif font with round attributes
> ii? krb5-config 2.6???????????????????????????? all????????? 
> Configuration files for Kerberos Version 5
> ii? krb5-locales 1.17-3????????????????????????? all????????? 
> internationalization support for MIT Kerberos
> ii? krb5-user 1.17-6????????????????????????? amd64??????? basic 
> programs to authenticate using MIT Kerberos
> ii? libacl1:amd64 2.2.53-4??????????????????????? amd64??????? access 
> control list - shared library
> ii? libattr1:amd64 1:2.4.48-4????????????????????? amd64??????
> ? extended 
> attribute handling - shared library
> ii? libgssapi-krb5-2:amd64 1.17-6????????????????????????? 
> amd64??????? 
> MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii? libkrb5-3:amd64 1.17-6????????????????????????? amd64??????? MIT 
> Kerberos runtime libraries
> ii? libkrb5support0:amd64 1.17-6????????????????????????? 
> amd64??????? 
> MIT Kerberos runtime libraries - Support library
> ii? libnss-winbind:amd64 2:4.9.11+dfsg-1???????????????? amd64??????? 
> Samba nameservice integration plugins
> ii? libpam-krb5:amd64 4.8-2?????????????????????????? amd64???
???? PAM 
> module for MIT Kerberos
> ii? libpam-winbind:amd64 2:4.9.11+dfsg-1???????????????? amd64??????? 
> Windows domain authentication integration plugin
> ii? libsmbclient:amd64 2:4.9.11+dfsg-1???????????????? amd64??????? 
> shared library for communication with SMB/CIFS servers
> ii? libwbclient0:amd64 2:4.9.11+dfsg-1???????????????? amd64??????? 
> Samba winbind client library
> ii? python-samba 2:4.9.11+dfsg-1???????????????? amd64??????? Python 
> bindings for Samba
> ii? samba 2:4.9.11+dfsg-1???????????????? amd64??????? SMB/CIFS file, 
> print, and login server for Unix
> ii? samba-common 2:4.9.11+dfsg-1???????????????? all????????? common 
> files used by both the Samba server and client
> ii? samba-common-bin 2:4.9.11+dfsg-1???????????????? amd64????
??? Samba 
> common files used by both the server and the client
> ii? samba-dsdb-modules:amd64 2:4.9.11+dfsg-1???????????????? 
> amd64??????? Samba Directory Services Database
> ii? samba-libs:amd64 2:4.9.11+dfsg-1???????????????? amd64????
??? Samba 
> core libraries
> ii? samba-vfs-modules:amd64 2:4.9.11+dfsg-1???????????????? 
> amd64??????? 
> Samba Virtual FileSystem plugins
> ii? smbc 1.2.2-4+b3????????????????????? amd64??????? 
> samba-commander - 
> curses based samba network browser
> ii? smbclient 2:4.9.11+dfsg-1???????????????? amd64??????? 
> command-line 
> SMB/CIFS clients for Unix
> ii? winbind 2:4.9.11+dfsg-1???????????????? amd64??????? service to 
> resolve user and group information from Windows NT servers
> 
> -----------
> 
> -- 
> Bob Wooldridge
> EDM Incorporated
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>