Hi,

>Are you using Bind9, if so, post your named.conf files (the ones from /etc/bind)
No, I'm using DNS Internal.

>Is winbind installed ?
No, because the Samba tutorial said that for DC it was not necessary.

Regards,

Márcio Bacci

On Thu, 22 Aug 2019 at 15:43, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 22/08/2019 19:22, Marcio Demetrio Bacci via samba wrote:
> > Hi,
> >
> > I noticed some problems in my DC2 (secondary) Logs, as below:
> >
> > root at samba4-dc2:/var/log/samba# tail log.samba
> >
> > ago 22 14:55:21 samba4-dc2 samba[2812]: [2019/08/22 14:55:21.106213, 0]
> > ../lib/util/util_runcmd.c:316(…andler)
> > ago 22 14:55:21 samba4-dc2 samba[2812]: /usr/sbin/samba_dnsupdate: GENSEC
> > backend 'krb5' registered
> > ago 22 14:55:21 samba4-dc2 samba[2812]: [2019/08/22 14:55:21.106248, 0]
> > ../lib/util/util_runcmd.c:316(…andler)
> > ago 22 14:55:21 samba4-dc2 samba[2812]: /usr/sbin/samba_dnsupdate: GENSEC
> > backend 'fake_gssapi_krb5' …istered
> > ago 22 14:56:13 samba4-dc2 samba[2812]: [2019/08/22 14:56:13.779939, 0]
> > ../lib/util/util_runcmd.c:316(…andler)
> > ago 22 14:56:13 samba4-dc2 samba[2812]: /usr/sbin/rndc: Failed to exec
> > child - No such file or directory
> > ago 22 14:56:13 samba4-dc2 samba[2812]: [2019/08/22 14:56:13.781786, 0]
> > ../source4/dsdb/dns/dns_update…c_done)
> > ago 22 14:56:13 samba4-dc2 samba[2812]:
> > ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_…CESSFUL
> > ago 22 14:56:25 samba4-dc2 samba[2811]: [2019/08/22 14:56:25.466999, 0]
> > ../lib/util/util_runcmd.c:316(…andler)
> > ago 22 14:56:25 samba4-dc2 samba[2811]: /usr/sbin/samba_kcc: ldb_wrap
> > open of secrets.ldb
>
> Are you using Bind9, if so, post your named.conf files (the ones from
> /etc/bind)
>
> >
> > root at samba4-dc2:/var/log/samba# tail syslog
> >
> > Aug 22 15:04:28 samba4-dc2 smbd[17917]: Right[ 0]:
> > SeRemoteInteractiveLogonRight
> > Aug 22 15:04:31 samba4-dc2 smbd[17918]: [2019/08/22 15:04:31.678220, 0]
> > ../source4/auth/unix_token.c:79(security_token_to_unix_token)
> > Aug 22 15:04:31 samba4-dc2 smbd[17918]: Unable to convert first SID
> > (S-1-5-21-1712526294-259020848-313593124-9877) in user token to a UID.
> > Conversion was returned as type 0, full token:
> > Aug 22 15:04:31 samba4-dc2 smbd[17918]: [2019/08/22 15:04:31.679042, 0]
> > ../libcli/security/security_token.c:63(security_token_debug)
> > Aug 22 15:04:31 samba4-dc2 smbd[17918]: Security token SIDs (6):
> > Aug 22 15:04:31 samba4-dc2 smbd[17918]: SID[ 0]:
> > S-1-5-21-1712526294-259020848-313593124-9877
> > Aug 22 15:04:31 samba4-dc2 smbd[17918]: SID[ 1]:
> > S-1-5-21-1712526294-259020848-313593124-515
> > Aug 22 15:04:31 samba4-dc2 smbd[17918]: SID[ 2]: S-1-1-0
> > Aug 22 15:04:31 samba4-dc2 smbd[17918]: SID[ 3]: S-1-5-2
> > Aug 22 15:04:31 samba4-dc2 smbd[17918]: SID[ 4]: S-1-5-11
> > Aug 22 15:04:31 samba4-dc2 smbd[17918]: SID[ 5]: S-1-5-32-554
> > Aug 22 15:04:31 samba4-dc2 smbd[17918]: Privileges (0x 800000):
> > Aug 22 15:04:31 samba4-dc2 smbd[17918]: Privilege[ 0]:
> > SeChangeNotifyPrivilege
> > Aug 22 15:04:31 samba4-dc2 smbd[17918]: Rights (0x 400):
> > Aug 22 15:04:31 samba4-dc2 smbd[17918]: Right[ 0]:
> > SeRemoteInteractiveLogonRight
> > Aug 22 15:04:41 samba4-dc2 smbd[17923]: [2019/08/22 15:04:41.911678, 0]
> > ../source4/auth/unix_token.c:79(security_token_to_unix_token)
> > Aug 22 15:04:41 samba4-dc2 smbd[17923]: Unable to convert first SID
> > (S-1-5-21-1712526294-259020848-313593124-9846) in user token to a UID.
> > Conversion was returned as type 0, full token:
> > Aug 22 15:04:41 samba4-dc2 smbd[17923]: [2019/08/22 15:04:41.912554, 0]
> > ../libcli/security/security_token.c:63(security_token_debug)
> > Aug 22 15:04:41 samba4-dc2 smbd[17923]: Security token SIDs (6):
> > Aug 22 15:04:41 samba4-dc2 smbd[17923]: SID[ 0]:
> > S-1-5-21-1712526294-259020848-313593124-9846
> > Aug 22 15:04:41 samba4-dc2 smbd[17923]: SID[ 1]:
> > S-1-5-21-1712526294-259020848-313593124-515
> > Aug 22 15:04:41 samba4-dc2 smbd[17923]: SID[ 2]: S-1-1-0
> > Aug 22 15:04:41 samba4-dc2 smbd[17923]: SID[ 3]: S-1-5-2
> > Aug 22 15:04:41 samba4-dc2 smbd[17923]: SID[ 4]: S-1-5-11
> > Aug 22 15:04:41 samba4-dc2 smbd[17923]: SID[ 5]: S-1-5-32-554
> > Aug 22 15:04:41 samba4-dc2 smbd[17923]: Privileges (0x 800000):
> > Aug 22 15:04:41 samba4-dc2 smbd[17923]: Privilege[ 0]:
> > SeChangeNotifyPrivilege
> > Aug 22 15:04:41 samba4-dc2 smbd[17923]: Rights (0x 400):
> > Aug 22 15:04:41 samba4-dc2 smbd[17923]: Right[ 0]:
> > SeRemoteInteractiveLogonRight
> > Aug 22 15:04:57 samba4-dc2 smbd[17925]: [2019/08/22 15:04:57.666287, 0]
> > ../source4/auth/unix_token.c:79(security_token_to_unix_token)
> > Aug 22 15:04:57 samba4-dc2 smbd[17925]: Unable to convert first SID
> > (S-1-5-21-1712526294-259020848-313593124-9200) in user token to a UID.
> > Conversion was returned as type 0, full token:
> > Aug 22 15:04:57 samba4-dc2 smbd[17925]: [2019/08/22 15:04:57.667152, 0]
> > ../libcli/security/security_token.c:63(security_token_debug)
> > Aug 22 15:04:57 samba4-dc2 smbd[17925]: Security token SIDs (6):
> > Aug 22 15:04:57 samba4-dc2 smbd[17925]: SID[ 0]:
> > S-1-5-21-1712526294-259020848-313593124-9200
> > Aug 22 15:04:57 samba4-dc2 smbd[17925]: SID[ 1]:
> > S-1-5-21-1712526294-259020848-313593124-515
> > Aug 22 15:04:57 samba4-dc2 smbd[17925]: SID[ 2]: S-1-1-0
> > Aug 22 15:04:57 samba4-dc2 smbd[17925]: SID[ 3]: S-1-5-2
> > Aug 22 15:04:57 samba4-dc2 smbd[17925]: SID[ 4]: S-1-5-11
> > Aug 22 15:04:57 samba4-dc2 smbd[17925]: SID[ 5]: S-1-5-32-554
> > Aug 22 15:04:57 samba4-dc2 smbd[17925]: Privileges (0x 800000):
> > Aug 22 15:04:57 samba4-dc2 smbd[17925]: Privilege[ 0]:
> > SeChangeNotifyPrivilege
> > Aug 22 15:04:57 samba4-dc2 smbd[17925]: Rights (0x 400):
> > Aug 22 15:04:57 samba4-dc2 smbd[17925]: Right[ 0]:
> > SeRemoteInteractiveLogonRight
> >
> >
> > /etc/init.d/samba-ad-dc status
> > ● samba-ad-dc.service - Samba AD Daemon
> >    Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor
> > preset: enabled)
> >    Active: active (running) since Tue 2019-08-20 06:15:09 -03; 2 days ago
> >      Docs: man:samba(8)
> >            man:samba(7)
> >            man:smb.conf(5)
> >  Main PID: 2799 (samba)
> >    Status: "samba: ready to serve connections..."
> >     Tasks: 12 (limit: 4915)
> >    CGroup: /system.slice/samba-ad-dc.service
> >            ├─2799 /usr/sbin/samba
> >            ├─2801 /usr/sbin/samba
> >            ├─2802 /usr/sbin/samba
> >            ├─2803 /usr/sbin/samba
> >            ├─2804 /usr/sbin/samba
> >            ├─2806 /usr/sbin/samba
> >            ├─2807 /usr/sbin/samba
> >            ├─2808 /usr/sbin/samba
> >            ├─2810 /usr/sbin/samba
> >            ├─2811 /usr/sbin/samba
> >            ├─2812 /usr/sbin/samba
> >            └─2813 /usr/sbin/samba
> >
> > ago 22 14:55:21 samba4-dc2 samba[2812]: [2019/08/22 14:55:21.106213, 0]
> > ../lib/util/util_runcmd.c:316(…andler)
> > ago 22 14:55:21 samba4-dc2 samba[2812]: /usr/sbin/samba_dnsupdate: GENSEC
> > backend 'krb5' registered
> > ago 22 14:55:21 samba4-dc2 samba[2812]: [2019/08/22 14:55:21.106248, 0]
> > ../lib/util/util_runcmd.c:316(…andler)
> > ago 22 14:55:21 samba4-dc2 samba[2812]: /usr/sbin/samba_dnsupdate: GENSEC
> > backend 'fake_gssapi_krb5' …istered
> > ago 22 14:56:13 samba4-dc2 samba[2812]: [2019/08/22 14:56:13.779939, 0]
> > ../lib/util/util_runcmd.c:316(…andler)
> > ago 22 14:56:13 samba4-dc2 samba[2812]: /usr/sbin/rndc: Failed to exec
> > child - No such file or directory
> > ago 22 14:56:13 samba4-dc2 samba[2812]: [2019/08/22 14:56:13.781786, 0]
> > ../source4/dsdb/dns/dns_update…c_done)
> > ago 22 14:56:13 samba4-dc2 samba[2812]:
> > ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_…CESSFUL
> > ago 22 14:56:25 samba4-dc2 samba[2811]: [2019/08/22 14:56:25.466999, 0]
> > ../lib/util/util_runcmd.c:316(…andler)
> > ago 22 14:56:25 samba4-dc2 samba[2811]: /usr/sbin/samba_kcc: ldb_wrap
> > open of secrets.ldb
> > Hint: Some lines were ellipsized, use -l to show in full.
>
> Why oh why would anything not print the entire output and then tell you
> how to get it ?
>
> Why not just print the entire output ?
>
> >
> > How could you resolve these errors?
> >
> > Regards,
> >
> > Márcio Bacci
>
> Is winbind installed ?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
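Added example, not part of the original thread: a small Python triage script for the `security_token_to_unix_token` errors quoted in the message above. It pairs each "Unable to convert first SID" failure with the token dump from the same smbd PID and names the well-known SIDs, using RID 515 (Domain Computers) in the group list as a heuristic for a computer account; the sample log is constructed with a placeholder domain SID, and all function names are this example's own.

```python
"""Triage smbd "Unable to convert first SID ... to a UID" errors from syslog."""
import re
from collections import Counter

# Well-known SIDs and domain RIDs (fixed values defined by Windows/AD).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users",
               515: "Domain Computers", 516: "Domain Controllers"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssmbd\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
FAIL_RE = re.compile(
    r"Unable to convert first SID \((?P<sid>S-[\d-]+)\) in user token to a UID")
SID_RE = re.compile(r"SID\[\s*\d+\]:\s*(?P<sid>S-[\d-]+)")
DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-(?P<rid>\d+)")

# Constructed sample in the layout of the thread's syslog excerpt (unwrapped).
# The domain SID is a placeholder; the first line is an orphaned tail of an
# earlier token dump, as in the thread, and must be ignored.
SAMPLE_LOG = """\
Aug 22 15:04:28 samba4-dc2 smbd[17917]:     Right[  0]: SeRemoteInteractiveLogonRight
Aug 22 15:04:31 samba4-dc2 smbd[17918]: [2019/08/22 15:04:31.678220,  0] ../source4/auth/unix_token.c:79(security_token_to_unix_token)
Aug 22 15:04:31 samba4-dc2 smbd[17918]:   Unable to convert first SID (S-1-5-21-1111111111-2222222222-3333333333-9877) in user token to a UID.  Conversion was returned as type 0, full token:
Aug 22 15:04:31 samba4-dc2 smbd[17918]:   Security token SIDs (6):
Aug 22 15:04:31 samba4-dc2 smbd[17918]:     SID[  0]: S-1-5-21-1111111111-2222222222-3333333333-9877
Aug 22 15:04:31 samba4-dc2 smbd[17918]:     SID[  1]: S-1-5-21-1111111111-2222222222-3333333333-515
Aug 22 15:04:31 samba4-dc2 smbd[17918]:     SID[  2]: S-1-1-0
Aug 22 15:04:31 samba4-dc2 smbd[17918]:     SID[  3]: S-1-5-2
Aug 22 15:04:31 samba4-dc2 smbd[17918]:     SID[  4]: S-1-5-11
Aug 22 15:04:31 samba4-dc2 smbd[17918]:     SID[  5]: S-1-5-32-554
Aug 22 15:04:31 samba4-dc2 smbd[17918]:    Privileges (0x          800000):
Aug 22 15:05:02 samba4-dc2 smbd[17930]:   Unable to convert first SID (S-1-5-21-1111111111-2222222222-3333333333-1105) in user token to a UID.  Conversion was returned as type 0, full token:
Aug 22 15:05:02 samba4-dc2 smbd[17930]:   Security token SIDs (5):
Aug 22 15:05:02 samba4-dc2 smbd[17930]:     SID[  0]: S-1-5-21-1111111111-2222222222-3333333333-1105
Aug 22 15:05:02 samba4-dc2 smbd[17930]:     SID[  1]: S-1-5-21-1111111111-2222222222-3333333333-513
Aug 22 15:05:02 samba4-dc2 smbd[17930]:     SID[  2]: S-1-1-0
Aug 22 15:05:02 samba4-dc2 smbd[17930]:     SID[  3]: S-1-5-2
Aug 22 15:05:02 samba4-dc2 smbd[17930]:     SID[  4]: S-1-5-11
"""


def describe_sid(sid):
    """Return a readable name for a well-known SID or a well-known domain RID."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    m = DOMAIN_SID_RE.fullmatch(sid)
    if m:
        rid = int(m["rid"])
        return DOMAIN_RIDS.get(rid, f"domain account or group (RID {rid})")
    return "unknown"


def parse_token_failures(lines):
    """Collect one record per failed SID-to-UID conversion, with its token SIDs."""
    failures, open_by_pid = [], {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        fail = FAIL_RE.search(m["msg"])
        if fail:
            rec = {"time": m["ts"], "host": m["host"], "pid": int(m["pid"]),
                   "unmapped_sid": fail["sid"], "token": []}
            failures.append(rec)
            open_by_pid[m["pid"]] = rec  # later SID[n] lines of this PID belong here
            continue
        sid = SID_RE.search(m["msg"])
        if sid and m["pid"] in open_by_pid:  # skips dumps whose header was cut off
            open_by_pid[m["pid"]]["token"].append(sid["sid"])
    for rec in failures:
        rec["names"] = [describe_sid(s) for s in rec["token"]]
        # Heuristic: Domain Computers (RID 515) among the groups => computer account.
        rec["machine_account"] = any(
            (d := DOMAIN_SID_RE.fullmatch(s)) and int(d["rid"]) == 515
            for s in rec["token"][1:])
    return failures


def unmapped_counts(failures):
    """How often each SID failed to map, to separate one-offs from repeat offenders."""
    return Counter(f["unmapped_sid"] for f in failures)


if __name__ == "__main__":
    for f in parse_token_failures(SAMPLE_LOG.splitlines()):
        kind = "likely computer account" if f["machine_account"] else "user account"
        print(f'{f["time"]} pid={f["pid"]} {f["unmapped_sid"]} ({kind})')
        for sid, name in zip(f["token"], f["names"]):
            print(f"    {sid:<50} {name}")
```
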
Hi,

>.Is winbind installed ?
>No, because the Samba tutorial said that for DC it was not necessary.

Sorry, Winbind is installed, only packages libpam-winbind libnss-winbind libpam-krb5 aren't installed,

I have followed the tutorial:
https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Debian

Regards,

Márcio Bacci

On Thu, 22 Aug 2019 at 20:11, Marcio Demetrio Bacci <marciobacci at gmail.com> wrote:

> Hi,
>
> >Are you using Bind9, if so, post your named.conf files (the ones from /etc/bind)
> No, I'm using DNS Internal.
>
> >Is winbind installed ?
> No, because the Samba tutorial said that for DC it was not necessary.
>
> Regards,
>
> Márcio Bacci
Same for you.

Can you run: https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

And post the output, anonymize it where needed.

And install acl, it's not installed by default, where it's needed for samba-ad-dc and members.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Demetrio Bacci via samba
> Sent: Friday 23 August 2019 2:30
> To: Rowland penny
> CC: sambalist
> Subject: Re: [Samba] Erros in Samba 4 DC
>
> Hi,
>
> >.Is winbind installed ?
> >No, because the Samba tutorial said that for DC it was not necessary.
>
> Sorry, Winbind is installed, only packages libpam-winbind libnss-winbind
> libpam-krb5 aren't installed,
>
> I have followed the tutorial:
> https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Debian
>
> Regards,
>
> Márcio Bacci
On 23/08/2019 00:11, Marcio Demetrio Bacci wrote:
> Hi,
>
> >Are you using Bind9, if so, post your named.conf files (the ones from /etc/bind)
> No, I'm using DNS Internal.
>
> >Is winbind installed ?
> No, because the Samba tutorial said that for DC it was not necessary.

Which Samba tutorial ?

Please install it.

Rowland
Hi,
Now I installed acl package in DC 2.
Follows the result of the scripts executed on both DCs:
DC 1
Collected config --- 2019-08-23-07:36 -----------
Hostname: samba4-dc1
DNS Domain: empresa.com.br
FQDN: samba4-dc1.empresa.com.br
ipaddress: 192.168.1.20
-----------
Kerberos SRV _kerberos._tcp.empresa.com.br record verified ok, sample output:
Server: 192.168.1.20
Address: 192.168.1.20#53
_kerberos._tcp.empresa.com.br service = 0 100 88 samba4-dc1.gabcmt.eb.mil.br.
_kerberos._tcp.empresa.com.br service = 0 100 88 samba4-dc2.empresa.com.br.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 9.9 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:00:01:20 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.20/16 brd 192.168.255.255 scope global ens2
inet6 fe80::5054:ff:fe00:120/64 scope link
-----------
Checking file: /etc/hosts
192.168.1.20 samba4-dc1.empresa.com.br samba4-dc1
-----------
Checking file: /etc/resolv.conf
#domain empresa.com.br
search empresa.com.br
nameserver 192.168.1.20
-----------
Checking file: /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = EMPRESA.COM.BR
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat
group: compat
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = SAMBA4-DC1
realm = EMPRESA.COM.BR
workgroup = EMPRESA
server role = active directory domain controller
dns forwarder = 192.168.1.1 192.168.1.2
dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
ldap server require strong auth = no
[netlogon]
path = /var/lib/samba/sysvol/empresa.com.br/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:
ii  acl                     2.2.52-3+b1             amd64  Access control list utilities
ii  attr                    1:2.4.47-2+b2           amd64  Utilities for manipulating filesystem extended attributes
ii  krb5-config             2.6                     all    Configuration files for Kerberos Version 5
ii  krb5-locales            1.15-1+deb9u1           all    internationalization support for MIT Kerberos
ii  krb5-user               1.15-1+deb9u1           amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64           2.2.52-3+b1             amd64  Access control list shared library
ii  libacl1-dev             2.2.52-3+b1             amd64  Access control list static libraries and headers
ii  libattr1:amd64          1:2.4.47-2+b2           amd64  Extended attribute shared library
ii  libattr1-dev:amd64      1:2.4.47-2+b2           amd64  Extended attribute static libraries and headers
ii  libgssapi-krb5-2:amd64  1.15-1+deb9u1           amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64         1.15-1+deb9u1           amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64   1.15-1+deb9u1           amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64    2:4.5.16+dfsg-1+deb9u2  amd64  Samba nameservice integration plugins
ii  libpam-krb5:amd64       4.7-4                   amd64  PAM module for MIT Kerberos
ii  libpam-winbind:amd64    2:4.5.16+dfsg-1+deb9u2  amd64  Windows domain authentication integration plugin
ii  libwbclient0:amd64      2:4.5.16+dfsg-1+deb9u2  amd64  Samba winbind client library
ii  python-samba            2:4.5.16+dfsg-1+deb9u2  amd64  Python bindings for Samba
ii  samba                   2:4.5.16+dfsg-1+deb9u2  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common            2:4.5.16+dfsg-1+deb9u2  all    common files used by both the Samba server and client
ii  samba-common-bin        2:4.5.16+dfsg-1+deb9u2  amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules      2:4.5.16+dfsg-1+deb9u2  amd64  Samba Directory Services Database
ii  samba-libs:amd64        2:4.5.16+dfsg-1+deb9u2  amd64  Samba core libraries
ii  samba-vfs-modules       2:4.5.16+dfsg-1+deb9u2  amd64  Samba Virtual FileSystem plugins
ii  winbind                 2:4.5.16+dfsg-1+deb9u2  amd64  service to resolve user and group information from Windows NT servers
-----------
root@samba4-dc1:~#
################################################################################
DC 2
Please wait, collecting debug info.
Password for Administrator@EMPRESA.COM.BR:
grep: : Arquivo ou diretório não encontrado
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
The debug info about your system can be found in this file:
/tmp/samba-debug-info.txt
Please check this and if required, sanitise it.
Then copy & paste it into an email to the samba list
Do not attach it to the email, the Samba mailing list strips attachments.
root@samba4-dc2:~# cat /tmp/samba-debug-info.txt
Collected config --- 2019-08-23-07:33 -----------
Hostname: samba4-dc2
DNS Domain: empresa.com.br
FQDN: samba4-dc2.empresa.com.br
ipaddress: 192.168.1.22
-----------
Kerberos SRV _kerberos._tcp.empresa.com.br record verified ok, sample output:
Server: 192.168.1.20
Address: 192.168.1.20#53
_kerberos._tcp.empresa.com.br service = 0 100 88 samba4-dc1.gabcmt.eb.mil.br.
_kerberos._tcp.empresa.com.br service = 0 100 88 samba4-dc2.empresa.com.br.
You are running Samba as DC, but nmbd is also running
This is not allowed, please stop 'nmbd' from running
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 9.9 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:00:01:22 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.22/16 brd 192.168.255.255 scope global ens2
inet6 fe80::5054:ff:fe00:122/64 scope link
-----------
Checking file: /etc/hosts
192.168.1.22 samba4-dc2.empresa.com.br samba4-dc2
192.168.1.20 samba4-dc1.empresa.com.br samba4-dc1
-----------
Checking file: /etc/resolv.conf
#domain empresa.com.br
search empresa.com.br
#nameserver 10.133.84.135
nameserver 192.168.1.20
nameserver 192.168.1.22
-----------
Checking file: /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm =EMPRESA.COM.BR
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat
group: compat
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Warning, does not exist
-----------
Installed packages:
ii acl 2.2.52-3+b1 amd64
Access control list utilities
ii attr 1:2.4.47-2+b2 amd64
Utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all
Configuration files for Kerberos Version 5
ii krb5-locales 1.15-1+deb9u1 all
internationalization support for MIT Kerberos
ii krb5-user 1.15-1+deb9u1 amd64
basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1 amd64
Access control list shared library
ii libattr1:amd64 1:2.4.47-2+b2 amd64
Extended attribute shared library
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.15-1+deb9u1 amd64
MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1 amd64
MIT Kerberos runtime libraries - Support library
ii libwbclient0:amd64 2:4.5.16+dfsg-1+deb9u2 amd64
Samba winbind client library
ii python-samba 2:4.5.16+dfsg-1+deb9u2 amd64
Python bindings for Samba
ii samba 2:4.5.16+dfsg-1+deb9u2 amd64
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.5.16+dfsg-1+deb9u2 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.5.16+dfsg-1+deb9u2 amd64
Samba common files used by both the server and the client
ii samba-dsdb-modules 2:4.5.16+dfsg-1+deb9u2 amd64
Samba Directory Services Database
ii samba-libs:amd64 2:4.5.16+dfsg-1+deb9u2 amd64
Samba core libraries
ii samba-vfs-modules 2:4.5.16+dfsg-1+deb9u2 amd64
Samba Virtual FileSystem plugins
ii winbind 2:4.5.16+dfsg-1+deb9u2 amd64
service to resolve user and group information from Windows NT servers
-----------
Regards,
Márcio Bacci
On Fri, 23 Aug 2019 at 04:41, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 23/08/2019 00:11, Marcio Demetrio Bacci wrote:
> > Hi,
> >
> > >Are you using Bind9, if so, post your named.conf files (the ones from
> > /etc/bind)
> > No, I'm using DNS Internal.
> >
> >
> > >Is winbind installed ?
> > No, because the Samba tutorial said that for DC it was not necessary.
>
> Which Samba tutorial ?
>
> Please install it.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
I'll give you the hint
FQDN: samba4-dc1.empresa.com.br
ipaddress: 192.168.1.20
FQDN: samba4-dc2.empresa.com.br
ipaddress: 192.168.1.22
DC1.
Kerberos SRV _kerberos._tcp.empresa.com.br record verified ok, sample output:
Server: 192.168.1.20
Address: 192.168.1.20#53
_kerberos._tcp.empresa.com.br service = 0 100 88 samba4-dc1.gabcmt.eb.mil.br. <<<<
_kerberos._tcp.empresa.com.br service = 0 100 88 samba4-dc2.empresa.com.br.
/etc/hosts
192.168.1.20 samba4-dc1.empresa.com.br samba4-dc1
DC2.
Address: 192.168.1.20#53
_kerberos._tcp.empresa.com.br service = 0 100 88 samba4-dc1.gabcmt.eb.mil.br. <<<<<
_kerberos._tcp.empresa.com.br service = 0 100 88 samba4-dc2.empresa.com.br.
Checking file: /etc/hosts
192.168.1.22 samba4-dc2.empresa.com.br samba4-dc2
192.168.1.20 samba4-dc1.empresa.com.br samba4-dc1
So as far as I can tell/see, you need to fix some things in your resolving, because
where is DC1 (samba4-dc1.empresa.com.br)?
It looks like it's registered under the name samba4-dc1.gabcmt.eb.mil.br?
Can you elaborate more on this/check this? (samba4-dc1.gabcmt.eb.mil.br?)
And change your hosts files to this layout: /etc/hosts
127.0.0.1 localhost
192.168.1.20 samba4-dc1.empresa.com.br samba4-dc1
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Greetz,
Louis
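The cross-check Louis describes above (an SRV target outside the domain, and a DC listed in /etc/hosts that no SRV record points at), as an added example that is not part of the original thread. The function names are hypothetical; the sample input is taken from the debug output quoted in the thread, with a localhost line added to the hosts data.

```shell
#!/bin/sh
# Added example: cross-check Kerberos SRV targets against the AD DNS
# domain and against the DC names listed in /etc/hosts.

# Sample input modelled on the debug output in this thread.
SRV_OUTPUT='Server: 192.168.1.20
Address: 192.168.1.20#53
_kerberos._tcp.empresa.com.br service = 0 100 88 samba4-dc1.gabcmt.eb.mil.br.
_kerberos._tcp.empresa.com.br service = 0 100 88 samba4-dc2.empresa.com.br.'

# The localhost line is constructed; the DC lines are from DC2's /etc/hosts.
HOSTS_CONTENT='127.0.0.1 localhost
192.168.1.22 samba4-dc2.empresa.com.br samba4-dc2
192.168.1.20 samba4-dc1.empresa.com.br samba4-dc1'

# srv_targets TEXT: one lower-cased target FQDN per SRV answer line,
# with the trailing root dot removed.
srv_targets() {
    printf '%s\n' "$1" | awk '/ service = / {
        t = tolower($NF); sub(/\.$/, "", t); print t }'
}

# in_domain NAME DOMAIN: succeed if NAME is a host inside DOMAIN
# (DOMAIN must be given in lower case).
in_domain() {
    case "$1" in
        *".$2") return 0 ;;
        *) return 1 ;;
    esac
}

# srv_outside_domain TEXT DOMAIN: SRV targets that are not inside DOMAIN.
srv_outside_domain() {
    for t in $(srv_targets "$1"); do
        in_domain "$t" "$2" || printf '%s\n' "$t"
    done
}

# hosts_missing_srv TEXT HOSTS DOMAIN: FQDNs from the hosts data that are
# inside DOMAIN but are not the target of any SRV record.
hosts_missing_srv() {
    targets=$(srv_targets "$1")
    printf '%s\n' "$2" |
    awk '$1 !~ /^#/ && NF >= 2 { print tolower($2) }' |
    while read -r fqdn; do
        in_domain "$fqdn" "$3" || continue
        printf '%s\n' "$targets" | grep -qxF "$fqdn" || printf '%s\n' "$fqdn"
    done
}

DOMAIN=empresa.com.br
echo "SRV targets outside $DOMAIN:"
srv_outside_domain "$SRV_OUTPUT" "$DOMAIN"
echo "hosts entries in $DOMAIN without an SRV record:"
hosts_missing_srv "$SRV_OUTPUT" "$HOSTS_CONTENT" "$DOMAIN"
```

On a live DC the two variables can be filled from `nslookup -type=SRV _kerberos._tcp.empresa.com.br` and from the contents of `/etc/hosts`.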
________________________________
From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
Sent: Friday 23 August 2019 12:52
To: Rowland penny; L.P.H. van Belle
CC: sambalist
Subject: Re: [Samba] Erros in Samba 4 DC
Hi,
Now I installed the acl package on DC 2.
The results of the scripts executed on both DCs follow:
DC 1
Collected config --- 2019-08-23-07:36 -----------
Hostname: samba4-dc1
DNS Domain: empresa.com.br
FQDN: samba4-dc1.empresa.com.br
ipaddress: 192.168.1.20
-----------
Kerberos SRV _kerberos._tcp.empresa.com.br record verified ok, sample output:
Server: 192.168.1.20
Address: 192.168.1.20#53
_kerberos._tcp.empresa.com.br service = 0 100 88 samba4-dc1.gabcmt.eb.mil.br.
_kerberos._tcp.empresa.com.br service = 0 100 88 samba4-dc2.empresa.com.br.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 9.9 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:00:01:20 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.20/16 brd 192.168.255.255 scope global ens2
inet6 fe80::5054:ff:fe00:120/64 scope link
-----------
Checking file: /etc/hosts
192.168.1.20 samba4-dc1.empresa.com.br samba4-dc1
-----------
Checking file: /etc/resolv.conf
#domain empresa.com.br
search empresa.com.br
nameserver 192.168.1.20
-----------
Checking file: /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = EMPRESA.COM.BR
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat
group: compat
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = SAMBA4-DC1
realm = EMPRESA.COM.BR
workgroup = EMPRESA
server role = active directory domain controller
dns forwarder = 192.168.1.1 192.168.1.2
dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
ldap server require strong auth = no
[netlogon]
path = /var/lib/samba/sysvol/empresa.com.br/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:
ii acl 2.2.52-3+b1 amd64
Access control list utilities
ii attr 1:2.4.47-2+b2 amd64
Utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all
Configuration files for Kerberos Version 5
ii krb5-locales 1.15-1+deb9u1 all
internationalization support for MIT Kerberos
ii krb5-user 1.15-1+deb9u1 amd64
basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1 amd64
Access control list shared library
ii libacl1-dev 2.2.52-3+b1 amd64
Access control list static libraries and headers
ii libattr1:amd64 1:2.4.47-2+b2 amd64
Extended attribute shared library
ii libattr1-dev:amd64 1:2.4.47-2+b2 amd64
Extended attribute static libraries and headers
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.15-1+deb9u1 amd64
MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1 amd64
MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.5.16+dfsg-1+deb9u2 amd64
Samba nameservice integration plugins
ii libpam-krb5:amd64 4.7-4 amd64
PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.5.16+dfsg-1+deb9u2 amd64
Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.5.16+dfsg-1+deb9u2 amd64
Samba winbind client library
ii python-samba 2:4.5.16+dfsg-1+deb9u2 amd64
Python bindings for Samba
ii samba 2:4.5.16+dfsg-1+deb9u2 amd64
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.5.16+dfsg-1+deb9u2 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.5.16+dfsg-1+deb9u2 amd64
Samba common files used by both the server and the client
ii samba-dsdb-modules 2:4.5.16+dfsg-1+deb9u2 amd64
Samba Directory Services Database
ii samba-libs:amd64 2:4.5.16+dfsg-1+deb9u2 amd64
Samba core libraries
ii samba-vfs-modules 2:4.5.16+dfsg-1+deb9u2 amd64
Samba Virtual FileSystem plugins
ii winbind 2:4.5.16+dfsg-1+deb9u2 amd64
service to resolve user and group information from Windows NT servers
-----------
root@samba4-dc1:~#
################################################################################
DC 2
Please wait, collecting debug info.
Password for Administrator@EMPRESA.COM.BR:
grep: : Arquivo ou diretório não encontrado
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
The debug info about your system can be found in this file:
/tmp/samba-debug-info.txt
Please check this and if required, sanitise it.
Then copy & paste it into an email to the samba list
Do not attach it to the email, the Samba mailing list strips attachments.
root@samba4-dc2:~# cat /tmp/samba-debug-info.txt
Collected config --- 2019-08-23-07:33 -----------
Hostname: samba4-dc2
DNS Domain: empresa.com.br
FQDN: samba4-dc2.empresa.com.br
ipaddress: 192.168.1.22
-----------
Kerberos SRV _kerberos._tcp.empresa.com.br record verified ok, sample output:
Server: 192.168.1.20
Address: 192.168.1.20#53
_kerberos._tcp.empresa.com.br service = 0 100 88 samba4-dc1.gabcmt.eb.mil.br.
_kerberos._tcp.empresa.com.br service = 0 100 88 samba4-dc2.empresa.com.br.
You are running Samba as DC, but nmbd is also running
This is not allowed, please stop 'nmbd' from running
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 9.9 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:00:01:22 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.22/16 brd 192.168.255.255 scope global ens2
inet6 fe80::5054:ff:fe00:122/64 scope link
-----------
Checking file: /etc/hosts
192.168.1.22 samba4-dc2.empresa.com.br samba4-dc2
192.168.1.20 samba4-dc1.empresa.com.br samba4-dc1
-----------
Checking file: /etc/resolv.conf
#domain empresa.com.br
search empresa.com.br
#nameserver 10.133.84.135
nameserver 192.168.1.20
nameserver 192.168.1.22
-----------
Checking file: /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm =EMPRESA.COM.BR
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat
group: compat
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Warning, does not exist
-----------
Installed packages:
ii acl 2.2.52-3+b1 amd64
Access control list utilities
ii attr 1:2.4.47-2+b2 amd64
Utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all
Configuration files for Kerberos Version 5
ii krb5-locales 1.15-1+deb9u1 all
internationalization support for MIT Kerberos
ii krb5-user 1.15-1+deb9u1 amd64
basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1 amd64
Access control list shared library
ii libattr1:amd64 1:2.4.47-2+b2 amd64
Extended attribute shared library
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.15-1+deb9u1 amd64
MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1 amd64
MIT Kerberos runtime libraries - Support library
ii libwbclient0:amd64 2:4.5.16+dfsg-1+deb9u2 amd64
Samba winbind client library
ii python-samba 2:4.5.16+dfsg-1+deb9u2 amd64
Python bindings for Samba
ii samba 2:4.5.16+dfsg-1+deb9u2 amd64
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.5.16+dfsg-1+deb9u2 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.5.16+dfsg-1+deb9u2 amd64
Samba common files used by both the server and the client
ii samba-dsdb-modules 2:4.5.16+dfsg-1+deb9u2 amd64
Samba Directory Services Database
ii samba-libs:amd64 2:4.5.16+dfsg-1+deb9u2 amd64
Samba core libraries
ii samba-vfs-modules 2:4.5.16+dfsg-1+deb9u2 amd64
Samba Virtual FileSystem plugins
ii winbind 2:4.5.16+dfsg-1+deb9u2 amd64
service to resolve user and group information from Windows NT servers
-----------
Regards,
Márcio Bacci
On Fri, 23 Aug 2019 at 04:41, Rowland penny via samba <samba at lists.samba.org> wrote:
On 23/08/2019 00:11, Marcio Demetrio Bacci wrote:
> Hi,
>
> >Are you using Bind9, if so, post your named.conf files (the ones from
> /etc/bind)
> No, I'm using DNS Internal.
>
>
> >Is winbind installed ?
> No, because the Samba tutorial said that for DC it was not necessary.
Which Samba tutorial ?
Please install it.
Rowland