On Sun, Nov 10, 2019 at 11:00:20AM +0000, Rowland penny via samba wrote:
> On 10/11/2019 10:49, andi via samba wrote:
> > Hello,
> >
> > I have configured a Samba AD DC for use with
> > some Windows and Linux machines. The Linux machines use
> > Samba for user auth and also as Kerberos KDC for
> > NFS mounts. This works fine so far but after a while
> > the user can not access the NFS shares anymore.
> >
> > I tried to analyze the problem and finally found that
> > obtaining a ticket for the nfs service fails in this
> > case because of a wrong SPN: nfs/servername@... instead of
> > nfs/fqdnservername@... is used by the clients to get the
> > ticket.
> >
> > I tracked the problem down to an invalid PTR record for
> > the DC in the reverse lookup zone. The PTR record
> > had only the hostname but not the FQDN set.
> >
> > I manually fixed this using samba-tool dns add/delete and the NFS
> > mount worked again. Unfortunately after a while the record
> > gets changed back again. I was unable to figure out how this
> > happens. It seems that the change occurs while the 'samba_dnsupdate'
> > tool is running but I didn't find where in 'samba_dnsupdate'
> > the PTR record is set. I didn't find a suitable log
> > setting in smb.conf which would help me to find the origin
> > of the DNS change (loglevel 12 for dns produces lots of output
> > but nothing related to setting PTR records)
> >
> > samba version is 4.9.5-Debian
> >
> > Any ideas/help?
> >
> > cheers,
> > Andreas
>
> OK, lets start by making sure your DC and clients are set up correctly, can
> you download this:
>
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Run it on the Samba AD DC and a Unix client, then post the output into a
> reply to this thread, do not attach it, this list strips attachments.

Maybe one thing in advance: I'm using a typical DSL wallbox which is doing
telephone, DHCP and DNS (.183.1 address). I have set up its internal DNS so that
ad.home.arpa, .ad.home.arpa and 183.168.192.in-addr.arpa are forwarded
to the DC (.183.5 address).

Here is the output for the server:

Collected config --- 2019-11-10-18:30 -----------

Hostname: kronos
DNS Domain: ad.home.arpa
FQDN: kronos.ad.home.arpa
ipaddress: 192.168.183.5 2003:e3:570b:9400:f6xx:xxff:fexx:xxxx 2003:e3:5705:5200:f6xx:xxff:fexx:xxxxxx fd1f:6d10:24a0:1:f6xx:xxff:fexx:xxxx

-----------

Kerberos SRV _kerberos._tcp.ad.home.arpa record verified ok, sample output:
Server:         192.168.183.1
Address:        192.168.183.1#53

_kerberos._tcp.ad.home.arpa     service = 0 100 88 kronos.ad.home.arpa.
Samba is running as an AD DC

-----------
Checking file: /etc/os-release

PRETTY_NAME="Devuan GNU/Linux 3 (beowulf)"
NAME="Devuan GNU/Linux"
VERSION_ID="3"
VERSION="3 (beowulf)"
VERSION_CODENAME=beowulf
ID=debian
ID_LIKE=debian
HOME_URL="https://www.devuan.org/"
SUPPORT_URL="https://devuan.org/os/community"
BUG_REPORT_URL="https://bugs.devuan.org/"

-----------

This computer is running Devuan beowulf/ceres x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether f4:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.183.5/24 brd 192.168.183.255 scope global dynamic eth0
       valid_lft 800299sec preferred_lft 800299sec
    inet6 2003:e3:570b:9400:f6xx:xxff:fexx:xxxx/64 scope global dynamic mngtmpaddr
       valid_lft 6558sec preferred_lft 1158sec
    inet6 2003:e3:5705:5200:f6xx:xxff:fexx:xxxx/64 scope global deprecated dynamic mngtmpaddr
       valid_lft 3695sec preferred_lft 0sec
    inet6 fd1f:6d10:24a0:1:f6xx:xxff:fexx:xxxx/64 scope global dynamic mngtmpaddr
       valid_lft 6558sec preferred_lft 2958sec
    inet6 fe80::f6xx:xxff:fexx:xxxx/64 scope link

-----------
Checking file: /etc/hosts

127.0.0.1       localhost

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

Checking file: /etc/resolv.conf

domain ad.home.arpa
search ad.home.arpa
nameserver 192.168.183.1

-----------

Checking file: /etc/krb5.conf

[libdefaults]
        default_realm = AD.HOME.ARPA
        dns_lookup_realm = false
        dns_lookup_kdc = true

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files sss
group:          files sss
shadow:         files sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss

-----------

Checking file: /etc/samba/smb.conf

# Global parameters
[global]
#       dns forwarder = 192.168.183.1
        netbios name = KRONOS
        realm = AD.HOME.ARPA
        server role = active directory domain controller
        workgroup = OLYMP

        idmap_ldb:use rfc2307 = yes

        #idmap config * : backend = tdb
        #idmap config * : range = 4000 - 8999
        #idmap config OLYMP:backend = ad
        #idmap config OLYMP:schema_mode = rfc2307
        #idmap config OLYMP:range = 1100-4000
        #idmap config OLYMP:unix_nss_info = yes
        #idmap config OLYMP:unix_primary_group = yes

        vfs objects = acl_xattr
        map acl inherit = yes
        #store dos attributes = yes

        kerberos method = system keytab
#       log level = 1 kerberos:12
        log level = 3 dns:2

[netlogon]
        path = /var/lib/samba/sysvol/ad.home.arpa/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

-----------

BIND_DLZ not detected in smb.conf

-----------

Installed packages:
ii  attr                          1:2.4.48-4               amd64  utilities for manipulating filesystem extended attributes
ii  krb5-admin-server             1.17-3                   amd64  MIT Kerberos master server (kadmind)
ii  krb5-config                   2.6                      all    Configuration files for Kerberos Version 5
ii  krb5-kdc                      1.17-3                   amd64  MIT Kerberos key server (KDC)
ii  krb5-kdc-ldap                 1.17-3                   amd64  MIT Kerberos key server (KDC) LDAP plugin
ii  krb5-locales                  1.17-3                   all    internationalization support for MIT Kerberos
ii  krb5-user                     1.17-3                   amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                 2.2.53-4                 amd64  access control list - shared library
ii  libacl1-dev:amd64             2.2.53-4                 amd64  access control list - static libraries and headers
ii  libattr1:amd64                1:2.4.48-4               amd64  extended attribute handling - shared library
ii  libattr1-dev:amd64            1:2.4.48-4               amd64  extended attributes handling - static libraries and headers
ii  libcrypt-smbhash-perl         0.12-4                   all    generate LM/NT hash of a password for samba
ii  libgssapi-krb5-2:amd64        1.17-3                   amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64               1.17-3                   amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64         1.17-3                   amd64  MIT Kerberos runtime libraries - Support library
ii  libpam-krb5:amd64             4.8-2                    amd64  PAM module for MIT Kerberos
ii  libsmbclient:amd64            2:4.9.5+dfsg-5+deb10u1   amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64            2:4.9.5+dfsg-5+deb10u1   amd64  Samba winbind client library
ii  python-samba                  2:4.9.5+dfsg-5+deb10u1   amd64  Python bindings for Samba
ii  samba                         2:4.9.5+dfsg-5+deb10u1   amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common                  2:4.9.5+dfsg-5+deb10u1   all    common files used by both the Samba server and client
ii  samba-common-bin              2:4.9.5+dfsg-5+deb10u1   amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64      2:4.9.5+dfsg-5+deb10u1   amd64  Samba Directory Services Database
ii  samba-libs:amd64              2:4.9.5+dfsg-5+deb10u1   amd64  Samba core libraries
ii  samba-vfs-modules:amd64       2:4.9.5+dfsg-5+deb10u1   amd64  Samba Virtual FileSystem plugins
ii  smbclient                     2:4.9.5+dfsg-5+deb10u1   amd64  command-line SMB/CIFS clients for Unix
ii  sssd-krb5                     1.16.3-3.1               amd64  System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common              1.16.3-3.1               amd64  System Security Services Daemon -- Kerberos helpers
ii  winbind                       2:4.9.5+dfsg-5+deb10u1   amd64  service to resolve user and group information from Windows NT servers

-----------

And for the client:

Collected config --- 2019-11-10-18:36 -----------

Hostname: iris
DNS Domain: ad.home.arpa
FQDN: iris.ad.home.arpa
ipaddress: 192.168.183.22 2003:e3:570b:9400:4exx:xxff:fexx:xxxx fd1f:6d10:24a0:1:4exx:xxff:fexx:xxxx

-----------

Kerberos SRV _kerberos._tcp.ad.home.arpa record verified ok, sample output:
Server:         127.0.0.1
Address:        127.0.0.1#53

_kerberos._tcp.ad.home.arpa     service = 0 100 88 kronos.ad.home.arpa.
Samba is not being run as a DC or a Unix domain member.

-----------
Checking file: /etc/os-release

PRETTY_NAME="Devuan GNU/Linux ascii"
NAME="Devuan GNU/Linux"
ID=devuan
ID_LIKE=debian
HOME_URL="https://www.devuan.org/"
SUPPORT_URL="https://devuan.org/os/community"
BUG_REPORT_URL="https://bugs.devuan.org/"

-----------

This computer is running Devuan ascii x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 4c:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.183.22/24 brd 192.168.183.255 scope global dynamic wlan0
       valid_lft 863507sec preferred_lft 863507sec
    inet6 2003:e3:570b:9400:4exx:xxff:fexx:xxxx/128 scope global dynamic
       valid_lft 6964sec preferred_lft 1564sec
    inet6 fd1f:6d10:24a0:1:4exx:xxff:fexx:xxxx/64 scope global noprefixroute dynamic
       valid_lft 6964sec preferred_lft 3364sec
    inet6 fe80::4exx:xxff:fexx:xxxx/64 scope link
3: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 50:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
4: enx000011121314: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:00:11:12:13:14 brd ff:ff:ff:ff:ff:ff

-----------
Checking file: /etc/hosts

127.0.0.1       iris.ad.home.arpa iris
127.0.0.1       localhost.localdomain localhost

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

Checking file: /etc/resolv.conf

# Generated by NetworkManager
search ad.home.arpa
nameserver 127.0.0.1

-----------

Checking file: /etc/krb5.conf

[libdefaults]
        default_realm = AD.HOME.ARPA
        dns_lookup_realm = false

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

[realms]
        AD.HOME.ARPA = {
                kdc = kronos.ad.home.arpa
                default_domain = ad.home.arpa
        }

[domain_realm]
        ad.home.arpa = AD.HOME.ARPA
        .ad.home.arpa = AD.HOME.ARPA

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files sss
group:          files sss
shadow:         files sss
gshadow:        files

hosts:          files mdns4_minimal dns myhostname
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss

-----------

Warning, does not exist

-----------

Installed packages:
ii  acl                               2.2.52-3+b1              amd64  Access control list utilities
ii  krb5-config                       2.6                      all    Configuration files for Kerberos Version 5
ii  krb5-locales                      1.15-1+deb9u1            all    internationalization support for MIT Kerberos
ii  krb5-user                         1.15-1+deb9u1            amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                     2.2.52-3+b1              amd64  Access control list shared library
ii  libattr1:amd64                    1:2.4.47-2+b2            amd64  Extended attribute shared library
ii  libdb-je-java                     3.3.98-1                 all    Oracle Berkeley Database Java Edition
ii  libgssapi-krb5-2:amd64            1.15-1+deb9u1            amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libgssapi-krb5-2:i386             1.15-1+deb9u1            i386   MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                   1.15-1+deb9u1            amd64  MIT Kerberos runtime libraries
ii  libkrb5-3:i386                    1.15-1+deb9u1            i386   MIT Kerberos runtime libraries
ii  libkrb5support0:amd64             1.15-1+deb9u1            amd64  MIT Kerberos runtime libraries - Support library
ii  libkrb5support0:i386              1.15-1+deb9u1            i386   MIT Kerberos runtime libraries - Support library
ii  libsmbclient:amd64                2:4.5.16+dfsg-1+deb9u2   amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64                2:4.5.16+dfsg-1+deb9u2   amd64  Samba winbind client library
ii  python-samba                      2:4.5.16+dfsg-1+deb9u2   amd64  Python bindings for Samba
ii  samba-common                      2:4.5.16+dfsg-1+deb9u2   all    common files used by both the Samba server and client
ii  samba-common-bin                  2:4.5.16+dfsg-1+deb9u2   amd64  Samba common files used by both the server and the client
ii  samba-libs:amd64                  2:4.5.16+dfsg-1+deb9u2   amd64  Samba core libraries
ii  spice-client-glib-usb-acl-helper  0.33-3.3+deb9u1          amd64  Helper tool to validate usb ACLs
ii  sssd-krb5                         1.15.0-3                 amd64  System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common                  1.15.0-3                 amd64  System Security Services Daemon -- Kerberos helpers
ii  vlc-plugin-samba:amd64            3.0.8-0+deb9u1           amd64  Samba plugin for VLC

-----------

cheers,
Andreas
On 10/11/2019 17:49, andi via samba wrote:
> Maybe one thing in advance: I'm using a typical DSL wallbox which is doing
> telephone, dhcp and dns (.183.1 address) I have setup its internal DNS so that
> ad.home.arpa, .ad.home.arpa and 183.168.192.in-addr.arpa are forwarded
> to the DC (.183.5 address)

Similar to my setup, except I have turned off DHCP etc.

The problem is that whilst DHCP on the router will work with your Windows and Linux clients, it will not update DNS records in AD, and Linux clients will not attempt to update their records in AD, but Windows clients will.

>
> Here is the output for the server:
>
>
> Collected config --- 2019-11-10-18:30 -----------
>
> Hostname: kronos
> DNS Domain: ad.home.arpa
> FQDN: kronos.ad.home.arpa
> ipaddress: 192.168.183.5 2003:e3:570b:9400:f6xx:xxff:fexx:xxxx 2003:e3:5705:5200:f6xx:xxff:fexx:xxxxxx fd1f:6d10:24a0:1:f6xx:xxff:fexx:xxxx
>
> -----------
>
> Kerberos SRV _kerberos._tcp.ad.home.arpa record verified ok, sample output:
> Server:         192.168.183.1
> Address:        192.168.183.1#53
>
> _kerberos._tcp.ad.home.arpa     service = 0 100 88 kronos.ad.home.arpa.
> Samba is running as an AD DC

Interesting, the Kerberos record should point to the DC, it seems to be pointing to the router.

The AD DC should be authoritative for the AD DNS domain.

>
> This computer is running Devuan beowulf/ceres x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether f4:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
>     inet 192.168.183.5/24 brd 192.168.183.255 scope global dynamic eth0
>        valid_lft 800299sec preferred_lft 800299sec
>     inet6 2003:e3:570b:9400:f6xx:xxff:fexx:xxxx/64 scope global dynamic mngtmpaddr
>        valid_lft 6558sec preferred_lft 1158sec
>     inet6 2003:e3:5705:5200:f6xx:xxff:fexx:xxxx/64 scope global deprecated dynamic mngtmpaddr
>        valid_lft 3695sec preferred_lft 0sec
>     inet6 fd1f:6d10:24a0:1:f6xx:xxff:fexx:xxxx/64 scope global dynamic mngtmpaddr
>        valid_lft 6558sec preferred_lft 2958sec
>     inet6 fe80::f6xx:xxff:fexx:xxxx/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1       localhost

Please tell me that your DC isn't getting its IP from DHCP. If it is, then change it to a fixed IP; it must have a fixed IP and there should be a line in /etc/hosts similar to this:

192.168.183.5 kronos.ad.home.arpa kronos

>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> domain ad.home.arpa
> search ad.home.arpa
> nameserver 192.168.183.1

Remove the 'domain' line.

The 'nameserver' should point to the AD DC's IP address, not the router.

>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
>         default_realm = AD.HOME.ARPA
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files sss
> group:          files sss
> shadow:         files sss
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files sss
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis sss
> sudoers:        files sss
>
> -----------

If you wish your users to log into the DC, replace 'sss' with 'winbind' in the 'passwd' & 'group' lines, remove 'sss' from the other lines, and 'sudoers' will work from LDAP if you install sudo-ldap. You should also run 'apt-get purge sssd'; you cannot use sssd with Samba >= 4.8.0.

>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> #       dns forwarder = 192.168.183.1

Uncomment the line above, you need the forwarder.

>         netbios name = KRONOS
>         realm = AD.HOME.ARPA
>         server role = active directory domain controller
>         workgroup = OLYMP
>
>         idmap_ldb:use rfc2307 = yes
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         #store dos attributes = yes

Remove the three lines above, they actually break your AD DC.

>
>         kerberos method = system keytab
> #       log level = 1 kerberos:12
>         log level = 3 dns:2
> [netlogon]
>         path = /var/lib/samba/sysvol/ad.home.arpa/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
>
> -----------
>
> BIND_DLZ not detected in smb.conf
>
> -----------
>
> Installed packages:
> ii  attr                          1:2.4.48-4               amd64  utilities for manipulating filesystem extended attributes
> ii  krb5-admin-server             1.17-3                   amd64  MIT Kerberos master server (kadmind)
> ii  krb5-config                   2.6                      all    Configuration files for Kerberos Version 5
> ii  krb5-kdc                      1.17-3                   amd64  MIT Kerberos key server (KDC)
> ii  krb5-kdc-ldap                 1.17-3                   amd64  MIT Kerberos key server (KDC) LDAP plugin

Remove 'krb5-kdc' & 'krb5-kdc-ldap'; your Samba AD DC uses Heimdal, so you shouldn't have another KDC.

> ii  krb5-locales                  1.17-3                   all    internationalization support for MIT Kerberos
> ii  krb5-user                     1.17-3                   amd64  basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64                 2.2.53-4                 amd64  access control list - shared library
> ii  libacl1-dev:amd64             2.2.53-4                 amd64  access control list - static libraries and headers
> ii  libattr1:amd64                1:2.4.48-4               amd64  extended attribute handling - shared library
> ii  libattr1-dev:amd64            1:2.4.48-4               amd64  extended attributes handling - static libraries and headers
> ii  libcrypt-smbhash-perl         0.12-4                   all    generate LM/NT hash of a password for samba
> ii  libgssapi-krb5-2:amd64        1.17-3                   amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64               1.17-3                   amd64  MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64         1.17-3                   amd64  MIT Kerberos runtime libraries - Support library
> ii  libpam-krb5:amd64             4.8-2                    amd64  PAM module for MIT Kerberos
> ii  libsmbclient:amd64            2:4.9.5+dfsg-5+deb10u1   amd64  shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64            2:4.9.5+dfsg-5+deb10u1   amd64  Samba winbind client library
> ii  python-samba                  2:4.9.5+dfsg-5+deb10u1   amd64  Python bindings for Samba
> ii  samba                         2:4.9.5+dfsg-5+deb10u1   amd64  SMB/CIFS file, print, and login server for Unix
> ii  samba-common                  2:4.9.5+dfsg-5+deb10u1   all    common files used by both the Samba server and client
> ii  samba-common-bin              2:4.9.5+dfsg-5+deb10u1   amd64  Samba common files used by both the server and the client
> ii  samba-dsdb-modules:amd64      2:4.9.5+dfsg-5+deb10u1   amd64  Samba Directory Services Database
> ii  samba-libs:amd64              2:4.9.5+dfsg-5+deb10u1   amd64  Samba core libraries
> ii  samba-vfs-modules:amd64       2:4.9.5+dfsg-5+deb10u1   amd64  Samba Virtual FileSystem plugins
> ii  smbclient                     2:4.9.5+dfsg-5+deb10u1   amd64  command-line SMB/CIFS clients for Unix
> ii  sssd-krb5                     1.16.3-3.1               amd64  System Security Services Daemon -- Kerberos back end
> ii  sssd-krb5-common              1.16.3-3.1               amd64  System Security Services Daemon -- Kerberos helpers

As I said, remove sssd.

> ii  winbind                       2:4.9.5+dfsg-5+deb10u1   amd64  service to resolve user and group information from Windows NT servers
>
> -----------
>
>
> And for the client:
>
>
> Collected config --- 2019-11-10-18:36 -----------
>
> Hostname: iris
> DNS Domain: ad.home.arpa
> FQDN: iris.ad.home.arpa
> ipaddress: 192.168.183.22 2003:e3:570b:9400:4exx:xxff:fexx:xxxx fd1f:6d10:24a0:1:4exx:xxff:fexx:xxxx
>
> -----------
>
> Kerberos SRV _kerberos._tcp.ad.home.arpa record verified ok, sample output:
> Server:         127.0.0.1
> Address:        127.0.0.1#53

Again, that '127.0.0.1' should be the Samba AD DC's IP.

>
> _kerberos._tcp.ad.home.arpa     service = 0 100 88 kronos.ad.home.arpa.
> Samba is not being run as a DC or a Unix domain member.
>
> -----------
> Checking file: /etc/os-release
>
> PRETTY_NAME="Devuan GNU/Linux ascii"
> NAME="Devuan GNU/Linux"
> ID=devuan
> ID_LIKE=debian
> HOME_URL="https://www.devuan.org/"
> SUPPORT_URL="https://devuan.org/os/community"
> BUG_REPORT_URL="https://bugs.devuan.org/"
>
> -----------
>
>
> This computer is running Devuan ascii x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
>     link/ether 4c:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
>     inet 192.168.183.22/24 brd 192.168.183.255 scope global dynamic wlan0
>        valid_lft 863507sec preferred_lft 863507sec
>     inet6 2003:e3:570b:9400:4exx:xxff:fexx:xxxx/128 scope global dynamic
>        valid_lft 6964sec preferred_lft 1564sec
>     inet6 fd1f:6d10:24a0:1:4exx:xxff:fexx:xxxx/64 scope global noprefixroute dynamic
>        valid_lft 6964sec preferred_lft 3364sec
>     inet6 fe80::4exx:xxff:fexx:xxxx/64 scope link
> 3: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
>     link/ether 50:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
> 4: enx000011121314: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
>     link/ether 00:00:11:12:13:14 brd ff:ff:ff:ff:ff:ff
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1       iris.ad.home.arpa iris
> 127.0.0.1       localhost.localdomain localhost

If this client gets its IP via DHCP, then you only need:

127.0.0.1 localhost

Otherwise:

127.0.0.1 localhost
192.168.183.22 iris.ad.home.arpa iris

>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # Generated by NetworkManager
> search ad.home.arpa
> nameserver 127.0.0.1

The nameserver should point to the AD DC.

>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files sss
> group:          files sss
> shadow:         files sss
> gshadow:        files
>
> hosts:          files mdns4_minimal dns myhostname
> networks:       files
>
> protocols:      db files
> services:       db files sss
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis sss
> sudoers:        files sss

Again, remove sssd.

>
> -----------
>
> Warning, does not exist

Oh dear, it looks like you do not have a smb.conf.

>
> -----------
>
>
> Installed packages:
> ii  acl                               2.2.52-3+b1              amd64  Access control list utilities
> ii  krb5-config                       2.6                      all    Configuration files for Kerberos Version 5
> ii  krb5-locales                      1.15-1+deb9u1            all    internationalization support for MIT Kerberos
> ii  krb5-user                         1.15-1+deb9u1            amd64  basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64                     2.2.52-3+b1              amd64  Access control list shared library
> ii  libattr1:amd64                    1:2.4.47-2+b2            amd64  Extended attribute shared library
> ii  libdb-je-java                     3.3.98-1                 all    Oracle Berkeley Database Java Edition
> ii  libgssapi-krb5-2:amd64            1.15-1+deb9u1            amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libgssapi-krb5-2:i386             1.15-1+deb9u1            i386   MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64                   1.15-1+deb9u1            amd64  MIT Kerberos runtime libraries
> ii  libkrb5-3:i386                    1.15-1+deb9u1            i386   MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64             1.15-1+deb9u1            amd64  MIT Kerberos runtime libraries - Support library
> ii  libkrb5support0:i386              1.15-1+deb9u1            i386   MIT Kerberos runtime libraries - Support library
> ii  libsmbclient:amd64                2:4.5.16+dfsg-1+deb9u2   amd64  shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64                2:4.5.16+dfsg-1+deb9u2   amd64  Samba winbind client library
> ii  python-samba                      2:4.5.16+dfsg-1+deb9u2   amd64  Python bindings for Samba
> ii  samba-common                      2:4.5.16+dfsg-1+deb9u2   all    common files used by both the Samba server and client
> ii  samba-common-bin                  2:4.5.16+dfsg-1+deb9u2   amd64  Samba common files used by both the server and the client
> ii  samba-libs:amd64                  2:4.5.16+dfsg-1+deb9u2   amd64  Samba core libraries
> ii  spice-client-glib-usb-acl-helper  0.33-3.3+deb9u1          amd64  Helper tool to validate usb ACLs
> ii  sssd-krb5                         1.15.0-3                 amd64  System Security Services Daemon -- Kerberos back end
> ii  sssd-krb5-common                  1.15.0-3                 amd64  System Security Services Daemon -- Kerberos helpers
> ii  vlc-plugin-samba:amd64            3.0.8-0+deb9u1           amd64  Samba plugin for VLC

Ah, that explains it, 'samba' isn't installed. Remove the sssd files, then install these:

samba attr winbind libpam-winbind libpam-krb5 libnss-winbind

You will then need a smb.conf similar to this:

[global]
    workgroup = OLYMP
    security = ADS
    realm = AD.HOME.ARPA

    winbind use default domain = yes
    winbind expand groups = 2
    winbind refresh tickets = Yes

    idmap config *:backend = tdb
    idmap config *:range = 3000-7999
    idmap config OLYMP : backend = rid
    idmap config OLYMP : range = 10000-999999

    template shell = /bin/bash
    template homedir = /home/%U

    domain master = no
    local master = no
    preferred master = no

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

Create /etc/samba/user.map containing this:

!root = OLYMP\Administrator

The above uses the 'rid' backend, but if you have added rfc2307 attributes and want to use the 'ad' backend, then see here:

https://wiki.samba.org/index.php/Idmap_config_ad

Rowland
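The fault Andreas describes at the top of the thread (a PTR record for the DC that holds only the bare hostname, so clients request nfs/kronos@REALM instead of nfs/kronos.ad.home.arpa@REALM) and Rowland's repeated point that every host's resolver must point at the AD DC can both be caught by a small consistency check. The reason the PTR matters at all is that MIT Kerberos clients canonicalise the service host through reverse DNS by default (the rdns setting in [libdefaults]), so whatever the reverse zone says ends up in the SPN. The script below is an added example written for this thread; it is not Samba's code and not from the samba-collect-debug-info.sh script. It checks that the forward record agrees with the expected IP, that the PTR is the fully qualified name, and that the nameservers in a resolv.conf body are DC addresses. Resolver functions are passed in, so the check runs offline on the constructed records (which mirror the broken and fixed states from the thread); live_forward and live_reverse wrap the standard socket module for a real run.

```python
# Added example (not Samba's own code): forward/reverse DNS consistency check
# for a Kerberos service host such as the DC "kronos" in this thread.
import socket
from typing import Callable, Dict, List, Sequence, Tuple

Finding = Tuple[str, str]  # (severity, message); severity is "error" or "warn"


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def expected_spn(service: str, canonical_host: str, realm: str) -> str:
    """SPN a client forms once the service host has been canonicalised via DNS.
    If the PTR yields a bare hostname this becomes nfs/kronos@AD.HOME.ARPA,
    a principal the KDC does not hold, so the ticket request fails."""
    return "%s/%s@%s" % (service, normalize(canonical_host), realm)


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in a resolv.conf body."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_host_dns(fqdn: str, ip: str,
                   forward: Callable[[str], List[str]],
                   reverse: Callable[[str], List[str]],
                   nameservers: Sequence[str] = (),
                   dc_ips: Sequence[str] = (),
                   realm: str = "REALM") -> List[Finding]:
    """forward(name) -> addresses, reverse(ip) -> PTR names (both injected)."""
    findings: List[Finding] = []
    fqdn_n = normalize(fqdn)
    short = fqdn_n.split(".")[0]

    addrs = forward(fqdn_n)
    if not addrs:
        findings.append(("error", "no forward (A) record for %s" % fqdn_n))
    elif ip not in addrs:
        findings.append(("error", "%s resolves to %s, not %s" % (fqdn_n, addrs, ip)))

    ptrs = [normalize(p) for p in reverse(ip)]
    if not ptrs:
        findings.append(("error", "no PTR record for %s" % ip))
    for ptr in ptrs:
        if ptr == fqdn_n:
            continue                      # reverse zone agrees with the FQDN
        if ptr == short:
            findings.append(("error",
                "PTR for %s is the bare hostname '%s'; clients will ask for %s instead of %s"
                % (ip, ptr, expected_spn("nfs", ptr, realm), expected_spn("nfs", fqdn_n, realm))))
        elif "." not in ptr:
            findings.append(("error", "PTR for %s ('%s') is not fully qualified" % (ip, ptr)))
        else:
            findings.append(("warn", "PTR for %s names %s, not %s" % (ip, ptr, fqdn_n)))

    for ns in nameservers:                # every AD member should resolve via a DC
        if dc_ips and ns not in dc_ips:
            findings.append(("warn", "nameserver %s is not an AD DC (%s)" % (ns, ", ".join(dc_ips))))
    return findings


def live_forward(name: str) -> List[str]:
    """Real forward lookup through the system resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def live_reverse(ip: str) -> List[str]:
    """Real reverse lookup through the system resolver."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + list(aliases)
    except (socket.herror, socket.gaierror):
        return []


def table_resolver(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Offline resolver backed by a dict, for the constructed records below."""
    return lambda key: list(table.get(normalize(key), []))


# Constructed records mirroring the two states described in the thread.
FORWARD = {"kronos.ad.home.arpa": ["192.168.183.5"]}
BROKEN_REVERSE = {"192.168.183.5": ["kronos"]}                # PTR holds only the hostname
FIXED_REVERSE = {"192.168.183.5": ["kronos.ad.home.arpa."]}   # after samba-tool dns add
RESOLV_CONF = "domain ad.home.arpa\nsearch ad.home.arpa\nnameserver 192.168.183.1\n"


def demo(reverse_table: Dict[str, List[str]]) -> List[Finding]:
    return check_host_dns("kronos.ad.home.arpa", "192.168.183.5",
                          table_resolver(FORWARD), table_resolver(reverse_table),
                          nameservers=parse_resolv_conf(RESOLV_CONF),
                          dc_ips=["192.168.183.5"], realm="AD.HOME.ARPA")


if __name__ == "__main__":
    for label, table in (("broken", BROKEN_REVERSE), ("fixed", FIXED_REVERSE)):
        print("==", label)
        for severity, message in demo(table):
            print(severity, message)
```

Against the broken table the check reports the bare-hostname PTR as an error and shows both SPNs side by side; against the fixed table only the warning about the router being used as nameserver remains, which is exactly the second thing Rowland asks to be changed. To run it against a real host, pass live_forward and live_reverse in place of the table resolvers and the text of /etc/resolv.conf to parse_resolv_conf; re-running it after samba_dnsupdate has executed shows whether the PTR has been reverted.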
On 11/11/2019 16:47, andi wrote:
> On Sun, Nov 10, 2019 at 07:19:40PM +0000, Rowland penny via samba wrote:
>> On 10/11/2019 17:49, andi via samba wrote:
>>> Maybe one thing in advance: I'm using a typical DSL wallbox which is doing
>>> telephone, dhcp and dns (.183.1 address) I have setup its internal DNS so that
>>> ad.home.arpa, .ad.home.arpa and 183.168.192.in-addr.arpa are forwarded
>>> to the DC (.183.5 address)
>> Similar to my setup, except I have turned off dhcp etc.
>>
>> The problem is that whilst dhcp on the router will work with your Windows
>> and Linux clients, it will not update dns records in AD and linux clients
>> will not attempt to update their records in AD, but Windows clients will.
> I'm using fixed assignments in DHCP, so effectively IPs are constant.

Can I recommend you give the DC a static IP on the DC.

>
>>> Here is the output for the server:
>>>
>>>
>>> Collected config --- 2019-11-10-18:30 -----------
>>>
>>> Hostname: kronos
>>> DNS Domain: ad.home.arpa
>>> FQDN: kronos.ad.home.arpa
>>> ipaddress: 192.168.183.5 2003:e3:570b:9400:f6xx:xxff:fexx:xxxx 2003:e3:5705:5200:f6xx:xxff:fexx:xxxxxx fd1f:6d10:24a0:1:f6xx:xxff:fexx:xxxx
>>>
>>> -----------
>>>
>>> Kerberos SRV _kerberos._tcp.ad.home.arpa record verified ok, sample output:
>>> Server:         192.168.183.1
>>> Address:        192.168.183.1#53
>>>
>>> _kerberos._tcp.ad.home.arpa     service = 0 100 88 kronos.ad.home.arpa.
>>> Samba is running as an AD DC
>> Interesting, the kerberos record should point to the DC, it seems to be
>> pointing to the router.
> Why? Kronos is the DC. So it should be fine.

The IP above is 192.168.183.1, yet the IP for kronos (the DC) is 192.168.0.5, so it will not be fine.

>
>> The AD DC should be authoritative for the AD dns domain.
>>> -----------
>>> Checking file: /etc/hosts
>>>
>>> 127.0.0.1       localhost
>> Please tell me that your DC isn't getting its IP from DHCP, if it is, then
>> change it to a fixed IP, it must have a fixed IP and there should be a line
>> in /etc/hosts similar to this:
>>
>> 192.168.183.5 kronos.ad.home.arpa kronos
> It is assigned its IP by DHCP, but the IP is fixed in the DHCP server, so it
> should be fine, right? If I add the line to /etc/hosts will it fix the
> issue with the wrong PTR record in DNS?

It will fix a lot, but only if you give your DC a static IP and stop using DHCP on the DC. I would add the line.

>
>>> # The following lines are desirable for IPv6 capable hosts
>>> ::1     localhost ip6-localhost ip6-loopback
>>> ff02::1 ip6-allnodes
>>> ff02::2 ip6-allrouters
>>>
>>> -----------
>>>
>>> Checking file: /etc/resolv.conf
>>>
>>> domain ad.home.arpa
>>> search ad.home.arpa
>>> nameserver 192.168.183.1
>> Remove the 'domain' line
>>
>> The 'nameserver' should point to the AD DCs ipaddress, not the router
> I'll try.
>
>> If you wish your users to log into the DC, replace 'sss' with 'winbind' in
>> the 'passwd' & 'group' lines, remove 'sss' from the other lines and
>> 'sudoers' will work from ldap if you install sudo-ldap. You should also run
>> 'apt-get purge sssd', you cannot use sssd with Samba >= 4.8.0
> Well, since I'm just typing this email in a session of a domain account
> on a Linux client this seems curious to me. Can you point out why this
> won't work with sssd? Will the winbind module support the road-warrior
> use case? (Some of the machines are Linux notebooks which don't have access to the
> AD all the time)

You must use winbind with Samba >= 4.8.0 and this means you cannot use sssd any more. If you want to use the DC as a fileserver (not recommended) either use idmap.ldb (the default) or nslcd.

It might appear to work, but you are loading sssd variants of winbind libraries and they will conflict.

Adding 'winbind offline logon = yes' to smb.conf will allow your laptops to work when away from the domain.

>
>> Remove 'krb5-kdc' & 'krb5-kdc-ldap', your Samba AD DC uses heimdal, so you
>> shouldn't have another kdc.
> Just a leftover from Linux-only tests. The services are actually disabled.
>
>> Create /etc/samba/user.map containing this:
>>
>> !root = OLYMP\Administrator
>>
>> The above uses the 'rid' backend, but if you have added rfc2307 attributes
>> and want to use the 'ad' backend, then see here:
>>
>> https://wiki.samba.org/index.php/Idmap_config_ad
> Yes, the domain was provisioned with rfc2307
>

That is not what I said. Provisioning with RFC2307 only adds various OUs etc. in AD; it does not add any of the RFC2307 attributes, and you need these for the winbind 'ad' backend to work. If you haven't added any RFC2307 attributes to AD, then use 'rid' on the Unix domain members.

Can I point out that your set up is very like mine and everything works for me. I use the router as just that; everything else is done by the DCs.

I suggest you read these:

https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

Rowland
On Mon, Nov 11, 2019 at 05:27:03PM +0000, Rowland penny via samba wrote:
> > > > Kerberos SRV _kerberos._tcp.ad.home.arpa record verified ok, sample output:
> > > > Server: 192.168.183.1
> > > > Address: 192.168.183.1#53
> > > >
> > > > _kerberos._tcp.ad.home.arpa service = 0 100 88 kronos.ad.home.arpa.
> > > > Samba is running as an AD DC
> > > Interesting, the kerberos record should point to the DC, it seems to be
> > > pointing to the router.
> > Why? Kronos is the DC. So it should be fine.
> The IP above is 192.168.183.1, yet the IP for kronos (the DC) is
> 192.168.0.5, so it will not be fine.

Just for my understanding: The lines "Server:" and "Address:" refer to the DNS server which responded to the query, don't they? The actual answer to _kerberos._tcp.ad.home.arpa service is "0 100 88 kronos.ad.home.arpa." which is correct?

> ...
> You must use winbind with Samba >= 4.8.0 and this means you cannot use sssd any
> more. If you want to use the DC as a fileserver (not recommended) either use
> idmap.ldb (the default) or nslcd.

After another couple of hours I finally got a winbind login working. However I'm not sure how stable this works. On the client I had "wbinfo -i $username" return errors at first and then suddenly it worked. Maybe related to the older samba 4.5.1 version on the client. I have to upgrade it anyway because of the primary group. (I don't want it to be "domain users")

Yes, I'm going to use the DC also as a file server. I don't want to install multiple servers in a small home network, that is just overkill. However, the winbind mapping on the DC is not very nice. Since you said I can not set the ad idmappings on the DC, I'll have to live with that. I tried to manually edit idmap.ldb to enforce a uid/gid mapping and it seems to me that this works for the file server on the DC. Are settings in idmap.ldb permanent? Or might they change due to some update command?

> It might appear to work, but you are loading sssd variants of winbind
> libraries and they will conflict.

Hmm. OK.

Just a remark: I finally found the reason for the invalid PTR record update in the reverse lookup zone. It was sssd. It is actually a known problem with sssd in "ad" mode. It uses gethostname() and expects it to be the fqdn. Then it invokes "adcli" with the hostname to set the PTR record, which is then wrong since gethostname() does not return the fqdn in all configurations.

> ...
> That is not what I said, provisioning with RFC2307 only adds various OUs etc
> in AD, it does not add any of the RFC2307 attributes and you need these for
> the winbind 'ad' backend to work. If you haven't added any RFC2307
> attributes to AD, then use 'rid' on the Unix domain members

I already added them (sssd required them also)

> Can I point out that your set up is very like mine and everything works for
> me, I use the router as just that, everything else is done by the DCs. I
> suggest you read these:

Thanks for the links. Well, I tend to have my system as much error prone and also "non linux specialist maintainable (wife :-)" as possible. Browsing the internet should work in any case, even if the DC machine is completely broken.

So far, thank you very much for your help. I was close to just going back to LDAP + Kerberos and forgetting about Windows logon and shares. In some parts it is really hard to track down problems with samba, the error reporting could be more informative in some cases. I'm gonna do a little more testing now to see if the configuration is somewhat stable and fits my needs.

cheers,
Andreas

--
gnuPG keyid: 8C2BAF51
fingerprint: 28EE 8438 E688 D992 3661 C753 90B3 BAAA 8C2B AF51
If I may give a small remark on a comment here..

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of andi
> via samba
> Sent: Tuesday, 12 November 2019 20:25
> To: samba at lists.samba.org
> Subject: Re: [Samba] Invalid PTR record in reverse lookup zone
>
>
> Hmm. OK. Just a remark: I finally found the reason for the invalid
> PTR record update in the reverse lookup zone. It was sssd. It
> is actually a known problem with sssd in "ad" mode. It uses gethostname()
> and expects it to be the fqdn. Then it invokes "adcli" with the hostname
> to set the PTR record, which is then wrong since gethostname() does not
> return the fqdn in all configurations.
>

> It uses gethostname() and expects it to be the fqdn.

Normally yes, the hostname is always/should be displayed as the fqdn.

> which is then wrong since gethostname() does not
> return the fqdn in all configurations.

Which is why you should use a correct setup in /etc/hosts

If I look at yours. This part.

================================================
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether f4:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.183.5/24 brd 192.168.183.255 scope global dynamic eth0
       valid_lft 800299sec preferred_lft 800299sec
    inet6 2003:e3:570b:9400:f6xx:xxff:fexx:xxxx/64 scope global dynamic mngtmpaddr
       valid_lft 6558sec preferred_lft 1158sec
    inet6 2003:e3:5705:5200:f6xx:xxff:fexx:xxxx/64 scope global deprecated dynamic mngtmpaddr
       valid_lft 3695sec preferred_lft 0sec
    inet6 fd1f:6d10:24a0:1:f6xx:xxff:fexx:xxxx/64 scope global dynamic mngtmpaddr
       valid_lft 6558sec preferred_lft 2958sec
    inet6 fe80::f6xx:xxff:fexx:xxxx/64 scope link

-----------

Checking file: /etc/hosts

127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
================================================

If this was my config, it would probably look like this.

DNS Domain: ad.home.arpa
FQDN: kronos.ad.home.arpa

/etc/resolv.conf
domain ad.home.arpa
search ad.home.arpa
nameserver 192.168.183.5

/etc/hosts
127.0.0.1 localhost
192.168.183.5 kronos.ad.home.arpa kronos

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
2003:e3:570b:9400:f6xx:xxff:fexx:xxxx kronos.ad.home.arpa kronos
2003:e3:5705:5200:f6xx:xxff:fexx:xxxx kronos.ad.home.arpa kronos
fd1f:6d10:24a0:1:f6xx:xxff:fexx:xxxx kronos.ad.home.arpa kronos

If you apply it like that, and your dns zones are set up correctly, you can and should use fqdns/ip's in all your configs. And A/PTR records must be set of course.

If you're applying spn's to this, which you also do, for nfs and/or cifs and kerberos for auth, it saves you from problems with the spn resolving. Just set only kronos.ad.home.arpa for the spns and it just works in all configs.

Use CNAMES for all other hostnames you need and your spn with kerberos also keeps working.

This part,

> I tried to analyze the problem and finally found, that
> the obtaining a ticket for nfs service fails in this
> case because of a wrong spn: nfs/servername at ... instead of
> nfs/fqdnservername at ... is used by the clients to get the
> ticket.

No, this is the normal order of nfs to detect the nfs spn, even more are checked. I tried to find the article, but could not find it, and it's late.. it's something like

spn/HOSTNAME.FQDN
spn/HOSTNAME
spn/HOSTNAME$
root/HOSTNAME.FQDN

If you're automounting in user homedirs you might need to add the root/ spn if it's not working. That depends a bit on the rights setup.

>
> I tracked the problem down to an invalid PTR record for
> the DC in the reverse lookup zone. The ptr record
> had only the hostname but not the fqdn set.

This is due to not having a fully correct /etc/hosts at the time of creating the domain, most probably.

>
> I manually fixed this using samba-tool dns add/delete and nfs
> mount worked again. Unfortunately after a while the record
> gets changed back again. I was unable to figure out how this
> happens. It seems that the change occurs while 'samba_dnsupdate'
> tool is running but I didn't find where in 'samba_dnsupdate'
> the PTR record is set. I didn't find a suitable log
> setting in smb.conf which would help me to find the origin
> of the dns change (loglevel 12 for dns produces lots of output
> but nothing related to setting PTR records)

I don't know if it's fixed already, if not, this is how I check it. I use the Windows RSAT tool, ADUC. Enable advanced in view. And there check in the attribute editor, for the AD-DC, the needed values on the server object.

Like: dNSHostName and servicePrincipalName

The keytab file might need a check also, and reboot, check again.

Just some advice/tips.

Greetz,

Louis
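A consistency check for the situation discussed in this thread (a tool that calls gethostname() and assumes it gets the FQDN, and an /etc/hosts line that should list the FQDN before the short name), added here as an example; it is not code from the thread or from Samba/sssd. The function names are mine, the sample values (kronos, 192.168.183.5, ad.home.arpa) are taken from the posts above, and check_this_host assumes hostname -f and glibc getent are available.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the name data that
# gethostname()-based tools such as sssd/adcli and samba_dnsupdate rely on.

# name_consistent SHORT FQDN PTR_TARGET
# 0 when SHORT is dot-free, FQDN begins with "SHORT." and the PTR answer
# (trailing dot optional) is exactly FQDN; 1 otherwise, with a reason on stderr.
name_consistent() {
    short=$1
    fqdn=$2
    ptr=${3%.}                      # dig/nslookup print a trailing dot
    case "$short" in
        ''|*.*) echo "short hostname '$short' must be one label" >&2; return 1 ;;
    esac
    case "$fqdn" in
        "$short".*) ;;
        *) echo "FQDN '$fqdn' does not begin with '$short.'" >&2; return 1 ;;
    esac
    if [ "$ptr" != "$fqdn" ]; then
        echo "PTR target '$ptr' should be '$fqdn'" >&2
        return 1
    fi
    return 0
}

# hosts_fqdn_first HOSTS_TEXT IP FQDN
# 0 when the /etc/hosts line for IP names FQDN first (then aliases), which is
# the layout recommended above so that canonicalisation yields the FQDN.
hosts_fqdn_first() {
    printf '%s\n' "$1" | awk -v ip="$2" -v fqdn="$3" '
        /^[[:space:]]*#/ { next }
        $1 == ip { found = 1; if ($2 == fqdn) ok = 1 }
        END { exit !(found && ok) }'
}

# Live check for the machine this runs on (constructed sample values are used
# in the tests instead). Assumes hostname -f and glibc getent are available.
check_this_host() {
    short=$(hostname)
    fqdn=$(hostname -f)
    ip=$(getent ahostsv4 "$fqdn" | awk 'NR == 1 { print $1 }')
    ptr=$(getent hosts "$ip" | awk '{ print $2 }')
    name_consistent "$short" "$fqdn" "$ptr" &&
        hosts_fqdn_first "$(cat /etc/hosts)" "$ip" "$fqdn"
}
```

Run check_this_host on the DC after editing /etc/hosts; a PTR answer that is only the short name, as in the original report, fails the first check.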