Lorenzo Milesi
2020-Mar-19 17:37 UTC
[Samba] Computer in Samba 4.3.11 domain - logon server unavailable
We've a Samba 4 domain (no AD, just DC) with LDAP backend on Ubuntu 14.04.
This server has been migrated from files backend to LDAP by the previous
maintainer, I know the version is pretty old but we cannot update at the moment.
The domain works fine with some W7 and W10 (updated from 7) computers, but we
have purchased a new Lenovo laptop with Win10 which joined the domain seamlessly
but denies any login with a domain user, it always returns:
we can't sign you in with this credential because your domain isn't
available.
After digging into event manager I found the error:
RPC Server unavailable (id 5719)
Samba is listening on ports 445 and 139, RPC should be on 135 if I got it right,
but I have other Samba4 DC setup without port 135 open, and they work fine. This
one as well has other Win10 PCs logging in correctly (though they were W7 before,
the failing one is brand new).
We tried enabling SMBv1, changing computer name, removing and adding it back to
the domain, none of these actions produced a change. We also tried the three
common actions suggested for this kind of error (changing dns, remove
credentials caching, remove protected user (though having no one)) and none of
these worked.
I raised Samba log level but it won't report anything useful. We've just
seen the IP successfully connecting to port 445, but nothing else.
Could it be a SID problem?
Another error I found in event log is:
NETLOGON 5719: Unable to establish secure connection to a domain controller.
I checked with
nltest /DSGET:DOM
nltest /DNSGET:DOM
and the first returns all the domain information, the latter just reports
"Command executed correctly".
smb.conf:
[global]
name resolve order = lmhosts hosts bcast
force group = adm
pam password change = yes
browsable = yes
server signing = auto
winbind uid = 10000-20000
remote announce = 10.0.0.255/OFFICE
interfaces = 10.0.0.3/24 127.0.0.1
bind interfaces only = yes
guest account = nobody
guest ok = yes
netbios name = server3
printing = bsd
delete readonly = yes
writeable = yes
logon script = netlogon.bat
local master = yes
workgroup = office
os level = 255
printcap name = /dev/null
security = user
username map = /etc/samba/username.map
max log size = 50
directory mode = 2770
log level = 10
log file = /var/log/samba/log.%m
load printers = no
root directory = /
force directory mode = 2777
logon drive = H:
domain master = yes
domain logons = yes
encrypt passwords = yes
winbind use default domain = Yes
server string = server3
winbind enum users = yes
unix password sync = yes
force create mode = 0777
winbind enum groups = yes
create mode = 0770
prefered master = yes
winbind cache time = 10
server signing = auto
ntlm auth = yes
lanman auth = yes
server signing = auto
map untrusted to domain = Yes
# wins support = yes
allow dcerpc auth level connect = yes
ldap suffix = dc=office,dc=lan
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=office,dc=lan
passdb backend = ldapsam:ldap://localhost:3890/
name resolve order = wins host dns bcast
add user script = /bin/netuseradd -a -m '%u'
delete user script = /bin/netuserdel '%u'
add group script = /bin/netgroupadd -a -p '%g'
delete group script = /bin/netgroupdel '%g'
add user to group script = /bin/netgroupmod -m '%u' '%g'
delete user from group script = /bin/netgroupmod -x '%u' '%g'
set primary group script = /bin/netusermod -g '%g' '%u'
add machine script = /bin/netuseradd -w '%u'
logon script = %U.bat
logon path
logon home
ldap ssl = no
wins support = yes
Debug log:
[2020/03/19 18:07:33.656027, 5, pid=27931, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
check lock order 1 for /var/run/samba/smbXsrv_session_global.tdb
[2020/03/19 18:07:33.656041, 10, pid=27931, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap.c:133(debug_lock_order)
lock order: 1:/var/run/samba/smbXsrv_session_global.tdb 2:<none>
3:<none>
[2020/03/19 18:07:33.656056, 10, pid=27931, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key)
Locking key B266FEC4
[2020/03/19 18:07:33.656074, 10, pid=27931, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal)
Allocated locked data 0x0x7f114a7f3d70
[2020/03/19 18:07:33.656374, 10, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/smbXsrv_session.c:888(smbXsrv_session_global_store)
[2020/03/19 18:07:33.656384, 10, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/smbXsrv_session.c:890(smbXsrv_session_global_store)
smbXsrv_session_global_store: key 'B266FEC4' stored
[2020/03/19 18:07:33.656399, 1, pid=27931, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:402(ndr_print_debug)
&global_blob: struct smbXsrv_session_globalB
version : SMBXSRV_VERSION_0 (0)
seqnum : 0x00000002 (2)
info : union smbXsrv_session_globalU(case 0)
info0 : *
info0: struct smbXsrv_session_global0
db_rec : *
session_global_id : 0xb266fec4 (2993094340)
session_wire_id : 0x00000000b266fec4 (2993094340)
creation_time : Thu Mar 19 18:07:34 2020 CET
expiration_time : Thu Jan 1 01:00:00 1970 CET
auth_time : Thu Mar 19 18:07:34 2020 CET
auth_session_info_seqnum : 0x00000001 (1)
auth_session_info : *
auth_session_info: struct auth_session_info
security_token : *
security_token: struct security_token
num_sids : 0x00000008 (8)
sids: ARRAY(8)
sids :
S-1-5-21-1476696432-437498857-2255427411-501
sids :
S-1-5-21-1476696432-437498857-2255427411-514
sids : S-1-22-2-65534
sids : S-1-1-0
sids : S-1-5-2
sids : S-1-5-32-546
sids : S-1-22-1-65534
sids : S-1-22-2-514
privilege_mask : 0x0000000000000000
(0)
0: SEC_PRIV_MACHINE_ACCOUNT_BIT
0: SEC_PRIV_PRINT_OPERATOR_BIT
0: SEC_PRIV_ADD_USERS_BIT
0: SEC_PRIV_DISK_OPERATOR_BIT
0: SEC_PRIV_REMOTE_SHUTDOWN_BIT
0: SEC_PRIV_BACKUP_BIT
0: SEC_PRIV_RESTORE_BIT
0: SEC_PRIV_TAKE_OWNERSHIP_BIT
0: SEC_PRIV_INCREASE_QUOTA_BIT
0: SEC_PRIV_SECURITY_BIT
0: SEC_PRIV_LOAD_DRIVER_BIT
0: SEC_PRIV_SYSTEM_PROFILE_BIT
0: SEC_PRIV_SYSTEMTIME_BIT
0: SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT
0: SEC_PRIV_INCREASE_BASE_PRIORITY_BIT
0: SEC_PRIV_CREATE_PAGEFILE_BIT
0: SEC_PRIV_SHUTDOWN_BIT
0: SEC_PRIV_DEBUG_BIT
0: SEC_PRIV_SYSTEM_ENVIRONMENT_BIT
0: SEC_PRIV_CHANGE_NOTIFY_BIT
0: SEC_PRIV_UNDOCK_BIT
0: SEC_PRIV_ENABLE_DELEGATION_BIT
0: SEC_PRIV_MANAGE_VOLUME_BIT
0: SEC_PRIV_IMPERSONATE_BIT
0: SEC_PRIV_CREATE_GLOBAL_BIT
rights_mask : 0x00000000 (0)
0: LSA_POLICY_MODE_INTERACTIVE
0: LSA_POLICY_MODE_NETWORK
0: LSA_POLICY_MODE_BATCH
0: LSA_POLICY_MODE_SERVICE
0: LSA_POLICY_MODE_PROXY
0: LSA_POLICY_MODE_DENY_INTERACTIVE
0: LSA_POLICY_MODE_DENY_NETWORK
0: LSA_POLICY_MODE_DENY_BATCH
0: LSA_POLICY_MODE_DENY_SERVICE
0: LSA_POLICY_MODE_REMOTE_INTERACTIVE
0:
LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE
0x00: LSA_POLICY_MODE_ALL (0)
0x00: LSA_POLICY_MODE_ALL_NT4 (0)
unix_token : *
unix_token: struct security_unix_token
uid : 0x000000000000fffe
(65534)
gid : 0x000000000000fffe
(65534)
ngroups : 0x00000002 (2)
groups: ARRAY(2)
groups :
0x0000000000000202 (514)
groups :
0x000000000000fffe (65534)
info : *
info: struct auth_user_info
account_name : *
account_name :
'nobody'
domain_name : *
domain_name : 'DOM'
full_name : NULL
logon_script : NULL
profile_path : NULL
home_directory : NULL
home_drive : NULL
logon_server : NULL
last_logon : NTTIME(0)
last_logoff : NTTIME(0)
acct_expiry : NTTIME(0)
last_password_change : NTTIME(0)
allow_password_change : NTTIME(0)
force_password_change : NTTIME(0)
logon_count : 0x0000 (0)
bad_password_count : 0x0000 (0)
acct_flags : 0x00000000 (0)
authenticated : 0x00 (0)
unix_info : *
unix_info: struct auth_user_info_unix
unix_name : *
unix_name :
'nobody'
sanitized_username : *
sanitized_username : ''
torture : NULL
credentials : NULL
connection_dialect : 0x0311 (785)
signing_required : 0x00 (0)
encryption_required : 0x00 (0)
num_channels : 0x00000001 (1)
channels: ARRAY(1)
channels: struct smbXsrv_channel_global0
server_id: struct server_id
pid : 0x0000000000006d1b
(27931)
task_id : 0x00000000 (0)
vnn : 0xffffffff (4294967295)
unique_id : 0x186f91593000f4b8
(1760785791568639160)
local_address : 'ipv4:10.0.0.1:445'
remote_address :
'ipv4:10.0.0.90:56660'
remote_name : '10.0.0.90'
auth_session_info_seqnum : 0x00000001 (1)
connection : *
[2020/03/19 18:07:33.657137, 10, pid=27931, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key)
Unlocking key B266FEC4
[2020/03/19 18:07:33.657155, 5, pid=27931, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
release lock order 1 for /var/run/samba/smbXsrv_session_global.tdb
[2020/03/19 18:07:33.657168, 10, pid=27931, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap.c:133(debug_lock_order)
lock order: 1:<none> 2:<none> 3:<none>
[2020/03/19 18:07:33.657182, 10, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/smbXsrv_session.c:1346(smbXsrv_session_update)
[2020/03/19 18:07:33.657191, 10, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/smbXsrv_session.c:1354(smbXsrv_session_update)
smbXsrv_session_update: global_id (0xb266fec4) stored
[2020/03/19 18:07:33.657204, 1, pid=27931, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:402(ndr_print_debug)
&session_blob: struct smbXsrv_sessionB
version : SMBXSRV_VERSION_0 (0)
reserved : 0x00000000 (0)
info : union smbXsrv_sessionU(case 0)
info0 : *
info0: struct smbXsrv_session
table : *
db_rec : NULL
client : *
local_id : 0xb266fec4 (2993094340)
global : *
global: struct smbXsrv_session_global0
db_rec : NULL
session_global_id : 0xb266fec4 (2993094340)
session_wire_id : 0x00000000b266fec4
(2993094340)
creation_time : Thu Mar 19 18:07:34 2020
CET
expiration_time : Thu Jan 1 01:00:00 1970
CET
auth_time : Thu Mar 19 18:07:34 2020
CET
auth_session_info_seqnum : 0x00000001 (1)
auth_session_info : *
auth_session_info: struct auth_session_info
security_token : *
security_token: struct security_token
num_sids : 0x00000008
(8)
sids: ARRAY(8)
sids :
S-1-5-21-1476696432-437498857-2255427411-501
sids :
S-1-5-21-1476696432-437498857-2255427411-514
sids :
S-1-22-2-65534
sids : S-1-1-0
sids : S-1-5-2
sids :
S-1-5-32-546
sids :
S-1-22-1-65534
sids :
S-1-22-2-514
privilege_mask :
0x0000000000000000 (0)
0: SEC_PRIV_MACHINE_ACCOUNT_BIT
0: SEC_PRIV_PRINT_OPERATOR_BIT
0: SEC_PRIV_ADD_USERS_BIT
0: SEC_PRIV_DISK_OPERATOR_BIT
0: SEC_PRIV_REMOTE_SHUTDOWN_BIT
0: SEC_PRIV_BACKUP_BIT
0: SEC_PRIV_RESTORE_BIT
0: SEC_PRIV_TAKE_OWNERSHIP_BIT
0: SEC_PRIV_INCREASE_QUOTA_BIT
0: SEC_PRIV_SECURITY_BIT
0: SEC_PRIV_LOAD_DRIVER_BIT
0: SEC_PRIV_SYSTEM_PROFILE_BIT
0: SEC_PRIV_SYSTEMTIME_BIT
0:
SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT
0:
SEC_PRIV_INCREASE_BASE_PRIORITY_BIT
0: SEC_PRIV_CREATE_PAGEFILE_BIT
0: SEC_PRIV_SHUTDOWN_BIT
0: SEC_PRIV_DEBUG_BIT
0:
SEC_PRIV_SYSTEM_ENVIRONMENT_BIT
0: SEC_PRIV_CHANGE_NOTIFY_BIT
0: SEC_PRIV_UNDOCK_BIT
0:
SEC_PRIV_ENABLE_DELEGATION_BIT
0: SEC_PRIV_MANAGE_VOLUME_BIT
0: SEC_PRIV_IMPERSONATE_BIT
0: SEC_PRIV_CREATE_GLOBAL_BIT
rights_mask : 0x00000000
(0)
0: LSA_POLICY_MODE_INTERACTIVE
0: LSA_POLICY_MODE_NETWORK
0: LSA_POLICY_MODE_BATCH
0: LSA_POLICY_MODE_SERVICE
0: LSA_POLICY_MODE_PROXY
0:
LSA_POLICY_MODE_DENY_INTERACTIVE
0: LSA_POLICY_MODE_DENY_NETWORK
0: LSA_POLICY_MODE_DENY_BATCH
0: LSA_POLICY_MODE_DENY_SERVICE
0:
LSA_POLICY_MODE_REMOTE_INTERACTIVE
0:
LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE
0x00: LSA_POLICY_MODE_ALL
(0)
0x00: LSA_POLICY_MODE_ALL_NT4
(0)
unix_token : *
unix_token: struct security_unix_token
uid :
0x000000000000fffe (65534)
gid :
0x000000000000fffe (65534)
ngroups : 0x00000002
(2)
groups: ARRAY(2)
groups :
0x0000000000000202 (514)
groups :
0x000000000000fffe (65534)
info : *
info: struct auth_user_info
account_name : *
account_name :
'nobody'
domain_name : *
domain_name :
'DOM'
full_name : NULL
logon_script : NULL
profile_path : NULL
home_directory : NULL
home_drive : NULL
logon_server : NULL
last_logon : NTTIME(0)
last_logoff : NTTIME(0)
acct_expiry : NTTIME(0)
last_password_change : NTTIME(0)
allow_password_change : NTTIME(0)
force_password_change : NTTIME(0)
logon_count : 0x0000 (0)
bad_password_count : 0x0000 (0)
acct_flags : 0x00000000
(0)
authenticated : 0x00 (0)
unix_info : *
unix_info: struct auth_user_info_unix
unix_name : *
unix_name :
'nobody'
sanitized_username : *
sanitized_username :
''
torture : NULL
credentials : NULL
connection_dialect : 0x0311 (785)
signing_required : 0x00 (0)
encryption_required : 0x00 (0)
num_channels : 0x00000001 (1)
channels: ARRAY(1)
channels: struct smbXsrv_channel_global0
server_id: struct server_id
pid :
0x0000000000006d1b (27931)
task_id : 0x00000000 (0)
vnn : 0xffffffff
(4294967295)
unique_id :
0x186f91593000f4b8 (1760785791568639160)
local_address :
'ipv4:10.0.0.1:445'
remote_address :
'ipv4:10.0.0.90:56660'
remote_name : '10.0.0.90'
auth_session_info_seqnum : 0x00000001 (1)
connection : *
status : NT_STATUS_OK
idle_time : Thu Mar 19 18:07:34 2020 CET
nonce_high_random : 0x88195c3aa5fe5e25
(-8639773003170816475)
nonce_high_max : 0x0000000000ffffff (16777215)
nonce_high : 0x0000000000000000 (0)
nonce_low : 0x0000000000000000 (0)
gensec : *
compat : *
tcon_table : *
preauth : NULL
encryption_desired : 0x00 (0)
[2020/03/19 18:07:33.658165, 10, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[8] dyn[yes:29] at
../source3/smbd/smb2_sesssetup.c:171
[2020/03/19 18:07:33.658182, 10, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/smb2_server.c:906(smb2_set_operation_credit)
smb2_set_operation_credit: requested 33, charge 1, granted 33, current
possible/max 512/512, total granted/max/low/range 33/8192/4/33
[2020/03/19 18:07:33.683865, 10, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/smb2_server.c:1061(smbd_server_connection_terminate_ex)
smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at
../source3/smbd/smb2_server.c:3591
[2020/03/19 18:07:33.683908, 4, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/03/19 18:07:33.683923, 5, pid=27931, effective(0, 0), real(0, 0)]
../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2020/03/19 18:07:33.683937, 5, pid=27931, effective(0, 0), real(0, 0)]
../source3/auth/token_util.c:639(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2020/03/19 18:07:33.683963, 5, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/uid.c:425(smbd_change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2020/03/19 18:07:33.683980, 4, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/03/19 18:07:33.683993, 5, pid=27931, effective(0, 0), real(0, 0)]
../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2020/03/19 18:07:33.684010, 5, pid=27931, effective(0, 0), real(0, 0)]
../source3/auth/token_util.c:639(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2020/03/19 18:07:33.684033, 5, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/uid.c:425(smbd_change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2020/03/19 18:07:33.684048, 4, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/03/19 18:07:33.684060, 5, pid=27931, effective(0, 0), real(0, 0)]
../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2020/03/19 18:07:33.684072, 5, pid=27931, effective(0, 0), real(0, 0)]
../source3/auth/token_util.c:639(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2020/03/19 18:07:33.684094, 5, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/uid.c:425(smbd_change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2020/03/19 18:07:33.684132, 5, pid=27931, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
check lock order 1 for /var/run/samba/smbXsrv_session_global.tdb
[2020/03/19 18:07:33.684148, 10, pid=27931, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap.c:133(debug_lock_order)
lock order: 1:/var/run/samba/smbXsrv_session_global.tdb 2:<none>
3:<none>
[2020/03/19 18:07:33.684164, 10, pid=27931, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key)
Locking key B266FEC4
[2020/03/19 18:07:33.684183, 10, pid=27931, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal)
Allocated locked data 0x0x7f114a823370
[2020/03/19 18:07:33.684210, 10, pid=27931, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key)
Unlocking key B266FEC4
[2020/03/19 18:07:33.684225, 5, pid=27931, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
release lock order 1 for /var/run/samba/smbXsrv_session_global.tdb
[2020/03/19 18:07:33.684237, 10, pid=27931, effective(0, 0), real(0, 0)]
../lib/dbwrap/dbwrap.c:133(debug_lock_order)
lock order: 1:<none> 2:<none> 3:<none>
[2020/03/19 18:07:33.684261, 4, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/03/19 18:07:33.684274, 5, pid=27931, effective(0, 0), real(0, 0)]
../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2020/03/19 18:07:33.684286, 5, pid=27931, effective(0, 0), real(0, 0)]
../source3/auth/token_util.c:639(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2020/03/19 18:07:33.684308, 5, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/uid.c:425(smbd_change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2020/03/19 18:07:33.684424, 3, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/server_exit.c:252(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
Thanks
--
Lorenzo Milesi - lorenzo.milesi at yetopen.it
YetOpen S.r.l. - https://www.yetopen.it/
Rowland Penny
2020-Mar-19 19:05 UTC
[Samba] Computer in Samba 4.3.11 domain - logon server unavailable
On 19/03/2020 17:37, Lorenzo Milesi via samba wrote:
> We've a Samba 4 domain (no AD, just DC) with LDAP backend on Ubuntu 14.04.
> This server has been migrated from files backend to LDAP by the previous
> maintainer, I know the version is pretty old but we cannot update at the moment.
> The domain works fine with some W7 and W10 (updated from 7) computers, but we
> have purchased a new Lenovo laptop with Win10 which joined the domain seamlessly
> but denies any login with a domain user, it always returns:
>
> we can't sign you in with this credential because your domain isn't available.
>
> After digging into event manager I found the error:
>
> RPC Server unavailable (id 5719)
>
> Samba is listening on ports 445 and 139, RPC should be on 135 if I got it right,
> but I have other Samba4 DC setup without port 135 open, and they work fine. This
> one as well has other Win10 PCs logging in correctly (though they were W7 before,
> the failing one is brand new).

Try reading this: https://wiki.samba.org/index.php/Samba_NT4_PDC_Port_Usage

>
> We tried enabling SMBv1, changing computer name, removing and adding it back to
> the domain, none of these actions produced a change. We also tried the three
> common actions suggested for this kind of error (changing dns, remove
> credentials caching, remove protected user (though having no one)) and none of
> these worked.
>
> I raised Samba log level but it won't report anything useful. We've just
> seen the IP successfully connecting to port 445, but nothing else.
> Could it be a SID problem?
>
>
> Another error I found in event log is:
> NETLOGON 5719: Unable to establish secure connection to a domain controller.
>
> I checked with
> nltest /DSGET:DOM
> nltest /DNSGET:DOM
> and the first returns all the domain information, the latter just reports
> "Command executed correctly".
>
>
> smb.conf:
>
> [global]
> name resolve order = lmhosts hosts bcast
> force group = adm
> pam password change = yes
> browsable = yes
> server signing = auto
> winbind uid = 10000-20000
> remote announce = 10.0.0.255/OFFICE
> interfaces = 10.0.0.3/24 127.0.0.1
> bind interfaces only = yes
> guest account = nobody
> guest ok = yes
> netbios name = server3
> printing = bsd
> delete readonly = yes
> writeable = yes
> logon script = netlogon.bat
> local master = yes
> workgroup = office
> os level = 255
> printcap name = /dev/null
> security = user
> username map = /etc/samba/username.map
> max log size = 50
> directory mode = 2770
> log level = 10
> log file = /var/log/samba/log.%m
> load printers = no
> root directory = /
> force directory mode = 2777
> logon drive = H:
> domain master = yes
> domain logons = yes
> encrypt passwords = yes
> winbind use default domain = Yes
>
> server string = server3
> winbind enum users = yes
> unix password sync = yes
> force create mode = 0777
> winbind enum groups = yes
> create mode = 0770
> prefered master = yes
> winbind cache time = 10
> server signing = auto
> ntlm auth = yes
> lanman auth = yes
> server signing = auto
> map untrusted to domain = Yes
> # wins support = yes
> allow dcerpc auth level connect = yes
> ldap suffix = dc=office,dc=lan
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=admin,dc=office,dc=lan
> passdb backend = ldapsam:ldap://localhost:3890/
> name resolve order = wins host dns bcast
> add user script = /bin/netuseradd -a -m '%u'
> delete user script = /bin/netuserdel '%u'
> add group script = /bin/netgroupadd -a -p '%g'
> delete group script = /bin/netgroupdel '%g'
> add user to group script = /bin/netgroupmod -m '%u' '%g'
> delete user from group script = /bin/netgroupmod -x '%u' '%g'
> set primary group script = /bin/netusermod -g '%g' '%u'
> add machine script = /bin/netuseradd -w '%u'
> logon script = %U.bat
> logon path
> logon home
> ldap ssl = no
> wins support = yes

Can I suggest you read 'man smb.conf'

Try adding 'server max protocol = NT1' and ensure SMBv1 is running on
all machines.

Also, is the ldap server really running on port 3890?

You also have some winbind lines, is winbind running?

Finally, I note that you say 'we cannot update at the moment', can I
suggest that you find the time to not only upgrade your distro, but to
upgrade to AD, one of these days Microsoft will turn off the
NT4-style domain support (probably by accident) and then refuse to turn
it back on again.

Rowland
Lorenzo Milesi
2020-Mar-19 19:19 UTC
[Samba] Computer in Samba 4.3.11 domain - logon server unavailable
> Can I suggest you read 'man smb.conf'

Thanks, but on what "topic"? Is there a specific param or config you think could be relevant?

> Try adding 'server max protocol = NT1' and ensure SMBv1 is running on
> all machines.

Is this just for SMBv1 or because you think it could be related to the login problem?

> Also, is the ldap server really running on port 3890?

Yes.

> You also have some winbind lines, is winbind running?

Yes

> Finally, I note that you say 'we cannot update at the moment', can I
> suggest that you find the time to not only upgrade your distro, but to
> upgrade to AD, one of these days Microsoft will turn off the
> NT4-style domain support (probably by accident) and then refuse to turn
> it back on again.

Good point. Thanks

--
Lorenzo Milesi - lorenzo.milesi at yetopen.it
YetOpen S.r.l. - https://www.yetopen.it/
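Added example, not part of the thread and not Samba project code: a small triage script that reduces a level-10 smbd log like the one posted in the first message to the few fields that describe the client session (account, authenticated flag, negotiated dialect, signing, and why the connection ended). The sample log is a constructed excerpt that copies field names, values and the archive's line wrapping from the posted dump; the function names `parse_sessions` and `findings` are hypothetical.

```python
import re

# Constructed excerpt: same fields and line wrapping as the level-10 dump in the thread.
SAMPLE_LOG = """\
[2020/03/19 18:07:33.657204, 1, pid=27931, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:402(ndr_print_debug)
&session_blob: struct smbXsrv_sessionB
account_name : *
account_name :
'nobody'
domain_name : 'DOM'
authenticated : 0x00 (0)
connection_dialect : 0x0311 (785)
signing_required : 0x00 (0)
encryption_required : 0x00 (0)
remote_address :
'ipv4:10.0.0.90:56660'
status : NT_STATUS_OK
[2020/03/19 18:07:33.683865, 10, pid=27931, effective(0, 0), real(0, 0)]
../source3/smbd/smb2_server.c:1061(smbd_server_connection_terminate_ex)
smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at
../source3/smbd/smb2_server.c:3591
"""

# SMB2/3 dialect revision codes as they appear in connection_dialect.
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
FIELDS = ("account_name", "domain_name", "authenticated", "connection_dialect",
          "signing_required", "encryption_required", "remote_address")
HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:.]+,\s*\d+, pid=(\d+),")
FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*)$")
REASON = re.compile(r"reason\[(NT_STATUS_\w+)\]")


def normalise(key, value):
    """Turn '0x00 (0)' into a bool, a dialect code into its name, strip quotes."""
    if value.startswith("0x"):
        number = int(value.split()[0], 16)
        if key == "connection_dialect":
            return DIALECTS.get(number, hex(number))
        return bool(number)
    return value.strip("'")


def parse_sessions(text):
    """Return {pid: summary} for every smbd process seen in the log text."""
    sessions, pid = {}, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        header = HEADER.match(line)
        if header:
            pid = int(header.group(1))
            sessions.setdefault(pid, {})
            continue
        if pid is None:
            continue
        reason = REASON.search(line)
        if reason:
            sessions[pid]["end_reason"] = reason.group(1)
            continue
        field = FIELD.match(line)
        if not field or field.group(1) not in FIELDS:
            continue
        key, value = field.group(1), field.group(2).strip()
        if value == "*":                      # pointer marker, real value follows
            continue
        if not value and i + 1 < len(lines):  # value wrapped onto the next line
            value = lines[i + 1].strip()
        sessions[pid][key] = normalise(key, value)
    return sessions


def findings(summary):
    """Describe what the log states about one session, without diagnosing it."""
    notes = []
    if summary.get("authenticated") is False:
        notes.append(f"unauthenticated session as {summary.get('account_name')!r} "
                     f"from {summary.get('remote_address')}")
    if summary.get("connection_dialect") and not summary.get("signing_required"):
        notes.append(f"{summary['connection_dialect']} negotiated, signing not required")
    if "end_reason" in summary:
        notes.append(f"connection ended: {summary['end_reason']}")
    return notes


if __name__ == "__main__":
    for pid, summary in parse_sessions(SAMPLE_LOG).items():
        print(pid, *findings(summary), sep="\n  ")
```

Run against the real `log.%m` file for the failing client, the same summary makes it easy to compare a working workstation's session with the new laptop's.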