MORILLO Jordi
2020-Nov-22 14:42 UTC
[Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2
Hello!

I have just upgraded 40 x Samba domain member file servers from 4.11.14 to 4.13.2.

- No problem with 20 x domain members that are in a unique Samba domain (only Samba DC)

- But for my other domain (composed of Windows 2016 DCs), all of the 20 x Samba domain members failed to serve files after this upgrade :-/

I have triple-checked /etc/hosts, hostname, krb5, etc., and nothing was wrong. These Samba domain members were working fine with 4.11.14.

The Kerberos part is OK (kinit/klist).

Here are some interesting logs (errors only):

net ads testjoin
Join to domain is not valid: LDAP_OPERATIONS_ERROR

/var/log/samba/log.smbd :
[2020/11/22 13:13:18.319090, 0] ../../source3/printing/nt_printing.c:252(nt_printing_init)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED

/var/log/samba/log.wb-EF540
[2020/11/22 12:14:31.081839, 0] ../../source3/winbindd/winbindd_cm.c:1874(wb_open_internal_pipe)
  open_internal_pipe: Could not connect to dssetup pipe: NT_STATUS_RPC_INTERFACE_NOT_FOUND
[2020/11/22 12:14:31.094251, 0] ../../source3/rpc_server/rpc_ncacn_np.c:456(rpcint_dispatch)
  rpcint_dispatch: DCE/RPC fault in call lsarpc:2E - DCERPC_NCA_S_OP_RNG_ERROR

After searching for some hours, I downgraded to 4.11.14 to solve this problem.

I use the tranquil.it repo; could it be some mis-built packages?

Below is the result of the debug script:

Collected config --- 2020-11-22-15:37 -----------

Hostname: ef540
DNS Domain: educ-for.local
FQDN: ef540.educ-for.local
ipaddress: 10.20.2.1

-----------

Kerberos SRV _kerberos._tcp.educ-for.local record verified ok, sample output:
Server: 10.1.1.12
Address: 10.1.1.12#53

_kerberos._tcp.educ-for.local service = 0 100 88 Yoda.educ-for.local.
_kerberos._tcp.educ-for.local service = 0 100 88 palpatine.educ-for.local.
_kerberos._tcp.educ-for.local service = 0 100 88 yoda.educ-for.local.
_kerberos._tcp.educ-for.local service = 0 100 88 vader.educ-for.local.
Samba is running as a Unix domain member

Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------

This computer is running Debian 10.6 x86_64

-----------

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether ee:26:ac:b2:ea:04 brd ff:ff:ff:ff:ff:ff
    inet 10.20.2.1/16 brd 10.20.255.255 scope global eth0

-----------

Checking file: /etc/hosts

127.0.0.1 localhost
10.20.2.1 ef540.educ-for.local

-----------

Checking file: /etc/resolv.conf

domain educ-for.local
search educ-for.local
nameserver 10.1.1.12
nameserver 10.1.5.1

-----------

Checking file: /etc/krb5.conf

[libdefaults]
default_realm = EDUC-FOR.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
clockskew = 3600

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind systemd
group: compat winbind systemd
shadow: compat winbind
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

-----------

Checking file: /etc/samba/smb.conf

[global]
    workgroup = EDUC-FOR
    security = ADS
    realm = EDUC-FOR.LOCAL
    server role = member server
    bind interfaces only = yes
    interfaces = lo eth0
    # Disable Netbios
    disable netbios = Yes
    smb ports = 445
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config EDUC-FOR:backend = rid
    idmap config EDUC-FOR:range = 10000-70000
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    domain master = no
    local master = no
    # For ACL support on member file server
    vfs objects = acl_xattr
    map acl inherit = Yes
    # Printing global configuration
    printcap cache time = 60
    printcap name = cups
    rpc_server:spoolss = external
    rpc_daemon:spoolssd = fork
    enumports command = /usr/local/bin/show-ports.sh
    # Disable offline mode on all shares
    csc policy = disable

[Commun]
    path = /home/commun
    read only = no

[users$]
    path = /home/users
    read only = no

[printers]
    path = /var/spool/samba
    comment = All Printers
    printable = yes
    printing = CUPS
    create mask = 0700
    guest ok = yes
    print ok = yes
    browseable = no

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printing
    writable = yes
    read only = no
    write list = root Administrateur @"Admins du domaine"

-----------

Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts

-----------

Warning, /etc/idmapd.conf does not exist

-----------

Installed packages:
ii acl 2.2.53-4 amd64 access control list - utilities
ii attr 1:2.4.48-4 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3+deb10u1 all internationalization support for MIT Kerberos
ii krb5-user 1.17-3+deb10u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba nameservice integration plugins
ii libsmbclient:amd64 2:4.13.2+dfsg-0.1buster1 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba winbind client library
ii python3-samba 2:4.13.2+dfsg-0.1buster1 amd64 Python 3 bindings for Samba
ii samba 2:4.13.2+dfsg-0.1buster1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.13.2+dfsg-0.1buster1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.13.2+dfsg-0.1buster1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.13.2+dfsg-0.1buster1 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.13.2+dfsg-0.1buster1 amd64 service to resolve user and group information from Windows NT servers

-----------
Rowland penny
2020-Nov-22 15:18 UTC
[Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2
On 22/11/2020 14:42, MORILLO Jordi via samba wrote:
> Hello!
>
> I have just upgraded 40 x Samba domain member file servers from 4.11.14 to 4.13.2.
>
> - No problem with 20 x domain members that are in a unique Samba domain (only Samba DC)
>
> - But for my other domain (composed of Windows 2016 DCs), all of the 20 x Samba domain members failed to serve files after this upgrade :-/

Try installing these packages:

libpam-krb5 libpam-winbind

Rowland
MORILLO Jordi
2020-Nov-23 17:37 UTC
[Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2
Hi Rowland,

Sorry to inform you that none of those packages solved my problem.

But today, with some help from Tranquil.it, I have some news:

- Upgrade from 4.11.14 -> 4.12.9 is OK
- Upgrade from 4.12.9 -> 4.13.2: problem is present with Tranquil.it AND Louis packages
- Fresh install + member join with 4.13.2 is OK (CentOS AND Buster packages)

The problem only occurs when upgrading a member to 4.13.2 with Windows 2016 DCs.

Here are some interesting parts of net ads testjoin -d99 between 4.11.14 and 4.13.2:

4.11.14 (working)
[...]
sitename_fetch: Returning sitename for realm 'EDUC-FOR.LOCAL': "Siege"
resolve_and_ping_dns: (cldap) looking for realm 'EDUC-FOR.LOCAL'
get_sorted_dc_list: attempting lookup for name EDUC-FOR.LOCAL (sitename Siege)
saf_fetch: Returning "Palpatine.educ-for.local" for "EDUC-FOR.LOCAL" domain
get_dc_list: preferred server list: "Palpatine.educ-for.local, *"
internal_resolve_name: looking up EDUC-FOR.LOCAL#1c (sitename Siege)
name EDUC-FOR.LOCAL#1C found.
[...]

4.13.2 (failed)
sitename_fetch: Returning sitename for realm 'EDUC-FOR.LOCAL': "Siege"
resolve_and_ping_dns: (cldap) looking for realm 'EDUC-FOR.LOCAL'
get_sorted_dc_list: attempting lookup for name EDUC-FOR.LOCAL (sitename Siege)
saf_fetch: failed to find server for "EDUC-FOR.LOCAL" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up EDUC-FOR.LOCAL#1c (sitename Siege)
gencache_set_data_blob: Adding cache entry with key=[NBT/EDUC-FOR.LOCAL#1C] and timeout=[jeu. janv. 1 01:00:00 1970 CET] (-1606149379 seconds in the past)
no entry for EDUC-FOR.LOCAL#1C found.
resolve_ads: Attempting to resolve DCs for EDUC-FOR.LOCAL using DNS

Good afternoon

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland penny via samba
Sent: Sunday, 22 November 2020 16:18
To: samba at lists.samba.org
Subject: Re: [Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2

On 22/11/2020 14:42, MORILLO Jordi via samba wrote:
> Hello!
>
> I have just upgraded 40 x Samba domain member file servers from 4.11.14 to 4.13.2.
>
> - No problem with 20 x domain members that are in a unique Samba domain (only Samba DC)
>
> - But for my other domain (composed of Windows 2016 DCs), all of the 20 x Samba domain members failed to serve files after this upgrade :-/

Try installing these packages:

libpam-krb5 libpam-winbind

Rowland
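
The two `net ads testjoin -d99` traces in the message above differ in three places. As an added example (not part of the thread and not Samba's own code), this Python script flags those three anomalies in a trace; the finding names and the `implied_write_time` helper are hypothetical, and the helper assumes the logged delta is timeout minus current time with a timeout of Unix epoch 0.

```python
import re
from datetime import datetime, timezone

# Lines taken from the two traces quoted in the message above.
WORKING = '''saf_fetch: Returning "Palpatine.educ-for.local" for "EDUC-FOR.LOCAL" domain
get_dc_list: preferred server list: "Palpatine.educ-for.local, *"
name EDUC-FOR.LOCAL#1C found.'''

FAILED = '''saf_fetch: failed to find server for "EDUC-FOR.LOCAL" domain
get_dc_list: preferred server list: ", *"
gencache_set_data_blob: Adding cache entry with key=[NBT/EDUC-FOR.LOCAL#1C] and timeout=[jeu. janv. 1 01:00:00 1970 CET] (-1606149379 seconds in the past)
no entry for EDUC-FOR.LOCAL#1C found.'''

SAF_MISS = re.compile(r'saf_fetch: failed to find server for "([^"]+)" domain')
PREFERRED = re.compile(r'get_dc_list: preferred server list: "([^"]*)"')
CACHE_SET = re.compile(r'gencache_set_data_blob: Adding cache entry with key=\[([^\]]+)\] '
                       r'and timeout=\[[^\]]*\] \((-?\d+) seconds (ahead|in the past)\)')


def triage(trace):
    """Return (kind, subject, detail) tuples for DC-lookup anomalies in a trace."""
    found = []
    for line in trace.splitlines():
        if m := SAF_MISS.search(line):
            found.append(("saf_miss", m.group(1), None))
        elif m := PREFERRED.search(line):
            # In the working trace the first element is the server saf_fetch
            # returned; an empty first element means no server was remembered.
            if not m.group(1).split(",")[0].strip():
                found.append(("no_preferred_dc", None, None))
        elif m := CACHE_SET.search(line):
            delta = int(m.group(2))
            if delta < 0:  # entry stored with an expiry that had already passed
                found.append(("expired_on_write", m.group(1), delta))
    return found


def implied_write_time(delta):
    """Assumption: delta is (timeout - now) and timeout is epoch 0, as the
    1970 timestamp in the trace suggests, so the write happened at -delta."""
    return datetime.fromtimestamp(-delta, tz=timezone.utc)


if __name__ == "__main__":
    for finding in triage(FAILED):
        print(finding)
    print(implied_write_time(-1606149379).isoformat())
```

Under that assumption the entry was written at 2020-11-23 16:36:19 UTC, so the name-cache record for `EDUC-FOR.LOCAL#1C` was stored already expired.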