MORILLO Jordi
2020-Nov-23 17:37 UTC
[Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2
Hi Rowland,
Sorry to inform that none of these packages solve my problem.

But today, with some help from Tranquil.it, I have some news:

- Upgrade from 4.11.14 -> 4.12.9 is OK
- Upgrade from 4.12.9 -> 4.13.2 : problem is present with Tranquil.it AND Louis package
- Fresh install + member join with 4.13.2 is OK (Centos AND Buster packages)

Problem only occurs when upgrading member to 4.13.2 with Windows 2016 DC.
Here are some interesting parts of net ads testjoin -d99 between 4.11.14 and 4.13.2:

4.11.14 (working)
[...]
sitename_fetch: Returning sitename for realm 'EDUC-FOR.LOCAL': "Siege"
resolve_and_ping_dns: (cldap) looking for realm 'EDUC-FOR.LOCAL'
get_sorted_dc_list: attempting lookup for name EDUC-FOR.LOCAL (sitename Siege)
saf_fetch: Returning "Palpatine.educ-for.local" for "EDUC-FOR.LOCAL" domain
get_dc_list: preferred server list: "Palpatine.educ-for.local, *"
internal_resolve_name: looking up EDUC-FOR.LOCAL#1c (sitename Siege)
name EDUC-FOR.LOCAL#1C found.
[...]

4.13.2 (failed)
sitename_fetch: Returning sitename for realm 'EDUC-FOR.LOCAL': "Siege"
resolve_and_ping_dns: (cldap) looking for realm 'EDUC-FOR.LOCAL'
get_sorted_dc_list: attempting lookup for name EDUC-FOR.LOCAL (sitename Siege)
saf_fetch: failed to find server for "EDUC-FOR.LOCAL" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up EDUC-FOR.LOCAL#1c (sitename Siege)
gencache_set_data_blob: Adding cache entry with key=[NBT/EDUC-FOR.LOCAL#1C] and timeout=[jeu. janv. 1 01:00:00 1970 CET] (-1606149379 seconds in the past)
no entry for EDUC-FOR.LOCAL#1C found.
resolve_ads: Attempting to resolve DCs for EDUC-FOR.LOCAL using DNS

Good afternoon

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland penny via samba
Sent: Sunday, 22 November 2020 16:18
To: samba at lists.samba.org
Subject: Re: [Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2

On 22/11/2020 14:42, MORILLO Jordi via samba wrote:
> Hello !
>
> I have just upgraded 40 x Samba domain member file servers from 4.11.14 to 4.13.2
>
> - No problem with 20 x domain members that are in a unique Samba domain (only samba DC)
>
> - But for my other domain (composed of Windows 2016 DC), all of 20 x Samba domain members failed to serve files after this upgrade :-/

Try installing these packages:

libpam-krb5 libpam-winbind

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2020-Nov-23 18:10 UTC
[Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2
On 23/11/2020 17:37, MORILLO Jordi via samba wrote:
> Hi Rowland,
> Sorry to inform that none of these packages solve my problem.
>
> But today, with some help from Tranquil.it, I have some news:
>
> - Upgrade from 4.11.14 -> 4.12.9 is OK
> - Upgrade from 4.12.9 -> 4.13.2 : problem is present with Tranquil.it AND Louis package
> - Fresh install + member join with 4.13.2 is OK (Centos AND Buster packages)
>
> Problem only occurs when upgrading member to 4.13.2 with Windows 2016 DC.
> Here are some interesting parts of net ads testjoin -d99 between 4.11.14 and 4.13.2:
>
> 4.11.14 (working)
> [...]
> sitename_fetch: Returning sitename for realm 'EDUC-FOR.LOCAL': "Siege"
> resolve_and_ping_dns: (cldap) looking for realm 'EDUC-FOR.LOCAL'
> get_sorted_dc_list: attempting lookup for name EDUC-FOR.LOCAL (sitename Siege)
> saf_fetch: Returning "Palpatine.educ-for.local" for "EDUC-FOR.LOCAL" domain
> get_dc_list: preferred server list: "Palpatine.educ-for.local, *"
> internal_resolve_name: looking up EDUC-FOR.LOCAL#1c (sitename Siege)
> name EDUC-FOR.LOCAL#1C found.
> [...]
>
> 4.13.2 (failed)
> sitename_fetch: Returning sitename for realm 'EDUC-FOR.LOCAL': "Siege"
> resolve_and_ping_dns: (cldap) looking for realm 'EDUC-FOR.LOCAL'
> get_sorted_dc_list: attempting lookup for name EDUC-FOR.LOCAL (sitename Siege)
> saf_fetch: failed to find server for "EDUC-FOR.LOCAL" domain
> get_dc_list: preferred server list: ", *"
> internal_resolve_name: looking up EDUC-FOR.LOCAL#1c (sitename Siege)
> gencache_set_data_blob: Adding cache entry with key=[NBT/EDUC-FOR.LOCAL#1C] and timeout=[jeu. janv. 1 01:00:00 1970 CET] (-1606149379 seconds in the past)
> no entry for EDUC-FOR.LOCAL#1C found.
> resolve_ads: Attempting to resolve DCs for EDUC-FOR.LOCAL using DNS
>

Hmm, '1C' is a SMB1 thing, I wonder if the 2016 DC has SMBv1 turned off ?

It seems to be a problem that involves the 2016 DC, 4.13.2 works against an AD DC.

Rowland
MORILLO Jordi
2020-Nov-24 09:28 UTC
[Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2
Here is my last research (error at the bottom):

Working 4.11.14:
Net ads join -d99
[...]
Successfully contacted LDAP server 10.2.2.1
Opening connection to LDAP server '10.2.2.1:389', timeout 15 seconds
Initialized connection for LDAP server 'ldap://10.2.2.1:389'
Connected to LDAP server Vader.educ-for.local
ads_closest_dc: NBT_SERVER_CLOSEST flag set
saf_store: domain = [EDUC-FOR], server = [Vader.educ-for.local], expire = [1606206403]
gencache_set_data_blob: Adding cache entry with key=[SAF/DOMAIN/EDUC-FOR] and timeout=[mar. nov. 24 09:26:43 2020 CET] (900 seconds ahead)
saf_store: domain = [EDUC-FOR.LOCAL], server = [Vader.educ-for.local], expire = [1606206403]
gencache_set_data_blob: Adding cache entry with key=[SAF/DOMAIN/EDUC-FOR.LOCAL] and timeout=[mar. nov. 24 09:26:43 2020 CET] (900 seconds ahead)
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password_ext: as TEST-SMB$@EDUC-FOR.LOCAL using [MEMORY:net_ads] as ccache and config [/run/samba/smb_krb5/krb5.conf.EDUC-FOR]
kerberos_kinit_password_ext: TEST-SMB$@EDUC-FOR.LOCAL mapped to test-smb$@EDUC-FOR.LOCAL
[...]

Tcpdump capture (10.1.38.66 is member and 10.1.1.12 is DC):

No. Time Source Destination Protocol Length Info
37 1.826791 10.1.38.66 10.1.1.12 DNS 110 Standard query 0x78ea SRV _ldap._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL
38 1.827123 10.1.1.12 10.1.38.66 DNS 336 Standard query response 0x78ea SRV _ldap._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 389 yoda.educ-for.local SRV 0 100 389 palpatine.educ-for.local SRV 0 100 389 vader.educ-for.local SRV 0 100 389 Yoda.educ-for.local A 10.1.5.1 A 10.1.1.12 A 10.2.2.1 A 10.1.5.1
39 1.827353 10.1.38.66 10.1.5.1 CLDAP 140 searchRequest(29501) "<ROOT>" baseObject
40 1.827829 10.1.5.1 10.1.38.66 CLDAP 198 searchResEntry(29501) "<ROOT>" searchResDone(29501) success [1 result]
41 1.827973 10.1.38.66 10.1.1.12 DNS 114 Standard query 0xb3e0 SRV _kerberos._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL
42 1.829550 10.1.1.12 10.1.38.66 DNS 340 Standard query response 0xb3e0 SRV _kerberos._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 88 Yoda.educ-for.local SRV 0 100 88 yoda.educ-for.local SRV 0 100 88 palpatine.educ-for.local SRV 0 100 88 vader.educ-for.local A 10.1.5.1 A 10.1.5.1 A 10.1.1.12 A 10.2.2.1
43 1.829683 10.1.38.66 10.1.1.12 DNS 101 Standard query 0x722f SRV _kerberos._tcp.dc._msdcs.EDUC-FOR.LOCAL
44 1.830749 10.1.1.12 10.1.38.66 DNS 388 Standard query response 0x722f SRV _kerberos._tcp.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 88 palpatine.educ-for.local SRV 0 100 88 vader.educ-for.local SRV 0 100 88 Palpatine.educ-for.local SRV 0 100 88 Vader.educ-for.local SRV 0 100 88 yoda.educ-for.local A 10.1.1.12 A 10.2.2.1 A 10.1.1.12 A 10.2.2.1 A 10.1.5.1
45 1.830871 10.1.38.66 10.1.1.12 CLDAP 141 searchRequest(61399) "<ROOT>" baseObject
46 1.830897 10.1.38.66 10.2.2.1 CLDAP 141 searchRequest(39841) "<ROOT>" baseObject
47 1.831268 10.1.1.12 10.1.38.66 CLDAP 210 searchResEntry(61399) "<ROOT>" searchResDone(61399) success [1 result]
48 1.833024 10.2.2.1 10.1.38.66 CLDAP 202 searchResEntry(39841) "<ROOT>" searchResDone(39841) success [1 result]
49 1.833196 10.1.38.66 10.1.5.1 CLDAP 141 searchRequest(35575) "<ROOT>" baseObject
50 1.833664 10.1.5.1 10.1.38.66 CLDAP 200 searchResEntry(35575) "<ROOT>" searchResDone(35575) success [1 result]
51 1.833764 10.1.38.66 10.1.5.1 CLDAP 140 searchRequest(20088) "<ROOT>" baseObject
52 1.834848 10.1.5.1 10.1.38.66 CLDAP 198 searchResEntry(20088) "<ROOT>" searchResDone(20088) success [1 result]
53 1.834938 10.1.38.66 10.1.5.1 TCP 76 41114 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=1938060442 TSecr=0 WS=128
54 1.835864 10.1.5.1 10.1.38.66 TCP 76 389 → 41114 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=1057770336 TSecr=1938060442
55 1.835880 10.1.38.66 10.1.5.1 TCP 68 41114 → 389 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=1938060443 TSecr=1057770336
56 1.850768 10.1.38.66 10.1.5.1 LDAP 120 searchRequest(1) "<ROOT>" baseObject
57 1.851097 10.1.5.1 10.1.38.66 LDAP 157 searchResEntry(1) "<ROOT>" | searchResDone(1) success [2 results]
58 1.851109 10.1.38.66 10.1.5.1 TCP 68 41114 → 389 [ACK] Seq=53 Ack=90 Win=64256 Len=0 TSval=1938060458 TSecr=1057770351
59 1.851191 10.1.38.66 10.1.5.1 LDAP 132 searchRequest(2) "<ROOT>" baseObject
60 1.851892 10.1.5.1 10.1.38.66 LDAP 192 searchResEntry(2) "<ROOT>" | searchResDone(2) success [2 results]
61 1.851927 10.1.38.66 10.1.5.1 LDAP 94 bindRequest(3) "<ROOT>" sasl
62 1.855256 10.1.5.1 10.1.38.66 LDAP 212 bindResponse(3) saslBindInProgress

Now, here is a non-working net ads testjoin after upgrade to 4.13:
[...]
Successfully contacted LDAP server 10.1.5.1
Opening connection to LDAP server 'Yoda.educ-for.local:389', timeout 15 seconds
samba_tevent: Added timed event "tevent_req_timedout": 0x557678f5e220
Connecting to 10.1.5.1 at port 389
samba_tevent: Running timer event 0x557678f5e220 "tevent_req_timedout"
samba_tevent: Destroying timer event 0x557678f5e220 "tevent_req_timedout"
ads_connect: leaving with: Operations error
[...]
Join to domain is not valid: LDAP_OPERATIONS_ERROR

TCP dump capture (10.16.2.1 is member and 10.1.5.1 is DC)

No. Time Source Destination Protocol Length Info
2 1.277433 10.16.2.1 10.1.5.1 DNS 110 Standard query 0x82f7 SRV _ldap._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL
3 1.310064 10.1.5.1 10.16.2.1 DNS 336 Standard query response 0x82f7 SRV _ldap._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 389 vader.educ-for.local SRV 0 100 389 Yoda.educ-for.local SRV 0 100 389 yoda.educ-for.local SRV 0 100 389 palpatine.educ-for.local A 10.2.2.1 A 10.1.5.1 A 10.1.5.1 A 10.1.1.12
4 1.311705 10.16.2.1 10.1.5.1 DNS 81 Standard query 0x1c5c A Yoda.educ-for.local
5 1.343982 10.1.5.1 10.16.2.1 DNS 97 Standard query response 0x1c5c A Yoda.educ-for.local A 10.1.5.1
6 1.344418 10.16.2.1 10.1.5.1 CLDAP 140 searchRequest(15790) "<ROOT>" baseObject
7 1.376772 10.1.5.1 10.16.2.1 CLDAP 198 searchResEntry(15790) "<ROOT>" searchResDone(15790) success [1 result]
8 1.377218 10.16.2.1 10.1.5.1 DNS 114 Standard query 0xc2b5 SRV _kerberos._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL
9 1.409620 10.1.5.1 10.16.2.1 DNS 340 Standard query response 0xc2b5 SRV _kerberos._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 88 vader.educ-for.local SRV 0 100 88 Yoda.educ-for.local SRV 0 100 88 yoda.educ-for.local SRV 0 100 88 palpatine.educ-for.local A 10.2.2.1 A 10.1.5.1 A 10.1.5.1 A 10.1.1.12
10 1.410054 10.16.2.1 10.1.5.1 DNS 101 Standard query 0xa00d SRV _kerberos._tcp.dc._msdcs.EDUC-FOR.LOCAL
11 1.442408 10.1.5.1 10.16.2.1 DNS 388 Standard query response 0xa00d SRV _kerberos._tcp.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 88 vader.educ-for.local SRV 0 100 88 Palpatine.educ-for.local SRV 0 100 88 Vader.educ-for.local SRV 0 100 88 yoda.educ-for.local SRV 0 100 88 palpatine.educ-for.local A 10.2.2.1 A 10.1.1.12 A 10.2.2.1 A 10.1.5.1 A 10.1.1.12
12 1.442824 10.16.2.1 10.2.2.1 CLDAP 140 searchRequest(704) "<ROOT>" baseObject
13 1.442888 10.16.2.1 10.1.1.12 CLDAP 140 searchRequest(12667) "<ROOT>" baseObject
14 1.476010 10.2.2.1 10.16.2.1 CLDAP 200 searchResEntry(704) "<ROOT>" searchResDone(704) success [1 result]
15 1.477232 10.1.1.12 10.16.2.1 CLDAP 208 searchResEntry(12667) "<ROOT>" searchResDone(12667) success [1 result]
16 1.477668 10.16.2.1 10.1.5.1 CLDAP 140 searchRequest(17519) "<ROOT>" baseObject
17 1.510654 10.1.5.1 10.16.2.1 CLDAP 198 searchResEntry(17519) "<ROOT>" searchResDone(17519) success [1 result]
18 1.511014 10.16.2.1 10.1.5.1 CLDAP 141 searchRequest(59784) "<ROOT>" baseObject
19 1.543881 10.1.5.1 10.16.2.1 CLDAP 200 searchResEntry(59784) "<ROOT>" searchResDone(59784) success [1 result]
20 1.544268 10.16.2.1 10.1.5.1 TCP 76 34508 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=1037243691 TSecr=0 WS=128
21 1.576118 10.1.5.1 10.16.2.1 TCP 76 389 → 34508 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1420 WS=256 SACK_PERM=1 TSval=1057631497 TSecr=1037243691
22 1.576147 10.16.2.1 10.1.5.1 TCP 56 34508 → 389 [RST] Seq=1 Win=0 Len=0

I don't understand why 10.16.2.1 is sending [RST] when initializing ldap connection....

I revert back to 4.11 (or 4.12) because I don't have the skills to debug more.
I can do some more tests if someone could help me :-)

Have a nice day

Jordi

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland penny via samba
Sent: Monday, 23 November 2020 19:10
To: samba at lists.samba.org
Subject: Re: [Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2

On 23/11/2020 17:37, MORILLO Jordi via samba wrote:
> Hi Rowland,
> Sorry to inform that none of these packages solve my problem.
>
> But today, with some help from Tranquil.it, I have some news:
>
> - Upgrade from 4.11.14 -> 4.12.9 is OK
> - Upgrade from 4.12.9 -> 4.13.2 : problem is present with Tranquil.it
> AND Louis package
> - Fresh install + member join with 4.13.2 is OK (Centos AND Buster
> packages)
>
> Problem only occurs when upgrading member to 4.13.2 with Windows 2016 DC.
> Here are some interesting parts of net ads testjoin -d99 between 4.11.14 and 4.13.2:
>
> 4.11.14 (working)
> [...]
> sitename_fetch: Returning sitename for realm 'EDUC-FOR.LOCAL': "Siege"
> resolve_and_ping_dns: (cldap) looking for realm 'EDUC-FOR.LOCAL'
> get_sorted_dc_list: attempting lookup for name EDUC-FOR.LOCAL
> (sitename Siege)
> saf_fetch: Returning "Palpatine.educ-for.local" for "EDUC-FOR.LOCAL"
> domain
> get_dc_list: preferred server list: "Palpatine.educ-for.local, *"
> internal_resolve_name: looking up EDUC-FOR.LOCAL#1c (sitename Siege)
> name EDUC-FOR.LOCAL#1C found.
> [...]
>
> 4.13.2 (failed)
> sitename_fetch: Returning sitename for realm 'EDUC-FOR.LOCAL': "Siege"
> resolve_and_ping_dns: (cldap) looking for realm 'EDUC-FOR.LOCAL'
> get_sorted_dc_list: attempting lookup for name EDUC-FOR.LOCAL
> (sitename Siege)
> saf_fetch: failed to find server for "EDUC-FOR.LOCAL" domain
> get_dc_list: preferred server list: ", *"
> internal_resolve_name: looking up EDUC-FOR.LOCAL#1c (sitename Siege)
> gencache_set_data_blob: Adding cache entry with
> key=[NBT/EDUC-FOR.LOCAL#1C] and timeout=[jeu. janv. 1 01:00:00 1970 CET] (-1606149379 seconds in the past)
> no entry for EDUC-FOR.LOCAL#1C found.
> resolve_ads: Attempting to resolve DCs for EDUC-FOR.LOCAL using DNS
>

Hmm, '1C' is a SMB1 thing, I wonder if the 2016 DC has SMBv1 turned off ?

It seems to be a problem that involves the 2016 DC, 4.13.2 works against an AD DC.

Rowland
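
To check captures from other domain members for the pattern that ends the failing trace above (the member resetting its own LDAP connection right after the DC's SYN/ACK), here is an added example that is not part of the original thread. It parses a Wireshark packet-list text export; the function name `aborted_handshakes` is hypothetical and the sample rows are the thread's TCP rows with the trailing options abridged.

```python
import re

# Constructed sample: TCP rows from the two packet lists in the thread,
# trailing TCP options abridged; one non-TCP row kept in each to show skipping.
WORKING = """\
53 1.834938 10.1.38.66 10.1.5.1 TCP 76 41114 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
54 1.835864 10.1.5.1 10.1.38.66 TCP 76 389 → 41114 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
55 1.835880 10.1.38.66 10.1.5.1 TCP 68 41114 → 389 [ACK] Seq=1 Ack=1 Win=64256 Len=0
56 1.850768 10.1.38.66 10.1.5.1 LDAP 120 searchRequest(1) "<ROOT>" baseObject
"""
FAILING = """\
19 1.543881 10.1.5.1 10.16.2.1 CLDAP 200 searchResEntry(59784) "<ROOT>" searchResDone(59784) success [1 result]
20 1.544268 10.16.2.1 10.1.5.1 TCP 76 34508 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
21 1.576118 10.1.5.1 10.16.2.1 TCP 76 389 → 34508 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1420
22 1.576147 10.16.2.1 10.1.5.1 TCP 56 34508 → 389 [RST] Seq=1 Win=0 Len=0
"""

# Columns: No. Time Source Destination "TCP" Length sport <arrow> dport [FLAGS]
# The arrow is matched loosely because some exports degrade it to "?".
ROW = re.compile(
    r"^\s*\d+\s+(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sp>\d+)\s+\S+\s+(?P<dp>\d+)\s+\[(?P<flags>[A-Z, ]+)\]")

def aborted_handshakes(text, port=389):
    """Return handshakes to `port` that the initiator reset right after SYN/ACK."""
    pending = {}   # (client, client_port, server) -> [syn_time, synack_time]
    aborted = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # header, DNS, CLDAP, LDAP rows
        t, sp, dp = float(m["t"]), int(m["sp"]), int(m["dp"])
        flags = {f.strip() for f in m["flags"].split(",")}
        if dp == port:                    # member -> DC
            key = (m["src"], sp, m["dst"])
            if flags == {"SYN"}:
                pending[key] = [t, None]
            elif key in pending and pending[key][1] is not None:
                syn_t, synack_t = pending.pop(key)   # first packet after SYN/ACK
                if "RST" in flags:
                    aborted.append({
                        "client": key[0], "client_port": sp, "server": key[2],
                        "rtt_ms": round((synack_t - syn_t) * 1000, 3),
                        "rst_after_ms": round((t - synack_t) * 1000, 3)})
        elif sp == port:                  # DC -> member
            key = (m["dst"], dp, m["src"])
            if flags == {"SYN", "ACK"} and key in pending:
                pending[key][1] = t
    return aborted

if __name__ == "__main__":
    for name, capture in (("working", WORKING), ("failing", FAILING)):
        print(name, aborted_handshakes(capture))
```

On the failing sample the reset leaves the member about 0.03 ms after the SYN/ACK arrives, against a round trip of about 32 ms to the DC; the working sample yields no entries.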