Jonathan Neuhauser
2022-Jul-11 12:34 UTC
[Samba] name resolve order parameter for security=ads
Dear Rowland,

I had one more idea where my setup might be different from yours - our domain uses disjoint namespaces, i.e. my PC is "hostname.subdomain.example.org", while the domain is located at "example.org".

Anyway, here's the debug info you requested, with relevant parts replaced (I hope consistently so):

Config collected --- 2022-07-11-11:25

-----------

Hostname:   hostname
DNS Domain: subdomain.example.org
Realm:      SUBDOMAIN.EXAMPLE.ORG
FQDN:       hostname.subdomain.example.org
ipaddress:  <my.static.ipv4.address> 172.17.0.1 <my.temporary.ipv6.address> <my.static.ipv6.address>

-----------

This computer is running Ubuntu 20.04.4 LTS x86_64

-----------

running command : ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether <my:mac:address> brd ff:ff:ff:ff:ff:ff
    inet <my.static.ipv4.address>/26 brd <my.subnet.broadcast.address> scope global dynamic noprefixroute enp4s0
       valid_lft 2906sec preferred_lft 2906sec
    inet6 <my.temporary.ipv6.address>/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 2591940sec preferred_lft 604740sec
    inet6 <my.static.ipv6.address>/64 scope global dynamic noprefixroute
       valid_lft 2591940sec preferred_lft 604740sec
    inet6 fe80::785b:6c9a:15e2:1646/64 scope link noprefixroute
    inet6 fe80::f22f:74ff:fe1e:32c8/64 scope link noprefixroute

-----------

Checking file: /etc/hosts

127.0.0.1   localhost
<my.static.ipv4.address> hostname.subdomain.example.org hostname.subdomain.example.org hostname hostname

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

-----------

Checking file: /etc/resolv.conf

# Generated by resolvconf
domain subdomain.example.org
<here, the DNS resolvers of my domain are listed, which are set by DHCP>

-----------

WARNING: 'kinit Administrator' will fail, you need to fix this.
Unable to verify DNS kerberos._tcp SRV records

-----------

'kinit Administrator' password checked failed.
Wrong password or kerberos REALM problems.

-----------

Samba is running as a Unix domain member

-----------

Checking file: /etc/krb5.conf

[libdefaults]
  default_realm = EXAMPLE.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = true

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       files
sudoers:        files

-----------

Checking file: /etc/samba/smb.conf

[global]
  # Logging options
  debug level = 3
  log file = /var/log/samba/log.%m
  max log size = 1000
  logging = file
  panic action = /usr/share/samba/panic-action %d

  # domain settings
  security = ADS
  workgroup = EXAMPLE
  ntlm auth = no
  pam password change = no
  map to guest = bad user

  # Winbind
  idmap config *   : backend = tdb
  idmap config *   : range = 3000 - 7999
  idmap config EXAMPLE : backend = ad
  idmap config EXAMPLE : range = 8000 - 9999999
  idmap config EXAMPLE : unix_nss_info = yes
  idmap config EXAMPLE : schema_mode = rfc2307
  idmap config EXAMPLE : unix_primary_group = yes

  winbind nss info = rfc2307
  # This parameter controls whether groups should be filled with usernames, which is slow (sequential request for each group). It is not needed to evaluate group memberships, so we disable it.
  winbind expand groups = 0
  winbind use default domain = yes
  winbind refresh tickets = yes
  winbind offline logon = yes
  winbind enum groups = yes
  winbind enum users = yes
  # this doesn't work, since we allow offline logon (for which this parameter is disabled)
  # winbind max domain connections = 10
  # Kerberos
  kerberos method = system keytab
  realm = EXAMPLE.ORG
  template homedir = /home/ws/%U
  template shell = /bin/bash
  # include this file where we define shares (via ansible)
  include = /etc/samba/shares.conf

-----------

Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts

-----------

Checking file: /etc/idmapd.conf

[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

-----------

This Unix domain member is using 'winbind' in /etc/nsswitch.conf.

-----------

Time on the DC with PDC Emulator role is: 2022-07-11T11:25:40
Time on this computer is:                 2022-07-11T11:25:40
Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds

-----------

Installed packages:

ii  acl                        2.2.53-6                          amd64  access control list - utilities
ii  attr                       1:2.4.48-5                        amd64  utilities for manipulating filesystem extended attributes
ii  fonts-quicksand            0.2016-2                          all    sans-serif font with round attributes
ii  kde-spectacle              19.12.3-1ubuntu1                  amd64  Screenshot capture utility
ii  krb5-config                2.6ubuntu1                        all    Configuration files for Kerberos Version 5
ii  krb5-locales               1.17-6ubuntu4.1                   all    internationalization support for MIT Kerberos
ii  krb5-user                  1.17-6ubuntu4.1                   amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64              2.2.53-6                          amd64  access control list - shared library
ii  libattr1:amd64             1:2.4.48-5                        amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64     1.17-6ubuntu4.1                   amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64   7.7.0+dfsg-1ubuntu1               amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64            1.17-6ubuntu4.1                   amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64      1.17-6ubuntu4.1                   amd64  MIT Kerberos runtime libraries - Support library
ii  libnfs13:amd64             4.0.0-1                           amd64  NFS client library (shared library)
ii  libnfsidmap2:amd64         0.25-5.1ubuntu1                   amd64  NFS idmapping library
ii  libnss-winbind:amd64       2:4.13.17~dfsg-0ubuntu0.21.04.2   amd64  Samba nameservice integration plugins
ii  libpam-krb5:amd64          4.8-2ubuntu1                      amd64  PAM module for MIT Kerberos
ii  libpam-winbind:amd64       2:4.13.17~dfsg-0ubuntu0.21.04.2   amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64         2:4.13.17~dfsg-0ubuntu0.21.04.2   amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64         2:4.13.17~dfsg-0ubuntu0.21.04.2   amd64  Samba winbind client library
ii  nfs-common                 1:1.3.4-2.5ubuntu3.4              amd64  NFS support files common to client and server
ii  nfs-kernel-server          1:1.3.4-2.5ubuntu3.4              amd64  support for NFS kernel server
ii  python3-attr               19.3.0-2                          all    Attributes without boilerplate (Python 3)
ii  python3-nacl               1.3.0-5                           amd64  Python bindings to libsodium (Python 3)
ii  python3-samba              2:4.13.17~dfsg-0ubuntu0.21.04.2   amd64  Python 3 bindings for Samba
ii  samba                      2:4.13.17~dfsg-0ubuntu0.21.04.2   amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common               2:4.13.17~dfsg-0ubuntu0.21.04.2   all    common files used by both the Samba server and client
ii  samba-common-bin           2:4.13.17~dfsg-0ubuntu0.21.04.2   amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64   2:4.13.17~dfsg-0ubuntu0.21.04.2   amd64  Samba Directory Services Database
ii  samba-libs:amd64           2:4.13.17~dfsg-0ubuntu0.21.04.2   amd64  Samba core libraries
ii  samba-vfs-modules:amd64    2:4.13.17~dfsg-0ubuntu0.21.04.2   amd64  Samba Virtual FileSystem plugins
ii  smbclient                  2:4.13.17~dfsg-0ubuntu0.21.04.2   amd64  command-line SMB/CIFS clients for Unix
ii  sssd-krb5                  2.2.3-3ubuntu0.8                  amd64  System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common           2.2.3-3ubuntu0.8                  amd64  System Security Services Daemon -- Kerberos helpers
ii  vlc-plugin-samba:amd64     3.0.9.2-1                         amd64  Samba plugin for VLC
ii  winbind                    2:4.13.17~dfsg-0ubuntu0.21.04.2   amd64  service to resolve user and group information from Windows NT servers

-----------

Thanks in advance,
Jonathan

On 11.07.22 11:21, Rowland Penny via samba wrote:
> On Mon, 2022-07-11 at 10:17 +0200, Jonathan Neuhauser via samba wrote:
>> Dear Rowland,
>>
>> thanks for your response! I've tried your krb5.conf without better
>> results. However I noticed that this time after enabling "name
>> resolve order = wins bcast" and restarting winbind, the error doesn't
>> occur immediately, but requires a restart of the machine (however
>> afterwards, the errors are the same as in my original email). Does this
>> make a difference for you?
>>
>> Jonathan
> I am running Linux Mint LMDE 5 in a VM, just fully updated it (so Samba
> is probably very similar to your 4.13.17) and it still works.
>
> Can you go here:
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Download the script and run it on your Samba server, post the output
> here in a reply to this, do not attach it, this list strips
> attachments.
>
> Rowland

-- 
Karlsruhe Institute of Technology (KIT)
Institute of Fluid Mechanics (ISTM)

Jonathan Neuhauser MSc.
Scientific Staff

Kaiserstr. 10
76131 Karlsruhe
E-mail: neuhauser@kit.edu
Web: www.istm.kit.edu

Registered office: Kaiserstraße 12, 76131 Karlsruhe, Germany
KIT - The Research University in the Helmholtz Association
On Mon, 2022-07-11 at 14:34 +0200, Jonathan Neuhauser via samba wrote:
> Dear Rowland,
>
> I had one more idea where my setup might be different from yours - our
> domain uses disjoint namespaces, i.e. my PC is
> "hostname.subdomain.example.org", while the domain is located at
> "example.org".

You have found your problem, Samba (at this time) does not do
subdomains. You should have set up a new AD domain using
'subdomain.example.org' as the dns domain (and the REALM in uppercase)
and then used trusts between the two AD domains.

> Anyway, here's the debug info you requested, with
> relevant parts replaced (I hope consistently so):
>
> Config collected --- 2022-07-11-11:25 -----------
>
> Hostname: hostname
> DNS Domain: subdomain.example.org
> Realm: SUBDOMAIN.EXAMPLE.ORG
> FQDN: hostname.subdomain.example.org
> ipaddress: <my.static.ipv4.address> 172.17.0.1
> <my.temporary.ipv6.address> <my.static.ipv6.address>
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # Generated by resolvconf
> domain subdomain.example.org
> <here, the DNS resolvers of my domain are listed, which are set by
> DHCP>

Yes, but are they in the 'subdomain.example.org' dns domain or in the
'example.org' dns domain ?

>
> -----------
>
> WARNING: 'kinit Administrator' will fail, you need to fix this.
> Unable to verify DNS kerberos._tcp SRV records
>
> -----------
>
> 'kinit Administrator' password checked failed.
> Wrong password or kerberos REALM problems.

Sort of says it all.

>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = EXAMPLE.ORG

Wrong realm.

> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> [global]
> # Logging options
> debug level = 3
> log file = /var/log/samba/log.%m
> max log size = 1000
> logging = file
> panic action = /usr/share/samba/panic-action %d
>
> # domain settings
> security = ADS
> workgroup = EXAMPLE
> ntlm auth = no
> pam password change = no
> map to guest = bad user
>
> # Winbind
> idmap config * : backend = tdb
> idmap config * : range = 3000 - 7999
> idmap config EXAMPLE : backend = ad
> idmap config EXAMPLE : range = 8000 - 9999999
> idmap config EXAMPLE : unix_nss_info = yes
> idmap config EXAMPLE : schema_mode = rfc2307
> idmap config EXAMPLE : unix_primary_group = yes
>
> winbind nss info = rfc2307
> # This parameter controls whether groups should be filled with
> usernames, which is slow (sequential request for each group). It is
> not
> needed to evaluate group memberships, so we disable it.
> winbind expand groups = 0
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = yes
> winbind enum users = yes
> # this doesn't work, since we allow offline logon (for which this
> parameter is disabled)
> # winbind max domain connections = 10
> # Kerberos
> kerberos method = system keytab
> realm = EXAMPLE.ORG

Yes, but your realm should be 'SUBDOMAIN.EXAMPLE.ORG'

Rowland
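The diagnosis in this thread comes down to three things that have to agree on a Samba AD domain member: the `realm` in smb.conf, the `default_realm` in krb5.conf, and the DNS domain the host actually sits in (plus the `_kerberos._tcp` SRV records the debug script could not find). The script below is an added example, not code from the thread or from the Samba project, that parses the two config files and reports exactly those mismatches. The sample configs are constructed from the values quoted in the post (with the poster's `hostname`, `subdomain.example.org` and `EXAMPLE.ORG` placeholders); the function names, the finding codes and the `dig`-based SRV lookup helper are this example's own assumptions.

```python
"""
Consistency checks for a Samba AD domain member (example code, not from the
thread or the Samba project). Reports the mismatches the thread turned on:
krb5.conf default_realm vs. smb.conf realm, a host FQDN outside the realm's
DNS domain (disjoint namespace), and no KDC SRV records for the realm.
"""
import re
import subprocess

# Sample inputs, constructed from the values quoted in the post; the
# hostname/subdomain/example.org names are the poster's placeholders.
SAMPLE_FQDN = "hostname.subdomain.example.org"

SAMPLE_SMB_CONF = """
[global]
  # domain settings
  security = ADS
  workgroup = EXAMPLE
  ntlm auth = no
  # Winbind
  idmap config * : backend = tdb
  idmap config * : range = 3000 - 7999
  idmap config EXAMPLE : backend = ad
  idmap config EXAMPLE : range = 8000 - 9999999
  # Kerberos
  kerberos method = system keytab
  realm = EXAMPLE.ORG
"""

SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = true
"""


def parse_ini(text):
    """Minimal 'section / key = value' parser.

    Hand-written because smb.conf keys such as 'idmap config * : backend'
    contain ':' and configparser would split on it. Keys are lower-cased and
    their internal whitespace collapsed so lookups do not depend on layout.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf


def kdc_srv_names(realm):
    """DNS names MIT Kerberos queries for a KDC when dns_lookup_kdc is on."""
    return [f"_kerberos._{proto}.{realm.lower()}" for proto in ("udp", "tcp")]


def lookup_srv(name):
    """Live SRV lookup through 'dig +short SRV'; returns the target hosts.

    Only for feeding check_member() real data on a member; the offline
    checks never call it. Returns [] when dig is missing or finds nothing.
    """
    try:
        out = subprocess.run(["dig", "+short", "SRV", name],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return []
    # dig +short prints one "<prio> <weight> <port> <target>." line per record
    rows = (line.split() for line in out.splitlines())
    return [fields[3] for fields in rows if len(fields) == 4]


def check_member(fqdn, smb_conf_text, krb5_conf_text, kdc_srv_targets):
    """Return a list of (code, message) findings; [] means everything agrees.

    kdc_srv_targets is the SRV result for the realm (pass [] for "none found").
    """
    smb = parse_ini(smb_conf_text).get("global", {})
    krb = parse_ini(krb5_conf_text).get("libdefaults", {})
    findings = []

    realm = smb.get("realm", "").upper()
    default_realm = krb.get("default_realm", "").upper()
    host_domain = fqdn.split(".", 1)[1].lower() if "." in fqdn else ""

    if smb.get("security", "").lower() != "ads":
        findings.append(("NOT_ADS", "security = ADS is required for an AD domain member"))
    if not realm:
        findings.append(("NO_REALM", "smb.conf has no 'realm' setting"))
    if realm and default_realm and default_realm != realm:
        findings.append(("REALM_MISMATCH",
                         f"krb5.conf default_realm {default_realm} != smb.conf realm {realm}"))
    if realm and host_domain != realm.lower():
        findings.append(("DISJOINT_NAMESPACE",
                         f"host DNS domain '{host_domain}' is not the realm's DNS "
                         f"domain '{realm.lower()}'"))
    # MIT krb5 defaults dns_lookup_kdc to true, so treat a missing key as on
    if realm and krb.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1") \
            and not kdc_srv_targets:
        findings.append(("NO_KDC_SRV",
                         f"no KDC found via {', '.join(kdc_srv_names(realm))}; "
                         "kinit will fail as the debug script warned"))
    return findings


if __name__ == "__main__":
    for code, msg in check_member(SAMPLE_FQDN, SAMPLE_SMB_CONF, SAMPLE_KRB5_CONF, []):
        print(f"{code}: {msg}")
```

Run against the poster's values it flags `DISJOINT_NAMESPACE` and `NO_KDC_SRV`; with the host moved into `example.org` and a non-empty SRV answer it reports nothing. On a real member, replace the sample strings with the contents of `/etc/samba/smb.conf` and `/etc/krb5.conf`, pass `socket.getfqdn()` and `lookup_srv(kdc_srv_names(realm)[1])`, and run it before `net ads join` so the realm and DNS questions Rowland asked are answered up front.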