Lorenzo Milesi
2022-Jul-18 08:55 UTC
[Samba] Error adding second DC over slow connection: The specified I/O operation on %hs was not completed before the time-out period expired.')
I'm trying to add a second remote DC over a VPN (and possibly a not-so-fast connection), but it fails with the following message:

ERROR(runtime): uncaught exception - (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')

I've seen the NT_STATUS_NO_LOGON_SERVERS but I cannot figure out why... kinit works on the second server.

The two servers are reachable via IP and DNS, domain lookup seems to work fine. This second server was initially a DC itself, but I removed smb.conf and /var/lib/samba and rebooted before trying the join.
On the current DC, client join works, desktop login with domain users works.

The command I'm using:

samba-tool domain join wdc.domain.it DC -U administrator --realm=WDC.DOMAIN.IT -W DOM --debuglevel=5 --option='interfaces=eth1'

The last one is because the server has multiple interfaces, and I want it to exclude eth0.

Here's the full log of the join command:

INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth1 ip=192.168.8.1 bcast=192.168.8.255 netmask=255.255.255.0
added interface eth1 ip=192.168.8.1 bcast=192.168.8.255 netmask=255.255.255.0
added interface eth1 ip=192.168.8.1 bcast=192.168.8.255 netmask=255.255.255.0
added interface eth1 ip=192.168.8.1 bcast=192.168.8.255 netmask=255.255.255.0
INFO 2022-07-18 09:53:46,127 pid:1790 /usr/lib/python3/dist-packages/samba/join.py #105: Finding a writeable DC for domain 'wdc.domain.it'
added interface eth1 ip=192.168.8.1 bcast=192.168.8.255 netmask=255.255.255.0
added interface eth1 ip=192.168.8.1 bcast=192.168.8.255 netmask=255.255.255.0
finddcs: searching for a DC by DNS domain wdc.domain.it
finddcs: looking for SRV records for _ldap._tcp.wdc.domain.it
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.wdc.domain.it<0x0>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
finddcs: DNS SRV response 0 at '192.168.1.206'
finddcs: performing CLDAP query on 192.168.1.206
finddcs: Found matching DC 192.168.1.206 with server_type=0x000013fd
INFO 2022-07-18 09:53:46,266 pid:1790 /usr/lib/python3/dist-packages/samba/join.py #107: Found DC dc-lan.wdc.domain.it
added interface eth1 ip=192.168.8.1 bcast=192.168.8.255 netmask=255.255.255.0
added interface eth1 ip=192.168.8.1 bcast=192.168.8.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dc-lan.wdc.domain.it<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [DOM\administrator]:Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 192.168.8.1
Received smb_krb5 packet of length 329
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 192.168.8.1
Received smb_krb5 packet of length 201
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Cannot reach a KDC we require in order to obtain a ticket to ldap/dc-lan.wdc.domain.it at WDC.DOMAIN.IT: Miscellaneous failure (see text): unable to reach any KDC in realm WDC.DOMAIN.IT
gensec_update_done: gssapi_krb5[0x198a0c0]: NT_STATUS_NO_LOGON_SERVERS
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/dc-lan.wdc.domain.it failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
INFO 2022-07-18 09:54:29,161 pid:1790 /usr/lib/python3/dist-packages/samba/join.py #1527: workgroup is DOM
INFO 2022-07-18 09:54:29,162 pid:1790 /usr/lib/python3/dist-packages/samba/join.py #1530: realm is wdc.domain.it
Using binding ncacn_ip_tcp:dc-lan.wdc.domain.it[,seal]
Mapped to DCERPC endpoint 135
added interface eth1 ip=192.168.8.1 bcast=192.168.8.255 netmask=255.255.255.0
added interface eth1 ip=192.168.8.1 bcast=192.168.8.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dc-lan.wdc.domain.it<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Mapped to DCERPC endpoint 49153
added interface eth1 ip=192.168.8.1 bcast=192.168.8.255 netmask=255.255.255.0
added interface eth1 ip=192.168.8.1 bcast=192.168.8.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dc-lan.wdc.domain.it<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for Administrator at WDC.DOMAIN.IT will expire in 35963 secs
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Cannot reach a KDC we require in order to obtain a ticket to ldap/DC-LAN.WDC.DOMAIN.IT at WDC.DOMAIN.IT: Miscellaneous failure (see text): unable to reach any KDC in realm WDC.DOMAIN.IT
gensec_update_done: gssapi_krb5[0x19d8250]: NT_STATUS_NO_LOGON_SERVERS
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/DC-LAN.WDC.DOMAIN.IT failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH

[ ** NOTE: here the command gets stuck for ~30s ** ]

tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.tdb: No such file or directory
Could not open tdb: No such file or directory
ldb: ltdb: tdb(/var/lib/samba/private/secrets.ldb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.ldb: No such file or directory
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not open secrets.ldb and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(runtime): uncaught exception - (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 698, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1543, in join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1431, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 667, in join_add_objects
    ctx.join_add_ntdsdsa()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 592, in join_add_ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/lib/python3/dist-packages/samba/join.py", line 516, in DsAddEntry
    (level, ctr) = ctx.drsuapi.DsAddEntry(ctx.drsuapi_handle, 2, req2)
Adding CN=DC-CONTABO,OU=Domain Controllers,DC=wdc,DC=domain,DC=it
Adding CN=DC-CONTABO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wdc,DC=domain,DC=it
Adding CN=NTDS Settings,CN=DC-CONTABO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wdc,DC=domain,DC=it
Join failed - cleaning up
Deleted CN=DC-CONTABO,OU=Domain Controllers,DC=wdc,DC=domain,DC=it
Deleted CN=DC-CONTABO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wdc,DC=domain,DC=it


Debug info on the FIRST SERVER:
Config collected --- 2022-07-18-10:02 -----------

Hostname: dc-lan
DNS Domain: wdc.domain.it
Realm: WDC.DOMAIN.IT
FQDN: dc-lan.wdc.domain.it
ipaddress: 192.168.1.206

-----------

This computer is running Ubuntu 20.04.4 LTS x86_64

-----------

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 6e:03:dc:d8:bb:0f brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.206/24 brd 192.168.1.255 scope global ens18
    inet6 fe80::6c03:dcff:fed8:bb0f/64 scope link

-----------

Checking file: /etc/hosts

127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

192.168.1.206 dc-lan.wdc.domain.it dc-lan

-----------

Checking file: /etc/resolv.conf

nameserver 127.0.0.1
nameserver 192.168.1.1
search wdc.domain.it

-----------

Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok, sample output:
Server: 127.0.0.1
Address: 127.0.0.1#53

_kerberos._tcp.wdc.domain.it service = 0 100 88 dc-lan.wdc.domain.it.

-----------

'kinit Administrator' checked successfully.

-----------

Samba is running as an AD DC

-----------

Checking file: /etc/krb5.conf

[libdefaults]
default_realm = WDC.DOMAIN.IT
dns_lookup_kdc = true
dns_lookup_realm = false

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files systemd
group: files systemd
shadow: files
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

-----------

Checking file: /etc/samba/smb.conf

# Global parameters
[global]
dns forwarder = 1.1.1.1
netbios name = DC-LAN
realm = WDC.DOMAIN.IT
server role = active directory domain controller
workgroup = DOM

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/wdc.domain.it/scripts
read only = No

-----------

This DC is not being used as a fileserver
BIND_DLZ not detected in smb.conf

-----------

This is the DC with the PDC Emulator role and time is: 2022-07-18T10:02:11

-----------

Installed packages:
ii attr 1:2.4.48-5 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6ubuntu1 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-6ubuntu4.1 all internationalization support for MIT Kerberos
ii krb5-user 1.17-6ubuntu4.1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-6 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-5 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.7.0+dfsg-1ubuntu1 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba nameservice integration plugins
ii libsmbclient:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba winbind client library
ii python3-attr 19.3.0-2 all Attributes without boilerplate (Python 3)
ii python3-nacl 1.3.0-5 amd64 Python bindings to libsodium (Python 3)
ii python3-samba 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Python 3 bindings for Samba
ii samba 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.15.7~dfsg-0ubuntu0~20.04 all common files used by both the Samba server and client
ii samba-common-bin 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 service to resolve user and group information from Windows NT servers

-----------


Debug info on the SECOND server:
Config collected --- 2022-07-18-10:00 -----------

Hostname: dc-contabo
DNS Domain: wdc.domain.it
Realm: WDC.DOMAIN.IT
FQDN: dc-contabo.wdc.domain.it
ipaddress: 75.119.1.2 192.168.8.1 10.8.0.1 10.9.0.2

-----------

This computer is running Ubuntu 20.04.4 LTS x86_64

-----------

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:46:2e:11 brd ff:ff:ff:ff:ff:ff
    inet 75.119.1.2/19 brd 75.119.159.255 scope global eth0
    inet6 fe80::250:56ff:fe46:2e11/64 scope link
3: eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether ba:25:80:99:69:d3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.1/24 brd 192.168.8.255 scope global eth1
    inet6 fe80::b825:80ff:fe99:69d3/64 scope link
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
5: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.9.0.2/24 brd 10.9.0.255 scope global tun1

-----------

Checking file: /etc/hosts

127.0.0.1 localhost
192.168.8.1 dc-contabo.wdc.domain.it dc-contabo

-----------

Checking file: /etc/resolv.conf

search wdc.domain.it
nameserver 192.168.1.206
nameserver 192.168.8.1
nameserver 1.0.0.1

-----------

Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok, sample output:
Server: 192.168.1.206
Address: 192.168.1.206#53

_kerberos._tcp.wdc.domain.it service = 0 100 88 dc-lan.wdc.domain.it.

-----------

'kinit Administrator' checked successfully.

-----------

Samba is not being run as a DC or a Unix domain member.

-----------

Checking file: /etc/krb5.conf

[libdefaults]
default_realm = WDC.DOMAIN.IT
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]
WDC.DOMAIN.IT = {
kdc = 192.168.8.1
kdc = 192.168.1.206
}

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files systemd
group: files systemd
shadow: files
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

-----------

Time on the DC with PDC Emulator role is: 2022-07-18T10:02:14

Time on this computer is: 2022-07-18T10:02:14

Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds

-----------

Installed packages:
ii attr 1:2.4.48-5 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6ubuntu1 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-6ubuntu4.1 all internationalization support for MIT Kerberos
ii krb5-user 1.17-6ubuntu4.1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-6 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-5 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.7.0+dfsg-1ubuntu1 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba nameservice integration plugins
ii libsmbclient:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba winbind client library
ii python3-nacl 1.3.0-5 amd64 Python bindings to libsodium (Python 3)
ii python3-samba 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Python 3 bindings for Samba
ii samba 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.15.7~dfsg-0ubuntu0~20.04 all common files used by both the Samba server and client
ii samba-common-bin 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 service to resolve user and group information from Windows NT servers

-----------

Rowland Penny
2022-Jul-18 10:22 UTC
[Samba] Error adding second DC over slow connection: The specified I/O operation on %hs was not completed before the time-out period expired.')
On Mon, 2022-07-18 at 10:55 +0200, Lorenzo Milesi via samba wrote:
> I'm trying to add a second remote DC over a VPN (and possibly a not-
> so-fast connection), but it fails with the following message:
> ERROR(runtime): uncaught exception - (3221225653, '{Device Timeout}
> The specified I/O operation on %hs was not completed before the time-
> out period expired.')
>
> I've seen the NT_STATUS_NO_LOGON_SERVERS but I cannot figure out
> why... kinit works on the second server.
>
>
> Debug info on the FIRST SERVER:
> Config collected --- 2022-07-18-10:02 -----------
>
> Hostname: dc-lan
> DNS Domain: wdc.domain.it
> Realm: WDC.DOMAIN.IT
> FQDN: dc-lan.wdc.domain.it
> ipaddress: 192.168.1.206
>
> -----------
>
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 192.168.1.206 dc-lan.wdc.domain.it dc-lan
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> nameserver 127.0.0.1
> nameserver 192.168.1.1

Your nameservers are incorrect, you do not use '127.0.0.1', you should be using '192.168.1.206' and the second nameserver is really useless, if something goes wrong with Samba, you certainly do not want it asking something else.

> search wdc.domain.it
>
> -----------
>
> Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok,
> sample output:
> Server: 127.0.0.1
> Address: 127.0.0.1#53

That is an artefact of using '127.0.0.1' as the first nameserver.

>
> _kerberos._tcp.wdc.domain.it service = 0 100 88 dc-
> lan.wdc.domain.it.
>
> -----------
>
>
>
> -----------
>
>
> Debug info on the SECOND server:
> Config collected --- 2022-07-18-10:00 -----------
>
> Hostname: dc-contabo
> DNS Domain: wdc.domain.it
> Realm: WDC.DOMAIN.IT
> FQDN: dc-contabo.wdc.domain.it
> ipaddress: 75.119.1.2 192.168.8.1 10.8.0.1 10.9.0.2
>
> -----------
>
>
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 192.168.8.1 dc-contabo.wdc.domain.it dc-contabo
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> search wdc.domain.it
> nameserver 192.168.1.206
> nameserver 192.168.8.1
> nameserver 1.0.0.1
>
> -----------
>
> Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok,
> sample output:
> Server: 192.168.1.206
> Address: 192.168.1.206#53
>
> _kerberos._tcp.wdc.domain.it service = 0 100 88 dc-
> lan.wdc.domain.it.
>
> -----------
>
>
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = WDC.DOMAIN.IT
> dns_lookup_kdc = false
> dns_lookup_realm = false
> [realms]
> WDC.DOMAIN.IT = {
> kdc = 192.168.8.1
> kdc = 192.168.1.206
> }
>

You got it right on the first DC, just copy the krb5.conf from the first DC to the second DC.

Rowland
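
Added example (not part of either message and not Samba code): a small Python check that applies the two corrections from the reply above to the resolv.conf and krb5.conf contents posted in the thread. The function names are hypothetical, and treating every extra nameserver or static kdc entry as a finding is an assumption drawn from the reply's advice.

```python
import ipaddress

# File contents as posted in the thread's debug output.
DC1_RESOLV = "nameserver 127.0.0.1\nnameserver 192.168.1.1\nsearch wdc.domain.it\n"
DC1_KRB5 = """[libdefaults]
default_realm = WDC.DOMAIN.IT
dns_lookup_kdc = true
dns_lookup_realm = false
"""
DC2_KRB5 = """[libdefaults]
default_realm = WDC.DOMAIN.IT
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]
WDC.DOMAIN.IT = {
kdc = 192.168.8.1
kdc = 192.168.1.206
}
"""
TRUE_VALUES = {"true", "yes", "on", "1", "y", "t"}

def nameservers(resolv_text):
    """Return the nameserver addresses of a resolv.conf, in file order."""
    found = []
    for line in resolv_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found

def check_dc_resolv(resolv_text, dc_ip):
    """Findings for an existing DC, which should resolve only via its own LAN IP."""
    servers, findings = nameservers(resolv_text), []
    for ns in servers:
        if ipaddress.ip_address(ns).is_loopback:
            findings.append(f"nameserver {ns}: loopback, use {dc_ip}")
        elif ns != dc_ip:
            findings.append(f"nameserver {ns}: not this DC, remove")
    if dc_ip not in servers:
        findings.append(f"nameserver {dc_ip} missing")
    return findings

def parse_krb5(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.conf text."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section, realm = line.strip("[]").lower(), None
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "realms" and value == "{":
                realm = key
                realms[realm] = []
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(value)
            elif section == "libdefaults":
                libdefaults[key] = value
    return libdefaults, realms

def check_join_krb5(krb5_text, realm, local_ips=()):
    """Findings for the joining host, measured against the first DC's krb5.conf."""
    libdefaults, realms = parse_krb5(krb5_text)
    findings = []
    if libdefaults.get("default_realm") != realm:
        findings.append(f"default_realm is not {realm}")
    # An absent dns_lookup_kdc is left to the library default and not flagged.
    if libdefaults.get("dns_lookup_kdc", "true").lower() not in TRUE_VALUES:
        findings.append("dns_lookup_kdc is not true")
    for name, kdcs in realms.items():
        for kdc in kdcs:
            kind = "this host, not a DC before the join" if kdc in local_ips else "static entry"
            findings.append(f"[realms] {name}: kdc = {kdc} ({kind})")
    return findings

if __name__ == "__main__":
    for finding in (check_dc_resolv(DC1_RESOLV, "192.168.1.206")
                    + check_join_krb5(DC2_KRB5, "WDC.DOMAIN.IT", ("192.168.8.1",))):
        print(finding)
```

Run against the second server's file, the first kdc entry is flagged as the host's own address, which is the address the join log reports NT_STATUS_CONNECTION_REFUSED from.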