Stefan G. Weichinger
2022-Nov-24 09:32 UTC
[Samba] accidentally upgraded DC to 4.17.3 ... didn't work
On 24.11.22 at 10:01, Michael Tokarev wrote:
> 24.11.2022 11:46, Stefan G. Weichinger via samba wrote:
>
>> Hm, I see it in ps:
>>
>> # ps axf | egrep "winbindd"
>>  5281 pts/0    S+     0:00          \_ grep -E winbindd
>>  5153 ?        S      0:00  |   \_ samba: task[winbindd] pre-fork master
>>  5159 ?        Ss     0:00  |           \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>>  5186 ?        S      0:00  |               \_ winbindd: domain child [ARBEITSGRUPPE]
>
> There's no idmap child in there. There should be 3 of them
> (also domain child [builtin]);

It gets even stranger:

now the processes are there:

# ps axf | egrep "winbindd"
 6516 pts/0    S+     0:00      |   \_ grep -E winbindd
 5960 ?        S      0:00  |   \_ samba: task[winbindd] pre-fork master
 5967 ?        Ss     0:03  |           \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
 5986 ?        S      0:00  |               \_ winbindd: domain child [ARBEITSGRUPPE]
 6311 ?        S      0:00  |               \_ winbindd: domain child [BUILTIN]
 6312 ?        S      0:00  |               \_ winbindd: idmap child

# tail log.samba
[2022/11/24 10:30:01.604138,  2] ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
  Got a dns update request.
[2022/11/24 10:30:01.604970,  2] ../../source4/dns_server/dns_update.c:781(dns_update_allowed)
  Update not allowed for unsigned packet.
[2022/11/24 10:30:01.629463,  1] ../../source4/auth/gensec/gensec_gssapi.c:791(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2022/11/24 10:30:01.629577,  1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: gssapi_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
[2022/11/24 10:30:01.629641,  1] ../../source4/dns_server/dns_query.c:888(handle_tkey)
  GSS key negotiation returned NT_STATUS_LOGON_FAILURE

# log.winbindd-idmap
[2022/11/24 10:17:33.421300,  4] ../../source3/winbindd/winbindd_dual.c:1641(child_handler)
  Finished processing child request 55
[2022/11/24 10:17:33.423146,  4] ../../source3/winbindd/winbindd_dual.c:1633(child_handler)
  child daemon request 55
[2022/11/24 10:17:33.423173,  4] ../../source3/winbindd/winbindd_dual.c:1641(child_handler)
  Finished processing child request 55
[2022/11/24 10:17:33.424572,  4] ../../source3/winbindd/winbindd_dual.c:1633(child_handler)
  child daemon request 55
[2022/11/24 10:17:33.424593,  4] ../../source3/winbindd/winbindd_dual.c:1641(child_handler)
  Finished processing child request 55
[2022/11/24 10:17:33.426483,  4] ../../source3/winbindd/winbindd_dual.c:1633(child_handler)
  child daemon request 55
[2022/11/24 10:17:33.426511,  4] ../../source3/winbindd/winbindd_dual.c:1641(child_handler)
  Finished processing child request 55

# tail log.wb-ARBEITSGRUPPE
[2022/11/24 10:29:55.915181,  3] ../../source3/winbindd/winbindd_samr.c:613(sam_name_to_sid)
  sam_name_to_sid: ARBEITSGRUPPE\POSTFIX
[2022/11/24 10:29:55.915625,  4] ../../source3/winbindd/winbindd_dual.c:1641(child_handler)
  Finished processing child request 55
[2022/11/24 10:29:55.917674,  4] ../../source3/winbindd/winbindd_dual.c:1633(child_handler)
  child daemon request 55
[2022/11/24 10:29:55.917737,  3] ../../source3/winbindd/winbindd_samr.c:613(sam_name_to_sid)
  sam_name_to_sid: ARBEITSGRUPPE\MONIT
[2022/11/24 10:29:55.918105,  4] ../../source3/winbindd/winbindd_dual.c:1641(child_handler)
  Finished processing child request 55

# tail log.winbindd
[2022/11/24 10:31:40.400440,  3] ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
  [nss_winbind (3886)] Winbind external command GETPWNAM start.
  Query username '*'.
[2022/11/24 10:31:40.400457,  5] ../../source3/winbindd/wb_lookupname.c:52(wb_lookupname_send)
  WB command lookupname start.
  Search namespace 'ARBEITSGRUPPE' and domain 'ARBEITSGRUPPE' for name '*'.
[2022/11/24 10:31:40.409343,  1] ../../source3/winbindd/winbindd_getpwnam.c:142(winbindd_getpwnam_recv)
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2022/11/24 10:31:40.409373,  3] ../../source3/winbindd/winbindd.c:563(process_request_done)
  process_request_done: [nss_winbind(3886):GETPWNAM]: NT_STATUS_NONE_MAPPED

# wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret

I might have to restart samba-ad-dc.service, but wait for feedback ...
Stefan G. Weichinger
2022-Nov-24 10:12 UTC
[Samba] accidentally upgraded DC to 4.17.3 ... didn't work
On 24.11.22 at 10:32, Stefan G. Weichinger via samba wrote:
> I might have to restart samba-ad-dc.service, but wait for feedback ...

couldn't wait anymore

restarting didn't help

decided to stop, demote adc1 from adc2 (offline demote) because online demoting fails:

root@adc1:~# samba-tool domain demote -U Administrator
Using adc2.arbeitsgruppe.my.tld as partner server for the demotion
Password for [ARBEITSGRUPPE\Administrator]:
Deactivating inbound replication
Asking partner server adc2.arbeitsgruppe.my.tld to synchronize from us
Error while replicating out last local changes from 'CN=Schema,CN=Configuration,DC=arbeitsgruppe,DC=ikw-amstetten,DC=at' for demotion, re-enabling inbound replication
ERROR(<class 'samba.WERRORError'>): Error while sending a DsReplicaSync for partition 'CN=Schema,CN=Configuration,DC=arbeitsgruppe,DC=ikw-amstetten,DC=at' - (31, 'WERR_GEN_FAILURE')
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 860, in run
    drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1)

join succeeded, winbind still failing after that.

initially replication seems to work but fails soon after starting adc1

Maybe I have something wrong in AD now, some wrong objects or so?

"dbcheck" lists old components for ADC1, but no errors.

Help appreciated ...
Michael Tokarev
2022-Nov-24 11:14 UTC
[Samba] accidentally upgraded DC to 4.17.3 ... didn't work
[Stefan, I was afk for quite some time, now back just briefly]

24.11.2022 12:32, Stefan G. Weichinger wrote:
> now the processes are there:
>
> # ps axf | egrep "winbindd"
>  6516 pts/0    S+     0:00      |   \_ grep -E winbindd
>  5960 ?        S      0:00  |   \_ samba: task[winbindd] pre-fork master
>  5967 ?        Ss     0:03  |           \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>  5986 ?        S      0:00  |               \_ winbindd: domain child [ARBEITSGRUPPE]
>  6311 ?        S      0:00  |               \_ winbindd: domain child [BUILTIN]
>  6312 ?        S      0:00  |               \_ winbindd: idmap child

Okay, that looks good.

> # tail log.samba
> [2022/11/24 10:30:01.604138,  2] ../../source4/dns_server/dns_update.c:824(dns_server_process_update)
>   Got a dns update request.
> [2022/11/24 10:30:01.604970,  2] ../../source4/dns_server/dns_update.c:781(dns_update_allowed)
>   Update not allowed for unsigned packet.
> [2022/11/24 10:30:01.629463,  1] ../../source4/auth/gensec/gensec_gssapi.c:791(gensec_gssapi_update_internal)
>   GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
> [2022/11/24 10:30:01.629577,  1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
>   gensec_spnego_server_negTokenInit_step: gssapi_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> [2022/11/24 10:30:01.629641,  1] ../../source4/dns_server/dns_query.c:888(handle_tkey)
>   GSS key negotiation returned NT_STATUS_LOGON_FAILURE

That *smells* like a keytab issue, but I'm not sure yet.

..
> # wbinfo -t
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE

Wow.

See lsof /run/samba/winbindd/pipe - this will show which process is listening there.
See strace -e connect wbinfo -t - this will show what wbinfo gets when trying to connect there.
See lsof -p for the winbindd processes above (eg lsof -p 6312) for the files open by these processes.

It is some very basic stuff.. it's weird.

Has this been restarted after upgrade? (it should, but I haven't looked at this part in the debian package yet). Did you restart it manually before?

/mjt
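
[Added example, not part of the thread and not written by either poster.] The two checks discussed above (are the three winbindd children present in the ps listing, and does the client pipe exist as a socket) can be scripted as below. The function names are hypothetical and the ps samples are constructed from the listings quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Reads `ps axf` output on stdin; $1 is the NetBIOS domain name.
# Prints each expected winbindd child that is absent (nothing if all present).
missing_winbindd_children() {
    awk -v dom="$1" '
        index($0, "winbindd: domain child [" dom "]")  { have_dom = 1 }
        index($0, "winbindd: domain child [BUILTIN]")  { have_builtin = 1 }
        index($0, "winbindd: idmap child")             { have_idmap = 1 }
        END {
            if (!have_dom)     print "domain child [" dom "]"
            if (!have_builtin) print "domain child [BUILTIN]"
            if (!have_idmap)   print "idmap child"
        }'
}

# True when the path wbinfo connects to exists as a UNIX socket.
# The default path is the one named in the thread.
winbindd_pipe_present() {
    [ -S "${1:-/run/samba/winbindd/pipe}" ]
}

# Constructed samples modelled on the first and second ps listings above.
ps_before='5281 pts/0 S+ 0:00 \_ grep -E winbindd
5153 ? S 0:00 | \_ samba: task[winbindd] pre-fork master
5159 ? Ss 0:00 | \_ /usr/sbin/winbindd -D --foreground
5186 ? S 0:00 | \_ winbindd: domain child [ARBEITSGRUPPE]'
ps_after="$ps_before
6311 ? S 0:00 | \_ winbindd: domain child [BUILTIN]
6312 ? S 0:00 | \_ winbindd: idmap child"

echo "first listing, missing children:"
printf '%s\n' "$ps_before" | missing_winbindd_children ARBEITSGRUPPE
echo "second listing, missing children:"
printf '%s\n' "$ps_after" | missing_winbindd_children ARBEITSGRUPPE

# On a live DC: ps axf | missing_winbindd_children ARBEITSGRUPPE
#               winbindd_pipe_present || echo "client pipe is not a socket"
```
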