Gary Dale
2023-Apr-25 03:56 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 2023-04-24 17:03, Gary Dale via samba wrote:
> As near as I can tell, my Samba AD DC is working. I'm getting no
> errors when I bring up and use Active Directory Users and Computers.
>
> When I do the testing (verifying) for the file server, DNS and
> Kerberos from
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller,
> everything works. To be clear, the DC is NOT running as a file server
> - that is simply the terminology used by the wiki page.
>
> I did the Create a reverse zone section but the reverse lookup fails.
>
> root@DC1:~# host 192.168.1.13
> Host 13.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
>
> Here's the output from my DNS information commands:
>
> root@DC1:~# samba-tool dns zonelist DC1 -U Administrator
> Password for [HOME\Administrator]:
>   3 zone(s) found
>
>   pszZoneName                 : 1.168.192.in-addr.arpa
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.home.rahim-dale.org
>
>   pszZoneName                 : home.rahim-dale.org
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.home.rahim-dale.org
>
>   pszZoneName                 : _msdcs.home.rahim-dale.org
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.home.rahim-dale.org
>
>
> root@DC1:~# samba-tool dns zoneinfo DC1 home.rahim-dale.org -U Administrator
> Password for [HOME\Administrator]:
>   pszZoneName                 : home.rahim-dale.org
>   dwZoneType                  : DNS_ZONE_TYPE_PRIMARY
>   fReverse                    : FALSE
>   fAllowUpdate                : DNS_ZONE_UPDATE_SECURE
>   fPaused                     : FALSE
>   fShutdown                   : FALSE
>   fAutoCreated                : FALSE
>   fUseDatabase                : TRUE
>   pszDataFile                 : None
>   aipMasters                  : []
>   fSecureSecondaries          : DNS_ZONE_SECSECURE_NO_XFER
>   fNotifyLevel                : DNS_ZONE_NOTIFY_LIST_ONLY
>   aipSecondaries              : []
>   aipNotify                   : []
>   fUseWins                    : FALSE
>   fUseNbstat                  : FALSE
>   fAging                      : FALSE
>   dwNoRefreshInterval         : 168
>   dwRefreshInterval           : 168
>   dwAvailForScavengeTime      : 0
>   aipScavengeServers          : []
>   dwRpcStructureVersion       : 0x2
>   dwForwarderTimeout          : 0
>   fForwarderSlave             : 0
>   aipLocalMasters             : []
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.home.rahim-dale.org
>   pwszZoneDn                  : DC=home.rahim-dale.org,CN=MicrosoftDNS,DC=DomainDnsZones,DC=home,DC=rahim-dale,DC=org
>   dwLastSuccessfulSoaCheck    : 0
>   dwLastSuccessfulXfr         : 0
>   fQueuedForBackgroundLoad    : FALSE
>   fBackgroundLoadInProgress   : FALSE
>   fReadOnlyZone               : FALSE
>   dwLastXfrAttempt            : 0
>   dwLastXfrResult             : 0
>
> root@DC1:~# samba-tool dns query DC1 home.rahim-dale.org @ ALL -U Administrator
> Password for [HOME\Administrator]:
>   Name=, Records=3, Children=0
>     SOA: serial=136, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.home.rahim-dale.org., email=hostmaster.home.rahim-dale.org. (flags=600000f0, serial=136, ttl=3600)
>     NS: dc1.home.rahim-dale.org. (flags=600000f0, serial=1, ttl=900)
>     A: 192.168.1.13 (flags=600000f0, serial=1, ttl=900)
>   Name=_msdcs, Records=0, Children=0
>   Name=_sites, Records=0, Children=1
>   Name=_tcp, Records=0, Children=5
>   Name=_udp, Records=0, Children=2
>   Name=dc1, Records=4, Children=0
>     A: 192.168.1.13 (flags=f0, serial=1, ttl=900)
>     SRV: dc1.home.rahim-dale.org. (8080, 0, 100) (flags=f0, serial=129, ttl=900)
>     SRV: dc1.home.rahim-dale.org. (389, 0, 100) (flags=f0, serial=130, ttl=900)
>     SRV: home.rahim-dale.org. (389, 0, 100) (flags=f0, serial=131, ttl=900)
>   Name=DomainDnsZones, Records=0, Children=2
>   Name=ForestDnsZones, Records=0, Children=2
>   Name=GHOSTWHEEL10, Records=1, Children=0
>     A: 192.168.1.41 (flags=f0, serial=110, ttl=1200)
>   Name=thelibrarian, Records=1, Children=0
>     A: 192.168.1.14 (flags=f0, serial=110, ttl=3600)
>   Name=transponder, Records=1, Children=0
>     A: 192.168.1.20 (flags=f0, serial=110, ttl=3600)
>
> GhostWheel10 is my Windows 10 VM which gets its IP, etc. via DHCP from
> my router. I note that it allows me to specify both the DNS and WINS
> server addresses, both set to 192.168.1.13.
>
> My Linux boxes (real and virtual) have their IP set statically.
> /etc/resolv.conf reads (in all cases, including DC1):
>
> nameserver 192.168.1.13
> search home.rahim-dale.org
>
> The reverse lookup (using nslookup) also fails on the Windows VM.
>
>
> The /etc/samba/smb.conf on the DC is
>
> # Global parameters
> [global]
>         dns forwarder = 192.168.1.1
>         netbios name = DC1
>         realm = HOME.RAHIM-DALE.ORG
>         server role = active directory domain controller
>         workgroup = HOME
>         idmap_ldb:use rfc2307 = yes
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> [netlogon]
>         path = /var/lib/samba/sysvol/home.rahim-dale.org/scripts
>         read only = No
>
> The dns forwarder points to the router.
>
> Anyway, the failure of the reverse lookup seems to be a symptom of
> whatever is causing the "session setup failed:
> NT_STATUS_NO_LOGON_SERVERS" messages I keep getting when trying to
> connect to anything but the DC or from any Linux machine.
>
> Can anyone suggest what I am doing wrong and/or how to fix it?
>
> Thanks.

Nope. I found the problem with the reverse lookup by using the Windows 10 DNS Manager and corrected it. Now I'm getting the reverse lookup correctly everywhere but still getting the NT_STATUS_NO_LOGON_SERVERS from my Linux workstation:

$ smbclient -L //TheLibrarian -U gary
Password for [HOME\gary]:
session setup failed: NT_STATUS_LOGON_FAILURE

$ smbclient -L //DC1 -U gary
Password for [HOME\gary]:

        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk
        netlogon        Disk
        IPC$            IPC       IPC Service (Samba 4.17.7-Debian)
SMB1 disabled -- no workgroup available

wbinfo --ping-dc succeeds from the workstation (and from the file+print server):

$ wbinfo --ping-dc
checking the NETLOGON for domain[HOME] dc connection to "dc1.home.rahim-dale.org" succeeded

I really miss the way things used to just work with Samba. And I hate that virtually all of the wiki pages from Samba are no longer accurate and/or don't really explain what you need to do. After following the advice from a member of this forum, at this point all I've got is an extra VM running with neither the ability to authenticate my Linux workstation against the AD DC nor connect to shares from the file+print server. Instead of having one Samba server, I've got two that require different setups. And the setup is apparently now spread out over umpteen programs that need to work perfectly in sync.

Anyway, here's the current smb.conf from the file & print server:

[global]
        netbios name = THELIBRARIAN
        realm = HOME.RAHIM-DALE.ORG
        restrict anonymous = 2
        security = ADS
        server role = member server
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind use default domain = Yes
        workgroup = HOME
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        idmap config HOME:unix_nss_info = yes
        idmap config HOME:range = 10000-999999
        idmap config HOME:schema_mode = rfc2307
        idmap config HOME:backend = ad
        map acl inherit = Yes
        printing = cups
        store dos attributes = Yes
        vfs objects = acl_xattr

I've set up a samba-only file share as:

[taxes]
        path = /srv/taxes
        read only = No

which is owned by root:Domain Admins. This shows up in Linux as:

root@TheLibrarian:~# ls -l /srv/
total 4
drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes

but when I try to connect from the Windows 10 VM using the same account I am logged in as, it rejects my password.

It's late & I'm tired. If anyone has any ideas, I'd appreciate the help when I return to this in the morning.
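The reverse-lookup failure in the post above (the 1.168.192.in-addr.arpa zone exists, but 192.168.1.13 has no PTR record in it) can be spotted from the forward zone's A records. This is an added example, not code from the thread or from Samba: it parses the "samba-tool dns query ... @ ALL" listing format shown above, derives each host's PTR owner name and enclosing /24 reverse zone, and prints the samba-tool dns add commands for any PTR still missing. The sample listing is constructed to mirror the posted output, and the set of existing PTR names is assumed to come from a query of the reverse zone.

```python
import ipaddress
import re

# Constructed sample in the "samba-tool dns query ... @ ALL" format posted in the thread.
SAMPLE_QUERY_OUTPUT = """\
  Name=, Records=3, Children=0
    A: 192.168.1.13 (flags=600000f0, serial=1, ttl=900)
  Name=dc1, Records=4, Children=0
    A: 192.168.1.13 (flags=f0, serial=1, ttl=900)
  Name=GHOSTWHEEL10, Records=1, Children=0
    A: 192.168.1.41 (flags=f0, serial=110, ttl=1200)
  Name=thelibrarian, Records=1, Children=0
    A: 192.168.1.14 (flags=f0, serial=110, ttl=3600)
"""
NAME_RE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=")
A_RE = re.compile(r"^\s*A: (?P<ip>\d+\.\d+\.\d+\.\d+) ")

def parse_a_records(text, zone):
    """Map fqdn -> IP for each A record under a 'Name=' heading; the zone
    apex (empty name) is skipped since it only repeats the DC's address."""
    records, current = {}, None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = A_RE.match(line)
        if m and current:
            records[f"{current.lower()}.{zone}"] = m.group("ip")
    return records

def reverse_name(ip):
    """PTR owner name: 192.168.1.13 -> 13.1.168.192.in-addr.arpa"""
    return ipaddress.ip_address(ip).reverse_pointer

def reverse_zone(ip):
    """Enclosing /24 reverse zone: 192.168.1.13 -> 1.168.192.in-addr.arpa"""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    octets = str(net.network_address).split(".")[:3]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def missing_ptr_commands(records, existing_ptrs, server="DC1"):
    """samba-tool dns add commands for hosts whose PTR is still missing.
    existing_ptrs: PTR owner names already present in the reverse zone."""
    cmds = []
    for fqdn, ip in sorted(records.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        if reverse_name(ip) not in existing_ptrs:
            cmds.append(f"samba-tool dns add {server} {reverse_zone(ip)} "
                        f"{ip.split('.')[-1]} PTR {fqdn} -U Administrator")
    return cmds
```

Run the generated commands on the DC as a user allowed to update the zone; afterwards "host 192.168.1.13" should answer with the PTR instead of NXDOMAIN.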
Rowland Penny
2023-Apr-25 11:30 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 25/04/2023 04:56, Gary Dale via samba wrote:
>
> which is owned by root:Domain Admins. This shows up in Linux as:
>
> root@TheLibrarian:~# ls -l /srv/
> total 4
> drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes

Why is the group being shown as a number rather than by name (which ends in '512', so is probably Domain Admins, which shouldn't have a gidNumber; it breaks sysvol when using the 'ad' idmap backend)?

Is /etc/nsswitch.conf set up correctly? Are libpam-winbind and libnss-winbind installed?

Rowland