On 2.11.2024 at 11:19, Rowland Penny via samba wrote:
>
> If your TLD is '.local', then I take it you missed that it is reserved
> for Bonjour and Avahi, so if Avahi is running on the DC, you should
> turn it off (and everywhere else in your domain).

I am aware of this. The domain was set up almost 20 years ago, at that
time some guides advised not to do anything on the public domain, and
now it is very difficult to change it.

>
> You also seem to be running Bind9, is this set up correctly ?
> Please post the contents of:
> /etc/bind/named.conf
> /etc/bind/named.conf.options
> /etc/bind/named.conf.local

# cat /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
__________________________________
# cat /etc/bind/named.conf.options
acl internals {
    127.0.0.0/8;
    192.168.0.0/24;
    10.0.0.0/8;
};

options {
    directory "/var/cache/bind";
    version "Go Away 0.0.7";
    notify no;
    empty-zones-enable no;
    auth-nxdomain yes;
    forwarders {
        8.8.8.8;
        1.1.1.1;
    };
    allow-transfer { none; };
    dnssec-validation no;

    // If you only use IPv4.
    listen-on-v6 { none; };
    // listen on these ipnumbers.
    listen-on port 53 { any; };
    minimal-responses yes;

    // Add any subnets or hosts you want to allow to use this DNS server
    allow-query { any; };
    allow-query-cache { any; };

    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
__________________________________
# cat /etc/bind/named.conf.local
include "/var/lib/samba/bind-dns/named.conf";
__________________________________
# cat /var/lib/samba/bind-dns/named.conf
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so";

# cat /etc/bind/named.conf.default-zones
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

I don't really understand what DNS configuration has to do with the
problem where, when I log into ldap using sasl, it works, but when I use
ntlmsspNegotiate, LDAP drops the connection and the logs contain the
entry:

[2024/11/05 14:19:11.121983, 3] lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2024/11/05 14:19:11.122344, 3] lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2024/11/05 14:19:11.123630, 3] source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET'
[2024/11/05 14:19:11.124440, 3] source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'LDAP_PROTOCOL_ERROR'

> I don't use forticlient, but it seems there are various ways to connect
> to it, which variant are you using ?

ForticlientEMS supports only LDAP or LDAPS
On Tue, 5 Nov 2024 14:40:01 +0100
Programnet via samba <samba at lists.samba.org> wrote:

> On 2.11.2024 at 11:19, Rowland Penny via samba wrote:
> >
> > If your TLD is '.local', then I take it you missed that it is
> > reserved for Bonjour and Avahi, so if Avahi is running on the DC,
> > you should turn it off (and everywhere else in your domain).
>
> I am aware of this. The domain was set up almost 20 years ago, at
> that time some guides advised not to do anything on the public
> domain, and now it is very difficult to change it.

Fair enough, that would have been when Microsoft went through one of
their 'stupid' periods and recommended '.local'.

> >
> I don't really understand what DNS configuration has to do with the
> problem where when I log into ldap

Again a fair comment, but if the DNS was wrong (which it doesn't appear
to be), the DC might have been found.

> using: sasl it works but when I
> use: ntlmsspNegotiate LDAP drops the connection and the logs contain
> the entry: [2024/11/05 14:19:11.121983, 3]
> lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2024/11/05 14:19:11.122344, 3]
> lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2024/11/05 14:19:11.123630, 3]
> source4/samba/service_stream.c:67(stream_terminate_connection)
> stream_terminate_connection: Terminating connection -
> 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_RESET' [2024/11/05 14:19:11.124440, 3]
> source4/samba/service_stream.c:67(stream_terminate_connection)
> stream_terminate_connection: Terminating connection -
> 'LDAP_PROTOCOL_ERROR'

Could your forticlient program be using SMBv1 ???
It would help if it was known just what ldap command was being used,
any chance you could use wireshark to capture the conversation ?

> >
> > I don't use forticlient, but it seems there are various ways to
> > connect to it, which variant are you using ?
>
> ForticlientEMS supports only LDAP or LDAPS

There are numerous ways to connect to AD. ldap & ldaps are only two of
them, but which one of the two have you tried?

While searching for info about forticlient, I found this:

https://community.fortinet.com/t5/Support-Forum/Forti-Client-EMS-LDAP-SAMBA/td-p/329996

It sounds like either Samba is not doing something that forticlient
expects or Samba is doing something that forticlient isn't asking for.
Either way, it looks like we are going to need that wireshark capture.

Rowland
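The DC log above shows the connection being reset while the server was still reading the client's PDU, followed by LDAP_PROTOCOL_ERROR, and the open question in the thread is which bind variant the EMS actually sends. As an added example (not code from this thread, from Samba or from Fortinet), the following script decodes the BER of an LDAP BindRequest (RFC 4511) so that the bytes of one LDAP message lifted from a Wireshark capture can be classified: simple or SASL bind, which SASL mechanism is named, and whether the SASL credentials begin with an NTLMSSP token. The DN `CN=ems,CN=Users,DC=example,DC=local`, the password, the GSSAPI placeholder token and the zero-stubbed NTLMSSP NEGOTIATE blob are all constructed for the example, not taken from the poster's setup.

```python
"""Classify LDAP BindRequest PDUs (RFC 4511) lifted from a packet capture.
Added example for this thread, not Samba or Fortinet code; the sample PDUs
at the bottom are constructed here, not captured from the poster's EMS."""

TAG_SEQUENCE = 0x30        # SEQUENCE: LDAPMessage, SaslCredentials
TAG_INTEGER = 0x02         # messageID, version
TAG_OCTET_STRING = 0x04    # name, mechanism, credentials
TAG_BIND_REQUEST = 0x60    # bindRequest [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80     # AuthenticationChoice simple [0]
TAG_AUTH_SASL = 0xA3       # AuthenticationChoice sasl [3], constructed
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # first 8 bytes of every NTLMSSP message


class PduError(ValueError):
    """Bytes are not one complete, well-formed LDAP PDU."""


def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:                                        # short-form length
        return bytes([tag, n]) + value
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(body)]) + body + value


def _int(v: int) -> bytes:
    return _tlv(TAG_INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def encode_bind_request(msg_id: int, name: str, *, password=None,
                        sasl_mechanism=None, sasl_credentials=None) -> bytes:
    """LDAPMessage { messageID, bindRequest { version 3, name, simple | sasl } }."""
    if password is not None:
        auth = _tlv(TAG_AUTH_SIMPLE, password)
    else:
        sasl = _tlv(TAG_OCTET_STRING, sasl_mechanism.encode())
        if sasl_credentials is not None:
            sasl += _tlv(TAG_OCTET_STRING, sasl_credentials)
        auth = _tlv(TAG_AUTH_SASL, sasl)
    bind = _tlv(TAG_BIND_REQUEST, _int(3) + _tlv(TAG_OCTET_STRING, name.encode()) + auth)
    return _tlv(TAG_SEQUENCE, _int(msg_id) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); PduError if the buffer ends early."""
    if pos + 2 > len(buf):
        raise PduError("header truncated at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise PduError("bad length at offset %d" % (pos - 1))
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise PduError("value truncated at offset %d" % pos)
    return tag, buf[pos:pos + length], pos + length


def _expect(buf: bytes, pos: int, tag: int):
    t, v, nxt = _read_tlv(buf, pos)
    if t != tag:
        raise PduError("expected tag 0x%02x at offset %d, got 0x%02x" % (tag, pos, t))
    return v, nxt


def is_complete_pdu(buf: bytes) -> bool:
    """True if buf is exactly one whole BER SEQUENCE, i.e. one readable LDAP PDU."""
    try:
        return _expect(buf, 0, TAG_SEQUENCE)[1] == len(buf)
    except PduError:
        return False


def parse_bind_request(pdu: bytes) -> dict:
    """Describe the bind variant carried by one LDAPMessage."""
    if not is_complete_pdu(pdu):
        raise PduError("not one complete LDAP PDU (%d bytes)" % len(pdu))
    msg = _expect(pdu, 0, TAG_SEQUENCE)[0]
    raw_id, pos = _expect(msg, 0, TAG_INTEGER)
    op, _ = _expect(msg, pos, TAG_BIND_REQUEST)       # trailing controls are ignored
    raw_ver, pos = _expect(op, 0, TAG_INTEGER)
    name, pos = _expect(op, pos, TAG_OCTET_STRING)
    auth_tag, auth, _ = _read_tlv(op, pos)
    info = {"message_id": int.from_bytes(raw_id, "big", signed=True), "op": "bind",
            "version": int.from_bytes(raw_ver, "big", signed=True),
            "name": name.decode(errors="replace")}
    if auth_tag == TAG_AUTH_SIMPLE:
        info.update(auth="simple", empty_password=(len(auth) == 0))
    elif auth_tag == TAG_AUTH_SASL:
        mech, p = _expect(auth, 0, TAG_OCTET_STRING)
        creds = _expect(auth, p, TAG_OCTET_STRING)[0] if p < len(auth) else b""
        ntlm = creds.startswith(NTLMSSP_SIGNATURE) and len(creds) >= 12
        info.update(auth="sasl", mechanism=mech.decode(), ntlmssp_token=ntlm,
                    ntlmssp_type=int.from_bytes(creds[8:12], "little") if ntlm else None)
    else:
        raise PduError("unknown AuthenticationChoice tag 0x%02x" % auth_tag)
    return info


# Constructed samples: a simple bind, a GSSAPI bind with a placeholder token, and a
# GSS-SPNEGO bind whose credentials are a zero-stubbed NTLMSSP NEGOTIATE (type 1).
SAMPLE_SIMPLE = encode_bind_request(1, "CN=ems,CN=Users,DC=example,DC=local", password=b"hunter2")
SAMPLE_GSSAPI = encode_bind_request(2, "", sasl_mechanism="GSSAPI", sasl_credentials=b"\x60\x00")
NTLM_STUB = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x00" * 20
SAMPLE_NTLM = encode_bind_request(3, "", sasl_mechanism="GSS-SPNEGO", sasl_credentials=NTLM_STUB)

if __name__ == "__main__":
    for pdu in (SAMPLE_SIMPLE, SAMPLE_GSSAPI, SAMPLE_NTLM):
        print(parse_bind_request(pdu))
```

To use it on a real capture, export the TCP payload of the client's first packet after the handshake to the DC's port 389 (Wireshark: right-click the `Lightweight Directory Access Protocol` node, Export Packet Bytes) and pass those bytes to `parse_bind_request`; on port 636 the same bytes are only visible after TLS decryption. A payload that is not one complete BER SEQUENCE is rejected by `is_complete_pdu` before any field is read, which is the stage at which a PDU reader such as the one named in the log has nothing it can parse. Two caveats: a real GSS-SPNEGO bind normally wraps the NTLMSSP blob in an SPNEGO NegTokenInit, so the signature check here only fires on bare NTLMSSP, and the stub blob carries zeroed flags and fields, so it is not a token a DC would accept.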