[Samba] Problem with adding a Samba Member Server to a Samba AD Domain

    From Stefan Schäfer via@21:1/5 to All on Sat Mar 18 08:10:01 2017
    Hi List,

    I found some threads here in the list with similar problems, but nothing
    helped to solve my problem.

    We have a very much too old Samba DC (version 4.1.x) and a new Samba
    4.5.6 which should act as a member server.

    The first problem we had during joining the domain:

    "net ads join -k" didn't work.

    The Error Message said: Failed to join domain: failed to lookup DC info
    for domain 'BAETTENHAUSEN.LOCAL' over rpc: An internal error occurred.

    Joining with "net ads join -S s4ad.baettenhausen.local -U Administrator@baettenhausen.local" worked.

    After this it wasn't possible to connect to any share of this server. I
    found the following message in the logs:

    [2017/03/18 01:48:18.760431, 1] ../source3/librpc/crypto/gse.c:498(gse_get_server_auth_token)
    gss_accept_sec_context failed with [ Miscellaneous failure (see
    text): Failed to find cifs/fileserver.baettenhausen.local@BAETTENHAUSEN.LOCAL(kvno 2) in
    keytab MEMORY:cifs_srv_keytab
    (arcfour-hmac-md5)]

    Trying to search the keytab for "arcfour-hmac-md5" with "klist -e -k /etc/krb5.keytab | grep arcfour-hmac-md5" delivers no matches.

    Trying to connect with the Domain Admins account with smbclient didn't work:

    smbclient -L 127.0.0.1 -U administrator@baettenhausen.local
    Enter administrator@baettenhausen.local's password:
    session setup failed: NT_STATUS_LOGON_FAILURE

    The log shows:

    [2017/03/18 07:35:01.529313, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
    check_ntlm_password: Checking password for unmapped user [BAETTENHAUSEN]\[administrator]@[FILESERVER] with the new password interface
    [2017/03/18 07:35:01.529339, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
    check_ntlm_password: mapped user is: [BAETTENHAUSEN]\[administrator]@[FILESERVER]
    [2017/03/18 07:35:01.552411, 3] ../source3/auth/auth_util.c:1233(check_account)
    Failed to find authenticated user BAETTENHAUSEN\administrator via getpwnam(), denying access.
    [2017/03/18 07:35:01.552450, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
    check_ntlm_password: Authentication for user [administrator] -> [administrator] FAILED with error NT_STATUS_NO_SUCH_USER
    [2017/03/18 07:35:01.552482, 2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
    SPNEGO login failed: NT_STATUS_NO_SUCH_USER
    [2017/03/18 07:35:01.552546, 3] ../source3/smbd/error.c:82(error_packet_set)
    NT error packet at ../source3/smbd/sesssetup.c(277) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    [2017/03/18 07:35:01.552988, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
    Server exit (failed to receive smb request)
    [2017/03/18 07:35:01.577737, 3] ../source3/lib/util_procid.c:54(pid_to_procid)
    pid_to_procid: messaging_dgm_get_unique failed: No such file or directory

    kinit instead works fine, and wbinfo -u is able to show all domain users.

    My smb.conf:

    [global]
    workgroup = BAETTENHAUSEN
    interfaces = 127.0.0.1 eth0
    bind interfaces only = true
    printing = cups
    printcap name = cups
    load printers = yes
    user share allow guests = no
    log level = 3

    ## no offline files
    # csc policy = disable

    ## Domain Settings
    security = ADS
    realm = BAETTENHAUSEN.LOCAL
    # server signing = auto
    kerberos method = secrets and keytab
    client signing = yes
    client use spnego = yes

    ntlm auth = yes

    winbind trusted domains only = no
    winbind use default domain = yes

    ## Winbind Settings
    #winbind separator = +
    # ID mapping with RFC2307 extension
    # Builtin and local users/groups
    idmap config *:backend = tdb
    idmap config *:range = 40000-49999

    # BAETTENHAUSEN
    idmap config BAETTENHAUSEN:backend = ad
    #idmap config BAETTENHAUSEN:schema_mode = rfc2307
    idmap config BAETTENHAUSEN:range = 500-30000

    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    template homedir = /home/%D/%U

    ## Charset Settings
    unix charset = UTF8
    # display charset = UTF8
    dos charset = ASCII

    ....

    Here is the krb5.conf:

    [libdefaults]
    default_realm = BAETTENHAUSEN.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true

    [realms]
    BAETTENHAUSEN.LOCAL = {
    kdc = s4ad.baettenhausen.local
    admin_server = s4ad.baettenhausen.local
    }

    Resolving the DNS service records for LDAP and Kerberos works:

    fileserver:~ # dig SRV _ldap._tcp.baettenhausen.local

    ; <<>> DiG 9.9.9-P1 <<>> SRV _ldap._tcp.baettenhausen.local
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46492
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;_ldap._tcp.baettenhausen.local. IN SRV

    ;; ANSWER SECTION:
    _ldap._tcp.baettenhausen.local. 900 IN SRV 0 100 389 s4ad.baettenhausen.local.

    ;; AUTHORITY SECTION:
    baettenhausen.local. 900 IN NS s4ad.baettenhausen.local.

    ;; ADDITIONAL SECTION:
    s4ad.baettenhausen.local. 900 IN A 192.168.1.10

    ;; Query time: 8 msec
    ;; SERVER: 192.168.1.10#53(192.168.1.10)
    ;; WHEN: Sat Mar 18 07:45:39 CET 2017
    ;; MSG SIZE rcvd: 133


    fileserver:~ # dig SRV _kerberos._tcp.baettenhausen.local

    ; <<>> DiG 9.9.9-P1 <<>> SRV _kerberos._tcp.baettenhausen.local
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33727
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;_kerberos._tcp.baettenhausen.local. IN SRV

    ;; ANSWER SECTION:
    _kerberos._tcp.baettenhausen.local. 900 IN SRV 0 100 88 s4ad.baettenhausen.local.

    ;; AUTHORITY SECTION:
    baettenhausen.local. 900 IN NS s4ad.baettenhausen.local.

    ;; ADDITIONAL SECTION:
    s4ad.baettenhausen.local. 900 IN A 192.168.1.10

    ;; Query time: 7 msec
    ;; SERVER: 192.168.1.10#53(192.168.1.10)
    ;; WHEN: Sat Mar 18 07:46:58 CET 2017
    ;; MSG SIZE rcvd: 137

    Resolving the Hostnames of the AD-DC and the new Member Server works in
    both directions.

    Any Ideas?

    Stefan
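The gse.c failure above names exactly what smbd was looking for (principal, kvno and enctype), and the post already checks the keytab for it by hand with klist and grep. The following is an added example, not part of the post or of Samba, that performs the same comparison in a structured way: it parses the wrapped log message and a `klist -e -k` listing and reports whether the principal, the kvno or only the enctype is missing. It assumes MIT-style klist output and that the on-disk /etc/krb5.keytab reflects what smbd loads into MEMORY:cifs_srv_keytab; the klist output below is constructed to match the post's observation that no arcfour-hmac-md5 entry exists.

```python
import re
from typing import Dict, List, Optional

# Message logged by source3/librpc/crypto/gse.c when no matching key is found; it wraps across lines.
GSE_FAIL = re.compile(
    r"Failed to find (?P<princ>\S+?)\(kvno (?P<kvno>\d+)\) in keytab "
    r"(?P<keytab>\S+)\s*\((?P<etype>[\w-]+)\)")

# One entry per line of MIT `klist -e -k` output: "KVNO Principal (enctype)".
KLIST_ENTRY = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<princ>\S+)\s+\((?P<etype>[\w-]+)\)")

def parse_gse_failure(log: str) -> Optional[Dict[str, str]]:
    """Return principal, kvno, keytab and enctype the server needed, or None."""
    m = GSE_FAIL.search(" ".join(log.split()))  # undo the line wrapping first
    return m.groupdict() if m else None

def parse_klist(output: str) -> List[Dict[str, str]]:
    """Return the entries of a `klist -e -k` listing (header lines are skipped)."""
    return [m.groupdict() for m in map(KLIST_ENTRY.match, output.splitlines()) if m]

def diagnose(log: str, klist_output: str) -> str:
    """Classify the gap between what gse.c wanted and what the keytab holds."""
    need = parse_gse_failure(log)
    if need is None:
        return "no-gse-failure"
    same_princ = [e for e in parse_klist(klist_output) if e["princ"] == need["princ"]]
    if not same_princ:
        return "principal-missing"      # no key for cifs/<fqdn>@REALM at all
    same_kvno = [e for e in same_princ if e["kvno"] == need["kvno"]]
    if not same_kvno:
        return "kvno-mismatch"          # key exists, but from another password generation
    if any(e["etype"] == need["etype"] for e in same_kvno):
        return "keytab-match"           # keytab does not explain the log complaint
    return "enctype-missing"            # right principal and kvno, not in this enctype

# The gse.c lines quoted in the post, as logged (wrapped).
SAMPLE_LOG = """[2017/03/18 01:48:18.760431, 1] ../source3/librpc/crypto/gse.c:498(gse_get_server_auth_token)
gss_accept_sec_context failed with [ Miscellaneous failure (see
text): Failed to find cifs/fileserver.baettenhausen.local@BAETTENHAUSEN.LOCAL(kvno 2) in
keytab MEMORY:cifs_srv_keytab
(arcfour-hmac-md5)]"""

# Constructed `klist -e -k /etc/krb5.keytab` output: AES keys only, no arcfour-hmac-md5 entry.
SAMPLE_KLIST = "\n".join([
    "Keytab name: FILE:/etc/krb5.keytab",
    "KVNO Principal",
    "   2 cifs/fileserver.baettenhausen.local@BAETTENHAUSEN.LOCAL (aes256-cts-hmac-sha1-96)",
    "   2 cifs/fileserver.baettenhausen.local@BAETTENHAUSEN.LOCAL (aes128-cts-hmac-sha1-96)",
])
```

Running `diagnose(SAMPLE_LOG, SAMPLE_KLIST)` on the constructed data yields `enctype-missing`; with real input, replace SAMPLE_LOG and SAMPLE_KLIST by the actual log excerpt and the actual klist output.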


