[Samba] Debugging Samba 4 AD Setup

L.P.H. van Belle belle at bazuin.nl
Tue Mar 24 09:22:37 MDT 2015


All looks OK so far,

but can you give me the output of
dig PTR the-ad-hostname.ourdomain.com

just to be sure.

What OS are you running?
Is dovecot running on the same server?
Is dovecot auth running as root?

The output of:
cat /etc/pam.d/imap
cat /etc/pam.d/pop3
cat /etc/pam.d/mail

And how many auth requests are you getting? Default is 100.


Greetz, 

Louis



>-----Original message-----
>From: johannesa at celluloid-vfx.com 
>[mailto:samba-bounces at lists.samba.org] On behalf of Johannes Amorosa 
>| Celluloid VFX
>Sent: Tuesday 24 March 2015 16:04
>To: samba at lists.samba.org
>Subject: Re: [Samba] Debugging Samba 4 AD Setup
>
>Hi Louis,
>answers are inline ...
>
>On 03/24/2015 03:48 PM, L.P.H. van Belle wrote:
>> Realm is advised to be UPPERCASE.. not obligated. (but very much advised, yes)
>I changed the config to uppercase and rebooted, no change in the logfiles.
>>
>> check the following outputs and post them back to the list (if needed, anonymized)
>>
>> hostname -i
>192.168.1.235
>> hostname -s
>the-ad-hostname
>> hostname -f
>the-ad-hostname.ourdomain.com
>> hostname -d
>ourdomain.com
>>
>> cat /etc/resolv.conf
>nameserver 192.168.1.236
>nameserver 192.168.1.235
>search ourdomain.com
>
>> cat /etc/hosts
>127.0.0.1    localhost
>192.168.1.235    the-ad-hostname.ourdomain.com the-ad-hostname
><snip>
>> cat /etc/mailname
>cat: /etc/mailname: No such file or directory
>
>>
>> dig MX ourdomain.com @127.0.0.1
>; <<>> DiG 9.8.1-P1 <<>> MX ourdomain.com @127.0.0.1
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3733
>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;ourdomain.com.        IN    MX
>
>;; Query time: 0 msec
>;; SERVER: 127.0.0.1#53(127.0.0.1)
>;; WHEN: Tue Mar 24 15:58:44 2015
>;; MSG SIZE  rcvd: 34
>
>> dig MX ourdomain.com @192.168.1.254
>; <<>> DiG 9.8.1-P1 <<>> MX ourdomain.com @192.168.1.254
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1156
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;ourdomain.com.        IN    MX
>
>;; AUTHORITY SECTION:
>.            10800    IN    SOA    a.root-servers.net. nstld.verisign-grs.com. 2015032400 1800 900 604800 86400
>
>;; Query time: 73 msec
>;; SERVER: 192.168.1.254#53(192.168.1.254)
>;; WHEN: Tue Mar 24 16:00:07 2015
>;; MSG SIZE  rcvd: 109
>
>> dig PTR IP_OF_DC
>; <<>> DiG 9.8.1-P1 <<>> PTR the-ad-hostname
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6806
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 4000
>;; QUESTION SECTION:
>;the-ad-hostname.            IN    PTR
>
>;; Query time: 43 msec
>;; SERVER: 192.168.1.236#53(192.168.1.236)
>;; WHEN: Tue Mar 24 16:00:57 2015
>;; MSG SIZE  rcvd: 39
>
>>
>> Greetz,
>>
>> Louis
>>
>>
>Thank you for your time.
>
>>
>>> -----Original message-----
>>> From: kable at abv.bg [mailto:samba-bounces at lists.samba.org]
>>> On behalf of Georg Georgiev
>>> Sent: Tuesday 24 March 2015 14:27
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Debugging Samba 4 AD Setup
>>>
>>> Hello Johannes,
>>> Please check your kerberos realm, wiki says: _Realm:_ . It will also
>>> automatically be used as the Active Directory DNS domain name.
>>> The Realm always has to be in uppercase.
>>> I see that yours is realm = ourdomain.com
>>> Regards,
>>> George
>>>
>>> On 24.3.2015 14:29, Johannes Amorosa | Celluloid VFX wrote:
>>>> We're using quite successfully a samba 4.1 AD setup authenticating
>>>> users. On an irregular basis we have
>>>> mails that can't be delivered because dovecot-pam fails to verify the
>>>> credentials. I'm trying to debug
>>>> this and set the loglevel up to 3.
>>>>
>>>> I can see an error message being spammed in the log files and can't
>>>> figure out what causes this. I expect a configuration error somewhere
>>>> although everything else seems to work. Can someone shed some light on
>>>> this error?
>>>>
>>>> Invalid domain! Expected name in domain [ourdomain.com]. But received [THE-AD-HOSTNAME]!
>>>>
>>>> ../source4/rpc_server/netlogon/dcerpc_netlogon.c:2330(dcesrv_netr_DsrEnumerateDomainTrusts)
>>>>
>>>> I don't believe this has anything to do with the initial problem, but
>>>> I would like to resolve this one as well.
>>>> Thank you for your time.
>>>> Joe
>>>>
>>>> Setup:
>>>> Two identical servers with this samba.conf.
>>>>
>>>> # Global parameters
>>>> [global]
>>>>      workgroup = OURDOMAIN
>>>>      realm = ourdomain.com
>>>>      netbios name = THE-AD-HOSTNAME
>>>>      netbios aliases = SOMETHINGELSE
>>>>      log level = 3
>>>>
>>>>      server role = active directory domain controller
>>>>      dns forwarder = 192.168.1.254
>>>> [netlogon]
>>>>      path = /var/lib/samba/sysvol/ourdomain.com/scripts
>>>>      read only = No
>>>>
>>>> [sysvol]
>>>>      path = /var/lib/samba/sysvol
>>>>      read only = No
>>>>
>>>>
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>
>-- 
>Johannes Amorosa | Celluloid VFX
>
>
>
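
The host-identity checks this thread walks through (realm case, realm against `hostname -d`, netbios name against `hostname -s`), as an added shell example that is not part of the original messages. The function names, finding labels and sample text are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs are passed in as text so the
# checks can be run against copies of smb.conf and the hostname outputs.

# smb_global KEY: read smb.conf text on stdin, print KEY's value in [global].
smb_global() {
    awk -v key="$1" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        !in_global || /^[ \t]*[#;]/ || !index($0, "=") { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }'
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# check_identity CONF_TEXT DNS_DOMAIN SHORT_HOSTNAME
# DNS_DOMAIN is the `hostname -d` output, SHORT_HOSTNAME the `hostname -s` output.
# Prints one finding per line, nothing when the three values agree.
check_identity() {
    realm=$(printf '%s\n' "$1" | smb_global realm)
    nbname=$(printf '%s\n' "$1" | smb_global 'netbios name')
    [ "$realm" = "$(upper "$realm")" ] || echo "realm-not-uppercase: $realm"
    [ "$(lower "$realm")" = "$(lower "$2")" ] ||
        echo "realm-dns-mismatch: $realm vs $2"
    # An unset netbios name is skipped (assumption: Samba derives it from the hostname).
    [ -z "$nbname" ] || [ "$(lower "$nbname")" = "$(lower "$3")" ] ||
        echo "netbios-hostname-mismatch: $nbname vs $3"
}

# Constructed sample: the [global] section and hostname outputs quoted in the thread.
SAMPLE_CONF='[global]
     workgroup = OURDOMAIN
     realm = ourdomain.com
     netbios name = THE-AD-HOSTNAME
     server role = active directory domain controller
[netlogon]
     path = /var/lib/samba/sysvol/ourdomain.com/scripts'

check_identity "$SAMPLE_CONF" ourdomain.com the-ad-hostname
```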


