[Samba] Serverinfo Error
Rowland penny
rpenny at samba.org
Mon Jul 29 08:33:38 UTC 2019
On 29/07/2019 08:11, L.P.H. van Belle via samba wrote:
> Hai,
>
> There is something going on in your resolving, that I'm sure.
>
> I don't know where you're missing a setting or did a wrong setting,
> but this should all work out of the box.
>
> The PTR lookup response with the IP of the DC should be hostname.fqdn. and not hostname.
>
> I've also had a good look at the debug script output again.
> That all looks ok to me so I'm wondering if apparmor is in play here or systemd things.
>
> I'm missing rules in apparmor, as shown below.
> You are using internal DNS and not Bind9_DLZ (based on smb.conf outputs) so ..
>
> Can you run :
> cat /var/log/syslog | grep 'DENIED'
> And
> cat /var/log/auditd/auditd.log | grep 'DENIED'
> ( if auditd is installed )
>
> Can you also show me :
> ps faux |egrep "samba|winbind"
> And
> netstat -tan|egrep "LISTEN" | grep "53"
>
> And check some things within systemd.
> Show me also :
>
> networkctl status
> networkctl status $(ip a|grep "state UP"| cut -d: -f2)
> timedatectl
> resolvectl status
>
>>> And maybe it's an option to try the 4.10.6 package I supply.
>>> Debian buster packages are updated within 1-2 hours.
>> I had to comment out some lines of python to get this far.
>> Should those files be replaced?
> Which files? And which lines exactly?
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Robert A Wooldridge via samba
>> Sent: Friday 26 July 2019 18:21
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Serverinfo Error
>>
>> On 07/26/2019 01:19 AM, L.P.H. van Belle via samba wrote:
>>> Hai,
>>>
>>> Ok, below looks ok, as Rowland also said.
>>>
>>> But I have one more thing.
>>>
>>>>> Checking file: /etc/krb5.conf
>>>>>
>>>>> [libdefaults]
>>>>> dns_lookup_realm = false
>>>>> dns_lookup_kdc = true
>>>>> default_realm = EDM-INC.COM
>>>>> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>>>> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>>> Remove the 2 default_*_enctypes lines.
>>>
>>> Or set:
>>> default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>> default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>> permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>> Using this, I needed to put those two lines in because I
>> couldn't join the domain without them
>>> And does it work if you run it like this :
>>> samba-tool dns serverinfo athena -Uadministrator
>> No:
>> athena:~# samba-tool dns serverinfo athena -Uadministrator
>> Password for [EDM\administrator]:
>> ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 564, in run
>>     None, 'ServerInfo')
>>
>>> And test the following.
> ....
>
>> ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> -x 10.10.1.10
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59884
>> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;10.1.10.10.in-addr.arpa. IN PTR
>>
>> ;; ANSWER SECTION:
>> 10.1.10.10.in-addr.arpa. 3600 IN PTR athena.
> This should show FQDN in the result.
>
>> ;; AUTHORITY SECTION:
>> 10.10.in-addr.arpa. 3600 IN SOA athena.edm-inc.com. hostmaster.edm-inc.com. 1 900 600 86400 3600
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 10.10.1.10#53(10.10.1.10)
>> ;; WHEN: Fri Jul 26 11:06:51 CDT 2019
>> ;; MSG SIZE rcvd: 126
>>
>>> And can you show the output of :
>>> egrep -ri "samba|winbind" /etc/apparmor.d/*
>> athena:~# egrep -ri "samba|winbind" /etc/apparmor.d/*
>> /etc/apparmor.d/abstractions/authentication: # winbind
>> /etc/apparmor.d/abstractions/authentication: #include <abstractions/winbind>
>> /etc/apparmor.d/abstractions/smbpass: /var/lib/samba/*.[lt]db rwk,
>> /etc/apparmor.d/abstractions/samba: /etc/samba/* r,
>> /etc/apparmor.d/abstractions/samba: /usr/lib*/samba/ldb/*.so mr,
>> /etc/apparmor.d/abstractions/samba: /usr/share/samba/*.dat r,
>> /etc/apparmor.d/abstractions/samba: /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
>> /etc/apparmor.d/abstractions/samba: /var/cache/samba/ w,
>> /etc/apparmor.d/abstractions/samba: /var/cache/samba/lck/* rwk,
>> /etc/apparmor.d/abstractions/samba: /var/lib/samba/** rwk,
>> /etc/apparmor.d/abstractions/samba: /var/log/samba/cores/ rw,
>> /etc/apparmor.d/abstractions/samba: /var/log/samba/cores/** rw,
>> /etc/apparmor.d/abstractions/samba: /var/log/samba/* w,
>> /etc/apparmor.d/abstractions/samba: /{,var/}run/samba/ w,
>> /etc/apparmor.d/abstractions/samba: /{,var/}run/samba/*.tdb rw,
>> /etc/apparmor.d/abstractions/nameservice: /etc/samba/lmhosts r,
>> /etc/apparmor.d/abstractions/nameservice: # winbind
>> /etc/apparmor.d/abstractions/nameservice: #include <abstractions/winbind>
>> /etc/apparmor.d/abstractions/winbind: # pam_winbindd
>> /etc/apparmor.d/abstractions/winbind: /tmp/.winbindd/pipe rw,
>> /etc/apparmor.d/abstractions/winbind: /var/{lib,run}/samba/winbindd_privileged/pipe rw,
>> /etc/apparmor.d/abstractions/winbind: /etc/samba/smb.conf r,
>> /etc/apparmor.d/abstractions/winbind: /etc/samba/dhcp.conf r,
>> /etc/apparmor.d/abstractions/winbind: /usr/lib*/samba/valid.dat r,
>> /etc/apparmor.d/abstractions/winbind: /usr/lib*/samba/upcase.dat r,
>> /etc/apparmor.d/abstractions/winbind: /usr/lib*/samba/lowcase.dat r,
>> /etc/apparmor.d/abstractions/winbind: /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
>> /etc/apparmor.d/samba/smbd-shares:# autogenerated by update-apparmor-samba-profile 1.2+deb at samba start - do not edit!
>> /etc/apparmor.d/samba/smbd-shares:"/var/lib/samba/sysvol/edm-inc.com/scripts/" rk,
>> /etc/apparmor.d/samba/smbd-shares:"/var/lib/samba/sysvol/edm-inc.com/scripts/**" rwkl,
>> /etc/apparmor.d/samba/smbd-shares:"/var/lib/samba/sysvol/" rk,
>> /etc/apparmor.d/samba/smbd-shares:"/var/lib/samba/sysvol/**" rwkl,
>> /etc/apparmor.d/usr.sbin.ntpd: # samba4 ntp signing socket
>> /etc/apparmor.d/usr.sbin.ntpd: /{,var/}run/samba/ntp_signd/socket rw,
>> /etc/apparmor.d/usr.sbin.ntpd: # samba4 winbindd pipe
>> /etc/apparmor.d/usr.sbin.ntpd: /run/samba/winbindd/pipe rw,
>>> And maybe it's an option to try the 4.10.6 package I supply.
>>> Debian buster packages are updated within 1-2 hours.
>> I had to comment out some lines of python to get this far.
>> Should those files be replaced?
> Which files? And which lines exactly?
>
>
>
>
He had to comment out the lines that created the computer's DNS records,
so I now think he needs to run 'samba_upgradedns --verbose'
Rowland
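
The PTR check discussed in this thread (the reverse lookup for the DC should return the FQDN, not the bare host name), as an added example that is not part of the original mails or of Samba. The names check_ptr_fqdn, sample_broken and sample_fixed are hypothetical; sample_broken reuses the answer lines quoted above and sample_fixed is constructed.

```sh
#!/bin/sh
# Added example: all names here are hypothetical helpers, not Samba tools.

# check_ptr_fqdn DOMAIN: reads `dig -x` output on stdin, prints one verdict
# per PTR answer, and returns 0 only if at least one PTR answer was seen and
# every target is a host name under DOMAIN.
check_ptr_fqdn() {
    awk -v dom="$1" '
        BEGIN { dom = tolower(dom); sub(/\.$/, "", dom); suffix = "." dom }
        /^;/ || NF < 5 { next }      # comments, question section, blank lines
        toupper($3) == "IN" && toupper($4) == "PTR" {
            seen++
            target = tolower($5)
            sub(/\.$/, "", target)   # drop the trailing root dot
            n = length(target) - length(suffix)
            if (n > 0 && substr(target, n + 1) == suffix) {
                printf "OK   %s -> %s\n", $1, $5
            } else {
                printf "BAD  %s -> %s (not under %s)\n", $1, $5, dom
                bad++
            }
        }
        END { exit ((seen == 0 || bad > 0) ? 1 : 0) }
    '
}

# Answer and authority lines as quoted in the thread above.
sample_broken() { cat <<'EOF'
;; ANSWER SECTION:
10.1.10.10.in-addr.arpa. 3600 IN PTR athena.
;; AUTHORITY SECTION:
10.10.in-addr.arpa. 3600 IN SOA athena.edm-inc.com. hostmaster.edm-inc.com. 1 900 600 86400 3600
EOF
}

# Constructed: what the answer would look like with the FQDN as PTR target.
sample_fixed() { cat <<'EOF'
;; ANSWER SECTION:
10.1.10.10.in-addr.arpa. 3600 IN PTR athena.edm-inc.com.
EOF
}

for s in sample_broken sample_fixed; do
    if "$s" | check_ptr_fqdn edm-inc.com; then
        echo "$s: PTR target is an FQDN"
    else
        echo "$s: PTR target is not an FQDN under the domain"
    fi
done
```

Against a live server the same function can read the output of dig -x 10.10.1.10 on stdin; a non-zero exit status means the reverse zone still holds a bare host name or returned no PTR record.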