[Samba] [EXTERNAL] Veto Op Locks does not seem to working properly after updates MACHINE TRUST
Mark Bannister
mark at injection-moldings.com
Thu Jun 15 19:09:12 UTC 2023
Maybe something else to look at. Suddenly Machine Trust Relationship
issues.
This is a simple Primary Domain (not AD). I rebooted the server. A few
computers could log on. Most could not: "Machine Trust Relationship
could not be established".
sudo samba-tool computer list
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
dsdb_audit: 10
dsdb_json_audit: 10
dsdb_password_audit: 10
dsdb_password_json_audit: 10
dsdb_transaction_audit: 10
dsdb_transaction_json_audit: 10
dsdb_group_audit: 10
dsdb_group_json_audit: 10
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[PDFprinter]"
Processing section "[DATA]"
Processing section "[testing]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch
machine account password for LINGROUP from both secrets.ldb (Could not
find entry to match filter:
'(&(flatname=LINGROUP)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at
../../source4/dsdb/common/util.c:4862) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Security token SIDs (1):
SID[ 0]: S-1-5-18
Privileges (0xFFFFFFFFFFFFFFFF):
Privilege[ 0]: SeMachineAccountPrivilege
Privilege[ 1]: SeTakeOwnershipPrivilege
Privilege[ 2]: SeBackupPrivilege
Privilege[ 3]: SeRestorePrivilege
Privilege[ 4]: SeRemoteShutdownPrivilege
Privilege[ 5]: SePrintOperatorPrivilege
Privilege[ 6]: SeAddUsersPrivilege
Privilege[ 7]: SeDiskOperatorPrivilege
Privilege[ 8]: SeSecurityPrivilege
Privilege[ 9]: SeSystemtimePrivilege
Privilege[ 10]: SeShutdownPrivilege
Privilege[ 11]: SeDebugPrivilege
Privilege[ 12]: SeSystemEnvironmentPrivilege
Privilege[ 13]: SeSystemProfilePrivilege
Privilege[ 14]: SeProfileSingleProcessPrivilege
Privilege[ 15]: SeIncreaseBasePriorityPrivilege
Privilege[ 16]: SeLoadDriverPrivilege
Privilege[ 17]: SeCreatePagefilePrivilege
Privilege[ 18]: SeIncreaseQuotaPrivilege
Privilege[ 19]: SeChangeNotifyPrivilege
Privilege[ 20]: SeUndockPrivilege
Privilege[ 21]: SeManageVolumePrivilege
Privilege[ 22]: SeImpersonatePrivilege
Privilege[ 23]: SeCreateGlobalPrivilege
Privilege[ 24]: SeEnableDelegationPrivilege
Rights (0x 0):
ERROR(ldb): uncaught exception - ldb_search: invalid basedn '(null)'
File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
186, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python3/dist-packages/samba/netcmd/computer.py", line
564, in run
res = samdb.search(search_dn,
Not sure this next command is pertinent to my system but has similar errors:
samba-tool dns zonelist LINGROUP
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
dsdb_audit: 10
dsdb_json_audit: 10
dsdb_password_audit: 10
dsdb_password_json_audit: 10
dsdb_transaction_audit: 10
dsdb_transaction_json_audit: 10
dsdb_group_audit: 10
dsdb_group_json_audit: 10
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[PDFprinter]"
Processing section "[DATA]"
Processing section "[testing]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:LINGROUP[,sign]
Mapped to DCERPC endpoint 135
added interface docker0 ip=172.17.0.1 bcast=172.17.255.255
netmask=255.255.0.0
added interface ens160 ip=192.168.1.190 bcast=192.168.1.255
netmask=255.255.254.0
added interface docker0 ip=172.17.0.1 bcast=172.17.255.255
netmask=255.255.0.0
added interface ens160 ip=192.168.1.190 bcast=192.168.1.255
netmask=255.255.254.0
print_socket_options: Could not test socket option TCP_NODELAY:
Operation not supported.
print_socket_options: Could not test socket option TCP_KEEPCNT:
Operation not supported.
print_socket_options: Could not test socket option TCP_KEEPIDLE:
Operation not supported.
print_socket_options: Could not test socket option TCP_KEEPINTVL:
Operation not supported.
print_socket_options: Could not test socket option TCP_QUICKACK:
Operation not supported.
print_socket_options: Could not test socket option TCP_DEFER_ACCEPT:
Operation not supported.
print_socket_options: Could not test socket option TCP_USER_TIMEOUT:
Operation not supported.
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=1,
IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=212992,
SO_RCVBUF=212992, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0
Queueing nbt packet to 127.0.0.1:137
request: struct nbt_name_packet
name_trn_id : 0xe5b9 (58809)
operation : 0x0100 (256)
0x00: NBT_RCODE (0)
0: NBT_FLAG_BROADCAST
0: NBT_FLAG_RECURSION_AVAIL
1: NBT_FLAG_RECURSION_DESIRED
0: NBT_FLAG_TRUNCATION
0: NBT_FLAG_AUTHORITATIVE
0x00: NBT_OPCODE (0)
0: NBT_FLAG_REPLY
qdcount : 0x0001 (1)
ancount : 0x0000 (0)
nscount : 0x0000 (0)
arcount : 0x0000 (0)
questions: ARRAY(1)
questions: struct nbt_name_question
name: struct nbt_name
name : 'LINGROUP'
scope : NULL
type : NBT_NAME_SERVER (0x20)
question_type : NBT_QTYPE_NETBIOS (0x20)
question_class : NBT_QCLASS_IP (0x1)
answers: ARRAY(0)
nsrecs: ARRAY(0)
additional: ARRAY(0)
padding : DATA_BLOB length=0
Received nbt packet of length 56 from 127.0.0.1:137
packet: struct nbt_name_packet
name_trn_id : 0xe5b9 (58809)
operation : 0x8583 (34179)
0x03: NBT_RCODE (3)
0: NBT_FLAG_BROADCAST
1: NBT_FLAG_RECURSION_AVAIL
1: NBT_FLAG_RECURSION_DESIRED
0: NBT_FLAG_TRUNCATION
1: NBT_FLAG_AUTHORITATIVE
0x00: NBT_OPCODE (0)
1: NBT_FLAG_REPLY
qdcount : 0x0000 (0)
ancount : 0x0001 (1)
nscount : 0x0000 (0)
arcount : 0x0000 (0)
questions: ARRAY(0)
answers: ARRAY(1)
answers: struct nbt_res_rec
name: struct nbt_name
name : 'LINGROUP'
scope : NULL
type : NBT_NAME_SERVER (0x20)
rr_type : NBT_QTYPE_NULL (0xA)
rr_class : NBT_QCLASS_IP (0x1)
ttl : 0x00000000 (0)
rdata : union nbt_rdata(case 0xA)
data: struct nbt_rdata_data
length : 0x0000 (0)
data :
nsrecs: ARRAY(0)
additional: ARRAY(0)
padding : DATA_BLOB length=0
resolve_lmhosts: Attempting lmhosts lookup for name LINGROUP<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
such file or directory
Failed to connect host 192.168.1.190 on port 135 -
NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.1.190 (LINGROUP) on port 135 -
NT_STATUS_CONNECTION_REFUSED.
ERROR: Connecting to DNS RPC server LINGROUP failed with (3221226038,
'The transport-connection attempt was refused by the remote system.')
File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 52,
in dns_connect
dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
On 6/14/2023 1:13 PM, Mark Bannister via samba wrote:
> Continuation of this thread:
> https://www.spinics.net/lists/samba/msg179456.html
>
> I was able to get Samba working (properly I think) except my database
> cannot properly lock and unlock files.
>
> Paradox database (corel, Borland BDE) depending on SMB1 protocols.
> The database uses lock files to track database table and record
> usage. Database locks are no longer being properly released after
> updating to Samba 4.18.3 from an old version (not sure which version
> 4.x of some sort).
>
>
> # Global parameters
> [global]
> add machine script = sudo /usr/sbin/useradd -g machines -c "%u
> machine account" -d /var/lib/samba -s /bin/false %u
> add user script = /usr/sbin/adduser --quiet
> --disabled-password --gecos "" %u
> client max protocol = NT1
> client min protocol = NT1
> dns proxy = No
> domain logons = Yes
> domain master = Yes
> load printers = No
> log file = /var/log/samba/log.%m
> logon drive = H:
> logon home =
> logon path =
> logon script = logon.bat
> map to guest = Bad User
> max log size = 1000
> name resolve order = wins lmhosts host bcast
> ntlm auth = ntlmv1-permitted
> obey pam restrictions = Yes
> pam password change = Yes
> panic action = /usr/share/samba/panic-action %d
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> passwd program = /usr/bin/passwd %u
> preferred master = Yes
> server max protocol = NT1
> server min protocol = NT1
> server role = classic primary domain controller
> server string = APP Samba %v %h
> template homedir = /home/%U
> template shell = /bin/bash
> unix password sync = Yes
> username map = /usr/local/samba/etc/username.map
> wins support = Yes
> workgroup = LINGROUP
> idmap config lingroup : range = 10000-999999
> idmap config lingroup : backend = rid
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> admin users = sysadmin
> hosts allow = 127.0.0.1 192.168.1. 192.168.0.0/26
> hosts deny = 0.0.0.0/0
> use client driver = Yes
> veto oplock files =
> /*.TV/*.FAM/*.dat/*.DAT/*.db/*.DB/*.X??/*.x??/*.Y??/*.y??/*.MB/*.mb/*.VAL/*.val/*.PX/*.px/*.mdb/*.MDB/*.lck/*.LCK/*.net/*.NET/
>
>
> --
> Mark B
--
Mark
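
Added example, not part of the original post: a small triage script that reduces level-10 samba-tool output like the two runs above to the lines that report a failure, and decodes the numeric NTSTATUS in the final ERROR tuple. The names triage and decode_ntstatus are hypothetical, and SAMPLE is a constructed excerpt of lines copied from the output in this message.

```python
import re
from collections import Counter

# Constructed excerpt: lines copied from the debug output in this post,
# keeping the hard wraps the mail client introduced.
SAMPLE = """\
pm_process() returned Yes
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(ldb): uncaught exception - ldb_search: invalid basedn '(null)'
Failed to connect host 192.168.1.190 on port 135 -
NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.1.190 (LINGROUP) on port 135 -
NT_STATUS_CONNECTION_REFUSED.
ERROR: Connecting to DNS RPC server LINGROUP failed with (3221226038,
'The transport-connection attempt was refused by the remote system.')
"""

# NTSTATUS values for the two status names that appear in this post.
KNOWN = {0xC00000DA: "NT_STATUS_CANT_ACCESS_DOMAIN_INFO",
         0xC0000236: "NT_STATUS_CONNECTION_REFUSED"}
SEVERITY = ("success", "informational", "warning", "error")

def decode_ntstatus(value):
    """Split a 32-bit NTSTATUS: severity bits 31-30, facility 27-16, code 15-0."""
    return {"hex": f"0x{value:08X}", "name": KNOWN.get(value, "unknown"),
            "severity": SEVERITY[(value >> 30) & 0x3],
            "facility": (value >> 16) & 0x0FFF, "code": value & 0xFFFF}

def triage(text):
    """Reduce level-10 samba-tool output to the lines that report a failure."""
    flat = re.sub(r"\s+", " ", text)  # undo hard wraps so patterns span lines
    failures = re.findall(
        r"Failed to connect host (\S+)(?: \(\S+\))? on port (\d+)"
        r" - (NT_STATUS_[A-Z0-9_]+)", flat)
    return {
        "statuses": Counter(re.findall(r"NT_STATUS_[A-Z0-9_]+", flat)),
        "connect_failures": sorted(set(failures)),  # (host, port, status)
        "numeric": [decode_ntstatus(int(n))
                    for n in re.findall(r"failed with \((\d+),", flat)],
        "errors": [ln for ln in text.splitlines() if ln.startswith("ERROR")],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```
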