[Samba] Unable to contact RPC server on a new DC
Rowland Penny
rpenny at samba.org
Tue Nov 7 17:51:17 UTC 2023
On Tue, 7 Nov 2023 20:00:40 +0300
Andrey Repin via samba <samba at lists.samba.org> wrote:
> Greetings, Rowland Penny via samba!
>
> > OK, I give in, why have 4 emails from Andrey Repin, that were
> > apparently sent in May & June of this year, just appeared in my mail
> > client ?
>
> Don't worry, your sanity is not affected. My mail provider had changed
> submission policy without a sufficient notification, causing my
> transit mail server to block mail queue since last August.
>
> Anyway, here's some news on the subject: Routine server upgrade
> uncovered an IP address conflict in the local network.
>
> Turned out, when I was setting up DC2, I did not add its address to
> the infrastructure DNS zone.
> When I was setting up a new infra server for tests a short while
> later, I checked the infra zone and picked the next free address…
> which, unsurprisingly, was the same as the DC2 one.
> Having solved this, I get a stable "Domain join OK" on every domain
> member, but still unable to authenticate the users using winbind.
>
> Domain controller logs (notable parts) are following:
>
> log.samba:
>
> [2023/11/07 18:56:05.882689, 1]
> ../../source4/nbt_server/register.c:165(nbtd_register_name_handler)
> Error registering DARKDRAGON<1b> with 192.168.1.19 on interface
> 192.168.1.255 - NT_STATUS_CONFLICTING_ADDRESSES [2023/11/07
> 18:56:20.887545, 1]
> ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
> Doing a full scan on DC=ForestDnsZones,DC=ads,DC=darkdragon,DC=lan
> and looking for deleted objects [2023/11/07 18:56:20.890975, 1]
> ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
> Doing a full scan on DC=DomainDnsZones,DC=ads,DC=darkdragon,DC=lan
> and looking for deleted objects [2023/11/07 18:56:21.039408, 1]
> ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
> Doing a full scan on DC=ads,DC=darkdragon,DC=lan and looking for
> deleted objects [2023/11/07 18:56:21.098762, 1]
> ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
> Doing a full scan on CN=Configuration,DC=ads,DC=darkdragon,DC=lan and
> looking for deleted objects [2023/11/07 18:56:25.913081, 0]
> ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
> dnsupdate_nameupdate_done: Failed DNS update with exit code 110
>
> log.smbd: lots of messages like these right from the start:
>
> [2023/11/07 18:56:08.211331, 1]
> ../../source3/printing/printer_list.c:255(printer_list_get_last_refresh)
> Failed to fetch record! [2023/11/07 18:56:11.590717, 0]
> ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
> Unable to convert first SID
> (S-1-5-21-2269650170-3990761244-2407083512-1124) in user token to a
> UID. Conversion was returned as type 0, full token: [2023/11/07
> 18:56:11.590888, 0]
> ../../libcli/security/security_token.c:51(security_token_debug)
> Security token SIDs (8): SID[ 0]:
> S-1-5-21-2269650170-3990761244-2407083512-1124 SID[ 1]:
> S-1-5-21-2269650170-3990761244-2407083512-515 SID[ 2]: S-1-1-0 SID[
> 3]: S-1-5-2 SID[ 4]: S-1-5-11 SID[ 5]: S-1-5-64-10 SID[ 6]:
> S-1-5-32-554 SID[ 7]: S-1-5-32-545
> Privileges (0x 800000):
> Privilege[ 0]: SeChangeNotifyPrivilege
> Rights (0x 400):
> Right[ 0]: SeRemoteInteractiveLogonRight
>
> [2023/11/07 18:56:29.811430, 0]
> ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
> Unable to convert first SID
> (S-1-5-21-2269650170-3990761244-2407083512-1117) in user token to a
> UID. Conversion was returned as type 0, full token: [2023/11/07
> 18:56:29.812183, 0]
> ../../libcli/security/security_token.c:51(security_token_debug)
> Security token SIDs (8): SID[ 0]:
> S-1-5-21-2269650170-3990761244-2407083512-1117 SID[ 1]:
> S-1-5-21-2269650170-3990761244-2407083512-515 SID[ 2]: S-1-1-0 SID[
> 3]: S-1-5-2 SID[ 4]: S-1-5-11 SID[ 5]: S-1-5-64-10 SID[ 6]:
> S-1-5-32-554 SID[ 7]: S-1-5-32-545
> Privileges (0x 800000):
> Privilege[ 0]: SeChangeNotifyPrivilege
> Rights (0x 400):
> Right[ 0]: SeRemoteInteractiveLogonRight
> [2023/11/07 18:56:30.307255, 0]
> ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
> Unable to convert first SID
> (S-1-5-21-2269650170-3990761244-2407083512-1106) in user token to a
> UID. Conversion was returned as type 0, full token: [2023/11/07
> 18:56:30.308127, 0]
> ../../libcli/security/security_token.c:51(security_token_debug)
> Security token SIDs (8): SID[ 0]:
> S-1-5-21-2269650170-3990761244-2407083512-1106 SID[ 1]:
> S-1-5-21-2269650170-3990761244-2407083512-515 SID[ 2]: S-1-1-0 SID[
> 3]: S-1-5-2 SID[ 4]: S-1-5-11 SID[ 5]: S-1-5-64-10 SID[ 6]:
> S-1-5-32-554 SID[ 7]: S-1-5-32-545
> Privileges (0x 800000):
> Privilege[ 0]: SeChangeNotifyPrivilege
> Rights (0x 400):
> Right[ 0]: SeRemoteInteractiveLogonRight
>
> AD DC configuration:
>
> # Global parameters
> [global]
> auto services = homes
> client ldap sasl wrapping = sign
> dns forwarder = 192.168.1.12
> dos charset = CP866
> logging = systemd
> log level = 1
> netbios name = DC2
> panic action = /usr/share/samba/panic-action %d
> printcap name = /dev/null
> realm = ADS.DARKDRAGON.LAN
> server role = active directory domain controller
> template homedir = /home/%U
> template shell = /bin/bash
> tls enabled = Yes
> tls priority = NORMAL:-VERS-SSL3.0:+VERS-TLS-ALL
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = DARKDRAGON
> idmap config darkdragon : unix_nss_info = yes
> idmap config darkdragon : unix_primary_group = yes
> idmap config darkdragon : range = 2048-131071
> idmap config darkdragon : schema_mode = rfc2307
> idmap config darkdragon : backend = ad
> idmap config * : range = 1024-2047
> idmap config * : schema_mode = rfc2307
> idmap config * : backend = tdb
> idmap_ldb : use rfc2307 = Yes
> map acl inherit = Yes
> store dos attributes = Yes
> vfs objects = dfs_samba4 acl_xattr
I would remove these from the DC smb.conf, they are either defauts, not required or flat out doing nothing on a DC:
auto services = homes
client ldap sasl wrapping = sign
tls enabled = Yes
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind use default domain = Yes
idmap config darkdragon : unix_nss_info = yes
idmap config darkdragon : unix_primary_group = yes
idmap config darkdragon : range = 2048-131071
idmap config darkdragon : schema_mode = rfc2307
idmap config darkdragon : backend = ad
idmap config * : range = 1024-2047
idmap config * : schema_mode = rfc2307
idmap config * : backend = tdb
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr
>
> [netlogon]
> comment = Network Logon Service
> csc policy = disable
> path = /var/lib/samba/sysvol/ads.darkdragon.lan/scripts
> read only = No
>
> [sysvol]
> comment = Domain System Volume
> csc policy = disable
> path = /var/lib/samba/sysvol
> read only = No
>
>
> Member server:
> # Global parameters
> [global]
> dos charset = CP866
> workgroup = DARKDRAGON
> realm = ADS.DARKDRAGON.LAN
> netbios name = DAEMON1
> interfaces = lo mac0
> bind interfaces only = Yes
> security = ADS
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> log level = 1
> server min protocol = NT1
> min protocol = NT1
> client min protocol = NT1
> client ldap sasl wrapping = sign
> printcap name = /dev/null
> preferred master = Yes
> local master = Yes
> domain master = Yes
> browse list = Yes
> wins server = 127.0.0.1
> wins support = Yes
> preload = homes
> auto services = homes
> panic action = /usr/share/samba/panic-action %d
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind offline logon = Yes
> client ipc min protocol = NT1
> idmap config darkdragon : unix_nss_info = yes
> idmap config darkdragon : unix_primary_group = yes
> idmap config darkdragon : range = 2048-131071
> idmap config darkdragon : schema_mode = rfc2307
> idmap config darkdragon : backend = ad
> idmap config * : range = 1024-2047
> idmap config * : backend = tdb
> map acl inherit = Yes
> store dos attributes = Yes
> vfs objects = acl_xattr
>
> [netlogon]
> comment = Network Logon Service
> path = /home/.samba/netlogon
> read only = No
> csc policy = disable
>
> [homes]
> comment = Home Directory
> path = /home/%S
> valid users = %S
> read only = No
> browseable = No
> csc policy = disable
> follow symlinks = No
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
> csc policy = disable
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
>
> [arc]
> comment = Software archive
> path = /srv/arc
> read only = No
> browseable = No
> csc policy = disable
Andrey, sorry but words fail me about that Unix domain member smb.conf,
it appears to be most of an NT4-style BDC grafted onto the smb.conf for
an AD domain member. most (if not all) of the NT4-style parameters
should be removed, they aren't really doing anything anyway, the DC
isn't doing SMBv1 and they rely on it.
Rowland
More information about the samba
mailing list