Samba 4 testing report (using Debian packages) - failure

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Wed Jul 4 06:31:02 MDT 2012


Don't know if reports about experiences are still wanted now that Samba
4 is in beta, but I've decided to submit one anyway.

I decided to try to install Samba 4 using the Debian packages included
in Debian testing (Wheezy). The test DC actually runs stable (Squeeze),
but Samba 4 is from Wheezy. The problems I've observed may be due to
those packages, so I understand if this information is seen as
having little value for the Samba team. Having said that, I'm naturally
grateful for any information that could help me resolve the problems I've
observed.

This is a production setup. No need to remind me that this is risky; I'm
quite aware of it. My immediate goal is just to add another DC to enable
authentication services during unavailability of our Windows DC, without
installing new windows DCs. Long-term goal is to also replace the
Windows DC and entirely avoid upgrading to Win 2008 (or newer).

About the domain: it has only one DC, which is Win 2003 R2. It currently
has two member servers, one of which is running the Samba shipped with
Debian Squeeze (3.5.6); I've been using that member as part of my tests.
Currently has a full two-way external trust with another one-DC Win 2003
domain (non-R2), for purposes of migrating the accounts in that domain
to our domain, but I assume that this shouldn't have any effects within
our domain. Functional level is Windows 2000 native.

Any real domain names / machine names / IP addresses have been sanitised.

Installed packages:

root@samba4dc:~# aptitude search "(samba|winbind|wb)" |grep ^i
i   libsamba-credentials0           - Samba Credentials management library
i   libsamba-hostconfig0            - Samba host configuration library
i   libsamba-policy0                - Samba policy management
i   libsamba-util0                  - Samba utility function library
i   libwbclient0                    - Samba winbind client library
i   python-samba                    - Python bindings for Samba
i   samba-common                    - common files used by both the Samba server
i   samba-dsdb-modules              - Samba Directory Services Database
i   samba4                          - SMB/CIFS file, NT domain and active direct
i   samba4-clients                  - client utilities from Samba 4
i   samba4-common-bin               - Samba 4 common files used by both the serv
i   winbind4                        - service to resolve user and group informat

root@samba4dc:~# samba --version
samba: /usr/lib/x86_64-linux-gnu/libwbclient.so.0: no version information available (required by /usr/lib/x86_64-linux-gnu/samba/libauth4.so)
Version 4.0.0beta2

Note that while I'm aware that beta3 has just been released, the Debian
packages were not yet available; hence beta2.

Joined the domain successfully; no errors here:

samba-tool domain join mydomain.site DC -Uadministrator@MYDOMAIN.SITE --realm=MYDOMAIN.SITE

"samba-tool drs showrepl" failed on 1st attempt:

Failed to connect host 10.10.X.X on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 10.10.X.X (samba4dc.mydomain.site) on port 135 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to samba4dc.mydomain.site failed - drsException: DRS connection to samba4dc.mydomain.site failed: (-1073741258, 'The connection was refused')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))

It did, however, seem to work flawlessly after samba4 restart:

root@samba4dc:~# samba-tool drs showrepl
Default-First-Site-Name\SAMBA4DC
DSA Options: 0x00000001
DSA object GUID: 32e362d0-bcee-427f-ac58-11839e8bafe6
DSA invocationId: e06272cb-102c-4280-840b-209c30514715

==== INBOUND NEIGHBORS ====

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

RFC2307 information doesn't seem to get replicated successfully. Real AD
user info polled from samba 3 member (UID 10000 is "Domain Users" group):

root@samba3member:~# getent passwd MyDOMAIN\\loginname
loginname:*:10059:10000:Samba User:/home/loginname:/bin/bash

User info polled from the same AD user as seen by the Samba 4 DC is all
wrong:

root@samba4dc:/lib# getent passwd loginname
MYDOMAIN\loginname:*:3000056:100:Samba User:/home/MYDOMAIN/loginname:/bin/false

Winbind doesn't work:

root@samba4dc:/lib# wbinfo -p -v
wbinfo: /usr/lib/x86_64-linux-gnu/libwbclient.so.0: no version information available (required by wbinfo)
Ping to winbindd failed
could not ping winbindd!

nsstest required creating the following symlink to work:

root@samba4dc:/lib# ln -s libnss_winbind.so.2 libnss_winbind.so

DNS records did get created successfully (BIND 9.7.3 in a separate box,
has been running with this AD quite a while, GSS-TSIG updates work), but
demoting Samba 4 DC back to member server didn't clean them up (which
made retrying this a little PITA, as BIND's zonefile had to be manually
cleared up first).

Some of the errors encountered in log.samba:

[2012/07/03 20:35:39,  0] ../source4/smbd/server.c:366(binary_smbd_main)
  samba version 4.0.0beta2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2012
[2012/07/03 20:35:39,  0] ../source4/smbd/server.c:461(binary_smbd_main)
  samba: using 'standard' process model
[2012/07/03 20:35:39,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/smbd: Failed to exec child - No such file or directory
[2012/07/03 20:35:39,  0] ../file_server/file_server.c:98(file_server_smbd_done)
  file_server smbd daemon exited normally

I believe missing smbd has already been filed as a Debian bug
bugs.debian.org/cgi-bin/bugreport.cgi?bug=679678 , although I'm not
completely certain. Don't know if this is also behind my winbind
problems, or the SPN problems (see below).

Some problems with samba_spnupdate:

[2012/07/03 20:35:40,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/samba_spnupdate: Traceback (most recent call last):
[2012/07/03 20:35:40,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/samba_spnupdate:   File "/usr/sbin/samba_spnupdate", line 133, in <module>
[2012/07/03 20:35:40,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/samba_spnupdate:     for e in res[0]["msDS-hasMasterNCs"]:
[2012/07/03 20:35:40,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/samba_spnupdate: KeyError: 'No such element'

At the same time with these errors, the Win2003R2 DC logged the
following event with ID 1411:

Active Directory failed to construct a mutual authentication service
principal name (SPN) for the following domain controller.

Domain controller:
35a8e35d-2a28-4e20-8bb6-ece963ca0ae5._msdcs.mydomain.site

The call was denied. Communication with this domain controller might be
affected.

Additional Data
Error value:
8589 The DS cannot derive a service principal name (SPN) with which to
mutually authenticate the target server because the corresponding server
object in the local DS database has no serverReference attribute.

These spnupdate errors were repeated every ten minutes or so.

Some problems with NTLMSSP checks:

[2012/07/03 20:57:16,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/07/03 20:57:16,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!

I shut down the Win2003R2 DC to test whether Samba 3 member can find the
users via Samba 4 DC (by getent passwd [account]), if Win2003R2 DC isn't
available. It can, but with erroneous RFC2307 info (see above). During
this test I got the NTLMSSP packet check failures above.

I've actually tried joining the domain two times (purging all changed
configuration in between), both times with similar results. I've since
demoted and disjoined the Samba 4 DC, since due to RFC2307 attributes
not replicating properly, winbind not working, and netlogon & sysvol
shares not working, I didn't dare to leave it running.


Pekka L.J. Jalkanen
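
Added example (not part of the original message, and not Samba project code): a Python parser for the log.samba entry format quoted in the report above, which groups each header with its message lines and counts the three failure signatures the report mentions. The signature labels are hypothetical names chosen here; the sample entries are copied from the excerpts in the message, and the parser also accepts a source location wrapped onto the line after the header.

```python
import re
from collections import Counter

# Entry header "[date time,  level] file.c:line(func)"; the location may wrap to the next line.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")

# Hypothetical labels for the failure signatures quoted in the report.
SIGNATURES = {
    "smbd_missing": re.compile(r"/usr/sbin/smbd: Failed to exec child"),
    "spnupdate_crash": re.compile(r"samba_spnupdate: \w*Error\b"),
    "ntlmssp_bad_signature": re.compile(r"NTLMSSP .* invalid signature"),
}

# Sample input: entries copied from the log.samba excerpts in the message.
SAMPLE = """\
[2012/07/03 20:35:39,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/smbd: Failed to exec child - No such file or directory
[2012/07/03 20:35:40,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/samba_spnupdate: KeyError: 'No such element'
[2012/07/03 20:57:16,  0]
../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
"""

def parse_entries(text):
    """Group each header with its source location and message lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "where": m.group(3), "message": []})
        elif entries and not entries[-1]["where"] and not line.startswith(" "):
            entries[-1]["where"] = line.strip()  # wrapped source location
        elif entries and line.strip():
            entries[-1]["message"].append(line.strip())
    return entries

def classify(entries):
    """Count entries whose message matches a known failure signature."""
    hits = Counter()
    for e in entries:
        body = " ".join(e["message"])
        hits.update(name for name, rx in SIGNATURES.items() if rx.search(body))
    return hits

if __name__ == "__main__":
    print(dict(classify(parse_entries(SAMPLE))))
```
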

