[Samba] smbclient broken after update

Peter Serbe peter at serbe.ch
Fri Feb 14 04:37:32 MST 2014

Since a bit more than a year I run a Samba4 AD server on a Debian 
testing box. During that period I did update and dist-update the 
box about twice a week, and also did update and recompile Sambe, 
i.e. Samba and Debian Jessie are on their latest stage. I use Bind 
9.9.3 as name server, which works absolutely smooth. 

But two days ago something got broken, and I am totally clueless, 
what went wrong. Samba starts up without any uncommon entries in 
log.samba. 1) kinit and klist look absolutely normal. 2) However 
trying to access a Samba share fails with some complaints I don't
understand enough to find the root cause of all this troubles. 3)

I clearly see, that this syndrome is way to unclear, to be pinpointed 
remotely. But I hope for advice on how to systematically debug the 

I have installed nslcd and pam/winbind and k5start. I did rerun 
the tests I did during the last reinstall in March last year, and 
all these test for the auxiliary blocks seem to work. I have the 
impression that something is wrong with GSSAPI calls, and I also 
saw SPNEGO calls failing. But I don't have a clue on how to 
debug that. Maybe someone can point me into the right direction 
here. And a point to corresponding information would also be 
grately appreciated. I found some references on the errors like 
NT_STATUS_OBJECT_NAME_NOT_FOUND, but I was missing the context. 
Maybe someone can point me in a more detailed step-by-step 

Thank You in Advance!

Best regards

----------------------- attachments --------------------------

1) log.samba: 
[2014/02/14 11:59:16.526562,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
  Calling samba_kcc script
[2014/02/14 12:03:59.088334,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[2014/02/14 12:03:59.088425,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 469, in <module>
[2014/02/14 12:03:59.088465,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:     d = parse_dns_line(line, sub_vars)
[2014/02/14 12:03:59.088486,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 174, in parse_dns_line
[2014/02/14 12:03:59.088527,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:     return dnsobj(subline)
[2014/02/14 12:03:59.088553,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 152, in __init__
[2014/02/14 12:03:59.088579,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:     raise Exception("Received unexpected DNS reply of type %s" % self.type)
[2014/02/14 12:03:59.088601,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: Exception: Received unexpected DNS reply of type TXT
[2014/02/14 12:04:16.590173,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)

----------------------- attachments --------------------------

2) kinit, klist
root at ulysses:/etc# kinit administrator
Password for administrator at SERBE.LOCAL:
root at ulysses:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at SERBE.LOCAL

Valid starting       Expires              Service principal
14.02.2014 12:07:15  14.02.2014 22:07:15  krbtgt/SERBE.LOCAL at SERBE.LOCAL
        renew until 15.02.2014 12:07:12

  Calling samba_kcc script

----------------------- attachments --------------------------

3) smbclient //localhost/netlogon -U% -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
added interface eth0 ip= bcast= netmask=
Client started (version 4.2.0pre1-GIT-0535f73).
Connecting to ::1 at port 445
session setup failed: NT_STATUS_OBJECT_NAME_NOT_FOUND

----------------------- attachments --------------------------

        workgroup = SERBE
        realm = SERBE.LOCAL
        netbios name = ULYSSES
        server string = Ulysses
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        wins support = yes
        security = user
        public = no
        username map = /usr/local/samba/etc/users.map
        local master = yes
        preferred master = yes
        os level = 65
        template shell = /bin/bash
        passdb backend = samba4
        socket options = TCP_NODELAY IPTOS_LOWDELAY

        path = /usr/local/samba/var/locks/sysvol/serbe.local/scripts
        read only = No

        path = /usr/local/samba/var/locks/sysvol
        read only = No

       path = /srv/raid/video
       comment = video on raid
       read only = no
       inherit acls = yes

----------------------- attachments --------------------------

krb5.conf (note: it doesn't log, don't know why...):
    debug = true
        default_realm = SERBE.LOCAL
        kdc_timesync = 1
        forwardable = true
        proxiable = true
        forward = true
        renewable = true
        encrypt = true
        krb4_get_tickets = false
        krb4_convert = false
        krb5_get_tickets = true

        SERBE.LOCAL = {
                kdc = ULYSSES.SERBE.LOCAL:88
                admin_server = ULYSSES.SERBE.LOCAL:749
                default_domain = SERBE.LOCAL

        .serbe.local = SERBE.LOCAL
        serbe.local = SERBE.LOCAL

        kdc = FILE:/var/log/kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/kadmin.log

check-ticket-addresses = false

----------------------- attachments --------------------------

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind ldap
group:          files winbind ldap
shadow:         files ldap

hosts:          dns files ldap
networks:       files ldap

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

----------------------- attachments --------------------------

transscript from the provisioning process
root at ulysses:/usr/src/samba4# /usr/local/samba/bin/samba-tool domain provision
 Domain [SERBE]:
 Server Role (dc, member, standalone) [dc]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=serbe,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=serbe,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Unable to find group id for BIND,
                set permissions to sam.ldb* files manually
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              ulysses
NetBIOS Domain:        SERBE
DNS Domain:            serbe.local
DOMAIN SID:            S-1-5-21-**********-**********-**********

More information about the samba mailing list