[Samba] smbclient broken after update
Peter Serbe
peter at serbe.ch
Fri Feb 14 04:37:32 MST 2014
Since a bit more than a year I run a Samba4 AD server on a Debian
testing box. During that period I did update and dist-update the
box about twice a week, and also did update and recompile Sambe,
i.e. Samba and Debian Jessie are on their latest stage. I use Bind
9.9.3 as name server, which works absolutely smooth.
But two days ago something got broken, and I am totally clueless,
what went wrong. Samba starts up without any uncommon entries in
log.samba. 1) kinit and klist look absolutely normal. 2) However
trying to access a Samba share fails with some complaints I don't
understand enough to find the root cause of all this troubles. 3)
I clearly see, that this syndrome is way to unclear, to be pinpointed
remotely. But I hope for advice on how to systematically debug the
problem.
I have installed nslcd and pam/winbind and k5start. I did rerun
the tests I did during the last reinstall in March last year, and
all these test for the auxiliary blocks seem to work. I have the
impression that something is wrong with GSSAPI calls, and I also
saw SPNEGO calls failing. But I don't have a clue on how to
debug that. Maybe someone can point me into the right direction
here. And a point to corresponding information would also be
grately appreciated. I found some references on the errors like
NT_STATUS_OBJECT_NAME_NOT_FOUND, but I was missing the context.
Maybe someone can point me in a more detailed step-by-step
approach.
Thank You in Advance!
Best regards
Peter
----------------------- attachments --------------------------
1) log.samba:
[2014/02/14 11:59:16.526562, 0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
Calling samba_kcc script
[2014/02/14 12:03:59.088334, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[2014/02/14 12:03:59.088425, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 469, in <module>
[2014/02/14 12:03:59.088465, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: d = parse_dns_line(line, sub_vars)
[2014/02/14 12:03:59.088486, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 174, in parse_dns_line
[2014/02/14 12:03:59.088527, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: return dnsobj(subline)
[2014/02/14 12:03:59.088553, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 152, in __init__
[2014/02/14 12:03:59.088579, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: raise Exception("Received unexpected DNS reply of type %s" % self.type)
[2014/02/14 12:03:59.088601, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: Exception: Received unexpected DNS reply of type TXT
[2014/02/14 12:04:16.590173, 0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
----------------------- attachments --------------------------
2) kinit, klist
root at ulysses:/etc# kinit administrator
Password for administrator at SERBE.LOCAL:
root at ulysses:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at SERBE.LOCAL
Valid starting Expires Service principal
14.02.2014 12:07:15 14.02.2014 22:07:15 krbtgt/SERBE.LOCAL at SERBE.LOCAL
renew until 15.02.2014 12:07:12
Calling samba_kcc script
----------------------- attachments --------------------------
3) smbclient //localhost/netlogon -U% -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
added interface eth0 ip=192.168.41.10 bcast=192.168.41.255 netmask=255.255.255.0
Client started (version 4.2.0pre1-GIT-0535f73).
Connecting to ::1 at port 445
session setup failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
----------------------- attachments --------------------------
smb.conf-excerpt:
[global]
workgroup = SERBE
realm = SERBE.LOCAL
netbios name = ULYSSES
server string = Ulysses
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
wins support = yes
security = user
public = no
username map = /usr/local/samba/etc/users.map
local master = yes
preferred master = yes
os level = 65
template shell = /bin/bash
passdb backend = samba4
socket options = TCP_NODELAY IPTOS_LOWDELAY
[netlogon]
path = /usr/local/samba/var/locks/sysvol/serbe.local/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[video]
path = /srv/raid/video
comment = video on raid
read only = no
inherit acls = yes
----------------------- attachments --------------------------
krb5.conf (note: it doesn't log, don't know why...):
[libdefaults]
debug = true
default_realm = SERBE.LOCAL
kdc_timesync = 1
forwardable = true
proxiable = true
forward = true
renewable = true
encrypt = true
krb4_get_tickets = false
krb4_convert = false
krb5_get_tickets = true
[realms]
SERBE.LOCAL = {
kdc = ULYSSES.SERBE.LOCAL:88
admin_server = ULYSSES.SERBE.LOCAL:749
default_domain = SERBE.LOCAL
}
[domain_realm]
.serbe.local = SERBE.LOCAL
serbe.local = SERBE.LOCAL
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/kadmin.log
[kdc]
check-ticket-addresses = false
----------------------- attachments --------------------------
nsswitch.conf:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files winbind ldap
group: files winbind ldap
shadow: files ldap
hosts: dns files ldap
networks: files ldap
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
----------------------- attachments --------------------------
transscript from the provisioning process
root at ulysses:/usr/src/samba4# /usr/local/samba/bin/samba-tool domain provision
Realm [HOME.LOCAL]: SERBE.LOCAL
Domain [SERBE]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=serbe,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=serbe,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Unable to find group id for BIND,
set permissions to sam.ldb* files manually
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: ulysses
NetBIOS Domain: SERBE
DNS Domain: serbe.local
DOMAIN SID: S-1-5-21-**********-**********-**********
More information about the samba
mailing list