[Samba] smbclient broken after update

Rowland Penny rowlandpenny at googlemail.com
Fri Feb 14 05:29:29 MST 2014


On 14/02/14 11:37, Peter Serbe wrote:
> Since a bit more than a year I run a Samba4 AD server on a Debian
> testing box. During that period I did update and dist-update the
> box about twice a week, and also did update and recompile Samba,
> i.e. Samba and Debian Jessie are on their latest stage. I use Bind
> 9.9.3 as name server, which works absolutely smooth.
>
> But two days ago something got broken, and I am totally clueless,
> what went wrong. Samba starts up without any uncommon entries in
> log.samba. 1) kinit and klist look absolutely normal. 2) However
> trying to access a Samba share fails with some complaints I don't
> understand enough to find the root cause of all these troubles. 3)
>
> I clearly see that this syndrome is way too unclear to be pinpointed
> remotely. But I hope for advice on how to systematically debug the
> problem.
>
> I have installed nslcd and pam/winbind and k5start. I did rerun
> the tests I did during the last reinstall in March last year, and
> all these tests for the auxiliary blocks seem to work. I have the
> impression that something is wrong with GSSAPI calls, and I also
> saw SPNEGO calls failing. But I don't have a clue on how to
> debug that. Maybe someone can point me into the right direction
> here. And a point to corresponding information would also be
> greatly appreciated. I found some references on the errors like
> NT_STATUS_OBJECT_NAME_NOT_FOUND, but I was missing the context.
> Maybe someone can point me in a more detailed step-by-step
> approach.
>
> Thank You in Advance!
>
> Best regards
> Peter
>
>
> ----------------------- attachments --------------------------
>
> 1) log.samba:
> [2014/02/14 11:59:16.526562,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>    Calling samba_kcc script
> [2014/02/14 12:03:59.088334,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
> [2014/02/14 12:03:59.088425,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 469, in <module>
> [2014/02/14 12:03:59.088465,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate:     d = parse_dns_line(line, sub_vars)
> [2014/02/14 12:03:59.088486,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 174, in parse_dns_line
> [2014/02/14 12:03:59.088527,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate:     return dnsobj(subline)
> [2014/02/14 12:03:59.088553,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 152, in __init__
> [2014/02/14 12:03:59.088579,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate:     raise Exception("Received unexpected DNS reply of type %s" % self.type)
> [2014/02/14 12:03:59.088601,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate: Exception: Received unexpected DNS reply of type TXT
> [2014/02/14 12:04:16.590173,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>
Seems like a dns problem ???

> ----------------------- attachments --------------------------
>
> 2) kinit, klist
> root at ulysses:/etc# kinit administrator
> Password for administrator at SERBE.LOCAL:
> root at ulysses:/etc# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at SERBE.LOCAL
>
> Valid starting       Expires              Service principal
> 14.02.2014 12:07:15  14.02.2014 22:07:15  krbtgt/SERBE.LOCAL at SERBE.LOCAL
>          renew until 15.02.2014 12:07:12
>
>    Calling samba_kcc script
>
>
> ----------------------- attachments --------------------------
>
> 3) smbclient //localhost/netlogon -U% -d3
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
> Processing section "[global]"
> added interface eth0 ip=192.168.41.10 bcast=192.168.41.255 netmask=255.255.255.0
> Client started (version 4.2.0pre1-GIT-0535f73).
> Connecting to ::1 at port 445
> session setup failed: NT_STATUS_OBJECT_NAME_NOT_FOUND

If I run your command I get:
Connecting to 127.0.0.1 at port 445
Domain=[HOME] OS=[Unix] Server=[Samba 4.1.4]
tree connect failed: NT_STATUS_ACCESS_DENIED

Yours seems to be trying to connect via ipv6 only.

>
>
> ----------------------- attachments --------------------------
>
> smb.conf-excerpt:
> [global]
>          workgroup = SERBE
>          realm = SERBE.LOCAL
>          netbios name = ULYSSES
>          server string = Ulysses
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>          wins support = yes
>          security = user
>          public = no
>          username map = /usr/local/samba/etc/users.map
>          local master = yes
>          preferred master = yes
>          os level = 65
>          template shell = /bin/bash
>          passdb backend = samba4
>          socket options = TCP_NODELAY IPTOS_LOWDELAY
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/serbe.local/scripts
>          read only = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
>
> [video]
>         path = /srv/raid/video
>         comment = video on raid
>         read only = no
>         inherit acls = yes

Remove these lines, I am sure that you do not need them:
         server string = Ulysses
         wins support = yes
         security = user
         public = no
         username map = /usr/local/samba/etc/users.map
         local master = yes
         preferred master = yes
         os level = 65
         socket options = TCP_NODELAY IPTOS_LOWDELAY

>
> ----------------------- attachments --------------------------
>
> krb5.conf (note: it doesn't log, don't know why...):
> [libdefaults]
>      debug = true
>          default_realm = SERBE.LOCAL
>          kdc_timesync = 1
>          forwardable = true
>          proxiable = true
>          forward = true
>          renewable = true
>          encrypt = true
>          krb4_get_tickets = false
>          krb4_convert = false
>          krb5_get_tickets = true
>
> [realms]
>          SERBE.LOCAL = {
>                  kdc = ULYSSES.SERBE.LOCAL:88
>                  admin_server = ULYSSES.SERBE.LOCAL:749
>                  default_domain = SERBE.LOCAL
>          }
>
> [domain_realm]
>          .serbe.local = SERBE.LOCAL
>          serbe.local = SERBE.LOCAL
>
> [logging]
>          kdc = FILE:/var/log/kdc.log
>          admin_server = FILE:/var/log/kadmin.log
>          default = FILE:/var/log/kadmin.log
>
> [kdc]
> check-ticket-addresses = false
>
krb5.conf only needs to contain this:

[libdefaults]
         dns_lookup_realm = true
         dns_lookup_kdc = true
         default_realm = SERBE.LOCAL

> ----------------------- attachments --------------------------
>
> nsswitch.conf:
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files winbind ldap
> group:          files winbind ldap
> shadow:         files ldap
>
> hosts:          dns files ldap
> networks:       files ldap
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
Remove all references to ldap; you are not running an LDAP server.

The only other thing that I would suggest is to not run the master 
branch of samba4; this is where the development is happening. You would 
probably be better off using the latest tarball (4.1.4 at present) or, 
seeing as how you are using Jessie, just 'apt-get install samba'.

Rowland
> ----------------------- attachments --------------------------
>
> transcript from the provisioning process
> root at ulysses:/usr/src/samba4# /usr/local/samba/bin/samba-tool domain provision
> Realm [HOME.LOCAL]: SERBE.LOCAL
>   Domain [SERBE]:
>   Server Role (dc, member, standalone) [dc]:
>   DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
> Administrator password:
> Retype password:
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=serbe,DC=local
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=serbe,DC=local
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones and ForestDnsZones partitions
> Unable to find group id for BIND,
>                  set permissions to sam.ldb* files manually
> See /usr/local/samba/private/named.conf for an example configuration include file for BIND
> and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
> Once the above files are installed, your Samba4 server will be ready to use
> Server Role:           active directory domain controller
> Hostname:              ulysses
> NetBIOS Domain:        SERBE
> DNS Domain:            serbe.local
> DOMAIN SID:            S-1-5-21-**********-**********-**********
>
>
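
Added example (not part of the original mail and not Samba's own code): a small Python helper for the two symptoms discussed above. It rejoins the samba_dnsupdate traceback that log.samba splits into one record per line, and reports which address family smbclient dialled and at which stage it failed. The function names are hypothetical; the sample input is taken, shortened, from the attachments quoted in the post.

```python
import ipaddress
import re

# Record header, e.g. "[2014/02/14 12:03:59.088334,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)"
HEADER = re.compile(r"^\[[\d/]+ [\d:.]+,\s*\d+\] \S+:\d+\((\w+)\)$")

def child_stderr(log_text):
    """Rejoin helper-script stderr that samba logs as one record per line."""
    scripts, func = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            func = m.group(1)          # function that wrote the next body line
        elif line and func == "samba_runcmd_io_handler":
            # Body is "<script path>: <one line of the child's stderr>"
            script, _, text = line.partition(": ")
            scripts.setdefault(script, []).append(text)
    return scripts

def smbclient_summary(debug_text):
    """Report which address smbclient dialled and at which stage it failed."""
    conn = re.search(r"^Connecting to (\S+) at port (\d+)", debug_text, re.M)
    fail = re.search(r"^(session setup|tree connect) failed: (NT_STATUS_\w+)", debug_text, re.M)
    family = None
    if conn:
        try:
            family = "IPv%d" % ipaddress.ip_address(conn.group(1)).version
        except ValueError:
            family = "name"            # a host name was printed, not an address
    return {"address": conn.group(1) if conn else None, "family": family,
            "stage": fail.group(1) if fail else None, "status": fail.group(2) if fail else None}

# Sample input: lines taken from the attachments quoted in the post (shortened).
LOG = """\
[2014/02/14 11:59:16.526562,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
  Calling samba_kcc script
[2014/02/14 12:03:59.088334,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[2014/02/14 12:03:59.088601,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: Exception: Received unexpected DNS reply of type TXT
"""
SMBCLIENT = """\
Connecting to ::1 at port 445
session setup failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
"""

if __name__ == "__main__":
    print(child_stderr(LOG), smbclient_summary(SMBCLIENT))
```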


