[Samba] Winbind logins failing after upgrade from Samba 3 to Samba 4
Jonathan Heese
jheese at inetu.net
Mon Mar 24 09:21:18 MDT 2014
Hello,
I have a RHEL 6.5 server that was configured to use Samba 3.6.9-167 to authenticate against a Windows 2008 R2 Active Directory domain. The authentication was working fine, but we needed users to log in to this RHEL box with their AD credentials and then access files stored on a Windows file server CIFS share globally mounted on the RHEL box. As such, we added the "cifsacl" option to the mount options, but we're finding the Windows ACL <-> UNIX ACL support to be quite lacking.
I've read that the Samba4 client does a much better job of respecting Windows NTFS ACLs, so I took a snapshot of the server (just in case), removed the samba3 packages and installed the samba4 ones (4.0.0-60). I didn't truly expect my Samba 3-compliant smb.conf to work in Samba4, but I've looked over it line by line and haven't found anything that's not documented in the Samba4 smb.conf man page.
First, here's my smb.conf:
[global]
security = ads
realm = domain.local
workgroup = DOMAIN
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
client NTLMv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
log level = 100
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000 - 49999
When attempting to authenticate to the domain, I get the following error:
[root@server:/root]# wbinfo -a user%password --verbose
plaintext password authentication failed
Could not authenticate user user%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user user with challenge/response
I get a very similar error in /var/log/secure when attempting to log in via SSH:
Mar 24 10:58:26 server sshd[17398]: Set /proc/self/oom_score_adj to -1000
Mar 24 10:58:26 server sshd[17398]: Connection from 172.25.1.11 port 64484
Mar 24 10:58:26 server sshd[17398]: Invalid user DOMAIN\\user from 172.25.1.11
Mar 24 10:58:26 server sshd[17399]: input_userauth_request: invalid user DOMAIN\\user
Mar 24 10:58:26 server sshd[17398]: pam_unix(sshd:auth): check pass; user unknown
Mar 24 10:58:26 server sshd[17398]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.25.1.11
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): getting password (0x00000010)
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): pam_get_item returned a password
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon servers
Mar 24 10:58:26 server sshd[17398]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'DOMAIN\user')
Mar 24 10:58:26 server sshd[17398]: pam_succeed_if(sshd:auth): error retrieving information about user DOMAIN\user
Mar 24 10:58:28 server sshd[17398]: Failed password for invalid user DOMAIN\\user from 172.25.1.11 port 64484 ssh2
Mar 24 10:58:30 server sshd[17399]: Received disconnect from 172.25.1.11: 13: The user canceled authentication.
I enabled "log level = 100" in my smb.conf and 'tail -f'ed /var/log/samba/* during a login attempt, stripping out the timestamp lines, and saw the following:
==> log.winbindd <==
accepted socket 19
process_request: request fn INTERFACE_VERSION
s3_event: Schedule immediate event "tevent_queue_immediate_trigger": 0x130f9b0
s3_event: Run immediate event "tevent_queue_immediate_trigger": 0x130f9b0
process_request: request fn WINBINDD_PRIV_PIPE_DIR
s3_event: Schedule immediate event "tevent_queue_immediate_trigger": 0x130f9b0
s3_event: Run immediate event "tevent_queue_immediate_trigger": 0x130f9b0
accepted socket 21
closing socket 19, client exited
process_request: Handling async request 16207:PAM_AUTH
s3_event: Schedule immediate event "tevent_queue_immediate_trigger": 0x1312060
s3_event: Run immediate event "tevent_queue_immediate_trigger": 0x1312060
s3_event: Added timed event "tevent_req_timedout": 0x13163c0
==> log.wb-DOMAIN <==
child daemon request 13
child_process_request: request fn PAM_AUTH
winbindd_dual_pam_auth: domain: DOMAIN offline and auth request in startup mode.
Searching cache keys with pattern NEG_CONN_CACHE/DOMAIN,*
Calling function with arguments (key=NEG_CONN_CACHE/DOMAIN,DOMAINCONTROLLER1.DOMAIN.local, timeout=Mon Mar 24 10:33:08 2014
)
Calling function with arguments (key = NEG_CONN_CACHE/DOMAIN,DOMAINCONTROLLER1.DOMAIN.local, value = c0000030, timeout = Mon Mar 24 10:33:08 2014
)
Deleting cache entry (key = NEG_CONN_CACHE/DOMAIN,DOMAINCONTROLLER1.DOMAIN.local)
Adding cache entry with key = NEG_CONN_CACHE/DOMAIN,DOMAINCONTROLLER1.DOMAIN.local and timeout = Wed Dec 31 19:00:00 1969
(-1395671532 seconds in the past)
flush_negative_conn_cache_for_domain: flushed domain DOMAIN
Searching cache keys with pattern NEG_CONN_CACHE/DOMAIN.LOCAL,*
Calling function with arguments (key=NEG_CONN_CACHE/DOMAIN.LOCAL,DOMAINCONTROLLER1.DOMAIN.local, timeout=Mon Mar 24 10:33:08 2014
)
Calling function with arguments (key = NEG_CONN_CACHE/DOMAIN.LOCAL,DOMAINCONTROLLER1.DOMAIN.local, value = c0000030, timeout = Mon Mar 24 10:33:08 2014
)
Deleting cache entry (key = NEG_CONN_CACHE/DOMAIN.LOCAL,DOMAINCONTROLLER1.DOMAIN.local)
Adding cache entry with key = NEG_CONN_CACHE/DOMAIN.LOCAL,DOMAINCONTROLLER1.DOMAIN.local and timeout = Wed Dec 31 19:00:00 1969
(-1395671532 seconds in the past)
flush_negative_conn_cache_for_domain: flushed domain DOMAIN.LOCAL
winbindd_dual_pam_auth: domain: DOMAIN last was offline
Plain-text authentication for user DOMAIN\user returned NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
Finished processing child request 13
Writing 3496 bytes to parent
==> log.winbindd <==
s3_event: Destroying timer event 0x13163c0 "tevent_req_timedout"
s3_event: Schedule immediate event "tevent_queue_immediate_trigger": 0x1311c20
s3_event: Run immediate event "tevent_queue_immediate_trigger": 0x1311c20
==> log.wb-DOMAIN <==
==> log.winbindd <==
==> log.wb-DOMAIN <==
timed_events_timeout: 5/682459
==> log.winbindd <==
==> log.wb-DOMAIN <==
select will use timeout of 5.682459 seconds
==> log.winbindd <==
process_request: request fn INTERFACE_VERSION
s3_event: Schedule immediate event "tevent_queue_immediate_trigger": 0x1311c20
s3_event: Run immediate event "tevent_queue_immediate_trigger": 0x1311c20
process_request: request fn INFO
s3_event: Schedule immediate event "tevent_queue_immediate_trigger": 0x1311c20
s3_event: Run immediate event "tevent_queue_immediate_trigger": 0x1311c20
process_request: request fn NETBIOS_NAME
s3_event: Schedule immediate event "tevent_queue_immediate_trigger": 0x1311c20
s3_event: Run immediate event "tevent_queue_immediate_trigger": 0x1311c20
process_request: request fn DOMAIN_NAME
s3_event: Schedule immediate event "tevent_queue_immediate_trigger": 0x1311c20
s3_event: Run immediate event "tevent_queue_immediate_trigger": 0x1311c20
process_request: request fn DOMAIN_INFO
s3_event: Schedule immediate event "tevent_queue_immediate_trigger": 0x1311c20
s3_event: Run immediate event "tevent_queue_immediate_trigger": 0x1311c20
process_request: Handling async request 16207:PAM_AUTH_CRAP
s3_event: Schedule immediate event "tevent_queue_immediate_trigger": 0x1312060
s3_event: Run immediate event "tevent_queue_immediate_trigger": 0x1312060
s3_event: Added timed event "tevent_req_timedout": 0x13163c0
==> log.wb-DOMAIN <==
child daemon request 14
child_process_request: request fn AUTH_CRAP
could not open handle to NETLOGON pipe (error: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
Finished processing child request 14
Writing 3496 bytes to parent
timed_events_timeout: 5/676057
select will use timeout of 5.676057 seconds
==> log.winbindd <==
s3_event: Destroying timer event 0x13163c0 "tevent_req_timedout"
s3_event: Schedule immediate event "tevent_queue_immediate_trigger": 0x1311c20
s3_event: Run immediate event "tevent_queue_immediate_trigger": 0x1311c20
closing socket 21, client exited
Running timed event "check_domain_online_handler" 0x1312220
check_domain_online_handler: called for domain DOMAIN (online = False)
s3_event: Destroying timer event 0x1312220 "check_domain_online_handler"
Registering messaging pointer for type 1030 - private_data=(nil)
Registering messaging pointer for type 1031 - private_data=(nil)
==> log.winbindd-dc-connect <==
Deregistering messaging pointer for type 33 - private_data=(nil)
Deregistering messaging pointer for type 13 - private_data=(nil)
Deregistering messaging pointer for type 1028 - private_data=(nil)
Deregistering messaging pointer for type 1027 - private_data=(nil)
Deregistering messaging pointer for type 1029 - private_data=(nil)
Deregistering messaging pointer for type 1280 - private_data=(nil)
Deregistering messaging pointer for type 1033 - private_data=(nil)
Deregistering messaging pointer for type 1 - private_data=(nil)
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for DOMAIN.LOCAL
ads_dc_name: domain=DOMAIN
ads_connect: entering
ads: struct ads_struct
is_mine : true
ads: struct server
realm : 'DOMAIN.LOCAL'
workgroup : 'DOMAIN'
ldap_server : NULL
foreign : false
ads: struct auth
realm : NULL
password : '(PASSWORD ommited)'
user_name : NULL
kdc_server : NULL
flags : 0x00000002 (2)
0: ADS_AUTH_DISABLE_KERBEROS
1: ADS_AUTH_NO_BIND
0: ADS_AUTH_ANON_BIND
0: ADS_AUTH_SIMPLE_BIND
0: ADS_AUTH_ALLOW_NTLMSSP
0: ADS_AUTH_SASL_SIGN
0: ADS_AUTH_SASL_SEAL
0: ADS_AUTH_SASL_FORCE
time_offset : 0x00000000 (0)
tgt_expire : (time_t)0
tgs_expire : (time_t)0
renewable : (time_t)0
ads: struct config
flags : 0x00000000 (0)
0: DS_SERVER_PDC
0: DS_SERVER_GC
0: DS_SERVER_LDAP
0: DS_SERVER_DS
0: DS_SERVER_KDC
0: DS_SERVER_TIMESERV
0: DS_SERVER_CLOSEST
0: DS_SERVER_WRITABLE
0: DS_SERVER_GOOD_TIMESERV
0: DS_SERVER_NDNC
0: DS_SERVER_SELECT_SECRET_DOMAIN_6
0: DS_SERVER_FULL_SECRET_DOMAIN_6
0: DS_SERVER_WEBSERV
0: DS_DNS_CONTROLLER
0: DS_DNS_DOMAIN
0: DS_DNS_FOREST_ROOT
realm : NULL
bind_path : NULL
ldap_server_name : NULL
server_site_name : NULL
client_site_name : NULL
current_time : (time_t)0
schema_path : NULL
config_path : NULL
ads: struct ldap
ld : NULL
ss :
last_attempt : Sat Jan 17 12:46:02 PM 1970 EST
port : 0x00000000 (0)
wrap_type : 0x0001 (1)
sbiod : NULL
mem_ctx : NULL
wrap_ops : NULL
wrap_private_data : NULL
ads: struct in
ofs : 0x00000000 (0)
needed : 0x00000000 (0)
left : 0x00000000 (0)
max_wrapped : 0x00000000 (0)
min_wrapped : 0x00000000 (0)
size : 0x00000000 (0)
buf: ARRAY(0) : NULL
ads: struct out
ofs : 0x00000000 (0)
left : 0x00000000 (0)
max_unwrapped : 0x00000000 (0)
sig_size : 0x00000000 (0)
size : 0x00000000 (0)
buf: ARRAY(0) : NULL
sitename_fetch: No stored sitename for DOMAIN.LOCAL
ads_find_dc: (cldap) looking for realm 'DOMAIN.LOCAL'
get_sorted_dc_list: attempting lookup for name DOMAIN.LOCAL (sitename NULL)
saf_fetch: failed to find server for "DOMAIN.LOCAL" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up DOMAIN.LOCAL#1c (sitename (null))
name DOMAIN.LOCAL#1C found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Adding 2 DC's from auto lookup
check_negative_conn_cache returning result 0 for domain DOMAIN.LOCAL server 10.235.202.197
check_negative_conn_cache returning result 0 for domain DOMAIN.LOCAL server 10.1.11.12
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.235.202.197:389 10.1.11.12:389
check_negative_conn_cache returning result 0 for domain DOMAIN.LOCAL server 10.235.202.197
ads_try_connect: sending CLDAP request to 10.235.202.197 (realm: DOMAIN.LOCAL)
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x0000317d (12669)
1: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
0: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
0: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
1: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 57fd4425-2f45-4d86-9c5f-f0485ec34836
forest : 'DOMAIN.local'
dns_domain : 'DOMAIN.local'
pdc_dns_name : 'DOMAINCONTROLLER1.DOMAIN.local'
domain_name : 'DOMAIN'
pdc_name : 'DOMAINCONTROLLER1'
user_name : ''
server_site : 'Site1'
client_site : ''
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
sitename_store: deleting empty sitename!
Deleting cache entry (key = AD_SITENAME/DOMAIN/DOMAIN)
sitename_store: deleting empty sitename!
Deleting cache entry (key = AD_SITENAME/DOMAIN/DOMAIN.LOCAL)
Successfully contacted LDAP server 10.235.202.197
ads_connect: leaving with: Success
ads: struct ads_struct
is_mine : true
ads: struct server
realm : 'DOMAIN.LOCAL'
workgroup : 'DOMAIN'
ldap_server : NULL
foreign : false
ads: struct auth
realm : 'DOMAIN.LOCAL'
password : '(PASSWORD ommited)'
user_name : 'server$'
kdc_server : '10.235.202.197'
flags : 0x00000002 (2)
0: ADS_AUTH_DISABLE_KERBEROS
1: ADS_AUTH_NO_BIND
0: ADS_AUTH_ANON_BIND
0: ADS_AUTH_SIMPLE_BIND
0: ADS_AUTH_ALLOW_NTLMSSP
0: ADS_AUTH_SASL_SIGN
0: ADS_AUTH_SASL_SEAL
0: ADS_AUTH_SASL_FORCE
time_offset : 0x00000000 (0)
tgt_expire : (time_t)0
tgs_expire : (time_t)0
renewable : (time_t)0
ads: struct config
flags : 0x0000317d (12669)
1: DS_SERVER_PDC
1: DS_SERVER_GC
1: DS_SERVER_LDAP
1: DS_SERVER_DS
1: DS_SERVER_KDC
1: DS_SERVER_TIMESERV
0: DS_SERVER_CLOSEST
1: DS_SERVER_WRITABLE
0: DS_SERVER_GOOD_TIMESERV
0: DS_SERVER_NDNC
0: DS_SERVER_SELECT_SECRET_DOMAIN_6
1: DS_SERVER_FULL_SECRET_DOMAIN_6
1: DS_SERVER_WEBSERV
0: DS_DNS_CONTROLLER
0: DS_DNS_DOMAIN
0: DS_DNS_FOREST_ROOT
realm : 'DOMAIN.LOCAL'
bind_path : 'dc=DOMAIN,dc=LOCAL'
ldap_server_name : 'DOMAINCONTROLLER1.DOMAIN.local'
server_site_name : 'Site1'
client_site_name : NULL
current_time : (time_t)0
schema_path : NULL
config_path : NULL
ads: struct ldap
ld : NULL
ss : 10.235.202.197
last_attempt : Sat Jan 17 12:46:02 PM 1970 EST
port : 0x00000185 (389)
wrap_type : 0x0001 (1)
sbiod : NULL
mem_ctx : NULL
wrap_ops : NULL
wrap_private_data : NULL
ads: struct in
ofs : 0x00000000 (0)
needed : 0x00000000 (0)
left : 0x00000000 (0)
max_wrapped : 0x00000000 (0)
min_wrapped : 0x00000000 (0)
size : 0x00000000 (0)
buf: ARRAY(0) : NULL
ads: struct out
ofs : 0x00000000 (0)
left : 0x00000000 (0)
max_unwrapped : 0x00000000 (0)
sig_size : 0x00000000 (0)
size : 0x00000000 (0)
buf: ARRAY(0) : NULL
sitename_fetch: No stored sitename for DOMAIN.LOCAL
ads_sitename_match: no match between server: Site1 and client: NULL
ads_closest_dc: client belongs to no site
create_local_private_krb5_conf_for_domain: fname = /var/lib/samba/smb_krb5/krb5.conf.DOMAIN, realm = DOMAIN.LOCAL, domain = DOMAIN
saf_fetch: failed to find server for "DOMAIN.LOCAL" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up DOMAIN.LOCAL#1c (sitename (null))
name DOMAIN.LOCAL#1C found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Adding 2 DC's from auto lookup
check_negative_conn_cache returning result 0 for domain DOMAIN.LOCAL server 10.235.202.197
check_negative_conn_cache returning result 0 for domain DOMAIN.LOCAL server 10.1.11.12
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.235.202.197:389 10.1.11.12:389
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x0000317d (12669)
1: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
0: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
0: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
1: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 57fd4425-2f45-4d86-9c5f-f0485ec34836
forest : 'DOMAIN.local'
dns_domain : 'DOMAIN.local'
pdc_dns_name : 'DOMAINCONTROLLER1.DOMAIN.local'
domain_name : 'DOMAIN'
pdc_name : 'DOMAINCONTROLLER1'
user_name : ''
server_site : 'Site1'
client_site : ''
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x000073fc (29692)
0: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
1: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
1: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 57fd4425-2f45-4d86-9c5f-f0485ec34836
forest : 'DOMAIN.local'
dns_domain : 'DOMAIN.local'
pdc_dns_name : 'DOMAINCONTROLLER2.DOMAIN.local'
domain_name : 'DOMAIN'
pdc_name : 'DOMAINCONTROLLER2'
user_name : ''
server_site : 'Burlington'
client_site : 'Burlington'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
get_kdc_ip_string: Returning kdc = 10.235.202.197
kdc = 10.1.11.12
create_local_private_krb5_conf_for_domain: wrote file /var/lib/samba/smb_krb5/krb5.conf.DOMAIN with realm DOMAIN.LOCAL KDC list = kdc = 10.235.202.197
kdc = 10.1.11.12
ads_dc_name: using server='DOMAINCONTROLLER1.DOMAIN.LOCAL' IP=10.235.202.197
sitename_fetch: No stored sitename for DOMAIN.LOCAL
get_sorted_dc_list: attempting lookup for name DOMAIN.LOCAL (sitename NULL)
saf_fetch: failed to find server for "DOMAIN.LOCAL" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up DOMAIN.LOCAL#1c (sitename (null))
name DOMAIN.LOCAL#1C found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Adding 2 DC's from auto lookup
check_negative_conn_cache returning result 0 for domain DOMAIN.LOCAL server 10.235.202.197
check_negative_conn_cache returning result 0 for domain DOMAIN.LOCAL server 10.1.11.12
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.235.202.197:389 10.1.11.12:389
check_negative_conn_cache returning result 0 for domain DOMAIN server 10.235.202.197
check_negative_conn_cache returning result 0 for domain DOMAIN server 10.1.11.12
messaging_tdb_store:
array: struct messaging_array
num_messages : 0x00000001 (1)
messages: ARRAY(1)
messages: struct messaging_rec
msg_version : 0x00000002 (2)
msg_type : MSG_WINBIND_TRY_TO_GO_ONLINE (1030)
dest: struct server_id
pid : 0x0000000000003f44 (16196)
task_id : 0x00000000 (0)
vnn : 0xffffffff (4294967295)
unique_id : 0x0000000000000000 (0)
src: struct server_id
pid : 0x0000000000003f54 (16212)
task_id : 0x00000000 (0)
vnn : 0xffffffff (4294967295)
unique_id : 0x0000000000000000 (0)
buf : DATA_BLOB length=12
==> log.winbindd <==
message_dispatch: received_messages = 1
messaging_tdb_fetch:
result: struct messaging_array
num_messages : 0x00000001 (1)
messages: ARRAY(1)
messages: struct messaging_rec
msg_version : 0x00000002 (2)
msg_type : MSG_WINBIND_TRY_TO_GO_ONLINE (1030)
dest: struct server_id
pid : 0x0000000000003f44 (16196)
task_id : 0x00000000 (0)
vnn : 0xffffffff (4294967295)
unique_id : 0x0000000000000000 (0)
src: struct server_id
pid : 0x0000000000003f54 (16212)
task_id : 0x00000000 (0)
vnn : 0xffffffff (4294967295)
unique_id : 0x0000000000000000 (0)
buf : DATA_BLOB length=12
msg_try_to_go_online: received for domain DOMAIN.
connection_ok: Connection to for domain DOMAIN is not connected
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/gencache_notrans.tdb
saf_fetch: failed to find server for "DOMAIN" domain
cm_open_connection: dcname is '' for domain DOMAIN
sitename_fetch: No stored sitename for DOMAIN.LOCAL
ads_dc_name: domain=DOMAIN
ads_connect: entering
ads: struct ads_struct
is_mine : true
ads: struct server
realm : 'DOMAIN.LOCAL'
workgroup : 'DOMAIN'
ldap_server : NULL
foreign : false
ads: struct auth
realm : NULL
password : '(PASSWORD ommited)'
user_name : NULL
kdc_server : NULL
flags : 0x00000002 (2)
0: ADS_AUTH_DISABLE_KERBEROS
1: ADS_AUTH_NO_BIND
0: ADS_AUTH_ANON_BIND
0: ADS_AUTH_SIMPLE_BIND
0: ADS_AUTH_ALLOW_NTLMSSP
0: ADS_AUTH_SASL_SIGN
0: ADS_AUTH_SASL_SEAL
0: ADS_AUTH_SASL_FORCE
time_offset : 0x00000000 (0)
tgt_expire : (time_t)0
tgs_expire : (time_t)0
renewable : (time_t)0
ads: struct config
flags : 0x00000000 (0)
0: DS_SERVER_PDC
0: DS_SERVER_GC
0: DS_SERVER_LDAP
0: DS_SERVER_DS
0: DS_SERVER_KDC
0: DS_SERVER_TIMESERV
0: DS_SERVER_CLOSEST
0: DS_SERVER_WRITABLE
0: DS_SERVER_GOOD_TIMESERV
0: DS_SERVER_NDNC
0: DS_SERVER_SELECT_SECRET_DOMAIN_6
0: DS_SERVER_FULL_SECRET_DOMAIN_6
0: DS_SERVER_WEBSERV
0: DS_DNS_CONTROLLER
0: DS_DNS_DOMAIN
0: DS_DNS_FOREST_ROOT
realm : NULL
bind_path : NULL
ldap_server_name : NULL
server_site_name : NULL
client_site_name : NULL
current_time : (time_t)0
schema_path : NULL
config_path : NULL
ads: struct ldap
ld : NULL
ss :
last_attempt : Sat Jan 17 12:46:02 PM 1970 EST
port : 0x00000000 (0)
wrap_type : 0x0001 (1)
sbiod : NULL
mem_ctx : NULL
wrap_ops : NULL
wrap_private_data : NULL
ads: struct in
ofs : 0x00000000 (0)
needed : 0x00000000 (0)
left : 0x00000000 (0)
max_wrapped : 0x00000000 (0)
min_wrapped : 0x00000000 (0)
size : 0x00000000 (0)
buf: ARRAY(0) : NULL
ads: struct out
ofs : 0x00000000 (0)
left : 0x00000000 (0)
max_unwrapped : 0x00000000 (0)
sig_size : 0x00000000 (0)
size : 0x00000000 (0)
buf: ARRAY(0) : NULL
sitename_fetch: No stored sitename for DOMAIN.LOCAL
ads_find_dc: (cldap) looking for realm 'DOMAIN.LOCAL'
get_sorted_dc_list: attempting lookup for name DOMAIN.LOCAL (sitename NULL)
saf_fetch: failed to find server for "DOMAIN.LOCAL" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up DOMAIN.LOCAL#1c (sitename (null))
name DOMAIN.LOCAL#1C found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Adding 2 DC's from auto lookup
check_negative_conn_cache returning result 0 for domain DOMAIN.LOCAL server 10.235.202.197
check_negative_conn_cache returning result 0 for domain DOMAIN.LOCAL server 10.1.11.12
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.235.202.197:389 10.1.11.12:389
check_negative_conn_cache returning result 0 for domain DOMAIN.LOCAL server 10.235.202.197
ads_try_connect: sending CLDAP request to 10.235.202.197 (realm: DOMAIN.LOCAL)
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x0000317d (12669)
1: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
0: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
0: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
1: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 57fd4425-2f45-4d86-9c5f-f0485ec34836
forest : 'DOMAIN.local'
I can't seem to figure out exactly what's causing my "NT_STATUS_NO_LOGON_SERVERS" error, and this worked perfectly before switching from Samba 3 to Samba 4. I've tried searching around, but without much to go on, it's hard to know exactly what to search for.
Oh, and I should probably mention that we have two "Sites" in AD, which I've notated above as Site1 and Site2. The RHEL server is physically in Site1, but I'm unsure how to tell AD that. It seems like it should be able to tell this by its IP, but so far it doesn't show it being in any site in the Computer properties, nor by looking at the log output above.
Can anyone provide me with any ideas of things to look for/at? I will provide (unobfuscated) logs and/or config files upon request. Thanks in advance!
Jon Heese
Systems Administrator
INetU Managed Hosting
P: 610.266.7441 x 261
F: 610.266.7434
www.inetu.net<https://www.inetu.net/>
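
Added example, not part of the original message: at "log level = 100" the lines that matter are buried in struct dumps, so this Python script pulls out the NT_STATUS codes per log file, the negative connection cache entries, and the site fields of each CLDAP reply. The function names and the embedded sample (constructed from lines in the shape quoted above) are assumptions of this example, not Samba tooling.

```python
import re
import sys
from collections import Counter

# Constructed sample in the shape of the 'tail -f /var/log/samba/*' output above.
SAMPLE = """\
==> log.wb-DOMAIN <==
winbindd_dual_pam_auth: domain: DOMAIN offline and auth request in startup mode.
Calling function with arguments (key = NEG_CONN_CACHE/DOMAIN,DOMAINCONTROLLER1.DOMAIN.local, value = c0000030, timeout = Mon Mar 24 10:33:08 2014
)
Plain-text authentication for user DOMAIN\\user returned NT_STATUS_NO_LOGON_SERVERS (PAM: 9)
could not open handle to NETLOGON pipe (error: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
==> log.winbindd-dc-connect <==
s3_event: Run immediate event "tevent_queue_immediate_trigger": 0x1311c20
pdc_dns_name : 'DOMAINCONTROLLER1.DOMAIN.local'
server_site : 'Site1'
client_site : ''
ads_closest_dc: client belongs to no site
"""

FILE_HDR = re.compile(r"^==> (\S+) <==$")            # tail's per-file banner
NT_STATUS = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")
NEG_CACHE = re.compile(
    r"key = NEG_CONN_CACHE/([^,]+),([^,\s]+), value = ([0-9a-fA-F]{8})")
# Only the quoted fields of NETLOGON_SAM_LOGON_RESPONSE_EX; the similarly named
# server_site_name/client_site_name of ads_struct do not match.
FIELD = re.compile(r"^\s*(pdc_dns_name|server_site|client_site)\s*:\s*'(.*)'\s*$")


def triage(text):
    """Return NT_STATUS counts per log file, negative-cache entries, CLDAP site info."""
    status, neg_cache, cldap = Counter(), set(), []
    logfile, resp = "(unknown)", None
    for line in text.splitlines():
        hdr = FILE_HDR.match(line)
        if hdr:
            logfile = hdr.group(1)
            continue
        for code in NT_STATUS.findall(line):
            status[(logfile, code)] += 1
        neg = NEG_CACHE.search(line)
        if neg:
            neg_cache.add(neg.groups())       # (domain, server, raw status hex)
        field = FIELD.match(line)
        if field:
            name, value = field.groups()
            if name == "pdc_dns_name":        # first field we track in a reply
                resp = {"dc": value}
            elif resp is not None:
                resp[name] = value
                if name == "client_site":     # last field we track in a reply
                    if resp not in cldap:     # the same reply is dumped repeatedly
                        cldap.append(resp)
                    resp = None
    return {"status": status, "neg_cache": neg_cache, "cldap": cldap}


def no_site_dcs(report):
    """DCs whose CLDAP reply reported an empty client_site for this host."""
    return [r["dc"] for r in report["cldap"] if r.get("client_site") == ""]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    rep = triage(text)
    for (logfile, code), n in rep["status"].most_common():
        print(f"{n:4d}  {logfile}  {code}")
    for domain, server, value in sorted(rep["neg_cache"]):
        print(f"negative cache: {domain} -> {server} (status 0x{value})")
    for r in rep["cldap"]:
        print(f"CLDAP reply from {r['dc']}: server_site={r.get('server_site')!r} "
              f"client_site={r.get('client_site')!r}")
    print("DCs that placed this host in no site:", no_site_dcs(rep))
```

Saved output from the tail command can be passed as the first argument instead of the embedded sample.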