[Samba] Debugging Samba 4 AD Setup

Johannes Amorosa | Celluloid VFX johannesa at celluloid-vfx.com
Tue Mar 24 09:04:18 MDT 2015


Hi Louis,
answers are inline ...

On 03/24/2015 03:48 PM, L.P.H. van Belle wrote:
> Using UPPERCASE for the realm is advised, not obligatory ( but very much advised, yes ).
I changed the config to uppercase and rebooted, no change in the logfiles.
>
> check the following outputs and post them back in the list ( if needed anonymized )
>
> hostname -i
192.168.1.235
> hostname -s
the-ad-hostname
> hostname -f
the-ad-hostname.ourdomain.com
> hostname -d
ourdomain.com
>
> cat /etc/resolv.conf
nameserver 192.168.1.236
nameserver 192.168.1.235
search ourdomain.com

> cat /etc/hosts
127.0.0.1    localhost
192.168.1.235    the-ad-hostname.ourdomain.com the-ad-hostname
<snip>
> cat /etc/mailname
cat: /etc/mailname: No such file or directory

>
> dig MX ourdomain.com @127.0.0.1
; <<>> DiG 9.8.1-P1 <<>> MX ourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3733
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ourdomain.com.        IN    MX

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 24 15:58:44 2015
;; MSG SIZE  rcvd: 34

> dig MX ourdomain.com @192.168.1.254
; <<>> DiG 9.8.1-P1 <<>> MX ourdomain.com @192.168.1.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1156
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ourdomain.com.        IN    MX

;; AUTHORITY SECTION:
.            10800    IN    SOA    a.root-servers.net. nstld.verisign-grs.com. 2015032400 1800 900 604800 86400

;; Query time: 73 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Tue Mar 24 16:00:07 2015
;; MSG SIZE  rcvd: 109

> dig PTR IP_OF_DC
; <<>> DiG 9.8.1-P1 <<>> PTR the-ad-hostname
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6806
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;the-ad-hostname.            IN    PTR

;; Query time: 43 msec
;; SERVER: 192.168.1.236#53(192.168.1.236)
;; WHEN: Tue Mar 24 16:00:57 2015
;; MSG SIZE  rcvd: 39

>
> Greetz,
>
> Louis
>
>
Thank you for your time.

>
>> -----Original message-----
>> From: kable at abv.bg [mailto:samba-bounces at lists.samba.org]
>> On behalf of Georg Georgiev
>> Sent: Tuesday 24 March 2015 14:27
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Debugging Samba 4 AD Setup
>>
>> Hello Johannes,
>> Please check your kerberos realm, wiki says: _Realm:_ . It will also
>> automatically be used as the Active Directory DNS domain name.
>> The Realm always has to be in uppercase.
>> I see that yours is realm = ourdomain.com
>> Regards,
>> George
>>
>> On 24.3.2015 14:29, Johannes Amorosa | Celluloid VFX wrote:
>>> We're using quite successfully a samba 4.1 AD setup authenticating
>>> users. We have, on an irregular basis, mails that can't be delivered
>>> because dovecot-pam fails to verify the credentials. I'm trying to
>>> debug this and set the loglevel up to 3.
>>>
>>> I can see an error message being spammed in the log files and can't
>>> figure out what causes this. I expect a configuration error somewhere
>>> although everything else seems to work. Can someone shed some light on
>>> this error?
>>>
>>> Invalid domain! Expected name in domain [ourdomain.com]. But received [THE-AD-HOSTNAME]!
>>> ../source4/rpc_server/netlogon/dcerpc_netlogon.c:2330(dcesrv_netr_DsrEnumerateDomainTrusts)
>>>
>>> I don't believe this has anything to do with the initial problem, but
>>> I would like to resolve this one as well.
>>> Thank you for your time.
>>> Joe
>>>
>>> Setup:
>>> Two identical servers with this samba.conf.
>>>
>>> # Global parameters
>>> [global]
>>>      workgroup = OURDOMAIN
>>>      realm = ourdomain.com
>>>      netbios name = THE-AD-HOSTNAME
>>>      netbios aliases = SOMETHINGELSE
>>>      log level = 3
>>>
>>>      server role = active directory domain controller
>>>      dns forwarder = 192.168.1.254
>>> [netlogon]
>>>      path = /var/lib/samba/sysvol/ourdomain.com/scripts
>>>      read only = No
>>>
>>> [sysvol]
>>>      path = /var/lib/samba/sysvol
>>>      read only = No
>>>
>>>

-- 
Johannes Amorosa | Celluloid VFX
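
The checks requested in this thread (realm casing, `hostname -f` / `hostname -d`, `/etc/hosts`) can be scripted. The following is an added example, not part of the original messages or of Samba's tooling; the function names, finding labels and the hosts-file check are assumptions of this example, and the sample files are constructed from the values quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): compare the realm in smb.conf with the
# host's naming data. Paths and the FQDN are parameters, so it runs on copies.

# Print one parameter's value from the [global] section of an smb.conf file.
smbconf_global() {    # $1 = smb.conf path, $2 = parameter name (lowercase)
    awk -v want="$2" '
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        /^[ \t]*[#;]/ { next }
        in_global && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == want) { print v; exit }
        }' "$1"
}

# Print one finding per line; print nothing when the inputs agree.
check_ad_naming() {   # $1 = smb.conf, $2 = output of `hostname -f`, $3 = hosts file
    realm=$(smbconf_global "$1" realm)
    [ -n "$realm" ] || { echo "realm-missing"; return; }
    domain=${2#*.}    # DNS domain part of the FQDN, as `hostname -d` reports it
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    lower=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    [ "$realm" = "$upper" ] || echo "realm-not-uppercase: $realm"
    [ "$lower" = "$domain" ] || echo "realm-dns-domain-mismatch: $realm vs $domain"
    # Assumption of this example: the FQDN should be listed as a name in the hosts file.
    awk -v fqdn="$2" '!/^[ \t]*#/ { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit !found }' "$3" || echo "fqdn-not-in-hosts: $2"
}

# Constructed sample input modelled on the files quoted in the thread.
demo() {
    dir=$(mktemp -d) || return 1
    printf '[global]\n    workgroup = OURDOMAIN\n    realm = ourdomain.com\n' > "$dir/smb.conf"
    printf '[sysvol]\n    path = /var/lib/samba/sysvol\n' >> "$dir/smb.conf"
    printf '127.0.0.1    localhost\n' > "$dir/hosts"
    printf '192.168.1.235    the-ad-hostname.ourdomain.com the-ad-hostname\n' >> "$dir/hosts"
    check_ad_naming "$dir/smb.conf" the-ad-hostname.ourdomain.com "$dir/hosts"
    rm -rf "$dir"
}

demo
```

On a live domain controller the equivalent call would pass the real `smb.conf` path, the output of `hostname -f` and `/etc/hosts`.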


