[Samba] Debugging Samba 4 AD Setup
L.P.H. van Belle
belle at bazuin.nl
Tue Mar 24 09:30:22 MDT 2015
Just read the Dovecot Kerberos wiki a bit.
Are you using cross-realm authentication?
Then you really must read: http://wiki2.dovecot.org/Authentication/Kerberos
and I suggest checking out: http://wiki2.dovecot.org/PasswordDatabase/PAM
Enable PAM session and caching.
That would reduce possible problems.
But that is too much out of the Samba scope for me.
Greetz,
Louis
>-----Original message-----
>From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>On behalf of L.P.H. van Belle
>Sent: Tuesday 24 March 2015 16:23
>To: samba at lists.samba.org
>Subject: Re: [Samba] Debugging Samba 4 AD Setup
>
>All looks OK so far,
>
>but can you give me the output of
>dig PTR the-ad-hostname.ourdomain.com
>
>just to be sure.
>
>What's your OS running?
>Is Dovecot running on the same server?
>Is Dovecot auth running as root?
>
>The output of:
>cat /etc/pam.d/imap
>cat /etc/pam.d/pop3
>cat /etc/pam.d/mail
>
>And how many auth requests are you getting? Default is 100.
>
>
>Greetz,
>
>Louis
>
>
>
>>-----Original message-----
>>From: johannesa at celluloid-vfx.com
>>[mailto:samba-bounces at lists.samba.org] On behalf of Johannes Amorosa
>>| Celluloid VFX
>>Sent: Tuesday 24 March 2015 16:04
>>To: samba at lists.samba.org
>>Subject: Re: [Samba] Debugging Samba 4 AD Setup
>>
>>Hi Louis,
>>answers are inline ...
>>
>>On 03/24/2015 03:48 PM, L.P.H. van Belle wrote:
>>> Realm is advised to be UPPERCASE.. not obligatory. (but very much advised, yes)
>>I changed the config to uppercase and rebooted, no change in the logfiles.
>>>
>>> check the following outputs and post them back in the list (if needed anonymized)
>>>
>>> hostname -i
>>192.168.1.235
>>> hostname -s
>>the-ad-hostname
>>> hostname -f
>>the-ad-hostname.ourdomain.com
>>> hostname -d
>>ourdomain.com
>>>
>>> cat /etc/resolv.conf
>>nameserver 192.168.1.236
>>nameserver 192.168.1.235
>>search ourdomain.com
>>
>>> cat /etc/hosts
>>127.0.0.1 localhost
>>192.168.1.235 the-ad-hostname.ourdomain.com the-ad-hostname
>><snip>
>>> cat /etc/mailname
>>cat: /etc/mailname: No such file or directory
>>
>>>
>>> dig MX ourdomain.com @127.0.0.1
>>; <<>> DiG 9.8.1-P1 <<>> MX ourdomain.com @127.0.0.1
>>;; global options: +cmd
>>;; Got answer:
>>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3733
>>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>
>>;; QUESTION SECTION:
>>;ourdomain.com. IN MX
>>
>>;; Query time: 0 msec
>>;; SERVER: 127.0.0.1#53(127.0.0.1)
>>;; WHEN: Tue Mar 24 15:58:44 2015
>>;; MSG SIZE rcvd: 34
>>
>>> dig MX ourdomain.com @192.168.1.254
>>; <<>> DiG 9.8.1-P1 <<>> MX ourdomain.com @192.168.1.254
>>;; global options: +cmd
>>;; Got answer:
>>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1156
>>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>>;; QUESTION SECTION:
>>;ourdomain.com. IN MX
>>
>>;; AUTHORITY SECTION:
>>. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015032400 1800 900 604800 86400
>>
>>;; Query time: 73 msec
>>;; SERVER: 192.168.1.254#53(192.168.1.254)
>>;; WHEN: Tue Mar 24 16:00:07 2015
>>;; MSG SIZE rcvd: 109
>>
>>> dig PTR IP_OF_DC
>>; <<>> DiG 9.8.1-P1 <<>> PTR the-ad-hostname
>>;; global options: +cmd
>>;; Got answer:
>>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6806
>>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>>;; OPT PSEUDOSECTION:
>>; EDNS: version: 0, flags:; udp: 4000
>>;; QUESTION SECTION:
>>;the-ad-hostname. IN PTR
>>
>>;; Query time: 43 msec
>>;; SERVER: 192.168.1.236#53(192.168.1.236)
>>;; WHEN: Tue Mar 24 16:00:57 2015
>>;; MSG SIZE rcvd: 39
>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>Thank you for your time.
>>
>>>
>>>> -----Original message-----
>>>> From: kable at abv.bg [mailto:samba-bounces at lists.samba.org]
>>>> On behalf of Georg Georgiev
>>>> Sent: Tuesday 24 March 2015 14:27
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Debugging Samba 4 AD Setup
>>>>
>>>> Hello Johannes,
>>>> Please check your Kerberos realm, wiki says: _Realm:_ . It will also
>>>> automatically be used as the Active Directory DNS domain name.
>>>> The Realm always has to be in uppercase.
>>>> I see that yours is realm = ourdomain.com
>>>> Regards,
>>>> George
>>>>
>>>> On 24.3.2015 14:29, Johannes Amorosa | Celluloid VFX wrote:
>>>>> We're using quite successfully a samba 4.1 AD setup authenticating
>>>>> user. We have, on an irregular basis,
>>>>> mails that can't be delivered because dovecot-pam fails to verify the
>>>>> credentials. I'm trying to debug
>>>>> this and set the loglevel up to 3.
>>>>>
>>>>> I can see an error message being spammed in the log files and can't
>>>>> figure out what causes this. I expect a configuration error somewhere
>>>>> although everything else seems to work. Can someone shed some light on
>>>>> this error?
>>>>>
>>>>> Invalid domain! Expected name in domain [ourdomain.com]. But received [THE-AD-HOSTNAME]!
>>>>>
>>>>> ../source4/rpc_server/netlogon/dcerpc_netlogon.c:2330(dcesrv_netr_DsrEnumerateDomainTrusts)
>>>>>
>>>>> I don't believe this has anything to do with the initial problem, but
>>>>> I would like to resolve this one as well.
>>>>> Thank you for your time.
>>>>> Joe
>>>>>
>>>>> Setup:
>>>>> Two identical servers with this samba.conf.
>>>>>
>>>>> # Global parameters
>>>>> [global]
>>>>> workgroup = OURDOMAIN
>>>>> realm = ourdomain.com
>>>>> netbios name = THE-AD-HOSTNAME
>>>>> netbios aliases = SOMETHINGELSE
>>>>> log level = 3
>>>>>
>>>>> server role = active directory domain controller
>>>>> dns forwarder = 192.168.1.254
>>>>> [netlogon]
>>>>> path = /var/lib/samba/sysvol/ourdomain.com/scripts
>>>>> read only = No
>>>>>
>>>>> [sysvol]
>>>>> path = /var/lib/samba/sysvol
>>>>> read only = No
>>>>>
>>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>
>>--
>>Johannes Amorosa | Celluloid VFX
>>
>>
>>
>
>
>
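
The consistency checks this thread walks through by hand (realm case, realm versus the `hostname -d` domain, the `/etc/hosts` entry for the DC), as an added shell example that is not part of the original messages. The function names are hypothetical and the file contents are constructed from the values posted above.

```shell
#!/usr/bin/env bash
# Added example; file contents are constructed from the values posted in the thread.

# Print one [global] parameter from an smb.conf-style file (hypothetical helper).
smb_global() {  # usage: smb_global FILE "param name"
    awk -v want="$2" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        !in_global || /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "="); if (!eq) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) { print val; exit }
        }' "$1"
}

# Return 0 if the realm is written in uppercase, as advised in the thread.
realm_is_upper() {  # usage: realm_is_upper FILE
    local realm; realm=$(smb_global "$1" realm)
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# Return 0 if the realm equals the DNS domain (hostname -d), ignoring case.
realm_matches_domain() {  # usage: realm_matches_domain FILE DNS_DOMAIN
    local realm; realm=$(smb_global "$1" realm)
    [ "$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')" = \
      "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" ]
}

# Print the address a hosts file maps FQDN to (empty if there is no entry).
hosts_addr_for() {  # usage: hosts_addr_for HOSTS_FILE FQDN
    awk -v fqdn="$2" '!/^[ \t]*#/ { for (i = 2; i <= NF; i++) if ($i == fqdn) { print $1; exit } }' "$1"
}

report() {  # usage: report SMB_CONF HOSTS_FILE FQDN
    local domain=${3#*.}
    realm_is_upper "$1" && echo "realm: uppercase" || echo "realm: not uppercase ($(smb_global "$1" realm))"
    realm_matches_domain "$1" "$domain" && echo "realm matches DNS domain $domain" \
        || echo "realm differs from DNS domain $domain"
    echo "hosts: $3 -> $(hosts_addr_for "$2" "$3")"
}

# Constructed sample files modelled on the configuration quoted in the thread.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# Global parameters' '[global]' '    workgroup = OURDOMAIN' \
    '    realm = ourdomain.com' '    netbios name = THE-AD-HOSTNAME' \
    '[netlogon]' '    path = /var/lib/samba/sysvol/ourdomain.com/scripts' > "$demo/smb.conf"
printf '127.0.0.1 localhost\n192.168.1.235 the-ad-hostname.ourdomain.com the-ad-hostname\n' > "$demo/hosts"
report "$demo/smb.conf" "$demo/hosts" the-ad-hostname.ourdomain.com
```
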