[Samba] net ads info: failed to get server's current time

Rowland Penny rowlandpenny241155 at gmail.com
Wed Oct 28 13:25:33 UTC 2015


On 28/10/15 13:03, Guy-Laurent Subri wrote:
> On Wed, Oct 28, 2015 at 10:32:31AM +0000, Rowland Penny wrote:
>> On 28/10/15 10:09, Guy-Laurent Subri wrote:
>>
>>> My version of Samba is 4.1.17. I don't think this changes anything, but
>>> I can try to upgrade if needed.
>>
>> OK, looks like you are running Debian, either wheezy using backports or
>> Jessie and my old DC is running wheezy and net ads info works on that.
>>
>>> Here are the files:
>>>
>>> /etc/ntp.conf
>>> -------------
>>> driftfile /var/lib/ntp/ntp.drift
>>> ntpsigndsocket /var/lib/samba/ntp_signd
>>>
>>> statsdir /var/log/ntpstats/
>>>
>>> server 0.ch.pool.ntp.org
>>> server 1.ch.pool.ntp.org
>>> server 2.ch.pool.ntp.org
>>> server 3.ch.pool.ntp.org
>>>
>>> restrict -4 default kod notrap nomodify nopeer noquery mssntp
>>> restrict -6 default kod notrap nomodify nopeer noquery mssntp
>>>
>>> restrict 127.0.0.1
>>> restrict ::1
>>>
>>> restrict 0.ch.pool.ntp.org mask 255.255.255 nomodify notrap nopeer noquery
>>>
>>> broadcast 192.168.123.255
>>>
>>
>> I would suggest that you either remove the last 3 'server' lines or add
>> another 3 'restrict' lines to cover them.
>>
>>> /etc/bind/named.conf
>>> --------------------
>>> include "/etc/bind/named.conf.options";
>>> include "/etc/bind/named.conf.local";
>>> include "/etc/bind/named.conf.default-zones";
>>> include "/var/lib/samba/private/named.conf";
>>>
>>> /etc/bind/named.conf.options
>>> ----------------------------
>>> options {
>>>    directory "/var/cache/bind";
>>>
>>>    forwarders {
>>>        192.168.1.185;
>>>    };
>>
>> What is the forwarder ?
> I deleted the forwarder as we don't need it anymore. Thanks for
> reminding me it was there!

If you are running Samba4 as an AD DC with bind9, then you do need the 
forwarder, so make sure you have one, and it must be one outside the 
Samba4 domain that resolves the rest of the internet.

>>>       dnssec-validation auto;
>>>
>>>    auth-nxdomain no;
>>>    allow-query { localhost; any; };
>>>    listen-on port 53 { 127.0.0.1; 192.168.1.17; };
>>>    listen-on-v6 { any; };
>>> };
>>>
>>> /etc/bind/named.conf.local --------------------------
>>> is empty
>>>
>>> /etc/bind/named.conf.default-zones
>>> ----------------------------------
>>> zone "." {
>>>    type hint;
>>>    file "/etc/bind/db.root";
>>> };
>>>
>>> zone "localhost" {
>>>    type master;
>>>    file "/etc/bind/db.local";
>>> };
>>>
>>> zone "127.in-addr.arpa" {
>>>    type master;
>>>    file "/etc/bind/db.127";
>>> };
>>>
>>> zone "0.in-addr.arpa" {
>>>    type master;
>>>    file "/etc/bind/db.0";
>>> };
>>>
>>> zone "255.in-addr.arpa" {
>>>    type master;
>>>    file "/etc/bind/db.255";
>>> };
>>>
>>> /var/lib/samba/private/named.conf
>>> ---------------------------------
>>> zone "trs-ch.com." IN {
>>>    type master;
>>>    file "/var/lib/samba/private/dns/trs-ch.com.zone";
>>>    include "/var/lib/samba/private/named.conf.update";
>>>    check-names ignore;
>>> };
>>
>> This is wrong, /var/lib/samba/private/named.conf should be:
>>
>> dlz "AD DNS Zone" {
>>     # For BIND 9.8.0
>>     #database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
>>
>>     # For BIND 9.9.0
>>     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>> };
> Ok. I tried this but I've got an error:
> samba_dlz: Unable to get basedn for /var/lib/samba/private/dns/sam.ldb
> - NULL Base DN invalid for a base search

OK, how did you provision Samba4?
Does /var/lib/samba/private/dns/sam.ldb exist? If it does (and it 
should), it should belong to root:bind with 0660 permissions (-rw-rw----).

>>>
>>> resolv.conf
>>> -----------
>>> search trs-ch.com
>>> nameserver 192.168.1.17
>>> nameserver 192.168.1.7
>>>
>>
>> What is the second nameserver ? if it is a second DC, swap them around,
>> otherwise remove it.
> It's another DC, but not for the same realm. I swapped them.

Remove it; your DC should only ask other DCs in its own domain for DNS info.


>>> krb5.conf
>>> ---------
>>> [libdefaults]
>>> default_realm = TRS-CH.COM
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>> [realms]
>>> TRS-CH.COM = {
>>>    kdc = 192.168.1.17
>>>        admin_server = 192.168.1.17
>>>        default_domain = trs-ch.com
>>> }
>>> [TRS-CH.COM]
>>> .trs-ch.com = TRS-CH.COM
>>> trs.ch.com = TRS-CH.COM
>>>
>>
>> You only need this in /etc/krb5.conf
>>
>> [libdefaults]
>> default_realm = TRS-CH.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>
> Ok, I modified it accordingly
>
> Do you know why I have this error ? BTW, sam.ldb is owned by root:root
> and is set to rw for user and none to group and world, is this ok ?

If you are talking about /var/lib/samba/private/sam.ldb then this is correct.

Rowland

>
> Thanks again, Guy-Laurent
>
