[Samba] net ads info: failed to get server's current time

Guy-Laurent Subri guy-laurent at subri.ch
Wed Oct 28 13:43:04 UTC 2015


On Wed, Oct 28, 2015 at 01:25:33PM +0000, Rowland Penny wrote:
>On 28/10/15 13:03, Guy-Laurent Subri wrote:
>> On Wed, Oct 28, 2015 at 10:32:31AM +0000, Rowland Penny wrote:
>>> On 28/10/15 10:09, Guy-Laurent Subri wrote:
>>>
>>>> My version of Samba is 4.1.17. I don't think this changes anything, but
>>>> I can try to upgrade if needed.
>>>
>>> OK, looks like you are running Debian, either wheezy using backports or
>>> Jessie and my old DC is running wheezy and net ads info works on that.
>>>
>>>> Here are the files:
>>>>
>>>> /etc/ntp.conf
>>>> -------------
>>>> driftfile /var/lib/ntp/ntp.drift
>>>> ntpsigndsocket /var/lib/samba/ntp_signd
>>>>
>>>> statsdir /var/log/ntpstats/
>>>>
>>>> server 0.ch.pool.ntp.org
>>>> server 1.ch.pool.ntp.org
>>>> server 2.ch.pool.ntp.org
>>>> server 3.ch.pool.ntp.org
>>>>
>>>> restrict -4 default kod notrap nomodify nopeer noquery mssntp
>>>> restrict -6 default kod notrap nomodify nopeer noquery mssntp
>>>>
>>>> restrict 127.0.0.1
>>>> restrict ::1
>>>>
>>>> restrict 0.ch.pool.ntp.org mask 255.255.255 nomodify notrap nopeer noquery
>>>>
>>>> broadcast 192.168.123.255
>>>>
>>>
>>> I would suggest that you either remove the last 3 'server' lines or add
>>> another 3 'restrict' lines to cover them.
>>>
>>>> /etc/bind/named.conf
>>>> --------------------
>>>> include "/etc/bind/named.conf.options";
>>>> include "/etc/bind/named.conf.local";
>>>> include "/etc/bind/named.conf.default-zones";
>>>> include "/var/lib/samba/private/named.conf";
>>>>
>>>> /etc/bind/named.conf.options
>>>> ----------------------------
>>>> options {
>>>>    directory "/var/cache/bind";
>>>>
>>>>    forwarders {
>>>>        192.168.1.185;
>>>>    };
>>>
>>> What is the forwarder?
>> I deleted the forwarder as we don't need it anymore. Thanks for
>> reminding me it was there!
>
>If you are running Samba4 as an AD DC with bind9, then you do need the
>forwarder, so make sure you have one and it must be one outside the
>Samba4 domain that resolves the rest of the internet.
>
>>>>       dnssec-validation auto;
>>>>
>>>>    auth-nxdomain no;
>>>>    allow-query { localhost; any; };
>>>>    listen-on port 53 { 127.0.0.1; 192.168.1.17; };
>>>>    listen-on-v6 { any; };
>>>> };
>>>>
>>>> /etc/bind/named.conf.local
>>>> --------------------------
>>>> is empty
>>>>
>>>> /etc/bind/named.conf.default-zones
>>>> ----------------------------------
>>>> zone "." {
>>>>    type hint;
>>>>    file "/etc/bind/db.root";
>>>> };
>>>>
>>>> zone "localhost" {
>>>>    type master;
>>>>    file "/etc/bind/db.local";
>>>> };
>>>>
>>>> zone "127.in-addr.arpa" {
>>>>    type master;
>>>>    file "/etc/bind/db.127";
>>>> };
>>>>
>>>> zone "0.in-addr.arpa" {
>>>>    type master;
>>>>    file "/etc/bind/db.0";
>>>> };
>>>>
>>>> zone "255.in-addr.arpa" {
>>>>    type master;
>>>>    file "/etc/bind/db.255";
>>>> };
>>>>
>>>> /var/lib/samba/private/named.conf
>>>> ---------------------------------
>>>> zone "trs-ch.com." IN {
>>>>    type master;
>>>>    file "/var/lib/samba/private/dns/trs-ch.com.zone";
>>>>    include "/var/lib/samba/private/named.conf.update";
>>>>    check-names ignore;
>>>> };
>>>
>>> This is wrong, /var/lib/samba/private/named.conf should be:
>>>
>>> dlz "AD DNS Zone" {
>>>     # For BIND 9.8.0
>>>     #database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
>>>
>>>     # For BIND 9.9.0
>>>     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>>> };
>> Ok. I tried this but I've got an error:
>> samba_dlz: Unable to get basedn for /var/lib/samba/private/dns/sam.ldb
>> - NULL Base DN invalid for a base search
>
>OK, how did you provision Samba4?
>Does /var/lib/samba/private/dns/sam.ldb exist? If it does (and it
>should), it should belong to root:bind with 0660 permissions (-rw-rw----)

I don't remember how I provisioned Samba exactly, but I'm sure I
provisioned with BIND9 instead of internal DNS. The file exists but is
bind:bind with 0664.
>>>>
>>>> resolv.conf
>>>> -----------
>>>> search trs-ch.com
>>>> nameserver 192.168.1.17
>>>> nameserver 192.168.1.7
>>>>
>>>
>>> What is the second nameserver? If it is a second DC, swap them around,
>>> otherwise remove it.
>> It's another DC, but not for the same realm. I swapped them.
>
>Remove it, your DC should only ask other DCs in its own domain for DNS info
Ok, done. Why is it a problem if my DC asks for DNS info in another
domain?
>>>> krb5.conf
>>>> ---------
>>>> [libdefaults]
>>>> default_realm = TRS-CH.COM
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>> [realms]
>>>> TRS-CH.COM = {
>>>>    kdc = 192.168.1.17
>>>>        admin_server = 192.168.1.17
>>>>        default_domain = trs-ch.com
>>>> }
>>>> [TRS-CH.COM]
>>>> .trs-ch.com = TRS-CH.COM
>>>> trs.ch.com = TRS-CH.COM
>>>>
>>>
>>> You only need this in /etc/krb5.conf
>>>
>>> [libdefaults]
>>> default_realm = TRS-CH.COM
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>
>> Ok, I modified it accordingly
>>
>> Do you know why I have this error? BTW, sam.ldb is owned by root:root
>> and is set to rw for user and none to group and world, is this ok?
>
>If you are talking /var/lib/samba/private/sam.ldb then this is correct.
I was, but I misread the path.

Guy-Laurent
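The four things Rowland asks about in this thread (a dlz block rather than a static master zone in Samba's named.conf, root:bind 0660 on dns/sam.ldb, only this domain's DCs in resolv.conf with the DC itself first, and a restrict line for every server in ntp.conf) can be checked mechanically. The script below is an added example, not code from the Samba project or from either poster. It assumes a Debian-style layout (/var/lib/samba/private, /etc/ntp.conf, /etc/resolv.conf), GNU coreutils `stat`, and that the caller supplies the addresses of the domain's DCs; all function names are mine, and the sample files used to exercise it are constructed from the configs quoted in the thread.

```shell
#!/bin/sh
# Added example: pre-flight audit of the DNS/NTP/sam.ldb items raised in the
# thread. Not Samba project code. Assumptions: Debian-style paths, GNU stat,
# and a caller-supplied list of this domain's DC addresses.

# 1. Samba's named.conf for BIND9_DLZ must load the dlz module; a static
#    'type master' zone (the thread's original layout) is wrong.
check_named_dlz() {
    if grep -q '^[[:space:]]*type[[:space:]]*master' "$1"; then
        echo "FAIL: $1 defines a static master zone; AD DNS must be served by dlz_bind9"
        return 1
    fi
    if ! grep -q 'database[[:space:]]*"dlopen' "$1" || ! grep -q 'dlz_bind9' "$1"; then
        echo "FAIL: $1 has no dlz block loading dlz_bind9*.so"
        return 1
    fi
    echo "ok: $1 loads dlz_bind9"
}

# 2. dns/sam.ldb must be root:bind 0660: named can open it, nobody else can.
#    Owner, group and octal mode are passed in so this runs without root.
check_samldb_perms() {
    owner=$1
    group=$2
    mode=$3
    if [ "$owner" = root ] && [ "$group" = bind ] && [ "$mode" = 660 ]; then
        echo "ok: dns/sam.ldb is root:bind 0660"
        return 0
    fi
    echo "FAIL: dns/sam.ldb is $owner:$group $mode, expected root:bind 660"
    return 1
}

# Wrapper for a real file (GNU stat).
samldb_perms_of() {
    set -- $(stat -c '%U %G %a' "$1")
    check_samldb_perms "$1" "$2" "$3"
}

# 3. resolv.conf: this DC must be the first nameserver, and every nameserver
#    must be a DC of this domain (a DC of another realm does not belong here).
#    usage: check_resolv FILE THIS_DC_IP [OTHER_DC_IP...]
check_resolv() {
    f=$1
    shift
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$f")
    if [ "$first" != "$1" ]; then
        echo "FAIL: first nameserver in $f is '$first', expected this DC ($1)"
        return 1
    fi
    rc=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$f"); do
        known=0
        for dc in "$@"; do
            [ "$ns" = "$dc" ] && known=1
        done
        [ "$known" -eq 1 ] || { echo "FAIL: nameserver $ns is not a DC of this domain"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "ok: $f lists only DCs of this domain"
    return "$rc"
}

# 4. ntp.conf: signed SNTP for Windows clients (ntpsigndsocket + mssntp) and,
#    as suggested in the thread, a 'restrict' line for every 'server' line.
check_ntp() {
    f=$1
    rc=0
    grep -q '^[[:space:]]*ntpsigndsocket' "$f" || { echo "FAIL: no ntpsigndsocket in $f"; rc=1; }
    grep -q '^[[:space:]]*restrict.*mssntp' "$f" || { echo "FAIL: no 'restrict ... mssntp' in $f"; rc=1; }
    for srv in $(awk '$1 == "server" { print $2 }' "$f"); do
        # dots in $srv are unescaped regex metacharacters; acceptable for hostnames
        grep -qE "^[[:space:]]*restrict[[:space:]]+$srv([[:space:]]|\$)" "$f" \
            || { echo "FAIL: server $srv has no matching restrict line"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "ok: $f signs SNTP and restricts every server"
    return "$rc"
}

# Run everything against the live system:
#   sh dc-audit.sh --run 192.168.1.17 [OTHER_DC_IP...]
audit_all() {
    private=${SAMBA_PRIVATE:-/var/lib/samba/private}
    failed=0
    check_named_dlz "$private/named.conf" || failed=1
    samldb_perms_of "$private/dns/sam.ldb" || failed=1
    check_resolv /etc/resolv.conf "$@" || failed=1
    check_ntp /etc/ntp.conf || failed=1
    return "$failed"
}

if [ "${1:-}" = "--run" ]; then
    shift
    audit_all "$@"
fi
```

Each check prints one ok/FAIL line and returns non-zero on failure, so the script can sit in a cron job or a configuration-management test. The permission check takes owner, group and mode as arguments on purpose: it can be exercised on sample data without root, and the `samldb_perms_of` wrapper is the only part that touches the filesystem.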


