[Samba] Mac/Win Login after sleep mode, Sync Problem for Access Control List between DCs, AccountLock

Oliver Werner oliver.werner at kontrast.de
Thu Mar 3 12:21:10 UTC 2016


Hi,

I have three problems in my AD.

I have three DCs, four Samba members and some Mac and Windows clients.

First problem

After some time my Windows and Mac clients cannot log in with the account credentials. So I need to reboot the system, and then it works fine.

When the problem exists I get the following log on my DC:

[2016/03/03 12:39:10.029089,  3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/03/03 12:39:10.038056,  3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/03/03 12:39:10.042656,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:10.043148,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/03/03 12:39:10.047746,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:10.048298,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/03/03 12:39:10.126816,  3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/03/03 12:39:10.131704,  3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/03/03 12:39:10.136052,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:10.136580,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/03/03 12:39:10.142548,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:10.143076,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]


Second problem

I have added deny rules for fields on user objects like personal information, street, postal code... for Domain Users in dc=hq,dc=kontrast.

On cn=Users,dc=hq,dc=kontrast I have allowed a specific user to read and write these fields for user objects.

But my DCs don't sync these changes.

The first DC, where I changed it, works correctly, but DC1 and DC2 have only synced dc=hq,dc=kontrast.


Third problem

Is there a default setting for account lockout in Samba 4? When I use AD in Subversion with wrong credentials, Samba will revoke the next requests.

I have used samba-tool domain passwordsettings show for information:

Password informations for domain 'DC=hq,DC=kontrast'

Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 16
Minimum password age (days): 90
Maximum password age (days): 100


Here is my DC config:

more /etc/samba/smb.conf
# Global parameters
[global]
	workgroup = HQKONTRAST
	realm = HQ.KONTRAST
	netbios name = VL0227
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes
	interfaces = eth0:35
	bind interfaces only = yes
	log level = 3

	kdc:service ticket lifetime = 1
	kdc:user ticket lifetime = 24
	kdc:renewal lifetime = 120

	tls enabled  = yes
	tls keyfile  = /var/lib/samba/private/tls/key.pem
	tls certfile = /var/lib/samba/private/tls/cert.pem
	tls cafile   = /var/lib/samba/private/tls/ca.pem

[netlogon]
	path = /var/lib/samba/sysvol/hq.kontrast/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No


My /etc/krb5.conf on DC0:
[libdefaults]
	default_realm = HQ.KONTRAST
	dns_lookup_realm = false
	dns_lookup_kdc = true

[realms]
	HQ.KONTRAST = {
		kdc = vl0227.hq.kontrast
		admin_server = vl0227.hq.kontrast
	}
[logging]
	default      = FILE:/var/log/krb5libs.log
	kdc          = FILE:/var/log/kdc.log
	admin_server = FILE:/var/log/kadmind.log


My krb5.conf on the second/third DC and the members:
[libdefaults]
	default_realm = HQ.KONTRAST
	dns_lookup_realm = false
	dns_lookup_kdc = true

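As an added example (not code from the post, and not part of Samba or samba-tool), here is a small Python script that parses the two text outputs quoted above and turns them into checks an AD administrator can run after the fact. The first part reads the DC log format shown under the first problem and reports the seconds in which several LDAP connections were torn down with NT_STATUS_CONNECTION_DISCONNECTED, which makes a client that reconnects in a tight loop after sleep stand out from a single dropped session. The second part parses the `samba-tool domain passwordsettings show` output from the third problem and reports whether any lockout policy is visible at all. The sample log and sample settings are constructed copies of what the post quotes (with one extra log entry added a second later); the lockout field labels and the 14-character minimum-length baseline are assumptions, not values from the post.

```python
"""Added example, not part of the mailing-list post: two checks over text
the post already shows. The sample inputs are constructed; the lockout
field labels are assumed from newer samba-tool releases."""
import re
from collections import Counter

# Constructed sample: a trimmed copy of the DC log excerpt from the post,
# plus one extra connection termination one second later.
SAMPLE_LOG = """\
[2016/03/03 12:39:10.029089,  3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/03/03 12:39:10.042656,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:10.047746,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:11.100000,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
"""

# One Samba log entry is a "[timestamp, level] source:line(function)" header
# followed by an indented message line.
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*(\d+)\]\s+(\S+)"
)


def parse_samba_log(text):
    """Return a list of (second, level, location, message) tuples."""
    lines = text.splitlines()
    entries = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        second, level, location = m.group(1), int(m.group(2)), m.group(3)
        message = ""
        if i + 1 < len(lines) and lines[i + 1].startswith(" "):
            message = lines[i + 1].strip()
            i += 1
        entries.append((second, level, location, message))
        i += 1
    return entries


def connection_drop_bursts(text, threshold=2):
    """Map each second with at least `threshold` LDAP connections torn down
    with NT_STATUS_CONNECTION_DISCONNECTED to that count. A client stuck in
    a reconnect loop after waking shows up here; one dropped session does not."""
    counts = Counter()
    for second, _level, location, message in parse_samba_log(text):
        if ("stream_terminate_connection" in location
                and "NT_STATUS_CONNECTION_DISCONNECTED" in message):
            counts[second] += 1
    return {s: n for s, n in counts.items() if n >= threshold}


# Constructed sample: the samba-tool output quoted in the post.
SAMPLE_SETTINGS = """\
Password informations for domain 'DC=hq,DC=kontrast'

Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 16
Minimum password age (days): 90
Maximum password age (days): 100
"""


def parse_password_settings(text):
    """Turn the 'Label: value' lines of the samba-tool output into a dict."""
    settings = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
    return settings


def audit_password_settings(text):
    """Return a list of findings. The lockout label is an assumed name from
    newer samba-tool releases; the build in the post prints no lockout line
    at all, so a missing label means the policy must be read from the
    lockoutThreshold attribute on the domain object instead."""
    s = parse_password_settings(text)
    findings = []
    if s.get("Password complexity", "").lower() == "off":
        findings.append("password complexity is off")
    if int(s.get("Minimum password length", "0")) < 14:  # baseline chosen here
        findings.append("minimum password length below 14")
    threshold = s.get("Account lockout threshold (attempts)")
    if threshold is None:
        findings.append("lockout policy not shown by this samba-tool; "
                        "read lockoutThreshold from the domain object instead")
    elif threshold == "0":
        findings.append("account lockout disabled (threshold 0)")
    return findings


if __name__ == "__main__":
    print(connection_drop_bursts(SAMPLE_LOG))
    for finding in audit_password_settings(SAMPLE_SETTINGS):
        print("-", finding)
```

Run against a real log, the burst threshold should be raised to whatever a quiet DC normally shows per second; the point of the check is the contrast between a baseline and the reconnect storm, not the absolute number. For the lockout question, a threshold of 0 in AD means lockout is disabled, which is why the audit reports both the "not shown" and the "0" cases separately.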

