[Samba] Mac/Win Login after sleep mode, Sync Problem for Access Control List between DCs, AccountLock
Oliver Werner
oliver.werner at kontrast.de
Thu Mar 3 12:21:10 UTC 2016
Hi,
I have three problems in my AD.
I have three DCs, four Samba members and some Mac and Windows clients.
First problem:
After some time my Windows and Mac clients cannot log in with the account credentials. So I need to reboot the system and then it works fine.
When the problem exists I get the following log on my DC:
[2016/03/03 12:39:10.029089, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2016/03/03 12:39:10.038056, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2016/03/03 12:39:10.042656, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:10.043148, 3] ../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/03/03 12:39:10.047746, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:10.048298, 3] ../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/03/03 12:39:10.126816, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2016/03/03 12:39:10.131704, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2016/03/03 12:39:10.136052, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:10.136580, 3] ../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/03/03 12:39:10.142548, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:10.143076, 3] ../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Second problem:
I have added deny rules for fields on user objects like personal information, street, postal code… for Domain Users in dc=hq,dc=kontrast.
On cn=Users,dc=hq,dc=kontrast I have allowed a specific user to read and write these fields for user objects.
But my DCs don't sync these changes.
The first DC where I changed it works correctly, but DC1 and DC2 have only synced dc=hq,dc=kontrast.
Third problem:
Is there a default setting for account lockout in Samba 4? When I use AD in Subversion with wrong credentials, Samba will revoke the next requests.
I have used "samba-tool domain passwordsettings show" for information:
Password informations for domain 'DC=hq,DC=kontrast'
Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 16
Minimum password age (days): 90
Maximum password age (days): 100
HERE IS DC CONFIG:
more /etc/samba/smb.conf
# Global parameters
[global]
workgroup = HQKONTRAST
realm = HQ.KONTRAST
netbios name = VL0227
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
interfaces=eth0:35
bind interfaces only=yes
log level = 3
kdc:service ticket lifetime = 1
kdc:user ticket lifetime = 24
kdc:renewal lifetime = 120
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/key.pem
tls certfile = /var/lib/samba/private/tls/cert.pem
tls cafile = /var/lib/samba/private/tls/ca.pem
[netlogon]
path = /var/lib/samba/sysvol/hq.kontrast/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
My /etc/krb5.conf on DC0:
[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
HQ.KONTRAST = {
kdc = vl0227.hq.kontrast
admin_server = vl0227.hq.kontrast
}
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmind.log
My krb5.conf on the second/third DC and the members:
[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_realm = false
dns_lookup_kdc = true