[Samba] Mac/Win Login after sleep mode, Sync Problem for Access Control List between DCs, AccountLock

L.P.H. van Belle belle at bazuin.nl
Thu Mar 3 16:19:20 UTC 2016


Commented in between.. some extra info can help..

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner
> Sent: Thursday, 3 March 2016 13:21
> To: samba at lists.samba.org
> Subject: [Samba] Mac/Win Login after sleep mode, Sync Problem for Access
> Control List between DCs, AccountLock
> 
> 
> Hi,
> 
> I have three problems in my AD.
> 
> I have three DCs, four Samba members and some Mac and Windows clients.
> 
> First problem
> 
> After some time my Windows and Mac clients cannot log in with the account
> credentials. So I need to reboot the system and it works fine.
[L.P.H. van Belle] 

What are you rebooting, the server or the PCs? Both?
Are the PCs always on?
And did you check the time sync between server <-> client before the reboot?

Have you tried increasing:
> 	kdc:service ticket lifetime = 1
> 	kdc:user ticket lifetime = 24
> 	kdc:renewal lifetime = 120



> 
> When the problem occurs I get the following log on my DC:
> 
> [2016/03/03 12:39:10.029089,  3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2016/03/03 12:39:10.038056,  3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2016/03/03 12:39:10.042656,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/03/03 12:39:10.043148,  3] ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> [2016/03/03 12:39:10.047746,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/03/03 12:39:10.048298,  3] ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> [2016/03/03 12:39:10.126816,  3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2016/03/03 12:39:10.131704,  3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2016/03/03 12:39:10.136052,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/03/03 12:39:10.136580,  3] ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> [2016/03/03 12:39:10.142548,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
>   Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/03/03 12:39:10.143076,  3] ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> 
> 
> second problem
> 
> I have added deny rules for fields on the user object like personal information,
> street, postal code… for Domain Users in dc=hq,dc=kontrast
> 
> On cn=Users,dc=hq,dc=kontrast I have allowed a specific user to read and
> write these fields for user objects.
> 
> But my DCs don’t sync these changes.
> 
> The first DC where I changed it works correctly, but DC1 and DC2 have only
> synced dc=hq,dc=kontrast
[L.P.H. van Belle] 

Does this involve a schema change?
> I have added deny rules for fields on the user object like personal information,
How did you do that?



> 
> 
> third problem
> 
> Is there a default setting for account lockout in Samba 4? When I use AD in
> Subversion with wrong credentials, Samba will revoke the next requests.
> 
> I have used samba-tool domain password settings show for information:
> 
> Password informations for domain 'DC=hq,DC=kontrast'
> 
> Password complexity: off
> Store plaintext passwords: off
> Password history length: 24
> Minimum password length: 16
> Minimum password age (days): 90
> Maximum password age (days): 100
> 
> 
> HERE IS DC CONFIG:
> 
> more /etc/samba/smb.conf
> # Global parameters
> [global]
> 	workgroup = HQKONTRAST
> 	realm = HQ.KONTRAST
> 	netbios name = VL0227
> 	server role = active directory domain controller
> 	idmap_ldb:use rfc2307 = yes
> 	interfaces = eth0:35
> 	bind interfaces only = yes
> 	log level = 3
> 
> 	kdc:service ticket lifetime = 1
> 	kdc:user ticket lifetime = 24
> 	kdc:renewal lifetime = 120
> 
> 	tls enabled  = yes
> 	tls keyfile  = /var/lib/samba/private/tls/key.pem
> 	tls certfile = /var/lib/samba/private/tls/cert.pem
> 	tls cafile   = /var/lib/samba/private/tls/ca.pem
> 
> [netlogon]
> 	path = /var/lib/samba/sysvol/hq.kontrast/scripts
> 	read only = No
> 
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No
> 
> 
> my /etc/krb5.conf DC0
> [libdefaults]
> 	default_realm = HQ.KONTRAST
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true
> 
> [realms]
>    HQ.KONTRAST = {
>       kdc = vl0227.hq.kontrast
>       admin_server = vl0227.hq.kontrast
>    }
> [logging]
> 	default      = FILE:/var/log/krb5libs.log
> 	kdc          = FILE:/var/log/kdc.log
> 	admin_server = FILE:/var/log/kadmind.log
> 
> 
> my krb5.conf on second/third DC and Member
> [libdefaults]
> 	default_realm = HQ.KONTRAST
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true
> 
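Added example, not part of the thread and not Samba's own tooling: a small Python checker that reads the posted [global] section and sanity-checks the three kdc:* lifetimes van Belle suggests increasing. The smb.conf text below is constructed from the quoted config (trimmed), and the sleep-window threshold is an assumption, not a Samba default.

```python
import re
# Constructed from the [global] section posted in the thread (trimmed).
SAMPLE_SMB_CONF = """
[global]
    realm = HQ.KONTRAST
    server role = active directory domain controller
    interfaces=eth0:35
    kdc:service ticket lifetime = 1
    kdc:user ticket lifetime = 24
    kdc:renewal lifetime = 120
"""
LIFETIME_KEYS = ("kdc:service ticket lifetime",
                 "kdc:user ticket lifetime", "kdc:renewal lifetime")

def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {parameter: value}}; Samba
    ignores case/whitespace in parameter names, so they are normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        m = re.match(r"\[(.+)\]$", line)
        if m:  # new section header
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def check_ticket_lifetimes(conf, sleep_hours=8.0):
    """Findings about the kdc:* lifetimes (hours). sleep_hours is an
    assumed client sleep window, not a Samba parameter."""
    glob, findings, hours = conf.get("global", {}), [], {}
    for key in LIFETIME_KEYS:
        if key in glob:
            hours[key] = float(glob[key])  # raises on a non-numeric value
        else:
            findings.append(f"{key} not set; Samba's default applies")
    svc, usr, ren = (hours.get(k) for k in LIFETIME_KEYS)
    if svc is not None and usr is not None and svc > usr:
        findings.append("service ticket lifetime exceeds the TGT lifetime")
    if usr is not None and ren is not None and ren < usr:
        findings.append("renewal lifetime is shorter than the TGT lifetime")
    if svc is not None and svc < sleep_hours:
        findings.append(f"service ticket lifetime {svc:g}h is shorter than the "
                        f"assumed sleep window {sleep_hours:g}h; service tickets "
                        "expire during sleep and are re-requested on wake")
    return findings
```

Run `check_ticket_lifetimes(parse_smb_conf(open("/etc/samba/smb.conf").read()))` on a DC to apply the same checks to the live file.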



