[Samba] Mac/Win Login after sleep mode, Sync Problem for Access Control List between DCs, AccountLock
L.P.H. van Belle
belle at bazuin.nl
Thu Mar 3 16:19:20 UTC 2016
Commented inline; some extra info can help.
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Oliver Werner
> Sent: Thursday 3 March 2016 13:21
> To: samba at lists.samba.org
> Subject: [Samba] Mac/Win Login after sleep mode, Sync Problem for Access
> Control List between DCs, AccountLock
>
>
> Hi,
>
> I have three problems in my AD.
>
> I have three DCs, four Samba members and some Mac and Windows clients.
>
> first problem
>
> After some time my Windows and Mac clients cannot log in with the account
> credentials. So I need to reboot the system and it works fine.
[L.P.H. van Belle]
What are you rebooting, the server or the PCs? Both?
Are the PCs always on?
And did you check the timesync between server <-> client before the reboot?
Have you tried increasing:
> kdc:service ticket lifetime = 1
> kdc:user ticket lifetime = 24
> kdc:renewal lifetime = 120
>
> When the problem exists, I get the following log on my DC:
>
> [2016/03/03 12:39:10.029089, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2016/03/03 12:39:10.038056, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2016/03/03 12:39:10.042656, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/03/03 12:39:10.043148, 3] ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> [2016/03/03 12:39:10.047746, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/03/03 12:39:10.048298, 3] ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> [2016/03/03 12:39:10.126816, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2016/03/03 12:39:10.131704, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2016/03/03 12:39:10.136052, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/03/03 12:39:10.136580, 3] ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> [2016/03/03 12:39:10.142548, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/03/03 12:39:10.143076, 3] ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>
>
> second problem
>
> I have added deny rules for fields on user objects like personal information,
> street, postalcode… for Domain Users in dc=hq,dc=kontrast
>
> On cn=Users,dc=hq,dc=kontrast I have allowed a specific user to read and
> write these fields for user objects.
>
> But my DCs don't sync these changes.
>
> The first DC, where I changed it, works correctly, but DC1 and DC2 have only
> synced dc=hq,dc=kontrast.
[L.P.H. van Belle]
Does this involve a schema change?
> I have added deny rules for fields on user objects like personal information,
How did you do that?
>
>
> third problem
>
> Is there a default setting for account lock in Samba 4? When I use AD in
> Subversion with wrong credentials, Samba will revoke the next requests.
>
> I have used samba-tool domain passwordsettings show for information:
>
> Password informations for domain 'DC=hq,DC=kontrast'
>
> Password complexity: off
> Store plaintext passwords: off
> Password history length: 24
> Minimum password length: 16
> Minimum password age (days): 90
> Maximum password age (days): 100
>
>
> Here is the DC config:
>
> more /etc/samba/smb.conf
> # Global parameters
> [global]
> workgroup = HQKONTRAST
> realm = HQ.KONTRAST
> netbios name = VL0227
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> interfaces=eth0:35
> bind interfaces only=yes
> log level = 3
>
> kdc:service ticket lifetime = 1
> kdc:user ticket lifetime = 24
> kdc:renewal lifetime = 120
>
> tls enabled = yes
> tls keyfile = /var/lib/samba/private/tls/key.pem
> tls certfile = /var/lib/samba/private/tls/cert.pem
> tls cafile = /var/lib/samba/private/tls/ca.pem
>
> [netlogon]
> path = /var/lib/samba/sysvol/hq.kontrast/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
> My /etc/krb5.conf on DC0:
> [libdefaults]
> default_realm = HQ.KONTRAST
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> HQ.KONTRAST = {
> kdc = vl0227.hq.kontrast
> admin_server = vl0227.hq.kontrast
> }
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
>
> My krb5.conf on the second/third DC and the members:
> [libdefaults]
> default_realm = HQ.KONTRAST
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
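As an added example (not code from the thread), the Python below parses Samba's `[timestamp, level] path:line(function)` log format as seen in the DC log excerpt, counts which function reported which NT_STATUS code, and reports the peak number of LDAP connections torn down within a one-second window, which is the kind of burst worth correlating with client wake-up times. The sample is four entries of the post's excerpt with the mail-wrapped lines rejoined; the two-space message indent is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: four entries from the DC log excerpt above, with the
# mail-wrapped lines rejoined; the two-space message indent is an assumption.
SAMPLE_LOG = """\
[2016/03/03 12:39:10.029089, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2016/03/03 12:39:10.042656, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2016/03/03 12:39:10.043148, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2016/03/03 12:39:10.047746, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
"""

# "[YYYY/MM/DD HH:MM:SS.usec, level] path:line(function)" starts each entry.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+), *(\d+)\] (\S+):(\d+)\((\w+)\)$")
NT_STATUS = re.compile(r"NT_STATUS_[A-Z_]+")

def parse_samba_log(text):
    """Return one dict per entry; lines after a header are that entry's message."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            entries.append({"ts": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"),
                            "level": int(m.group(2)), "file": m.group(3),
                            "line": int(m.group(4)), "func": m.group(5), "msg": ""})
        elif entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def nt_status_by_function(entries):
    """Count (function, NT_STATUS code) pairs, once per entry mentioning the code."""
    counts = Counter()
    for e in entries:
        for code in set(NT_STATUS.findall(e["msg"])):
            counts[(e["func"], code)] += 1
    return counts

def max_disconnects_per_window(entries, window_s=1.0):
    """Peak number of terminated LDAP connections inside any window_s-second span."""
    times = sorted(e["ts"] for e in entries if e["func"] == "stream_terminate_connection")
    best = start = 0
    for i, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1  # slide the window start forward past old events
        best = max(best, i - start + 1)
    return best
```

Run it against a full `log.samba` at `log level = 3` to see whether the disconnect bursts cluster around the moments the clients come out of sleep.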