[Samba] After some time 4.3.9 Member Server in different Subnet than ADS controller loses trust

L.P.H. van Belle belle at bazuin.nl
Tue May 24 07:55:18 UTC 2016 

Upgrade to 4.4.3 that fixes a lot, like. 

> - net ads testjoin
>       > ads_connect: No logon servers
>       > Join to domain is not valid: No logon servers
>
> - wbinfo -g and wbinfo -u
>       > provide no output anymore.

And dont forget to setup the ldap certificate part as described in the change log of 4.4.2. 

Anyone should avoid the version 4.2.9-4.2.11 4.3.7-4.3.9 4.4.2 and lower.
That helps, after the big upgrade, some new bug entered. 
Most of them are fixed in the latest version 4.4.3.
I cant tell about the 4.2/4.3 versions.



Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Thomas Burger
> (tburger at eritron.de)
> Verzonden: dinsdag 24 mei 2016 9:26
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] After some time 4.3.9 Member Server in different Subnet
> than ADS controller loses trust
> 
> Hello everybody,
> 
> I hope someone can help me with this or point me into the right
> direction since I am not being able to solve it since weeks.
> 
> Since last year I was running Samba 4.1.6 on Ubuntu 14.04 LTS without
> issues as a active directory domain controller as well as member
> servers. Trouble started with the upgrade to Samba 4.3.8 (now 4.3.9).
> 
> The ADS controller and most member servers are sharing the same subnet.
> For
> security reasons I pushed one of the member servers into a DMZ. I am
> using Kerberos, Winbind and Samba to integrate to the ADS.
> What has worked with 4.1.6 seems not to work anymore with 4.3.8 and
> 4.3.9. While all member servers on the same subnet work fine the machine
> in the DMZ looses connection to the ADS after some time.
> 
> On the member server in the DMZ, from a shell I can successfully
> - obtain Kerberos tickets
> - join to the domain via (net ads join ...)
> - After join do a testjoin
> - obtain domain information
> - get users via >wbinfo -u< and groups via >wbinfo -g<
> - create a keytab file for kerberos ticket update
> 
> After some time (several hours, I found it hard to track) I experience
> the following issues:
> - net ads testjoin
>       > ads_connect: No logon servers
>       > Join to domain is not valid: No logon servers
> - wbinfo -g and wbinfo -u
>       > provide no output anymore.
> 
> What I checked and did not change situation:
> - name resolution (forward, backward, all ok to ADS controller as well
> as domain name)
> - disabled ALL firewall rules between the systems (ADS controller and
> member server)
> 
> 
> 
> 
> My kerberos configuration on the client looks like this:
> [libdefaults]
>           default_realm = DOMAIN.DE
>           dns_lookup_realm = false # also tried this to set to true
>           dns_lookup_kdc = true
> 
> [realms]
>       DOMAIN.DE = {
>           kdc = dc.domain.de
>           admin_server = dc.domain.de
>           master_kdc = dc.domain.de
>       }
> 
> [domain_realm]
>       domain.de = DOMAIN.DE
> 
> 
> This is the smb.conf:
> ######## GLOBAL
> [global]
>       #### GLOBAL SETTINGS
>       netbios name = HOSTNAME
>       server string = HOSTNAME
>       workgroup = DOMAIN
>       realm = DOMAIN.DE
>       server role = MEMBER SERVER
>       name resolve order = hosts wins bcast
> 
>       #### SECURITY SETTINGS
>       security = ads
>       allow trusted domains = Yes
>       map untrusted to domain = Yes
>       encrypt passwords = yes
>       client use spnego = yes
>       client ntlmv2 auth = yes
>       client ldap sasl wrapping = sign
>       restrict anonymous = 2
>       acl map full control = yes
> 
>       #### SERVER SETTINGS
>       dns proxy = yes
>       domain master = no
>       local master = no
>       preferred master = no
>       os level = 0
>       follow symlinks = yes
>       veto files =
> /.AppleDouble/.DS_Store/._.DS_Store/.fseventsd/.notfirsttime/.Spotlight-
> V100/.TemporaryItems/.Trash/.Trashes/Thumbs.db/thumbs.db/._*/~$*/System\
> 
> Volume\ Information/
>       delete veto files = yes
>       server min protocol = SMB2
>       server max protocol = SMB3
> 
>       #### KERBEROS
>       dedicated keytab file = /etc/krb5.keytab
>       kerberos method = secrets and keytab
> 
>       #### WINBIND CONFIGURATION
>       winbind enum users = yes
>       winbind enum groups = yes
>       winbind offline logon = no
>       winbind reconnect delay = 30
>       winbind refresh tickets = yes
>       winbind nested groups = yes
>       idmap config *:backend = tdb
>       idmap config *:range = 70001-80000
>       idmap config DOMAIN:backend = rid
>       idmap config DOMAIN:schema_mode = rfc2307
>       idmap config DOMAIN:range = 20000-40000
>       idmap cache time = 604800
>       winbind separator = /
>       winbind use default domain = no
>       #### HOME DIRECTORIES
>       template shell = /bin/bash
>       template homedir = /home/%U
> 
>       #### PRINTING
>       disable spoolss = yes
>       load printers = no
>       idmap_ldb:use rfc2307 = yes
> 
>       #### LOGGING
>       log level = 2
>       username level = 3
>       log file = /var/log/samba/log.%m
>       max log size = 50
>       syslog only = no
>       syslog = 2
>       panic action = /usr/share/samba/panic-action %d
> 
> 
> the resolv.conf:
> nameserver 10.14.11.5 # This is the ADS Controller
> nameserver 10.14.12.1 # This is an alternate nameserver
> search domain.de
> 
> 
> 
> 
> In /var/log/syslog I can see various messages that caught my attention
> but neither of those helped me in my research. DonĀ“t give to much about
> date/time. I just copied them as I found them:
> 
> 1. "Could not receive Trustdoms".
> May 16 06:58:43 hostname winbindd[820]: [2016/05/16 06:58:43.776831,  1]
> ../source3/winbindd/winbindd_util.c:351(trustdom_list_done)
> May 16 06:58:43 hostname winbindd[820]:   Could not receive trustdoms
> 
> 2. "Check connection to trusted domain"
> May 22 06:10:23 hostname winbindd[840]: [2016/05/22 06:10:23.784860,  0]
> ../source3/winbindd/winbindd_group.c:45(fill_grent)
> May 22 06:10:23 hostname winbindd[840]:   Failed to find domain 'Unix
> Group'. Check connection to trusted domains!
> 
> 3. This is indicating a name resolution issue but I have checked that
> already:
> May 22 06:44:52 hostname winbindd[24623]:   ads_find_dc: name resolution
> for realm 'domain.de' (domain 'DOMAIN') failed: NT_STATUS_NO_LOGON_SERVERS
> 
> 4. "failed to reconnect (No logon servers)"
> May 22 21:09:51 hostname winbindd[971]: [2016/05/22 21:09:51.487192,  1]
> ../source3/libads/ldap_utils.c:107(ads_do_search_retry_internal)
> May 22 21:09:51 hostname winbindd[971]:   ads_search_retry: failed to
> reconnect (No logon servers)
> 
> 5. "ads_connect for domain DOMAIN failed: No logon servers"
> May 22 21:10:07 hostname winbindd[971]: [2016/05/22 21:10:07.493461,  1]
> ../source3/winbindd/winbindd_ads.c:136(ads_cached_connection_connect)
> May 22 21:10:07 hostname winbindd[971]:   ads_connect for domain DOMAIN
> failed: No logon servers
> 
> 
> 
> 
> Any pointers are greatly appreciated.
> Best regards
> 
> Thomas
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list