[Samba] Samba 4 AD issues with RPC

Praveen Ghimire PGhimire at sundata.com.au
Wed Dec 6 04:55:03 UTC 2017


Hi Rowland,

Sorry, migration using BIND9_DLZ gives the same result

Not sure if the following from the migration is of a concern

Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3034, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3040, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3030, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3046, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3032, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3050, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3036, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3038, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3042, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
User root has been kept in the directory, it should be removed in favour of the Administrator user
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3048, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3010, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3028, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3062, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
Committing 'add users' transaction to disk
Adding users to groups
Committing 'add users to groups' transaction to disk
Setting password for administrator
Administrator password has been set to password of user 'root'
Processing section "[netlogon]"
Processing section "[sysvol]"
Module 'acl_xattr' loaded
Module 'dfs_samba4' loaded
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
Processing section "[netlogon]"
Processing section "[sysvol]"
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol


I've tested the DNS according to the Samba document; the SRV records for both the domain and the realm seem to work

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller


Have tried Server 2008 and Server 2012. In 2012 it comes up with "Verification of replica failed. The wizard cannot access the list of domains in the forest. The error is: An internal error occurred"

Just confirming that I am logged in as Domain Administrator and using those creds to run the AD Wizard and dcpromo. Also tried using both the realm and the domain when trying the dcpromo.

The following is the new smb.conf file. Have added bits about dns updates


[global]
        netbios name = TESTDC
        realm = TEST.LOCAL
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = TEST
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        dcerpc endpoint servers = +mapiproxy
        allow dns updates = nonsecure
[netlogon]
        path = /var/lib/samba/sysvol/test.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No


The following is the krb5.conf

[libdefaults]
        default_realm = TEST.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

service --status-all
 [ - ]  acpid
 [ + ]  apparmor
 [ + ]  apport
 [ + ]  atd
 [ + ]  bind9
 [ - ]  console-setup.sh
 [ + ]  cron
 [ - ]  cryptdisks
 [ - ]  cryptdisks-early
 [ + ]  dbus
 [ + ]  ebtables
 [ + ]  grub-common
 [ - ]  hwclock.sh
 [ - ]  irqbalance
 [ + ]  isc-dhcp-server
 [ + ]  iscsid
 [ - ]  keyboard-setup.sh
 [ + ]  kmod
 [ - ]  lvm2
 [ + ]  lvm2-lvmetad
 [ + ]  lvm2-lvmpolld
 [ + ]  lxcfs
 [ - ]  lxd
 [ - ]  mdadm
 [ - ]  mdadm-waitidle
 [ - ]  nmbd
 [ - ]  open-iscsi
 [ + ]  open-vm-tools
 [ - ]  plymouth
 [ - ]  plymouth-log
 [ + ]  procps
 [ - ]  rsync
 [ + ]  rsyslog
 [ + ]  samba-ad-dc
 [ - ]  screen-cleanup
 [ - ]  smbd
 [ + ]  ssh
 [ + ]  udev
 [ + ]  ufw
 [ + ]  unattended-upgrades
 [ - ]  uuidd


server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, mapiproxy

Any ideas?


Regards,

Praveen Ghimire
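As an added triage example (not code from this thread or from Samba itself), the Python below pulls the RIDs of the entries whose POSIX attributes were skipped out of the classicupgrade log above, so the empty loginShell values can be fixed in the source directory before re-running the upgrade, and audits the posted smb.conf for settings that weaken the new DC, flagging `allow dns updates = nonsecure` (Samba's default is `secure only`). The log excerpt and config are copied from the post; the check functions and their wording are assumptions of this example.

```python
import re
import configparser

# Excerpt of the classicupgrade output above (three lines are enough to show the shape).
UPGRADE_LOG = """\
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3034, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
User root has been kept in the directory, it should be removed in favour of the Administrator user
Could not add posix attrs for AD entry for sid=S-1-5-21-3936576374-1604348213-1812465911-3040, ((21, 'Element loginShell has empty attribute in ldb message ()!'))
"""

# Matches the "Could not add posix attrs" line; the last SID component is the RID.
POSIX_FAIL_RE = re.compile(
    r"Could not add posix attrs for AD entry for sid=(?P<domain>S-1-5-21-\d+-\d+-\d+)-(?P<rid>\d+), "
    r"\(\((?P<code>\d+), '(?P<msg>[^']*)'\)\)")


def failed_posix_entries(log_text):
    """Map RID -> error message for every entry whose POSIX attrs were skipped."""
    found = {}
    for line in log_text.splitlines():
        m = POSIX_FAIL_RE.search(line)
        if m:  # all entries share the domain SID, so the RID alone identifies the object
            found[int(m.group("rid"))] = m.group("msg")
    return found


# [global] section as posted above (share sections omitted; they are not audited here).
SMB_CONF = """\
[global]
        netbios name = TESTDC
        realm = TEST.LOCAL
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        dcerpc endpoint servers = +mapiproxy
        allow dns updates = nonsecure
"""


def audit_smb_conf(text):
    """Return a list of findings; an empty list means no weak DC setting was found."""
    # Only '=' separates keys from values: 'idmap_ldb:use rfc2307' contains a colon.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    # Strip indentation so configparser does not treat options as continuation lines.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    g = cp["global"]
    findings = []
    if g.get("server role", "").strip().lower() != "active directory domain controller":
        findings.append("server role is not 'active directory domain controller'")
    dns_updates = g.get("allow dns updates", "secure only").strip().lower()
    if dns_updates.startswith("nonsecure"):
        findings.append("allow dns updates = %s: unauthenticated clients can overwrite DNS "
                        "records; Samba's default 'secure only' is the safe choice" % dns_updates)
    return findings
```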








-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Tuesday, 5 December 2017 5:58 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4 AD issues with RPC

On Tue, 5 Dec 2017 05:08:24 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> 
> 
> Hi Guys,
> 
> Setup:
> 
> Versions: Samba: 4.6.7
>                 Bind9:   9.10.3
> 
> 
> Firewall disabled
> 
> AD Provision:
> 
> Migrated from samba 3 to 4 using classic upgrade.
> 
> samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir 
> --realm=TEST.LOCAL --dns-backend=BIND9_FLATFILE 
> /etc/samba.PDC/smb.PDC.conf
> 
> Any suggestions?
> 

Yes, Do not use BIND9_FLATFILE, it doesn't work.

Rowland

