[Samba] DRS stopped working after upgrade from debian Jessie to Stretch

Prunk Dump prunkdump at gmail.com
Mon Jun 19 20:13:48 UTC 2017


Hello Samba team !

I'm in a very delicate situation. After an upgrade to Debian Stretch
my DRS stopped working.

I have three DCs (fichdc, fichds01, fichds02), all Debian Stretch, all
with the same problem. Everything seems to be fine except DRS.
-> File shares works
-> DNS (with bind9 DLZ) works
-> "kinit administrator" works
-> "kinit -k FICHDC$" works
-> time synchronisation works
-> winbind works (with nsswitch)
-> domain controller "A" record resolves
-> domain controller "objectGuid CNAME" record resolves
-> nfsv4 share works using sec=krb5

But when I try a DRS connection:


--------------------------------
$ samba-tool drs showrepl -d 3
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name
fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
Wrong username or password: kinit for
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed
(Preauthentication failed)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:172.16.0.20[1024,seal,target_hostname=fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20]
NT_STATUS_LOGON_FAILURE
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr failed - drsException:
DRS connection to fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
failed: (-1073741715, 'Logon failure')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line
41, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54,
in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
--------------------------------


And in log.samba, here are the strange errors I have:


--------------------------------
resolve_lmhosts: Attempting lmhosts lookup for name
04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
Kerberos: AS-REQ FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR from
ipv4:172.16.0.20:41611 for
krbtgt/NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR at NET.LYC-GUILLAUME-FICHET.AC-G$
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data --
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Kerberos: Looking for ENC-TS pa-data --
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Kerberos: Failed to decrypt PA-DATA --
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (enctype
arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA --
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Wrong username or password: kinit for
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed
(Preauthentication failed)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:172.16.0.21[1024,seal,krb5,target_hostname=04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.net.lyc-
...
resolve_lmhosts: Attempting lmhosts lookup for name
6592eb58-739e-4b40-94c1-b96abde63d44._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
Kerberos: AS-REQ FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR from
ipv4:172.16.0.20:50934 for
krbtgt/NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR at NET.LYC-GUILLAUME-FICHET.AC-G$
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Wrong username or password: kinit for
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed
(Preauthentication failed)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:172.16.0.22[1024,seal,krb5,target_hostname=6592eb58-739e-4b40-94c1-b96abde63d44._msdcs.net.lyc-g
...
GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see
text): Failed to find
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab
FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
--------------------------------


This seems to be a computer account problem. But I can't find any
problem in Kerberos:


--------------------------------
# kinit -k FICHDC$
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR

Valid starting       Expires              Service principal
19/06/2017 22:05:54  20/06/2017 08:05:54
krbtgt/NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
    renew until 20/06/2017 22:05:54
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR


Here is my smb.conf:


--------------------------------
[global]
        log level = 3
        netbios aliases = sambaaccount sambaaccount.net.lyc-guillaume-fichet.ac-grenoble.fr
        load printers = yes
        workgroup = FICHNET
        realm = NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
        netbios name = FICHDC
        interfaces = lo, eth0
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/net.lyc-guillaume-fichet.ac-grenoble.fr/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
--------------------------------


A big thank you if someone can help me!

Baptiste.
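The KDC line "Failed to find FICHDC$@...(kvno 2) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)" names a specific keytab, principal, key version and enctype, while the `klist -k` shown above lists a different file (/etc/krb5.keytab). The following triage helper is an added example, not code from the post or from Samba: it parses that KDC complaint and an MIT `klist -ke` listing and reports what the listed keytab lacks, including the case where the listing is for the wrong keytab. The log line format (one line, as the daemon writes it), the `klist -ke` row layout and the realm EXAMPLE.REALM are assumptions; the sample inputs are constructed.

```python
import re
from collections import defaultdict
# Rows of MIT `klist -ke`, e.g. "   2 FICHDC$@REALM (arcfour-hmac)" (assumed layout)
KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
# The KDC complaint from log.samba, on one line as the daemon writes it (assumed)
KEYTAB_MISS = re.compile(r"Failed to find (?P<princ>\S+)\(kvno (?P<kvno>\d+)\) "
                         r"in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)")
# The Samba (Heimdal) KDC and MIT klist spell the RC4 enctype differently
ENCTYPE_ALIASES = {"arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac"}

def norm(enctype):
    return ENCTYPE_ALIASES.get(enctype.lower(), enctype.lower())

def parse_klist(text):
    """Return (keytab name, {principal: {(kvno, enctype), ...}}) from klist -ke output."""
    name, keys = None, defaultdict(set)
    for line in text.splitlines():
        if line.startswith("Keytab name:"):
            name = line.split()[2]
        m = KLIST_ROW.match(line)
        if m:
            keys[m.group(2)].add((int(m.group(1)), norm(m.group(3))))
    return name, dict(keys)

def diagnose(log, klist_text):
    """One finding per 'Failed to find ... in keytab' line, checked against the listing."""
    listed, keys = parse_klist(klist_text)
    findings = []
    for m in KEYTAB_MISS.finditer(log):
        princ, kvno, enc = m["princ"], int(m["kvno"]), norm(m["enctype"])
        have = keys.get(princ, set())
        kvnos = sorted({k for k, _ in have})
        if listed != m["keytab"]:
            reason = "listing is for %s, not the keytab the KDC reads" % listed
        elif kvno not in kvnos:
            reason = "kvno %d missing, keytab has kvno %s" % (kvno, kvnos)
        elif (kvno, enc) not in have:
            reason = "kvno %d present but without enctype %s" % (kvno, enc)
        else:
            reason = "entry present; the key material itself must differ"
        findings.append({"principal": princ, "kvno": kvno, "enctype": enc,
                         "keytab": m["keytab"], "have": kvnos, "reason": reason})
    return findings

# Constructed samples modelled on the post, with a placeholder realm
LOG = ("GSS server Update(krb5)(1) Update failed: Failed to find FICHDC$@EXAMPLE.REALM"
       "(kvno 2) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)\n")
SYSTEM_KT = ("Keytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n---- ----\n"
             "   1 FICHDC$@EXAMPLE.REALM (arcfour-hmac)\n   2 FICHDC$@EXAMPLE.REALM (arcfour-hmac)\n")
SECRETS_KT = ("Keytab name: FILE:/var/lib/samba/private/secrets.keytab\n"
              "KVNO Principal\n---- ----\n   1 FICHDC$@EXAMPLE.REALM (arcfour-hmac)\n")
```

Run `diagnose(LOG, SECRETS_KT)` against a listing of the keytab the KDC actually names to see whether the kvno 2 RC4 key is really absent there.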
