[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Prunk Dump
prunkdump at gmail.com
Wed Jun 21 09:57:20 UTC 2017
First, thank you all very much for studying my problem!!!
I have been using Samba (with Debian) for 5 years now with very good results! My network now has 3 Samba DCs, nearly 150 Debian Jessie domain members, and nearly 250 Windows 7 members. Fortunately it is a high school network and the students are now on vacation. But my network is now completely down, as machine account authentication doesn't work on the DC (I have checked; NFSv4 doesn't work anymore).
So first, here are the problems I needed to correct after the upgrade to Stretch:
-> Service configuration was not preserved. nmbd, smbd and winbind were started after the upgrade. I needed to disable them with systemctl and re-enable samba-ad-dc.
-> Bind9 DLZ doesn't work because it loads the wrong library "dlz_bind9_9.so". I needed to change it to "dlz_bind9_10.so" in the config file. But that is normal.
Next, my system information:
-----------------------------
HOSTS: Don't mind the "puppet" entry. I use puppet to configure all my DCs and all my Linux clients. But it is currently disabled during the update.
~# cat /etc/hosts
127.0.0.1 localhost
172.16.0.20 fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr fichdc
172.16.0.20 puppet.net.lyc-guillaume-fichet.ac-grenoble.fr puppet
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------------------------
NAME RESOLUTION: 172.16.0.20 is the IP of fichdc. DNS seems to work perfectly. I have done all the Samba Guide troubleshooting tests.
~# cat /etc/resolv.conf
domain net.lyc-guillaume-fichet.ac-grenoble.fr
nameserver 172.16.0.20
-----------------------------
WINBIND: winbind works perfectly on the DC, and winbind-nsswitch too.
~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
sudoers: files sss
-----------------------------
KERBEROS
~# ls -al /etc/krb5.conf
lrwxrwxrwx 1 root root 32 juin 30 2015 /etc/krb5.conf -> /var/lib/samba/private/krb5.conf
~# cat /var/lib/samba/private/krb5.conf
[libdefaults]
default_realm = NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
dns_lookup_realm = false
dns_lookup_kdc = true
-----------------------------
KEYTABS
I now have three versions of the machine keytab. Each one was put in /var/lib/samba/private/secrets.keytab but never solved the problem.
-> The one generated before the upgrade. kinit still works with it:
~# klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
root@fichdc:~# kinit -k -t /etc/krb5.keytab FICHDC$
-> The one located in /var/lib/samba/private/secrets.keytab. kinit does NOT work with it:
~# klist -e -k /var/lib/samba/private/secrets.keytab
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
~# kinit -k -t /var/lib/samba/private/secrets.keytab FICHDC$
kinit: Preauthentication failed while getting initial credentials
kinit: Preauthentication failed while getting initial credentials
-> The one generated with "samba-tool domain exportkeytab" after the upgrade. kinit works:
~# klist -e -k ./keytab_back/secrets.keytab
Keytab name: FILE:./keytab_back/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
2 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
2 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
2 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
2 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
2 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
2 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
~# kinit -k -t ./keytab_back/secrets.keytab FICHDC$
-----------------------------
DRS VAN-BELLE TEST!! Sadly the LDAP connection doesn't work between DCs.
~/samba_test_script# ./samba-check-db-repl.sh
No password for user FICHNET\Administrator was set in this script!
Please enter the password for FICHNET\Administrator :
Running with with console output
Checking the DC_With_FSMO (fichdc) with SAMBA DC:
fichds02.net.lyc-guillaume-fichet.ac-grenoble.fr
fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
Running : /usr/bin/samba-tool ldapcmp --filter='whenChanged,dc,cn'
ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
ldap://fichds02.net.lyc-guillaume-fichet.ac-grenoble.fr
Please wait.. this can take a while..
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C:
LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data
52e, v1db1> <>
Failed to connect to
'ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' with backend
'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr:
DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1>
<>
ERROR(ldb): uncaught exception - LDAP error 49
LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC,
comment: AcceptSecurityContext error, data 52e, v1db1> <>
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
line 962, in run
outf=self.outf, errf=self.errf)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
line 64, in __init__
options=ldb_options)
File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115,
in __init__
self.connect(url, flags, options)
Running : /usr/bin/samba-tool ldapcmp --filter='whenChanged,dc,cn'
ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
ldap://fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
Please wait.. this can take a while..
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C:
LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data
52e, v1db1> <>
Failed to connect to
'ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' with backend
'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr:
DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1>
<>
ERROR(ldb): uncaught exception - LDAP error 49
LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC,
comment: AcceptSecurityContext error, data 52e, v1db1> <>
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
line 962, in run
outf=self.outf, errf=self.errf)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
line 64, in __init__
options=ldb_options)
File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115,
in __init__
self.connect(url, flags, options)
.. Next check..
Running : samba-tool drs showrepl
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:172.16.0.20[1024,seal,target_hostname=fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20]
NT_STATUS_LOGON_FAILURE
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr failed - drsException:
DRS connection to fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
failed: (-1073741715, 'Logon failure')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line
41, in drsuapi_connect
(ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54,
in drsuapi_connect
raise drsException("DRS connection to %s failed: %s" % (server, e))
successes don't match
successes don't match
-----------------------------
SAMBA CONFIG: a very classic smb.conf. But it has not been regenerated since Samba 4.1. I use DFS with success.
~# cat /etc/samba/smb.conf
# Global parameters
[global]
netbios aliases = sambaaccount
sambaaccount.net.lyc-guillaume-fichet.ac-grenoble.fr
load printers = yes
workgroup = FICHNET
realm = NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
netbios name = FICHDC
interfaces = lo, eth0
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/net.lyc-guillaume-fichet.ac-grenoble.fr/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
include = /etc/samba/s4_shares.conf
include = /etc/samba/s4_printers.conf
~# cat /etc/samba/s4_shares.conf
[profiles_local]
path = /fichsamba/smbprofile
read only = No
browseable = No
[profiles]
path = /srv/dfs/profiles
read only = No
msdfs root = yes
[homes_local]
path = /fichsamba/smbhome
read only = No
browseable = No
[homes]
path = /srv/dfs/homes
read only = No
msdfs root = yes
~# cat /etc/samba/s4_printers.conf
[printers]
path = /var/spool/samba
printable = yes
printing = CUPS
[print$]
path = /srv/samba/Printer_drivers
comment = Printer Drivers
writeable = yes
-----------------------------
SAMBA PACKAGES:
~# apt-cache policy samba-dsdb-modules
samba-dsdb-modules:
Installé : 2:4.5.8+dfsg-2
Candidat : 2:4.5.8+dfsg-2
Table de version :
*** 2:4.5.8+dfsg-2 500
500 http://ftp.fr.debian.org/debian stretch/main amd64 Packages
100 /var/lib/dpkg/status
~# dpkg -l | egrep "samba|?mbd|winbind|nss|talloc|tevent|tdb|ldb"
rc ctdb 2.5.4+debian0-4+deb8u1
amd64 clustered database to store temporary data
ii insserv 1.14.0-5.4+b1
amd64 boot sequence organizer using LSB init.d script
dependency information
ii ldb-tools 2:1.1.27-1+b1
amd64 LDAP-like embedded database - tools
rc libapache2-mod-dnssd 0.6-3.1
amd64 Zeroconf support for Apache 2 via avahi
ii libgmpxx4ldbl:amd64 2:6.1.2+dfsg-1
amd64 Multiprecision arithmetic library (C++ bindings)
ii libgnutls-openssl27:amd64 3.5.8-5+deb9u1
amd64 GNU TLS library - OpenSSL wrapper
rc libgsl0ldbl 1.16+dfsg-2
amd64 GNU Scientific Library (GSL) -- library package
ii libhsqldb1.8.0-java 1.8.0.10+dfsg-7
all Java SQL database engine
ii libjansson4:amd64 2.9-1
amd64 C library for encoding, decoding and manipulating
JSON data
ii libldb-dev:amd64 2:1.1.27-1+b1
amd64 LDAP-like embedded database - development files
ii libldb1:amd64 2:1.1.27-1+b1
amd64 LDAP-like embedded database - shared library
ii libnss-mdns:amd64 0.10-8
amd64 NSS module for Multicast DNS name resolution
rc libnss-myhostname:amd64 0.3-9
amd64 nss module providing fallback resolution for the
current hostname
rc libnss-sss:amd64 1.11.7-3
amd64 Nss library for the System Security Services
Daemon
ii libnss-winbind:amd64 2:4.5.8+dfsg-2
amd64 Samba nameservice integration plugins
ii libnss3:amd64 2:3.26.2-1.1
amd64 Network Security Service libraries
ii libntdb-dev 1.0-9+b1
amd64 New Trivial Database - development files
ii libntdb1:amd64 1.0-9+b1
amd64 New Trivial Database - shared library
rc libqtdbus4:amd64
4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1 amd64 Qt 4 D-Bus module
library
ii libreoffice-sdbc-hsqldb 1:5.2.7-1
amd64 HSQLDB SDBC driver for LibreOffice
ii libsss-nss-idmap0 1.15.0-3
amd64 SID based lookups library for SSSD
ii libtalloc-dev 2.1.8-1
amd64 hierarchical pool based memory allocator -
development files
ii libtalloc2:amd64 2.1.8-1
amd64 hierarchical pool based memory allocator
ii libtdb-dev:amd64 1.3.11-2
amd64 Trivial Database - development files
ii libtdb1:amd64 1.3.11-2
amd64 Trivial Database - shared library
ii libtevent-dev:amd64 0.9.31-1
amd64 talloc-based event loop library - development
files
ii libtevent0:amd64 0.9.31-1
amd64 talloc-based event loop library - shared library
ii libwbclient0:amd64 2:4.5.8+dfsg-2
amd64 Samba winbind client library
ii openssh-client 1:7.4p1-10
amd64 secure shell (SSH) client, for secure access to
remote machines
ii openssh-server 1:7.4p1-10
amd64 secure shell (SSH) server, for secure access from
remote machines
ii openssh-sftp-server 1:7.4p1-10
amd64 secure shell (SSH) sftp server module, for SFTP
access from remote machines
ii openssl 1.1.0f-3
amd64 Secure Sockets Layer toolkit - cryptographic
utility
ii perl-openssl-defaults:amd64 3
amd64 version compatibility baseline for Perl OpenSSL
packages
ii python-ldb 2:1.1.27-1+b1
amd64 Python bindings for LDB
ii python-ldb-dev:amd64 2:1.1.27-1+b1
amd64 LDB Python bindings - development files
ii python-samba 2:4.5.8+dfsg-2
amd64 Python bindings for Samba
ii python-talloc 2.1.8-1
amd64 hierarchical pool based memory allocator - Python
bindings
ii python-talloc-dev 2.1.8-1
amd64 talloc Python bindings - development files
ii python-tdb 1.3.11-2
amd64 Python bindings for TDB
ii samba 2:4.5.8+dfsg-2
amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.5.8+dfsg-2
all common files used by both the Samba server and
client
ii samba-common-bin 2:4.5.8+dfsg-2
amd64 Samba common files used by both the server and
the client
ii samba-dsdb-modules 2:4.5.8+dfsg-2
amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.5.8+dfsg-2
amd64 Samba core libraries
ii samba-vfs-modules 2:4.5.8+dfsg-2
amd64 Samba Virtual FileSystem plugins
ii tdb-tools 1.3.11-2
amd64 Trivial Database - bundled binaries
ii winbind 2:4.5.8+dfsg-2
amd64 service to resolve user and group information
from Windows NT servers
-----------------------------
IDMAP: no static resolution
~# cat /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain
Domain = net.lyc-guillaume-fichet.ac-grenoble.fr
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = static,nsswitch
[Static]
-----------------------------
SAMBA VERSION CHANGES IN JESSIE.
You asked me about the two "forced" upgrades in Debian Jessie due to security patches that couldn't be applied to the Samba stable version.
At the start, Debian Jessie was shipped with Samba 4.1 (maybe 4.1.17).
1) After some important CVE patches that couldn't be applied to 4.1, the Debian team changed the Samba version to 4.2.10.
2) But this version introduced some regressions that were corrected by again changing the Samba version to 4.2.14.
-----------------------------
Thanks again!!!
Just a supposition. As my "/var/lib/samba/private/secrets.keytab" became "corrupted", maybe there are similar problems in "/var/lib/samba/private/secrets.tdb", no?
Where is the information needed by "samba-tool domain exportkeytab" stored?
Baptiste.
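The three klist listings in the post differ in one detail that explains the kinit failures: the keytab sitting in secrets.keytab only holds KVNO 1 entries for FICHDC$, while the freshly exported keytab holds KVNO 2, so the on-disk keytab predates the last machine-password change. As an added example (not code from the post, from Samba, or from the Van Belle script), the Python below parses the version-2 keytab format that MIT krb5, Heimdal and `samba-tool domain exportkeytab` all write, and reports every principal whose highest KVNO in a stored keytab lags behind a reference keytab. The realm EXAMPLE.TEST, the principals and the key bytes are constructed sample data, serialised in-process so the check runs offline; the `build_keytab` helper exists only to produce that sample.

```python
"""Added example: parse keytab files (format 0x0502, as written by MIT krb5,
Heimdal and samba-tool) and flag principals whose key version number (KVNO)
lags behind a reference keytab. Realm, principals and key bytes are constructed."""
import struct

ARCFOUR_HMAC = 23             # enctype numbers from RFC 4757 / RFC 3962
AES256_CTS_HMAC_SHA1_96 = 18


def _counted(b):
    """Encode a counted octet string: 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples into a
    version-2 keytab image. Used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for princ, realm, kvno, etype, key in entries:
        comps = princ.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">II", 1, 0)        # name_type=KRB5_NT_PRINCIPAL, timestamp=0
        body += bytes([kvno & 0xFF])             # 8-bit vno field
        body += struct.pack(">H", etype) + _counted(key)
        body += struct.pack(">I", kvno)          # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of (principal, realm, kvno, enctype) tuples.
    Key material is skipped over and never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot (hole)
            off += -size
            continue
        if size == 0:
            raise ValueError("malformed keytab: zero-length entry")
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c.decode())
        off += 8                     # name_type (4) + timestamp (4)
        kvno = data[off]
        off += 1
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        _key, off = _read_counted(data, off)
        if end - off >= 4:           # a non-zero 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append(("/".join(comps), realm.decode(), kvno, etype))
        off = end
    return entries


def newest_kvno(entries):
    """Map 'principal@REALM' to the highest KVNO present for it."""
    best = {}
    for princ, realm, kvno, _ in entries:
        name = f"{princ}@{realm}"
        best[name] = max(best.get(name, 0), kvno)
    return best


def stale_principals(stored, reference):
    """Principals whose highest KVNO in `stored` is below that in `reference`,
    mapped to (stored_kvno, reference_kvno). A lag means the account password
    rotated after `stored` was written, so kinit -k with it will fail."""
    s, r = newest_kvno(stored), newest_kvno(reference)
    return {p: (s[p], r[p]) for p in r if p in s and s[p] < r[p]}


# Constructed sample: the keytab left on disk carries KVNO 1, a fresh export
# carries KVNO 2 for the same principals (keys are dummy bytes).
STORED = build_keytab([
    ("DC01$", "EXAMPLE.TEST", 1, ARCFOUR_HMAC, b"\x11" * 16),
    ("host/dc01.example.test", "EXAMPLE.TEST", 1, AES256_CTS_HMAC_SHA1_96, b"\x22" * 32),
])
REFERENCE = build_keytab([
    ("DC01$", "EXAMPLE.TEST", 2, ARCFOUR_HMAC, b"\x33" * 16),
    ("host/dc01.example.test", "EXAMPLE.TEST", 2, AES256_CTS_HMAC_SHA1_96, b"\x44" * 32),
])

if __name__ == "__main__":
    for name, (old, new) in stale_principals(parse_keytab(STORED), parse_keytab(REFERENCE)).items():
        print(f"{name}: stored KVNO {old} < current KVNO {new}")
```

Against real files, read each keytab with `open(path, "rb").read()` and pass the on-disk secrets.keytab as `stored` and a freshly exported keytab as `reference`; any principal the function reports is one for which `kinit -k` with the stored file will be rejected at pre-authentication, exactly the symptom shown in the second listing above. The parser deliberately drops the key bytes so its output can be pasted into a ticket without leaking key material.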