[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
L.P.H. van Belle
belle at bazuin.nl
Wed Jun 21 10:41:52 UTC 2017
Hai,
Before you start,
Backup /etc/ and /var/lib/samba, better safe than sorry..
Stop samba and related services (check at least nmbd smbd winbind samba samba-ad-dc).
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Prunk Dump via samba
> Sent: Wednesday 21 June 2017 11:57
> To: samba at lists.samba.org
> Subject: Re: [Samba] DRS stopped working after upgrade from
> debian Jessie to Stretch
>
> First, thank you very much all for studying my problem !!!
>
> I'm using Samba (with Debian) for 5 years now with very good
> results! My network now has 3 Samba DCs, nearly 150 Debian
> Jessie domain members, and nearly 250 Windows 7 members.
> Fortunately it's a high school network and students are now
> on vacation. But my network is now completely down as machine
> account authentication doesn't work on the DC (I have checked,
> nfsv4 doesn't work anymore).
>
> So first, here are the problems I needed to correct after the
> upgrade to Stretch:
> -> Services configuration was not preserved. nmbd, smbd, winbind were
> started after the upgrade. I needed to disable them with
> systemctl and re-enable samba-ad-dc.
> -> Bind9 DLZ doesn't work because it loads the wrong library
> "dlz_bind9_9.so". I needed to change it to "dlz_bind9_10.so" in
> the config file. But that is normal.
>
> Next, my system information:
>
> -----------------------------
> HOSTS : Pay no attention to the "puppet" entry. I use puppet
> to configure all my DCs and all my Linux clients. But it's
> currently disabled during the update.
> ~# cat /etc/hosts
> 127.0.0.1 localhost
> 172.16.0.20 fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> fichdc
> 172.16.0.20
> puppet.net.lyc-guillaume-fichet.ac-grenoble.fr puppet
(better would be: create a CNAME in the dns and point that to the DC name)
For now, I also suggest you change this to:
/etc/hosts
127.0.0.1 localhost
172.16.0.20 fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr puppet.net.lyc-guillaume-fichet.ac-grenoble.fr fichdc puppet
We need to make sure the real hostname always matches the kerberos/dns hostnames.
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> -----------------------------
> NAME RESOLUTION : 172.16.0.20 is the IP of fichdc. DNS seems
> to work perfectly. I have made all the Samba Guide
> troubleshooting tests.
> ~# cat /etc/resolv.conf
> domain net.lyc-guillaume-fichet.ac-grenoble.fr
> nameserver 172.16.0.20
Well, here is a choice; I prefer to keep the debian settings, which would be:
(and yes Rowland, I know.. ;-) domain/search)
domain net.lyc-guillaume-fichet.ac-grenoble.fr
search net.lyc-guillaume-fichet.ac-grenoble.fr
nameserver 172.16.0.20
> -----------------------------
> WINBIND : winbind works perfectly on the DC and winbind-nsswitch too.
> ~# cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
> installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns
This can cause problems, change to:
hosts: files dns mdns4_minimal [NOTFOUND=return]
(or remove avahi-daemon and remove the part mdns4.. [NOT..)
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
> sudoers: files sss
> -----------------------------
> KERBEROS
> ~# ls -al /etc/krb5.conf
> lrwxrwxrwx 1 root root 32 juin 30 2015 /etc/krb5.conf -> /var/lib/samba/private/krb5.conf
> ~# cat /var/lib/samba/private/krb5.conf
> [libdefaults]
> default_realm = NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> dns_lookup_realm = false
> dns_lookup_kdc = true
> -----------------------------
> KEYTABS
> I now have three versions of the machine keytab. Each one
> was put in /var/lib/samba/private/secrets.keytab but never
> solved the problem.
>
> -> The one generated before the upgrade. kinit still works with it :
> ~# klist -e -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
> 1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
> 1 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
> 1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
> 1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
> 1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
> 2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
> 2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
> 2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
> 2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
> 2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
> 2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
> 2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
> 2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
> 2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
> 2 nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
> root at fichdc:~# kinit -k -t /etc/krb5.keytab FICHDC$
Ok, this one: remove all non-nfs entries.
ktutil
rkt /etc/krb5.keytab
list (check the line numbers)
delent <linenr>
wkt /etc/krb5.keytab
>
> -> The one located in /var/lib/samba/private/secrets.keytab. kinit
> does NOT work with it :
> ~# klist -e -k /var/lib/samba/private/secrets.keytab
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
> 1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
> 1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
> 1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
> 1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
> 1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
> 1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
> 1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
> 1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
> 1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
> 1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
> 1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
> 1 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
> 1 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
> 1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
> ~# kinit -k -t /var/lib/samba/private/secrets.keytab FICHDC$
> kinit: Preauthentication failed while getting initial credentials
Backup the old /var/lib/samba/private/secrets.keytab.
The one below here that works, place that one back.
! MAKE SURE YOU HAVE YOUR BACKUPS!
>
> -> The one generated with "samba-tool domain exportkeytab" after the
> upgrade. kinit works.
> ~# klist -e -k ./keytab_back/secrets.keytab
> Keytab name: FILE:./keytab_back/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
> 2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
> 2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
> 2 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
> 2 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
> 2 HOST/fichdc@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
> 2 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
> 2 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
> 2 HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
> ~# kinit -k -t ./keytab_back/secrets.keytab FICHDC$
> -----------------------------
> DRS VAN-BELLE TEST !! Sadly the LDAP connection doesn't work between DCs.
That is because the AD isn't started fully.
> ~/samba_test_script# ./samba-check-db-repl.sh
> No password for user FICHNET\Administrator was set in this script!
> Please enter the password for FICHNET\Administrator :
> Running with with console output
> Checking the DC_With_FSMO (fichdc) with SAMBA DC:
> fichds02.net.lyc-guillaume-fichet.ac-grenoble.fr
> fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
> Running : /usr/bin/samba-tool ldapcmp --filter='whenChanged,dc,cn'
> ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> ldap://fichds02.net.lyc-guillaume-fichet.ac-grenoble.fr
> Please wait.. this can take a while..
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C:
> LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error,
> data 52e, v1db1> <> Failed to connect to
> 'ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' with backend
> 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr:
> DSID-0C0904DC, comment: AcceptSecurityContext error, data
> 52e, v1db1> <>
> ERROR(ldb): uncaught exception - LDAP error 49
> LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC,
> comment: AcceptSecurityContext error, data 52e, v1db1> <>
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 176, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
> line 962, in run
> outf=self.outf, errf=self.errf)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
> line 64, in __init__
> options=ldb_options)
> File "/usr/lib/python2.7/dist-packages/samba/__init__.py",
> line 115, in __init__
> self.connect(url, flags, options)
>
> Running : /usr/bin/samba-tool ldapcmp --filter='whenChanged,dc,cn'
> ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> ldap://fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
> Please wait.. this can take a while..
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C:
> LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error,
> data 52e, v1db1> <> Failed to connect to
> 'ldap://fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' with backend
> 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr:
> DSID-0C0904DC, comment: AcceptSecurityContext error, data
> 52e, v1db1> <>
> ERROR(ldb): uncaught exception - LDAP error 49
> LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC,
> comment: AcceptSecurityContext error, data 52e, v1db1> <>
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 176, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
> line 962, in run
> outf=self.outf, errf=self.errf)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
> line 64, in __init__
> options=ldb_options)
> File "/usr/lib/python2.7/dist-packages/samba/__init__.py",
> line 115, in __init__
> self.connect(url, flags, options)
>
> .. Next check..
> Running : samba-tool drs showrepl
> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2
> for
> ncacn_ip_tcp:172.16.0.20[1024,seal,target_hostname=fichdc.net.
> lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235-4
> b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20]
> NT_STATUS_LOGON_FAILURE
> ERROR(<class 'samba.drs_utils.drsException'>): DRS connection
> to fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr failed -
> drsException:
> DRS connection to fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> failed: (-1073741715, 'Logon failure')
> File
> "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line
> 41, in drsuapi_connect
> (ctx.drsuapi, ctx.drsuapi_handle,
> ctx.bind_supported_extensions) =
> drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
> File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py",
> line 54, in drsuapi_connect
> raise drsException("DRS connection to %s failed: %s" %
> (server, e))
> successes don't match
> successes don't match
> -----------------------------
> SAMBA CONFIG : very classic smb.conf. But not regenerated
> since Samba 4.1. I use DFS with success.
I did read somewhere you used bind9_DLZ? If that's correct, then your smb.conf is not.
Then change this line (server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate) to:
server services = -dns
> ~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios aliases = sambaaccount
> sambaaccount.net.lyc-guillaume-fichet.ac-grenoble.fr
> load printers = yes
> workgroup = FICHNET
> realm = NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> netbios name = FICHDC
> interfaces = lo, eth0
> bind interfaces only = Yes
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path =
> /var/lib/samba/sysvol/net.lyc-guillaume-fichet.ac-grenoble.fr/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
For now disable these includes; first make sure everything starts working again.
> include = /etc/samba/s4_shares.conf
> include = /etc/samba/s4_printers.conf
>
> ~# cat /etc/samba/s4_shares.conf
> [profiles_local]
> path = /fichsamba/smbprofile
> read only = No
> browseable = No
>
> [profiles]
> path = /srv/dfs/profiles
> read only = No
> msdfs root = yes
>
> [homes_local]
> path = /fichsamba/smbhome
> read only = No
> browseable = No
>
> [homes]
> path = /srv/dfs/homes
> read only = No
> msdfs root = yes
>
> ~# cat /etc/samba/s4_printers.conf
> [printers]
> path = /var/spool/samba
> printable = yes
> printing = CUPS
>
> [print$]
> path = /srv/samba/Printer_drivers
> comment = Printer Drivers
> writeable = yes
> -----------------------------
> SAMBA PACKAGES :
> ~# apt-cache policy samba-dsdb-modules
> samba-dsdb-modules:
> Installé : 2:4.5.8+dfsg-2
> Candidat : 2:4.5.8+dfsg-2
> Table de version :
> *** 2:4.5.8+dfsg-2 500
> 500 http://ftp.fr.debian.org/debian stretch/main
> amd64 Packages
> 100 /var/lib/dpkg/status
>
> ~# dpkg -l | egrep "samba|?mbd|winbind|nss|talloc|tevent|tdb|ldb"
> rc ctdb 2.5.4+debian0-4+deb8u1
> amd64 clustered database to store temporary data
> ii insserv 1.14.0-5.4+b1
> amd64 boot sequence organizer using LSB init.d script
> dependency information
> ii ldb-tools 2:1.1.27-1+b1
> amd64 LDAP-like embedded database - tools
> rc libapache2-mod-dnssd 0.6-3.1
> amd64 Zeroconf support for Apache 2 via avahi
> ii libgmpxx4ldbl:amd64 2:6.1.2+dfsg-1
> amd64 Multiprecision arithmetic library (C++ bindings)
> ii libgnutls-openssl27:amd64 3.5.8-5+deb9u1
> amd64 GNU TLS library - OpenSSL wrapper
> rc libgsl0ldbl 1.16+dfsg-2
> amd64 GNU Scientific Library (GSL) -- library package
> ii libhsqldb1.8.0-java 1.8.0.10+dfsg-7
> all Java SQL database engine
> ii libjansson4:amd64 2.9-1
> amd64 C library for encoding, decoding and manipulating
> JSON data
> ii libldb-dev:amd64 2:1.1.27-1+b1
> amd64 LDAP-like embedded database - development files
> ii libldb1:amd64 2:1.1.27-1+b1
> amd64 LDAP-like embedded database - shared library
> ii libnss-mdns:amd64 0.10-8
> amd64 NSS module for Multicast DNS name resolution
> rc libnss-myhostname:amd64 0.3-9
> amd64 nss module providing fallback resolution for the
> current hostname
> rc libnss-sss:amd64 1.11.7-3
> amd64 Nss library for the System Security Services
> Daemon
> ii libnss-winbind:amd64 2:4.5.8+dfsg-2
> amd64 Samba nameservice integration plugins
> ii libnss3:amd64 2:3.26.2-1.1
> amd64 Network Security Service libraries
> ii libntdb-dev 1.0-9+b1
> amd64 New Trivial Database - development files
> ii libntdb1:amd64 1.0-9+b1
> amd64 New Trivial Database - shared library
> rc libqtdbus4:amd64
> 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1 amd64 Qt 4 D-Bus module
> library
> ii libreoffice-sdbc-hsqldb 1:5.2.7-1
> amd64 HSQLDB SDBC driver for LibreOffice
> ii libsss-nss-idmap0 1.15.0-3
> amd64 SID based lookups library for SSSD
> ii libtalloc-dev 2.1.8-1
> amd64 hierarchical pool based memory allocator -
> development files
> ii libtalloc2:amd64 2.1.8-1
> amd64 hierarchical pool based memory allocator
> ii libtdb-dev:amd64 1.3.11-2
> amd64 Trivial Database - development files
> ii libtdb1:amd64 1.3.11-2
> amd64 Trivial Database - shared library
> ii libtevent-dev:amd64 0.9.31-1
> amd64 talloc-based event loop library - development
> files
> ii libtevent0:amd64 0.9.31-1
> amd64 talloc-based event loop library - shared library
> ii libwbclient0:amd64 2:4.5.8+dfsg-2
> amd64 Samba winbind client library
> ii openssh-client 1:7.4p1-10
> amd64 secure shell (SSH) client, for secure access to
> remote machines
> ii openssh-server 1:7.4p1-10
> amd64 secure shell (SSH) server, for secure access from
> remote machines
> ii openssh-sftp-server 1:7.4p1-10
> amd64 secure shell (SSH) sftp server module, for SFTP
> access from remote machines
> ii openssl 1.1.0f-3
> amd64 Secure Sockets Layer toolkit - cryptographic
> utility
> ii perl-openssl-defaults:amd64 3
> amd64 version compatibility baseline for Perl OpenSSL
> packages
> ii python-ldb 2:1.1.27-1+b1
> amd64 Python bindings for LDB
> ii python-ldb-dev:amd64 2:1.1.27-1+b1
> amd64 LDB Python bindings - development files
> ii python-samba 2:4.5.8+dfsg-2
> amd64 Python bindings for Samba
> ii python-talloc 2.1.8-1
> amd64 hierarchical pool based memory allocator - Python
> bindings
> ii python-talloc-dev 2.1.8-1
> amd64 talloc Python bindings - development files
> ii python-tdb 1.3.11-2
> amd64 Python bindings for TDB
> ii samba 2:4.5.8+dfsg-2
> amd64 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:4.5.8+dfsg-2
> all common files used by both the Samba server and
> client
> ii samba-common-bin 2:4.5.8+dfsg-2
> amd64 Samba common files used by both the server and
> the client
> ii samba-dsdb-modules 2:4.5.8+dfsg-2
> amd64 Samba Directory Services Database
> ii samba-libs:amd64 2:4.5.8+dfsg-2
> amd64 Samba core libraries
> ii samba-vfs-modules 2:4.5.8+dfsg-2
> amd64 Samba Virtual FileSystem plugins
> ii tdb-tools 1.3.11-2
> amd64 Trivial Database - bundled binaries
> ii winbind 2:4.5.8+dfsg-2
> amd64 service to resolve user and group information
> from Windows NT servers
Are you using ctdb? If not: dpkg --purge ctdb
Are you using sssd? If not: dpkg --purge libnss-sss
And if not: libsss-nss-idmap0 is installed, remove it.
> -----------------------------
> IDMAP : no static resolution
> ~# cat /etc/idmapd.conf
> [General]
>
> Verbosity = 0
> Pipefs-Directory = /run/rpc_pipefs
> # set your own domain here, if id differs from FQDN minus hostname
> # Domain = localdomain
> Domain = net.lyc-guillaume-fichet.ac-grenoble.fr
>
> [Mapping]
>
> Nobody-User = nobody
> Nobody-Group = nogroup
>
> [Translation]
>
> Method = static,nsswitch
>
> [Static]
If you don't have [Static] definitions, change:
Method = nsswitch
For your NFS, create an entry root/SPN, export that one, place it in /etc/krb5.keytab. Or use the [Static].
But first fix AD, we can do this bit later on.
> -----------------------------
> SAMBA VERSION CHANGE IN JESSIE.
>
> You asked me about the two "forced" upgrades in Debian Jessie
> due to security patches that couldn't be applied to the Samba
> stable version.
> At start Debian Jessie was shipped with Samba 4.1 (maybe 4.1.17).
> 1) After some important CVE patch that couldn't be applied to
> 4.1, the Debian team changed the Samba version to 4.2.10.
> 2) But this version introduced some regressions that were
> corrected again by changing the samba version to 4.2.14.
> -----------------------------
>
>
> Thanks again !!!
>
> Just a supposition. As my "/var/lib/samba/private/secrets.keytab"
> became "corrupted", maybe there are similar problems in
> "/var/lib/samba/private/secrets.tdb", no?
>
> Where is the information needed by "samba-tool domain
> exportkeytab" stored?
I don't understand this question.
What I know is only this:
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/tdb.html
But I suspect that is outdated info.
>
>
> Baptiste.
>
Go try the changes and report back.
Greetz,
Louis
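Two of Louis's instructions above are easy to get wrong by hand: pruning the non-nfs entries out of /etc/krb5.keytab with ktutil (slot numbers shift as you delete) and ordering the "hosts:" line in /etc/nsswitch.conf. The script below is an added example, not code from the thread or from the Samba project. It assumes MIT ktutil (Debian's krb5-user), whose `wkt` adds entries to an existing file rather than replacing it, so it writes the pruned keytab to a new path; it assumes unwrapped `klist -e -k` output (one entry per line); and the function names and the EXAMPLE.NET sample listing are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): build a ktutil script that deletes every
# keytab entry whose principal does not match a keep pattern, and check the
# nsswitch "hosts:" ordering recommended above. Function names, the EXAMPLE.NET
# realm and the sample listing are constructed; MIT ktutil is assumed.

# Constructed klist output: two nfs/ service entries and two machine-account
# entries, in the same shape as the thread's listing.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/fichdc.example.net@EXAMPLE.NET (des-cbc-crc)
   1 FICHDC$@EXAMPLE.NET (des-cbc-crc)
   2 FICHDC$@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   2 nfs/fichdc.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)'

# ktutil_prune_script KEYTAB KEEP_REGEX   (klist -e -k output on stdin)
# Emits rkt / delent / wkt lines for ktutil. Slot numbers follow the order in
# which entries appear in klist, which is the order `ktutil list` shows after
# `rkt`. Deletions are emitted highest slot first: ktutil renumbers the
# remaining slots after each delent, so deleting low slots first would shift
# the later targets. The result goes to KEYTAB.pruned, because MIT ktutil's
# wkt appends to an existing file instead of replacing it.
ktutil_prune_script() {
    awk -v keytab="$1" -v keep="$2" '
        /^[ \t]*[0-9]+[ \t]+/ {          # entry lines start with a KVNO
            slot++
            if ($2 !~ keep) del[++n] = slot
        }
        END {
            print "rkt " keytab
            for (i = n; i >= 1; i--) print "delent " del[i]
            print "wkt " keytab ".pruned"
        }'
}

# nsswitch_hosts_ok "hosts: ..."  -> exit 0 when dns is consulted before any
# mdns source (or no mdns source is configured), exit 1 otherwise.
nsswitch_hosts_ok() {
    printf '%s\n' "$1" | awk '{
        dns = 0; mdns = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "dns" && !dns) dns = i
            if ($i ~ /^mdns/ && !mdns) mdns = i
        }
        exit ((mdns == 0 || (dns && dns < mdns)) ? 0 : 1)
    }'
}

# Demo on the constructed data. Real use: pipe `klist -e -k /etc/krb5.keytab`
# into ktutil_prune_script and feed the "hosts:" line of /etc/nsswitch.conf
# to nsswitch_hosts_ok.
printf '%s\n' "$SAMPLE_KLIST" | ktutil_prune_script /etc/krb5.keytab '^nfs/'
for line in 'hosts: files mdns4_minimal [NOTFOUND=return] dns' \
            'hosts: files dns mdns4_minimal [NOTFOUND=return]'; do
    if nsswitch_hosts_ok "$line"; then echo "ok:  $line"; else echo "fix: $line"; fi
done
```

On the sample the prune function emits `delent 3`, then `delent 2`, then `wkt /etc/krb5.keytab.pruned`. To apply it for real, save the output to a file, confirm the slot numbers against ktutil's own `list` output first (as Louis says), run `ktutil < prune.txt`, inspect the new file with `klist -e -k /etc/krb5.keytab.pruned`, and only then move it over the original, with the backup Louis insists on already taken.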