[Samba] DRS stopped working after upgrade from debian Jessie to Stretch

Rowland Penny rpenny at samba.org
Wed Jun 21 18:56:26 UTC 2017


On Wed, 21 Jun 2017 19:54:43 +0200
Prunk Dump via samba <samba at lists.samba.org> wrote:

> 2017-06-21 14:29 GMT+02:00 Prunk Dump <prunkdump at gmail.com>:
> > Thank you very much Louis, Rowland, Mike !
> >
> > I have made all the changes proposed by Louis but still have the
> > same problem.
> >
> > -> kinit works now with /var/lib/samba/private/secrets.keytab
> > ------------------------
> > ~# kinit -k -t /var/lib/samba/private/secrets.keytab FICHDC$
> > ~#
> > ------------------------
> >
> > -> but samba-tool authentication with the machine account fails:
> > ------------------------
> > ~# samba-tool time -P -d 8
> > INFO: Current debug levels:
> >   all: 8
> >   tdb: 8
> >   printdrivers: 8
> >   lanman: 8
> >   smb: 8
> >   rpc_parse: 8
> >   rpc_srv: 8
> >   rpc_cli: 8
> >   passdb: 8
> >   sam: 8
> >   auth: 8
> >   winbind: 8
> >   vfs: 8
> >   idmap: 8
> >   quota: 8
> >   acls: 8
> >   locking: 8
> >   msdfs: 8
> >   dmapi: 8
> >   registry: 8
> >   scavenger: 8
> >   dns: 8
> >   ldb: 8
> >   tevent: 8
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > pm_process() returned Yes
> > ldb_wrap open of secrets.ldb
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> > added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> > added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
> > added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> > added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> > added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
> > Mapped to DCERPC endpoint \pipe\srvsvc
> > added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> > added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> > added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
> > added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> > added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> > added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
> > resolve_lmhosts: Attempting lmhosts lookup for name fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
> > startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> > Socket options:
> >     SO_KEEPALIVE = 0
> >     SO_REUSEADDR = 0
> >     SO_BROADCAST = 0
> >     TCP_NODELAY = 1
> >     TCP_KEEPCNT = 9
> >     TCP_KEEPIDLE = 7200
> >     TCP_KEEPINTVL = 75
> >     IPTOS_LOWDELAY = 0
> >     IPTOS_THROUGHPUT = 0
> >     SO_REUSEPORT = 0
> >     SO_SNDBUF = 2626560
> >     SO_RCVBUF = 1061808
> >     SO_SNDLOWAT = 1
> >     SO_RCVLOWAT = 1
> >     SO_SNDTIMEO = 0
> >     SO_RCVTIMEO = 0
> >     TCP_QUICKACK = 1
> >     TCP_DEFER_ACCEPT = 0
> > Starting GENSEC mechanism spnego
> > Starting GENSEC submechanism gssapi_krb5
> > Received smb_krb5 packet of length 343
> > Received smb_krb5 packet of length 298
> > Failed to get kerberos credentials: kinit for
> > FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed
> > (Preauthentication failed)
> >
> > Wrong username or password: kinit for
> > FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed
> > (Preauthentication failed)
> >
> > SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> > Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
> > ERROR(runtime): uncaught exception - (-1073741715, "Connection to SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' failed: NT_STATUS_LOGON_FAILURE")
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py",
> > line 59, in run
> >     self.outf.write(net.time(server_name)+"\n")
> > ------------------------
> >
> > -> samba.log gives many errors like this:
> > ------------------------
> > [2017/06/21 14:20:35.371312,  0]
> > ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
> >   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
> > ncacn_ip_tcp:172.16.0.21[1024,seal,krb5,target_hostname=04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr,target_principal=GC/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235--4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20]
> > NT_STATUS_LOGON_FAILURE
> > ------------------------
> >
> > -> my msDS-SupportedEncryptionTypes value is 31? Is this bad?
> > ------------------------
> > ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDC)'
> > # record 1
> > dn: CN=FICHDC,OU=Domain
> > Controllers,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > objectClass: computer
> > cn: FICHDC
> > instanceType: 4
> > whenCreated: 20150630144451.0Z
> > uSNCreated: 3583
> > name: FICHDC
> > objectGUID: bfaf861f-1138-4597-beaa-c83722b86fcf
> > userAccountControl: 532480
> > badPwdCount: 0
> > codePage: 0
> > countryCode: 0
> > badPasswordTime: 0
> > lastLogoff: 0
> > localPolicyFlags: 0
> > primaryGroupID: 516
> > objectSid: S-1-5-21-2690787391-1809550003-4172065244-1000
> > accountExpires: 9223372036854775807
> > sAMAccountName: FICHDC$
> > sAMAccountType: 805306369
> > operatingSystem: Samba
> > operatingSystemVersion: 4.1.17-Debian
> > dNSHostName: fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> > objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> > isCriticalSystemObject: TRUE
> > rIDSetReferences: CN=RID Set,CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> > serverReferenceBL: CN=FICHDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> > msDS-SupportedEncryptionTypes: 31
> > pwdLastSet: 131423563752421340
> > servicePrincipalName: nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/FICHNET
> > servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/FICHNET
> > servicePrincipalName: GC/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: HOST/FICHDC
> > servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/b339b873-f01c-4672-8984-61e1e48422ea/net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: ldap/b339b873-f01c-4672-8984-61e1e48422ea._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: ldap/FICHDC
> > servicePrincipalName: RestrictedKrbHost/FICHDC
> > servicePrincipalName: RestrictedKrbHost/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/DomainDnsZones.net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/ForestDnsZones.net.lyc-guillaume-fichet.ac-grenoble.fr
> > lastLogonTimestamp: 131424581015653910
> > whenChanged: 20170620184821.0Z
> > uSNChanged: 12626339
> > lastLogon: 131425180561432210
> > logonCount: 70
> > distinguishedName: CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> >
> > # Referral
> > ref:
> > ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/CN=Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> >
> > # Referral
> > ref:
> > ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/DC=DomainDnsZones,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> >
> > # Referral
> > ref:
> > ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/DC=ForestDnsZones,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> >
> > # returned 4 records
> > # 1 entries
> > # 3 referrals
> > -------------------------------
> >
> >
> > Even if I increase the debug level, I could not get more info on the
> > Kerberos authentication.
> >
> > Thanks again !
> >
> > Baptiste.
> 
> I investigated further. Here is what I have found.
> 
> 1) I now know why kerberized NFS stopped working on "fichdc". An SPN
> disappeared from the Kerberos database! After the upgrade there is no
> "nfs/fichdc" credential anymore, so I can't export it into a keytab
> again. But strangely "nfs/fichds01" and "nfs/fichds02" are still working.
> To find the root of the problem I have not tried to delete/recreate
> the SPN yet.
> 
>  -------------------------------
> ~# samba-tool spn list nfs-fichdc
> nfs-fichdc
> User
> CN=nfs-fichdc,CN=Users,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> has the following servicePrincipalName:
> nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> 
> ~# kinit nfs-fichdc
> Password for nfs-fichdc at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR:
> kinit: Password incorrect while getting initial credentials
> 
> ~# kinit nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> kinit: Client
> 'nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR'
> not found in Kerberos database while getting initial credentials
> 
> ~# samba-tool spn list nfs-fichds01
> nfs-fichds01
> User
> CN=nfs-fichds01,CN=Users,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> has the following servicePrincipalName:
> nfs/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
> 
> ~# kinit nfs/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
> Password for
> nfs/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr at NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR:
> kinit: Password incorrect while getting initial credentials
> 
> ~# kinit -k -t /tmp/krb5.keytab
> nfs/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
> kinit: Password has expired while getting initial credentials
> (I think that the password expiration is normal, and kerberized nfs
> works on fichds01)
>  -------------------------------
> 
> 2) I don't know if this is a problem, but
> "msDS-SupportedEncryptionTypes" is not always present in the LDAP
> database:
> 
>  -------------------------------
> (first DC)
> ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDC)' | grep
> msDS-SupportedEncryptionTypes
> msDS-SupportedEncryptionTypes: 31
> 
> (second DC)
> ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDS01)' | grep
> msDS-SupportedEncryptionTypes
> msDS-SupportedEncryptionTypes: 31
> 
> (third DC)
> ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDS02)' | grep
> msDS-SupportedEncryptionTypes
> 
> (a windows7 client)
> ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=SVT06)' | grep
> msDS-SupportedEncryptionTypes
> 
> (another windows7 client)
> ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=C501-05)' | grep
> msDS-SupportedEncryptionTypes
> msDS-SupportedEncryptionTypes: 28
> 
> (all linux clients)
> ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=F511A01)' | grep
> msDS-SupportedEncryptionTypes
> 
>  -------------------------------
> 
> Does someone have an idea what could have made the SPN's credential
> disappear?
> 
> Thanks very much. It seems my issue is related to the kerberos
> database.
> 
> Baptiste.
> 

I would check the domain levels on the three DCs.
My two DCs and Linux machines all have '31' for
'msDS-SupportedEncryptionTypes', though a couple of Windows machines in
VMs have '28'.

I think the problem must be with your DC's machine password. I think you
will need to change it with 'chgkrbtgtpass', though I have no idea how
you use it; presumably you would change this line:

sys.path.insert(0, "bin/python")

To the same as you will find in the 'samba-tool' script.

I presume you then just run the script.

Perhaps Andrew would care to comment here.

I have no idea where your nfs SPN went to, but if it has disappeared on
all your DCs, then you will have to add it again.

Rowland
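The thread compares msDS-SupportedEncryptionTypes values of 31 (the DCs), 28 (a Windows 7 client) and no attribute at all. The following is an added example, not code from the thread or from Samba, that decodes that bitmask using the bit values defined for the attribute in MS-KILE and reports which of the advertised enctypes are weak; the sample LDIF records are constructed to mirror the values quoted above, with a shortened placeholder base DN.

```python
# Added example (not from the thread): decode the msDS-SupportedEncryptionTypes
# bitmask seen in the ldbsearch output and flag weak enctypes.
from typing import Optional

# Bit values for msDS-SupportedEncryptionTypes as defined in MS-KILE.
ENC_TYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
WEAK = {"DES_CBC_CRC", "DES_CBC_MD5", "RC4_HMAC"}


def decode_enc_types(value: Optional[int]) -> list:
    """Return enctype names for the bitmask; None means the attribute is absent
    (the KDC then applies its own default rather than an explicit list)."""
    if value is None:
        return ["<absent: KDC default applies>"]
    names = [name for bit, name in ENC_TYPE_BITS.items() if value & bit]
    leftover = value & ~sum(ENC_TYPE_BITS)   # bits outside the known set
    if leftover:
        names.append("UNKNOWN(0x%x)" % leftover)
    return names


def weak_enc_types(value: Optional[int]) -> list:
    """Sorted list of the weak enctypes an account advertises."""
    return sorted(n for n in decode_enc_types(value) if n in WEAK)


def parse_ldif_enc_types(ldif: str) -> Optional[int]:
    """Extract msDS-SupportedEncryptionTypes from one ldbsearch LDIF record."""
    for line in ldif.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip() == "msDS-SupportedEncryptionTypes":
            return int(val.strip())
    return None


# Constructed records mirroring the values quoted in the thread (placeholder DN).
SAMPLES = {
    "FICHDC": "dn: CN=FICHDC,OU=Domain Controllers,DC=example\nmsDS-SupportedEncryptionTypes: 31\n",
    "C501-05": "dn: CN=C501-05,CN=Computers,DC=example\nmsDS-SupportedEncryptionTypes: 28\n",
    "FICHDS02": "dn: CN=FICHDS02,OU=Domain Controllers,DC=example\n",
}

if __name__ == "__main__":
    for host, record in SAMPLES.items():
        v = parse_ldif_enc_types(record)
        print(host, v, decode_enc_types(v), "weak:", weak_enc_types(v))
```

Feeding real `ldbsearch` output into `parse_ldif_enc_types` shows at a glance which DCs still advertise DES (bits 1 and 2), which 31 does and 28 does not.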


