[Samba] Winbind Craziness
ray klassen
julius_ahenobarbus at yahoo.co.uk
Wed Aug 1 15:59:33 UTC 2018
Thanks in advance. here's the total firehose drink. I've obscured host, domain, subnet. Hope that will still work for you. Don't want all the info publicized.
klist -ket /var/lib/samba/private/secrets.keytab!! there is no /var/lib/samba/private/secrets.keytab
klist -ket /etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 07/31/2018 12:28:12 host/herman.obscured.domain.com at OBSCURED.DOMAIN.COM (des-cbc-crc)
2 07/31/2018 12:28:12 host/HERMAN at OBSCURED.DOMAIN.COM (des-cbc-crc)
2 07/31/2018 12:28:12 host/herman.obscured.domain.com at OBSCURED.DOMAIN.COM (des-cbc-md5)
2 07/31/2018 12:28:12 host/HERMAN at OBSCURED.DOMAIN.COM (des-cbc-md5)
2 07/31/2018 12:28:12 host/herman.obscured.domain.com at OBSCURED.DOMAIN.COM (aes128-cts-hmac-sha1-96)
2 07/31/2018 12:28:12 host/HERMAN at OBSCURED.DOMAIN.COM (aes128-cts-hmac-sha1-96)
2 07/31/2018 12:28:12 host/herman.obscured.domain.com at OBSCURED.DOMAIN.COM (aes256-cts-hmac-sha1-96)
2 07/31/2018 12:28:12 host/HERMAN at OBSCURED.DOMAIN.COM (aes256-cts-hmac-sha1-96)
2 07/31/2018 12:28:12 host/herman.obscured.domain.com at OBSCURED.DOMAIN.COM (arcfour-hmac)
2 07/31/2018 12:28:12 host/HERMAN at OBSCURED.DOMAIN.COM (arcfour-hmac)
2 07/31/2018 12:28:12 HERMAN$@OBSCURED.DOMAIN.COM (des-cbc-crc)
2 07/31/2018 12:28:12 HERMAN$@OBSCURED.DOMAIN.COM (des-cbc-md5)
2 07/31/2018 12:28:12 HERMAN$@OBSCURED.DOMAIN.COM (aes128-cts-hmac-sha1-96)
2 07/31/2018 12:28:12 HERMAN$@OBSCURED.DOMAIN.COM (aes256-cts-hmac-sha1-96)
2 07/31/2018 12:28:12 HERMAN$@OBSCURED.DOMAIN.COM (arcfour-hmac)
3 07/31/2018 12:37:15 host/herman.obscured.domain.com at OBSCURED.DOMAIN.COM (des-cbc-crc)
3 07/31/2018 12:37:15 host/HERMAN at OBSCURED.DOMAIN.COM (des-cbc-crc)
3 07/31/2018 12:37:15 host/herman.obscured.domain.com at OBSCURED.DOMAIN.COM (des-cbc-md5)
3 07/31/2018 12:37:15 host/HERMAN at OBSCURED.DOMAIN.COM (des-cbc-md5)
3 07/31/2018 12:37:15 host/herman.obscured.domain.com at OBSCURED.DOMAIN.COM (aes128-cts-hmac-sha1-96)
3 07/31/2018 12:37:15 host/HERMAN at OBSCURED.DOMAIN.COM (aes128-cts-hmac-sha1-96)
3 07/31/2018 12:37:15 host/herman.obscured.domain.com at OBSCURED.DOMAIN.COM (aes256-cts-hmac-sha1-96)
3 07/31/2018 12:37:15 host/HERMAN at OBSCURED.DOMAIN.COM (aes256-cts-hmac-sha1-96)
3 07/31/2018 12:37:15 host/herman.obscured.domain.com at OBSCURED.DOMAIN.COM (arcfour-hmac)
3 07/31/2018 12:37:15 host/HERMAN at OBSCURED.DOMAIN.COM (arcfour-hmac)
3 07/31/2018 12:37:15 HERMAN$@OBSCURED.DOMAIN.COM (des-cbc-crc)
3 07/31/2018 12:37:15 HERMAN$@OBSCURED.DOMAIN.COM (des-cbc-md5)
3 07/31/2018 12:37:15 HERMAN$@OBSCURED.DOMAIN.COM (aes128-cts-hmac-sha1-96)
3 07/31/2018 12:37:15 HERMAN$@OBSCURED.DOMAIN.COM (aes256-cts-hmac-sha1-96)
3 07/31/2018 12:37:15 HERMAN$@OBSCURED.DOMAIN.COM (arcfour-hmac)
klist
Ticket cache: FILE:/tmp/krb5cc_0Default principal: Administrator@ OBSCURED.DOMAIN.COM
Valid starting Expires Service principal
08/01/2018 08:49:53 08/01/2018 18:49:53 krbtgt/ OBSCURED.DOMAIN.COM@ OBSCURED.DOMAIN.COM
renew until 08/02/2018 08:49:51
kinit AdministratorPassword for Administrator at OBSCURED.DOMAIN.COM:
Warning: Your password will expire in 89 days on Tue 30 Oct 2018 08:49:44 AM PDT
3 DC's is linux samba 4.5.5 compiled from tarball1 DC samba 4.5.12-Debian distro-versions
Collected config --- 2018-08-01-08:27 -----------
Hostname: herman
DNS Domain: obscured.domain.com
FQDN: herman.obscured.domain.com
ipaddress: 10.10.1.11
-----------
Samba is running as a Unix domain member
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
Warning, /etc/devuan_version does not exist
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 04:7d:7b:41:55:d3 brd ff:ff:ff:ff:ff:ff
inet 10.10.1.11/24 brd 10.10.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 04:7d:7b:41:55:d4 brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
10.10.1.11 herman.obscured.domain.com herman
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
search obscured.domain.com
nameserver 10.10.1.14
nameserver 10.10.1.22
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = OBSCURED.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files winbind
group: files winbind
shadow: files winbind
gshadow: files
hosts: files dns
networks: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
[global]
#--authconfig--start-line--
# Generated by authconfig on 2014/10/11 12:17:38
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = DOMAIN
realm = OBSCURED.DOMAIN.COM
security = ADS
# idmap uid = 16777216-33554431
# idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = false
winbind offline logon = false
#--authconfig--end-line--
: workgroup = DOMAIN
netbios name = HERMAN
;realm = OBSCURED.DOMAIN.COM
;security = ADS
server string =
wins server = 10.10.1.14
# winbind rpc only = yes
# kerberos method = dedicated keytab
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
# winbind rpc only = yes
winbind refresh tickets = yes
# winbind max clients = 500
winbind max domain connections = 20
machine password timeout = 0
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 500-40000
idmap config *:backend = tdb
idmap config *:range = 70001-80000
domain master = no
local master = no
# name resolve order = wins bcast
name resolve order = lmhosts wins host bcast
printing = cups
printcap = cups
use client driver = no
utmp = yes
cups options = raw
load printers = yes
log file = /var/log/samba/log.%I
include = /etc/samba/smb.conf.%I
max log size = 100000
check password script = /usr/local/sbin/complexity.perl
encrypt passwords = yes
time server = Yes
enable privileges = yes
log level = 0
syslog = 0
mangling method = hash2
dos charset = 850
unix charset = ISO8859-1
username map = /etc/samba/smbusers
interfaces = eth0 lo
os level = 10
passwd chat timeout = 30
dns proxy = yes
;template shell = /bin/false
;winbind use default domain = no
spoolss: architecture = Windows x64
include = /etc/samba/smb.conf.client-%I
include = /etc/samba/shares.inc
-----------
Content of /etc/samba/smbusers
root = administrator
-----------
Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii acl 2.2.52-3+b1 amd64 Access control list utilities
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.15-1+deb9u1 all internationalization support for MIT Kerberos
ii krb5-multidev 1.15-1+deb9u1 amd64 development files for MIT Kerberos without Heimdal conflict
ii krb5-user 1.15-1+deb9u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1 amd64 Access control list shared library
ii libacl1-dev 2.2.52-3+b1 amd64 Access control list static libraries and headers
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.1.0+dfsg-13+deb9u2 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries
ii libkrb5-dev 1.15-1+deb9u1 amd64 headers and development libraries for MIT Kerberos
ii libkrb5support0:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.5.12+dfsg-2+deb9u2 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.5.12+dfsg-2+deb9u2 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.5.12+dfsg-2+deb9u2 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.5.12+dfsg-2+deb9u2 amd64 Samba winbind client library
ii python-samba 2:4.5.12+dfsg-2+deb9u2 amd64 Python bindings for Samba
ii samba 2:4.5.12+dfsg-2+deb9u2 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.5.12+dfsg-2+deb9u2 all common files used by both the Samba server and client
ii samba-common-bin 2:4.5.12+dfsg-2+deb9u2 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules 2:4.5.12+dfsg-2+deb9u2 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.5.12+dfsg-2+deb9u2 amd64 Samba core libraries
ii samba-vfs-modules 2:4.5.12+dfsg-2+deb9u2 amd64 Samba Virtual FileSystem plugins
rc sernet-samba 99:4.2.12-9 amd64 SMB/CIFS file, print, and login server for Unix
rc sernet-samba-common 99:4.2.12-9 all Samba common files used by both the server and the client
ii sernet-samba-keyring 1.5 all GnuPG archive keys of the SerNet Samba archive
rc sernet-samba-libs:amd64 99:4.2.12-9 amd64 Samba common library files used by both the server and the client
rc sernet-samba-libsmbclient0:amd64 99:4.2.12-9 amd64 Shared library that allows applications to talk to SMB servers
ii smbclient 2:4.5.12+dfsg-2+deb9u2 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.5.12+dfsg-2+deb9u2 amd64 service to resolve user and group information from Windows NT servers
-----------
On Wednesday, 1 August 2018, 00:44:07 GMT-7, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
Hai,
In addition to Rowlands question.
Can you run this script and post it to the list also.
It gives a complete overview of what your running.
Its basicly what Rowland asked, but with a few extra things.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
And the output of:
kinit Administrator
klist
klist -ket /var/lib/samba/private/secrets.keytab
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Rowland Penny via samba
> Verzonden: woensdag 1 augustus 2018 9:10
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Winbind Craziness
>
> On Tue, 31 Jul 2018 21:48:29 +0000 (UTC)
> ray klassen <julius_ahenobarbus at yahoo.co.uk> wrote:
>
> > so I'm going to ramble a bit because I need help
> desperately and I'm
> > slogging away on my own, but something I say might give someone an
> > idea. This whole thing seem to revolve around kerberos kvno's and
> > machine password changes. couple of days after violently recreating
> > the server people start to not be able to connect. today's debugging
> > turned up a mismatch between the kvno supplied by the keytab and the
> > one apparently required by smbd or winbindd or both. at present i've
> > opted for
> >
> > machine password timeout = 0 in smb.conf
> > and
> >
> > @weekly /usr/bin/net ads changetrustpw ; /usr/bin/net ads keytab
> > create -P in root's crontab
> > hopefully this will make a difference...
> >
> > On Tuesday, 31 July 2018, 10:31:23 GMT-7, ray klassen via samba
> > <samba at lists.samba.org> wrote:
> > Failed to find cifs/madmain at LAND.SUPERORG.COM(kvno 5) in keytab
> > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> >
> > so far nothing works forever.
> > the above error happens when the pc's are unable to connect
> to shares
> > net leave/join fixes the problem temporarily.
> >
> >
> > seems to relate to
> >
> > [Samba] Failed to find cifs/foo.bar in keytab MEMORY:cifs_srv_keytab
> > (arcfour-hmac-md5)]
> >
> >
> >
> >
> >
> >
> >
> > On Monday, 30 July 2018, 10:07:16 GMT-7, ray klassen via samba
> > <samba at lists.samba.org> wrote:
> >
> > thanks for your response.
> > Obviously lmhosts is not part of the equation anymore.
> > But I copied/pasted from something that worked to something that
> > didn't( I thought of clarifying this in a following email
> but didn't)
> > If there is no /etc/lmhosts I'm sure nothing will suffer for having
> > that parameter. DNS has been examined and re-examined. All the tests
> > described in the wiki have been performed and results are exactly
> > what is expected. Still trying to shoot this down. It's elusive. I
> > have windows clients who connect to shares and are presented with a
> > username password dialogue. Tentatively, it appears that simply
> > running winbind -tP solves the problem for them. So as a test I have
> > an hourly cron job that runs that on the server.
> >
> > On Saturday, 28 July 2018, 01:29:06 GMT-7, Rowland Penny via
> > samba <samba at lists.samba.org> wrote:
> > On Fri, 27 Jul 2018 21:25:04 +0000 (UTC)
> > ray klassen via samba <samba at lists.samba.org> wrote:
> >
> > > so I had some time to follow this bunny trailand found that even
> > > though all the other servers had no problems this one continued
> > > to.Every so often a new computer couldn't connect and
> then it would
> > > be all better after a net leave/net join. Net join would not work
> > > without -S <MyDC> in the command lineWhat I found out was
> that most
> > > net rpc commands such as net rpc testjoin would also fail
> without -S
> > > <MyDC> in the command linewhereas they would work find
> for any other
> > > box. I also noticed that a tdbtool dump of secrets.tdb was pretty
> > > nearly empty whereas other servers had lots of info.The difference
> > > was in the smb.conf line "name resolve order"
> > >
> > > earlier I had taken the advice (the more fool me, I guess) of the
> > > man page with recommends
> > >
> > > "name resolve order = wins bcast" in a AD environment.
> > > when I changed it back to
> > >
> > > "name resolve order = lmhosts wins host bcast"
> > >
> >
> > I think you should look at your dns ;-)
> >
> > I doubt whether you have a lmhosts file on the Samba
> server, so if you
> > remove that, the line becomes 'wins host bcast' and the only
> > difference between that and what you had, is 'host'.
> >
> > Rowland
> >
> >
>
> I have reviewed this thread and we have received very little info to
> work with. Yes, it is Samba 4.5.12 running on debian stretch, but how
> is it running ?
>
> Can you post the following files:
>
> /etc/hostname
> /etc/hosts
> /etc/resolv.conf
> /etc/krb5.conf
> smb.conf
>
> Also what is the DC ? Samba or Windows ?
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list