[Samba] Winbind Craziness

ray klassen julius_ahenobarbus at yahoo.co.uk
Wed Aug 1 15:59:33 UTC 2018


Thanks in advance. Here's the total firehose drink. I've obscured host, domain, subnet. Hope that will still work for you. Don't want all the info publicized.



klist -ket /var/lib/samba/private/secrets.keytab
!! There is no /var/lib/samba/private/secrets.keytab
klist -ket /etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/31/2018 12:28:12 host/herman.obscured.domain.com@OBSCURED.DOMAIN.COM (des-cbc-crc)
   2 07/31/2018 12:28:12 host/HERMAN@OBSCURED.DOMAIN.COM (des-cbc-crc)
   2 07/31/2018 12:28:12 host/herman.obscured.domain.com@OBSCURED.DOMAIN.COM (des-cbc-md5)
   2 07/31/2018 12:28:12 host/HERMAN@OBSCURED.DOMAIN.COM (des-cbc-md5)
   2 07/31/2018 12:28:12 host/herman.obscured.domain.com@OBSCURED.DOMAIN.COM (aes128-cts-hmac-sha1-96)
   2 07/31/2018 12:28:12 host/HERMAN@OBSCURED.DOMAIN.COM (aes128-cts-hmac-sha1-96)
   2 07/31/2018 12:28:12 host/herman.obscured.domain.com@OBSCURED.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 07/31/2018 12:28:12 host/HERMAN@OBSCURED.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 07/31/2018 12:28:12 host/herman.obscured.domain.com@OBSCURED.DOMAIN.COM (arcfour-hmac)
   2 07/31/2018 12:28:12 host/HERMAN@OBSCURED.DOMAIN.COM (arcfour-hmac)
   2 07/31/2018 12:28:12 HERMAN$@OBSCURED.DOMAIN.COM (des-cbc-crc)
   2 07/31/2018 12:28:12 HERMAN$@OBSCURED.DOMAIN.COM (des-cbc-md5)
   2 07/31/2018 12:28:12 HERMAN$@OBSCURED.DOMAIN.COM (aes128-cts-hmac-sha1-96)
   2 07/31/2018 12:28:12 HERMAN$@OBSCURED.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 07/31/2018 12:28:12 HERMAN$@OBSCURED.DOMAIN.COM (arcfour-hmac)
   3 07/31/2018 12:37:15 host/herman.obscured.domain.com@OBSCURED.DOMAIN.COM (des-cbc-crc)
   3 07/31/2018 12:37:15 host/HERMAN@OBSCURED.DOMAIN.COM (des-cbc-crc)
   3 07/31/2018 12:37:15 host/herman.obscured.domain.com@OBSCURED.DOMAIN.COM (des-cbc-md5)
   3 07/31/2018 12:37:15 host/HERMAN@OBSCURED.DOMAIN.COM (des-cbc-md5)
   3 07/31/2018 12:37:15 host/herman.obscured.domain.com@OBSCURED.DOMAIN.COM (aes128-cts-hmac-sha1-96)
   3 07/31/2018 12:37:15 host/HERMAN@OBSCURED.DOMAIN.COM (aes128-cts-hmac-sha1-96)
   3 07/31/2018 12:37:15 host/herman.obscured.domain.com@OBSCURED.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 07/31/2018 12:37:15 host/HERMAN@OBSCURED.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 07/31/2018 12:37:15 host/herman.obscured.domain.com@OBSCURED.DOMAIN.COM (arcfour-hmac)
   3 07/31/2018 12:37:15 host/HERMAN@OBSCURED.DOMAIN.COM (arcfour-hmac)
   3 07/31/2018 12:37:15 HERMAN$@OBSCURED.DOMAIN.COM (des-cbc-crc)
   3 07/31/2018 12:37:15 HERMAN$@OBSCURED.DOMAIN.COM (des-cbc-md5)
   3 07/31/2018 12:37:15 HERMAN$@OBSCURED.DOMAIN.COM (aes128-cts-hmac-sha1-96)
   3 07/31/2018 12:37:15 HERMAN$@OBSCURED.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 07/31/2018 12:37:15 HERMAN$@OBSCURED.DOMAIN.COM (arcfour-hmac)





klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@OBSCURED.DOMAIN.COM

Valid starting       Expires              Service principal
08/01/2018 08:49:53  08/01/2018 18:49:53  krbtgt/OBSCURED.DOMAIN.COM@OBSCURED.DOMAIN.COM
    renew until 08/02/2018 08:49:51



kinit Administrator
Password for Administrator@OBSCURED.DOMAIN.COM:
Warning: Your password will expire in 89 days on Tue 30 Oct 2018 08:49:44 AM PDT




3 DCs are Linux, Samba 4.5.5 compiled from tarball
1 DC Samba 4.5.12-Debian distro version

Collected config  --- 2018-08-01-08:27 -----------
Hostname: herman
DNS Domain: obscured.domain.com
FQDN: herman.obscured.domain.com
ipaddress: 10.10.1.11

-----------
Samba is running as a Unix domain member
Checking file: /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------

Warning, /etc/devuan_version does not exist

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 04:7d:7b:41:55:d3 brd ff:ff:ff:ff:ff:ff
    inet 10.10.1.11/24 brd 10.10.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 04:7d:7b:41:55:d4 brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts 
127.0.0.1    localhost
10.10.1.11    herman.obscured.domain.com    herman 

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------
Checking file: /etc/resolv.conf 
search obscured.domain.com
nameserver 10.10.1.14
nameserver 10.10.1.22

-----------
Checking file: /etc/krb5.conf 
[libdefaults]
    default_realm = OBSCURED.DOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

-----------
Checking file: /etc/nsswitch.conf 
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind
group:          files winbind
shadow:         files winbind
gshadow:        files

hosts:          files dns
networks:       files dns
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------
Checking file: /etc/samba/smb.conf 
[global]
#--authconfig--start-line--

# Generated by authconfig on 2014/10/11 12:17:38
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = DOMAIN
   realm = OBSCURED.DOMAIN.COM
   security = ADS
#   idmap uid = 16777216-33554431
#   idmap gid = 16777216-33554431
   template shell = /bin/false
   winbind use default domain = false
   winbind offline logon = false

#--authconfig--end-line--
: workgroup = DOMAIN
netbios name = HERMAN
;realm = OBSCURED.DOMAIN.COM
;security = ADS
server string = 
wins server = 10.10.1.14

# winbind rpc only = yes

# kerberos method = dedicated keytab
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab

winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
# winbind rpc only = yes
winbind refresh tickets = yes
# winbind max clients  = 500
winbind max domain connections = 20
machine password timeout = 0

idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 500-40000

idmap config *:backend = tdb
idmap config *:range = 70001-80000

domain master = no
local master = no

# name resolve order = wins bcast
name resolve order = lmhosts wins host bcast



printing = cups
printcap = cups
use client driver = no
utmp = yes
cups options = raw
load printers = yes
log file = /var/log/samba/log.%I
include = /etc/samba/smb.conf.%I
max log size = 100000
check password script = /usr/local/sbin/complexity.perl
encrypt passwords = yes
time server = Yes
enable privileges = yes
log level = 0
syslog = 0
mangling method = hash2
dos charset = 850
unix charset = ISO8859-1
username map = /etc/samba/smbusers
interfaces =  eth0 lo
os level = 10
passwd chat timeout = 30
dns proxy = yes
;template shell = /bin/false
;winbind use default domain = no
spoolss: architecture = Windows x64

include = /etc/samba/smb.conf.client-%I


include = /etc/samba/shares.inc


-----------
Content of /etc/samba/smbusers
root = administrator
-----------

Installed packages, running: dpkg -l | egrep "samba|winbind|krb5|smb|acl|xattr"
ii  acl                               2.2.52-3+b1                    amd64        Access control list utilities
ii  krb5-config                       2.6                            all          Configuration files for Kerberos Version 5
ii  krb5-locales                      1.15-1+deb9u1                  all          internationalization support for MIT Kerberos
ii  krb5-multidev                     1.15-1+deb9u1                  amd64        development files for MIT Kerberos without Heimdal conflict
ii  krb5-user                         1.15-1+deb9u1                  amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                     2.2.52-3+b1                    amd64        Access control list shared library
ii  libacl1-dev                       2.2.52-3+b1                    amd64        Access control list static libraries and headers
ii  libgssapi-krb5-2:amd64            1.15-1+deb9u1                  amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64          7.1.0+dfsg-13+deb9u2           amd64        Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                   1.15-1+deb9u1                  amd64        MIT Kerberos runtime libraries
ii  libkrb5-dev                       1.15-1+deb9u1                  amd64        headers and development libraries for MIT Kerberos
ii  libkrb5support0:amd64             1.15-1+deb9u1                  amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64              2:4.5.12+dfsg-2+deb9u2         amd64        Samba nameservice integration plugins
ii  libpam-winbind:amd64              2:4.5.12+dfsg-2+deb9u2         amd64        Windows domain authentication integration plugin
ii  libsmbclient:amd64                2:4.5.12+dfsg-2+deb9u2         amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64                2:4.5.12+dfsg-2+deb9u2         amd64        Samba winbind client library
ii  python-samba                      2:4.5.12+dfsg-2+deb9u2         amd64        Python bindings for Samba
ii  samba                             2:4.5.12+dfsg-2+deb9u2         amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                      2:4.5.12+dfsg-2+deb9u2         all          common files used by both the Samba server and client
ii  samba-common-bin                  2:4.5.12+dfsg-2+deb9u2         amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules                2:4.5.12+dfsg-2+deb9u2         amd64        Samba Directory Services Database
ii  samba-libs:amd64                  2:4.5.12+dfsg-2+deb9u2         amd64        Samba core libraries
ii  samba-vfs-modules                 2:4.5.12+dfsg-2+deb9u2         amd64        Samba Virtual FileSystem plugins
rc  sernet-samba                      99:4.2.12-9                    amd64        SMB/CIFS file, print, and login server for Unix
rc  sernet-samba-common               99:4.2.12-9                    all          Samba common files used by both the server and the client
ii  sernet-samba-keyring              1.5                            all          GnuPG archive keys of the SerNet Samba archive
rc  sernet-samba-libs:amd64           99:4.2.12-9                    amd64        Samba common library files used by both the server and the client
rc  sernet-samba-libsmbclient0:amd64  99:4.2.12-9                    amd64        Shared library that allows applications to talk to SMB servers
ii  smbclient                         2:4.5.12+dfsg-2+deb9u2         amd64        command-line SMB/CIFS clients for Unix
ii  winbind                           2:4.5.12+dfsg-2+deb9u2         amd64        service to resolve user and group information from Windows NT servers
-----------

On Wednesday, 1 August 2018, 00:44:07 GMT-7, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

Hai,

In addition to Rowland's question.

Can you run this script and post it to the list also.
It gives a complete overview of what you're running.
It's basically what Rowland asked, but with a few extra things.

https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh 

And the output of: 
kinit Administrator
klist 
klist -ket /var/lib/samba/private/secrets.keytab


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday 1 August 2018 9:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] Winbind Craziness
> 
> On Tue, 31 Jul 2018 21:48:29 +0000 (UTC)
> ray klassen <julius_ahenobarbus at yahoo.co.uk> wrote:
> 
> > so I'm going to ramble a bit because I need help desperately and I'm
> > slogging away on my own, but something I say might give someone an
> > idea. This whole thing seems to revolve around kerberos kvno's and
> > machine password changes. A couple of days after violently recreating
> > the server people start to not be able to connect. Today's debugging
> > turned up a mismatch between the kvno supplied by the keytab and the
> > one apparently required by smbd or winbindd or both. At present I've
> > opted for
> > 
> > machine password timeout = 0 in smb.conf
> > and
> > 
> > @weekly /usr/bin/net ads changetrustpw ; /usr/bin/net ads keytab
> > create -P in root's crontab
> > hopefully this will make a difference...
> > 
> >    On Tuesday, 31 July 2018, 10:31:23 GMT-7, ray klassen via samba
> > <samba at lists.samba.org> wrote: 
> > Failed to find cifs/madmain@LAND.SUPERORG.COM(kvno 5) in keytab
> > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> > 
> > So far nothing works forever.
> > The above error happens when the PCs are unable to connect to shares.
> > net leave/join fixes the problem temporarily.
> > 
> > 
> > seems to relate to 
> > 
> > [Samba] Failed to find cifs/foo.bar in keytab MEMORY:cifs_srv_keytab
> > (arcfour-hmac-md5)]
> > 
> >     On Monday, 30 July 2018, 10:07:16 GMT-7, ray klassen via samba
> > <samba at lists.samba.org> wrote: 
> > thanks for your response.
> > Obviously lmhosts is not part of the equation anymore.
> > But I copied/pasted from something that worked to something that
> > didn't (I thought of clarifying this in a following email but didn't).
> > If there is no /etc/lmhosts I'm sure nothing will suffer for having
> > that parameter. DNS has been examined and re-examined. All the tests
> > described in the wiki have been performed and results are exactly
> > what is expected. Still trying to shoot this down. It's elusive. I
> > have windows clients who connect to shares and are presented with a
> > username password dialogue. Tentatively, it appears that simply
> > running winbind -tP solves the problem for them. So as a test I have
> > an hourly cron job that runs that on the server.
> > 
> >     On Saturday, 28 July 2018, 01:29:06 GMT-7, Rowland Penny via
> > samba <samba at lists.samba.org> wrote: 
> >  On Fri, 27 Jul 2018 21:25:04 +0000 (UTC)
> > ray klassen via samba <samba at lists.samba.org> wrote:
> > 
> > > so I had some time to follow this bunny trail and found that even
> > > though all the other servers had no problems this one continued
> > > to. Every so often a new computer couldn't connect and then it would
> > > be all better after a net leave/net join. Net join would not work
> > > without -S <MyDC> in the command line. What I found out was that most
> > > net rpc commands such as net rpc testjoin would also fail without -S
> > > <MyDC> in the command line whereas they would work fine for any other
> > > box. I also noticed that a tdbtool dump of secrets.tdb was pretty
> > > nearly empty whereas other servers had lots of info. The difference
> > > was in the smb.conf line "name resolve order"
> > > 
> > > earlier I had taken the advice (the more fool me, I guess) of the
> > > man page which recommends
> > > 
> > > "name resolve order = wins bcast" in an AD environment.
> > > when I changed it back to
> > > 
> > > "name resolve order = lmhosts wins host bcast"
> > > 
> > 
> > I think you should look at your dns ;-)
> > 
> > I doubt whether you have an lmhosts file on the Samba server, so if you
> > remove that, the line becomes 'wins host bcast' and the only
> > difference between that and what you had, is 'host'.
> > 
> > Rowland
> > 
> 
> I have reviewed this thread and we have received very little info to
> work with. Yes, it is Samba 4.5.12 running on debian stretch, but how
> is it running ?
> 
> Can you post the following files:
> 
> /etc/hostname
> /etc/hosts
> /etc/resolv.conf
> /etc/krb5.conf
> smb.conf
> 
> Also what is the DC ? Samba or Windows ?
> 
> Rowland
>  
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 


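A keytab-consistency check for the KVNO mismatch this thread is chasing, added here as an example; it is not code from the thread or from the Samba project. It parses `klist -ket` output (the sample below is constructed from the listing posted above, with the archive's " at " restored to "@"), reports the newest KVNO per principal, performs the exact (principal, kvno, enctype) lookup behind the "Failed to find ... (kvno 5) in keytab" error, and compares the keytab against the KVNO the domain currently reports. The `ad_kvno_by_principal` input is assumed to be obtained separately, for instance from the computer object's msDS-KeyVersionNumber attribute; all function and variable names are my own.

```python
import re

# Constructed sample of `klist -ket` output, modelled on the listing in the thread
# (two key generations, kvno 2 and 3, for the same principals).
SAMPLE_KLIST = """\
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/31/2018 12:28:12 host/herman.obscured.domain.com@OBSCURED.DOMAIN.COM (des-cbc-crc)
   2 07/31/2018 12:28:12 host/herman.obscured.domain.com@OBSCURED.DOMAIN.COM (arcfour-hmac)
   2 07/31/2018 12:28:12 HERMAN$@OBSCURED.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 07/31/2018 12:37:15 host/herman.obscured.domain.com@OBSCURED.DOMAIN.COM (des-cbc-crc)
   3 07/31/2018 12:37:15 host/herman.obscured.domain.com@OBSCURED.DOMAIN.COM (arcfour-hmac)
   3 07/31/2018 12:37:15 host/herman.obscured.domain.com@OBSCURED.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 07/31/2018 12:37:15 HERMAN$@OBSCURED.DOMAIN.COM (aes256-cts-hmac-sha1-96)
"""

HOST_PRINC = "host/herman.obscured.domain.com@OBSCURED.DOMAIN.COM"
MACHINE_PRINC = "HERMAN$@OBSCURED.DOMAIN.COM"

# Single-DES enctypes: MIT Kerberos 1.15 (the version in the dpkg listing) ignores
# them unless allow_weak_crypto is set, so they are dead weight in the keytab.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}

# One entry line: kvno, date, time, principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return a list of (kvno, principal, enctype) tuples from `klist -ket` output.
    The mailing-list archive renders '@' as ' at '; that is undone first."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.replace(" at ", "@"))
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def newest_kvno(entries):
    """Map each principal to the highest KVNO present in the keytab."""
    newest = {}
    for kvno, princ, _ in entries:
        newest[princ] = max(newest.get(princ, 0), kvno)
    return newest


def has_key(entries, principal, kvno, enctype):
    """The lookup behind the thread's error message: is there a key for exactly
    this principal, this KVNO and this enctype?"""
    return (kvno, principal, enctype) in entries


def audit(text, ad_kvno_by_principal):
    """Compare the keytab with the KVNO the domain currently reports per principal
    (assumed to be read separately, e.g. from msDS-KeyVersionNumber) and flag
    drift and weak keys. Returns a list of human-readable findings."""
    entries = parse_klist(text)
    newest = newest_kvno(entries)
    findings = []
    for princ, ad_kvno in ad_kvno_by_principal.items():
        local = newest.get(princ)
        if local is None:
            findings.append(f"{princ}: no key in keytab")
        elif local < ad_kvno:
            # The state behind "Failed to find ... (kvno N) in keytab": the machine
            # password was rotated but the keytab was not regenerated afterwards.
            findings.append(f"{princ}: keytab newest kvno {local} < domain kvno {ad_kvno}")
        elif local > ad_kvno:
            findings.append(f"{princ}: keytab kvno {local} is ahead of domain kvno {ad_kvno}")
    for kvno, princ, enc in sorted(set(entries)):
        if enc in WEAK_ENCTYPES:
            findings.append(f"{princ} kvno {kvno}: weak enctype {enc} present")
    return findings


if __name__ == "__main__":
    # Constructed scenario: the domain has rotated the host key to kvno 5, as in the
    # thread's error, while the keytab still stops at kvno 3.
    for finding in audit(SAMPLE_KLIST, {HOST_PRINC: 5, MACHINE_PRINC: 3}):
        print(finding)
```

Run it against real `klist -ket /etc/krb5.keytab` output from a cron job and alert on any "keytab newest kvno ... < domain kvno" finding; that condition is the point at which clients start getting the credentials dialogue, and catching it before they do is cheaper than a leave/join.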