[Samba] User Permissions issue
Denis Cardon
dcardon at tranquil.it
Wed Jan 17 11:21:21 UTC 2018
Hi Harsh,
> Thanks for the suggestion to trim the smb.conf, after which DC-1 is
> connecting to the Windows Server 2008 shared folder with
> smbclient -k //IUMSVRAPP01/Pastel12 -d 9
> and DC-2 is also connecting after using the DNS name of the Windows server.
>
> You'd better switch your DNS to Bind-DLZ. Internal DNS is not that good
> for larger sites (looking at your DNS domain name, I guess it might be a
> university). You can take a look there [1]
> Yes, you are right, we are a university which is growing every year and I
> want to switch from the internal DNS to BIND-DLZ. I will follow the
> instructions given in your wiki link, but before doing so I would like to
> clear up a few doubts:
> 1. Can I migrate from internal DNS to Bind-DLZ in a running Samba environment?
> 2. Will it migrate all the current DNS records?
> 3. Do I have to do the same migration for the other Samba DCs in the network?
> 4. I also have a Samba RODC in the network, so do I have to migrate it from
> internal DNS to Bind-DLZ?
> 5. Do I have to install the Bind-DLZ package on a different machine, or
> can it be installed on the same Samba machine?
>
> samba-tool drs showrepl on DC-1 is replicating successfully except for
> below under INBOUND NEIGHBOR:
>
> DC=iumnet,DC=edu,DC=na
> Default-First-Site-Name\IUMSVRPDC via RPC
> DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
> Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed,
> result 58 (WERR_BAD_NET_RESP)
> 17863 consecutive failure(s).
> Last success @ Sat Jan 13 23:16:52 2018 WAST
>
> This is probably your error. Replication of your main partition is not
> working. Domain members are changing their machine password once a month.
> If it has been changed on one of the servers, but the replication didn't
> go through to the other, it is normal to get the failure you are having.
>
> You should look at your Samba log when trying replication for that
> partition. There is probably a corrupted entry somewhere that is
> preventing replication.
>
> Can you please give a few steps on how to check the DRS replication logs,
> find the corrupted entry and remove it?
>
> Also, I am trying to remove one offline RODC which I joined last month
> for testing, using the command below, which is failing:
> samba-tool domain demote --remove-other-dead-server='iumong-rodc.iumnet.edu.na' -UAdministrator
> ERROR: Demote failed: DemoteException: iumong-rodc.iumnet.edu.na is not an AD DC in iumnet.edu.na
> A transaction is still active in ldb context [0x22b0b20] on tdb:///var/lib/samba/private/sam.ldb
Like Rowland said previously, you should remove all RODCs that have been
installed prior to Samba 4.7. There are many fixes that have been added
since 4.6.
I just demoted a DC on my test network to print you out the list of
entries. You'll find the list of entries to remove below; there may be
missing entries because it is a RODC, I'll let you handle that :-)
Moreover, you may upgrade all your DCs to 4.7.4; it handles the removal of
dead repsFrom/repsTo after removal of a DC better, and those are harder to
delete by hand.
Cheers,
Denis
Removing nTDSConnection: CN=bcc8c224-6a9f-4103-8888-e558b91dcdb1,CN=NTDS Settings,CN=SRVADS,CN=Servers,CN=saint-seb,CN=Sites,CN=Configuration,DC=test,DC=tranquil,DC=it
Removing nTDSDSA: CN=NTDS Settings,CN=WIN-6814UGPEM27,CN=Servers,CN=saint-seb,CN=Sites,CN=Configuration,DC=test,DC=tranquil,DC=it (and any children)
Removing RID Set: CN=RID Set,CN=WIN-6814UGPEM27,OU=Domain Controllers,DC=test,DC=tranquil,DC=it
Removing computer account: CN=WIN-6814UGPEM27,OU=Domain Controllers,DC=test,DC=tranquil,DC=it (and any child objects)
updating test.tranquil.it keeping 6 values, removing 1 values
updating ForestDnsZones.test.tranquil.it keeping 2 values, removing 1 values
updating DomainDnsZones.test.tranquil.it keeping 2 values, removing 1 values
updating DC=67,DC=149.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 0 values, removing 1 values
updating DC=@,DC=149.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=@,DC=151.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=@,DC=0.149.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_ldap._tcp.saint-seb._sites.DomainDnsZones,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_ldap._tcp.saint-seb._sites.ForestDnsZones,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_kerberos._tcp.saint-seb._sites,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_ldap._tcp.saint-seb._sites,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_gc._tcp.saint-seb._sites,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_ldap._tcp.DomainDnsZones,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_ldap._tcp.ForestDnsZones,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_kerberos._tcp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_kerberos._udp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_kpasswd._tcp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_kpasswd._udp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_ldap._tcp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_gc._tcp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=@,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 5 values, removing 1 values
updating DC=_ldap._tcp.7158087d-44be-436a-897b-ea76ba39cf5f.domains,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=d976907c-3f56-4ab7-9ee1-3cbb3a9acc29,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 0 values, removing 1 values
updating DC=_kerberos._tcp.saint-seb._sites.dc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_ldap._tcp.saint-seb._sites.dc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_ldap._tcp.saint-seb._sites.gc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_kerberos._tcp.dc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_ldap._tcp.dc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_ldap._tcp.gc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=@,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 3 values, removing 1 values
Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=Enterprise,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=test,DC=tranquil,DC=it
Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=test.tranquil.it,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=test,DC=tranquil,DC=it
Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System,DC=test,DC=tranquil,DC=it
Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=test,DC=tranquil,DC=it
>
> Also, I am trying to remove the offline RODC record manually, which is failing:
> ldbedit -e nano -H tdb:///var/lib/samba/private/sam.ldb 'IUMONG-RODC'
> failed to delete CN=IUMONG-RODC,OU=Domain Controllers,DC=iumnet,DC=edu,DC=na -
> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3643: Failed to
> remove backlink of msDS-RevealedDSAs when deleting
> CN=IUMONG-RODC,OU=Domain Controllers,DC=iumnet,DC=edu,DC=na: (null)
>
> How can I manually remove the records for the offline DC?
>
> Regards
>
> Harsh
>
> Harsh Kukreja, Systems Administrator
> International University of Namibia - Tel: 061-4336000 -
> E-mail: h.kukreja at ium.edu.na - Web: http://www.ium.edu.na
> Private Bag 14005, Bachbrech. 21-31 Hercules Street, Dorado Park,
> Windhoek, NAMIBIA
>
> On Tue, Jan 16, 2018 at 3:31 PM, Denis Cardon <dcardon at tranquil.it> wrote:
>
> Hi Harsh,
>
>
> Thanks for your advice, I will not use these wordings here.
>
>
> thanks!
>
> Please check the result below when I run the command on the DC-1 when
> DC-2 is off or on:
> smbclient -k //IUMSVRAPP01/Pastel12 -d 9
>
> > ...
>
> session setup failed: NT_STATUS_INVALID_PARAMETER_MIX
>
>
> Looking at this message, I would start with doing some cleanup in
> your smb.conf. I would trim your smb.conf like below:
>
> Here is the smb.conf dump from DC-1:
> # Global parameters
>
> [global]
> workgroup = IUMNET
> realm = IUMNET.EDU.NA
> netbios name = IUMDCDP01
> server role = active directory domain controller
> dns forwarder = 172.16.10.254
> allow dns updates = nonsecure and secure
> ntlm auth = yes
> client use spnego = no
> client ldap sasl wrapping = sign
> ldap server require strong auth = no
> full_audit:prefix = %u|%I|%m|%S
> full_audit:failure = connect
> full_audit:success = connect disconnect
> log level = 9 dns:0
>
> [netlogon]
> path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
> read only = No
> browsable = no
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> You'd better switch your DNS to Bind-DLZ. Internal DNS is not that
> good for larger sites (looking at your DNS domain name, I guess it
> might be a university). You can take a look there [1]
>
> And I wouldn't store anything other than AD stuff on an AD DC like below:
>
> [softshare]
> path = /home/administrator/ad
> read only = No
>
> When I ran the same command on DC-2 (Samba 4.7.4):
>
> smbclient -k //172.16.10.21/Pastel12 -d 9
>
>
> When doing Kerberos authentication, you shouldn't use an IP address,
> otherwise Kerberos won't work. Try it again with the real DNS name.
>
> > ...
>
> got OID=1.2.840.48018.1.2.2
> Kerberos auth with 'administrator@IUMNET.EDU.NA' (IUMNET\root) to access
> '172.16.10.21' not possible
> SPNEGO login failed: {Access Denied} A process has requested access to
> an object but has not been granted those access rights.
> session setup failed: NT_STATUS_ACCESS_DENIED
>
>
> You can cleanup your smb.conf the same way as pointed before.
>
> Here is the smb.conf dump from DC-2:
>
> # Global parameters
> [global]
> netbios name = IUMSVRPDC
> realm = IUMNET.EDU.NA
>
> workgroup = IUMNET
> server role = active directory domain controller
> dns forwarder = 172.16.10.254
> # server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
> allow dns updates = nonsecure and secure
> ntlm auth = yes
> ldap server require strong auth = no
> time server = Yes
> template shell = /bin/bash
> template homedir = /home/%U
> # idmap config * : backend = tdb
> # idmap config *:range = 50000-1000000
> full_audit:prefix = %u|%I|%m|%S
> full_audit:failure = connect
> full_audit:success = connect disconnect
> tls enabled = yes
> tls keyfile = tls/key.pem
> tls certfile = tls/cert.pem
> tls cafile = tls/ca.pem
> log level = 9 dns:0
>
> [netlogon]
> path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
> read only = No
> browsable = no
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> samba-tool drs showrepl on DC-1 is replicating successfully except for
> below under INBOUND NEIGHBOR:
>
> DC=iumnet,DC=edu,DC=na
> Default-First-Site-Name\IUMSVRPDC via RPC
> DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
> Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed,
> result 58 (WERR_BAD_NET_RESP)
> 17863 consecutive failure(s).
> Last success @ Sat Jan 13 23:16:52 2018 WAST
>
> This is probably your error. Replication of your main partition is
> not working. Domain members are changing their machine password once
> a month. If it has been changed on one of the servers, but the
> replication didn't go through to the other, it is normal to get
> the failure you are having.
>
> You should look at your Samba log when trying replication for that
> partition. There is probably a corrupted entry somewhere that is
> preventing replication.
>
>
> samba-tool drs showrepl on DC-2 is replicating successfully except for
> below under INBOUND NEIGHBOR:
>
> CN=Configuration,DC=iumnet,DC=edu,DC=na
> Default-First-Site-Name\IUMDCDP01 via RPC
> DSA object GUID: 8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe
> Last attempt @ Tue Jan 16 14:26:56 2018 CAT failed,
> result 58 (WERR_BAD_NET_RESP)
> 1926 consecutive failure(s).
> Last success @ Tue Jan 9 14:15:43 2018 CAT
>
> This is not good either, and should be resolved too.
>
> Cheers,
>
> Denis
>
> [1] it is in French, but your favorite search engine should be able
> to translate it for you:
> https://dev.tranquil.it/wiki/SAMBA_-_Integration_avec_bind9
>
> On Tue, Jan 16, 2018 at 11:49 AM, Denis Cardon <dcardon at tranquil.it> wrote:
>
> Hi Harsh,
>
>
> I have two Samba 4 DCs as below:
> server-1 with all FSMO roles running Samba 4.6.12 on Ubuntu 12.04
> server-2 joined to server-1 as a DC running Samba 4.7.4 on Ubuntu 16.04
>
> The problem is when I share files from my Windows 2008 file sharing
> server, which shows it is logged on to the Server-2 DC, the client PC
> which logs on to the server-1 DC cannot access the shared folder and
> gives the error "Logon Failure: The target account name is incorrect."
>
>
> Windows error messages are not very sysadmin friendly. Could you
> please use the smbclient command line from a domain member Linux
> client instead to do your debugging:
> kinit myusername
> smbclient -k //win2k8server/sharename -d 9
>
> And do it both with dc1 on and off.
>
> To fix the problem I have to shut down the server-2 DC and restart my
> Windows file server, which then logs on to server-1, and then the
> client can access the shared folder.
>
>
> Could you check if replication is working properly?
> samba-tool drs showrepl
>
> Please assist to fix this issue as I have to run both the DCs in the
> network.
>
>
> You should avoid wordings like "please assist for fix". It is deemed
> rude (at least in my culture) to give orders to people who don't owe
> you anything... There are many kind people on this mailing list that
> would be happy to help, but this kind of wording just makes them
> dismiss your message directly.
>
> Cheers,
>
> Denis
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
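The showrepl excerpt quoted in this thread, with result 58 (WERR_BAD_NET_RESP) and thousands of consecutive failures on the domain partition, is exactly the condition a periodic check on each DC should catch before a rotated machine password fails to replicate. The following Python is an added example, not code from the thread or from samba-tool: it parses showrepl output into one record per partition/neighbor and returns the links with consecutive failures; it assumes the line layout shown in the constructed sample, which reuses the names and timestamps from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample in the layout "samba-tool drs showrepl" prints, reusing the
# partition, DSA and timestamps quoted in the thread; it is not captured output.
SAMPLE = """\
==== INBOUND NEIGHBORS ====
DC=iumnet,DC=edu,DC=na
\tDefault-First-Site-Name\\IUMSVRPDC via RPC
\t\tDSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
\t\tLast attempt @ Tue Jan 16 14:24:05 2018 WAST failed, result 58 (WERR_BAD_NET_RESP)
\t\t17863 consecutive failure(s).
\t\tLast success @ Sat Jan 13 23:16:52 2018 WAST
CN=Configuration,DC=iumnet,DC=edu,DC=na
\tDefault-First-Site-Name\\IUMSVRPDC via RPC
\t\tLast attempt @ Tue Jan 16 14:24:05 2018 WAST was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Tue Jan 16 14:24:05 2018 WAST
"""
FAIL_RE = re.compile(r"Last attempt @ .+ failed, result (\d+) \((\w+)\)")
COUNT_RE = re.compile(r"^(\d+) consecutive failure\(s\)")

@dataclass
class Neighbor:
    direction: str                # INBOUND or OUTBOUND section
    partition: str                # naming context (DN) being replicated
    source: str                   # site\DC on the other end of the link
    failures: int = 0             # consecutive failure count Samba reports
    result: Optional[str] = None  # e.g. "58 (WERR_BAD_NET_RESP)"; None if last attempt succeeded

def parse_showrepl(text: str) -> List[Neighbor]:
    # One Neighbor per partition/source pair, in the order showrepl lists them.
    neighbors, direction, partition, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("====") and "NEIGHBORS" in line:
            direction = line.split()[1]
        elif not line or direction is None:
            continue                      # blanks and the DSA header before the sections
        elif " via " in line:
            cur = Neighbor(direction, partition, line.split(" via ")[0])
            neighbors.append(cur)
        elif line.startswith(("DC=", "CN=")):
            partition = line
        elif cur is not None:             # detail lines; GUID/Last success lines fall through
            if m := FAIL_RE.search(line):
                cur.result = f"{m.group(1)} ({m.group(2)})"
            if m := COUNT_RE.match(line):
                cur.failures = int(m.group(1))
    return neighbors

def failing_neighbors(neighbors: List[Neighbor], min_failures: int = 1) -> List[Neighbor]:
    # Links a monitoring check should alert on: anything with consecutive failures.
    return [n for n in neighbors if n.failures >= min_failures]

if __name__ == "__main__":
    print(failing_neighbors(parse_showrepl(SAMPLE)))
```

In production, feed it the live output of `samba-tool drs showrepl` on every DC and alert on a non-empty result; a link that fails on one DC but not the other, as in this thread, is the pattern to look for.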