[Samba] Serverinfo Error

L.P.H. van Belle belle at bazuin.nl
Mon Jul 29 07:11:50 UTC 2019


Hai, 

There is something going on in your resolving, that I'm sure. 

I don't know where you are missing a setting or made a wrong setting, 
but this should all work out of the box. 

The PTR lookup response with the IP of the DC should be hostname.fqdn. and not hostname. 

I've also had a good look at the debug script output again. 
That all looks OK to me, so I'm wondering if apparmor is in play here, or systemd things. 

I'm missing rules in apparmor, as shown below. 
You are using internal DNS and not Bind9_DLZ (based on smb.conf outputs), so .. 

Can you run : 
cat /var/log/syslog | grep 'DENIED' 
And 
cat /var/log/auditd/auditd.log | grep 'DENIED'
( if auditd is installed ) 

Can you also show me : 
ps faux |egrep "samba|winbind" 
And
netstat -tan|egrep "LISTEN" | grep "53"

And check some things within systemd. 
Show me also : 

networkctl status
networkctl status $(ip a|grep "state UP"| cut -d: -f2)
timedatectl
resolvectl status

> > And maybe its an option to try the 4.10.6 package i supply.
> > Debian buster packages are updated within 1-2 hours.
> I had to comment out some lines of python to get this far.  
> Should those files be replaced?

Which files? And which lines exactly? 

Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Robert A Wooldridge via samba
> Sent: Friday 26 July 2019 18:21
> To: samba at lists.samba.org
> Subject: Re: [Samba] Serverinfo Error
> 
> On 07/26/2019 01:19 AM, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > Ok, below looks ok, as Rowland also said.
> >
> > But i have one more thing.
> >
> >>>         Checking file: /etc/krb5.conf
> >>>
> >>> [libdefaults]
> >>>      dns_lookup_realm = false
> >>>      dns_lookup_kdc = true
> >>>      default_realm = EDM-INC.COM
> >>>      default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >>>      default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> > Remove the 2 default_*_enctypes lines.
> >
> > Or set:
> >      default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> >      default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> >      permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> Using this, I needed to put those two lines in because I 
> couldn't join the domain without them

> 
> >
> > And does it work if you run it like this :
> > samba-tool dns serverinfo athena -Uadministrator
> No:
> athena:~# samba-tool dns serverinfo athena -Uadministrator
> Password for [EDM\administrator]:
> ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 564, in run
>      None, 'ServerInfo')
> 
> >
> > And test the following.
....

> ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> -x 10.10.1.10
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59884
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;10.1.10.10.in-addr.arpa.       IN      PTR
> 
> ;; ANSWER SECTION:
> 10.1.10.10.in-addr.arpa. 3600   IN      PTR     athena.

This should show FQDN in the result. 

> 
> ;; AUTHORITY SECTION:
> 10.10.in-addr.arpa.     3600    IN      SOA     athena.edm-inc.com. hostmaster.edm-inc.com. 1 900 600 86400 3600
> 
> ;; Query time: 0 msec
> ;; SERVER: 10.10.1.10#53(10.10.1.10)
> ;; WHEN: Fri Jul 26 11:06:51 CDT 2019
> ;; MSG SIZE  rcvd: 126
> 
> >
> > And can you show the output of :
> > egrep -ri "samba|winbind" /etc/apparmor.d/*
> athena:~# egrep -ri "samba|winbind" /etc/apparmor.d/*
> /etc/apparmor.d/abstractions/authentication:  # winbind
> /etc/apparmor.d/abstractions/authentication:  #include <abstractions/winbind>
> /etc/apparmor.d/abstractions/smbpass:  /var/lib/samba/*.[lt]db rwk,
> /etc/apparmor.d/abstractions/samba:  /etc/samba/* r,
> /etc/apparmor.d/abstractions/samba:  /usr/lib*/samba/ldb/*.so mr,
> /etc/apparmor.d/abstractions/samba:  /usr/share/samba/*.dat r,
> /etc/apparmor.d/abstractions/samba:  /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
> /etc/apparmor.d/abstractions/samba:  /var/cache/samba/ w,
> /etc/apparmor.d/abstractions/samba:  /var/cache/samba/lck/* rwk,
> /etc/apparmor.d/abstractions/samba:  /var/lib/samba/** rwk,
> /etc/apparmor.d/abstractions/samba:  /var/log/samba/cores/ rw,
> /etc/apparmor.d/abstractions/samba:  /var/log/samba/cores/** rw,
> /etc/apparmor.d/abstractions/samba:  /var/log/samba/* w,
> /etc/apparmor.d/abstractions/samba:  /{,var/}run/samba/ w,
> /etc/apparmor.d/abstractions/samba:  /{,var/}run/samba/*.tdb rw,
> /etc/apparmor.d/abstractions/nameservice:  /etc/samba/lmhosts r,
> /etc/apparmor.d/abstractions/nameservice:  # winbind
> /etc/apparmor.d/abstractions/nameservice:  #include <abstractions/winbind>
> /etc/apparmor.d/abstractions/winbind:  # pam_winbindd
> /etc/apparmor.d/abstractions/winbind:  /tmp/.winbindd/pipe  rw,
> /etc/apparmor.d/abstractions/winbind:  /var/{lib,run}/samba/winbindd_privileged/pipe rw,
> /etc/apparmor.d/abstractions/winbind:  /etc/samba/smb.conf r,
> /etc/apparmor.d/abstractions/winbind:  /etc/samba/dhcp.conf r,
> /etc/apparmor.d/abstractions/winbind:  /usr/lib*/samba/valid.dat r,
> /etc/apparmor.d/abstractions/winbind:  /usr/lib*/samba/upcase.dat r,
> /etc/apparmor.d/abstractions/winbind:  /usr/lib*/samba/lowcase.dat r,
> /etc/apparmor.d/abstractions/winbind:  /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
> /etc/apparmor.d/samba/smbd-shares:# autogenerated by update-apparmor-samba-profile 1.2+deb at samba start - do not edit!
> /etc/apparmor.d/samba/smbd-shares:"/var/lib/samba/sysvol/edm-inc.com/scripts/" rk,
> /etc/apparmor.d/samba/smbd-shares:"/var/lib/samba/sysvol/edm-inc.com/scripts/**" rwkl,
> /etc/apparmor.d/samba/smbd-shares:"/var/lib/samba/sysvol/"   rk,
> /etc/apparmor.d/samba/smbd-shares:"/var/lib/samba/sysvol/**" rwkl,
> /etc/apparmor.d/usr.sbin.ntpd:  # samba4 ntp signing socket
> /etc/apparmor.d/usr.sbin.ntpd:  /{,var/}run/samba/ntp_signd/socket rw,
> /etc/apparmor.d/usr.sbin.ntpd:  # samba4 winbindd pipe
> /etc/apparmor.d/usr.sbin.ntpd:  /run/samba/winbindd/pipe rw,
> >
> > And maybe its an option to try the 4.10.6 package i supply.
> > Debian buster packages are updated within 1-2 hours.
> I had to comment out some lines of python to get this far.  
> Should those files be replaced?

Which files? And which lines exactly? 
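
The PTR point made in this message, as an added example that is not part of the original thread: the shell function below reads `dig -x` output and flags PTR targets that are a bare hostname instead of an FQDN. The function names and exit codes are assumptions of this example; the first sample is the answer quoted in the thread, the second is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Names and exit codes are hypothetical.

# check_ptr_fqdn: read dig output on stdin and inspect PTR records.
# Prints "OK <owner> <target>" or "SHORT <owner> <target>" per PTR record.
# Returns 0 if every PTR target is an FQDN, 1 if any is a bare hostname,
# 2 if no PTR record was found at all.
check_ptr_fqdn() {
    awk '
        /^;/ || NF < 5 { next }            # skip dig comments, question lines, blanks
        toupper($3) == "IN" && toupper($4) == "PTR" {
            seen = 1
            target = $5
            sub(/\.$/, "", target)         # drop the trailing root dot
            if (target ~ /\./) {
                print "OK", $1, $5         # at least two labels: looks like an FQDN
            } else {
                print "SHORT", $1, $5      # single label, e.g. "athena."
                bad = 1
            }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Answer and authority sections as quoted in the thread (PTR target is "athena.").
sample_short() {
cat <<'EOF'
;; QUESTION SECTION:
;10.1.10.10.in-addr.arpa.       IN      PTR

;; ANSWER SECTION:
10.1.10.10.in-addr.arpa. 3600   IN      PTR     athena.

;; AUTHORITY SECTION:
10.10.in-addr.arpa.     3600    IN      SOA     athena.edm-inc.com. hostmaster.edm-inc.com. 1 900 600 86400 3600
EOF
}

# Constructed sample: the same record with the FQDN the reply asks for.
sample_fqdn() {
    printf '%s\n' '10.1.10.10.in-addr.arpa. 3600   IN      PTR     athena.edm-inc.com.'
}

# Offline demo; on the DC itself the input would be: dig -x 10.10.1.10 | check_ptr_fqdn
sample_short | check_ptr_fqdn || echo "PTR target is not an FQDN"
```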





