[Samba] Serverinfo Error

L.P.H. van Belle belle at bazuin.nl
Tue Jul 30 07:28:28 UTC 2019 

Hai, 

Ok, below looks ok, except in dont see the search domain in the networkctl output. 
Which is possible, if you configured your interfaces through /etc/network/interfaces 

Im still amazed its not working.. Everything looks good. 
We are missing a bit info why/how/what/where. 

Short resume. 
Your on debian Buster official samba correct? ( samba 4.9.5 ) and your using internal DNS.
Configs looks ok in the debug output. No app armor Denied messages. 
Dns is running and basilcy your resolving looks ok.

And while im looking at this.
You joined this server to a windows AD-Domain and siezed fsmo roles, correct? 

Can you try this, if this helps, in then end you can switch the 2 dns servers ip's. 

Change you /etc/resolv.conf to 
# First a windows AD-DC DNS.
nameserver 10.10.1.XXXS 
# Second This server IP.
nameserver 10.10.1.10
search edm-inc.com

Your krb5.conf, i suggest you change it to this. 
I left the other options i use in, might be handy. 
You need the part. Enctypes part for win 2008. 

[libdefaults]
    default_realm = EDM-INC.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false

; for Windows 2008 with AES ( win 2003 compliant ) 
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5


Reboot
After the reboot, wait 5 min, this depends a bit on the size of you AD. 
Now run again: samba-tool drs showrepl
Any errors? No errors, great. Check again if you getting you server info works. 
If you get errors, then, yes, you can upgrade you packages with mine even if you modifies that python file. 
P.s. if you see things you and you dont know, first post things again. 


Before you move to 4.10.6, i suggest try 4.9.11 first. 
Because i still not sure if it's samba what is the problem if this.
And you can always upgrade to 4.10.6 later on, i want to know if 4.9.11 helps/fixed this. 
That is because, I think this is a python2/3 problem or this patch in debian official is a problem :  
  - CVE-2019-12435 zone operations can crash rpc server 
And broke the join in samba. 
I just dont know which it is, but i do know multle python things are fixed in later version. 

If you preffer 4.9.11 from official debian. You need to backport it yourself. 
Or use samba from debian testing/sid which is 4.9.11 

For my repo use these steps. 
1) Choose http or https for you apt, both work, for https you need to :
apt-get install apt-transport-https

2) Import my public key
wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -

3) (optional) setup a header line for the repo file.
echo "# AptVanBelle repo for samba." | sudo tee /etc/apt/sources.list.d/van-belle.list

4) In the line below, change the OS and/or samba version to what you want. Shown is debian stretch with samba 4.9.
echo "deb http://apt.van-belle.nl/debian buster-samba49 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list

This gives you 4.9.11, almost the same with debian official, i only added/enabled spotlight support. 

Try this first im suggesting then when it all looks good, then you can easy upgrade to 4.10.6 
Then in above repo line just change samba49 to samba410 and run apt update && apt dist-upgrade



Greetz, 

Louis




> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Robert A Wooldridge via samba
> Verzonden: maandag 29 juli 2019 17:38
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Serverinfo Error
> 
> On 07/29/2019 02:11 AM, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > There is something going on in your resolving, that im sure.
> >
> > I dont know where you missing a setting or did a wrong setting,
> > but this should all work out of the box.
> >
> > The PTR lookup responce with ip of the DC, should be 
> hostname.fqdn. and not hostname.
> >
> > I've also had a good look at the debug script output again.
> > That all looks ok to me so i'm wondering, if apparmor is in 
> play here or systemd things.
> >
> > Im missing rules in apparmor, as shown below.
> > You are using internal DNS and not Bind9_DLZ. ( base on 
> smb.conf outputs ) so ..
> >
> > Can you run :
> > cat /var/log/syslog | grep 'DENIED'
> No output
> > And
> > cat /var/log/auditd/auditd.log | grep 'DENIED'
> Auditd not installed.
> > ( if auditd is installed )
> >
> > Can you also show me :
> > ps faux |egrep "samba|winbind"
> athena:~# ps faux |egrep "samba|winbind"
> root     11734  0.0  0.0   6076   832 pts/0    S+   10:30 
> 0:00                      \_ grep -E samba|winbind
> root     26888  0.0  0.4  95604 34800 ?        Ss   Jul26   
> 0:00 samba: 
> root process
> root     26889  0.0  0.2  95604 22060 ?        S    Jul26   0:00  \_ 
> samba: task[s3fs_parent]
> root     26891  0.0  0.2  95608 20924 ?        S    Jul26   
> 0:00 |   \_ 
> samba: tfork waiter process
> root     26890  0.0  0.6  96236 50588 ?        S    Jul26   1:14  \_ 
> samba: task[dcesrv]
> root     26892  0.0  0.4  95676 34320 ?        S    Jul26   0:01  \_ 
> samba: task[nbtd]
> root     26894  0.0  0.2  95604 21684 ?        S    Jul26   0:00  \_ 
> samba: task[wrepl]
> root     26895  0.0  0.3  95604 29380 ?        S    Jul26   0:06  \_ 
> samba: task[ldapsrv]
> root     26896  0.0  0.3  95604 31112 ?        S    Jul26   3:01  \_ 
> samba: task[cldapd]
> root     26897  0.0  0.4  95792 32868 ?        S    Jul26   0:41  \_ 
> samba: conn[kdc_tcp] c[ipv4:10.10.10.235:50790] s[ipv4:10.10.1.10:88] 
> server_id[26897.40]
> root     26898  0.0  0.4  96244 35024 ?        S    Jul26   3:34  \_ 
> samba: task[dreplsrv]
> root     26899  0.0  0.2  95604 22060 ?        S    Jul26   0:00  \_ 
> samba: task[winbindd_parent]
> root     26903  0.0  0.2  95608 20924 ?        S    Jul26   
> 0:00 |   \_ 
> samba: tfork waiter process
> root     26905  0.0  0.5  96104 43872 ?        Ss   Jul26   
> 0:03 |       
> \_ /usr/sbin/winbindd -D --option=server role 
> check:inhibit=yes --foreground
> root     26925  0.0  0.4  96336 34096 ?        S    Jul26   0:00 
> |           \_ winbindd: domain child [EDM]
> root     27112  0.0  0.3  96132 29184 ?        S    Jul26   0:00 
> |           \_ winbindd: idmap child
> root     26900  0.0  0.3  95604 25504 ?        S    Jul26   0:00  \_ 
> samba: task[ntp_signd]
> root     26901  0.0  0.4  95604 36224 ?        S    Jul26   0:02  \_ 
> samba: task[kccsrv]
> root     26902  0.0  0.3  95604 30428 ?        S    Jul26   0:58  \_ 
> samba: task[dnsupdate]
> root     26904  0.1  0.3  96108 31872 ?        S    Jul26   4:36  \_ 
> samba: conn[dns_tcp] c[ipv4:10.10.10.232:60715] s[ipv4:10.10.1.10:53] 
> server_id[26904.3]
> 
> 
> > And
> > netstat -tan|egrep "LISTEN" | grep "53"
> athena:~# netstat -tan|egrep "LISTEN" | grep "53"
> tcp        0      0 0.0.0.0:49153           0.0.0.0:* LISTEN
> tcp        0      0 0.0.0.0:53              0.0.0.0:* LISTEN
> tcp6       0      0 :::49153                :::* LISTEN
> tcp6       0      0 :::53                   :::* LISTEN
> 
> >
> > And check some things within systemd.
> > Show me also :
> >
> > networkctl status
> athena:~# networkctl status
> WARNING: systemd-networkd is not running, output will be incomplete.
> 
> ???        State: n/a
>         Address: 10.10.1.10 on enp0s25
>                  fe80::21c:c0ff:feec:2525 on enp0s25
>         Gateway: 10.10.1.1 (Intel Corporate) on enp0s25
> > networkctl status $(ip a|grep "state UP"| cut -d: -f2)
> athena:~# networkctl status $(ip a|grep "state UP"| cut -d: -f2)
> WARNING: systemd-networkd is not running, output will be incomplete.
> 
> ??? 2: enp0s25
>         Link File: /usr/lib/systemd/network/99-default.link
>      Network File: n/a
>              Type: ether
>             State: n/a (unmanaged)
>              Path: pci-0000:00:19.0
>            Driver: e1000e
>            Vendor: Intel Corporation
>             Model: 82567LM-3 Gigabit Network Connection
>        HW Address: 00:1c:c0:ec:25:25 (Intel Corporate)
>           Address: 10.10.1.10
>                    fe80::21c:c0ff:feec:2525
>           Gateway: 10.10.1.1 (Intel Corporate)
> 
> > timedatectl
> athena:~# timedatectl
>                 Local time: Mon 2019-07-29 10:33:09 CDT
>             Universal time: Mon 2019-07-29 15:33:09 UTC
>                   RTC time: Mon 2019-07-29 15:33:08
>                  Time zone: US/Central (CDT, -0500)
> System clock synchronized: yes
>                NTP service: inactive
>            RTC in local TZ: no
> > resolvectl status
> athena:~# resolvectl status
> Failed to get global data: Unit dbus-org.freedesktop.resolve1.service 
> not found.
> >
> >>> And maybe its an option to try the 4.10.6 package i supply.
> >>> Debian buster packages are updated within 1-2 hours.
> >> I had to comment out some lines of python to get this far.
> >> Should those files be replaced?
> > Which files? And which lines exactly?
> join.py (/usr/lib/python2.7/dist-packages/samba/join.py on my 
> DC), find 
> these lines:
> 
>              if ctx.dns_backend != "NONE":
>                  ctx.join_add_dns_records()
>                  ctx.join_replicate_new_dns_records()
> 
> -- 
> Bob Wooldridge
> EDM Incorporated
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list