[Samba] One DC cannot authenticate off of another DC

Jonathon Reinhart jonathon.reinhart at gmail.com
Fri Jun 28 12:03:00 UTC 2019


Matthew,

May I ask why you have the IP addresses of the other DCs in /etc/hosts of
your DCs?

In /etc/hosts you should have only the "localhost" alias, and a line that
establishes the FQDN for the local machine:

127.0.0.1     localhost
192.168.x.x   dc1.ad.example.com dc1


Then in /etc/resolv.conf you should use the local machine as its nameserver:

nameserver 127.0.0.1
domain ad.example.com


This way, the DCs use AD DNS to resolve all other machine names. You don't
need the other DCs in /etc/hosts because their DNS entries are replicated
by AD.

The more redundant configuration you have, the more likely it is to become
out-of-sync.

Cheers,
Jonathon

On Wed, Jun 26, 2019, 13:45 Matthew Delfino via samba <samba at lists.samba.org>
wrote:

> Thank you, Louis, for your reply.
>
>
> By simply asking me to provide outputs of the aforementioned files, I
> found the cause of my first problem (auth failing). It was my /etc/hosts
> file on dc1.
>
>
> All of them should look like this, and indeed DC2 and DC3's *did* look
> like this:
>
>
>
>
> # cat /etc/hosts
> > 127.0.0.1       localhost.samdom.mycompany.net  localhost
> > 192.168.3.201 dc1.samdom.mycompany.net dc1
> > 192.168.3.202 dc2.samdom.mycompany.net dc2
> > 192.168.3.203 dc3.samdom.mycompany.net dc3
> >
> > # The following lines are desirable for IPv6 capable hosts
> > ::1     localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
>
>
> DC1's /etc/hosts looked the same, except for the third line, which looked
> like this:
>
>
>
> > 192.168.3.203 dc2.samdom.mycompany.net dc2
>
>
> That's the same IP for dc3 on the fourth line! Changing its IP address to
> 192.168.3.202 to match the other two hosts files swiftly put an end to my
> failed authentications.
>
>
> But, I still see this whenever I compare any of my DCs to DC1:
>
>
>
> # samba-tool ldapcmp ldap://dc1 ldap://dc2 -Uadministrator
> > Password for [SAMDOM\administrator]:
> >
> > * Comparing [DOMAIN] context...
> >
> > * Objects to be compared: 1723
> >
> > Comparing:
> > 'CN=DC2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET' [ldap://dc1]
> > 'CN=DC2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET' [ldap://dc2]
> >     Attributes found only in ldap://dc2:        SERVERREFERENCEBL
> >
> >     FAILED
> >
> > * Result for [DOMAIN]: FAILURE
> >
> > SUMMARY
> > ---------
> >
> > Attributes found only in ldap://dc2:
> >
> >     SERVERREFERENCEBL
> >
> > * Comparing [CONFIGURATION] context...
> >
> > * Objects to be compared: 1623
> >
> > * Result for [CONFIGURATION]: SUCCESS
> >
> > * Comparing [SCHEMA] context...
> >
> > * Objects to be compared: 1578
> >
> > * Result for [SCHEMA]: SUCCESS
> >
> > * Comparing [DNSDOMAIN] context...
> >
> > * Objects to be compared: 166
> >
> > * Result for [DNSDOMAIN]: SUCCESS
> >
> > * Comparing [DNSFOREST] context...
> >
> > * Objects to be compared: 26
> >
> > * Result for [DNSFOREST]: SUCCESS
> > ERROR: Compare failed: -1
>
>
> I have tried fixing this with reboots, and running this command:
>
>
> # samba-tool drs replicate --full-sync dc1 dc2 DC=samdom,DC=mycompany,DC=net
>
>
> As well as the similar commands for DC=ForestDnsZones,...
> DC=DomainDnsZones,... CN=Configuration,... and CN=Schema,... but nothing
> gets that serverReferenceBL into the CN=DC2,OU=DOMAIN
> CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET record on DC1.
>
>
> Do you think that this attribute, "SERVERREFERENCEBL," is applied at
> domain join only? And, perhaps that my wrongly configured /etc/hosts file
> botched a proper replication to DC1?
>
>
> Here are the answers to your questions...
>
>
>
> DC3
> --------
> # cat /etc/hosts
> > 127.0.0.1       localhost.samdom.mycompany.net  localhost
> > 192.168.3.201    dc1.samdom.mycompany.net    dc1
> > 192.168.3.202    dc2.samdom.mycompany.net    dc2
> > 192.168.3.203    dc3.samdom.mycompany.net    dc3
> >
> # The following lines are desirable for IPv6 capable hosts
> > ::1     localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
>
>
> # cat /etc/resolv.conf
> > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> > #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> > nameserver 192.168.3.203
> > nameserver 192.168.3.201
> > nameserver 192.168.3.202
> > search samdom.mycompany.net
>
>
> # cat /etc/samba/smb.conf
> > # Global parameters
> > [global]
> >     netbios name = DC3
> >     realm = SAMDOM.MYCOMPANY.NET
> >     server role = active directory domain controller
> >     #server services = -dns
> >     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >     workgroup = SAMDOM
> >     idmap_ldb:use rfc2307 = yes
> >     #dns forwarder = 8.8.4.4
> >     #dns forwarder = 8.8.8.8
> >     #allow dns updates = disabled
> >     dsdb:schema update allowed = true
> >     printcap name = /dev/null
> >     load printers = no
> >     printing = bsd
> >     ldap server require strong auth = no
> >     tls enabled  = yes
> >     tls keyfile  = tls/myKey.pem
> >     tls certfile = tls/dc3_samdom_mycompany_net.pem
> >     tls cafile   = tls/dc3_samdom_mycompany_net.ca-bundle.pem
> >     #log file = /var/log/samba/%a.%M.log
> >     max log size = 2048
> >     log level = 1 auth_audit:3
> >     apply group policies = yes
> >
> > [netlogon]
> >     path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts
> >     read only = No
> >
> > [sysvol]
> >     path = /var/lib/samba/sysvol
> >     read only = No
>
>
> # klist -ke /var/lib/samba/private/secrets.keytab
> > Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    2 HOST/dc3 at SAMDOM.MYCOMPANY.NET (des-cbc-crc)
> >    2 HOST/dc3.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (des-cbc-crc)
> >    2 DC3$@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
> >    2 HOST/dc3 at SAMDOM.MYCOMPANY.NET (des-cbc-md5)
> >    2 HOST/dc3.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (des-cbc-md5)
> >    2 DC3$@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
> >    2 HOST/dc3 at SAMDOM.MYCOMPANY.NET (arcfour-hmac)
> >    2 HOST/dc3.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (arcfour-hmac)
> >    2 DC3$@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
> >    2 HOST/dc3 at SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
> >    2 HOST/dc3.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
> >    2 DC3$@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
> >    2 HOST/dc3 at SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
> >    2 HOST/dc3.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
> >    2 DC3$@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
>
>
>
>
> DC2
> --------
> # cat /etc/hosts
> > 127.0.0.1       localhost.samdom.mycompany.net  localhost
> > 192.168.3.201    dc1.samdom.mycompany.net    dc1
> > 192.168.3.202    dc2.samdom.mycompany.net    dc2
> > 192.168.3.203    dc3.samdom.mycompany.net    dc3
> >
> > # The following lines are desirable for IPv6 capable hosts
> > ::1     localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
>
>
> # cat /etc/resolv.conf
> > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> > #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> > nameserver 192.168.3.202
> > nameserver 192.168.3.201
> > nameserver 192.168.3.203
> > search samdom.mycompany.net
>
>
> # cat /etc/samba/smb.conf
> > # Global parameters
> > [global]
> >     netbios name = DC2
> >     realm = SAMDOM.MYCOMPANY.NET
> >     server role = active directory domain controller
> >     #server services = -dns
> >     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >     workgroup = SAMDOM
> >     idmap_ldb:use rfc2307 = yes
> >     #dns forwarder = 8.8.4.4
> >     #dns forwarder = 8.8.8.8
> >     #allow dns updates = disabled
> >     dsdb:schema update allowed = true
> >     printcap name = /dev/null
> >     load printers = no
> >     printing = bsd
> >     ldap server require strong auth = no
> >     tls enabled  = yes
> >     tls keyfile  = tls/myKey.pem
> >     tls certfile = tls/dc2_samdom_mycompany_net.pem
> >     tls cafile   = tls/dc2_samdom_mycompany_net.ca-bundle.pem
> >     #log file = /var/log/samba/%a.%M.log
> >     max log size = 2048
> >     log level = 1 auth_audit:3
> >     apply group policies = yes
> >
> > [netlogon]
> >     path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts
> >     read only = No
> >
> > [sysvol]
> >     path = /var/lib/samba/sysvol
> >     read only = No
>
>
> # klist -ke /var/lib/samba/private/secrets.keytab
> > Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    2 HOST/dc2 at SAMDOM.MYCOMPANY.NET (des-cbc-crc)
> >    2 HOST/dc2.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (des-cbc-crc)
> >    2 DC2$@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
> >    2 HOST/dc2 at SAMDOM.MYCOMPANY.NET (des-cbc-md5)
> >    2 HOST/dc2.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (des-cbc-md5)
> >    2 DC2$@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
> >    2 HOST/dc2 at SAMDOM.MYCOMPANY.NET (arcfour-hmac)
> >    2 HOST/dc2.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (arcfour-hmac)
> >    2 DC2$@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
> >    2 HOST/dc2 at SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
> >    2 HOST/dc2.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
> >    2 DC2$@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
> >    2 HOST/dc2 at SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
> >    2 HOST/dc2.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
> >    2 DC2$@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
>
>
>
>
> DC1
> --------
> # cat /etc/hosts
> > 127.0.0.1    localhost.samdom.mycompany.net    localhost
> > 192.168.3.201    dc1.samdom.mycompany.net    dc1
> > 192.168.3.202    dc2.samdom.mycompany.net    dc2
> > 192.168.3.203    dc3.samdom.mycompany.net    dc3
> >
> > # The following lines are desirable for IPv6 capable hosts
> > ::1     localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
>
>
> # cat /etc/resolv.conf
> > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> > #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> > nameserver 192.168.3.201
> > nameserver 192.168.3.202
> > nameserver 192.168.3.203
> > search samdom.mycompany.net
>
>
> # cat /etc/samba/smb.conf
> > # Global parameters
> > [global]
> >     netbios name = DC1
> >     realm = SAMDOM.MYCOMPANY.NET
> >     server role = active directory domain controller
> >     #server services = -dns
> >     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >     workgroup = SAMDOM
> >     idmap_ldb:use rfc2307 = yes
> >     #dns forwarder = 8.8.4.4
> >     #dns forwarder = 8.8.8.8
> >     #allow dns updates = disabled
> >     #dsdb:schema update allowed = true
> >     printcap name = /dev/null
> >     load printers = no
> >     printing = bsd
> >     ldap server require strong auth = no
> >     tls enabled  = yes
> >     tls keyfile  = tls/myKey.pem
> >     tls certfile = tls/dc1_samdom_mycompany_net.pem
> >     tls cafile   = tls/dc1_samdom_mycompany_net.ca-bundle.pem
> >     #log file = /var/log/samba/%a.%M.log
> >     max log size = 2048
> >     log level = 1 auth_audit:3
> >     apply group policies = yes
> >
> > [netlogon]
> >     path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts
> >     read only = No
> >
> > [sysvol]
> >     path = /var/lib/samba/sysvol
> >     read only = No
>
>
> # klist -ke /var/lib/samba/private/secrets.keytab
> > Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    2 HOST/dc1 at SAMDOM.MYCOMPANY.NET (des-cbc-crc)
> >    2 HOST/dc1.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (des-cbc-crc)
> >    2 DC1$@SAMDOM.MYCOMPANY.NET (des-cbc-crc)
> >    2 HOST/dc1 at SAMDOM.MYCOMPANY.NET (des-cbc-md5)
> >    2 HOST/dc1.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (des-cbc-md5)
> >    2 DC1$@SAMDOM.MYCOMPANY.NET (des-cbc-md5)
> >    2 HOST/dc1 at SAMDOM.MYCOMPANY.NET (arcfour-hmac)
> >    2 HOST/dc1.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (arcfour-hmac)
> >    2 DC1$@SAMDOM.MYCOMPANY.NET (arcfour-hmac)
> >    2 HOST/dc1 at SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
> >    2 HOST/dc1.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
> >    2 DC1$@SAMDOM.MYCOMPANY.NET (aes128-cts-hmac-sha1-96)
> >    2 HOST/dc1 at SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
> >    2 HOST/dc1.samdom.mycompany.net at SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
> >    2 DC1$@SAMDOM.MYCOMPANY.NET (aes256-cts-hmac-sha1-96)
>
>
> Thank you,
> Matthew
>
>
>
> From: L.P.H. van Belle via samba <samba at lists.samba.org>
> To: "samba at lists.samba.org" <samba at lists.samba.org>
> Sent: 6/26/2019 2:32 AM
> Subject: Re: [Samba] One DC cannot authenticate off of another DC
>
> Hai,
>
> What is the running OS and version of samba on these servers.
>
> Can you post some configs of these DC's ( all 3  )
>
> /etc/hosts
> /etc/resolv.conf
> /etc/samba/smb.conf
>
> And for all 3 this the keytab output.
> klist -ke /var/lib/samba/private/secrets.keytab
>
> You're also sure your servers' time is not out of sync?
>
> Greetz,
>
> Louis
>
>
>
>
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > > Matthew Delfino via samba
> > > Sent: Wednesday, 26 June 2019 1:12
> > > To: samba at lists.samba.org
> > > Subject: [Samba] One DC cannot authenticate off of another DC
> >
> >
> > Hello Samba Friends,
> >
> >
> > I have a single DC (we'll call it, "DC1") that simply will
> > not take my password when I run this command:
> >
> >
> > #samba-tool ldapcmp ldap://dc2 ldap://dc3 -Uadministrator
> >
> >
> > Or this command:
> >
> >
> > #samba-tool ldapcmp ldap://dc1 ldap://dc2 -Uadministrator
> >
> >
> > I basically get this:
> >
> >
> > > Password for [SAMDOM\administrator]:
> > > Password for [SAMDOM\administrator]:
> > > Password for [SAMDOM\administrator]:
> > > Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
> > > Failed to connect to 'ldap://dc2' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
> > > ERROR(ldb): uncaught exception - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
> > >   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
> > >     return self.run(*args, **kwargs)
> > >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 942, in run
> > >     outf=self.outf, errf=self.errf, skip_missing_dn=skip_missing_dn)
> > >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 64, in __init__
> > >     options=ldb_options)
> > >   File "/usr/lib/python3/dist-packages/samba/__init__.py", line 115, in __init__
> > >     self.connect(url, flags, options)
> >
> >
> > It *will* authenticate when I run this command, which implies
> > that DC2 is the one who doesn't like my password, but only
> > when it comes from DC1:
> >
> >
> > #samba-tool ldapcmp ldap://dc1 ldap://dc3 -Uadministrator
> >
> >
> > From DC2 and DC3, I can run all three of those commands with success.
> >
> >
> > What could cause one of my DCs (DC2) to hate my password only
> > when it comes from one of my other DCs (DC1)? And, by the
> > way, under that circumstance, it seems to hate every username
> > and password combination I have that I could think to try
> > ("-Umatthewdelfino", for example).
> >
> >
> > What have I already tried? I've demoted and re-promoted all
> > of the DCs, which didn't make things any better. Passwords
> > still fail in the same manner, but now every time I do an
> > ldapcmp from samba-tool, I see a complaint about
> > "serverReferenceBL," either as an attribute that doesn't
> > exist in DC1 for 'CN=DC2,OU=DOMAIN
> > CONTROLLERS,DC=SAMDOM,DC=MYCOMPANY,DC=NET', or as an uncaught
> > exception like this:
> >
> >
> > > ERROR(<class 'KeyError'>): uncaught exception - 'serverReferenceBL'
> > >   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
> > >     return self.run(*args, **kwargs)
> > >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 957, in run
> > >     if b1.diff(b2):
> > >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 781, in diff
> > >     if object1 == object2:
> > >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 549, in __eq__
> > >     return self.cmp_attrs(other)
> > >   File "/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py", line 590, in cmp_attrs
> > >     if isinstance(self.attributes[x], list) and isinstance(other.attributes[x], list):
> >
> >
> > (And all of that SERVERREFERENCEBL stuff is probably
> > unrelated. It's just very irritating, as it seems to be an
> > attribute created during a DC promotion/domain join, but not
> > during subsequent replications, and the ldapcmp always notices it.)
> >
> >
> > Can anyone provide some guidance?
> >
> >
> > Thanks,
> > Matthew
> >
> > © 2019 KNOCK, inc. All rights reserved. KNOCK is a registered
> > trademark of KNOCK, inc. This message and any attachments
> > contain information, which is confidential and/or privileged.
> > If you are not the intended recipient, please refrain from
> > any disclosure, copying, distribution or use of this
> > information. Please be aware that such actions are
> > prohibited. If you have received this transmission in error,
> > kindly notify the sender by e-mail. Your cooperation is appreciated.
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
>
>
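Added example, not written by anyone in this thread: a small Python audit of /etc/hosts that catches the class of mistake Matthew found on DC1 (one LAN address listed for two different hosts) and checks for the layout Jonathon recommends (loopback plus the DC's own FQDN on its LAN address, nothing else). It also checks that the DC's FQDN resolves to its LAN address and not to 127.0.0.1, which Samba requires of an AD DC. The two sample files, the dc1/samdom.mycompany.net names and the 192.168.3.x addresses are constructed to mirror the thread, and the function names are this example's own.

```python
"""Audit /etc/hosts on a Samba AD DC (added example; sample data is constructed).

Findings reported:
  1. one LAN address listed for two different hosts (the dc2/dc3 mix-up)
  2. one name mapped to several addresses of the same family
  3. the DC's own FQDN missing, or not mapped to its LAN address
  4. entries for other machines, which AD DNS should be resolving instead
"""
import ipaddress
from collections import defaultdict

# Constructed: what DC1's file looked like while authentication was failing.
BROKEN_DC1_HOSTS = """\
127.0.0.1       localhost.samdom.mycompany.net  localhost
192.168.3.201   dc1.samdom.mycompany.net dc1
192.168.3.203   dc2.samdom.mycompany.net dc2
192.168.3.203   dc3.samdom.mycompany.net dc3

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
"""

# Constructed: the minimal file recommended in the reply (loopback + self only).
RECOMMENDED_DC1_HOSTS = """\
127.0.0.1     localhost
192.168.3.201 dc1.samdom.mycompany.net dc1
::1           localhost ip6-localhost ip6-loopback
"""


def parse_hosts(text):
    """Parse hosts(5) text into a list of (ip_address, [lower-cased names]).

    Comments and blank lines are dropped; a line whose first field is not an
    IP address is skipped rather than guessed at.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((ip, [name.lower() for name in fields[1:]]))
    return entries


def _short(name):
    """'dc2.samdom.mycompany.net' -> 'dc2', so an FQDN and its alias count as one host."""
    return name.split(".", 1)[0]


def audit_hosts(text, local_fqdn, local_ip):
    """Return a list of human-readable findings; an empty list means the file is clean."""
    local_fqdn = local_fqdn.lower()
    local_ip = ipaddress.ip_address(local_ip)
    findings = []

    ip_to_names = defaultdict(set)
    name_to_ips = defaultdict(set)
    for ip, names in parse_hosts(text):
        for name in names:
            ip_to_names[ip].add(name)
            name_to_ips[name].add(ip)

    # Loopback, multicast and link-local lines are distribution boilerplate; ignore them.
    lan_entries = {ip: names for ip, names in ip_to_names.items()
                   if not (ip.is_loopback or ip.is_multicast or ip.is_link_local)}

    # 1. One address claimed by two different hosts (exactly the dc2/dc3 typo).
    for ip, names in sorted(lan_entries.items(), key=lambda kv: str(kv[0])):
        hosts = sorted({_short(n) for n in names})
        if len(hosts) > 1:
            findings.append(f"{ip} is listed for several hosts: {', '.join(hosts)}")

    # 2. One name with several same-family addresses: lookup order decides which wins.
    for name, ips in sorted(name_to_ips.items()):
        for version in (4, 6):
            same_family = sorted(str(ip) for ip in ips
                                 if ip.version == version and not ip.is_loopback)
            if len(same_family) > 1:
                findings.append(f"{name} maps to several addresses: {', '.join(same_family)}")

    # 3. The DC's own FQDN must resolve to its LAN address, never to loopback.
    own = name_to_ips.get(local_fqdn, set())
    if not own:
        findings.append(f"{local_fqdn} is not present; add it on the {local_ip} line")
    elif own != {local_ip}:
        findings.append(f"{local_fqdn} resolves to {', '.join(sorted(map(str, own)))}, "
                        f"expected {local_ip}")

    # 4. Anything else on a LAN line is another machine whose record AD DNS replicates;
    #    a static copy here can only drift out of sync.
    foreign = {_short(n) for names in lan_entries.values() for n in names
               if _short(n) != _short(local_fqdn)}
    for host in sorted(foreign):
        findings.append(f"{host} is another machine; remove it and let AD DNS resolve it")

    return findings


if __name__ == "__main__":
    import sys
    me = ("dc1.samdom.mycompany.net", "192.168.3.201")      # constructed identity for the samples
    samples = {"broken dc1": BROKEN_DC1_HOSTS, "recommended dc1": RECOMMENDED_DC1_HOSTS}
    if len(sys.argv) == 4:                                    # hosts_audit.py FQDN IP /etc/hosts
        me = (sys.argv[1], sys.argv[2])
        with open(sys.argv[3]) as fh:
            samples = {sys.argv[3]: fh.read()}
    for label, text in samples.items():
        print(f"[{label}]")
        for finding in audit_hosts(text, *me) or ["clean"]:
            print("  " + finding)
```

Run with no arguments to see the constructed broken and recommended files scored against each other, or as `python3 hosts_audit.py dc1.samdom.mycompany.net 192.168.3.201 /etc/hosts` on a live DC. On the broken sample the first finding is the duplicated 192.168.3.203, which is the line that produced the LDAP error 49 / data 52e failures in the thread: the DC was sending Kerberos traffic meant for dc2 to dc3.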

