[Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2
MORILLO Jordi
j.morillo at educationetformation.fr
Sun Nov 22 14:42:56 UTC 2020
Hello!
I have just upgraded 40 x Samba domain member file servers from 4.11.14 to 4.13.2
- No problem with 20 x domain members that are in a unique Samba domain (only Samba DCs)
- But for my other domain (composed of Windows 2016 DCs), all 20 x Samba domain members failed to serve files after this upgrade :-/
I have triple-checked /etc/hosts, hostname, krb5 etc. ... and nothing was wrong. Thus Samba domain members were working fine with 4.11.14.
The Kerberos part is OK (kinit/klist)
Here are some interesting logs (errors only):
net ads testjoin
Join to domain is not valid: LDAP_OPERATIONS_ERROR
/var/log/samba/log.smbd :
[2020/11/22 13:13:18.319090, 0] ../../source3/printing/nt_printing.c:252(nt_printing_init)
nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
/var/log/samba/log.wb-EF540
[2020/11/22 12:14:31.081839, 0] ../../source3/winbindd/winbindd_cm.c:1874(wb_open_internal_pipe)
open_internal_pipe: Could not connect to dssetup pipe: NT_STATUS_RPC_INTERFACE_NOT_FOUND
[2020/11/22 12:14:31.094251, 0] ../../source3/rpc_server/rpc_ncacn_np.c:456(rpcint_dispatch)
rpcint_dispatch: DCE/RPC fault in call lsarpc:2E - DCERPC_NCA_S_OP_RNG_ERROR
After searching for some hours, I downgraded to 4.11.14 to solve this problem.
I use the tranquil.it repo; could it be some mis-built packages?
Below is the result of the debug script:
Collected config --- 2020-11-22-15:37 -----------
Hostname: ef540
DNS Domain: educ-for.local
FQDN: ef540.educ-for.local
ipaddress: 10.20.2.1
-----------
Kerberos SRV _kerberos._tcp.educ-for.local record verified ok, sample output:
Server: 10.1.1.12
Address: 10.1.1.12#53
_kerberos._tcp.educ-for.local service = 0 100 88 Yoda.educ-for.local.
_kerberos._tcp.educ-for.local service = 0 100 88 palpatine.educ-for.local.
_kerberos._tcp.educ-for.local service = 0 100 88 yoda.educ-for.local.
_kerberos._tcp.educ-for.local service = 0 100 88 vader.educ-for.local.
Samba is running as a Unix domain member
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.6 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether ee:26:ac:b2:ea:04 brd ff:ff:ff:ff:ff:ff
inet 10.20.2.1/16 brd 10.20.255.255 scope global eth0
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
10.20.2.1 ef540.educ-for.local
-----------
Checking file: /etc/resolv.conf
domain educ-for.local
search educ-for.local
nameserver 10.1.1.12
nameserver 10.1.5.1
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = EDUC-FOR.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
clockskew = 3600
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind systemd
group: compat winbind systemd
shadow: compat winbind
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
[global]
workgroup = EDUC-FOR
security = ADS
realm = EDUC-FOR.LOCAL
server role = member server
bind interfaces only = yes
interfaces = lo eth0
# Disable Netbios
disable netbios = Yes
smb ports = 445
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config EDUC-FOR:backend = rid
idmap config EDUC-FOR:range = 10000-70000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
domain master = no
local master = no
# For ACL support on member file server
vfs objects = acl_xattr
map acl inherit = Yes
# Printing global configuration
printcap cache time = 60
printcap name = cups
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
enumports command = /usr/local/bin/show-ports.sh
# Disable offline mode on all shares
csc policy = disable
[Commun]
path = /home/commun
read only = no
[users$]
path = /home/users
read only = no
[printers]
path = /var/spool/samba
comment = All Printers
printable = yes
printing = CUPS
create mask = 0700
guest ok = yes
print ok = yes
browseable = no
[print$]
comment = Printer Drivers
path = /var/lib/samba/printing
writable = yes
read only = no
write list = root Administrateur @"Admins du domaine"
-----------
Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
Warning, /etc/idmapd.conf does not exist
-----------
Installed packages:
ii acl 2.2.53-4 amd64 access control list - utilities
ii attr 1:2.4.48-4 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3+deb10u1 all internationalization support for MIT Kerberos
ii krb5-user 1.17-3+deb10u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba nameservice integration plugins
ii libsmbclient:amd64 2:4.13.2+dfsg-0.1buster1 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba winbind client library
ii python3-samba 2:4.13.2+dfsg-0.1buster1 amd64 Python 3 bindings for Samba
ii samba 2:4.13.2+dfsg-0.1buster1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.13.2+dfsg-0.1buster1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.13.2+dfsg-0.1buster1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.13.2+dfsg-0.1buster1 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.13.2+dfsg-0.1buster1 amd64 service to resolve user and group information from Windows NT servers
-----------