[Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2

MORILLO Jordi j.morillo at educationetformation.fr
Tue Nov 24 09:28:02 UTC 2020


Here is my latest research (error at the bottom):

Working 4.11.14:
net ads join -d99
[...]
Successfully contacted LDAP server 10.2.2.1
Opening connection to LDAP server '10.2.2.1:389', timeout 15 seconds
Initialized connection for LDAP server 'ldap://10.2.2.1:389'
Connected to LDAP server Vader.educ-for.local
ads_closest_dc: NBT_SERVER_CLOSEST flag set
saf_store: domain = [EDUC-FOR], server = [Vader.educ-for.local], expire = [1606206403]
gencache_set_data_blob: Adding cache entry with key=[SAF/DOMAIN/EDUC-FOR] and timeout=[mar. nov. 24 09:26:43 2020 CET] (900 seconds ahead)
saf_store: domain = [EDUC-FOR.LOCAL], server = [Vader.educ-for.local], expire = [1606206403]
gencache_set_data_blob: Adding cache entry with key=[SAF/DOMAIN/EDUC-FOR.LOCAL] and timeout=[mar. nov. 24 09:26:43 2020 CET] (900 seconds ahead)
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password_ext: as TEST-SMB$@EDUC-FOR.LOCAL using [MEMORY:net_ads] as ccache and config [/run/samba/smb_krb5/krb5.conf.EDUC-FOR]
kerberos_kinit_password_ext: TEST-SMB$@EDUC-FOR.LOCAL mapped to test-smb$@EDUC-FOR.LOCAL
[...]

Tcpdump capture (10.1.38.66 is the member and 10.1.1.12 is the DC):
No.	Time	Source	Destination	Protocol	Length	Info
37	1.826791	10.1.38.66	10.1.1.12	DNS	110	Standard query 0x78ea SRV _ldap._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL
38	1.827123	10.1.1.12	10.1.38.66	DNS	336	Standard query response 0x78ea SRV _ldap._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 389 yoda.educ-for.local SRV 0 100 389 palpatine.educ-for.local SRV 0 100 389 vader.educ-for.local SRV 0 100 389 Yoda.educ-for.local A 10.1.5.1 A 10.1.1.12 A 10.2.2.1 A 10.1.5.1
39	1.827353	10.1.38.66	10.1.5.1	CLDAP	140	searchRequest(29501) "<ROOT>" baseObject 
40	1.827829	10.1.5.1	10.1.38.66	CLDAP	198	searchResEntry(29501) "<ROOT>" searchResDone(29501) success  [1 result]
41	1.827973	10.1.38.66	10.1.1.12	DNS	114	Standard query 0xb3e0 SRV _kerberos._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL
42	1.829550	10.1.1.12	10.1.38.66	DNS	340	Standard query response 0xb3e0 SRV _kerberos._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 88 Yoda.educ-for.local SRV 0 100 88 yoda.educ-for.local SRV 0 100 88 palpatine.educ-for.local SRV 0 100 88 vader.educ-for.local A 10.1.5.1 A 10.1.5.1 A 10.1.1.12 A 10.2.2.1
43	1.829683	10.1.38.66	10.1.1.12	DNS	101	Standard query 0x722f SRV _kerberos._tcp.dc._msdcs.EDUC-FOR.LOCAL
44	1.830749	10.1.1.12	10.1.38.66	DNS	388	Standard query response 0x722f SRV _kerberos._tcp.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 88 palpatine.educ-for.local SRV 0 100 88 vader.educ-for.local SRV 0 100 88 Palpatine.educ-for.local SRV 0 100 88 Vader.educ-for.local SRV 0 100 88 yoda.educ-for.local A 10.1.1.12 A 10.2.2.1 A 10.1.1.12 A 10.2.2.1 A 10.1.5.1
45	1.830871	10.1.38.66	10.1.1.12	CLDAP	141	searchRequest(61399) "<ROOT>" baseObject 
46	1.830897	10.1.38.66	10.2.2.1	CLDAP	141	searchRequest(39841) "<ROOT>" baseObject 
47	1.831268	10.1.1.12	10.1.38.66	CLDAP	210	searchResEntry(61399) "<ROOT>" searchResDone(61399) success  [1 result]
48	1.833024	10.2.2.1	10.1.38.66	CLDAP	202	searchResEntry(39841) "<ROOT>" searchResDone(39841) success  [1 result]
49	1.833196	10.1.38.66	10.1.5.1	CLDAP	141	searchRequest(35575) "<ROOT>" baseObject 
50	1.833664	10.1.5.1	10.1.38.66	CLDAP	200	searchResEntry(35575) "<ROOT>" searchResDone(35575) success  [1 result]
51	1.833764	10.1.38.66	10.1.5.1	CLDAP	140	searchRequest(20088) "<ROOT>" baseObject 
52	1.834848	10.1.5.1	10.1.38.66	CLDAP	198	searchResEntry(20088) "<ROOT>" searchResDone(20088) success  [1 result]
53	1.834938	10.1.38.66	10.1.5.1	TCP	76	41114 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=1938060442 TSecr=0 WS=128
54	1.835864	10.1.5.1	10.1.38.66	TCP	76	389 → 41114 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=1057770336 TSecr=1938060442
55	1.835880	10.1.38.66	10.1.5.1	TCP	68	41114 → 389 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=1938060443 TSecr=1057770336
56	1.850768	10.1.38.66	10.1.5.1	LDAP	120	searchRequest(1) "<ROOT>" baseObject 
57	1.851097	10.1.5.1	10.1.38.66	LDAP	157	searchResEntry(1) "<ROOT>"  | searchResDone(1) success  [2 results]
58	1.851109	10.1.38.66	10.1.5.1	TCP	68	41114 → 389 [ACK] Seq=53 Ack=90 Win=64256 Len=0 TSval=1938060458 TSecr=1057770351
59	1.851191	10.1.38.66	10.1.5.1	LDAP	132	searchRequest(2) "<ROOT>" baseObject 
60	1.851892	10.1.5.1	10.1.38.66	LDAP	192	searchResEntry(2) "<ROOT>"  | searchResDone(2) success  [2 results]
61	1.851927	10.1.38.66	10.1.5.1	LDAP	94	bindRequest(3) "<ROOT>" sasl 
62	1.855256	10.1.5.1	10.1.38.66	LDAP	212	bindResponse(3) saslBindInProgress

Now, here is a non-working net ads testjoin after the upgrade to 4.13:
[...]
Successfully contacted LDAP server 10.1.5.1
Opening connection to LDAP server 'Yoda.educ-for.local:389', timeout 15 seconds
samba_tevent: Added timed event "tevent_req_timedout": 0x557678f5e220
Connecting to 10.1.5.1 at port 389
samba_tevent: Running timer event 0x557678f5e220 "tevent_req_timedout"
samba_tevent: Destroying timer event 0x557678f5e220 "tevent_req_timedout"
ads_connect: leaving with: Operations error
[...]
Join to domain is not valid: LDAP_OPERATIONS_ERROR

Tcpdump capture (10.16.2.1 is the member and 10.1.5.1 is the DC):
No.	Time	Source	Destination	Protocol	Length	Info
2	1.277433	10.16.2.1	10.1.5.1	DNS	110	Standard query 0x82f7 SRV _ldap._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL
3	1.310064	10.1.5.1	10.16.2.1	DNS	336	Standard query response 0x82f7 SRV _ldap._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 389 vader.educ-for.local SRV 0 100 389 Yoda.educ-for.local SRV 0 100 389 yoda.educ-for.local SRV 0 100 389 palpatine.educ-for.local A 10.2.2.1 A 10.1.5.1 A 10.1.5.1 A 10.1.1.12
4	1.311705	10.16.2.1	10.1.5.1	DNS	81	Standard query 0x1c5c A Yoda.educ-for.local
5	1.343982	10.1.5.1	10.16.2.1	DNS	97	Standard query response 0x1c5c A Yoda.educ-for.local A 10.1.5.1
6	1.344418	10.16.2.1	10.1.5.1	CLDAP	140	searchRequest(15790) "<ROOT>" baseObject 
7	1.376772	10.1.5.1	10.16.2.1	CLDAP	198	searchResEntry(15790) "<ROOT>" searchResDone(15790) success  [1 result]
8	1.377218	10.16.2.1	10.1.5.1	DNS	114	Standard query 0xc2b5 SRV _kerberos._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL
9	1.409620	10.1.5.1	10.16.2.1	DNS	340	Standard query response 0xc2b5 SRV _kerberos._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 88 vader.educ-for.local SRV 0 100 88 Yoda.educ-for.local SRV 0 100 88 yoda.educ-for.local SRV 0 100 88 palpatine.educ-for.local A 10.2.2.1 A 10.1.5.1 A 10.1.5.1 A 10.1.1.12
10	1.410054	10.16.2.1	10.1.5.1	DNS	101	Standard query 0xa00d SRV _kerberos._tcp.dc._msdcs.EDUC-FOR.LOCAL
11	1.442408	10.1.5.1	10.16.2.1	DNS	388	Standard query response 0xa00d SRV _kerberos._tcp.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 88 vader.educ-for.local SRV 0 100 88 Palpatine.educ-for.local SRV 0 100 88 Vader.educ-for.local SRV 0 100 88 yoda.educ-for.local SRV 0 100 88 palpatine.educ-for.local A 10.2.2.1 A 10.1.1.12 A 10.2.2.1 A 10.1.5.1 A 10.1.1.12
12	1.442824	10.16.2.1	10.2.2.1	CLDAP	140	searchRequest(704) "<ROOT>" baseObject 
13	1.442888	10.16.2.1	10.1.1.12	CLDAP	140	searchRequest(12667) "<ROOT>" baseObject 
14	1.476010	10.2.2.1	10.16.2.1	CLDAP	200	searchResEntry(704) "<ROOT>" searchResDone(704) success  [1 result]
15	1.477232	10.1.1.12	10.16.2.1	CLDAP	208	searchResEntry(12667) "<ROOT>" searchResDone(12667) success  [1 result]
16	1.477668	10.16.2.1	10.1.5.1	CLDAP	140	searchRequest(17519) "<ROOT>" baseObject 
17	1.510654	10.1.5.1	10.16.2.1	CLDAP	198	searchResEntry(17519) "<ROOT>" searchResDone(17519) success  [1 result]
18	1.511014	10.16.2.1	10.1.5.1	CLDAP	141	searchRequest(59784) "<ROOT>" baseObject 
19	1.543881	10.1.5.1	10.16.2.1	CLDAP	200	searchResEntry(59784) "<ROOT>" searchResDone(59784) success  [1 result]
20	1.544268	10.16.2.1	10.1.5.1	TCP	76	34508 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=1037243691 TSecr=0 WS=128
21	1.576118	10.1.5.1	10.16.2.1	TCP	76	389 → 34508 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1420 WS=256 SACK_PERM=1 TSval=1057631497 TSecr=1037243691
22	1.576147	10.16.2.1	10.1.5.1	TCP	56	34508 → 389 [RST] Seq=1 Win=0 Len=0

I don't understand why 10.16.2.1 is sending [RST] when initializing the LDAP connection...

I am reverting back to 4.11 (or 4.12) because I don't have the skill to debug this further.
I can do some more tests if someone could help me :-)

Have a nice day
Jordi
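To compare the two captures mechanically, here is an added example (not code from this post or from Samba) that parses Wireshark's tab-separated summary export in the layout quoted above, follows each tcp/389 flow through SYN, SYN/ACK, ACK and bind, and flags flows the client tore down with RST; it also records the MSS each side advertised, which the two captures show as 1460 from the DC in the working case and 1420 in the failing one. The sample rows are constructed from the captures above, and the regex for the Info column is my assumption about Wireshark's "sport → dport [FLAGS] ... MSS=n" wording.

```python
import re

# Constructed sample in the tab-separated layout of the captures quoted above:
# one tcp/389 flow from the working 4.11.14 member, one from the failing 4.13 member.
SAMPLE = """\
53\t1.834938\t10.1.38.66\t10.1.5.1\tTCP\t76\t41114 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=128
54\t1.835864\t10.1.5.1\t10.1.38.66\tTCP\t76\t389 → 41114 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256
55\t1.835880\t10.1.38.66\t10.1.5.1\tTCP\t68\t41114 → 389 [ACK] Seq=1 Ack=1 Win=64256 Len=0
61\t1.851927\t10.1.38.66\t10.1.5.1\tLDAP\t94\tbindRequest(3) "<ROOT>" sasl
20\t1.544268\t10.16.2.1\t10.1.5.1\tTCP\t76\t34508 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=128
21\t1.576118\t10.1.5.1\t10.16.2.1\tTCP\t76\t389 → 34508 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1420 WS=256
22\t1.576147\t10.16.2.1\t10.1.5.1\tTCP\t56\t34508 → 389 [RST] Seq=1 Win=0 Len=0
"""
# Assumed Wireshark Info wording: "<sport> → <dport> [FLAGS] ... MSS=<n>" (MSS optional).
TCP_RE = re.compile(r"^(\d+) → (\d+) \[([A-Z, ]+)\](?:.*?MSS=(\d+))?")

def classify(text, ldap_port=389):
    """Return {(client, server, client_port): {"state", "bind", "mss"}} per flow to ldap_port."""
    flows, newest = {}, {}  # newest: (client, server) -> latest flow key, for port-less LDAP rows
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 7 or not cols[0].isdigit():
            continue  # header or malformed row
        src, dst, proto, info = cols[2], cols[3], cols[4], cols[6]
        if proto == "LDAP" and info.startswith("bindRequest"):
            fl = flows.get(newest.get((src, dst)))
            if fl is not None and fl["state"] == "established":
                fl["bind"] = info.split()[-1]  # bind method, e.g. "sasl"
            continue
        m = TCP_RE.match(info) if proto == "TCP" else None
        if not m:
            continue
        sport, dport, flags = int(m[1]), int(m[2]), {f.strip() for f in m[3].split(",")}
        mss = int(m[4]) if m[4] else None
        if dport == ldap_port:  # client -> server
            key = (src, dst, sport)
            fl = flows.setdefault(key, {"state": "syn", "bind": None, "mss": {}})
            newest[(src, dst)] = key
            if "RST" in flags:
                fl["state"] = "client_rst"  # the symptom in the 4.13 capture
            elif "SYN" in flags:
                fl["mss"]["client"] = mss
            elif "ACK" in flags and fl["state"] == "syn_ack":
                fl["state"] = "established"
        elif sport == ldap_port and (dst, src, dport) in flows:  # server -> client
            fl = flows[(dst, src, dport)]
            if "RST" in flags:
                fl["state"] = "server_rst"
            elif {"SYN", "ACK"} <= flags:
                fl["state"], fl["mss"]["server"] = "syn_ack", mss
    return flows
```

Run classify() over a full export (tshark -r capture.pcap -T fields with the same columns, or Wireshark's "Export Packet Dissections as CSV" converted to tabs) and look for flows whose state is client_rst; those are the handshakes the member aborted without ever reaching the LDAP bind.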

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland penny via samba
Sent: Monday 23 November 2020 19:10
To: samba at lists.samba.org
Subject: Re: [Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2

On 23/11/2020 17:37, MORILLO Jordi via samba wrote:
> Hi Rowland,
> Sorry to inform you that none of those packages solve my problem.
>
> But today, with some help from Tranquil.it, I have some news:
>
> - Upgrade from 4.11.14 -> 4.12.9 is OK
> - Upgrade from 4.12.9 -> 4.13.2: problem is present with Tranquil.it AND Louis packages
> - Fresh install + member join with 4.13.2 is OK (Centos AND Buster packages)
>
> The problem only occurs when upgrading a member to 4.13.2 with a Windows 2016 DC.
> Here are some interesting parts of net ads testjoin -d99 between 4.11.14 and 4.13.2:
>
> 4.11.14 (working)
> [...]
> sitename_fetch: Returning sitename for realm 'EDUC-FOR.LOCAL': "Siege"
> resolve_and_ping_dns: (cldap) looking for realm 'EDUC-FOR.LOCAL'
> get_sorted_dc_list: attempting lookup for name EDUC-FOR.LOCAL (sitename Siege)
> saf_fetch: Returning "Palpatine.educ-for.local" for "EDUC-FOR.LOCAL" domain
> get_dc_list: preferred server list: "Palpatine.educ-for.local, *"
> internal_resolve_name: looking up EDUC-FOR.LOCAL#1c (sitename Siege)
> name EDUC-FOR.LOCAL#1C found.
> [...]
>
> 4.13.2 (failed)
> sitename_fetch: Returning sitename for realm 'EDUC-FOR.LOCAL': "Siege"
> resolve_and_ping_dns: (cldap) looking for realm 'EDUC-FOR.LOCAL'
> get_sorted_dc_list: attempting lookup for name EDUC-FOR.LOCAL (sitename Siege)
> saf_fetch: failed to find server for "EDUC-FOR.LOCAL" domain
> get_dc_list: preferred server list: ", *"
> internal_resolve_name: looking up EDUC-FOR.LOCAL#1c (sitename Siege)
> gencache_set_data_blob: Adding cache entry with key=[NBT/EDUC-FOR.LOCAL#1C] and timeout=[jeu. janv.  1 01:00:00 1970 CET] (-1606149379 seconds in the past)
> no entry for EDUC-FOR.LOCAL#1C found.
> resolve_ads: Attempting to resolve DCs for EDUC-FOR.LOCAL using DNS
>
Hmm, '1C' is a SMB1 thing, I wonder if the 2016 DC has SMBv1 turned off?

It seems to be a problem that involves the 2016 DC, 4.13.2 works against an AD DC.

Rowland


