[Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2
MORILLO Jordi
j.morillo at educationetformation.fr
Tue Nov 24 09:28:02 UTC 2020
Here is my last research (error at the bottom):
Working 4.11.14:
net ads join -d99
[...]
Successfully contacted LDAP server 10.2.2.1
Opening connection to LDAP server '10.2.2.1:389', timeout 15 seconds
Initialized connection for LDAP server 'ldap://10.2.2.1:389'
Connected to LDAP server Vader.educ-for.local
ads_closest_dc: NBT_SERVER_CLOSEST flag set
saf_store: domain = [EDUC-FOR], server = [Vader.educ-for.local], expire = [1606206403]
gencache_set_data_blob: Adding cache entry with key=[SAF/DOMAIN/EDUC-FOR] and timeout=[mar. nov. 24 09:26:43 2020 CET] (900 seconds ahead)
saf_store: domain = [EDUC-FOR.LOCAL], server = [Vader.educ-for.local], expire = [1606206403]
gencache_set_data_blob: Adding cache entry with key=[SAF/DOMAIN/EDUC-FOR.LOCAL] and timeout=[mar. nov. 24 09:26:43 2020 CET] (900 seconds ahead)
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password_ext: as TEST-SMB$@EDUC-FOR.LOCAL using [MEMORY:net_ads] as ccache and config [/run/samba/smb_krb5/krb5.conf.EDUC-FOR]
kerberos_kinit_password_ext: TEST-SMB$@EDUC-FOR.LOCAL mapped to test-smb$@EDUC-FOR.LOCAL
[...]
Tcpdump capture (10.1.38.66 is member and 10.1.1.12 is DC):
No. Time Source Destination Protocol Length Info
37 1.826791 10.1.38.66 10.1.1.12 DNS 110 Standard query 0x78ea SRV _ldap._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL
38 1.827123 10.1.1.12 10.1.38.66 DNS 336 Standard query response 0x78ea SRV _ldap._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 389 yoda.educ-for.local SRV 0 100 389 palpatine.educ-for.local SRV 0 100 389 vader.educ-for.local SRV 0 100 389 Yoda.educ-for.local A 10.1.5.1 A 10.1.1.12 A 10.2.2.1 A 10.1.5.1
39 1.827353 10.1.38.66 10.1.5.1 CLDAP 140 searchRequest(29501) "<ROOT>" baseObject
40 1.827829 10.1.5.1 10.1.38.66 CLDAP 198 searchResEntry(29501) "<ROOT>" searchResDone(29501) success [1 result]
41 1.827973 10.1.38.66 10.1.1.12 DNS 114 Standard query 0xb3e0 SRV _kerberos._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL
42 1.829550 10.1.1.12 10.1.38.66 DNS 340 Standard query response 0xb3e0 SRV _kerberos._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 88 Yoda.educ-for.local SRV 0 100 88 yoda.educ-for.local SRV 0 100 88 palpatine.educ-for.local SRV 0 100 88 vader.educ-for.local A 10.1.5.1 A 10.1.5.1 A 10.1.1.12 A 10.2.2.1
43 1.829683 10.1.38.66 10.1.1.12 DNS 101 Standard query 0x722f SRV _kerberos._tcp.dc._msdcs.EDUC-FOR.LOCAL
44 1.830749 10.1.1.12 10.1.38.66 DNS 388 Standard query response 0x722f SRV _kerberos._tcp.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 88 palpatine.educ-for.local SRV 0 100 88 vader.educ-for.local SRV 0 100 88 Palpatine.educ-for.local SRV 0 100 88 Vader.educ-for.local SRV 0 100 88 yoda.educ-for.local A 10.1.1.12 A 10.2.2.1 A 10.1.1.12 A 10.2.2.1 A 10.1.5.1
45 1.830871 10.1.38.66 10.1.1.12 CLDAP 141 searchRequest(61399) "<ROOT>" baseObject
46 1.830897 10.1.38.66 10.2.2.1 CLDAP 141 searchRequest(39841) "<ROOT>" baseObject
47 1.831268 10.1.1.12 10.1.38.66 CLDAP 210 searchResEntry(61399) "<ROOT>" searchResDone(61399) success [1 result]
48 1.833024 10.2.2.1 10.1.38.66 CLDAP 202 searchResEntry(39841) "<ROOT>" searchResDone(39841) success [1 result]
49 1.833196 10.1.38.66 10.1.5.1 CLDAP 141 searchRequest(35575) "<ROOT>" baseObject
50 1.833664 10.1.5.1 10.1.38.66 CLDAP 200 searchResEntry(35575) "<ROOT>" searchResDone(35575) success [1 result]
51 1.833764 10.1.38.66 10.1.5.1 CLDAP 140 searchRequest(20088) "<ROOT>" baseObject
52 1.834848 10.1.5.1 10.1.38.66 CLDAP 198 searchResEntry(20088) "<ROOT>" searchResDone(20088) success [1 result]
53 1.834938 10.1.38.66 10.1.5.1 TCP 76 41114 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=1938060442 TSecr=0 WS=128
54 1.835864 10.1.5.1 10.1.38.66 TCP 76 389 → 41114 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=1057770336 TSecr=1938060442
55 1.835880 10.1.38.66 10.1.5.1 TCP 68 41114 → 389 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=1938060443 TSecr=1057770336
56 1.850768 10.1.38.66 10.1.5.1 LDAP 120 searchRequest(1) "<ROOT>" baseObject
57 1.851097 10.1.5.1 10.1.38.66 LDAP 157 searchResEntry(1) "<ROOT>" | searchResDone(1) success [2 results]
58 1.851109 10.1.38.66 10.1.5.1 TCP 68 41114 → 389 [ACK] Seq=53 Ack=90 Win=64256 Len=0 TSval=1938060458 TSecr=1057770351
59 1.851191 10.1.38.66 10.1.5.1 LDAP 132 searchRequest(2) "<ROOT>" baseObject
60 1.851892 10.1.5.1 10.1.38.66 LDAP 192 searchResEntry(2) "<ROOT>" | searchResDone(2) success [2 results]
61 1.851927 10.1.38.66 10.1.5.1 LDAP 94 bindRequest(3) "<ROOT>" sasl
62 1.855256 10.1.5.1 10.1.38.66 LDAP 212 bindResponse(3) saslBindInProgress
Now, here is a non-working net ads testjoin after upgrade to 4.13:
[...]
Successfully contacted LDAP server 10.1.5.1
Opening connection to LDAP server 'Yoda.educ-for.local:389', timeout 15 seconds
samba_tevent: Added timed event "tevent_req_timedout": 0x557678f5e220
Connecting to 10.1.5.1 at port 389
samba_tevent: Running timer event 0x557678f5e220 "tevent_req_timedout"
samba_tevent: Destroying timer event 0x557678f5e220 "tevent_req_timedout"
ads_connect: leaving with: Operations error
[...]
Join to domain is not valid: LDAP_OPERATIONS_ERROR
Tcpdump capture (10.16.2.1 is member and 10.1.5.1 is DC):
No. Time Source Destination Protocol Length Info
2 1.277433 10.16.2.1 10.1.5.1 DNS 110 Standard query 0x82f7 SRV _ldap._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL
3 1.310064 10.1.5.1 10.16.2.1 DNS 336 Standard query response 0x82f7 SRV _ldap._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 389 vader.educ-for.local SRV 0 100 389 Yoda.educ-for.local SRV 0 100 389 yoda.educ-for.local SRV 0 100 389 palpatine.educ-for.local A 10.2.2.1 A 10.1.5.1 A 10.1.5.1 A 10.1.1.12
4 1.311705 10.16.2.1 10.1.5.1 DNS 81 Standard query 0x1c5c A Yoda.educ-for.local
5 1.343982 10.1.5.1 10.16.2.1 DNS 97 Standard query response 0x1c5c A Yoda.educ-for.local A 10.1.5.1
6 1.344418 10.16.2.1 10.1.5.1 CLDAP 140 searchRequest(15790) "<ROOT>" baseObject
7 1.376772 10.1.5.1 10.16.2.1 CLDAP 198 searchResEntry(15790) "<ROOT>" searchResDone(15790) success [1 result]
8 1.377218 10.16.2.1 10.1.5.1 DNS 114 Standard query 0xc2b5 SRV _kerberos._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL
9 1.409620 10.1.5.1 10.16.2.1 DNS 340 Standard query response 0xc2b5 SRV _kerberos._tcp.Siege._sites.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 88 vader.educ-for.local SRV 0 100 88 Yoda.educ-for.local SRV 0 100 88 yoda.educ-for.local SRV 0 100 88 palpatine.educ-for.local A 10.2.2.1 A 10.1.5.1 A 10.1.5.1 A 10.1.1.12
10 1.410054 10.16.2.1 10.1.5.1 DNS 101 Standard query 0xa00d SRV _kerberos._tcp.dc._msdcs.EDUC-FOR.LOCAL
11 1.442408 10.1.5.1 10.16.2.1 DNS 388 Standard query response 0xa00d SRV _kerberos._tcp.dc._msdcs.EDUC-FOR.LOCAL SRV 0 100 88 vader.educ-for.local SRV 0 100 88 Palpatine.educ-for.local SRV 0 100 88 Vader.educ-for.local SRV 0 100 88 yoda.educ-for.local SRV 0 100 88 palpatine.educ-for.local A 10.2.2.1 A 10.1.1.12 A 10.2.2.1 A 10.1.5.1 A 10.1.1.12
12 1.442824 10.16.2.1 10.2.2.1 CLDAP 140 searchRequest(704) "<ROOT>" baseObject
13 1.442888 10.16.2.1 10.1.1.12 CLDAP 140 searchRequest(12667) "<ROOT>" baseObject
14 1.476010 10.2.2.1 10.16.2.1 CLDAP 200 searchResEntry(704) "<ROOT>" searchResDone(704) success [1 result]
15 1.477232 10.1.1.12 10.16.2.1 CLDAP 208 searchResEntry(12667) "<ROOT>" searchResDone(12667) success [1 result]
16 1.477668 10.16.2.1 10.1.5.1 CLDAP 140 searchRequest(17519) "<ROOT>" baseObject
17 1.510654 10.1.5.1 10.16.2.1 CLDAP 198 searchResEntry(17519) "<ROOT>" searchResDone(17519) success [1 result]
18 1.511014 10.16.2.1 10.1.5.1 CLDAP 141 searchRequest(59784) "<ROOT>" baseObject
19 1.543881 10.1.5.1 10.16.2.1 CLDAP 200 searchResEntry(59784) "<ROOT>" searchResDone(59784) success [1 result]
20 1.544268 10.16.2.1 10.1.5.1 TCP 76 34508 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=1037243691 TSecr=0 WS=128
21 1.576118 10.1.5.1 10.16.2.1 TCP 76 389 → 34508 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1420 WS=256 SACK_PERM=1 TSval=1057631497 TSecr=1037243691
22 1.576147 10.16.2.1 10.1.5.1 TCP 56 34508 → 389 [RST] Seq=1 Win=0 Len=0
I don't understand why 10.16.2.1 is sending [RST] when initializing the LDAP connection...
I reverted back to 4.11 (or 4.12) because I don't have the skill to debug further.
I can do some more tests if someone could help me :-)
Have a nice day
Jordi
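As an added illustration (not part of the original mail), this script scans tshark-style summary lines like the captures above and flags tcp/389 handshakes where the client answers the DC's SYN/ACK with RST instead of ACK, which is the exact symptom in the 4.13.2 capture. The sample lines are constructed to mirror the two captures in the mail; the function and regex are my own.

```python
import re

# Constructed sample modelled on the captures in the mail: the 4.11.14 member
# completes the handshake (ACK) and sends LDAP; the 4.13.2 member sends RST.
SAMPLE = """\
53 1.834938 10.1.38.66 10.1.5.1 TCP 76 41114 → 389 [SYN] Seq=0 Win=64240 Len=0
54 1.835864 10.1.5.1 10.1.38.66 TCP 76 389 → 41114 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0
55 1.835880 10.1.38.66 10.1.5.1 TCP 68 41114 → 389 [ACK] Seq=1 Ack=1 Win=64256 Len=0
56 1.850768 10.1.38.66 10.1.5.1 LDAP 120 searchRequest(1) "<ROOT>" baseObject
20 1.544268 10.16.2.1 10.1.5.1 TCP 76 34508 → 389 [SYN] Seq=0 Win=64240 Len=0
21 1.576118 10.1.5.1 10.16.2.1 TCP 76 389 → 34508 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0
22 1.576147 10.16.2.1 10.1.5.1 TCP 56 34508 → 389 [RST] Seq=1 Win=0 Len=0
"""

# Matches only TCP summary lines: frame, time, src, dst, ports and the flag list.
LINE = re.compile(
    r"^\d+\s+(?P<t>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sport>\d+)\s+→\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)


def aborted_handshakes(text, port=389):
    """Return (client, server, client_port, rst_delay_s) for every flow to `port`
    where the client replied to the server's SYN/ACK with RST instead of ACK."""
    state = {}  # (client, server, client_port) -> (phase, time of last packet)
    hits = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        flags = {f.strip() for f in m["flags"].split(",")}
        t = float(m["t"])
        if flags == {"SYN"} and int(m["dport"]) == port:
            state[(m["src"], m["dst"], m["sport"])] = ("syn", t)
        elif flags == {"SYN", "ACK"} and int(m["sport"]) == port:
            flow = (m["dst"], m["src"], m["dport"])
            if flow in state:
                state[flow] = ("synack", t)
        else:
            flow = (m["src"], m["dst"], m["sport"])
            phase, last = state.get(flow, (None, 0.0))
            if phase == "synack":
                # Third packet from the client decides: ACK completes, RST aborts.
                if "RST" in flags:
                    hits.append((*flow, round(t - last, 6)))
                state.pop(flow, None)
    return hits


if __name__ == "__main__":
    for client, server, cport, delay in aborted_handshakes(SAMPLE):
        print(f"{client}:{cport} -> {server}:389 aborted with RST after {delay}s")
```

Feed it `tshark -r capture.pcap` summary output to see whether only the member's own LDAP connections are aborted, which points at the client side rather than the DC.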
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland penny via samba
Sent: Monday 23 November 2020 19:10
To: samba at lists.samba.org
Subject: Re: [Samba] domain member file server failed after upgrade from 4.11.14 to 4.13.2
On 23/11/2020 17:37, MORILLO Jordi via samba wrote:
> Hi Rowland,
> Sorry to inform you that none of those packages solve my problem.
>
> But today, with some help from Tranquil.it, I have some news:
>
> - Upgrade from 4.11.14 -> 4.12.9 is OK
> - Upgrade from 4.12.9 -> 4.13.2 : problem is present with Tranquil.it
> AND Louis package
> - Fresh install + member join with 4.13.2 is OK (Centos AND Buster
> packages)
>
> The problem only occurs when upgrading a member to 4.13.2 with a Windows 2016 DC.
> Here are some interesting parts of net ads testjoin -d99 between 4.11.14 and 4.13.2:
>
> 4.11.14 (working)
> [...]
> sitename_fetch: Returning sitename for realm 'EDUC-FOR.LOCAL': "Siege"
> resolve_and_ping_dns: (cldap) looking for realm 'EDUC-FOR.LOCAL'
> get_sorted_dc_list: attempting lookup for name EDUC-FOR.LOCAL
> (sitename Siege)
> saf_fetch: Returning "Palpatine.educ-for.local" for "EDUC-FOR.LOCAL"
> domain
> get_dc_list: preferred server list: "Palpatine.educ-for.local, *"
> internal_resolve_name: looking up EDUC-FOR.LOCAL#1c (sitename Siege)
> name EDUC-FOR.LOCAL#1C found.
> [...]
>
> 4.13.2 (failed)
> sitename_fetch: Returning sitename for realm 'EDUC-FOR.LOCAL': "Siege"
> resolve_and_ping_dns: (cldap) looking for realm 'EDUC-FOR.LOCAL'
> get_sorted_dc_list: attempting lookup for name EDUC-FOR.LOCAL
> (sitename Siege)
> saf_fetch: failed to find server for "EDUC-FOR.LOCAL" domain
> get_dc_list: preferred server list: ", *"
> internal_resolve_name: looking up EDUC-FOR.LOCAL#1c (sitename Siege)
> gencache_set_data_blob: Adding cache entry with
> key=[NBT/EDUC-FOR.LOCAL#1C] and timeout=[jeu. janv. 1 01:00:00 1970 CET] (-1606149379 seconds in the past) no entry for EDUC-FOR.LOCAL#1C found.
> resolve_ads: Attempting to resolve DCs for EDUC-FOR.LOCAL using DNS
>
Hmm, '1C' is an SMB1 thing, I wonder if the 2016 DC has SMBv1 turned off?
It seems to be a problem that involves the 2016 DC, 4.13.2 works against an AD DC.
Rowland