[Samba] Windows 2016 RSAT not connect with samba4 DC

Rommel Rodriguez Toirac rommelrt at nauta.cu
Mon Nov 30 15:11:04 UTC 2020


On 30 November 2020 3:18:34 GMT-05:00, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>Hai, 
>
>Looks to me there is more going on here. 
>
>RSAT tools working fine here since 4.1 upto 4.13.2 now. 
>From W7 upto Latest Windows 10 used with latest RSAT tools. 
>
>Provide the info of the not working server, like : 
>- OS
>- /etc/hosts and resolv.conf
>- replication status and how you checked this. 
> 
>If the os is ubuntu or debian. 
>https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>
>Run this and and post the content. 
>
>Greetz, 
>
>Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Rommel Rodriguez Toirac via samba
>> Sent: Saturday 28 November 2020 2:09
>> To: Lista samba4
>> Subject: Re: [Samba] Windows 2016 RSAT not connect with samba4 DC
>> 
>> On 27 November 2020 17:47:10 GMT-05:00, Michael Howard
>> via samba <samba at lists.samba.org> wrote:
>> >On 27/11/2020 21:20, Rowland penny via samba wrote:
>> >> On 27/11/2020 21:10, Michael Howard via samba wrote:
>> >>> On 27/11/2020 20:42, Rommel Rodriguez Toirac via samba wrote:
>> >>>> Thanks for answering me, and thanks to Rowland.
>> >>>> I understand well now, thanks.
>> >>>> But, from Windows 2016 Server I do connect to samba4.
>> >>>>
>> >>>> samba 4.11.2 (my actual ADDC) is managed from this Windows 2016,
>> >>>> but it is impossible to connect to a samba 4.13.2 (an additional DC).
>> >>>> To one yes and to another not. That is my question.
>> >>>>
>> >>> Rommel,
>> >>>
>> >>> Uhm, actually, I think I had mis-read your situation/problem. Can I
>> >>> confirm you can use RSAT on a Server 2016 to manage your Samba 4.11.2
>> >>> instance?
>> >> I am beginning to wonder what he is on about ????
>> >>>
>> >>> Rowland,
>> >>>
>> >>> If the above is correct, what has changed in Samba (if anything),
>> >>> since 4.11.2, that would prevent the use of RSAT on Server 2016? Why
>> >>> would Web Services be running on 4.11.2 and not 4.13.2, if that is
>> >>> what Server 2016 requires?
>> >>
>> >> Initially you could download and install RSAT on a Windows
>> >> server, this has now changed, it has become a web service that runs on
>> >> a DC and you connect to that with RSAT (a different RSAT), Samba has
>> >> never run this web service, so it couldn't have worked with 4.11.2. I
>> >> think we need more info, but the language barrier isn't helping ????
>> >Ok, thanks. Sounds like the OP is actually running a different RSAT than
>> >he thinks he is. Maybe it got updated on him, behind his back, in true
>> >Windows fashion!
>> 
>> 
>> 
>>  Sorry for all the problems with my language.
>>
>>  I have installed a Windows 2016 Server Operating System and
>> added the roles of DNS, Users and Computers of Active Directory
>> and others. All of them are in Administrative Tools.
>>
>>  Using 'Users and Computers of Active Directory', with the option
>> 'Connect to another Domain Controller', I connect to samba4
>> 4.11.2 (the Active Directory Domain Controller) and I can see
>> and do the tasks with the Users, Groups and Organizational Units
>> that are created.
>>
>>  Using the same procedure, if I try to connect to samba
>> 4.13.2 (additional Domain Controller) it never happens.
>>
>>  Maybe mentioning RSAT was my mistake in the other messages,
>> sorry for the confusion.
>>
>>  Maybe, if possible, on Monday I can send to the personal email
>> some pictures that clarify the view. Is that possible?
>> 
>> -- 
>> Rommel Rodriguez Toirac
>> rommelrt at nauta.cu
>> 
>> 
>> 



Now I have tested from Windows 7 using RSAT and I cannot connect to the samba 4.13.2 (additional DC) either.

 Here are the results of the commands asked for:
 

[root at gtmad1 ~]# cat /etc/centos-release
CentOS Linux release 8.2.2004 (Core)




[root at gtmad1 ~]# cat /etc/hosts  
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
# --- BEGIN PVE ---
192.168.41.18 gtmad1.gtm.onat.gob.cu gtmad1
# --- END PVE ---




[root at gtmad1 ~]# cat /etc/resolv.conf  
# --- BEGIN PVE ---
search gtm.onat.gob.cu
nameserver 192.168.41.18
# --- END PVE ---




[root at gtmad1 ~]# samba-tool drs showrepl
Default-First-Site-Name\GTMAD1
DSA Options: 0x00000001
DSA object GUID: 03d9f4b0-72a5-47cd-b572-a33ae30b73ce
DSA invocationId: 1a022b20-9777-4366-b996-5b27a46aff42

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
       Default-First-Site-Name\GTMAD via RPC
               DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
               Last attempt @ Mon Nov 30 09:39:54 2020 CST was successful
               0 consecutive failure(s).
               Last success @ Mon Nov 30 09:39:54 2020 CST

DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
       Default-First-Site-Name\GTMAD via RPC
               DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
               Last attempt @ Mon Nov 30 09:39:54 2020 CST was successful
               0 consecutive failure(s).
               Last success @ Mon Nov 30 09:39:54 2020 CST

CN=Schema,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
       Default-First-Site-Name\GTMAD via RPC
               DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
               Last attempt @ Mon Nov 30 09:39:54 2020 CST was successful
               0 consecutive failure(s).
               Last success @ Mon Nov 30 09:39:54 2020 CST

DC=gtm,DC=onat,DC=gob,DC=cu
       Default-First-Site-Name\GTMAD via RPC
               DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
               Last attempt @ Mon Nov 30 09:39:54 2020 CST was successful
               0 consecutive failure(s).
               Last success @ Mon Nov 30 09:39:54 2020 CST

CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
       Default-First-Site-Name\GTMAD via RPC
               DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
               Last attempt @ Mon Nov 30 09:39:54 2020 CST was successful
               0 consecutive failure(s).
               Last success @ Mon Nov 30 09:39:54 2020 CST

==== OUTBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
       Default-First-Site-Name\GTMAD via RPC
               DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

DC=ForestDnsZones,DC=gtm,DC=onat,DC=gob,DC=cu
       Default-First-Site-Name\GTMAD via RPC
               DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
       Default-First-Site-Name\GTMAD via RPC
               DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

DC=gtm,DC=onat,DC=gob,DC=cu
       Default-First-Site-Name\GTMAD via RPC
               DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
       Default-First-Site-Name\GTMAD via RPC
               DSA object GUID: 968f8914-c861-4cd4-96f4-7a233880992c
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
       Connection name: 0c6a236f-edeb-486a-9791-d75de0564fc4
       Enabled        : TRUE
       Server DNS name : gtmad.gtm.onat.gob.cu
       Server DN name  : CN=NTDS Settings,CN=GTMAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
               TransportType: RPC
               options: 0x00000001
Warning: No NC replicated for Connection!




[root at gtmad1 ~]# ./samba-collect-debug-info.sh    
Please wait, collecting debug info.
 
Password for Administrator at GTM.ONAT.GOB.CU:  INFO 2020-11-30 09:55:44,894 pid:3983 /usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba//smb.conf 
INFO 2020-11-30 09:55:44,895 pid:3983 /usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/testparm.py #97: Loaded services file OK. 
./samba-collect-debug-info.sh: línea 439: dpkg: no se encontró la orden
The debug info about your system can be found in this file: /tmp/samba-debug-info.txt
Please check this and if required, sanitise it.
Then copy & paste it into an  email to the samba list
Do not attach it to the email, the Samba mailing list strips attachments.





[root at gtmad1 ~]# cat /tmp/samba-debug-info.txt  
Collected config  --- 2020-11-30-09:55 -----------

Hostname: gtmad1
DNS Domain: gtm.onat.gob.cu
FQDN: gtmad1.gtm.onat.gob.cu
ipaddress: 192.168.41.18  

-----------

Kerberos SRV _kerberos._tcp.gtm.onat.gob.cu record verified ok, sample output:  
Server:         192.168.41.18
Address:        192.168.41.18#53

_kerberos._tcp.gtm.onat.gob.cu  service = 0 100 88 gtmad.gtm.onat.gob.cu.
_kerberos._tcp.gtm.onat.gob.cu  service = 0 100 88 gtmad1.gtm.onat.gob.cu.
Samba is running as an AD DC

-----------
      Checking file: /etc/os-release

NAME="CentOS Linux"
VERSION="8 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Linux 8 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-8"
CENTOS_MANTISBT_PROJECT_VERSION="8"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="8"

-----------


This computer is running an unknown distribution x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
   inet6 ::1/128 scope host  
2: eth0 at if53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
   link/ether 7a:d6:5a:bc:a6:fa brd ff:ff:ff:ff:ff:ff link-netnsid 0
   inet 192.168.41.18/24 brd 192.168.41.255 scope global noprefixroute eth0
   inet6 fe80::78d6:5aff:febc:a6fa/64 scope link  

-----------
      Checking file: /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
# --- BEGIN PVE ---
192.168.41.18 gtmad1.gtm.onat.gob.cu gtmad1
# --- END PVE ---

-----------

      Checking file: /etc/resolv.conf

# --- BEGIN PVE ---
search gtm.onat.gob.cu
nameserver 192.168.41.18
# --- END PVE ---

-----------

      Checking file: /etc/krb5.conf

[libdefaults]
   dns_lookup_realm = false
   dns_lookup_kdc = true
   default_realm = GTM.ONAT.GOB.CU

-----------

      Checking file: /etc/nsswitch.conf

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files in /etc
#       db                      Use the pre-processed /var/db files
#       compat                  Use /etc files plus *_compat pseudo-databases
#       hesiod                  Use Hesiod (DNS) for user lookups
#       sss                     Use sssd (System Security Services Daemon)
#       [NOTFOUND=return]       Stop searching if not found so far
#
# 'sssd' performs its own 'files'-based caching, so it should
# generally come before 'files'.

# To use 'db', install the nss_db package, and put the 'db' in front
# of 'files' for entries you want to be looked up first in the
# databases, like this:
#
# passwd:    db files
# shadow:    db files
# group:     db files

passwd:      sss files systemd
shadow:     files sss
group:       sss files systemd

hosts:      files dns myhostname

bootparams: files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   sss

publickey:  files

automount:  files sss
aliases:    files

-----------

      Checking file: /etc/samba//smb.conf

# Global parameters
[global]
       netbios name = GTMAD1
       realm = GTM.ONAT.GOB.CU
       server role = active directory domain controller
       server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
       workgroup = ATGTM00
       idmap_ldb:use rfc2307  = yes

[sysvol]
       path = /usr/local/samba/var/locks/sysvol
       read only = No

[netlogon]
       path = /usr/local/samba/var/locks/sysvol/gtm.onat.gob.cu/scripts
       read only = No

-----------

Detected bind DLZ enabled..

Warning, detected bind is enabled in smb.conf, but no /etc/bind directory found

-----------

Installed packages:


-----------




[root at gtmad1 etc]# cat /etc/named.conf
# Global Configuration Options
options {

   auth-nxdomain yes;
   version "Parametro no soportado";
   directory "/var/named";
   notify no;
   empty-zones-enable no;
   dnssec-validation no;
   dnssec-enable no;
   dnssec-lookaside no;
   listen-on-v6 { none; };
   listen-on port 53 { 192.168.41.18; 127.0.0.1; };

   # IP addresses and network ranges allowed to query the DNS server:
   allow-query {
       127.0.0.1;
       192.168.41.0/24;
   };
   allow-query-cache {
       127.0.0.1;
       192.168.41.0/24;
   };

   # IP addresses and network ranges allowed to run recursive queries:
   # (Zones not served by this DNS server)
   allow-recursion {
       127.0.0.1;
       192.168.41.0/24;
   };

   # Forward queries that can not be answered from own zones
   # to these DNS servers:
   forwarders {
       10.10.8.2;
   };

   # Disable zone transfers  
   allow-transfer {
       none;
   };
   
  tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
  minimal-responses yes;

};

# Root Servers
# (Required for recursive DNS queries)
#zone "." {
#   type hint;
#   file "named.root";
#};

# localhost zone
zone "localhost" {
   type master;
   file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
   type master;
   file "master/0.0.127.zone";
};

include "/usr/local/samba/bind-dns/named.conf";


-- 
Rommel Rodriguez Toirac
rommelrt at nauta.cu
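The `samba-tool drs showrepl` output earlier in this message repeats the same five lines for every partition, which makes a single failing neighbor easy to miss by eye. The checker below is an added example, not code from this thread or from Samba: it parses that output format and reports replication failures and KCC warnings as a short list, so the replication status Louis asked about can be checked (or monitored) mechanically. The sample input embedded in it is constructed: it reuses partition names, the peer DC and timestamps shown above, but the failing `CN=Configuration` entry is invented to exercise the failure path, and the exact wording of samba-tool's failure line is an assumption, so the parser keys on the `N consecutive failure(s)` line rather than on that wording.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample modelled on the showrepl output in this thread; the failing
# CN=Configuration entry is invented and the wording of samba-tool's failure line
# is an assumption, so the parser keys on the "N consecutive failure(s)" line.
SAMPLE_SHOWREPL = r"""Default-First-Site-Name\GTMAD1
==== INBOUND NEIGHBORS ====
DC=gtm,DC=onat,DC=gob,DC=cu
        Default-First-Site-Name\GTMAD via RPC
                Last attempt @ Mon Nov 30 09:39:54 2020 CST was successful
                0 consecutive failure(s).
                Last success @ Mon Nov 30 09:39:54 2020 CST
CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
        Default-First-Site-Name\GTMAD via RPC
                Last attempt @ Mon Nov 30 09:39:54 2020 CST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                3 consecutive failure(s).
                Last success @ Sun Nov 29 18:00:00 2020 CST
==== OUTBOUND NEIGHBORS ====
DC=gtm,DC=onat,DC=gob,DC=cu
        Default-First-Site-Name\GTMAD via RPC
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
        Server DNS name : gtmad.gtm.onat.gob.cu
Warning: No NC replicated for Connection!
"""

@dataclass
class Neighbor:
    partition: str
    direction: str          # "inbound" or "outbound"
    peer: str               # e.g. Default-First-Site-Name\GTMAD
    last_attempt: str = ""
    attempt_ok: bool = False
    failures: int = 0
    last_success: str = ""

def parse_showrepl(text):
    """Return (neighbors, warnings) parsed from the INBOUND/OUTBOUND/KCC sections."""
    neighbors, warnings = [], []
    direction = partition = cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"==== (INBOUND|OUTBOUND) NEIGHBORS ====", line)
        if m:
            direction, partition, cur = m.group(1).lower(), None, None
            continue
        if line.startswith("==== KCC"):
            direction = "kcc"
            continue
        if direction in ("inbound", "outbound"):
            if not raw[0].isspace() and re.match(r"(DC|CN)=", line):
                partition = line        # partition DNs sit at column 0
                continue
            m = re.match(r"(\S+) via (\S+)$", line)
            if m and partition:
                cur = Neighbor(partition, direction, m.group(1))
                neighbors.append(cur)
                continue
            m = cur and re.match(r"Last attempt @ (.+?) (was successful|failed.*)$", line)
            if m:
                cur.last_attempt, cur.attempt_ok = m.group(1), m.group(2) == "was successful"
                continue
            m = cur and re.match(r"(\d+) consecutive failure", line)
            if m:
                cur.failures = int(m.group(1))
                continue
            m = cur and re.match(r"Last success @ (.+)$", line)
            if m:
                cur.last_success = m.group(1)
                continue
        if line.startswith("Warning:"):
            warnings.append(line)
    return neighbors, warnings

def findings(text):
    """Human-readable FAIL/INFO/WARN lines; FAIL or WARN means replication needs attention."""
    neighbors, warnings = parse_showrepl(text)
    out = []
    for n in neighbors:
        if n.failures > 0 or not n.attempt_ok:
            out.append(f"FAIL {n.direction} {n.partition} <-> {n.peer}: "
                       f"{n.failures} consecutive failure(s), last attempt {n.last_attempt}")
        elif n.last_success == "NTTIME(0)":   # zero timestamp: nothing recorded, not a failure
            out.append(f"INFO {n.direction} {n.partition} <-> {n.peer}: no timestamp recorded")
    out.extend(f"WARN {w}" for w in warnings)
    return out

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHOWREPL
    print("\n".join(findings(text) or ["OK: no replication problems found"]))
```

Run without input and it evaluates the embedded sample; on a DC, pipe the real output in with `samba-tool drs showrepl | python3 showrepl_check.py` (a hypothetical file name). Outbound entries with `NTTIME(0)` are reported as INFO only, because a zero timestamp says nothing was recorded for that direction, while a non-zero failure count or a `Warning:` line from the KCC section is what should trigger a closer look at the DC pair.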


