[Samba] Problem after update version 4.15.0
Ingo Asche
foren at asche-rz.de
Sat Oct 9 14:37:17 UTC 2021
Hi Rowland,
thanks for those instructions.
I set up my test Raspi completely from scratch. The problem is still the same
with 4.15.0: I could join my test workstation to the domain, but after a
restart no logon is possible.
I collected new debug info:
Collected config --- 2021-10-09-16:07 -----------
Hostname: GalacticaTest
DNS Domain: test.mydomain.de
FQDN: GalacticaTest.test.mydomain.de
ipaddress: 192.168.181.83
-----------
Kerberos SRV _kerberos._tcp.test.mydomain.de record verified ok, sample output:
Server: 192.168.181.83
Address: 192.168.181.83#53
_kerberos._tcp.test.mydomain.de service = 0 100 88 galacticatest.test.mydomain.de.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
-----------
This computer is running Debian 10.10 armv7l
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether b8:27:eb:f8:e8:f6 brd ff:ff:ff:ff:ff:ff
inet 192.168.181.83/24 brd 192.168.181.255 scope global eth0
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether b8:27:eb:ad:bd:a3 brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.181.83 GalacticaTest.test.mydomain.de GalacticaTest
-----------
Checking file: /etc/resolv.conf
search test.mydomain.de
nameserver 192.168.181.83
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = TEST.MYDOMAIN.DE
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
TEST.MYDOMAIN.DE = {
default_domain = test.mydomain.de
}
[domain_realm]
GalacticaTest = TEST.MYDOMAIN.DE
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files winbind sss
group: files winbind sss
shadow: files
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
#netbios name = GALACTICATEST
bind interfaces only = Yes
disable netbios = Yes
disable spoolss = Yes
interfaces = 127.0.0.1 192.168.181.83
ldap server require strong auth = No
load printers = No
log file = /var/log/samba/samba.log
logging = syslog@0 file@2
#log level = auth_audit:3 auth_json_audit:3
log level = 5
printcap name = /dev/null
realm = TEST.MYDOMAIN.DE
restrict anonymous = 2
rpc server dynamic port range = 50000-55000
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
server string = Server: AD DC %h (Samba %v)
smb ports = 445
time server = Yes
winbind enum groups = Yes
winbind enum users = Yes
workgroup = TEST
idmap_ldb:use rfc2307 = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/test.mydomain.de/scripts
read only = No
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";
-----------
Checking file: /etc/bind/named.conf.options
# Global Configuration Options
options {
auth-nxdomain yes;
directory "/var/cache/bind";
notify no;
empty-zones-enable no;
# IP addresses and network ranges allowed to query the DNS server:
allow-query {
127.0.0.1;
192.168.181.0/24;
};
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
# IP addresses and network ranges allowed to run recursive queries:
# (Zones not served by this DNS server)
allow-recursion {
127.0.0.1;
192.168.181.0/24;
};
# Forward queries that can not be answered from own zones
# to these DNS servers:
forwarders {
9.9.9.9;
149.112.112.112;
};
dnssec-enable no;
dnssec-validation no;
minimal-responses yes;
allow-transfer {
none;
};
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list: WARNING: The option -k|--kerberos is deprecated!
2 zone(s) found
pszZoneName : test.mydomain.de
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.test.mydomain.de
pszZoneName : _msdcs.test.mydomain.de
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.test.mydomain.de
Samba DNS zone list Automated check :
zone : test.mydomain.de ok, no Bind flat-files found
-----------
zone : _msdcs.test.mydomain.de ok, no Bind flat-files found
-----------
Installed packages:
ii acl 2.2.53-4 armhf access control list - utilities
ii attr 1:2.4.48-4 armhf utilities for manipulating filesystem extended attributes
ii bind9 1:9.11.5.P4+dfsg-5.1+deb10u5 armhf Internet Domain Name Server
ii bind9-host 1:9.11.5.P4+dfsg-5.1+deb10u5 armhf DNS lookup utility (deprecated)
ii bind9utils 1:9.11.5.P4+dfsg-5.1+deb10u5 armhf Utilities for BIND
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3+deb10u2 all internationalization support for MIT Kerberos
ii krb5-user 1.17-3+deb10u2 armhf basic programs to authenticate using MIT Kerberos
ii libacl1:armhf 2.2.53-4 armhf access control list - shared library
ii libattr1:armhf 1:2.4.48-4 armhf extended attribute handling - shared library
ii libbind9-161:armhf 1:9.11.5.P4+dfsg-5.1+deb10u5 armhf BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:armhf 1.17-3+deb10u2 armhf MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:armhf 1.17-3+deb10u2 armhf MIT Kerberos runtime libraries
ii libkrb5support0:armhf 1.17-3+deb10u2 armhf MIT Kerberos runtime libraries - Support library
ii libnss-winbind:armhf 2:4.15.0+dfsg-0.1buster1 armhf Samba nameservice integration plugins
ii libpam-krb5:armhf 4.8-2+deb10u1 armhf PAM module for MIT Kerberos
ii libpam-winbind:armhf 2:4.15.0+dfsg-0.1buster1 armhf Windows domain authentication integration plugin
ii libsmbclient:armhf 2:4.15.0+dfsg-0.1buster1 armhf shared library for communication with SMB/CIFS servers
ii libwbclient0:armhf 2:4.15.0+dfsg-0.1buster1 armhf Samba winbind client library
ii python3-samba 2:4.15.0+dfsg-0.1buster1 armhf Python 3 bindings for Samba
ii samba 2:4.15.0+dfsg-0.1buster1 armhf SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.15.0+dfsg-0.1buster1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.15.0+dfsg-0.1buster1 armhf Samba common files used by both the server and the client
ii samba-dsdb-modules:armhf 2:4.15.0+dfsg-0.1buster1 armhf Samba Directory Services Database
ii samba-libs:armhf 2:4.15.0+dfsg-0.1buster1 armhf Samba core libraries
ii samba-vfs-modules:armhf 2:4.15.0+dfsg-0.1buster1 armhf Samba Virtual FileSystem plugins
ii smbclient 2:4.15.0+dfsg-0.1buster1 armhf command-line SMB/CIFS clients for Unix
ii winbind 2:4.15.0+dfsg-0.1buster1 armhf service to resolve user and group information from Windows NT servers
-----------
I also have a log of the login attempt:
Oct 9 16:00:47 GalacticaTest pi: samba start logon test
Oct 9 16:00:51 GalacticaTest samba[721]: dreplsrv_notify_schedule: dreplsrv_notify_schedule(5) scheduled for: Sat Oct 9 16:00:57 2021 CEST
Oct 9 16:00:55 GalacticaTest samba[721]: messaging_dgm_ref: messaging_dgm_get_unique returned Success
Oct 9 16:00:55 GalacticaTest samba[721]: messaging_dgm_ref: unique = 9003500339812973685
Oct 9 16:00:55 GalacticaTest samba[721]: Received krb5 TCP packet of length 221 from ipv4:192.168.181.12:51338
Oct 9 16:00:55 GalacticaTest samba[721]: kdc_process: Received KDC packet of length 213 from ipv4:192.168.181.12:51338
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: AS-REQ administrator@test from ipv4:192.168.181.12:51338 for krbtgt/test@test
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: Client sent patypes: 128
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: Looking for PKINIT pa-data -- administrator@test
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: Looking for ENC-TS pa-data -- administrator@test
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: No preauth found, returning PREAUTH-REQUIRED -- administrator@test
Oct 9 16:00:55 GalacticaTest samba[721]: stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Oct 9 16:00:55 GalacticaTest samba[721]: msg_dgm_ref_destructor: refs=0x235c3b0
Oct 9 16:00:55 GalacticaTest samba[721]: messaging_dgm_ref: messaging_dgm_get_unique returned Success
Oct 9 16:00:55 GalacticaTest samba[721]: messaging_dgm_ref: unique = 14757258945690797531
Oct 9 16:00:55 GalacticaTest samba[721]: Received krb5 TCP packet of length 301 from ipv4:192.168.181.12:51339
Oct 9 16:00:55 GalacticaTest samba[721]: kdc_process: Received KDC packet of length 293 from ipv4:192.168.181.12:51339
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: AS-REQ administrator@test from ipv4:192.168.181.12:51339 for krbtgt/test@test
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: Client sent patypes: encrypted-timestamp, 128
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: Looking for PKINIT pa-data -- administrator@test
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: Looking for ENC-TS pa-data -- administrator@test
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: ENC-TS Pre-authentication succeeded -- administrator@test using aes256-cts-hmac-sha1-96
Oct 9 16:00:55 GalacticaTest samba[721]: Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[administrator@test] at [Sat, 09 Oct 2021 16:00:55.243500 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.181.12:51339] became [TEST]\[Administrator] [S-1-5-21-1045046306-3905977456-3949580285-500]. local host [NULL]
Oct 9 16:00:55 GalacticaTest samba[721]: {"timestamp": "2021-10-09T16:00:55.243811+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "4236639d193492ec", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.181.12:51339", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "administrator@test", "workstation": null, "becameAccount": "Administrator", "becameDomain": "TEST", "becameSid": "S-1-5-21-1045046306-3905977456-3949580285-500", "mappedAccount": "Administrator", "mappedDomain": "TEST", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 37815}}
Oct 9 16:00:55 GalacticaTest samba[721]: authsam_account_ok: Checking SMB password for user administrator@test
Oct 9 16:00:55 GalacticaTest samba[721]: logon_hours_ok: No hours restrictions for user administrator@test
Oct 9 16:00:55 GalacticaTest samba[721]: lastLogonTimestamp is 132782567889406750
Oct 9 16:00:55 GalacticaTest samba[721]: sync interval is 14
Oct 9 16:00:55 GalacticaTest samba[721]: randomised sync interval is 10 (-4)
Oct 9 16:00:55 GalacticaTest samba[721]: old timestamp is 132782567889406750, threshold 132773976552442150, diff 8591336964600
Oct 9 16:00:55 GalacticaTest samba[721]: ldb:acl_modify: lastLogon
Oct 9 16:00:55 GalacticaTest samba[721]: DSDB Change [Modify] at [Sat, 09 Oct 2021 16:00:55.258062 CEST] status [Success] remote host [Unknown] SID [S-1-5-18] DN [CN=Administrator,CN=Users,DC=test,DC=mydomain,DC=de] attributes [replace: lastLogon [132782616552442150] replace: logonCount [16]]
Oct 9 16:00:55 GalacticaTest samba[721]: {"timestamp": "2021-10-09T16:00:55.258352+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "CN=Administrator,CN=Users,DC=test,DC=mydomain,DC=de", "transactionId": "0bde82fa-2553-41dc-a867-8eb237fa80f0", "sessionId": "b6e47e71-fd7f-4de9-9788-90f3f2f77455", "attributes": {"lastLogon": {"actions": [{"action": "replace", "values": [{"value": "132782616552442150"}]}]}, "logonCount": {"actions": [{"action": "replace", "values": [{"value": "16"}]}]}}}}
Oct 9 16:00:55 GalacticaTest samba[721]: DSDB Transaction [commit] at [Sat, 09 Oct 2021 16:00:55.272218 CEST] duration [26961]
Oct 9 16:00:55 GalacticaTest samba[721]: {"timestamp": "2021-10-09T16:00:55.272380+0200", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "commit", "transactionId": "0bde82fa-2553-41dc-a867-8eb237fa80f0", "duration": 26961}}
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: AS-REQ authtime: 2021-10-09T16:00:55 starttime: unset endtime: 2021-10-10T02:00:55 renew till: 2021-10-16T16:00:55
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
Oct 9 16:00:55 GalacticaTest samba[721]: stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Oct 9 16:00:55 GalacticaTest samba[721]: msg_dgm_ref_destructor: refs=0x1d400f8
Oct 9 16:00:55 GalacticaTest samba[721]: messaging_dgm_ref: messaging_dgm_get_unique returned Success
Oct 9 16:00:55 GalacticaTest samba[721]: messaging_dgm_ref: unique = 14757258945690797531
Oct 9 16:00:55 GalacticaTest samba[721]: Received krb5 TCP packet of length 1588 from ipv4:192.168.181.12:51340
Oct 9 16:00:55 GalacticaTest samba[721]: kdc_process: Received KDC packet of length 1580 from ipv4:192.168.181.12:51340
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: TGS-REQ Administrator@TEST.MYDOMAIN.DE from ipv4:192.168.181.12:51340 for host/galacticatst.test.mydomain.de@TEST.MYDOMAIN.DE [canonicalize, renewable, forwardable]
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: gendb_search_v: DC=test,DC=mydomain,DC=de NULL -> 1
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: TGS-REQ authtime: 2021-10-09T16:00:55 starttime: 2021-10-09T16:00:55 endtime: 2021-10-10T02:00:55 renew till: 2021-10-16T16:00:55
Oct 9 16:00:55 GalacticaTest samba[721]: stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Oct 9 16:00:55 GalacticaTest samba[721]: msg_dgm_ref_destructor: refs=0x1d400f8
Oct 9 16:00:56 GalacticaTest samba[721]: dreplsrv_notify_schedule: dreplsrv_notify_schedule(5) scheduled for: Sat Oct 9 16:01:02 2021 CEST
Oct 9 16:01:00 GalacticaTest pi: samba end logon test
To be on the safe side, I joined the test workstation to my 4.14.8
domain and tried to log in. This worked without a problem. So at first
sight it seems that the Windows installation is not the problem. By the
way, it is a current Windows 10 21H1.
Rejoining the test domain worked, but again no login is possible.
Regards
Ingo
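Added example, not part of Ingo's post and not Samba project code: a small Python script that reconstructs the Kerberos AS-REQ/TGS-REQ exchanges from a Samba AD DC log of the kind shown above, using the "Kerberos:" KDC lines and the JSON "Authentication" audit records that the post's log level produces. It groups messages by the client's source ip:port and reports, per request, whether the DC answered PREAUTH-REQUIRED, accepted ENC-TS pre-authentication, and issued the ticket, so one can see at a glance that the DC side of the logon completed (TGT issued, then a host/ service ticket requested). SAMPLE_LOG is a constructed excerpt modelled on the post's lines; the regexes match the exact message formats visible in this log and are an assumption for other Samba versions.

```python
"""Reconstruct Kerberos AS/TGS exchanges from a Samba AD DC log excerpt.

Added example (not from the post or from Samba). Works on the 'Kerberos:'
KDC lines and the JSON 'Authentication' audit records that Samba's KDC
writes; SAMPLE_LOG below is a constructed excerpt modelled on the post.
"""
import json
import re

SAMPLE_LOG = """\
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: AS-REQ administrator@test from ipv4:192.168.181.12:51338 for krbtgt/test@test
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: Client sent patypes: 128
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: No preauth found, returning PREAUTH-REQUIRED -- administrator@test
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: AS-REQ administrator@test from ipv4:192.168.181.12:51339 for krbtgt/test@test
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: Client sent patypes: encrypted-timestamp, 128
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: ENC-TS Pre-authentication succeeded -- administrator@test using aes256-cts-hmac-sha1-96
Oct 9 16:00:55 GalacticaTest samba[721]: {"timestamp": "2021-10-09T16:00:55.243811+0200", "type": "Authentication", "Authentication": {"eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.168.181.12:51339", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientAccount": "administrator@test", "becameAccount": "Administrator", "becameDomain": "TEST", "becameSid": "S-1-5-21-1045046306-3905977456-3949580285-500", "passwordType": "aes256-cts-hmac-sha1-96"}}
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: AS-REQ authtime: 2021-10-09T16:00:55 starttime: unset endtime: 2021-10-10T02:00:55 renew till: 2021-10-16T16:00:55
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: TGS-REQ Administrator@TEST.MYDOMAIN.DE from ipv4:192.168.181.12:51340 for host/galacticatst.test.mydomain.de@TEST.MYDOMAIN.DE [canonicalize, renewable, forwardable]
Oct 9 16:00:55 GalacticaTest samba[721]: Kerberos: TGS-REQ authtime: 2021-10-09T16:00:55 starttime: 2021-10-09T16:00:55 endtime: 2021-10-10T02:00:55 renew till: 2021-10-16T16:00:55
"""

# syslog prefix "Mon DD HH:MM:SS host samba[pid]: " followed by the message
PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ samba\[\d+\]: (.*)$")
REQ = re.compile(r"^Kerberos: (AS-REQ|TGS-REQ) (\S+) from (\S+) for (\S+)")
PREAUTH_REQ = re.compile(r"^Kerberos: No preauth found, returning PREAUTH-REQUIRED -- (\S+)$")
PREAUTH_OK = re.compile(r"^Kerberos: ENC-TS Pre-authentication succeeded -- (\S+) using (\S+)$")
# the 'authtime/endtime' line is what the KDC logs once it has built the ticket
ISSUED = re.compile(r"^Kerberos: (AS-REQ|TGS-REQ) authtime: \S+ starttime: \S+ endtime: (\S+)")


def parse_exchanges(text):
    """Return one dict per KDC request, in log order, keyed by source ip:port."""
    exchanges, current = [], None
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("{"):
            # JSON audit record: attach it to the exchange with the same remote address
            try:
                rec = json.loads(msg)
            except ValueError:
                continue
            if rec.get("type") != "Authentication":
                continue
            auth = rec["Authentication"]
            for ex in exchanges:
                if ex["source"] == auth.get("remoteAddress"):
                    ex["audit_status"] = auth.get("status")
                    ex["became_sid"] = auth.get("becameSid")
                    ex["event_id"] = auth.get("eventId")
            continue
        m = REQ.match(msg)
        if m:
            # a new request opens a new exchange; later lines belong to it
            current = {"kind": m.group(1), "client": m.group(2), "source": m.group(3),
                       "service": m.group(4), "result": "pending"}
            exchanges.append(current)
            continue
        if current is None:
            continue
        if PREAUTH_REQ.match(msg):
            current["result"] = "PREAUTH-REQUIRED"   # expected first round trip
        elif (m := PREAUTH_OK.match(msg)):
            current["result"] = "preauth-ok"
            current["enctype"] = m.group(2)
        elif (m := ISSUED.match(msg)) and m.group(1) == current["kind"]:
            current["result"] = "issued"
            current["endtime"] = m.group(2)
    return exchanges


def summarize(exchanges):
    """Condense the exchanges into the facts a DC-side logon triage needs."""
    tgts = [e for e in exchanges if e["kind"] == "AS-REQ" and e["result"] == "issued"]
    tgs = [e for e in exchanges if e["kind"] == "TGS-REQ"]
    return {
        "tgt_issued": bool(tgts),
        "preauth_enctypes": sorted({e["enctype"] for e in exchanges if "enctype" in e}),
        "audit_ok": any(e.get("audit_status") == "NT_STATUS_OK" for e in exchanges),
        "service_tickets": [(e["service"], e["result"]) for e in tgs],
        "sids": sorted({e["became_sid"] for e in exchanges if e.get("became_sid")}),
    }


if __name__ == "__main__":
    exs = parse_exchanges(SAMPLE_LOG)
    for ex in exs:
        print(ex["kind"], ex["source"], ex["service"], "->", ex["result"])
    print(summarize(exs))
```

Run against a real `/var/log/samba/samba.log` by feeding its contents to `parse_exchanges`; a logon that stalls on the DC side shows up as an AS-REQ that never reaches "issued" or as a missing TGS-REQ for the workstation's host/ principal, whereas a log like the one in the post ends with both issued, which points the investigation at the client side of the exchange.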