[Samba] Unable to contact RPC server on a new DC

Andrey Repin anrdaemon at yandex.ru
Tue Nov 7 17:00:40 UTC 2023


Greetings, Rowland Penny via samba!

> OK, I give in, why have 4 emails from Andrey Repin, that were
> apparently sent in May & June of this year, just appeared in my mail
> client?

Don't worry, your sanity is not affected. My mail provider changed its
submission policy without sufficient notification, causing my transit mail
server to block its mail queue since last August.

Anyway, here's some news on the subject: a routine server upgrade uncovered an
IP address conflict on the local network.

It turned out that when I was setting up DC2, I did not add its address to the
infrastructure DNS zone.
When I was setting up a new infra server for tests a short while later, I
checked the infra zone and picked the next free address… which,
unsurprisingly, was the same as DC2's.
Having solved this, I get a stable "Domain join OK" on every domain member,
but I am still unable to authenticate users using winbind.

Notable parts of the domain controller logs follow:

log.samba:

[2023/11/07 18:56:05.882689,  1] ../../source4/nbt_server/register.c:165(nbtd_register_name_handler)
  Error registering DARKDRAGON<1b> with 192.168.1.19 on interface 192.168.1.255 - NT_STATUS_CONFLICTING_ADDRESSES
[2023/11/07 18:56:20.887545,  1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
  Doing a full scan on DC=ForestDnsZones,DC=ads,DC=darkdragon,DC=lan and looking for deleted objects
[2023/11/07 18:56:20.890975,  1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
  Doing a full scan on DC=DomainDnsZones,DC=ads,DC=darkdragon,DC=lan and looking for deleted objects
[2023/11/07 18:56:21.039408,  1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
  Doing a full scan on DC=ads,DC=darkdragon,DC=lan and looking for deleted objects
[2023/11/07 18:56:21.098762,  1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
  Doing a full scan on CN=Configuration,DC=ads,DC=darkdragon,DC=lan and looking for deleted objects
[2023/11/07 18:56:25.913081,  0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
  dnsupdate_nameupdate_done: Failed DNS update with exit code 110

log.smbd: lots of messages like these right from the start:

[2023/11/07 18:56:08.211331,  1] ../../source3/printing/printer_list.c:255(printer_list_get_last_refresh)
  Failed to fetch record!
[2023/11/07 18:56:11.590717,  0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1124) in user token to a UID.  Conversion was returned as type 0, full token:
[2023/11/07 18:56:11.590888,  0] ../../libcli/security/security_token.c:51(security_token_debug)
  Security token SIDs (8):
    SID[  0]: S-1-5-21-2269650170-3990761244-2407083512-1124
    SID[  1]: S-1-5-21-2269650170-3990761244-2407083512-515
    SID[  2]: S-1-1-0
    SID[  3]: S-1-5-2
    SID[  4]: S-1-5-11
    SID[  5]: S-1-5-64-10
    SID[  6]: S-1-5-32-554
    SID[  7]: S-1-5-32-545
   Privileges (0x          800000):
    Privilege[  0]: SeChangeNotifyPrivilege
   Rights (0x             400):
    Right[  0]: SeRemoteInteractiveLogonRight

[2023/11/07 18:56:29.811430,  0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1117) in user token to a UID.  Conversion was returned as type 0, full token:
[2023/11/07 18:56:29.812183,  0] ../../libcli/security/security_token.c:51(security_token_debug)
  Security token SIDs (8):
    SID[  0]: S-1-5-21-2269650170-3990761244-2407083512-1117
    SID[  1]: S-1-5-21-2269650170-3990761244-2407083512-515
    SID[  2]: S-1-1-0
    SID[  3]: S-1-5-2
    SID[  4]: S-1-5-11
    SID[  5]: S-1-5-64-10
    SID[  6]: S-1-5-32-554
    SID[  7]: S-1-5-32-545
   Privileges (0x          800000):
    Privilege[  0]: SeChangeNotifyPrivilege
   Rights (0x             400):
    Right[  0]: SeRemoteInteractiveLogonRight
[2023/11/07 18:56:30.307255,  0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1106) in user token to a UID.  Conversion was returned as type 0, full token:
[2023/11/07 18:56:30.308127,  0] ../../libcli/security/security_token.c:51(security_token_debug)
  Security token SIDs (8):
    SID[  0]: S-1-5-21-2269650170-3990761244-2407083512-1106
    SID[  1]: S-1-5-21-2269650170-3990761244-2407083512-515
    SID[  2]: S-1-1-0
    SID[  3]: S-1-5-2
    SID[  4]: S-1-5-11
    SID[  5]: S-1-5-64-10
    SID[  6]: S-1-5-32-554
    SID[  7]: S-1-5-32-545
   Privileges (0x          800000):
    Privilege[  0]: SeChangeNotifyPrivilege
   Rights (0x             400):
    Right[  0]: SeRemoteInteractiveLogonRight

AD DC configuration:

# Global parameters
[global]
        auto services = homes
        client ldap sasl wrapping = sign
        dns forwarder = 192.168.1.12
        dos charset = CP866
        logging = systemd
        log level = 1
        netbios name = DC2
        panic action = /usr/share/samba/panic-action %d
        printcap name = /dev/null
        realm = ADS.DARKDRAGON.LAN
        server role = active directory domain controller
        template homedir = /home/%U
        template shell = /bin/bash
        tls enabled = Yes
        tls priority = NORMAL:-VERS-SSL3.0:+VERS-TLS-ALL
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = DARKDRAGON
        idmap config darkdragon : unix_nss_info = yes
        idmap config darkdragon : unix_primary_group = yes
        idmap config darkdragon : range = 2048-131071
        idmap config darkdragon : schema_mode = rfc2307
        idmap config darkdragon : backend = ad
        idmap config * : range = 1024-2047
        idmap config * : schema_mode = rfc2307
        idmap config * : backend = tdb
        idmap_ldb : use rfc2307 = Yes
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr

[netlogon]
        comment = Network Logon Service
        csc policy = disable
        path = /var/lib/samba/sysvol/ads.darkdragon.lan/scripts
        read only = No

[sysvol]
        comment = Domain System Volume
        csc policy = disable
        path = /var/lib/samba/sysvol
        read only = No


Member server:

# Global parameters
[global]
        dos charset = CP866
        workgroup = DARKDRAGON
        realm = ADS.DARKDRAGON.LAN
        netbios name = DAEMON1
        interfaces = lo mac0
        bind interfaces only = Yes
        security = ADS
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        log level = 1
        server min protocol = NT1
        min protocol = NT1
        client min protocol = NT1
        client ldap sasl wrapping = sign
        printcap name = /dev/null
        preferred master = Yes
        local master = Yes
        domain master = Yes
        browse list = Yes
        wins server = 127.0.0.1
        wins support = Yes
        preload = homes
        auto services = homes
        panic action = /usr/share/samba/panic-action %d
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        client ipc min protocol = NT1
        idmap config darkdragon : unix_nss_info = yes
        idmap config darkdragon : unix_primary_group = yes
        idmap config darkdragon : range = 2048-131071
        idmap config darkdragon : schema_mode = rfc2307
        idmap config darkdragon : backend = ad
        idmap config * : range = 1024-2047
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

[netlogon]
        comment = Network Logon Service
        path = /home/.samba/netlogon
        read only = No
        csc policy = disable

[homes]
        comment = Home Directory
        path = /home/%S
        valid users = %S
        read only = No
        browseable = No
        csc policy = disable
        follow symlinks = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No
        csc policy = disable

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

[arc]
        comment = Software archive
        path = /srv/arc
        read only = No
        browseable = No
        csc policy = disable

And in case it is of any relevance,
# samba-tool dbcheck --cross-ncs
Checking 3532 objects
WARNING: no target object found for GUID component for DN value msDS-NC-Replica-Locations in object CN=8bb6015d-6fa6-42c8-8227-342efcb172bb,CN=Partitions,CN=Configuration,DC=ads,DC=darkdragon,DC=lan - <GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335880000000>;<RMD_CHANGETIME=131154335880000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3654>;<RMD_ORIGINATING_USN=3634>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan
WARNING: target DN is deleted for msDS-NC-Replica-Locations in object CN=8bb6015d-6fa6-42c8-8227-342efcb172bb,CN=Partitions,CN=Configuration,DC=ads,DC=darkdragon,DC=lan - <GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335880000000>;<RMD_CHANGETIME=131154335880000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3654>;<RMD_ORIGINATING_USN=3634>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan
Target GUID points at deleted DN '<GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335880000000>;<RMD_CHANGETIME=131154335880000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3654>;<RMD_ORIGINATING_USN=3634>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan'
Not removing
WARNING: no target object found for GUID component for DN value msDS-NC-Replica-Locations in object CN=a6fed93a-b3f0-4d96-bd5e-65e0c081b127,CN=Partitions,CN=Configuration,DC=ads,DC=darkdragon,DC=lan - <GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335860000000>;<RMD_CHANGETIME=131154335860000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3658>;<RMD_ORIGINATING_USN=3626>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan
WARNING: target DN is deleted for msDS-NC-Replica-Locations in object CN=a6fed93a-b3f0-4d96-bd5e-65e0c081b127,CN=Partitions,CN=Configuration,DC=ads,DC=darkdragon,DC=lan - <GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335860000000>;<RMD_CHANGETIME=131154335860000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3658>;<RMD_ORIGINATING_USN=3626>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan
Target GUID points at deleted DN '<GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335860000000>;<RMD_CHANGETIME=131154335860000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3658>;<RMD_ORIGINATING_USN=3626>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan'
Not removing
Checked 3532 objects (0 errors)



-- 
With best regards,
Andrey Repin
Monday, November 6, 2023 23:42:24

Sorry for my terrible English...
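As an added example (not code from the post, nor from Samba), a small Python triage script for the two artefacts quoted above: it parses the `idmap config` lines from an smb.conf excerpt, flags domains with a missing backend or range and ranges that overlap one another, and extracts the SIDs that winbind failed to map to a UID from log.smbd lines in the format shown. The embedded config and log snippets are constructed from the post.

```python
import re

# Constructed sample: the "idmap config" lines from the smb.conf excerpts in the post.
SMB_CONF = """
idmap config darkdragon : range = 2048-131071
idmap config darkdragon : backend = ad
idmap config * : range = 1024-2047
idmap config * : backend = tdb
"""
# Constructed sample log lines, in the log.smbd format shown in the post.
LOG = """
[2023/11/07 18:56:11.590717,  0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1124) in user token to a UID.  Conversion was returned as type 0, full token:
[2023/11/07 18:56:29.811430,  0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1117) in user token to a UID.  Conversion was returned as type 0, full token:
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
FAILED_RE = re.compile(r"Unable to convert first SID \((S-1-5-21-\d+-\d+-\d+)-(\d+)\)")

def parse_idmap(conf):
    """Return {domain: {option: value}} from 'idmap config' lines (domain keys lower-cased)."""
    cfg = {}
    for dom, opt, val in IDMAP_RE.findall(conf):
        cfg.setdefault(dom.lower(), {})[opt] = val
    return cfg

def check_ranges(cfg):
    """Flag domains missing a backend or range, and UID/GID ranges that overlap one another."""
    issues, ranges = [], {}
    for dom, opts in cfg.items():
        issues += [f"{dom}: missing '{k}'" for k in ("backend", "range") if k not in opts]
        if "range" in opts:
            lo, hi = opts["range"].split("-", 1)
            ranges[dom] = (int(lo), int(hi))
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                issues.append(f"{a} and {b} ranges overlap")
    return issues

def failed_sids(log):
    """Return {domain_sid: sorted RIDs} for every SID winbind could not map to a UID."""
    out = {}
    for dom_sid, rid in FAILED_RE.findall(log):
        out.setdefault(dom_sid, set()).add(int(rid))
    return {k: sorted(v) for k, v in out.items()}
```

Run `check_ranges(parse_idmap(open("/etc/samba/smb.conf").read()))` against a real smb.conf and `failed_sids()` over the real log.smbd to get the same two summaries for a live host.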

