[Samba] Recently joined RODC loses machine accounts

Mitja Tavčar mitja at mttv.it
Mon Dec 9 14:04:16 UTC 2024



On 06/12/24 13:20, Rowland Penny via samba wrote:
> On Fri, 6 Dec 2024 12:29:03 +0100
> Mitja Tavčar via samba <samba at lists.samba.org> wrote:
> 
>> On 06/12/24 10:45, Rowland Penny via samba wrote:
>>> On Fri, 6 Dec 2024 10:19:31 +0100
>>> Mitja Tavčar via samba <samba at lists.samba.org> wrote:
>>>
>>>> But the machine accounts are not completely lost, they seem lost
>>>> if I query the Read Only DC, when I query some of the other DC the
>>>> machine accounts result ok.
>>>>
>>>> I have found that restarting winbind seems to solve the problem but
>>>> only for some short time. So I set up a testing script that checks
>>>> join every 5 minutes and eventually restarts winbind.
>>>>
>>>> The output is this:
>>>> [Thu 05 Dec 2024 03:40:02 PM CET] - Join is OK
>>>> [Thu 05 Dec 2024 03:45:01 PM CET] - Join is OK
>>>> [Thu 05 Dec 2024 03:50:03 PM CET] - Join is OK
>>>> [Thu 05 Dec 2024 03:55:01 PM CET] - Not joined - restart winbind
>>>> [Thu 05 Dec 2024 04:00:02 PM CET] - Join is OK
>>>> [Thu 05 Dec 2024 04:05:03 PM CET] - Join is OK
>>>> [Thu 05 Dec 2024 04:10:01 PM CET] - Join is OK
>>>> [Thu 05 Dec 2024 04:15:02 PM CET] - Not joined - restart winbind
>>>>
>>>
>>> So, AD doesn't lose the clients, it is the clients that lose AD.
>>>
>>> Try adding 'winbind refresh tickets = yes' to the clients smb.conf
>>> file and restarting Samba.
>>>
>>
>> I added winbind refresh tickets = yes and restarted samba, smbd and
>> winbind. But nothing seems to change.
> 
> If you are starting the 'samba', 'smbd' and 'winbindd' binaries, then
> something is very wrong.
> 
> You only start the 'samba' binary on a Samba AD DC, this will then
> start the other required binaries.

I restarted "smbd" and "winbind" on the domain member and "samba" on the RODC.
Anyway nothing changes.


>> [2024/12/06 12:05:04.722326,  1, traceid=1]
>> source3/libsmb/namequery.c:3487(get_sorted_dc_list)
>> get_sorted_dc_list: No server for domain 'INTRA.COMUNE.TRENTO.IT'
>> available in site 'PSN', fallback to all servers [2024/12/06
>> 12:05:08.142492,  1, traceid=1]
>> lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug) ldb: Unable to open tdb
>> '/var/lib/samba/private/secrets.ldb': No such file or directory
> 
> I think this is because it is an RODC, but is the RODC using itself as
> its first nameserver ?

Yes, resolv.conf:
search intra.comune.trento.it
nameserver 10.50.10.230	      <- this is RODC
nameserver 192.168.10.232

and /etc/hosts
127.0.0.1	localhost
10.50.10.230	lvsrvdc.intra.comune.trento.it	lvsrvdc


> You will probably get more in the logs if you raise the log level in
> smb.conf on the RODC, try '4'

I have a lot of output, mostly lines like this....

Discarding older DRS attribute update to dBCSPwd on CN=(redacted name) ,DC=intra,DC=comune,DC=trento,DC=it from 3a04bf76-1027-4839-bc45-570bad3efc59
[2024/12/09 12:02:40.746938,  3] source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6428(replmd_replicated_apply_merge)


So I filtered them out and found something about the member server that loses connection.

....
[2024/12/09 14:54:34.547981,  3] lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
   ldb_wrap open of secrets.ldb
[2024/12/09 14:54:34.559556,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: Probing for AS-REQ
[2024/12/09 14:54:34.559634,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: Not a FAST request
[2024/12/09 14:54:34.559652,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT from ipv4:10.50.10.28:42012 for krbtgt/INTRA.COMUNE.TRENTO.IT at INTRA.COMUNE.TRENTO.IT
[2024/12/09 14:54:34.560576,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: UNKNOWN -- PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT: no such entry found in hdb
[2024/12/09 14:54:34.560590,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=2
[2024/12/09 14:54:34.560612,  2] auth/auth_log.c:858(log_authentication_event_human_readable)
   Auth: [Kerberos KDC,AS-REQ] user [(null)]\[PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT] at [Mon, 09 Dec 2024 14:54:34.560607 CET] with [(null)] status [NT_STATUS_NO_SUCH_USER] workstation [(null)] remote host [ipv4:10.50.10.28:42012] mapped to [(null)]\[(null)]. local host [NULL]
   {"timestamp": "2024-12-09T14:54:34.560638+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4625, "logonId": "16df769bcc3cc6f2", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": null, "remoteAddress": "ipv4:10.50.10.28:42012", "serviceDescription": "Kerberos KDC", "authDescription": "AS-REQ", "clientDomain": null, "clientAccount": "PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT", "workstation": null, "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": null, "clientPolicyAccessCheck": null, "serverPolicyAccessCheck": null, "duration": 1107}}
[2024/12/09 14:54:34.560676,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: as-req: sending error: -1765328378 to client
[2024/12/09 14:54:34.560684,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: Making non-FAST KRB-ERROR
[2024/12/09 14:54:34.560712,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.001174
[2024/12/09 14:54:34.560721,  3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ ERR_C_PRINCIPAL_UNKNOWN ipv4:10.50.10.28:42012 PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT krbtgt/INTRA.COMUNE.TRENTO.IT at INTRA.COMUNE.TRENTO.IT elapsed=0.001174
[2024/12/09 14:54:34.561336,  3] auth/ntlmssp/ntlmssp_util.c:78(debug_ntlmssp_flags)
   Got NTLMSSP neg_flags=0x62088235
     NTLMSSP_NEGOTIATE_UNICODE
     NTLMSSP_REQUEST_TARGET
     NTLMSSP_NEGOTIATE_SIGN
     NTLMSSP_NEGOTIATE_SEAL
     NTLMSSP_NEGOTIATE_NTLM
     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
     NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
     NTLMSSP_NEGOTIATE_VERSION
     NTLMSSP_NEGOTIATE_128
     NTLMSSP_NEGOTIATE_KEY_EXCH
[2024/12/09 14:54:34.561764,  3] auth/ntlmssp/ntlmssp_server.c:512(ntlmssp_server_preauth)
   Got user=[PSN-LVSRV39$] domain=[INTRA] workstation=[PSN-LVSRV39] len1=24 len2=358
[2024/12/09 14:54:34.561786,  3] source4/auth/ntlm/auth.c:206(auth_check_password_send)
   auth_check_password_send: Checking password for unmapped user [INTRA]\[PSN-LVSRV39$]@[PSN-LVSRV39]
   auth_check_password_send: user is: [INTRA]\[PSN-LVSRV39$]@[PSN-LVSRV39]
[2024/12/09 14:54:34.562012,  3] source4/auth/sam.c:1558(authsam_search_account)
   authsam_search_account: Couldn't find user [PSN-LVSRV39$] in samdb, under DC=intra,DC=comune,DC=trento,DC=it
[2024/12/09 14:54:34.562024,  2] source4/auth/ntlm/auth.c:399(auth_check_password_recv)
   auth_check_password_recv: sam authentication for user [INTRA\PSN-LVSRV39$] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2024/12/09 14:54:34.562039,  2] auth/auth_log.c:858(log_authentication_event_human_readable)
   Auth: [LDAP,NTLMSSP] user [INTRA]\[PSN-LVSRV39$] at [Mon, 09 Dec 2024 14:54:34.562033 CET] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [PSN-LVSRV39] remote host [ipv4:10.50.10.28:38194] mapped to [INTRA]\[PSN-LVSRV39$]. local host [ipv4:10.50.10.230:389]
   {"timestamp": "2024-12-09T14:54:34.562065+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:10.50.10.230:389", "remoteAddress": "ipv4:10.50.10.28:38194", "serviceDescription": "LDAP", "authDescription": "NTLMSSP", "clientDomain": "INTRA", "clientAccount": "PSN-LVSRV39$", "workstation": "PSN-LVSRV39", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "PSN-LVSRV39$", "mappedDomain": "INTRA", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "clientPolicyAccessCheck": null, "serverPolicyAccessCheck": null, "duration": 773}}
[2024/12/09 14:54:34.562092,  3] auth/gensec/spnego.c:1426(gensec_spnego_server_negTokenTarg_step)
   gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_SUCH_USER
[2024/12/09 14:54:34.562284,  3] source4/samba/service_stream.c:67(stream_terminate_connection)
   stream_terminate_connection: Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET'
   added interface ens192 ip=10.50.10.230 bcast=10.50.11.255 netmask=255.255.254.0
   added interface ens192 ip=10.50.10.230 bcast=10.50.11.255 netmask=255.255.254.0
   added interface ens192 ip=10.50.10.230 bcast=10.50.11.255 netmask=255.255.254.0
[2024/12/09 14:54:36.695367,  3] source4/dsdb/repl/drepl_service.c:207(_drepl_schedule_replication)
   _drepl_schedule_replication: forcing sync of partition (0cebda0e-fad7-49a0-87d4-58dd6094f221, DC=intra,DC=comune,DC=trento,DC=it, 
4c07570f-4e39-486e-b4fc-bd0a842fc69c._msdcs.intra.comune.trento.it)
[2024/12/09 14:54:36.770574,  4] source4/dsdb/samdb/ldb_modules/operational.c:404(construct_parent_guid)
   source4/dsdb/samdb/ldb_modules/operational.c:404: Object DC=intra,DC=comune,DC=trento,DC=it is NC
   Initial DRS replication modify DN of 0cebda0e-fad7-49a0-87d4-58dd6094f221 is: DC=intra,DC=comune,DC=trento,DC=it
   Final DRS replication modify DN of 0cebda0e-fad7-49a0-87d4-58dd6094f221 is DC=intra,DC=comune,DC=trento,DC=it




-- 
Mitja Tavčar
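Added example, not part of the thread or of Samba itself: a small triage script that parses the JSON auth-audit records Samba writes at log level 2 and up (the `{"timestamp": ..., "type": "Authentication", ...}` lines quoted above) and lists machine accounts the DC rejected with NT_STATUS_NO_SUCH_USER, per service. The sample records are constructed from the values quoted in the logs above, with some audit fields omitted; the function names are mine.

```python
import json
from collections import Counter

# Constructed sample modelled on the RODC log above: the Kerberos AS-REQ and
# the LDAP/NTLMSSP failure for PSN-LVSRV39$, plus one successful logon of a
# different member to show that only failures are reported.
SAMPLE_LOG = r'''
[2024/12/09 14:54:34.560612,  2] auth/auth_log.c:858(log_authentication_event_human_readable)
   {"timestamp": "2024-12-09T14:54:34.560638+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": null, "remoteAddress": "ipv4:10.50.10.28:42012", "serviceDescription": "Kerberos KDC", "authDescription": "AS-REQ", "clientDomain": null, "clientAccount": "PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT", "workstation": null, "passwordType": null, "duration": 1107}}
   {"timestamp": "2024-12-09T14:54:34.562065+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:10.50.10.230:389", "remoteAddress": "ipv4:10.50.10.28:38194", "serviceDescription": "LDAP", "authDescription": "NTLMSSP", "clientDomain": "INTRA", "clientAccount": "PSN-LVSRV39$", "workstation": "PSN-LVSRV39", "passwordType": "NTLMv2", "duration": 773}}
   {"timestamp": "2024-12-09T14:55:01.000000+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.50.10.230:389", "remoteAddress": "ipv4:10.50.10.41:50122", "serviceDescription": "LDAP", "authDescription": "NTLMSSP", "clientDomain": "INTRA", "clientAccount": "PSN-LVSRV40$", "workstation": "PSN-LVSRV40", "passwordType": "NTLMv2", "duration": 500}}
'''


def iter_auth_events(text):
    """Yield the 'Authentication' dict of every JSON audit record in the log text."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # human-readable Auth: lines and debug output are skipped
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # wrapped or truncated line; not a complete record
        if rec.get("type") == "Authentication":
            yield rec["Authentication"]


def account_name(ev):
    """Normalise clientAccount: Kerberos records carry the realm, NTLMSSP ones do not."""
    acct = ev.get("clientAccount") or ""
    return acct.split("@", 1)[0].upper()


def machine_account_failures(text):
    """Return {(account, service, status): count} for failed machine-account logons.

    Machine accounts are recognised by the trailing '$' of the sAMAccountName.
    """
    counts = Counter()
    for ev in iter_auth_events(text):
        name = account_name(ev)
        if not name.endswith("$") or ev.get("status") == "NT_STATUS_OK":
            continue
        counts[(name, ev.get("serviceDescription"), ev.get("status"))] += 1
    return dict(counts)


def accounts_unknown_to_this_dc(text):
    """Machine accounts this DC answered NO_SUCH_USER for over more than one
    service (KDC and LDAP): the DC's own database lacks the entry, which is what
    'no such entry found in hdb' and 'Couldn't find user ... in samdb' report."""
    services = {}
    for (name, svc, status), _ in machine_account_failures(text).items():
        if status == "NT_STATUS_NO_SUCH_USER":
            services.setdefault(name, set()).add(svc)
    return sorted(name for name, svcs in services.items() if len(svcs) > 1)
```

Feed it the RODC's log.samba (or the output of `journalctl` if Samba logs there) instead of SAMPLE_LOG; an account listed by accounts_unknown_to_this_dc is one to compare between the RODC and a writable DC.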