[Samba] Recently joined RODC loses machine accounts
Mitja Tavčar
mitja at mttv.it
Mon Dec 9 14:04:16 UTC 2024
On 06/12/24 13:20, Rowland Penny via samba wrote:
> On Fri, 6 Dec 2024 12:29:03 +0100
> Mitja Tavčar via samba <samba at lists.samba.org> wrote:
>
>> On 06/12/24 10:45, Rowland Penny via samba wrote:
>>> On Fri, 6 Dec 2024 10:19:31 +0100
>>> Mitja Tavčar via samba <samba at lists.samba.org> wrote:
>>>
>>>> But the machine accounts are not completely lost; they seem lost
>>>> if I query the Read Only DC, but when I query some of the other DCs the
>>>> machine accounts are OK.
>>>>
>>>> I have found that restarting winbind seems to solve the problem, but
>>>> only for a short time. So I set up a testing script that checks the
>>>> join every 5 minutes and eventually restarts winbind.
>>>>
>>>> The output is this:
>>>> [Thu 05 Dec 2024 03:40:02 PM CET] - Join is OK
>>>> [Thu 05 Dec 2024 03:45:01 PM CET] - Join is OK
>>>> [Thu 05 Dec 2024 03:50:03 PM CET] - Join is OK
>>>> [Thu 05 Dec 2024 03:55:01 PM CET] - Not joined - restart winbind
>>>> [Thu 05 Dec 2024 04:00:02 PM CET] - Join is OK
>>>> [Thu 05 Dec 2024 04:05:03 PM CET] - Join is OK
>>>> [Thu 05 Dec 2024 04:10:01 PM CET] - Join is OK
>>>> [Thu 05 Dec 2024 04:15:02 PM CET] - Not joined - restart winbind
>>>>
>>>
>>> So, AD doesn't lose the clients, it is the clients that lose AD.
>>>
>>> Try adding 'winbind refresh tickets = yes' to the clients smb.conf
>>> file and restarting Samba.
>>>
>>
>> I added winbind refresh tickets = yes and restarted samba, smbd and
>> winbind. But nothing seems to change.
>
> If you are starting the 'samba', 'smbd' and 'winbindd' binaries, then
> something is very wrong.
>
> You only start the 'samba' binary on a Samba AD DC, this will then
> start the other required binaries.
I restarted "smbd" and "winbind" on the domain member and "samba" on the RODC.
Anyway, nothing changes.
>> [2024/12/06 12:05:04.722326, 1, traceid=1]
>> source3/libsmb/namequery.c:3487(get_sorted_dc_list)
>> get_sorted_dc_list: No server for domain 'INTRA.COMUNE.TRENTO.IT'
>> available in site 'PSN', fallback to all servers [2024/12/06
>> 12:05:08.142492, 1, traceid=1]
>> lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug) ldb: Unable to open tdb
>> '/var/lib/samba/private/secrets.ldb': No such file or directory
>
> I think this is because it is an RODC, but is the RODC using itself as
> its first nameserver ?
Yes, resolv.conf:
search intra.comune.trento.it
nameserver 10.50.10.230 <- this is RODC
nameserver 192.168.10.232
and /etc/hosts
127.0.0.1 localhost
10.50.10.230 lvsrvdc.intra.comune.trento.it lvsrvdc
> You will probably get more in the logs if you raise the log level in
> smb.conf on the RODC, try '4'
I have a lot of output; mostly it is lines like this....
Discarding older DRS attribute update to dBCSPwd on CN=(redacted name) ,DC=intra,DC=comune,DC=trento,DC=it from 3a04bf76-1027-4839-bc45-570bad3efc59
[2024/12/09 12:02:40.746938, 3] source4/dsdb/samdb/ldb_modules/repl_meta_data.c:6428(replmd_replicated_apply_merge)
So I filtered them out and I found something about the member server that loses the connection.
....
[2024/12/09 14:54:34.547981, 3] lib/ldb-samba/ldb_wrap.c:340(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2024/12/09 14:54:34.559556, 3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Probing for AS-REQ
[2024/12/09 14:54:34.559634, 3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Not a FAST request
[2024/12/09 14:54:34.559652, 3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: AS-REQ PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT from ipv4:10.50.10.28:42012 for krbtgt/INTRA.COMUNE.TRENTO.IT at INTRA.COMUNE.TRENTO.IT
[2024/12/09 14:54:34.560576, 3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: UNKNOWN -- PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT: no such entry found in hdb
[2024/12/09 14:54:34.560590, 3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=2
[2024/12/09 14:54:34.560612, 2] auth/auth_log.c:858(log_authentication_event_human_readable)
Auth: [Kerberos KDC,AS-REQ] user [(null)]\[PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT] at [Mon, 09 Dec 2024 14:54:34.560607 CET] with [(null)] status [NT_STATUS_NO_SUCH_USER] workstation [(null)] remote host [ipv4:10.50.10.28:42012] mapped to [(null)]\[(null)]. local host [NULL]
{"timestamp": "2024-12-09T14:54:34.560638+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4625, "logonId": "16df769bcc3cc6f2", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": null, "remoteAddress": "ipv4:10.50.10.28:42012", "serviceDescription": "Kerberos KDC", "authDescription": "AS-REQ", "clientDomain": null, "clientAccount": "PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT", "workstation": null, "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": null, "clientPolicyAccessCheck": null, "serverPolicyAccessCheck": null, "duration": 1107}}
[2024/12/09 14:54:34.560676, 3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: as-req: sending error: -1765328378 to client
[2024/12/09 14:54:34.560684, 3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Making non-FAST KRB-ERROR
[2024/12/09 14:54:34.560712, 3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.001174
[2024/12/09 14:54:34.560721, 3] source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: AS-REQ ERR_C_PRINCIPAL_UNKNOWN ipv4:10.50.10.28:42012 PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT krbtgt/INTRA.COMUNE.TRENTO.IT at INTRA.COMUNE.TRENTO.IT elapsed=0.001174
[2024/12/09 14:54:34.561336, 3] auth/ntlmssp/ntlmssp_util.c:78(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2024/12/09 14:54:34.561764, 3] auth/ntlmssp/ntlmssp_server.c:512(ntlmssp_server_preauth)
Got user=[PSN-LVSRV39$] domain=[INTRA] workstation=[PSN-LVSRV39] len1=24 len2=358
[2024/12/09 14:54:34.561786, 3] source4/auth/ntlm/auth.c:206(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user [INTRA]\[PSN-LVSRV39$]@[PSN-LVSRV39]
auth_check_password_send: user is: [INTRA]\[PSN-LVSRV39$]@[PSN-LVSRV39]
[2024/12/09 14:54:34.562012, 3] source4/auth/sam.c:1558(authsam_search_account)
authsam_search_account: Couldn't find user [PSN-LVSRV39$] in samdb, under DC=intra,DC=comune,DC=trento,DC=it
[2024/12/09 14:54:34.562024, 2] source4/auth/ntlm/auth.c:399(auth_check_password_recv)
auth_check_password_recv: sam authentication for user [INTRA\PSN-LVSRV39$] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2024/12/09 14:54:34.562039, 2] auth/auth_log.c:858(log_authentication_event_human_readable)
Auth: [LDAP,NTLMSSP] user [INTRA]\[PSN-LVSRV39$] at [Mon, 09 Dec 2024 14:54:34.562033 CET] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [PSN-LVSRV39] remote host [ipv4:10.50.10.28:38194] mapped to [INTRA]\[PSN-LVSRV39$]. local host [ipv4:10.50.10.230:389]
{"timestamp": "2024-12-09T14:54:34.562065+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 3}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:10.50.10.230:389", "remoteAddress": "ipv4:10.50.10.28:38194", "serviceDescription": "LDAP", "authDescription": "NTLMSSP", "clientDomain": "INTRA", "clientAccount": "PSN-LVSRV39$", "workstation": "PSN-LVSRV39", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "PSN-LVSRV39$", "mappedDomain": "INTRA", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "clientPolicyAccessCheck": null, "serverPolicyAccessCheck": null, "duration": 773}}
[2024/12/09 14:54:34.562092, 3] auth/gensec/spnego.c:1426(gensec_spnego_server_negTokenTarg_step)
gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_SUCH_USER
[2024/12/09 14:54:34.562284, 3] source4/samba/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET'
added interface ens192 ip=10.50.10.230 bcast=10.50.11.255 netmask=255.255.254.0
added interface ens192 ip=10.50.10.230 bcast=10.50.11.255 netmask=255.255.254.0
added interface ens192 ip=10.50.10.230 bcast=10.50.11.255 netmask=255.255.254.0
[2024/12/09 14:54:36.695367, 3] source4/dsdb/repl/drepl_service.c:207(_drepl_schedule_replication)
_drepl_schedule_replication: forcing sync of partition (0cebda0e-fad7-49a0-87d4-58dd6094f221, DC=intra,DC=comune,DC=trento,DC=it,
4c07570f-4e39-486e-b4fc-bd0a842fc69c._msdcs.intra.comune.trento.it)
[2024/12/09 14:54:36.770574, 4] source4/dsdb/samdb/ldb_modules/operational.c:404(construct_parent_guid)
source4/dsdb/samdb/ldb_modules/operational.c:404: Object DC=intra,DC=comune,DC=trento,DC=it is NC
Initial DRS replication modify DN of 0cebda0e-fad7-49a0-87d4-58dd6094f221 is: DC=intra,DC=comune,DC=trento,DC=it
Final DRS replication modify DN of 0cebda0e-fad7-49a0-87d4-58dd6094f221 is DC=intra,DC=comune,DC=trento,DC=it
--
Mitja Tavčar
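As an added example (editor's code, not from the thread or the Samba project), a small Python filter over the JSON "Authentication" audit records quoted above: it picks out machine accounts (names ending in `$`) that a DC rejected with NT_STATUS_NO_SUCH_USER, which on an RODC is the signature of a computer object missing from its replicated copy. The two failure records mirror the ones in the thread; the success record and the field subset are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of Samba's JSON Authentication audit log.
# The two NT_STATUS_NO_SUCH_USER records mirror the thread; the NT_STATUS_OK
# record is made up. Real records carry more fields than are kept here.
SAMPLE_LOG = """
{"timestamp": "2024-12-09T14:54:34.560638+0100", "type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:10.50.10.28:42012", "serviceDescription": "Kerberos KDC", "authDescription": "AS-REQ", "clientDomain": null, "clientAccount": "PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT"}}
{"timestamp": "2024-12-09T14:54:34.562065+0100", "type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:10.50.10.28:38194", "serviceDescription": "LDAP", "authDescription": "NTLMSSP", "clientDomain": "INTRA", "clientAccount": "PSN-LVSRV39$"}}
{"timestamp": "2024-12-09T14:55:10.000000+0100", "type": "Authentication", "Authentication": {"eventId": 4624, "status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.50.10.31:50211", "serviceDescription": "LDAP", "authDescription": "NTLMSSP", "clientDomain": "INTRA", "clientAccount": "alice"}}
"""


def account_name(raw):
    """Normalise 'NAME', 'NAME@REALM' or 'DOMAIN\\NAME' to upper-case NAME."""
    name = raw.split("@", 1)[0]
    name = name.rsplit("\\", 1)[-1]
    return name.upper()


def is_machine_account(raw):
    # AD computer accounts end with '$' (PSN-LVSRV39$ in the thread).
    return account_name(raw).endswith("$")


def unknown_machine_accounts(log_text):
    """Return {account: [(service, auth, remote), ...]} for every record in
    which a machine account was rejected with NT_STATUS_NO_SUCH_USER."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # real logs interleave human-readable lines; skip them
        if rec.get("type") != "Authentication":
            continue
        auth = rec["Authentication"]
        acct = auth.get("clientAccount") or ""
        if auth.get("status") != "NT_STATUS_NO_SUCH_USER":
            continue
        if not is_machine_account(acct):
            continue
        hits[account_name(acct)].append((auth.get("serviceDescription"),
                                         auth.get("authDescription"),
                                         auth.get("remoteAddress")))
    return dict(hits)


if __name__ == "__main__":
    for acct, events in unknown_machine_accounts(SAMPLE_LOG).items():
        print(acct, "rejected", len(events), "times:", events)
```

Point it at the RODC's log with `log level = 2` (or `auth_json_audit:2`) and a recurring hit for one workstation separates "the RODC has no copy of this object" from a client-side ticket problem.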