[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
2017-06-21 14:29 GMT+02:00 Prunk Dump <prunkdump@xxxxxxxxx>:
> Thank you very much Louis, Rowland, Mike !
>
> I have made all the changes proposed by Louis but still have the same problem.
>
> -> kinit works now with /var/lib/samba/private/secrets.keytab
> ------------------------
> ~# kinit -k -t /var/lib/samba/private/secrets.keytab FICHDC$
> ~#
> ------------------------
>
> -> but samba-tool authentication with the machine account fails:
> ------------------------
> ~# samba-tool time -P -d 8
> INFO: Current debug levels:
>   all: 8
>   tdb: 8
>   printdrivers: 8
>   lanman: 8
>   smb: 8
>   rpc_parse: 8
>   rpc_srv: 8
>   rpc_cli: 8
>   passdb: 8
>   sam: 8
>   auth: 8
>   winbind: 8
>   vfs: 8
>   idmap: 8
>   quota: 8
>   acls: 8
>   locking: 8
>   msdfs: 8
>   dmapi: 8
>   registry: 8
>   scavenger: 8
>   dns: 8
>   ldb: 8
>   tevent: 8
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
> added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
> Mapped to DCERPC endpoint \pipe\srvsvc
> added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
> added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
> resolve_lmhosts: Attempting lmhosts lookup for name
> fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
> such file or directory
> Socket options:
>     SO_KEEPALIVE = 0
>     SO_REUSEADDR = 0
>     SO_BROADCAST = 0
>     TCP_NODELAY = 1
>     TCP_KEEPCNT = 9
>     TCP_KEEPIDLE = 7200
>     TCP_KEEPINTVL = 75
>     IPTOS_LOWDELAY = 0
>     IPTOS_THROUGHPUT = 0
>     SO_REUSEPORT = 0
>     SO_SNDBUF = 2626560
>     SO_RCVBUF = 1061808
>     SO_SNDLOWAT = 1
>     SO_RCVLOWAT = 1
>     SO_SNDTIMEO = 0
>     SO_RCVTIMEO = 0
>     TCP_QUICKACK = 1
>     TCP_DEFER_ACCEPT = 0
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> Received smb_krb5 packet of length 343
> Received smb_krb5 packet of length 298
> Failed to get kerberos credentials: kinit for
> FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed
> (Preauthentication failed)
>
> Wrong username or password: kinit for
> FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed
> (Preauthentication failed)
>
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
> ERROR(runtime): uncaught exception - (-1073741715, "Connection to
> SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr'
> failed: NT_STATUS_LOGON_FAILURE")
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py",
> line 59, in run
>     self.outf.write(net.time(server_name)+"\n")
> ------------------------
>
> -> samba.log gives many errors like this:
> ------------------------
> [2017/06/21 14:20:35.371312,  0]
> ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
>   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
> ncacn_ip_tcp:172.16.0.21[1024,seal,krb5,target_hostname=04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr,target_principal=GC/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235--4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20]
> NT_STATUS_LOGON_FAILURE
> ------------------------
>
> -> my msDS-SupportedEncryptionTypes value is 31? Is this bad?
> ------------------------
> ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDC)'
> # record 1
> dn: CN=FICHDC,OU=Domain
> Controllers,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> cn: FICHDC
> instanceType: 4
> whenCreated: 20150630144451.0Z
> uSNCreated: 3583
> name: FICHDC
> objectGUID: bfaf861f-1138-4597-beaa-c83722b86fcf
> userAccountControl: 532480
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> localPolicyFlags: 0
> primaryGroupID: 516
> objectSid: S-1-5-21-2690787391-1809550003-4172065244-1000
> accountExpires: 9223372036854775807
> sAMAccountName: FICHDC$
> sAMAccountType: 805306369
> operatingSystem: Samba
> operatingSystemVersion: 4.1.17-Debian
> dNSHostName: fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=net,DC=lyc-guillaume
>  -fichet,DC=ac-grenoble,DC=fr
> isCriticalSystemObject: TRUE
> rIDSetReferences: CN=RID Set,CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-gui
>  llaume-fichet,DC=ac-grenoble,DC=fr
> serverReferenceBL: CN=FICHDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN
>  =Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> msDS-SupportedEncryptionTypes: 31
> pwdLastSet: 131423563752421340
> servicePrincipalName: nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/FICH
>  NET
> servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/FICH
>  NET
> servicePrincipalName: GC/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.ly
>  c-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.
>  lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.
>  lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: HOST/FICHDC
> servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/b339b873-f01c-4672-
>  8984-61e1e48422ea/net.lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: ldap/b339b873-f01c-4672-8984-61e1e48422ea._msdcs.net.lyc
>  -guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: ldap/FICHDC
> servicePrincipalName: RestrictedKrbHost/FICHDC
> servicePrincipalName: RestrictedKrbHost/fichdc.net.lyc-guillaume-fichet.ac-gre
>  noble.fr
> servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/Doma
>  inDnsZones.net.lyc-guillaume-fichet.ac-grenoble.fr
> servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/Fore
>  stDnsZones.net.lyc-guillaume-fichet.ac-grenoble.fr
> lastLogonTimestamp: 131424581015653910
> whenChanged: 20170620184821.0Z
> uSNChanged: 12626339
> lastLogon: 131425180561432210
> logonCount: 70
> distinguishedName: CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-guillaume-fic
>  het,DC=ac-grenoble,DC=fr
>
> # Referral
> ref: ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/CN=Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
>
> # Referral
> ref: ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/DC=DomainDnsZones,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
>
> # Referral
> ref: ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/DC=ForestDnsZones,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
>
> # returned 4 records
> # 1 entries
> # 3 referrals
> -------------------------------
>
>
> Even if I increase the debug level, I could not get more info on the
> Kerberos authentication.
>
> Thanks again !
>
> Baptiste.

I investigated further. Here is what I have found.

1) I now know why kerberized NFS stopped working on "fichdc". An SPN
disappeared from the Kerberos database! After the upgrade there is no
"nfs/fichdc" credential anymore, so I can't export it again into a
keytab. But strangely "nfs/fichds01" and "nfs/fichds02" are still working.
To find the root of the problem, I have not tried to delete/recreate
the SPN yet.

 -------------------------------
~# samba-tool spn list nfs-fichdc
nfs-fichdc
User CN=nfs-fichdc,CN=Users,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
has the following servicePrincipalName:
     nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr

~# kinit nfs-fichdc
Password for nfs-fichdc@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
kinit: Password incorrect while getting initial credentials

~# kinit nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
kinit: Client 'nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
not found in Kerberos database while getting initial credentials

~# samba-tool spn list nfs-fichds01
nfs-fichds01
User CN=nfs-fichds01,CN=Users,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
has the following servicePrincipalName:
     nfs/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr

~# kinit nfs/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
Password for nfs/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
kinit: Password incorrect while getting initial credentials

~# kinit -k -t /tmp/krb5.keytab
nfs/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
kinit: Password has expired while getting initial credentials
(I think that the password expiration is normal, and kerberized nfs
works on fichds01)
 -------------------------------

2) I don't know if this is a problem, but the
"msDS-SupportedEncryptionTypes" attribute is not always present in the LDAP
database:

 -------------------------------
(first DC)
~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDC)' | grep
msDS-SupportedEncryptionTypes
msDS-SupportedEncryptionTypes: 31

(second DC)
~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDS01)' | grep
msDS-SupportedEncryptionTypes
msDS-SupportedEncryptionTypes: 31

(third DC)
~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDS02)' | grep
msDS-SupportedEncryptionTypes

(a windows7 client)
~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=SVT06)' | grep
msDS-SupportedEncryptionTypes

(another windows7 client)
~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=C501-05)' | grep
msDS-SupportedEncryptionTypes
msDS-SupportedEncryptionTypes: 28

(all Linux clients)
~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=F511A01)' | grep
msDS-SupportedEncryptionTypes

 -------------------------------

Does someone have an idea what could have made the SPN's credential disappear?

Thanks very much. It seems my issue is related to the Kerberos database.

Baptiste.
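As an added, defender-oriented example (not from this thread and not part of Samba): a small Python script that parses the LDIF that `ldbsearch` prints, unfolds the space-prefixed continuation lines, decodes the msDS-SupportedEncryptionTypes bit mask (the 31 and 28 seen on the objects above mean "DES+RC4+AES" and "RC4+AES" respectively), flags entries where the attribute is absent, and checks whether a given SPN such as `nfs/<host>` is still present on an object. The sample LDIF records are constructed for the example and use a made-up domain (`net.example.org`); the helper names (`parse_ldif`, `decode_enctypes`, `has_spn`, `audit`) are this example's own.

```python
"""Audit Kerberos-relevant attributes in ldbsearch (LDIF) output.

Added example for this thread; it is not part of Samba. The sample records
below are constructed and use a made-up domain (net.example.org).
"""

# Bit values of msDS-SupportedEncryptionTypes as defined for Active Directory.
ENC_TYPES = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
# DES and RC4 are the types a defender wants to see disabled.
WEAK_BITS = {0x01, 0x02, 0x04}

# Constructed sample modelled on the thread's ldbsearch output (shortened).
# The long servicePrincipalName is folded the way ldbsearch folds it: the
# continuation line starts with a single space (RFC 2849).
SAMPLE_LDIF = """\
# record 1
dn: CN=FICHDC,OU=Domain Controllers,DC=net,DC=example,DC=org
objectClass: computer
cn: FICHDC
sAMAccountName: FICHDC$
msDS-SupportedEncryptionTypes: 31
servicePrincipalName: nfs/fichdc.net.example.org
servicePrincipalName: HOST/fichdc.net.example.org
servicePrincipalName: ldap/fichdc.net.example.org/Doma
 inDnsZones.net.example.org

# record 2
dn: CN=C501-05,CN=Computers,DC=net,DC=example,DC=org
objectClass: computer
cn: C501-05
msDS-SupportedEncryptionTypes: 28
servicePrincipalName: HOST/c501-05.net.example.org

# record 3
dn: CN=F511A01,CN=Computers,DC=net,DC=example,DC=org
objectClass: computer
cn: F511A01
servicePrincipalName: HOST/f511a01.net.example.org

# Referral
ref: ldap://net.example.org/CN=Configuration,DC=net,DC=example,DC=org

# returned 4 records
"""


def parse_ldif(text):
    """Return the entries (dict attr -> list of values) that carry a dn.

    Comment lines are skipped, folded lines are joined back onto the previous
    value, and referral pseudo-records (ref: ...) are dropped.
    Base64 values (attr:: ...) are kept verbatim, not decoded.
    """
    entries, current, last_attr = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]   # unfold continuation line
            continue
        if not line.strip():                      # blank line ends an entry
            if "dn" in current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if "dn" in current:
        entries.append(current)
    return entries


def decode_enctypes(value):
    """Names of the encryption types enabled by an msDS-SupportedEncryptionTypes value."""
    mask = int(value)
    return [name for bit, name in sorted(ENC_TYPES.items()) if mask & bit]


def has_spn(entry, spn):
    """Case-insensitive check for a servicePrincipalName on an entry."""
    return spn.lower() in (s.lower() for s in entry.get("servicePrincipalName", []))


def audit(entry):
    """Summarise one entry: its enctypes, the weak ones, and whether the attribute is missing.

    When the attribute is absent the KDC falls back to its own default set
    rather than to an AES-only policy, so 'missing' is worth flagging too.
    """
    raw = entry.get("msDS-SupportedEncryptionTypes")
    names = decode_enctypes(raw[0]) if raw else []
    weak_names = {ENC_TYPES[b] for b in WEAK_BITS}
    return {"dn": entry["dn"][0], "missing": raw is None,
            "enctypes": names, "weak": [n for n in names if n in weak_names]}


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for e in entries:
        print(audit(e))
    print("nfs SPN on DC:", has_spn(entries[0], "nfs/fichdc.net.example.org"))
```

To run it against a real domain, replace `SAMPLE_LDIF` with the text of `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=computer)'` and loop over the entries; objects that report DES or RC4 bits, or no attribute at all, are the ones to review before tightening the KDC's encryption-type policy.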
