Re: [Samba] DRS stopped working after upgrade from debian Jessie to Stretch

On Wed, 21 Jun 2017 19:54:43 +0200
Prunk Dump via samba <samba@xxxxxxxxxxxxxxx> wrote:

> 2017-06-21 14:29 GMT+02:00 Prunk Dump <prunkdump@xxxxxxxxx>:
> > Thank you very much Louis, Rowland, Mike !
> >
> > I have made all the changes proposed by Louis but still have the
> > same problem.
> >
> > -> kinit works now with /var/lib/samba/private/secrets.keytab
> > ------------------------
> > ~# kinit -k -t /var/lib/samba/private/secrets.keytab FICHDC$
> > ~#
> > ------------------------
> >
> > -> but samba-tool authentication with the machine account fails:
> > ------------------------
> > ~# samba-tool time -P -d 8
> > INFO: Current debug levels:
> >   all: 8
> >   tdb: 8
> >   printdrivers: 8
> >   lanman: 8
> >   smb: 8
> >   rpc_parse: 8
> >   rpc_srv: 8
> >   rpc_cli: 8
> >   passdb: 8
> >   sam: 8
> >   auth: 8
> >   winbind: 8
> >   vfs: 8
> >   idmap: 8
> >   quota: 8
> >   acls: 8
> >   locking: 8
> >   msdfs: 8
> >   dmapi: 8
> >   registry: 8
> >   scavenger: 8
> >   dns: 8
> >   ldb: 8
> >   tevent: 8
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > pm_process() returned Yes
> > ldb_wrap open of secrets.ldb
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> > added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> > added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
> > added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> > added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> > added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
> > Mapped to DCERPC endpoint \pipe\srvsvc
> > added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> > added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> > added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
> > added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> > added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> > added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
> > resolve_lmhosts: Attempting lmhosts lookup for name fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
> > startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> > Socket options:
> >     SO_KEEPALIVE = 0
> >     SO_REUSEADDR = 0
> >     SO_BROADCAST = 0
> >     TCP_NODELAY = 1
> >     TCP_KEEPCNT = 9
> >     TCP_KEEPIDLE = 7200
> >     TCP_KEEPINTVL = 75
> >     IPTOS_LOWDELAY = 0
> >     IPTOS_THROUGHPUT = 0
> >     SO_REUSEPORT = 0
> >     SO_SNDBUF = 2626560
> >     SO_RCVBUF = 1061808
> >     SO_SNDLOWAT = 1
> >     SO_RCVLOWAT = 1
> >     SO_SNDTIMEO = 0
> >     SO_RCVTIMEO = 0
> >     TCP_QUICKACK = 1
> >     TCP_DEFER_ACCEPT = 0
> > Starting GENSEC mechanism spnego
> > Starting GENSEC submechanism gssapi_krb5
> > Received smb_krb5 packet of length 343
> > Received smb_krb5 packet of length 298
> > Failed to get kerberos credentials: kinit for
> > FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed
> > (Preauthentication failed)
> >
> > Wrong username or password: kinit for
> > FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed
> > (Preauthentication failed)
> >
> > SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> > Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
> > ERROR(runtime): uncaught exception - (-1073741715, "Connection to SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' failed: NT_STATUS_LOGON_FAILURE")
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py", line 59, in run
> >     self.outf.write(net.time(server_name)+"\n")
> > ------------------------
> >
> > -> samba.log gives many errors like this:
> > ------------------------
> > [2017/06/21 14:20:35.371312,  0]
> > ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
> >   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
> > ncacn_ip_tcp:172.16.0.21[1024,seal,krb5,target_hostname=04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr,target_principal=GC/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235--4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20]
> > NT_STATUS_LOGON_FAILURE
> > ------------------------
> >
> > -> my msDS-SupportedEncryptionTypes value is 31? Is this bad?
> > ------------------------
> > ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDC)'
> > # record 1
> > dn: CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > objectClass: computer
> > cn: FICHDC
> > instanceType: 4
> > whenCreated: 20150630144451.0Z
> > uSNCreated: 3583
> > name: FICHDC
> > objectGUID: bfaf861f-1138-4597-beaa-c83722b86fcf
> > userAccountControl: 532480
> > badPwdCount: 0
> > codePage: 0
> > countryCode: 0
> > badPasswordTime: 0
> > lastLogoff: 0
> > localPolicyFlags: 0
> > primaryGroupID: 516
> > objectSid: S-1-5-21-2690787391-1809550003-4172065244-1000
> > accountExpires: 9223372036854775807
> > sAMAccountName: FICHDC$
> > sAMAccountType: 805306369
> > operatingSystem: Samba
> > operatingSystemVersion: 4.1.17-Debian
> > dNSHostName: fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> > objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> > isCriticalSystemObject: TRUE
> > rIDSetReferences: CN=RID Set,CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> > serverReferenceBL: CN=FICHDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> > msDS-SupportedEncryptionTypes: 31
> > pwdLastSet: 131423563752421340
> > servicePrincipalName: nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/FICHNET
> > servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/FICHNET
> > servicePrincipalName: GC/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: HOST/FICHDC
> > servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/b339b873-f01c-4672-8984-61e1e48422ea/net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: ldap/b339b873-f01c-4672-8984-61e1e48422ea._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: ldap/FICHDC
> > servicePrincipalName: RestrictedKrbHost/FICHDC
> > servicePrincipalName: RestrictedKrbHost/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/DomainDnsZones.net.lyc-guillaume-fichet.ac-grenoble.fr
> > servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/ForestDnsZones.net.lyc-guillaume-fichet.ac-grenoble.fr
> > lastLogonTimestamp: 131424581015653910
> > whenChanged: 20170620184821.0Z
> > uSNChanged: 12626339
> > lastLogon: 131425180561432210
> > logonCount: 70
> > distinguishedName: CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> >
> > # Referral
> > ref:
> > ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/CN=Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> >
> > # Referral
> > ref:
> > ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/DC=DomainDnsZones,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> >
> > # Referral
> > ref:
> > ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/DC=ForestDnsZones,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> >
> > # returned 4 records
> > # 1 entries
> > # 3 referrals
> > -------------------------------
> >
> >
> > Even if I increase the debug level, I could not get more info on the
> > Kerberos authentication.
> >
> > Thanks again !
> >
> > Baptiste.
> 
> I investigated more again. Here is what I have found.
> 
> 1) I know now why kerberized nfs stopped working on "fichdc". An SPN
> disappeared from the Kerberos database! After the upgrade there is
> no "nfs/fichdc" credential anymore, so I can't export it again into a
> keytab. But strangely "nfs/fichds01" and "nfs/fichds02" are still working.
> To find the root of the problem I have not tried to delete/recreate
> the SPN yet.
> 
>  -------------------------------
> ~# samba-tool spn list nfs-fichdc
> nfs-fichdc
> User
> CN=nfs-fichdc,CN=Users,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> has the following servicePrincipalName:
> nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> 
> ~# kinit nfs-fichdc
> Password for nfs-fichdc@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
> kinit: Password incorrect while getting initial credentials
> 
> ~# kinit nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
> kinit: Client
> 'nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
> not found in Kerberos database while getting initial credentials
> 
> ~# samba-tool spn list nfs-fichds01
> nfs-fichds01
> User
> CN=nfs-fichds01,CN=Users,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> has the following servicePrincipalName:
> nfs/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
> 
> ~# kinit nfs/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
> Password for
> nfs/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
> kinit: Password incorrect while getting initial credentials
> 
> ~# kinit -k -t /tmp/krb5.keytab nfs/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr
> kinit: Password has expired while getting initial credentials
> (I think that the password expiration is normal, and kerberized nfs
> works on fichds01)
>  -------------------------------
> 
> 2) I don't know if this is a problem, but the
> "msDS-SupportedEncryptionTypes" is not always present in the LDAP
> database:
> 
>  -------------------------------
> (first DC)
> ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDC)' | grep msDS-SupportedEncryptionTypes
> msDS-SupportedEncryptionTypes: 31
> 
> (second DC)
> ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDS01)' | grep msDS-SupportedEncryptionTypes
> msDS-SupportedEncryptionTypes: 31
> 
> (third DC)
> ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDS02)' | grep msDS-SupportedEncryptionTypes
> 
> (a Windows 7 client)
> ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=SVT06)' | grep msDS-SupportedEncryptionTypes
> 
> (another Windows 7 client)
> ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=C501-05)' | grep msDS-SupportedEncryptionTypes
> msDS-SupportedEncryptionTypes: 28
> 
> (all Linux clients)
> ~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=F511A01)' | grep msDS-SupportedEncryptionTypes
> 
>  -------------------------------
> 
> Does someone have an idea what could have made the SPN's credential
> disappear?
> 
> Thanks very much. It seems my issue is related to the Kerberos
> database.
> 
> Baptiste.
> 

I would check the domain levels on the three DCs.
My two DCs and Linux machines all have '31' for
'msDS-SupportedEncryptionTypes', though a couple of Windows machines in
VMs have '28'.

I think the problem must be with your DC's machine password. I think you
will need to change it with 'chgkrbtgtpass', though I have no idea how
you use it; presumably you would change this line:

sys.path.insert(0, "bin/python")

To the same as you will find in the 'samba-tool' script.

I presume you then just run the script.

Perhaps Andrew would care to comment here.

I have no idea where your nfs SPN went to, but if it has disappeared on
all your DCs, then you will have to add it again.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
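Baptiste asks whether a msDS-SupportedEncryptionTypes value of 31 is bad, and Rowland notes that his Windows VMs carry 28 instead. The attribute is a bitmask, so the difference is simply which Kerberos encryption types the account advertises. The following is an added example, not code from Samba or from either poster: it decodes the bitmask using the bit values documented in MS-KILE/MS-ADTS (1 DES-CBC-CRC, 2 DES-CBC-MD5, 4 RC4-HMAC, 8 AES128, 16 AES256), gives a one-line verdict per account, and includes a small LDIF unfolder so that values can be pulled from ldbsearch output, whose long DNs and SPNs are folded onto continuation lines beginning with a space (which is why they appear split mid-word in the quoted post). The account table and the LDIF record are constructed from the values quoted in the thread; the "absent" verdict only states that the KDC's own default then applies, since the thread does not say what that default is on this domain.

```python
"""Decode and assess msDS-SupportedEncryptionTypes values.

Added example for the thread above; not Samba code and not the posters' code.
Bit values follow MS-KILE / MS-ADTS. The sample account table and the LDIF
record below are constructed from values quoted in the thread.
"""

ENC_TYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
DES_BITS = 0x03
RC4_BIT = 0x04
AES_BITS = 0x18


def decode_enctypes(value):
    """Names of the encryption types enabled by the bitmask, lowest bit first."""
    names = [name for bit, name in sorted(ENC_TYPES.items()) if value & bit]
    leftover = value & ~sum(ENC_TYPES)  # any bits outside the documented set
    if leftover:
        names.append("unknown(0x%x)" % leftover)
    return names


def classify(value):
    """One-line verdict; None means the attribute is missing on the object."""
    if value is None:
        return "absent (KDC default applies)"
    if value & DES_BITS:
        return "DES enabled"
    if value & RC4_BIT:
        return "RC4 enabled"
    if value & AES_BITS:
        return "AES only"
    return "no known types"


def parse_ldif(text):
    """Unfold ldbsearch/LDIF output into {attribute: [values]}.

    LDIF folds long lines; a continuation line starts with one space and is
    glued back onto the previous line. Comment lines ('#') are skipped.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    attrs = {}
    for line in logical:
        key, sep, val = line.partition(": ")
        if sep:
            attrs.setdefault(key, []).append(val)
    return attrs


def enctypes_from_ldif(text):
    """Integer value of msDS-SupportedEncryptionTypes, or None if absent."""
    vals = parse_ldif(text).get("msDS-SupportedEncryptionTypes")
    return int(vals[0]) if vals else None


# Constructed sample: one folded record in the style of the quoted ldbsearch output.
SAMPLE_LDIF = (
    "# record 1\n"
    "dn: CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-guillaume-fichet,DC=ac-gre\n"
    " noble,DC=fr\n"
    "cn: FICHDC\n"
    "msDS-SupportedEncryptionTypes: 31\n"
    "servicePrincipalName: nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr\n"
)

# Constructed account table using the values quoted in the thread (None = attribute absent).
SAMPLE_ACCOUNTS = {
    "FICHDC$": 31, "FICHDS01$": 31, "FICHDS02$": None,
    "SVT06$": None, "C501-05$": 28, "F511A01$": None,
}


def summarize(accounts):
    """Map each account name to its verdict string."""
    return {name: classify(value) for name, value in accounts.items()}


if __name__ == "__main__":
    parsed = enctypes_from_ldif(SAMPLE_LDIF)
    print("Parsed from LDIF:", parsed, decode_enctypes(parsed))
    for name, verdict in summarize(SAMPLE_ACCOUNTS).items():
        print("%-10s %-5s %s" % (name, SAMPLE_ACCOUNTS[name], verdict))
```

Read this way, 31 means the DC account still advertises both DES variants alongside RC4 and AES, while 28 is the usual Windows 7 set of RC4 plus AES; neither value explains a preauthentication failure by itself, which is consistent with Rowland pointing at the machine password rather than at this attribute.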