Web lists-archives.com

Re: [Samba] DRS stopped working after upgrade from debian Jessie to Stretch




Hello samba team !

I finally found why my "nfs/fichdc" credential stoppped working. I had
two SPN with the same name on two different users :

FICHDC$ -> have SPN nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
nfs-fichdc -> have SPN nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr

This seems allowed on old version of samba but not admitted on samba
4.5. Maybe this test may be added on the "dbcheck" script.

Now almost everything works on my network (nfsv4, winbind
authentication, shares, dynamic dns...). But DRS and authentication
with the machine account on my three DC still fail ... I have still
the same problem :

--------------------
~# kinit -k -t /var/lib/samba/private/secrets.keytab FICHDC$
~# (OK)

~# samba-tool time -P -d 3
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name
fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
Wrong username or password: kinit for
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed
(Preauthentication failed)

SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
ERROR(runtime): uncaught exception - (-1073741715, "Connection to
SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr'
failed: NT_STATUS_LOGON_FAILURE")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py",
line 59, in run
    self.outf.write(net.time(server_name)+"\n")

~# tail /var/log/samba/log.samba
[2017/06/23 09:09:38.523889,  0]
../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:172.16.0.22[1024,seal,krb5,target_hostname=6592eb58-739e-4b40-94c1-b96abde63d44._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr,target_principal=GC/fichds02.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20]
NT_STATUS_LOGON_FAILURE
[2017/06/23 09:09:40.759811,  0]
../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:172.16.0.21[1024,seal,krb5,target_hostname=04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr,target_principal=GC/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20]
NT_STATUS_LOGON_FAILURE
--------------------

Something that maybe help to understand the root of my problem :

During the upgrade from Jessie to Stretch the "apt-get dist-upgrade"
failed on winbind configuration step. As I say previously, the Debian
upgrade procedure have tried to launch smbd, nmbd, winbind on my DC as
it shouldn't.

The winbind configuration step complain that "samba is not started"
witch is normal because smbd can't start with a DC configuration file.

I have disabled the smbd, nmdb, winbind services with "systemctl" and
relaunched the "dist-upgrade". And this time apt pass the winbind
configuration step.

Maybe is this that configuration step that corrupt my machine account ? no ?

Is is possible to have some more tips to fix my problem. I don't know
if demoting my DC is a good idea as I need to change their names when
remote again. And my DCs provide multiple others important services
(not always related to AD).

Is the "chgtdcpass" the best solution ? But I can't find information
about how to use it. And as my replication don't works, how I need to
use this script to change the password of the DC not owning FSMO roles
? Is this possible to join the DC again without changing their names ?

Do you think that I need to post on samba-technical ?

Thanks very much !

Baptiste.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba