Web lists-archives.com

[Samba] samba AD not working




Hello,

After classic upgrade from PDC to AD, most things look like they're
functioning but I'm having issues. Note that the upgrade did include a
system change, a new name, new IP address.

Using samba-4.6.5 compiled from git on Debian Stretch.

First issue I noticed was when trying to join the new AD from a
Windows machine I received:
=================
The RPC server is unavailable
=================

Troubleshooting on the AD itself, most tests pass (DNS lookups,
kerberos tickets) but smbclient fails:
=================
$ smbclient -L localhost -U%
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
=================

In the logs I'm seeing:
=================
# tail log.wb-MYDOMAINK
[2017/07/08 12:17:03.188677,  0]
../source3/winbindd/winbindd_cm.c:1793(wb_open_internal_pipe)
 open_internal_pipe: Could not connect to lsarpc pipe: NT_STATUS_UNSUCCESSFUL
=================

Services are running:
=================
20603 ?        Ss     0:00 /usr/local/samba/sbin/samba
20604 ?        S      0:00 /usr/local/samba/sbin/samba
20605 ?        S      0:00 /usr/local/samba/sbin/samba
20606 ?        Ss     0:00 /usr/local/samba/sbin/smbd -D
--option=server role check:inhibit=yes --foreground
20607 ?        S      0:01 /usr/local/samba/sbin/samba
20608 ?        S      0:00 /usr/local/samba/sbin/samba
20609 ?        S      0:00 /usr/local/samba/sbin/samba
20610 ?        S      0:00 /usr/local/samba/sbin/samba
20611 ?        S      0:00 /usr/local/samba/sbin/samba
20612 ?        S      0:01 /usr/local/samba/sbin/samba
20613 ?        S      0:00 /usr/local/samba/sbin/samba
20614 ?        S      0:00 /usr/local/samba/sbin/samba
20615 ?        S      0:00 /usr/local/samba/sbin/samba
20616 ?        Ss     0:00 /usr/local/samba/sbin/winbindd -D
--option=server role check:inhibit=yes --foreground
20617 ?        S      0:00 /usr/local/samba/sbin/samba
20620 ?        S      0:00 /usr/local/samba/sbin/smbd -D
--option=server role check:inhibit=yes --foreground
20621 ?        S      0:00 /usr/local/samba/sbin/smbd -D
--option=server role check:inhibit=yes --foreground
20623 ?        S      0:00 /usr/local/samba/sbin/winbindd -D
--option=server role check:inhibit=yes --foreground
20624 ?        S      0:00 /usr/local/samba/sbin/smbd -D
--option=server role check:inhibit=yes --foreground
20838 ?        Ssl    0:00 /usr/sbin/named -f -u bind
=================

And ports seem open, although should have no effect on the smbclient
failure run on the AD itself (I'm using hosts allow to prevent systems
other than the test system to see the new AD):
=================
# nmap -A ad

Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-08 11:13 EDT
Nmap scan report for ad (172.26.62.31)
Host is up (0.00014s latency).
rDNS record for 172.26.62.31: ad.office.mydomain.com
Not shown: 987 closed ports

PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 7.4p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
|   2048 18:4d:92:d2:69:66:c0:16:70:7e:ed:fe:fe:32:8a:fd (RSA)
|_  256 bc:f9:9c:05:42:1a:af:b5:f5:a4:ac:50:8c:f1:da:24 (ECDSA)
53/tcp   open  domain       ISC BIND 9.10.3-P4-Debian
| dns-nsid:
|_  bind.version: 9.10.3-P4-Debian
88/tcp   open  kerberos-sec Heimdal Kerberos (server time: 2017-07-08 15:13:47Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: MYDOMAIN)
389/tcp  open  ldap         (Anonymous bind OK)
| ssl-cert: Subject:
commonName=AD.office.mydomain.com/organizationName=Samba Administration
| Not valid before: 2017-07-04T17:24:08
|_Not valid after:  2019-06-04T17:24:08
|_ssl-date: 2017-07-08T15:11:06+00:00; -3m31s from scanner time.
445/tcp  open  netbios-ssn  Samba smbd 4.6.5 (workgroup: MYDOMAIN)
464/tcp  open  kpasswd5?
636/tcp  open  ssl/ldap     (Anonymous bind OK)
| ssl-cert: Subject:
commonName=AD.office.mydomain.com/organizationName=Samba Administration
| Not valid before: 2017-07-04T17:24:08
|_Not valid after:  2019-06-04T17:24:08
|_ssl-date: 2017-07-08T15:13:55+00:00; -42s from scanner time.
1024/tcp open  msrpc        Microsoft Windows RPC
1025/tcp open  msrpc        Microsoft Windows RPC
3268/tcp open  ldap         (Anonymous bind OK)
| ssl-cert: Subject:
commonName=AD.office.mydomain.com/organizationName=Samba Administration
| Not valid before: 2017-07-04T17:24:08
|_Not valid after:  2019-06-04T17:24:08
|_ssl-date: 2017-07-08T15:11:32+00:00; -3m05s from scanner time.
3269/tcp open  ssl/ldap     (Anonymous bind OK)
| ssl-cert: Subject:
commonName=AD.office.mydomain.com/organizationName=Samba Administration
| Not valid before: 2017-07-04T17:24:08
|_Not valid after:  2019-06-04T17:24:08
|_ssl-date: 2017-07-08T15:13:38+00:00; -59s from scanner time.
MAC Address: A0:36:9F:27:02:CD (Intel Corporate)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: AD; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel,
cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1m39s, deviation: 1m32s, median: -59s
|_nbstat: NetBIOS name: AD, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
(unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.6.5)
|   Computer name: ad
|   NetBIOS computer name: AD\x00
|   Domain name: office.mydomain.com
|   FQDN: ad.office.mydomain.com
|_  System time: 2017-07-08T11:14:37-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.14 ms ad.office.mydomain.com (172.26.62.31)
=================

Where to look to resolve?

Thanks!

Chris

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba