
Re: [Samba] User Permissions issue




Hi Denis

Thanks for your advice; I will not use these wordings here.

Please check the result below when I run the command on DC-1 when DC-2
is off or on:
smbclient -k //IUMSVRAPP01/Pastel12 -d 9
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
  tevent: 9
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
  tevent: 9
Processing section "[global]"
doing parameter workgroup = IUMNET
doing parameter realm = IUMNET.EDU.NA
doing parameter netbios name = IUMDCDP01
doing parameter server role = active directory domain controller
doing parameter dns forwarder = 172.16.10.254
doing parameter domain master = yes
doing parameter preferred master = yes
doing parameter password server = 172.16.10.5
doing parameter allow dns updates = nonsecure and secure
doing parameter ntlm auth = yes
doing parameter client use spnego = no
doing parameter client ldap sasl wrapping = sign
doing parameter ldap server require strong auth = no
doing parameter time server = Yes
doing parameter template shell = /bin/bash
doing parameter template homedir = /home/%U
doing parameter full_audit:prefix = %u|%I|%m|%S
doing parameter full_audit:failure = connect
doing parameter full_audit:success = connect disconnect
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth0 ip=172.16.10.5 bcast=172.16.10.255 netmask=255.255.255.0
added interface eth2 ip=192.29.0.5 bcast=192.29.255.255 netmask=255.255.0.0
Netbios name list:-
my_netbios_names[0]="IUMDCDP01"
Client started (version 4.6.12-SerNet-Ubuntu-14.precise).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/cache/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'IUMNET.EDU.NA': "Default-First-Site-Name"
no entry for IUMSVRAPP01#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name IUMSVRAPP01<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name IUMSVRAPP01<0x20>
namecache_store: storing 1 address for IUMSVRAPP01#20: 172.16.10.21
Connecting to 172.16.10.21 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_SNDBUF = 24040
        SO_RCVBUF = 87380
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
 session request ok
session setup failed: NT_STATUS_INVALID_PARAMETER_MIX

*Here is the smb.conf dump from DC-1:*
# Global parameters
[global]
        workgroup = IUMNET
        realm = IUMNET.EDU.NA
        netbios name = IUMDCDP01
        server role = active directory domain controller
        dns forwarder = 172.16.10.254
        domain master = yes
        preferred master = yes
#       server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
        password server = 172.16.10.5
        allow dns updates = nonsecure and secure
#       lanman auth = Yes
#       client lanman auth = Yes
        ntlm auth = yes
        client use spnego = no
        client ldap sasl wrapping = sign
#       ldap ssl ads = yes
#       ldap ssl = start tls
        ldap server require strong auth = no
#       wins server = iumnet.edu.na
#       wins support = Yes
        time server = Yes
        template shell = /bin/bash
        template homedir = /home/%U
#       idmap config * : backend = tdb
#       idmap config *:range = 50000-1000000
        full_audit:prefix = %u|%I|%m|%S
        full_audit:failure = connect
        full_audit:success = connect disconnect
#       log level = 9 dns:0

[netlogon]
        path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
        read only = No
        browsable = no

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[softshare]
        path = /home/administrator/ad
        read only = No


*When I ran the same command on DC-2 (Samba 4.7.4):*

smbclient -k //172.16.10.21/Pastel12 -d 9
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
  tevent: 9
  auth_audit: 9
  auth_json_audit: 9
  kerberos: 9
  drs_repl: 9
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
  tevent: 9
  auth_audit: 9
  auth_json_audit: 9
  kerberos: 9
  drs_repl: 9
Processing section "[global]"
doing parameter netbios name = IUMSVRPDC
doing parameter realm = IUMNET.EDU.NA
doing parameter workgroup = IUMNET
doing parameter server role = active directory domain controller
doing parameter dns forwarder = 172.16.10.254
doing parameter allow dns updates = nonsecure and secure
doing parameter ntlm auth = yes
doing parameter ldap server require strong auth = no
doing parameter time server = Yes
doing parameter template shell = /bin/bash
doing parameter template homedir = /home/%U
doing parameter full_audit:prefix = %u|%I|%m|%S
doing parameter full_audit:failure = connect
doing parameter full_audit:success = connect disconnect
doing parameter tls enabled = yes
doing parameter tls keyfile = tls/key.pem
doing parameter tls certfile = tls/cert.pem
doing parameter tls cafile = tls/ca.pem
doing parameter log level = 9 dns:0
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface ens18 ip=172.16.100.5 bcast=172.16.100.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="IUMSVRPDC"
Client started (version 4.7.4-SerNet-Ubuntu-6.trusty).
Connecting to 172.16.10.21 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 87040
        SO_RCVBUF = 372480
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
 session request ok
 negotiated dialect[SMB2_02] against server[172.16.10.21]
got OID=1.2.840.48018.1.2.2
Kerberos auth with 'administrator@xxxxxxxxxxxxx' (IUMNET\root) to access '172.16.10.21' not possible
SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
session setup failed: NT_STATUS_ACCESS_DENIED

*Here is the smb.conf dump from DC-2:*

# Global parameters
[global]
        netbios name = IUMSVRPDC
        realm = IUMNET.EDU.NA
        workgroup = IUMNET
        server role = active directory domain controller
        dns forwarder = 172.16.10.254
#       server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
        allow dns updates = nonsecure and secure
        ntlm auth = yes
        ldap server require strong auth = no
        time server = Yes
        template shell = /bin/bash
        template homedir = /home/%U
#       idmap config * : backend = tdb
#       idmap config *:range = 50000-1000000
        full_audit:prefix = %u|%I|%m|%S
        full_audit:failure = connect
        full_audit:success = connect disconnect
        tls enabled = yes
        tls keyfile  = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile   = tls/ca.pem
        log level = 9 dns:0

[netlogon]
        path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
        read only = No
        browsable = no

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

*samba-tool drs showrepl on DC-1 is replicating successfully except for
the entry below under INBOUND NEIGHBOR:*

DC=iumnet,DC=edu,DC=na
        Default-First-Site-Name\IUMSVRPDC via RPC
                DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
                Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed, result 58 (WERR_BAD_NET_RESP)
                17863 consecutive failure(s).
                Last success @ Sat Jan 13 23:16:52 2018 WAST



*samba-tool drs showrepl on DC-2 is replicating successfully except for
the entry below under INBOUND NEIGHBOR:*

CN=Configuration,DC=iumnet,DC=edu,DC=na
        Default-First-Site-Name\IUMDCDP01 via RPC
                DSA object GUID: 8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe
                Last attempt @ Tue Jan 16 14:26:56 2018 CAT failed, result 58 (WERR_BAD_NET_RESP)
                1926 consecutive failure(s).
                Last success @ Tue Jan  9 14:15:43 2018 CAT



Harsh Kukreja, Systems Administrator
International University of Namibia
Tel: 061-4336000 - E-mail: h.kukreja@ium.edu.na - Web: http://www.ium.edu.na
Private Bag 14005, Bachbrech. 21-31 Hercules Street, Dorado Park, Windhoek, NAMIBIA






On Tue, Jan 16, 2018 at 11:49 AM, Denis Cardon <dcardon@xxxxxxxxxxx> wrote:

> Hi Harsh,
>
>>
>> I have two Samba 4 DC’s as below
>> server-1 with all FSMO roles running Samba 4.6.12 on Ubuntu 12.04
>> server-2 joined to server-1 as a DC running Samba 4.7.4 Ubuntu  16.04
>>
>> The problem is when I share files from my Windows 2008 file sharing server
>> which shows it is logged on to Server-2 DC and the client PC which logs on
>> to the server-1 DC cannot access the shared folder and gives an error Logon
>> Failure: The target account name is incorrect.
>>
>
> Windows error messages are not very sysadmin friendly. Could you please
> use instead smbclient command line from a domain member linux client to do
> your debugging:
>  kinit myusername
>  smbclient -k //win2k8server/sharename -d 9
>
> And do it both with dc1 on and off.
>
>> To fix the problem I have to shutdown server-2 DC and restart my Windows
>> File server which logs on to the server-1 and then the client can access
>> the shared folder.
>>
>
> Could you check if replication is working properly?
>  samba-tool drs showrepl
>
>> Please assist to fix this issue as I have to run both the DC’s in the
>> network.
>>
>
> You should avoid wordings like "please assist for fix". It is deemed rude
> (at least in my culture) to give orders to people who don't owe you
> anything... There are many kind people on this mailing list that would be
> happy to help, but this kind of wording just makes them dismiss your message
> directly.
>
> Cheers,
>
> Denis
>
>
>> *Harsh Kukreja *Systems Administrator
>> *International University of Namibia *Tel: 061-4336000 - E-mail: h.kukreja
>> @ium.edu.na - Web:
>> *http://www.ium.edu.na <http://www.ium.edu.na/>*Private Bag
>> 14005,Bachbrech. 21-31 Hercules Street, Dorado Park, Windhoek, NAMIBIA
>>
>>
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
>
>
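An added example, not part of the original thread and not Samba project code: a parser for the inbound-neighbour entries of `samba-tool drs showrepl` that reports only the links with consecutive failures, tolerating the mail-style line wrap seen in the output above. The function name `failing_inbound` is hypothetical, and the sample input is constructed with placeholder names and GUIDs.

```python
import re

# Constructed sample in the layout `samba-tool drs showrepl` prints; names and
# GUIDs are placeholders. The second entry keeps the wrapped "result" line.
SAMPLE = """\
==== INBOUND NEIGHBORS ====

DC=example,DC=test
        Default-First-Site-Name\\DC2 via RPC
                DSA object GUID: 00000000-0000-0000-0000-000000000002
                Last attempt @ Tue Jan 16 14:24:05 2018 UTC was successful
                0 consecutive failure(s).
                Last success @ Tue Jan 16 14:24:05 2018 UTC

CN=Configuration,DC=example,DC=test
        Default-First-Site-Name\\DC2 via RPC
                DSA object GUID: 00000000-0000-0000-0000-000000000002
                Last attempt @ Tue Jan 16 14:26:56 2018 UTC failed, result
58 (WERR_BAD_NET_RESP)
                1926 consecutive failure(s).
                Last success @ Tue Jan  9 14:15:43 2018 UTC

==== OUTBOUND NEIGHBORS ====
"""

# One replication link: naming context, source DSA, last attempt, failure count.
ENTRY = re.compile(
    r"^(?P<nc>(?:DC|CN)=\S+)\s*\n"
    r"\s+(?P<site>[^\\\n]+)\\(?P<dsa>\S+) via RPC\s*\n"
    r"\s+DSA object GUID: (?P<guid>[0-9a-f-]{36})\s*\n"
    r"\s+Last attempt @ (?P<when>.+?) "
    r"(?:was successful|failed, result\s+(?P<code>\d+)\s+\((?P<werr>\w+)\))\s*\n"
    r"\s+(?P<fails>\d+) consecutive failure\(s\)\.\s*\n"
    r"\s+Last success @ (?P<ok>[^\n]+)",
    re.MULTILINE,
)

def failing_inbound(text, threshold=1):
    """Return inbound links with at least `threshold` consecutive failures."""
    start = text.find("==== INBOUND NEIGHBORS ====")
    end = text.find("==== OUTBOUND NEIGHBORS ====")
    # An excerpt without section headers is parsed as a whole.
    section = text[max(start, 0): end if end != -1 else len(text)]
    bad = [
        {"nc": m["nc"], "source": m["dsa"], "werr": m["werr"],
         "failures": int(m["fails"]), "last_success": m["ok"].strip()}
        for m in ENTRY.finditer(section)
        if int(m["fails"]) >= threshold
    ]
    return sorted(bad, key=lambda e: -e["failures"])

if __name__ == "__main__":
    for link in failing_inbound(SAMPLE):
        print(link)
```
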