Web lists-archives.com

Re: [Samba] User Permissions issue




Hi Denis & Rowland

Thanks for the suggestion to trim the smb.conf after which the DC-1 is
connecting to the Windows Server 2008 shared folder smbclient -k
//IUMSVRAPP01/Pastel12 -d 9
and DC-2 is also connecting after using the DNS name of the Windows server.

*You'd better switch your DNS to Bind-DLZ. Internal DNS is not that good
for larger site (looking at your DNS domain name, I guess it might be a
university). You can take a look there [1]
Yes you are right we are a University which is growing every year and I
want to switch from INTERNAL DNS to BIND-DLZ. I will follow the
instructions given in your wiki link but before doing I like to clear few
doubts:
1. Can I migrate from Internal to Bind-DLZ in a running samba environment.
2. Will it migrate all the current DNS records.
3. Do I have to do the same migration for other samba DC's in the network.
4. I also have samba RODC in the network so do I have to migrate it from
Internal to Bind-DLZ.
5. Do I have to install Bind-DLZ package on a different machine or it can
be installed on the same Samba machine.



> samba-tool drs showrepl on DC-1 is replicating successfully except for
> below under INBOUND NEIGHBOR: *
>
> DC=iumnet,DC=edu,DC=na
>         Default-First-Site-Name\IUMSVRPDC via RPC
>                 DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
>                 Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed,
> result 58 (WERR_BAD_NET_RESP)
>                 17863 consecutive failure(s).
>                 Last success @ Sat Jan 13 23:16:52 2018 WAST
>


This is probably your error. Replication of your main partition is not
working. Domain members are changing their machine password one a month. If
it has been changed on one of the server, but the replication didn't went
throught to the other, it is normal to get the failure you are having.

You should look at your samba log when trying replication for that
partition. There is probably a corrupted entry somewhere that is preventing
replication.

Can you please give few steps on how to check the drs replication logs and
find out the corrupted entry and how to remove it.

Also I am trying to remove one offline RODC which I joined last month for
testing by using the command which is failing
samba-tool domain demote --remove-other-dead-server='
iumong-rodc.iumnet.edu.na' -UAdministrator
ERROR: Demote failed: DemoteException: iumong-rodc.iumnet.edu.na is not an
AD DC in iumnet.edu.na
A transaction is still active in ldb context [0x22b0b20] on
tdb:///var/lib/samba/private/sam.ldb

Also I am trying to remove the offline RODC record manually which is failing
ldbedit -e nano -H tdb:///var/lib/samba/private/sam.ldb 'IUMONG-RODC'
failed to delete CN=IUMONG-RODC,OU=Domain
Controllers,DC=iumnet,DC=edu,DC=na -
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3643: Failed to remove
backlink of msDS-RevealedDSAs when deleting CN=IUMONG-RODC,OU=Domain
Controllers,DC=iumnet,DC=edu,DC=na: (null)

How can I manually remove the records for the offline DC.

Regards

Harsh



*Harsh Kukreja *Systems Administrator
*International University of Namibia *Tel: 061-4336000 - E-mail: h.kukreja
@ium.edu.na - Web:
*http://www.ium.edu.na <http://www.ium.edu.na/>*Private Bag
14005,Bachbrech. 21-31 Hercules Street, Dorado Park, Windhoek, NAMIBIA






On Tue, Jan 16, 2018 at 3:31 PM, Denis Cardon <dcardon@xxxxxxxxxxx> wrote:

> Hi Harsh,
>
>>
>> Thanks for your advise I will not use these wordings here.
>>
>
> thanks!
>
> Please check the result below when I run the command on the DC-1 when
>> DC-2 is off or on
>> smbclient -k //IUMSVRAPP01/Pastel12 -d 9
>>
> > ...
>
>> session setup failed: NT_STATUS_INVALID_PARAMETER_MIX
>>
>
> Looking at this message, I would start with doing some cleanup in your
> smb.conf. I would trim your smb.conf like below:
>
> *Here is the smb.conf dump from DC-1:*
>> # Global parameters
>>
> [global]
>          workgroup = IUMNET
>          realm = IUMNET.EDU.NA
>          netbios name = IUMDCDP01
>          server role = active directory domain controller
>          dns forwarder = 172.16.10.254
>          allow dns updates = nonsecure and secure
>          ntlm auth = yes
>          client use spnego = no
>          client ldap sasl wrapping = sign
>          ldap server require strong auth = no
>          full_audit:prefix = %u|%I|%m|%S
>          full_audit:failure = connect
>          full_audit:success = connect disconnect
>          log level = 9 dns:0
>
> [netlogon]
>          path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
>          read only = No
>          browsable = no
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
>
> You'd better switch your DNS to Bind-DLZ. Internal DNS is not that good
> for larger site (looking at your DNS domain name, I guess it might be a
> university). You can take a look there [1]
>
> And I wouldn't store anything else than AD stuff on an AD like below:
>
> [softshare]
>>        path = /home/administrator/ad
>>        read only = No
>>
>
>
>
> *When I ran the same command on DC-2 ( Samba 4.7.4) *
>>
>> smbclient -k //172.16.10.21/Pastel12 -d 9
>>
>
> When doing Kerberos authentication, you shouldn't use ip address,
> otherwise kerberos won't work. Try it again with real DNS name.
>
> > ...
>
>> got OID=1.2.840.48018.1.2.2
>> Kerberos auth with 'administrator@xxxxxxxxxxxxx
>> <mailto:administrator@xxxxxxxxxxxxx>' (IUMNET\root) to access
>> '172.16.10.21' not possible
>> SPNEGO login failed: {Access Denied} A process has requested access to
>> an object but has not been granted those access rights.
>> session setup failed: NT_STATUS_ACCESS_DENIED
>>
>>
> You can cleanup your smb.conf the same way as pointed before.
>
> *Here is the smb.conf dump from DC-2:*
>>
>> # Global parameters
>> [global]
>>         netbios name = IUMSVRPDC
>>         realm = IUMNET.EDU.NA <http://IUMNET.EDU.NA>
>>
>>         workgroup = IUMNET
>>         server role = active directory domain controller
>>         dns forwarder = 172.16.10.254
>> #       server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
>>         allow dns updates = nonsecure and secure
>>         ntlm auth = yes
>>         ldap server require strong auth = no
>>         time server = Yes
>>         template shell = /bin/bash
>>         template homedir = /home/%U
>> #       idmap config * : backend = tdb
>> #       idmap config *:range = 50000-1000000
>>         full_audit:prefix = %u|%I|%m|%S
>>         full_audit:failure = connect
>>         full_audit:success = connect disconnect
>>         tls enabled = yes
>>         tls keyfile  = tls/key.pem
>>         tls certfile = tls/cert.pem
>>         tls cafile   = tls/ca.pem
>>         log level = 9 dns:0
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
>>         read only = No
>>          browsable = no
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>
>> *samba-tool drs showrepl on DC-1 is replicating successfully except for
>> below under INBOUND NEIGHBOR: *
>>
>> DC=iumnet,DC=edu,DC=na
>>         Default-First-Site-Name\IUMSVRPDC via RPC
>>                 DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
>>                 Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed,
>> result 58 (WERR_BAD_NET_RESP)
>>                 17863 consecutive failure(s).
>>                 Last success @ Sat Jan 13 23:16:52 2018 WAST
>>
>
>
> This is probably your error. Replication of your main partition is not
> working. Domain members are changing their machine password one a month. If
> it has been changed on one of the server, but the replication didn't went
> throught to the other, it is normal to get the failure you are having.
>
> You should look at your samba log when trying replication for that
> partition. There is probably a corrupted entry somewhere that is preventing
> replication.
>
>
> *samba-tool drs showrepl on DC-2 is replicating successfully except for
>> below under INBOUND NEIGHBOR: *
>>
>> CN=Configuration,DC=iumnet,DC=edu,DC=na
>>         Default-First-Site-Name\IUMDCDP01 via RPC
>>                 DSA object GUID: 8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe
>>                 Last attempt @ Tue Jan 16 14:26:56 2018 CAT failed,
>> result 58 (WERR_BAD_NET_RESP)
>>                 1926 consecutive failure(s).
>>                 Last success @ Tue Jan  9 14:15:43 2018 CAT
>>
>
> this is not good either, and should be resolved too.
>
> Cheers,
>
> Denis
>
> [1] it is in French, but your favorite search engine should be able to
> translate it for you : https://dev.tranquil.it/wiki/S
> AMBA_-_Integration_avec_bind9
>
>
>>
>>
>> *Harsh Kukreja *Systems Administrator
>>
>> **International University of Namibia* *Tel: 061-4336000 -
>> E-mail: h.kukreja@xxxxxxxxxx
>> <mailto:h.kukreja@xxxxxxxxxx> - Web: _http://www.ium.edu.na
>> <http://www.ium.edu.na/>
>> _Private Bag 14005,Bachbrech. 21-31 Hercules Street, Dorado Park,
>> Windhoek, NAMIBIA
>>
>> ____
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Tue, Jan 16, 2018 at 11:49 AM, Denis Cardon <dcardon@xxxxxxxxxxx
>> <mailto:dcardon@xxxxxxxxxxx>> wrote:
>>
>>     Hi Harsh,
>>
>>
>>         I have two Samba 4 DC’s as below
>>         server-1 with all FSMO roles running Samba 4.6.12 on Ubuntu 12.04
>>         server-2 joined to server-1 as a DC running Samba 4.7.4 Ubuntu
>>         16.04
>>
>>         The problem is when I share files from my Windows 2008 file
>>         sharing server
>>         which shows it is logged on to Server-2 DC and the  client PC
>>         which logs on
>>         to the server-1 DC cannot access the shared folder and gives an
>>         error Logon
>>         Failure: The target account name is incorrect.
>>
>>
>>     Windows error messages are not very sysadmin friendly. Could you
>>     please use instead smbclient command line from a domain member linux
>>     client to do your debugging:
>>      kinit myusername
>>      smbclient -k //win2k8server/sharename -d 9
>>
>>     And do it with both with dc1 on and off.
>>
>>         To fix the problem I have to shutdown server-2 DC and restart my
>>         Windows
>>         File server which logs on to the server-1 and then the client
>>         can access
>>         the shared folder.
>>
>>
>>     Could you check if replication is working properly?
>>      samba-tool drs showrepl
>>
>>         Please assist to fix this issue as I have to run both the DC’s
>>         in the
>>         network.
>>
>>
>>     You should avoid wordings like "please assist for fix". It is deemed
>>     rude (at least in my culture) to give orders to people who don't owe
>>     you anything... They are many kind people on this mailing list that
>>     would be happy to help, but this kind of wording just make them
>>     dismiss your message directly.
>>
>>     Cheers,
>>
>>     Denis
>>
>>
>>         *Harsh Kukreja *Systems Administrator
>>         *International University of Namibia *Tel: 061-4336000 - E-mail:
>>         h.kukreja
>>         @ium.edu.na <http://ium.edu.na> - Web:
>>         *http://www.ium.edu.na <http://www.ium.edu.na/>*Private Bag
>>         14005,Bachbrech. 21-31 Hercules Street, Dorado Park, Windhoek,
>>         NAMIBIA
>>
>>
>>     --
>>     Denis Cardon
>>     Tranquil IT Systems
>>     Les Espaces Jules Verne, bâtiment A
>>     12 avenue Jules Verne
>>     44230 Saint Sébastien sur Loire
>>     tel : +33 (0) 2.40.97.57.55 <tel:%2B33%20%280%29%202.40.97.57.55>
>>     http://www.tranquil-it-systems.fr <http://www.tranquil-it-systems.fr>
>>
>>
>>
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
>
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba