
Re: [Samba] User Permissions issue




Hi Harsh,

Thanks for the suggestion to trim the smb.conf, after which DC-1 is
connecting to the Windows Server 2008 shared folder with
smbclient -k //IUMSVRAPP01/Pastel12 -d 9
and DC-2 is also connecting after using the DNS name of the Windows server.

    You'd better switch your DNS to Bind-DLZ. Internal DNS is not that good
    for larger site (looking at your DNS domain name, I guess it might be a
    university). You can take a look there [1]

Yes, you are right, we are a university which is growing every year and I
want to switch from INTERNAL DNS to BIND-DLZ. I will follow the
instructions given in your wiki link, but before doing so I would like to
clear a few doubts:
1. Can I migrate from Internal to Bind-DLZ in a running Samba environment?
2. Will it migrate all the current DNS records?
3. Do I have to do the same migration for the other Samba DCs in the network?
4. I also have a Samba RODC in the network, so do I have to migrate it from
Internal to Bind-DLZ?
5. Do I have to install the Bind-DLZ package on a different machine, or can
it be installed on the same Samba machine?



    samba-tool drs showrepl on DC-1 is replicating successfully except for
    below under INBOUND NEIGHBOR:

    DC=iumnet,DC=edu,DC=na
            Default-First-Site-Name\IUMSVRPDC via RPC
                    DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
                    Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed,
    result 58 (WERR_BAD_NET_RESP)
                    17863 consecutive failure(s).
                    Last success @ Sat Jan 13 23:16:52 2018 WAST



This is probably your error. Replication of your main partition is not
working. Domain members change their machine password once a month.
If it has been changed on one of the servers, but the replication didn't
go through to the other, it is normal to get the failure you are having.

You should look at your samba log when trying replication for that
partition. There is probably a corrupted entry somewhere that is
preventing replication.

Can you please give a few steps on how to check the drs replication logs,
find the corrupted entry and remove it?

Also I am trying to remove one offline RODC, which I joined last month
for testing, using the command below, which is failing:
samba-tool domain demote --remove-other-dead-server='iumong-rodc.iumnet.edu.na' -UAdministrator
ERROR: Demote failed: DemoteException: iumong-rodc.iumnet.edu.na is not an AD DC in iumnet.edu.na
A transaction is still active in ldb context [0x22b0b20] on
tdb:///var/lib/samba/private/sam.ldb

Like Rowland said previously, you should remove all RODCs that were installed prior to Samba 4.7. Many fixes have been added since 4.6.

I just demoted a DC on my test network to print out the list of entries for you. You'll find the list of entries to remove below; there may be missing entries because it is a RODC, I'll let you handle that :-)

Moreover, you may upgrade all your DCs to 4.7.4; it better handles the removal of dead repsFrom/repsTo after a DC is removed, which are harder to delete by hand.

Cheers,

Denis


Removing nTDSConnection: CN=bcc8c224-6a9f-4103-8888-e558b91dcdb1,CN=NTDS Settings,CN=SRVADS,CN=Servers,CN=saint-seb,CN=Sites,CN=Configuration,DC=test,DC=tranquil,DC=it
Removing nTDSDSA: CN=NTDS Settings,CN=WIN-6814UGPEM27,CN=Servers,CN=saint-seb,CN=Sites,CN=Configuration,DC=test,DC=tranquil,DC=it (and any children)
Removing RID Set: CN=RID Set,CN=WIN-6814UGPEM27,OU=Domain Controllers,DC=test,DC=tranquil,DC=it
Removing computer account: CN=WIN-6814UGPEM27,OU=Domain Controllers,DC=test,DC=tranquil,DC=it (and any child objects)
updating test.tranquil.it keeping 6 values, removing 1 values
updating ForestDnsZones.test.tranquil.it keeping 2 values, removing 1 values
updating DomainDnsZones.test.tranquil.it keeping 2 values, removing 1 values
updating DC=67,DC=149.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 0 values, removing 1 values
updating DC=@,DC=149.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=@,DC=151.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=@,DC=0.149.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_ldap._tcp.saint-seb._sites.DomainDnsZones,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_ldap._tcp.saint-seb._sites.ForestDnsZones,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_kerberos._tcp.saint-seb._sites,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_ldap._tcp.saint-seb._sites,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_gc._tcp.saint-seb._sites,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_ldap._tcp.DomainDnsZones,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_ldap._tcp.ForestDnsZones,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_kerberos._tcp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_kerberos._udp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_kpasswd._tcp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_kpasswd._udp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_ldap._tcp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_gc._tcp,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=@,DC=test.tranquil.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=tranquil,DC=it keeping 5 values, removing 1 values
updating DC=_ldap._tcp.7158087d-44be-436a-897b-ea76ba39cf5f.domains,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=d976907c-3f56-4ab7-9ee1-3cbb3a9acc29,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 0 values, removing 1 values
updating DC=_kerberos._tcp.saint-seb._sites.dc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_ldap._tcp.saint-seb._sites.dc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_ldap._tcp.saint-seb._sites.gc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 1 values, removing 1 values
updating DC=_kerberos._tcp.dc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_ldap._tcp.dc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=_ldap._tcp.gc,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 2 values, removing 1 values
updating DC=@,DC=_msdcs.test.tranquil.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=tranquil,DC=it keeping 3 values, removing 1 values
Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=Enterprise,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=test,DC=tranquil,DC=it
Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=test.tranquil.it,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=test,DC=tranquil,DC=it
Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System,DC=test,DC=tranquil,DC=it
Removing Sysvol reference: CN=WIN-6814UGPEM27,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=test,DC=tranquil,DC=it




Also I am trying to remove the offline RODC record manually, which is failing:
ldbedit -e nano -H tdb:///var/lib/samba/private/sam.ldb 'IUMONG-RODC'
failed to delete CN=IUMONG-RODC,OU=Domain Controllers,DC=iumnet,DC=edu,DC=na -
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3643: Failed to
remove backlink of msDS-RevealedDSAs when deleting
CN=IUMONG-RODC,OU=Domain Controllers,DC=iumnet,DC=edu,DC=na: (null)

How can I manually remove the records for the offline DC?

Regards

Harsh



Harsh Kukreja, Systems Administrator
International University of Namibia, Tel: 061-4336000,
E-mail: h.kukreja@xxxxxxxxxx, Web: http://www.ium.edu.na
Private Bag 14005, Bachbrech. 21-31 Hercules Street, Dorado Park,
Windhoek, NAMIBIA

On Tue, Jan 16, 2018 at 3:31 PM, Denis Cardon <dcardon@xxxxxxxxxxx> wrote:

    Hi Harsh,


        Thanks for your advice, I will not use these wordings here.


    thanks!

        Please check the result below when I run the command on DC-1
        when DC-2 is off or on:
        smbclient -k //IUMSVRAPP01/Pastel12 -d 9

    > ...

        session setup failed: NT_STATUS_INVALID_PARAMETER_MIX


    Looking at this message, I would start with doing some cleanup in
    your smb.conf. I would trim your smb.conf like below:

        Here is the smb.conf dump from DC-1:
        # Global parameters

    [global]
             workgroup = IUMNET
             realm = IUMNET.EDU.NA
             netbios name = IUMDCDP01
             server role = active directory domain controller
             dns forwarder = 172.16.10.254
             allow dns updates = nonsecure and secure
             ntlm auth = yes
             client use spnego = no
             client ldap sasl wrapping = sign
             ldap server require strong auth = no
             full_audit:prefix = %u|%I|%m|%S
             full_audit:failure = connect
             full_audit:success = connect disconnect
             log level = 9 dns:0

    [netlogon]
             path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
             read only = No
             browsable = no

    [sysvol]
             path = /var/lib/samba/sysvol
             read only = No

    You'd better switch your DNS to Bind-DLZ. Internal DNS is not that
    good for larger site (looking at your DNS domain name, I guess it
    might be a university). You can take a look there [1]

    And I wouldn't store anything other than AD stuff on an AD like below:

        [softshare]
               path = /home/administrator/ad
               read only = No




        When I ran the same command on DC-2 (Samba 4.7.4):

        smbclient -k //172.16.10.21/Pastel12 -d 9


    When doing Kerberos authentication, you shouldn't use an IP address,
    otherwise Kerberos won't work. Try it again with the real DNS name.

    > ...

        got OID=1.2.840.48018.1.2.2
        Kerberos auth with 'administrator@xxxxxxxxxxxxx' (IUMNET\root) to access
        '172.16.10.21' not possible
        SPNEGO login failed: {Access Denied} A process has requested access to
        an object but has not been granted those access rights.
        session setup failed: NT_STATUS_ACCESS_DENIED


    You can clean up your smb.conf the same way as pointed out before.

        Here is the smb.conf dump from DC-2:

        # Global parameters
        [global]
                netbios name = IUMSVRPDC
                realm = IUMNET.EDU.NA

                workgroup = IUMNET
                server role = active directory domain controller
                dns forwarder = 172.16.10.254
        #       server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
                allow dns updates = nonsecure and secure
                ntlm auth = yes
                ldap server require strong auth = no
                time server = Yes
                template shell = /bin/bash
                template homedir = /home/%U
        #       idmap config * : backend = tdb
        #       idmap config *:range = 50000-1000000
                full_audit:prefix = %u|%I|%m|%S
                full_audit:failure = connect
                full_audit:success = connect disconnect
                tls enabled = yes
                tls keyfile  = tls/key.pem
                tls certfile = tls/cert.pem
                tls cafile   = tls/ca.pem
                log level = 9 dns:0

        [netlogon]
                path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
                read only = No
                 browsable = no

        [sysvol]
                path = /var/lib/samba/sysvol
                read only = No

        samba-tool drs showrepl on DC-1 is replicating successfully
        except for below under INBOUND NEIGHBOR:

        DC=iumnet,DC=edu,DC=na
                Default-First-Site-Name\IUMSVRPDC via RPC
                        DSA object GUID:
        27182378-a9c7-451e-bb95-7b2172a5f311
                        Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed,
        result 58 (WERR_BAD_NET_RESP)
                        17863 consecutive failure(s).
                        Last success @ Sat Jan 13 23:16:52 2018 WAST



    This is probably your error. Replication of your main partition is
    not working. Domain members change their machine password once
    a month. If it has been changed on one of the servers, but the
    replication didn't go through to the other, it is normal to get
    the failure you are having.

    You should look at your samba log when trying replication for that
    partition. There is probably a corrupted entry somewhere that is
    preventing replication.


        samba-tool drs showrepl on DC-2 is replicating successfully
        except for below under INBOUND NEIGHBOR:

        CN=Configuration,DC=iumnet,DC=edu,DC=na
                Default-First-Site-Name\IUMDCDP01 via RPC
                        DSA object GUID:
        8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe
                        Last attempt @ Tue Jan 16 14:26:56 2018 CAT failed,
        result 58 (WERR_BAD_NET_RESP)
                        1926 consecutive failure(s).
                        Last success @ Tue Jan  9 14:15:43 2018 CAT


    This is not good either, and should be resolved too.

    Cheers,

    Denis

    [1] it is in French, but your favorite search engine should be able
    to translate it for you:
    https://dev.tranquil.it/wiki/SAMBA_-_Integration_avec_bind9














        On Tue, Jan 16, 2018 at 11:49 AM, Denis Cardon <dcardon@xxxxxxxxxxx> wrote:

            Hi Harsh,


                I have two Samba 4 DCs as below:
                server-1 with all FSMO roles running Samba 4.6.12 on Ubuntu 12.04
                server-2 joined to server-1 as a DC running Samba 4.7.4 on Ubuntu 16.04

                The problem is, when I share files from my Windows 2008 file
                sharing server, which shows it is logged on to the server-2 DC,
                the client PC which logs on to the server-1 DC cannot access the
                shared folder and gives the error "Logon Failure: The target
                account name is incorrect."


            Windows error messages are not very sysadmin friendly. Could you
            please use instead the smbclient command line from a domain member
            Linux client to do your debugging:
             kinit myusername
             smbclient -k //win2k8server/sharename -d 9

            And do it both with dc1 on and off.

                To fix the problem I have to shut down the server-2 DC and
                restart my Windows file server, which then logs on to server-1,
                and then the client can access the shared folder.


            Could you check if replication is working properly?
             samba-tool drs showrepl

                Please assist to fix this issue as I have to run both DCs in the
                network.


            You should avoid wordings like "please assist to fix". It is deemed
            rude (at least in my culture) to give orders to people who don't owe
            you anything... There are many kind people on this mailing list that
            would be happy to help, but this kind of wording just makes them
            dismiss your message directly.

            Cheers,

            Denis










--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
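As an added example (not code from this thread, nor Samba's own), a small Python script that parses `samba-tool drs showrepl` output and lists the inbound neighbours whose replication is failing, which is the check Denis asks for above. The sample output is constructed to match the format quoted in the thread, and each field is assumed to sit on its own line as the tool prints it (the thread's copy is line-wrapped).

```python
"""Flag stuck inbound replication partners in `samba-tool drs showrepl` output.
Added example, not code from the thread or from Samba; it assumes each field is
printed on its own line, as the tool does (the thread's copy is line-wrapped)."""
import re

# Constructed sample modelled on the DC-1 output quoted in the thread: one
# healthy partition, and the domain partition stuck on WERR_BAD_NET_RESP.
SAMPLE_SHOWREPL = """\
==== INBOUND NEIGHBORS ====

CN=Configuration,DC=iumnet,DC=edu,DC=na
\tDefault-First-Site-Name\\IUMSVRPDC via RPC
\t\tDSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
\t\tLast attempt @ Tue Jan 16 14:24:05 2018 WAST was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Tue Jan 16 14:24:05 2018 WAST

DC=iumnet,DC=edu,DC=na
\tDefault-First-Site-Name\\IUMSVRPDC via RPC
\t\tDSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
\t\tLast attempt @ Tue Jan 16 14:24:05 2018 WAST failed, result 58 (WERR_BAD_NET_RESP)
\t\t17863 consecutive failure(s).
\t\tLast success @ Sat Jan 13 23:16:52 2018 WAST

==== OUTBOUND NEIGHBORS ====
"""

NEIGHBOUR_RE = re.compile(r"(\S+) via (\S+)$")
FAILURES_RE = re.compile(r"(\d+) consecutive failure\(s\)")
RESULT_RE = re.compile(r"failed, result (\d+) \((\w+)\)")


def parse_inbound(text):
    """One dict per inbound neighbour: partition, source DSA, transport,
    consecutive failure count and the (code, name) of the last error, if any."""
    section = text.split("==== INBOUND NEIGHBORS ====", 1)[-1]
    section = section.split("==== OUTBOUND NEIGHBORS ====", 1)[0]
    entries, partition, current = [], None, None
    for raw in section.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # partition DNs are the only unindented lines
            partition = line
        elif (m := NEIGHBOUR_RE.match(line)):
            current = {"partition": partition, "source": m.group(1),
                       "transport": m.group(2), "failures": 0, "result": None}
            entries.append(current)
        elif current and (m := FAILURES_RE.match(line)):
            current["failures"] = int(m.group(1))
        elif current and (m := RESULT_RE.search(line)):
            current["result"] = (int(m.group(1)), m.group(2))
    return entries


def failing_neighbours(text):
    """Neighbours whose last attempts failed: those partitions are not replicating."""
    return [e for e in parse_inbound(text) if e["failures"] > 0]
```

Run it against the real output with `samba-tool drs showrepl | python3 -c 'import sys, showrepl_check; print(showrepl_check.failing_neighbours(sys.stdin.read()))'` (module name assumed); a non-empty result means a partition is stuck and the samba log for that replication attempt is the next place to look.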

