Web lists-archives.com

[Samba] Samba 4 AD DC on Fedora, problem with GPOs and denied security for machines




Hi,
i need help with strange problem.

I installed Fedora 28 to test Samba 4 AD DC with MIT Kerberos with Windows 10 and Windows 7 clients and i can't run GPOs for machines.
GPOs for users works.

On Fedora 27 is the same problem.

After couple of hours changing settings I make a new installation of Debian 9.4 and everything works "out of the box".

I set all like here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
and
https://wiki.samba.org/index.php/Time_Synchronisation

==========
> gpresult /r

RSOP data for MYDOMAIN\Administrator on WIN10ENG : Logging Mode
----------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  10.0.17134
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=WIN10ENG,CN=Computers,DC=mydomain,DC=com
    Last time Group Policy was applied: 7/3/2018 at 2:15:44 AM
    Group Policy was applied from:      dc1.mydomain.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        MYDOMAIN
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Default Domain Policy
            Filtering:  Denied (Security)

    The computer is a part of the following security groups
    -------------------------------------------------------
        NULL SID
        NT AUTHORITY\NETWORK
        This Organization
        Untrusted Mandatory Level


USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=mydomain,DC=com
    Last time Group Policy was applied: 7/3/2018 at 2:16:28 AM
    Group Policy was applied from:      dc1.mydomain.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        MYDOMAIN
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Default Domain Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        BUILTIN\Administrators
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Domain Admins
        Denied RODC Password Replication Group
        Schema Admins
        Enterprise Admins
        Group Policy Creator Owners
        High Mandatory Level

==========

Maybe problem with GPOs is here:
"The computer is a part of the following security groups: NULL SID"
and
"Default Domain Policy: Filtering:  Denied (Security)"

Some tests from wiki tutorial:

==========
# smbclient -L localhost -U%

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.8.2)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

# smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter MYDOMAIN\Administrator's password:
  .                                   D        0  Mon Jul  2 13:46:15 2018
  ..                                  D        0  Mon Jul  2 13:46:19 2018

                14034944 blocks of size 1024. 12061576 blocks available

# host -t SRV _ldap._tcp.mydomain.com.
_ldap._tcp.mydomain.com has SRV record 0 100 389 dc1.mydomain.com.

# host -t SRV _kerberos._udp.mydomain.com.
_kerberos._udp.mydomain.com has SRV record 0 100 88 dc1.mydomain.com.

# host -t A dc1.mydomain.com.
dc1.mydomain.com has address 192.168.206.10

# kinit administrator
Password for administrator@xxxxxxxxxxxx:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@xxxxxxxxxxxx

Valid starting       Expires              Service principal
07/02/2018 14:00:45  07/03/2018 00:00:45  krbtgt/MYDOMAIN.COM@xxxxxxxxxxxx
        renew until 07/03/2018 14:00:41

==========

and configs:

==========

# cat /etc/krb5.conf | grep -v -e '#' -e '^$'
[libdefaults]
    default_realm = MYDOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    spake_preauth_groups = edwards25519

# cat /etc/samba/smb.conf | grep -v -e '#' -e '^$'
[global]
        dns forwarder = 10.10.10.211
        netbios name = DC1
        realm = MYDOMAIN.COM
        server role = active directory domain controller
        workgroup = MYDOMAIN
        idmap_ldb:use rfc2307 = yes
[netlogon]
        path = /var/lib/samba/sysvol/mydomain.com/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

==========

and other tests:

==========

Hi,
i need help with strange problem.

I installed Fedora 28 to test Samba 4 AD DC with MIT Kerberos with Windows 10 and Windows 7 clients and i can't run GPOs for machines.
GPOs for users works.

On Fedora 27 is the same problem.

After couple of hours changing settings I make a new installation of Debian 9.4 and everything works "out of the box".

I set all like here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
and
https://wiki.samba.org/index.php/Time_Synchronisation

==========
> gpresult /r

RSOP data for MYDOMAIN\Administrator on WIN10ENG : Logging Mode
----------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  10.0.17134
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=WIN10ENG,CN=Computers,DC=mydomain,DC=com
    Last time Group Policy was applied: 7/3/2018 at 2:15:44 AM
    Group Policy was applied from:      dc1.mydomain.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        MYDOMAIN
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Default Domain Policy
            Filtering:  Denied (Security)

    The computer is a part of the following security groups
    -------------------------------------------------------
        NULL SID
        NT AUTHORITY\NETWORK
        This Organization
        Untrusted Mandatory Level


USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=mydomain,DC=com
    Last time Group Policy was applied: 7/3/2018 at 2:16:28 AM
    Group Policy was applied from:      dc1.mydomain.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        MYDOMAIN
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Default Domain Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        BUILTIN\Administrators
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Domain Admins
        Denied RODC Password Replication Group
        Schema Admins
        Enterprise Admins
        Group Policy Creator Owners
        High Mandatory Level

==========

Maybe problem with GPOs is here:
The computer is a part of the following security groups: NULL SID
and
Default Domain Policy: Filtering:  Denied (Security)

Some tests from wiki tutorial:

==========
# smbclient -L localhost -U%

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.8.2)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

# smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter MYDOMAIN\Administrator's password:
  .                                   D        0  Mon Jul  2 13:46:15 2018
  ..                                  D        0  Mon Jul  2 13:46:19 2018

                14034944 blocks of size 1024. 12061576 blocks available

# host -t SRV _ldap._tcp.mydomain.com.
_ldap._tcp.mydomain.com has SRV record 0 100 389 dc1.mydomain.com.

# host -t SRV _kerberos._udp.mydomain.com.
_kerberos._udp.mydomain.com has SRV record 0 100 88 dc1.mydomain.com.

# host -t A dc1.mydomain.com.
dc1.mydomain.com has address 192.168.206.10

# kinit administrator
Password for administrator@xxxxxxxxxxxx:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@xxxxxxxxxxxx

Valid starting       Expires              Service principal
07/02/2018 14:00:45  07/03/2018 00:00:45  krbtgt/MYDOMAIN.COM@xxxxxxxxxxxx
        renew until 07/03/2018 14:00:41

==========

and configs:

==========

# cat /etc/krb5.conf | grep -v -e '#' -e '^$'
[libdefaults]
    default_realm = MYDOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    spake_preauth_groups = edwards25519

# cat /etc/samba/smb.conf | grep -v -e '#' -e '^$'
[global]
        dns forwarder = 10.10.10.211
        netbios name = DC1
        realm = MYDOMAIN.COM
        server role = active directory domain controller
        workgroup = MYDOMAIN
        idmap_ldb:use rfc2307 = yes
[netlogon]
        path = /var/lib/samba/sysvol/mydomain.com/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

# cat /var/lib/samba/private/kdc.conf | grep -v -e '#' -e '^$'
[kdcdefaults]
        kdc_ports = 88
        kdc_tcp_ports = 88
        kadmind_port = 464
[realms]
        MYDOMAIN.COM = {
        }
        mydomain.com = {
        }
        MYDOMAIN = {
        }
[dbmodules]
        db_module_dir = /usr/lib64/krb5/plugins/kdb
        MYDOMAIN.COM = {
                db_library = samba
        }
        mydomain.com = {
                db_library = samba
        }
        MYDOMAIN = {
                db_library = samba
        }
[logging]
        kdc = FILE:/var/log/samba/mit_kdc.log
        admin_server = FILE:/var/log/samba/mit_kadmin.log

==========

and other info:

==========

# samba-tool group listmembers 'Domain Computers'
WIN10$
WIN10ENG$

# samba-tool group listmembers 'Domain Users'
krbtgt
Administrator

# samba-tool gpo listall
GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path : \\mydomain.com\sysvol\mydomain.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9} dn : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
version      : 0
flags        : NONE

GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path : \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9} dn : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
version      : 0
flags        : NONE

# pdbedit -Lv -d 3 WIN10$
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
ldb_wrap open of idmap.ldb
Unix username:        WIN10$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-1300050927-3033631407-1805921976-1103
Primary Group SID:    S-1-5-21-1300050927-3033631407-1805921976-515
Full Name:
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:
Account desc:
Workstations:
Munged dial:
Logon time:           Tue, 03 Jul 2018 10:12:17 CEST
Logoff time:          0
Kickoff time:         Thu, 14 Sep 30828 03:48:05 CET
Password last set:    Mon, 02 Jul 2018 15:35:38 CEST
Password can change:  Mon, 02 Jul 2018 15:35:38 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

# pdbedit -Lv -d 3 Administrator
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
ldb_wrap open of idmap.ldb
Unix username:        Administrator
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1300050927-3033631407-1805921976-500
Primary Group SID:    S-1-5-21-1300050927-3033631407-1805921976-513
Full Name:
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:
Account desc:         Built-in account for administering the computer/domain
Workstations:
Munged dial:
Logon time:           Tue, 03 Jul 2018 12:24:10 CEST
Logoff time:          0
Kickoff time:         Thu, 14 Sep 30828 03:48:05 CET
Password last set:    Mon, 02 Jul 2018 13:46:19 CEST
Password can change:  Mon, 02 Jul 2018 13:46:19 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

==========

some logs:

==========

# cat /var/log/samba/log.samba

[2018/07/03 09:53:34.446521, 0] ../source4/smbd/server.c:466(binary_smbd_main)
  samba version 4.8.2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2018
[2018/07/03 09:53:35.314221, 0] ../source4/smbd/server.c:638(binary_smbd_main)
  binary_smbd_main: samba: using 'standard' process model
[2018/07/03 09:53:37.069464, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/krb5kdc: krb5kdc: starting...

# cat /var/log/samba/log.samba (log level = 3)

[2018/07/03 13:08:54.701296, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.158460, 3] ../libcli/auth/schannel_state_tdb.c:362(schannel_store_challenge_tdb) schannel_store_challenge_tdb: stored challenge info for 'WIN10ENG' with key CHALLENGE/3939 [2018/07/03 13:08:56.162929, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT' [2018/07/03 13:08:56.167539, 3] ../libcli/auth/schannel_state_tdb.c:121(schannel_store_session_key_tdb) schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/WIN10ENG [2018/07/03 13:08:56.169422, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [NETLOGON,ServerAuthenticate] user [MYDOMAIN]\[WIN10ENG$] at [Tue, 03 Jul 2018 13:08:56.169397 CEST] with [HMAC-SHA256] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.206.102:49677] became [MYDOMAIN]\[WIN10ENG$] [S-1-5-21-1300050927-3033631407-1805921976-1104]. local host [ipv4:192.168.206.10:49153] NETLOGON computer [WIN10ENG] trust account [WIN10ENG$]
[2018/07/03 13:08:56.169728,  3] ../auth/auth_log.c:591(log_no_json)
  log_no_json: JSON auth logs not available unless compiled with jansson
[2018/07/03 13:08:56.197063, 2] ../source4/rpc_server/dcerpc_server.c:76(dcesrv_assoc_group_reference) ../source4/rpc_server/dcerpc_server.c:76: Failed to find assoc_group 0x0000a4a5 [2018/07/03 13:08:56.198680, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.200050, 3] ../libcli/auth/schannel_state_tdb.c:190(schannel_fetch_session_key_tdb) schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/WIN10ENG [2018/07/03 13:08:56.200824, 3] ../libcli/auth/schannel_state_tdb.c:190(schannel_fetch_session_key_tdb) schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/WIN10ENG [2018/07/03 13:08:56.201092, 3] ../libcli/auth/schannel_state_tdb.c:121(schannel_store_session_key_tdb) schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/WIN10ENG [2018/07/03 13:08:56.209198, 3] ../libcli/auth/schannel_state_tdb.c:190(schannel_fetch_session_key_tdb) schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/WIN10ENG [2018/07/03 13:08:56.209473, 3] ../libcli/auth/schannel_state_tdb.c:121(schannel_store_session_key_tdb) schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/WIN10ENG [2018/07/03 13:08:56.329474, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.360224, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.389213, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT' [2018/07/03 13:08:56.409493, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.570344, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT' [2018/07/03 13:08:56.580480, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.588002, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.596842, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.607760, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' [2018/07/03 13:08:56.611825, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:56.613104, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' [2018/07/03 13:08:56.625498, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' [2018/07/03 13:08:56.637539, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' [2018/07/03 13:08:56.764344, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:57.117411, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:58.562198, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:08:58.894450, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT' [2018/07/03 13:08:59.592761, 2] ../source4/dns_server/dns_update.c:773(dns_server_process_update)
  Got a dns update request.
[2018/07/03 13:08:59.593268, 2] ../source4/dns_server/dns_update.c:730(dns_update_allowed)
  Update not allowed for unsigned packet.
[2018/07/03 13:08:59.612698, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' [2018/07/03 13:08:59.613178, 2] ../source4/dns_server/dns_update.c:773(dns_server_process_update)
  Got a dns update request.
[2018/07/03 13:08:59.614267, 2] ../source4/dns_server/dns_update.c:389(handle_one_update)
  Looking at record:
[2018/07/03 13:08:59.614576, 2] ../source4/dns_server/dns_update.c:390(handle_one_update)
[2018/07/03 13:08:59.614692,  1] ../librpc/ndr/ndr.c:422(ndr_print_debug)
       discard_const(update): struct dns_res_rec
          name                     : 'win10eng.mydomain.com'
          rr_type                  : DNS_QTYPE_AAAA (0x1C)
          rr_class                 : DNS_QCLASS_ANY (0xFF)
          ttl                      : 0x00000000 (0)
          length                   : 0x0000 (0)
          rdata                    : union dns_rdata(case 0x1C)
          ipv6_record              : (null)
          unexpected               : DATA_BLOB length=0
[2018/07/03 13:08:59.616716, 2] ../source4/dns_server/dns_update.c:389(handle_one_update)
  Looking at record:
[2018/07/03 13:08:59.616959, 2] ../source4/dns_server/dns_update.c:390(handle_one_update)
[2018/07/03 13:08:59.617107,  1] ../librpc/ndr/ndr.c:422(ndr_print_debug)
       discard_const(update): struct dns_res_rec
          name                     : 'win10eng.mydomain.com'
          rr_type                  : DNS_QTYPE_A (0x1)
          rr_class                 : DNS_QCLASS_ANY (0xFF)
          ttl                      : 0x00000000 (0)
          length                   : 0x0000 (0)
          rdata                    : union dns_rdata(case 0x1)
          ipv4_record              : (null)
          unexpected               : DATA_BLOB length=0
[2018/07/03 13:08:59.619166, 2] ../source4/dns_server/dns_update.c:389(handle_one_update)
  Looking at record:
[2018/07/03 13:08:59.619421, 2] ../source4/dns_server/dns_update.c:390(handle_one_update)
[2018/07/03 13:08:59.619543,  1] ../librpc/ndr/ndr.c:422(ndr_print_debug)
       discard_const(update): struct dns_res_rec
          name                     : 'win10eng.mydomain.com'
          rr_type                  : DNS_QTYPE_A (0x1)
          rr_class                 : DNS_QCLASS_IN (0x1)
          ttl                      : 0x000004b0 (1200)
          length                   : 0x0004 (4)
          rdata                    : union dns_rdata(case 0x1)
          ipv4_record              : 192.168.206.102
          unexpected               : DATA_BLOB length=0
[2018/07/03 13:09:00.439410, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT' [2018/07/03 13:09:02.048705, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'ntp_signd_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' [2018/07/03 13:09:04.826540, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'ntp_signd_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' [2018/07/03 13:09:07.183331, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:09:07.184064, 3] ../libcli/auth/schannel_state_tdb.c:190(schannel_fetch_session_key_tdb) schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/WIN10ENG [2018/07/03 13:09:08.717034, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:09:09.218428, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:09:09.449597, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT' [2018/07/03 13:09:09.450626, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT' [2018/07/03 13:09:19.901443, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) [2018/07/03 13:09:19.901761, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) [2018/07/03 13:09:19.901336, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED' stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED' [2018/07/03 13:09:19.902664, 3] ../source4/smbd/process_single.c:125(single_terminate) stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED' single_terminate: single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED] [2018/07/03 13:09:19.903527, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED' [2018/07/03 13:09:19.904807, 3] ../source4/smbd/process_single.c:125(single_terminate) single_terminate: single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED] [2018/07/03 13:09:19.905532, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED' [2018/07/03 13:09:19.905990, 3] ../source4/smbd/process_single.c:125(single_terminate) single_terminate: single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED] [2018/07/03 13:09:50.729042, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:09:50.737605, 3] ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89(dcesrv_drsuapi_DsBind) ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:89: doing DsBind with system_session [2018/07/03 13:09:51.118966, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:09:51.156994, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2018/07/03 13:09:51.848260, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT' [2018/07/03 13:09:51.918885, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT' [2018/07/03 13:10:19.900339, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED' [2018/07/03 13:10:19.900598, 3] ../source4/smbd/process_single.c:125(single_terminate) single_terminate: single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED] [2018/07/03 13:10:19.900640, 3] ../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED' [2018/07/03 13:10:19.901027, 3] ../source4/smbd/process_single.c:125(single_terminate) single_terminate: single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED] [2018/07/03 13:10:37.530420, 2] ../source4/dsdb/kcc/kcc_periodic.c:710(kccsrv_samba_kcc)
  Calling samba_kcc script
[2018/07/03 13:10:37.712443, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
[2018/07/03 13:10:37.948734, 3] ../lib/util/util_runcmd.c:291(samba_runcmd_io_handler)
  samba_runcmd_io_handler: Child /usr/sbin/samba_kcc exited 0
[2018/07/03 13:10:37.949167, 3] ../source4/dsdb/kcc/kcc_periodic.c:695(samba_kcc_done)
  Completed samba_kcc OK


# cat /var/log/samba/mit_kdc.log

otp: Loaded
Jul 03 09:53:37 dc1.mydomain.com krb5kdc[1074](info): setting up network...
krb5kdc: setsockopt(16,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(18,IPV6_V6ONLY,1) worked
Jul 03 09:53:37 dc1.mydomain.com krb5kdc[1074](info): set up 4 sockets
Jul 03 09:53:37 dc1.mydomain.com krb5kdc[1074](info): commencing operation
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.206.101: NEEDED_PREAUTH: win10$@mydomain.com for krbtgt/mydomain.com@xxxxxxxxxxxx, Additional pre-authentication required
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, win10$@mydomain.com for krbtgt/mydomain.com@xxxxxxxxxxxx
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, WIN10$@MYDOMAIN.COM for ldap/dc1.mydomain.com/mydomain.com@xxxxxxxxxxxx
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.206.101: NEEDED_PREAUTH: win10$@mydomain.com for krbtgt/mydomain.com@xxxxxxxxxxxx, Additional pre-authentication required
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 23 -133 -128 24 -135}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, win10$@mydomain.com for krbtgt/mydomain.com@xxxxxxxxxxxx
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, WIN10$@MYDOMAIN.COM for DNS/dc1.mydomain.com@xxxxxxxxxxxx
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (1 etypes {18}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, WIN10$@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@xxxxxxxxxxxx
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, WIN10$@MYDOMAIN.COM for cifs/dc1.mydomain.com@xxxxxxxxxxxx
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.206.101: NEEDED_PREAUTH: win10$@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@xxxxxxxxxxxx, Additional pre-authentication required
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 21
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, win10$@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@xxxxxxxxxxxx
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, WIN10$@MYDOMAIN.COM for LDAP/dc1.mydomain.com/mydomain.com@xxxxxxxxxxxx
Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:03 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, WIN10$@MYDOMAIN.COM for WIN10$@MYDOMAIN.COM
Jul 03 10:12:03 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:16 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 23 -133 -128 24 -135}) 192.168.206.101: NEEDED_PREAUTH: WIN10$@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@xxxxxxxxxxxx, Additional pre-authentication required
Jul 03 10:12:16 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:16 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 23 -133 -128 24 -135}) 192.168.206.101: ISSUE: authtime 1530605536, etypes {rep=18 tkt=18 ses=18}, WIN10$@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@xxxxxxxxxxxx
Jul 03 10:12:16 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:12:16 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605536, etypes {rep=18 tkt=18 ses=18}, WIN10$@MYDOMAIN.COM for win10$@MYDOMAIN.COM
Jul 03 10:12:16 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:13:00 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.206.101: NEEDED_PREAUTH: administrator\@mydomain.com@xxxxxxxxxxxx for krbtgt/MYDOMAIN.COM@xxxxxxxxxxxx, Additional pre-authentication required
Jul 03 10:13:00 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:13:00 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.206.101: ISSUE: authtime 1530605580, etypes {rep=18 tkt=18 ses=18}, administrator\@mydomain.com@xxxxxxxxxxxx for krbtgt/MYDOMAIN.COM@xxxxxxxxxxxx
Jul 03 10:13:00 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:13:00 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605580, etypes {rep=18 tkt=18 ses=18}, Administrator@xxxxxxxxxxxx for host/win10.mydomain.com@xxxxxxxxxxxx
Jul 03 10:13:00 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:13:01 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605580, etypes {rep=18 tkt=18 ses=18}, Administrator@xxxxxxxxxxxx for LDAP/dc1.mydomain.com/mydomain.com@xxxxxxxxxxxx
Jul 03 10:13:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:13:02 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605580, etypes {rep=18 tkt=18 ses=18}, Administrator@xxxxxxxxxxxx for cifs/dc1.mydomain.com/mydomain.com@xxxxxxxxxxxx
Jul 03 10:13:02 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
Jul 03 10:13:02 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (1 etypes {18}) 192.168.206.101: ISSUE: authtime 1530605580, etypes {rep=18 tkt=18 ses=18}, Administrator@xxxxxxxxxxxx for krbtgt/MYDOMAIN.COM@xxxxxxxxxxxx
Jul 03 10:13:02 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19
nfo): closing down fd 19

==========

Thank you for your time and help

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba