
Re: [Samba] classicupgrade, net rpc rights grant NT_STATUS_IO_TIMEOUT and NT_STATUS_INTERNAL_ERROR




Am 12.03.2019 um 10:16 schrieb Rowland Penny via samba:
> On Tue, 12 Mar 2019 01:47:53 +0100
> Christian via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> Am 11.03.2019 um 09:24 schrieb Rowland Penny via samba:
>>> On Mon, 11 Mar 2019 07:16:30 +0100
>>> Christian via samba <samba@xxxxxxxxxxxxxxx> wrote:
>>>
>>>> Dear all,
>>>>
>>>> we are transitioning from an openldap / MIT KDC setup to a samba4
>>>> AD. I am doing this by setting up a samba NT4 domain, populating
>>>> it from LDAP and sticking in the password hashes which I
>>>> automatically extract from the MIT KDC arc4-hmac keys. Then I run
>>>> the classicupgrade. I do this whole thing from cron in a script
>>>> once a day to be able to slowly migrate services. The MIT /
>>>> openldap and samba4 AD servers are on different machines. My
>>>> script (based on LPHvB's instructions) sets privileges in the
>>>> following way:
>>>>
>>>> [..]
>>>>
>>>> systemctl restart bind9 ntp samba-ad-dc
>>>> sleep 5
>>>> SAMBA_DC_ADMIN_GROUP_CHOICE="BUILTIN\Administrators"
>>>> PRIVS="SeDiskOperatorPrivilege SeTakeOwnershipPrivilege \
>>>>   SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege \
>>>>   SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege \
>>>>   SeSecurityPrivilege SeSystemtimePrivilege SeShutdownPrivilege \
>>>>   SeDebugPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege \
>>>>   SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege \
>>>>   SeLoadDriverPrivilege SeCreatePagefilePrivilege \
>>>>   SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege SeUndockPrivilege \
>>>>   SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege \
>>>>   SeEnableDelegationPrivilege"
>>>>
>>>> samba-tool user setpassword Administrator \
>>>>   --newpassword="$SAMBA_NT_ADMIN_PASS"
>>>> echo "$SAMBA_NT_ADMIN_PASS" | kinit Administrator
>>>> for priv in $PRIVS ; do
>>>>   while ! net rpc rights grant "${SAMBA_DC_ADMIN_GROUP_CHOICE}" $priv \
>>>>       -U "Administrator%$SAMBA_NT_ADMIN_PASS" ; do
>>>>     echo "Failed to grant $priv ... Retrying ..."
>>>>     sleep 10
>>>>   done
>>>> done
>>>>
>>>> Upon running this, I often get NT_STATUS_INTERNAL_ERROR or
>>>> NT_STATUS_IO_TIMEOUT:
>>>>
>>>> Changed password OK
>>>> Password for Administrator@XXXXXXXXXXXXXXXXX:
>>>> Could not connect to server 127.0.0.1
>>>> Connection failed: NT_STATUS_IO_TIMEOUT
>>>> Failed to grant SeDiskOperatorPrivilege ... Retrying ...
>>>> Could not connect to server 127.0.0.1
>>>> Connection failed: NT_STATUS_IO_TIMEOUT
>>>> Failed to grant SeDiskOperatorPrivilege ... Retrying ...
>>>> Could not connect to server 127.0.0.1
>>>> Connection failed: NT_STATUS_INTERNAL_ERROR
>>>> Failed to grant SeDiskOperatorPrivilege ... Retrying ...
>>>> Successfully granted rights.
>>>> Successfully granted rights.
>>>> Successfully granted rights.
>>>>
>>>> Why would that happen? I can put in as much wait time as I want
>>>> after the initial service restart, and it still happens. I
>>>> obviously work around it by repeating until it proceeds, but I do
>>>> not understand why this is necessary. Any hints would be
>>>> appreciated... Thanks,
>>>>
>>>> Christian
>>>>
>>>>
>>> This looks like a DNS problem, what do you have
>>> in /etc/resolv.conf ? Is Bind9 setting up correctly and running ?
>> Yep. /etc/resolv.conf points to 127.0.0.1 only. Not sure DNS is the
>> issue here as it says it cannot somehow talk to 127.0.0.1...
> Try changing '127.0.0.1' to the DC's actual ipaddress.
>
>>> What OS ?
>> Debian stable with LPHvB 4.8 packages.
> Good, you are using the same packages as myself and it works for me, so
> it sounds like it is a configuration problem somewhere.
>
> Can you post the following files:
> /etc/resolv.conf
> /etc/hostname
> /etc/hosts
> /etc/krb5
> /etc/bind/named.conf
> /etc/bind/named.options
> /etc/bind/named.local

OK, just to make that clear: What I am trying to understand here is why
there have to be a few failures after the service restart. After the
first privilege has eventually been set successfully, all the others go
through just fine. Here is the content of the files:

******** /etc/resolv.conf

nameserver 127.0.0.1
search ad_domain.main_domain main_domain

******** /etc/hostname

dc1

******** /etc/hosts

127.0.0.1       localhost
public_ip       dc1.ad_domain.main_domain dc1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

******** /etc/krb5.conf

[libdefaults]
    default_realm = AD_DOMAIN_NAME.MAIN_DOMAIN
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true
    proxiable = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

******** /etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

******** /etc/bind/named.conf.options

options {
        directory "/var/cache/bind";
        forwarders {
                main_org_dns_1_ip;
                main_org_dns_2_ip;
        };
        dnssec-validation auto;
        auth-nxdomain yes;    # conform to RFC1035 is no
        listen-on-v6 { any; };
        empty-zones-enable no;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

******** /etc/named.conf.local

include "/var/lib/samba/bind-dns/named.conf";

******** /var/lib/samba/bind-dns/named.conf

dlz "AD DNS Zone" {
     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
};

I think this may be related to Louis's instructions for the DC setup; he
also has plenty of "sleep"s in there... Thanks for any insights,

Christian


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
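The `while ! net rpc rights grant ...` loop quoted in the thread retries forever on any failure, including credential errors, and passes the Administrator password on the command line where it is visible to every local process. The script below is an added example, not code from the thread or from the Samba project: it bounds the retries, classifies the NT_STATUS codes the thread shows (NT_STATUS_IO_TIMEOUT and NT_STATUS_INTERNAL_ERROR are treated as transient, logon or access failures stop the loop immediately, since hammering a DC with a bad password can lock the account), targets the DC by its own name with `-S` rather than 127.0.0.1 as Rowland suggested, and reads credentials from a root-only file with `-A`. DC_ADDR, AUTH_FILE, RUN_GRANTS and the classification lists are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): bounded,
# fail-fast wrapper around "net rpc rights grant" after a DC restart.
# DC_ADDR, AUTH_FILE and RUN_GRANTS are hypothetical names for this example.

DC_ADDR="${DC_ADDR:-dc1.ad_domain.main_domain}"   # assumed: the DC name from the posted /etc/hosts
AUTH_FILE="${AUTH_FILE:-/root/.samba-admin.cred}" # assumed: mode 0600 file, "username = Administrator" / "password = ..."
ADMIN_GROUP="BUILTIN\\Administrators"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-12}"
RETRY_DELAY="${RETRY_DELAY:-5}"
PRIVS="SeDiskOperatorPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege \
  SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege \
  SeAddUsersPrivilege SeSecurityPrivilege SeSystemtimePrivilege \
  SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege \
  SeSystemProfilePrivilege SeProfileSingleProcessPrivilege \
  SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege \
  SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege \
  SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege \
  SeCreateGlobalPrivilege SeEnableDelegationPrivilege"

# classify_status OUTPUT: print "transient" for errors seen while the DC is
# still coming up (worth retrying), "fatal" for credential or authorization
# errors (retrying those only risks locking the account), else "unknown".
classify_status() {
    case "$1" in
        *NT_STATUS_IO_TIMEOUT*|*NT_STATUS_INTERNAL_ERROR*|*NT_STATUS_CONNECTION_REFUSED*|*NT_STATUS_HOST_UNREACHABLE*)
            echo transient ;;
        *NT_STATUS_LOGON_FAILURE*|*NT_STATUS_ACCESS_DENIED*|*NT_STATUS_ACCOUNT_LOCKED_OUT*|*NT_STATUS_PASSWORD_EXPIRED*)
            echo fatal ;;
        *)
            echo unknown ;;
    esac
}

# retry_grant CMD ARGS...: run the command up to MAX_ATTEMPTS times.
# Returns 0 on success, 2 on a fatal status, 1 when attempts run out.
# The last attempt's combined stdout/stderr is left in LAST_OUTPUT.
retry_grant() {
    attempt=1
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        if LAST_OUTPUT=$("$@" 2>&1); then
            return 0
        fi
        kind=$(classify_status "$LAST_OUTPUT")
        if [ "$kind" = fatal ]; then
            echo "not retrying, fatal status: $LAST_OUTPUT" >&2
            return 2
        fi
        echo "attempt $attempt/$MAX_ATTEMPTS failed ($kind): $LAST_OUTPUT" >&2
        attempt=$((attempt + 1))
        sleep "$RETRY_DELAY"
    done
    return 1
}

# grant_all: grant every privilege in PRIVS to ADMIN_GROUP. -S names the DC
# explicitly instead of relying on 127.0.0.1; -A reads credentials from a
# file so the password never appears in the process list.
grant_all() {
    for priv in $PRIVS; do
        retry_grant net rpc rights grant "$ADMIN_GROUP" "$priv" \
            -S "$DC_ADDR" -A "$AUTH_FILE" || return $?
    done
    # print the resulting assignments so the run can be checked afterwards
    net rpc rights list accounts -S "$DC_ADDR" -A "$AUTH_FILE"
}

# Only touch a real DC when explicitly asked: RUN_GRANTS=1 sh grant-rights.sh
if [ "${RUN_GRANTS:-0}" = 1 ]; then
    grant_all
fi
```

Because the functions take the command as arguments, the retry and classification logic can be exercised with a stand-in for `net` on a machine without a DC; the classification lists are a starting point and should be extended from the statuses actually observed in the cron job's log.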