Web lists-archives.com

Re: [Samba] Debugging Samba is a total PITA and this needs to improve

Hai Sven, 

And still i see/think you should change some things to get a better base setup. 
And no its not bike shedding....  It is making a standard setup, work from there. 

	default_realm = AD.TAO.AT
	dns_lookup_realm = true	< if you have multple REALM, else false. (default_realm = AD.TAO.AT) 
	dns_lookup_kdc = true

Checking file: /etc/nsswitch.conf
passwd:         files winbind
group:          files winbind
shadow:         files 
( removed winbind from shadow) not used. 

winbind enum users = yes
winbind enum groups = yes
Better no, works the same, but your server is faster. 

#### site.conf
netbios name = villach-file		< in CAPS 

For windows/samba netbios resolving: NETBIOSNAME =! netbiosname 
DNS resolving : NETBIOSNAME == netbiosname 
REALM resolving : REALM =! realm
Dnsdomain name  : realm often looks like dnsdomainname but.. 
			dnsdomainname =! REALM 

.. Clean up you site.conf. Make it as little as possible.

You see this note from the script: 
Running as Unix domain member and no user.map detected. 

Where is you user mapping? You dont use SePrivileges? 
Now its not wrong and possible to run it without, but it is much more work to setup correctly for this. 

And.. You still on 4.5.16, yes, possible, but why do you think i make newer packages. 

Windows and it updates are moving fast, so samba is following fast, while debian is slow. 
Not that's wrong, really i preffer myself slow and good updates, but thats just not the way for samba. 
And this is why i build the samba packages. To keep up with samba. 
You cant fix all with 4.5.16, for that you need higher samba versions. 
I've suggested this to Debian, to make a separated line for samba that follow the main releases of samba. 
But, that as a no-no.., so thats why i supply these, with debian's settings. 
Thats also why i use distro-sambaVERSION , to keep track with samba AND windows. 

Now, last question, on the pc with the "unable to authenticate", any windows event id's with warning/errors? 
You probley looked at that already?? Or not? 

> Top level error I'm seeing is that since today *some* Windows 
> users are denied SMB access to this one member server ("Network password is
> invalid"), but not all users. Worked fine before today.
If you delayed your windows updates for for example 6 day, then this is logical to me. 
Because MS updates are on Tuesday..  

Now, what if you reinstall SMB1 for these windows pc and disable autoremovement. 
Check with Powershel: 	Get-WindowsFeature FS-SMB1 

If thats not the case, then you should check the attributes of the computer in the AD. 
this could be also due to kerberos mismatchings in AD. 

You can check this as followed. 

samba-tool computer show YOUR_COMPUTERNAME_HERE > /tmp/YOUR_COMPUTERNAME_HERE.txt
egrep "dn|name|sAMAccountName|dNSHostName|distinguishedName|servicePrincipalName"  < /tmp/YOUR_COMPUTERNAME_HERE.txt
Safe the file or you keep quering your AD. 

servicePrincipalName: HOST/HOSTNAME.dnsdomain.tld is WRONG ! 

servicePrincipalName: HOST/HOSTNAME is correct. 
servicePrincipalName: HOST/hostname.dnsdomain.tld is correct ! 

So correct: 
HOST/NETBIOSNAME ( uppercase) 
HOST/host.fqdn ( lowercase)
sAMAccountName: NETBIOSNAME$  ( uppercase)  

Check this if this is your case also, there are lots of reports if "unable to authenticate" or lost trust of domain.. 
Due to above. 
If a name is wrong, Open ADSIEdit.  Go to the computer object.  
Don't hit properties of the object just right click and choose rename.  

More below... 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Sven 
> Schwedas via samba
> Verzonden: dinsdag 21 mei 2019 13:28
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] Debugging Samba is a total PITA and 
> this needs to improve
> The smb.conf hasn't changed since the last three or four times I've
> posted here asking for help:
> https://up.tao.at/u/samba/villach-file.txt
> Top level error I'm seeing is that since today *some* Windows 
> users are
> denied SMB access to this one member server ("Network password is
> invalid"), but not all users. Worked fine before today.
> wbinfo -p/-P work, wbinfo -a shows the same problem of some users
> working, some not: Those that do work, report success with plaintext
> auth, and NT_STATUS_WRONG_PASSWORD for challenge/response auth (wtf?).
> Those that don't work at all, fail plaintext auth and report
> NT_STATUS_INTERNAL_DB_CORRUPTION for challenge/response. Not sure if
> that means anything, given that challenge/response seems to 
> always fail
> with nonsensical error messages. All the other working member servers
> also report NT_STATUS_WRONG_PASSWORD for c/r auth.
> 15 MB/s error logs were not an exaggeration, BTW, that's what 
> I saw when
> I cranked up the logging level to 10, since the default log 
> level didn't
> bother even reporting the logon failures at all (which should be
> sensible defaults, but oh well). Since I don't know what component of
> Samba is responsible here, I don't know for which I should increase
> logging and for which I shouldn't.

man smb.conf /log level   ( + hit 5x n ) and your at the log level point.  ;-) 
That shows this example : 
log level = 1 full_audit:1@/var/log/audit.log

> Now that I'm digging, there also seem to be some generic WERR_BADFILE
> DRS replication errors that our automated monitoring somehow didn't
> catch; and one DC apparently no longer has the DNS entries it should
> have, and samba_dnsupdates alternates between "FORMERR" and "GSS-TSIG
> unsuccessful" which apparently is only supposed to appear with the BIND9
> DNS backend, which we aren't using. These are probably related, but
> again I have no idea where these come from or how to debug them.

Date: Tue, 22 May 2018 15:44:36 +0000
- Dynamic DNS updates with GSS-TSIG against Microsoft or samba DNS servers are not working and fails with the following error: ; TSIG error ...
https://bugzilla.samba.org/show_bug.cgi?id=13019  samba 4.7 and lower. 

You really want to try my packages.. ;-) 
And in your case, update steps, 4.8, and stay there if you want to switch to Buster then 4.9.5 
Or move more up to 4.9 or 4.10. 
Or if the server is an samba only, server, upgrade to buster, but ... Prepair for that, you will hit more then you expecting to hit. 
Not advice, just a suggesting, im not you, i can tell whats best for you, i dont know you complete network. 

> So how was your morning?
Good, thanks for asking. 

And in addition to Rowland, you always replies when im still typing :-p 

>> You need to investigate your DB problems, but just a few comments on 
No, start with your resolving and hostname. 

This is the base and this has to be correct and having this correct, helps in reducing problems in you windows clients. 
And it helps if finding your problem. 



To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba