Re: [Samba] Samba 4 internal DNS - how to modify SOA record

2013-08-06 Thread Dmitry Khromov
 How could one modify a SOA record in rc3? For example, NS part (not NS 
 record) of SOA record points to an absent Windows server. This effectively 
 breaks DNS updates, since there is no such server and if corresponding A 
 record is added, update requests from clients will come unsigned.
 Editing it directly via LDAP breaks Samba (some sort of checksum/hash?). MMC 
 snap-in says Zone not loaded by DNS server, so it is not possible to use 
 it either. samba-tool dns add|delete|update can't operate on SOA record.
 Maybe someone could give a link to some document describing dnsRecord, so 
 one could forge a valid record and just change dnsRecord in DC=@ using some 
 LDAP tool?

 I have the very same problem, does anybody know a way?
 I am thinking of converting to BIND, modifying and then converting it
 back to Internal DNS implementation.

I doubt that will do the job. As I recall, I forged the dnsRecord
manually (record's structure description could be found on the MSDN) and
ldbmodify'ed the corresponding ldb on every DC (Samba should not be
run). Alternatively, you may just capture the conversation between Samba
and MMC snap-in - the value you need is being sent in clear text.

Regards,
- Dmitry
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Internal DNS - TTL enforcement for dynamic updates

2012-11-01 Thread Dmitry Khromov
Hello!
  Samba 4 rc 3. I had noticed a strange behavior. If a host creates a 
  record, it won't be updated further until the record gets deleted 
  manually. What could cause this?
 
 What updates are you expecting?

When Windows DHCP client receives a lease or when you manually issue ipconfig 
/renew command, Windows sends out DNS messages (unsigned, then signed if 
needed) with UPDATE opcode towards a NS specified in NS field of SOA with a new 
IP address for the record. I expected Samba to behave like MS DNS server and 
replace the old record with a new one.

  Another question: how could the dynamically added record's TTL be 
  enforced? For example, we have a user-based VLAN assignment in our 
  networks. When Windows host boots, it authenticates with machine 
  account and goes to the one of parking VLANs. Later, when user
  logs in, he gets a different VLAN and different IP address. So, we
  really want other DNS servers to not cache this records for too
  long. Normally, this is done by modifying SOA record (and, as I
  recall, Samba's internal DNS respects TTLs in SOA). But samba-tool
  can't edit SOA records, MMC DNS snap-in fails to do it too.
 
 The TTL only affects caching decisions on the resolver side so the
 internal DNS actually doesn't do anything with the TTLs apart from
 serving them out with the record.

That's true. But you may specify expire for the whole zone in SOA to force 
other DNS servers that provide clients with cached recursion to query upstream 
NS again after the zone is expired, no matter what the TTL for individual 
records is - that is what I need.

 Now, if your clients register their DNS records, they get to pick the
 TTL of the entry themselves. This can probably be affected with a GPO
 somehow, but I don't know the AD stuff enough to know where to look.

When I googled last time, I had seen some Microsoft guys saying it's hardcoded. 
Not sure if that's true, but it looks like it, given the fact Windows just 
creates a record with TTL of 1200 seconds, even if DHCP server gives a 10 
seconds lasting lease.

 I don't think the TTL of the SOA record should affect anything apart
 from how long resolvers cache the SOA record.

And that is what I need.


As a last resort one could modify SOA record directly via LDAP (e.g. using 
ldbmodify). This is the method we currently use. One needs to change dnsRecord 
attribute of DC=@ for domain in question. add: in LDIF should appear before 
delete: or Samba may become inoperable. Or just pkill samba and use ldbmodify 
on the .ldb directly.
http://msdn.microsoft.com/en-us/library/ee898781(prot.20).aspx describes 
dnsRecord attribute data format
http://msdn.microsoft.com/en-us/library/cc448905(v=prot.20).aspx describes SOA 
record format


Thank you!

-- 
Best regards,
Dmitry Khromov
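A worked version of the ldbmodify route described in this message and in the August 2013 reply at the top of the page, as an added example that is not part of the thread and not Samba's own tooling: it encodes and decodes the dnsRecord blob per MS-DNSP (the DNS_RPC_RECORD header with its network-order TtlSeconds, DNS_RPC_RECORD_SOA, DNS_COUNT_NAME), rewrites the primary NS and the expire of a SOA, bumps the SOA serial, and prints an LDIF whose add precedes the delete. The zone DN under DC=DomainDnsZones, the host name win2k3 and the hostmaster mailbox are assumptions; the sample blob is constructed inside the script, so against a real DC dump the current value with ldbsearch and feed that base64 in instead.

```python
"""Build, parse and rewrite the MS-DNSP dnsRecord blob of a SOA record, and emit
the LDIF that swaps it on DC=@. Example code for this thread, not Samba's own
tooling; field layout follows MS-DNSP DNS_RPC_RECORD / DNS_RPC_RECORD_SOA."""
import base64
import struct

DNS_TYPE_SOA = 0x0006
DNSRECORD_VERSION = 0x05
RANK_ZONE = 0xF0            # authoritative data from the zone itself


def encode_count_name(name: str) -> bytes:
    """DNS_COUNT_NAME: Length, LabelCount, then (len, label)* and a 0x00 terminator."""
    labels = [l for l in name.rstrip('.').split('.') if l]
    raw = b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'
    if len(raw) > 255 or len(labels) > 255:
        raise ValueError('name too long for DNS_COUNT_NAME')
    return bytes([len(raw), len(labels)]) + raw


def decode_count_name(buf: bytes, off: int):
    """Return (absolute name with trailing dot, offset after the name)."""
    length, count = buf[off], buf[off + 1]
    raw, labels, p = buf[off + 2:off + 2 + length], [], 0
    for _ in range(count):
        n = raw[p]
        labels.append(raw[p + 1:p + 1 + n].decode('ascii'))
        p += 1 + n
    if raw[p] != 0:
        raise ValueError('DNS_COUNT_NAME not zero-terminated')
    return '.'.join(labels) + '.', off + 2 + length


def encode_soa_data(serial, refresh, retry, expire, minimum, mname, rname) -> bytes:
    """DNS_RPC_RECORD_SOA: five DWORDs in network byte order, then the primary NS
    and the responsible mailbox as count-names."""
    return (struct.pack('>IIIII', serial, refresh, retry, expire, minimum)
            + encode_count_name(mname) + encode_count_name(rname))


def decode_soa_data(data: bytes) -> dict:
    serial, refresh, retry, expire, minimum = struct.unpack_from('>IIIII', data, 0)
    mname, off = decode_count_name(data, 20)
    rname, off = decode_count_name(data, off)
    if off != len(data):
        raise ValueError('trailing bytes after SOA data')
    return dict(serial=serial, refresh=refresh, retry=retry, expire=expire,
                minimum=minimum, mname=mname, rname=rname)


def encode_dns_record(rtype, data, ttl, zone_serial, rank=RANK_ZONE) -> bytes:
    """DNS_RPC_RECORD header. DataLength, Type, Version, Rank, Flags and Serial are
    little-endian; TtlSeconds is big-endian (network order); Reserved and TimeStamp
    are 0, a zero TimeStamp marking a static record that aging never scavenges."""
    hdr = struct.pack('<HHBBHI', len(data), rtype, DNSRECORD_VERSION, rank, 0, zone_serial)
    return hdr + struct.pack('>I', ttl) + struct.pack('<II', 0, 0) + data


def decode_dns_record(blob: bytes) -> dict:
    dlen, rtype, version, rank, _flags, serial = struct.unpack_from('<HHBBHI', blob, 0)
    (ttl,) = struct.unpack_from('>I', blob, 12)
    _reserved, timestamp = struct.unpack_from('<II', blob, 16)
    data = blob[24:24 + dlen]
    if version != DNSRECORD_VERSION or len(data) != dlen:
        raise ValueError('malformed dnsRecord')
    rec = dict(type=rtype, rank=rank, ttl=ttl, serial=serial, timestamp=timestamp, data=data)
    if rtype == DNS_TYPE_SOA:
        rec['soa'] = decode_soa_data(data)
    return rec


def repoint_soa(old_blob: bytes, new_mname: str, new_expire=None) -> bytes:
    """New SOA blob with the primary NS replaced, the SOA serial bumped and,
    optionally, a new zone expire; TTL and rank are carried over."""
    rec = decode_dns_record(old_blob)
    if rec['type'] != DNS_TYPE_SOA:
        raise ValueError('not a SOA dnsRecord')
    soa = dict(rec['soa'], mname=new_mname, serial=rec['soa']['serial'] + 1)
    if new_expire is not None:
        soa['expire'] = new_expire
    return encode_dns_record(DNS_TYPE_SOA, encode_soa_data(**soa), rec['ttl'], soa['serial'], rec['rank'])


def soa_ldif(dn: str, old_blob: bytes, new_blob: bytes) -> str:
    """LDIF for ldbmodify: the add of the new value precedes the delete of the old."""
    b64 = lambda b: base64.b64encode(b).decode('ascii')
    return ('dn: %s\nchangetype: modify\n'
            'add: dnsRecord\ndnsRecord:: %s\n-\n'
            'delete: dnsRecord\ndnsRecord:: %s\n-\n' % (dn, b64(new_blob), b64(old_blob)))


# Constructed sample: a SOA still naming a demoted Windows DC (hypothetical host
# name win2k3 and mailbox hostmaster; the zone is the one from the thread).
ZONE_DN = ('DC=@,DC=klin.kifato-mk.com,CN=MicrosoftDNS,DC=DomainDnsZones,'
           'DC=klin,DC=kifato-mk,DC=com')   # assumed partition; confirm with ldbsearch first
OLD_SOA = encode_dns_record(
    DNS_TYPE_SOA,
    encode_soa_data(2012103001, 900, 600, 86400, 3600,
                    'win2k3.klin.kifato-mk.com.', 'hostmaster.klin.kifato-mk.com.'),
    ttl=3600, zone_serial=2012103001)
NEW_SOA = repoint_soa(OLD_SOA, 'dc1.klin.kifato-mk.com.', new_expire=3600)

if __name__ == '__main__':
    print(decode_dns_record(NEW_SOA)['soa'])
    print(soa_ldif(ZONE_DN, OLD_SOA, NEW_SOA))
```

As the message says, apply the LDIF with Samba stopped and on every DC's sam.ldb; if the zone lives in DC=ForestDnsZones or CN=System,DC=... instead of DC=DomainDnsZones, adjust ZONE_DN accordingly.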


Re: [Samba] Internal DNS - TTL enforcement for dynamic updates

2012-11-01 Thread Dmitry Khromov
By the way, maybe an option should be added for Samba internal DNS server that 
will allow to force TTL of individual records since it's not tunable in Windows?
This would be a feature I missed in MS DNS server much. In my opinion, network 
administrator, not MS DNS client alone, should have a control of records TTL.

P.S. 
 When Windows DHCP client receives a lease or when you manually issue ipconfig 
 /renew command
Sorry, not /renew, I meant /registerdns.

Thanks.
-- 
Best regards,
Dmitry Khromov


Re: [Samba] Internal DNS - TTL enforcement for dynamic updates

2012-11-01 Thread Dmitry Khromov
  I expected Samba to behave like MS DNS server and replace the old
  record with a new one.
 
 Yes, that should work. If it doesn't work for you, you need to tell us
 some more details about your smb.conf and maybe provide a network
 capture of the failing DNS update.

# cat etc/smb.conf
# Global parameters
[global]
workgroup = MK_KLIN
realm = klin.kifato-mk.com
netbios name = DC1
interfaces = 192.168.1.24, 127.0.0.1
bind interfaces only = Yes
server role = active directory domain controller
idmap_ldb:use rfc2307  = yes
debug level = 1
wins server = 192.168.1.31
allow dns updates = secure only

[netlogon]
path = /usr/local/samba/var/locks/sysvol/klin.kifato-mk.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

PCAP-formatted dump is attached. According to the dump, Windows just doesn't 
try to send a signed update after receiving TKEY. However, this host had 
succeeded at least once today. Rebooted it, now no updates happen, but Samba 
started to say:
[2012/11/01 14:32:30,  1] 
../source4/dns_server/dns_server.c:150(dns_process_send)
  Failed to verify TSIG!
Some background: we already had the same symptoms this week for most of our 
Windows hosts (and some Samba 3 based, too). Yesterday we had to delete the 
zone (it was somewhat dirty after years on Windows, e.g. MMC DNS said Server 
couldn't load the zone when you open it on Samba server) and rebuilt it from 
scratch. As a side effect those TSIG-related messages had gone and records had 
started to update (one time until deletion). Now it looks like nothing had 
actually changed.

 Again, we probably need a network capture to see what's
 going on with the DNS MMC failing to update the SOA record.

Attached (PCAP-formatted).

Thanks in advance.
-- 
Best regards,
Dmitry Khromov

Re: [Samba] Internal DNS - TTL enforcement for dynamic updates

2012-11-01 Thread Dmitry Khromov
 According to the dump, Windows just doesn't try to send a signed update after 
 receiving TKEY. However, this host had succeeded at least once today. Rebooted 
 it, now no updates happen, but Samba started to say:
 [2012/11/01 14:32:30,  1] 
 ../source4/dns_server/dns_server.c:150(dns_process_send)
   Failed to verify TSIG!

Things get even more interesting. Looks like in fact there are two problems.
I have another two dumps, illustrating the original issue I was talking about. 
In dump 1 the host is just booted and the record from the previous boot exists. 
As you can see Samba says SERVFAIL. debug level = 1 says:
[2012/11/01 23:59:44,  1] ../source4/dns_server/dns_query.c:501(handle_tkey)
  Tkey handshake completed
[2012/11/01 23:59:48,  1] ../source4/dns_server/dns_update.c:672(handle_updates)
  update count is 3
[2012/11/01 23:59:48,  1] ../source4/dns_server/dns_update.c:672(handle_updates)
  update count is 3
[2012/11/01 23:59:48,  1] ../source4/dns_server/dns_update.c:672(handle_updates)
  update count is 3
[2012/11/01 23:59:48,  1] ../source4/dns_server/dns_update.c:672(handle_updates)
  update count is 3

In dump 2 I have just deleted the record. As you can see, only the first update 
succeeds, then - SERVFAIL again.

P.S. Just in case you're surprised with the update frequency - it's what we 
really have in production on parking subnets, as a workaround for the Windows 
7 DHCPINFORM on non-authoritative subnets problem.

-- 
Best regards,
Dmitry Khromov
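The update traffic this thread reads out of the attached captures, as an added example that is neither the thread's nor Samba's code: a builder for the two-step UPDATE a Windows client sends on ipconfig /registerdns (delete the A RRset, add the new A with its 1200 s TTL), with or without a TSIG RR, and a dissector that reports opcode, zone, update RRs and whether a TSIG RR is present. The host name, the TSIG key name and the zeroed MAC are constructed; a real GSS-TSIG MAC is a GSS MIC over the message, so the dissector tells you whether the client signed at all, not whether the signature verifies.

```python
"""Build and dissect RFC 2136 UPDATE messages, optionally carrying a TSIG RR, so a
message pulled out of a capture can be checked for what the thread discusses:
UPDATE opcode, target zone, the TTL the client asked for, and whether the
request was signed. Added example, not Samba's code; packets are constructed
in-script with a placeholder MAC (a real GSS-TSIG MAC comes from GSS_GetMIC)."""
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255


def encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'


def decode_name(msg: bytes, off: int):
    """Read a name that may use compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                      # pointer into an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack_from('>H', msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError('compression pointer loop')
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode('ascii'))
        off += n
    return '.'.join(labels) + '.', (off if end is None else end)


def build_update(zone, host, ip, ttl=1200, tsig_key=None, msg_id=0x1234) -> bytes:
    """UPDATE that deletes host's A RRset then adds a fresh A with the given TTL,
    the shape a Windows client sends on ipconfig /registerdns. tsig_key appends
    a TSIG RR (algorithm gss-tsig) to the additional section."""
    zone_sec = encode_name(zone) + struct.pack('>HH', TYPE_SOA, CLASS_IN)
    delete_a = encode_name(host) + struct.pack('>HHIH', TYPE_A, CLASS_ANY, 0, 0)
    add_a = (encode_name(host) + struct.pack('>HHIH', TYPE_A, CLASS_IN, ttl, 4)
             + bytes(int(o) for o in ip.split('.')))
    additional, arcount = b'', 0
    if tsig_key:
        mac = b'\x00' * 16                           # placeholder, not a real MIC
        # algorithm, time signed (48 bit), fudge, mac size, mac, original id, error, other len
        rdata = (encode_name('gss-tsig.') + b'\x00\x00' + struct.pack('>IHH', 0, 300, len(mac))
                 + mac + struct.pack('>HHH', msg_id, 0, 0))
        additional = (encode_name(tsig_key)
                      + struct.pack('>HHIH', TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata)
        arcount = 1
    hdr = struct.pack('>HHHHHH', msg_id, OPCODE_UPDATE << 11, 1, 0, 2, arcount)
    return hdr + zone_sec + delete_a + add_a + additional


def parse_rr(msg: bytes, off: int):
    name, off = decode_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from('>HHIH', msg, off)
    off += 10
    return dict(name=name, type=rtype, cls=rclass, ttl=ttl, rdata=msg[off:off + rdlen]), off + rdlen


def dissect_update(msg: bytes) -> dict:
    """Summarise a DNS message: opcode, zone section, update RRs and TSIG status."""
    msg_id, flags, zocount, prcount, upcount, arcount = struct.unpack_from('>HHHHHH', msg, 0)
    off, zones = 12, []
    for _ in range(zocount):
        name, off = decode_name(msg, off)
        off += 4                                     # ZTYPE + ZCLASS
        zones.append(name)
    sections = {'prereq': [], 'update': [], 'additional': []}
    for count, key in ((prcount, 'prereq'), (upcount, 'update'), (arcount, 'additional')):
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            sections[key].append(rr)
    tsig = next((rr for rr in sections['additional'] if rr['type'] == TYPE_TSIG), None)
    signed = None
    if tsig is not None:                             # TSIG rdata never uses compression
        signed = dict(key=tsig['name'], algorithm=decode_name(tsig['rdata'], 0)[0])
    return dict(id=msg_id, is_update=((flags >> 11) & 0xF) == OPCODE_UPDATE,
                rcode=flags & 0xF, zones=zones,
                updates=[(r['name'], r['type'], r['cls'], r['ttl']) for r in sections['update']],
                signed=signed)


# Constructed messages: zone and address from the thread, host name and TSIG key
# name illustrative (Windows derives the key name during the TKEY exchange).
ZONE, HOST = 'klin.kifato-mk.com.', 'con-11.klin.kifato-mk.com.'
UNSIGNED = build_update(ZONE, HOST, '192.168.1.138')
SIGNED = build_update(ZONE, HOST, '192.168.1.138',
                      tsig_key='1234-ms-7-abcd.klin.kifato-mk.com.')

if __name__ == '__main__':
    for m in (UNSIGNED, SIGNED):
        d = dissect_update(m)
        print('UPDATE' if d['is_update'] else 'not an update', d['zones'], d['updates'], d['signed'])
```

Feed dissect_update the raw UDP payload of each packet from the capture; an update that arrives with signed=None after a completed TKEY handshake is the unsigned case the thread describes, and the TTL in the second update RR is the value the client chose.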

[Samba] Internal DNS - TTL enforcement for dynamic updates

2012-10-31 Thread Dmitry Khromov
Hello.

Samba 4 rc 3.
I had noticed a strange behavior. If a host creates a record, it won't be 
updated further until the record gets deleted manually. What could cause this?

Another question: how could the dynamically added record's TTL be enforced? For 
example, we have a user-based VLAN assignment in our networks. When Windows 
host boots, it authenticates with machine account and goes to the one of 
parking VLANs. Later, when user logs in, he gets a different VLAN and 
different IP address. So, we really want other DNS servers to not cache this 
records for too long.
Normally, this is done by modifying SOA record (and, as I recall, Samba's 
internal DNS respects TTLs in SOA). But samba-tool can't edit SOA records, MMC 
DNS snap-in fails to do it too.

Thanks.

-- 
Best regards,
Dmitry Khromov


Re: [Samba] Unable to create GPO with rc3 and a few authentication problems

2012-10-30 Thread Dmitry Khromov
 I had encountered a few problems with 2 Samba 4 rc3 DCs serving domain 
 migrated from Windows 2003 R2. I post them altogether, since they look 
 related.
 
 1. Unable to create or delete GPOs.
 # bin/samba-tool gpo create somegpo
 ERROR(ldb): uncaught exception - LDAP error 50 
 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  dsdb_access: Access check failed on 
 CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com 
   File 
 /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py, 
 line 175, in _run
 return self.run(*args, **kwargs)
   File /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py, 
 line 952, in run
 self.samdb.add(m)
 
 I'm not sure if this is a schema or authentication problem. Could someone 
 suggest how should that be investigated?

It looks like in the default Windows schema only members of Domain Admins can 
modify cn=Policies. If one allows the Domain Controllers group rw access too, 
the LDAP-related error disappears. However, a sysvol FS access error is raised 
then (due to the fact that machine accounts do not have write permissions on 
sysvol/fqdn/Policies after samba-tool ntacl sysvolreset).
So, should samba-tool really use the machine account for GPO operations?

-- 
Best regards,
Dmitry Khromov


Re: [Samba] Unable to create GPO with rc3 and a few authentication problems

2012-10-30 Thread Dmitry Khromov
 On Wed, 2012-10-31 at 03:33 +0400, Dmitry Khromov wrote:
   I had encountered a few problems with 2 Samba 4 rc3 DCs serving domain 
   migrated from Windows 2003 R2. I post them altogether, since they look 
   related.
   
   1. Unable to create or delete GPOs.
   # bin/samba-tool gpo create somegpo
   ERROR(ldb): uncaught exception - LDAP error 50 
   LDAP_INSUFFICIENT_ACCESS_RIGHTS -  dsdb_access: Access check failed on 
   CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com 
 File 
   /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py,
line 175, in _run
   return self.run(*args, **kwargs)
 File 
   /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py, 
   line 952, in run
   self.samdb.add(m)
   
   I'm not sure if this is a schema or authentication problem. Could someone 
   suggest how should that be investigated?
  
  It looks like in the default Windows schema only members of Domain Admins can 
  modify cn=Policies. If one allows the Domain Controllers group rw access too, 
  the LDAP-related error disappears. However, a sysvol FS access error is raised 
  then (due to the fact that machine accounts do not have write permissions on 
  sysvol/fqdn/Policies after samba-tool ntacl sysvolreset).
  So, should samba-tool really use the machine account for GPO operations?
 
 Probably not for write operations. 
 
 Andrew Bartlett
 
 -- 
 Andrew Bartlett                        http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org
 
 

And it actually doesn't. Sorry, I'm an idiot. I forgot the -k switch, so it was 
falling back to machine account. Now it says NT_STATUS_INVALID_OWNER in 
conn.set_acl, but that's a different story.

-- 
Best regards,
Dmitry Khromov


[Samba] Unable to create GPO with rc3 and a few authentication problems

2012-10-29 Thread Dmitry Khromov
Hello.

I had encountered a few problems with 2 Samba 4 rc3 DCs serving domain migrated 
from Windows 2003 R2. I post them altogether, since they look related.

1. Unable to create or delete GPOs.
# bin/samba-tool gpo create somegpo
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS 
-  dsdb_access: Access check failed on 
CN=Policies,CN=System,DC=klin,DC=kifato-mk,DC=com 
  File 
/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py, line 
175, in _run
return self.run(*args, **kwargs)
  File /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/gpo.py, 
line 952, in run
self.samdb.add(m)

I'm not sure if this is a schema or authentication problem. Could someone 
suggest how should that be investigated?

2. Some hosts fail to update records via Samba internal DNS (Andrew, sorry for 
duplicating, but this is updated).
It looks like this on debug level = 5:
[2012/10/30 02:23:38,  1] 
../source4/dns_server/dns_server.c:150(dns_process_send)
  Failed to verify TSIG!
Hosts are Windows XP, Windows 7, Samba 3 on Linux. Some do update successfully, 
some can succeed some time (say, 5 hours) later, or may still fail. This is 
weird.
I should mention that we had some problem with Windows 2k3 demotion - during 
the process it had rewritten the SOA on (the only at that moment) Samba DC and 
put its own hostname in SOA's primary NS field. We had to fix that manually 
by replacing the SOA record in the corresponding LDB.
Maybe we had just missed something? Any ideas on what's wrong?

3. Some hosts may suddenly reject valid tickets for RPC calls.
Somewhat like the previous one. For example, on some non-DC host I do:
$ kinit
$ #Got a ticket for some admin user, btw MIT is used here
$ net rpc shutdown -S somehost -f -k # Samba 3's net command
It may succeed for some hosts, but fail with NT_LOGON_FAILURE a few hours later, 
before the ticket expires (and DCs still accept this ticket for e.g. samba-tool 
drs showrepl). Or it may later succeed for a host it was failing for. Renewing 
the ticket doesn't change anything.
So, something strange for me, too. I had tried to reset some machine accounts 
and to rejoin some hosts. No luck.

4. Unrelated to the previous ones. Well, I'm sorry, I hadn't read the source to 
see if this is supposed to happen. But I'd better say that before I forget, 
just in case.
Try to rename some host using Windows GUI (My Computer - Properties) and check 
if CN, sAMAccountName and member for corresponding groups are changed 
correctly. In my experience, only sAMAccountName is changed.
Once again, sorry if this is OK.


Thanks in advance.

-- 
Best regards,
Dmitry Khromov


[Samba] Samba 4 internal DNS - how to modify SOA record

2012-10-23 Thread Dmitry Khromov
Hello.
How could one modify a SOA record in rc3? For example, NS part (not NS record) 
of SOA record points to an absent Windows server. This effectively breaks DNS 
updates, since there is no such server and if corresponding A record is added, 
update requests from clients will come unsigned.
Editing it directly via LDAP breaks Samba (some sort of checksum/hash?). MMC 
snap-in says Zone not loaded by DNS server, so it is not possible to use it 
either. samba-tool dns add|delete|update can't operate on SOA record.
Maybe someone could give a link to some document describing dnsRecord, so one 
could forge a valid record and just change dnsRecord in DC=@ using some LDAP 
tool?

Thanks in advance.
-- 
Best regards,
Dmitry Khromov


[Samba] Samba4 KDC Windows 7 clients may fail to get a ticket

2012-10-03 Thread Dmitry Khromov
Hello.
Samba 4.1.0pre1-GIT-aad669b, joined as a DC to an existing domain. Windows 7 
machines may fail to get a ticket:

[2012/10/03 09:31:54,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ con-11$@KLIN.KIFATO-MK.COM from ipv4:192.168.1.138:49682 for 
krbtgt/klin.kifato-mk@klin.kifato-mk.com
[2012/10/03 09:31:54,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Client sent patypes: encrypted-timestamp, 128
[2012/10/03 09:31:54,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- con-11$@KLIN.KIFATO-MK.COM
[2012/10/03 09:31:54,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- con-11$@KLIN.KIFATO-MK.COM
[2012/10/03 09:31:54,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- con-11$@KLIN.KIFATO-MK.COM (enctype 
aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type 
hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2012/10/03 09:31:54,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- con-11$@KLIN.KIFATO-MK.COM
[2012/10/03 09:31:54,  3] 
../source4/smbd/service_stream.c:63(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED'
[2012/10/03 09:31:54,  3] ../source4/smbd/process_single.c:104(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED]

--
Best regards,
Dmitry Khromov.


Re: [Samba] Samba4 KDC Windows 7 clients may fail to get a ticket

2012-10-03 Thread Dmitry Khromov
On Wed, 03 Oct 2012 16:22:27 +1000
Andrew Bartlett abart...@samba.org wrote:
 What happens when this error occurs?  Does something fail on the client?

An error like cannot establish domain trust (sorry, it's in Russian) appears on 
the logon screen when you try to log in using any credentials. The client 
doesn't even ask the KDC for a user ticket.
 
 Is this only shortly after a machine account password change, and
 pending replication?  Does the client retry with the previous machine
 account password?

No, we hadn't touched these accounts for months already (and had joined Samba 
DC 5 days ago). By the way, XP stations (we have more XP's than Sevens) are 
unaffected.

Thank you.

-- 
Best regards,
Dmitry Khromov


[Samba] Samba4 KDC - no such entry found in hdb

2012-10-01 Thread Dmitry Khromov
:: PEdVSUQ9ZjdkZmUwYjItNzQwNC00Yzc4LWI5ZjAtMDdjOGU2NmY4M2ZiPjs8U0lEPVM
 tMS01LTIxLTk4NDg2MTQwLTkyNjQyNzg1LTg0NjcxOTk1Mi02MzgzMj47Q0490JvQvtC60LDQu9GM
 0L3Ri9C1INCw0LTQvNC40L3QuNGB0YLRgNCw0YLQvtGA0YssT1U9SVQsT1U9RGVwYXJ0bWVudHMsR
 EM9a2xpbixEQz1raWZhdG8tbWssREM9Y29t
memberOf: GUID=ffd72e00-9c15-4b46-bcce-f232c7a772b4;SID=S-1-5-21-98486140-9
 2642785-846719952-63819;CN=Plant B,OU=Locations,OU=Organizational,DC=klin,DC
 =kifato-mk,DC=com
msDS-KeyVersionNumber: 3



ldb: ldb_trace_response: DONE
error: 0

ldb: ldb_trace_request: SEARCH
 dn: DC=klin,DC=kifato-mk,DC=com
 scope: base
 expr: (|(objectClass=*)(distinguishedName=*))
 attr: maxPwdAge
 control: NONE

ldb: ldb_trace_request: (resolve_oids)-search
ldb: ldb_trace_next_request: (rootdse)-search
ldb: ldb_trace_next_request: (schema_load)-search
ldb: ldb_trace_next_request: (lazy_commit)-search
ldb: ldb_trace_next_request: (dirsync)-search
ldb: ldb_trace_next_request: (paged_results)-search
ldb: ldb_trace_next_request: (ranged_results)-search
ldb: ldb_trace_next_request: (anr)-search
ldb: ldb_trace_next_request: (server_sort)-search
ldb: ldb_trace_next_request: (asq)-search
ldb: ldb_trace_next_request: (extended_dn_in)-search
ldb: ldb_trace_next_request: (descriptor)-search
ldb: ldb_trace_next_request: (acl)-search
ldb: ldb_trace_next_request: (aclread)-search
ldb: ldb_trace_next_request: (operational)-search
ldb: ldb_trace_next_request: (rdn_name)-search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)-search
ldb: ldb_trace_next_request: (show_deleted)-search
ldb: ldb_trace_next_request: (partition)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: ldb_trace_next_request: (aclread)-search
ldb: ldb_trace_next_request: (operational)-search
ldb: ldb_trace_next_request: (rdn_name)-search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)-search
ldb: ldb_trace_next_request: (show_deleted)-search
ldb: ldb_trace_next_request: (partition)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: ldb_trace_response: ENTRY
dn: DC=klin,DC=kifato-mk,DC=com
maxPwdAge: -9223372036854775808



ldb: ldb_trace_response: DONE
error: 0

gendb_search_v: DC=klin,DC=kifato-mk,DC=com NULL - 1
ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103)
[] 00 00 00 00 62 00 00 00   00 00 00 00 20 00 20 00   b...  . .
[0010] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00. . . .  . . . .
[0020] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00. . . .  . . . .
[0030] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00. . . .  . . . .
[0040] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00. . . .  . . . .
[0050] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00. . . .  . . . .
[0060] 20 00 20 00 20 00 20 00   20 00 20 00 50 00 00  . . . .  . .P..
Kerberos: UNKNOWN -- techgr...@klin.kifato-mk.com: no such entry found in hdb

What's wrong with them?
-- 
Best regards,
Dmitry Khromov

Re: [Samba] Samba4 KDC - no such entry found in hdb

2012-10-01 Thread Dmitry Khromov
On Mon, 1 Oct 2012 10:43:59 +0400
Dmitry Khromov icechr...@gmail.com wrote:

 Samba 4.1.0pre1-GIT-aad669b, joined as a DC to an existing domain. At least 6 
 accounts behave like this:
 Kerberos: AS-REQ techgr...@klin.kifato-mk.com from ipv4:192.168.1.31:33822 
 for krbtgt/klin.kifato-mk@klin.kifato-mk.com
...
 Kerberos: UNKNOWN -- techgr...@klin.kifato-mk.com: no such entry found in hdb

This disappears once you reset the password on Windows DC, however not on Samba 
DC:
$ bin/samba-tool user setpassword dummyuser --newpassword=password 
--URL=ldap://sambadc -U someadminuser%someadminpassword # We hadn't reset 
password on Windows DC yet
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
ERROR: Failed to set password for user 'dummyuser': (1, 'LDAP error 1 
LDAP_OPERATION
S_ERROR -  2020: setup_supplemental_field: failed to pull old 
supplementalCr
edentialsBlob: NT_STATUS_BUFFER_TOO_SMALL ')
  File /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/user.py, 
lin
e 547, in run
username=username)
  File /usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py, line 
459,
 in setpassword
self.modify_ldif(setpw)
  File /usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py, line 
2
35, in modify_ldif
self.modify(msg, controls)

Resetting password on Windows DC enables samba-tool to reset password for this 
account on Samba DC, too.
Somewhat broken DB on Windows? Any suggestions on how to fix such accounts in 
order to be able to reset passwords when Windows DC will be demoted?

--
Regards,
Dmitry Khromov


Re: [Samba] BIND-DLZ refuses to update

2012-09-29 Thread Dmitry Khromov
: ldb_trace_next_request: (rootdse)-search
ldb: ldb_trace_next_request: (schema_load)-search
ldb: ldb_trace_next_request: (lazy_commit)-search
ldb: ldb_trace_next_request: (dirsync)-search
ldb: ldb_trace_next_request: (paged_results)-search
ldb: ldb_trace_next_request: (ranged_results)-search
ldb: ldb_trace_next_request: (anr)-search
ldb: ldb_trace_next_request: (server_sort)-search
ldb: ldb_trace_next_request: (asq)-search
ldb: ldb_trace_next_request: (extended_dn_in)-search
ldb: ldb_trace_next_request: (descriptor)-search
ldb: ldb_trace_next_request: (acl)-search
ldb: ldb_trace_next_request: (aclread)-search
ldb: ldb_trace_next_request: (operational)-search
ldb: ldb_trace_next_request: (rdn_name)-search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)-search
ldb: ldb_trace_next_request: (show_deleted)-search
ldb: ldb_trace_next_request: (partition)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: ldb_trace_next_request: (aclread)-search
ldb: ldb_trace_next_request: (operational)-search
ldb: ldb_trace_next_request: (rdn_name)-search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)-search
ldb: ldb_trace_next_request: (show_deleted)-search
ldb: ldb_trace_next_request: (partition)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: ldb_trace_next_request: (show_deleted)-search
ldb: ldb_trace_next_request: (partition)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (schema_data)-search
ldb: ldb_trace_next_request: (tdb)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: ldb_trace_response: ENTRY
dn: CN=MK_KLIN,CN=Partitions,CN=Configuration,DC=klin,DC=kifato-mk,DC=com
nCName: DC=klin,DC=kifato-mk,DC=com
dnsRoot: klin.kifato-mk.com

ldb: ldb_trace_response: DONE
error: 0

ldb: ldb_trace_request: SEARCH
 dn: DC=klin,DC=kifato-mk,DC=com
 scope: sub
 expr: (&(objectClass=user)(samAccountName=named))
 control: NONE

ldb: ldb_trace_request: (resolve_oids)-search
ldb: ldb_trace_next_request: (rootdse)-search
ldb: ldb_trace_next_request: (schema_load)-search
ldb: ldb_trace_next_request: (lazy_commit)-search
ldb: ldb_trace_next_request: (dirsync)-search
ldb: ldb_trace_next_request: (paged_results)-search
ldb: ldb_trace_next_request: (ranged_results)-search
ldb: ldb_trace_next_request: (anr)-search
ldb: ldb_trace_next_request: (server_sort)-search
ldb: ldb_trace_next_request: (asq)-search
ldb: ldb_trace_next_request: (extended_dn_in)-search
ldb: ldb_trace_next_request: (descriptor)-search
ldb: ldb_trace_next_request: (acl)-search
ldb: ldb_trace_next_request: (aclread)-search
ldb: ldb_trace_next_request: (operational)-search
ldb: ldb_trace_next_request: (rdn_name)-search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)-search
ldb: ldb_trace_next_request: (show_deleted)-search
ldb: ldb_trace_next_request: (partition)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: ldb_trace_next_request: (aclread)-search
ldb: ldb_trace_next_request: (operational)-search
ldb: ldb_trace_next_request: (rdn_name)-search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)-search
ldb: ldb_trace_next_request: (show_deleted)-search
ldb: ldb_trace_next_request: (partition)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: ldb_trace_response: REFERRAL
ref: ldap://klin.kifato-mk.com/CN=Configuration,DC=klin,DC=kifato-mk,DC=com

ldb: ldb_trace_response: REFERRAL
ref: ldap://klin.kifato-mk.com/DC=DomainDnsZones,DC=klin,DC=kifato-mk,DC=com

ldb: ldb_trace_response: REFERRAL
ref: ldap://klin.kifato-mk.com/DC=ForestDnsZones,DC=klin,DC=kifato-mk,DC=com

ldb: ldb_trace_response: DONE
error: 0

Kerberos: UNKNOWN -- na...@klin.kifato-mk.com: no such entry found in hdb
/usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is 
unacceptable 

-- 
Best regards,
Dmitry Khromov


[Samba] Samba4 LDAP returns wrong responses in some cases, BIND-DLZ refuses to update

2012-09-28 Thread Dmitry Khromov
Hello.

We have a couple of questions regarding Samba 4.1.0pre1-GIT-aad669b running on 
Gentoo GNU/Linux

1) Is MS 1.2.840.113556.1.4.1941 operator support implemented (planned to be 
implemented) in Samba 4 internal LDAP server? Please compare:

$ ldapsearch -h 192.168.1.32 -x -D 
'CN=someadminuser,OU=Administrators,DC=klin,DC=kifato-mk,DC=com' -b 
'OU=VLANs,OU=Organizational,DC=klin,DC=kifato-mk,DC=com' -W 
'(&(info=*)(member:1.2.840.113556.1.4.1941:=CN=dummyuser,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com))'
 | tail -n2 # Windows 2003 R2 DC
Enter LDAP Password: 
# numResponses: 2
# numEntries: 1
$ ldapsearch -h 192.168.1.31 -x -D 
'CN=someadminuser,OU=Administrators,DC=klin,DC=kifato-mk,DC=com' -b 
'OU=VLANs,OU=Organizational,DC=klin,DC=kifato-mk,DC=com' -W 
'(&(info=*)(member:1.2.840.113556.1.4.1941:=CN=dummyuser,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com))'
 | tail -n2 # Samba DC
Enter LDAP Password: 

# numResponses: 1

The first command returns the correct membership check result. The second just 
silently returns nothing. Although not that widely used, this operator is quite 
useful in some cases, when you just can't implement any loop-based logic. For 
example, for us it breaks IEEE 802.1X VLAN assignment with FreeRADIUS.

Replication is working and this account's membership is correct on both DCs.

2) We have a problem with Samba refusing to update DNS records with Gentoo's 
BIND 9.9.1_p3 (GSSAPI, DLZ)
BIND log says:
...
named[12365]: samba_dlz: configured writeable zone 'klin.kifato-mk.com'
named[12365]: samba_dlz: configured writeable zone '172.in-addr.arpa'
...
named[12365]: samba b9_putrr: unhandled record type 65281
named[12365]: samba_dlz: starting transaction on zone klin.kifato-mk.com
named[12365]: client 192.168.1.32#1039: view realdns: update 'klin.kifato-mk.com/IN' denied
named[12365]: samba_dlz: cancelling transaction on zone klin.kifato-mk.com
log.samba says:
../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable

Related parts of named.conf (string values quoted as named.conf requires):
options {
 ...
 tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
 ...
};
view "realdns" {
 ...
 dlz "AD DNS Zones" {
  database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
 };
 ...
};

Keytab is accessible by named process effective UID. Use of BIND's views 
doesn't affect behaviour.
Maybe this is totally wrong, but we had to delete ..trustanchors zone, since 
BIND refuses to start with it. By the way, this renders DNS unmanageable:
# bin/samba-tool dns zonelist dc0 
Password for [someadminu...@klin.kifato-mk.com]:
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')

Any suggestions on getting updates to work?

-- 
Best regards,
Dmitry Khromov
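What the 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) match in the filter above actually computes, as an added example that is not part of the thread: it walks nested 'member' links client-side, which is the loop-based fallback the message says a filter alone cannot express, and it builds the filter with the assertion value escaped. The directory is a constructed in-memory dict; the DNs follow the thread's naming, but the group graph, the VLAN99 group and the info values are invented.

```python
"""Client-side equivalent of the LDAP_MATCHING_RULE_IN_CHAIN extensible match
(OID 1.2.840.113556.1.4.1941) used in the thread's ldapsearch filter.

Added example, not code from the thread.  SAMPLE_DIRECTORY is a constructed
stand-in for LDAP search results: DN -> attributes we need.
"""
from typing import Dict, List, Set

SAMPLE_DIRECTORY: Dict[str, dict] = {
    "CN=VLAN10,OU=VLANs,OU=Organizational,DC=klin,DC=kifato-mk,DC=com": {
        "info": "Tunnel-Private-Group-Id=10",  # constructed RADIUS hint
        "member": ["CN=IT Staff,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com"],
    },
    "CN=VLAN20,OU=VLANs,OU=Organizational,DC=klin,DC=kifato-mk,DC=com": {
        "info": "Tunnel-Private-Group-Id=20",
        "member": ["CN=Sales,OU=Departments,DC=klin,DC=kifato-mk,DC=com"],
    },
    # Invented group without 'info': the (info=*) clause must drop it even though
    # the user is a direct member.
    "CN=VLAN99,OU=VLANs,OU=Organizational,DC=klin,DC=kifato-mk,DC=com": {
        "member": ["CN=dummyuser,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com"],
    },
    "CN=IT Staff,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com": {
        "member": [
            "CN=Helpdesk,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com",
            # deliberate cycle: a naive recursive walk would never terminate
            "CN=VLAN10,OU=VLANs,OU=Organizational,DC=klin,DC=kifato-mk,DC=com",
        ],
    },
    "CN=Helpdesk,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com": {
        "member": ["CN=dummyuser,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com"],
    },
    "CN=Sales,OU=Departments,DC=klin,DC=kifato-mk,DC=com": {"member": []},
    "CN=dummyuser,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com": {},
}


def ldap_filter_escape(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def chain_filter(user_dn: str) -> str:
    """The filter from the thread, with the user DN escaped."""
    return "(&(info=*)(member:1.2.840.113556.1.4.1941:=%s))" % ldap_filter_escape(user_dn)


def reachable_members(directory: Dict[str, dict], group_dn: str) -> Set[str]:
    """Every DN reachable from group_dn through nested 'member' links.

    Iterative with a visited set, so cyclic group nesting terminates.
    """
    seen: Set[str] = set()
    stack = [group_dn]
    while stack:
        current = stack.pop()
        for member in directory.get(current, {}).get("member", []):
            if member not in seen:
                seen.add(member)
                stack.append(member)
    return seen


def in_subtree(dn: str, base_dn: str) -> bool:
    """Case-insensitive suffix test; sufficient for these well-formed DNs."""
    a, b = dn.lower(), base_dn.lower()
    return a == b or a.endswith("," + b)


def chain_search(directory: Dict[str, dict], base_dn: str, user_dn: str) -> List[str]:
    """Emulate: ldapsearch -b base_dn '(&(info=*)(member:1.2.840.113556.1.4.1941:=user_dn))'."""
    return sorted(
        dn
        for dn, attrs in directory.items()
        if in_subtree(dn, base_dn)
        and "info" in attrs
        and user_dn in reachable_members(directory, dn)
    )


if __name__ == "__main__":
    user = "CN=dummyuser,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com"
    base = "OU=VLANs,OU=Organizational,DC=klin,DC=kifato-mk,DC=com"
    print(chain_filter(user))
    for dn in chain_search(SAMPLE_DIRECTORY, base, user):
        print(dn, "->", SAMPLE_DIRECTORY[dn]["info"])
```

Against the constructed data the search returns exactly one entry (VLAN10, reached through IT Staff and Helpdesk), which mirrors the "numEntries: 1" the Windows DC reports; VLAN20 is not reached and VLAN99 is dropped by (info=*).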
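A check for the tkey-gssapi-keytab side of the setup above, added here and not taken from the thread, Samba or BIND: it parses a version-2 keytab, confirms the DC's DNS service principal is present, and confirms the file is not world-accessible (named needs a usable key for that principal to accept the GSS-TSIG TKEY negotiation, and nobody else should be able to read it). The principal DNS/dc0.klin.kifato-mk.com@KLIN.KIFATO-MK.COM, the kvno, the enctypes and the key bytes are assumptions or constructed dummies; build_keytab exists only to create test input in the real file format.

```python
"""Verify the keytab that named's tkey-gssapi-keytab points at.

Added example, not Samba or BIND code.  Principal, kvno, enctypes and key
bytes are assumed/constructed; build_keytab() only produces test input in
the version-0x0502 keytab format.
"""
import os
import stat
import struct
import tempfile
from typing import List, NamedTuple, Tuple

# Assumed: the DNS service principal Samba keeps for the DC called dc0.
DNS_PRINCIPAL = "DNS/dc0.klin.kifato-mk.com@KLIN.KIFATO-MK.COM"

# Constructed entries: (principal, kvno, enctype, key).  18 = aes256-cts, 23 =
# rc4-hmac.  The key bytes are dummies, not real key material.
SAMPLE_ENTRIES = [
    (DNS_PRINCIPAL, 3, 18, b"\x11" * 32),
    (DNS_PRINCIPAL, 3, 23, b"\x22" * 16),
]


class KeytabEntry(NamedTuple):
    principal: str
    kvno: int
    enctype: int


def build_keytab(entries, timestamp: int = 0) -> bytes:
    """Serialize entries as a version-2 keytab (used here only to make test files)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:                    # counted octet strings
            raw = s.encode("utf-8")
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # NT_PRINCIPAL, time, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)              # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _counted(data: bytes, pos: int) -> Tuple[str, int]:
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    pos += 2
    return data[pos:pos + n].decode("utf-8"), pos + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Read principal/kvno/enctype of each entry; key bytes are skipped, not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only version-2 (0x0502) keytabs are handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                 # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        pos += 8                      # name_type (uint32) + timestamp (uint32)
        kvno = data[pos]              # 8-bit vno
        pos += 1
        enctype, keylen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4 + keylen             # skip the key itself
        if end - pos >= 4:            # optional 32-bit vno wins when non-zero
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def check_keytab_file(path: str, expected_principal: str) -> List[str]:
    """Return problem codes; an empty list means the keytab looks usable by named."""
    problems = []
    if os.stat(path).st_mode & stat.S_IRWXO:
        problems.append("world-accessible")        # keys must not be readable by all
    if not os.access(path, os.R_OK):
        problems.append("not-readable-by-current-uid")
        return problems
    with open(path, "rb") as fh:
        entries = parse_keytab(fh.read())
    if not any(e.principal == expected_principal for e in entries):
        problems.append("missing-principal")
    return problems


def selftest():
    """Write the constructed keytab to a temp dir and run the check three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dns.keytab")
        with open(path, "wb") as fh:
            fh.write(build_keytab(SAMPLE_ENTRIES))
        os.chmod(path, 0o640)                      # owner rw, group (named) r
        good = check_keytab_file(path, DNS_PRINCIPAL)
        os.chmod(path, 0o644)                      # too loose
        loose = check_keytab_file(path, DNS_PRINCIPAL)
        wrong = check_keytab_file(path, "DNS/other.example@KLIN.KIFATO-MK.COM")
    return good, loose, wrong
```

On a real DC you would call check_keytab_file("/usr/local/samba/private/dns.keytab", DNS_PRINCIPAL) as the user named runs as; a non-empty result explains an "update denied" before looking further into BIND.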


[Samba] DRS replication fails with Windows 2003 R2

2012-09-27 Thread Dmitry Khromov
In continuation to 
https://lists.samba.org/archive/samba-technical/2012-September/087072.html

Hello.

 [2012/09/27 14:48:08,  0] ../source4/librpc/rpc/dcerpc_util.c:660(dcerpc_pipe_auth_recv)
   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp:6c01aaa6-6374-409d-a7e9-4010964e2dca._msdcs.klin.kifato-mk.com[1026,seal,krb5] NT_STATUS_UNSUCCESSFUL
 [2012/09/27 14:48:08,  0] ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
   ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID allocation - WERR_GENERAL_FAILURE - extended_ret[0x0]

I had the same symptoms (on first replication after domain join) with the 
'master' branch too. 
I'm still unsure what causes this (Windows Event Log doesn't reveal any 
errors). But, since partitions had been copied during domain join, I would like 
to try taking the Windows DC down, seizing FSMO roles on the Samba DC and joining 
another Samba DC using the name the Windows DC had. However, we have some GPOs in 
the Sysvol (and the Sysvol isn't going to replicate). So, my questions are: is it 
possible to manually replicate Sysvol, or should I just restore GPOs from 
backups after taking the Windows DC down? Will such an approach introduce any AD 
inconsistency/functionality problems?

Thanks in advance.
-- 
Best regards,
Dmitry Khromov


[Samba] DRS replication fails with Windows 2003 R2

2012-09-27 Thread Dmitry Khromov
))

It fails. So, we've done repadmin /kcc on Windows DC to make it know about 
Samba.
dc0 samba # bin/samba-tool drs showrepl
Default-First-Site-Name\DC0
DSA Options: 0x0001
DSA object GUID: b4a1f1f7-a83b-4bad-9ab2-08b7c6c13fab
DSA invocationId: 381783a5-e86d-47f0-b820-e2c3fbb50cac

 INBOUND NEIGHBORS 

DC=klin,DC=kifato-mk,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
Last attempt @ Tue Sep 25 20:27:59 2012 MSK failed, result 121 
(WERR_SEM_TIMEOUT)
5 consecutive failure(s).
Last success @ NTTIME(0)

DC=ForestDnsZones,DC=klin,DC=kifato-mk,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
Last attempt @ Tue Sep 25 20:24:52 2012 MSK failed, result 31 
(WERR_GENERAL_FAILURE)
3 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=klin,DC=kifato-mk,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
Last attempt @ Tue Sep 25 20:24:53 2012 MSK failed, result 31 
(WERR_GENERAL_FAILURE)
4 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=klin,DC=kifato-mk,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
Last attempt @ Tue Sep 25 20:24:53 2012 MSK failed, result 31 
(WERR_GENERAL_FAILURE)
3 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=klin,DC=kifato-mk,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
Last attempt @ Tue Sep 25 20:24:53 2012 MSK failed, result 31 
(WERR_GENERAL_FAILURE)
3 consecutive failure(s).
Last success @ NTTIME(0)

 OUTBOUND NEIGHBORS 

DC=klin,DC=kifato-mk,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
Last attempt @ Tue Sep 25 20:28:00 2012 MSK failed, result 31 
(WERR_GENERAL_FAILURE)
1 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=klin,DC=kifato-mk,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
Last attempt @ Tue Sep 25 20:26:45 2012 MSK failed, result 31 
(WERR_GENERAL_FAILURE)
2 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=klin,DC=kifato-mk,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
Last attempt @ Tue Sep 25 20:27:59 2012 MSK failed, result 121 
(WERR_SEM_TIMEOUT)
1 consecutive failure(s).
Last success @ NTTIME(0)

 KCC CONNECTION OBJECTS 

Connection --
Connection name: 4740dbe8-cbb3-4717-9ceb-a6480f30e91b
Enabled: TRUE
Server DNS name : dc1.klin.kifato-mk.com
Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=klin,DC=kifato-mk,DC=com
TransportType: RPC
options: 0x0001
Warning: No NC replicated for Connection!

So, the replication fails.
Log has the same lines as drs kcc above:
dc0 samba # grep 'Failed to bind' /tmp/smb_debug.log | uniq
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp:6c01aaa6-6374-409d-a7e9-4010964e2dca._msdcs.klin.kifato-mk.com[1026,seal,krb5] NT_STATUS_UNSUCCESSFUL
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp:6c01aaa6-6374-409d-a7e9-4010964e2dca._msdcs.klin.kifato-mk.com[1026,seal,krb5] NT_STATUS_IO_TIMEOUT
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp:6c01aaa6-6374-409d-a7e9-4010964e2dca._msdcs.klin.kifato-mk.com[1026,seal,krb5] NT_STATUS_UNSUCCESSFUL

Any suggestions?

smb_debug.log.xz is attached (sorry for xz, but it's somewhat long).
-- 
Best regards,
Dmitry Khromov
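Added example, not from the thread and not samba-tool code: a parser for `samba-tool drs showrepl` output that turns each neighbor into a record and flags links that have never replicated (Last success @ NTTIME(0)) or are currently failing, so a state like the one shown above can be monitored instead of read by eye. SAMPLE_SHOWREPL is constructed to mirror the output format above; the DC2 neighbor and its all-zero GUID are invented to show a healthy entry, and the wrapped "(WERR_GENERAL_FAILURE)" line reproduces the mail's line-wrapping so the parser copes with it.

```python
"""Parse 'samba-tool drs showrepl' output and flag unhealthy replication links.

Added example, not samba-tool code.  SAMPLE_SHOWREPL is a constructed transcript
modelled on the thread's output; the DC2 neighbor is invented.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\DC0
DSA Options: 0x00000001
DSA object GUID: b4a1f1f7-a83b-4bad-9ab2-08b7c6c13fab
DSA invocationId: 381783a5-e86d-47f0-b820-e2c3fbb50cac

==== INBOUND NEIGHBORS ====

DC=klin,DC=kifato-mk,DC=com
    Default-First-Site-Name\\DC1 via RPC
        DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
        Last attempt @ Tue Sep 25 20:27:59 2012 MSK failed, result 121 (WERR_SEM_TIMEOUT)
        5 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=klin,DC=kifato-mk,DC=com
    Default-First-Site-Name\\DC1 via RPC
        DSA object GUID: 6c01aaa6-6374-409d-a7e9-4010964e2dca
        Last attempt @ Tue Sep 25 20:24:53 2012 MSK failed, result 31
(WERR_GENERAL_FAILURE)
        3 consecutive failure(s).
        Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=klin,DC=kifato-mk,DC=com
    Default-First-Site-Name\\DC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ Tue Sep 25 20:29:10 2012 MSK was successful
        0 consecutive failure(s).
        Last success @ Tue Sep 25 20:29:10 2012 MSK

==== KCC CONNECTION OBJECTS ====
"""


@dataclass
class Neighbor:
    direction: str                     # "inbound" or "outbound"
    partition: Optional[str]           # naming context DN
    peer: str                          # e.g. Default-First-Site-Name\DC1
    dsa_guid: str = ""
    result_code: Optional[int] = None  # Win32 error of the last attempt, 0 = OK
    result_name: Optional[str] = None  # WERR_* symbol when printed
    consecutive_failures: int = 0
    ever_succeeded: bool = False       # False while "Last success @ NTTIME(0)"


_VIA = re.compile(r"^(.+) via (RPC|SMTP)$")
_GUID = re.compile(r"^DSA object GUID: (\S+)$")
_FAILED = re.compile(r"^Last attempt @ .+ failed, result (\d+)(?:\s*\((\w+)\))?$")
_WRAPPED = re.compile(r"^\((\w+)\)$")          # "(WERR_...)" pushed onto its own line
_OK = re.compile(r"^Last attempt @ .+ was successful$")
_COUNT = re.compile(r"^(\d+) consecutive failure")
_LAST = re.compile(r"^Last success @ (.+)$")


def parse_showrepl(text: str) -> List[Neighbor]:
    neighbors: List[Neighbor] = []
    direction: Optional[str] = None
    partition: Optional[str] = None
    cur: Optional[Neighbor] = None
    for raw in text.splitlines():
        line = raw.strip()             # indentation is not relied upon
        if not line:
            continue
        if "INBOUND NEIGHBORS" in line:
            direction = "inbound"
            continue
        if "OUTBOUND NEIGHBORS" in line:
            direction = "outbound"
            continue
        if "KCC CONNECTION OBJECTS" in line:
            direction = None
            continue
        if direction is None:          # DSA header and KCC sections carry no neighbors
            continue
        m = _VIA.match(line)
        if m:
            cur = Neighbor(direction, partition, m.group(1))
            neighbors.append(cur)
            continue
        if line.startswith(("DC=", "CN=")):
            partition = line
            continue
        if cur is None:
            continue
        m = _GUID.match(line)
        if m:
            cur.dsa_guid = m.group(1)
            continue
        m = _FAILED.match(line)
        if m:
            cur.result_code, cur.result_name = int(m.group(1)), m.group(2)
            continue
        m = _WRAPPED.match(line)
        if m and cur.result_code and cur.result_name is None:
            cur.result_name = m.group(1)
            continue
        if _OK.match(line):
            cur.result_code = 0
            continue
        m = _COUNT.match(line)
        if m:
            cur.consecutive_failures = int(m.group(1))
            continue
        m = _LAST.match(line)
        if m:
            cur.ever_succeeded = m.group(1) != "NTTIME(0)"
    return neighbors


def unhealthy(neighbors: List[Neighbor]) -> List[Neighbor]:
    """Never-replicated or currently failing links: what an alert should fire on."""
    return [n for n in neighbors if not n.ever_succeeded or n.consecutive_failures > 0]


def failure_summary(neighbors: List[Neighbor]) -> Dict[str, int]:
    """Failing links per WERR_* symbol (unnamed codes are keyed by their number)."""
    counts: Dict[str, int] = {}
    for n in neighbors:
        if n.result_code:
            key = n.result_name or str(n.result_code)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_showrepl(SAMPLE_SHOWREPL)
    for n in unhealthy(found):
        print(n.direction, n.partition, n.peer, n.result_name, n.consecutive_failures)
    print(failure_summary(found))
```

Run it against the live output (`samba-tool drs showrepl | python3 this_script.py` with a small stdin wrapper) from cron and alert on a non-empty unhealthy() list; a partition that never reaches a first success, as every one above, is a different condition from a link that used to work and should be reported as such.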

[Samba] Problems with W2K8R2 - S4 replication

2010-05-23 Thread Dmitry Khromov
:dreplsrv_notify_op_callback()] 
dreplsrv_notify: Failed to send DsReplicaSync to 
63fe4b85-32e6-46d0-9b0f-462ff7372547._msdcs.klin.kifato-mk.com for 
CN=Configuration,DC=klin,DC=kifato-mk,DC=com - NT code 0xc0002105 : 
WERR_DS_DRA_ACCESS_DENIED



and so on.
Such messages flood for (approximately) an hour; however, if I try to 
transfer some operation master roles to Samba, they appear again and 
ntdsutil.exe transfer reports errors.


Issuing bin/net drs showrepl dc0.klin.kifato-mk.com gives me the following:

dc1 samba # bin/net drs showrepl dc0.klin.kifato-mk.com
Error while fetching CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=klin,DC=kifato-mk,DC=com, 
Possible error: LDAP error 1 LDAP_OPERATIONS_ERROR - 04DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0 

return code = -1


repadmin.exe /showrepl on the Windows side reports success.

Some comments regarding the environment:
1) Currently the AD consists of 1 DC - dc0.klin.kifato-mk.com, Windows 
Server 2008 R2 Enterprise
2) dc1.klin.kifato-mk.com (the Samba machine) is paravirtualized Gentoo 
Linux running in Xen.
3) This LDAP directory had been created with Windows Server 2003 R2 
Russian, so it's populated with Russian (probably CP-1251 encoded) 
sAMAccountNames, etc. (e.g. I don't have the Domain administrators 
group - but its Russian equivalent).


I'm interested in Samba4 AD DC functionality, so I'd like to try it out. 
Hope you'll help me.


Best regards,
Dmitry Khromov.