Re: [Samba] Failover

2013-10-14 Thread Sandbox
Hi,

Actually my main problem atm: I can't open the shares from Windows 7
clients (object couldn't be found); \\domain\share and also
\\10.48.16.155\share are working perfectly from Windows XP clients.

Both DCs are running their own DNS server (I am using bind9) and also their
own sysvol and stuffz. Only the data part is controlled by drbd+heartbeat.

Regards, Robert


2013/10/14 Daniel Müller muel...@tropenklinik.de

 By the way! All your DCs should be able to run the 10.48.16.155!?? And all
 your shares are mapped like this : \\10.48.16.155\share!?
 How do you manage the second Controller to take over when the Master DC is
 down? It is important to have the DC slave DNS working.
 With the internal DNS or dlz_bind I did not succeed to manage this. Only
 flat files could do the job for me. So the best thing to do
 is to map like \\your.domain\share. No failover IP is needed.

 Greetings
 Daniel

 ---
 EDV Daniel Müller

 Head of IT
 Tropenklinik Paul-Lechler-Krankenhaus
 Paul-Lechler-Str. 24
 72076 Tübingen

 Tel.: 07071/206-463, Fax: 07071/206-499
 eMail: muel...@tropenklinik.de
 Internet: www.tropenklinik.de
 ---
 -----Original Message-----
 From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
 On behalf of Robert Gurdon
 Sent: Monday, 7 October 2013 16:15
 To: samba@lists.samba.org
 Subject: [Samba] Failover

 Hi guys,


 I have a domain with Samba 4.0.5 domain controllers and also a failover
 DRBD shared disk, where the active DC controls the access to the disk.
 DOMAINC01 - 10.48.16.150
 DOMAINC02 - 10.48.16.151
 DOMAINCHA - 10.48.16.155  this would be the failover IP, which works
 perfectly on Windows XP clients.
 I can see the shares, just like on DOMAINC01 or DOMAINC02, and if the users
 have the proper credentials they can write, open etc.
 But when I try to do the same on a Windows 7 client I simply get an error
 message: "You don't have the proper rights to open the directory".
 I guess it is because the DOMAINCHA virtual controller is not in the AC, but
 shall I add a computer to the AC so my win7 clients could open the
 available shares?

 Thanks,

 Robert
 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba



[Samba] Failover

2013-10-07 Thread Sandbox
Hi guys,


I have a domain with Samba 4.0.5 domain controllers and also a failover
DRBD shared disk, where the active DC controls the access to the disk.
DOMAINC01 - 10.48.16.150
DOMAINC02 - 10.48.16.151
DOMAINCHA - 10.48.16.155  this would be the failover IP, which works
perfectly on Windows XP clients.
I can see the shares, just like on DOMAINC01 or DOMAINC02, and if the users
have the proper credentials they can write, open etc.
But when I try to do the same on a Windows 7 client I simply get an error
message: "You don't have the proper rights to open the directory".
I guess it is because the DOMAINCHA virtual controller is not in the AC, but
shall I add a computer to the AC so my win7 clients could open the
available shares?

Thanks,

Robert


[Samba] Upgrade

2013-08-09 Thread Sandbox
Hi Guys,

Well, I made a bad decision and installed Samba4 from the Zentyal repo. I would
like to upgrade it; is it enough to back up all files from the %installation
folder%/private directory and then copy them into the newly installed version's
private folder?

Thanks, Robert


[Samba] Local login

2013-07-20 Thread Sandbox
Hi,

I tested my failover yesterday and a strange problem came up.
While my dc01 was down I could not log in on dc02 with any of my local
accounts.
After dc01 was online again, login was OK.

My nsswitch.conf is a regular file:

passwd: compat winbind
group:  compat winbind
shadow: compat

As I read about nsswitch, with this config it should try to authenticate
the user from the local files (passwd, group etc.) and, if that search doesn't
succeed, go on to search in winbind.
It looks like it can't find the users in the local files and tries to search in
winbind, but that doesn't have the local accounts' information either.

Shall I change compat to files? Since I don't use +- for NIS database in
passwd and group files.

-- 
Kind regards:

Robert


[Samba] failover shares

2013-07-18 Thread Sandbox
Hi,


I have a failover configuration.

The domain controller's IP: 10.23.14.150 as dc01
The failover IP is: 10.23.14.155 as dcha

I added an A and a CNAME record to the DNS for the failover IP.


It is working, I can see the shares, but I could not enter any share as
a user; as Administrator it works.
I tried to add the interface variable (I am not sure this is available in
Samba4), but that didn't help.

Thanks, Robert


[Samba] Shares on failover IP

2013-07-18 Thread Sandbox
Hi,


I have a failover configuration.

The domain controller's IP: 10.23.14.150 as dc01
The failover IP is: 10.23.14.155 as dcha

I added an A and a CNAME record to the DNS for the failover IP.


It is working, I can see the shares, but I could not enter any share as
a user; as Administrator it works.
I tried to add the interface variable (I am not sure this is available in
Samba4), but that didn't help.

Thanks, Robert


[Samba] Sync - sysvol and getfacl

2013-07-10 Thread Sandbox
Hi,

I'm using Samba 4.0.5 and when I use ls -la or getfacl on e.g. the
sysvol/Policies directory, Samba dies with this error message:

== samba/samba.log ==
[2013/07/10 07:49:30,  0] ../lib/util/fault.c:72(fault_report)
  ===
[2013/07/10 07:49:30,  0] ../lib/util/fault.c:73(fault_report)
  INTERNAL ERROR: Signal 11 in pid 3222 (4.0.5)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2013/07/10 07:49:30,  0] ../lib/util/fault.c:75(fault_report)
  ===

but the command gave this info:

# file: Policies/
# owner: root
# group: 300
user::rwx
user:root:rwx
group::rwx
group:300:rwx
group:301:r-x
group:302:rwx
group:303:r-x
group:304:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:300:rwx
default:group:301:r-x
default:group:302:rwx
default:group:303:r-x
default:group:304:rwx
default:mask::rwx
default:other::---


It is interesting because I don't have groups with those IDs
(according to getent group and wbinfo -g) except 304, which is Group
Policy Creator Owners.
I suppose the other four groups are (checked from the Windows side):
Administrators, Server Operators, SYSTEM and Authenticated Users.
Can I do anything with this?

My next question is: sysvol sync.
My PDC's and BDC's user and group IDs are totally different.

Is it possible to set my PDC/BDC IDs equal? As I see it, the BDC can't
do its job while this isn't solved.

Regards, Robert
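
An added example, not part of the original post or of Samba: it parses the getfacl output quoted above and shows what happens to its numeric group entries when the ACLs are carried to a second DC whose ID mapping differs. Only gid 304 is identified in the post; the names assigned to 300-303 and every DC2 value are constructed assumptions.

```python
"""Translate numeric getfacl group entries between two DCs with different ID maps."""
import re

# getfacl output as quoted in the post above.
GETFACL_DC1 = """\
# file: Policies/
# owner: root
# group: 300
user::rwx
user:root:rwx
group::rwx
group:300:rwx
group:301:r-x
group:302:rwx
group:303:r-x
group:304:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:300:rwx
default:group:301:r-x
default:group:302:rwx
default:group:303:r-x
default:group:304:rwx
default:mask::rwx
default:other::---
"""

# Constructed gid -> group name maps (assumptions, see lead-in).
DC1_GIDS = {300: "Administrators", 301: "Server Operators", 302: "SYSTEM",
            303: "Authenticated Users", 304: "Group Policy Creator Owners"}
DC2_GIDS = {3000000: "Administrators", 3000001: "SYSTEM",
            3000002: "Authenticated Users",
            3000005: "Group Policy Creator Owners"}

ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")


def parse_getfacl(text):
    """Return one dict per ACL entry; '# ...' header lines are ignored."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY.match(raw.split("#", 1)[0].strip())
        if match:
            entries.append({"default": bool(match.group(1)),
                            "tag": match.group(2),
                            "qualifier": match.group(3),
                            "perms": match.group(4)})
    return entries


def numeric_groups(entries):
    """Group qualifiers that getfacl printed as bare numbers (no name resolved)."""
    return sorted({int(e["qualifier"]) for e in entries
                   if e["tag"] == "group" and e["qualifier"].isdigit()})


def translate_groups(entries, src_gids, dst_gids):
    """Rewrite numeric group entries for the destination DC.

    Returns (specs, unmapped): specs are entries in getfacl text form with the
    destination gid substituted; unmapped lists source gids that have no
    counterpart on the destination and were therefore left out.
    """
    name_to_dst = {name: gid for gid, name in dst_gids.items()}
    specs, unmapped = [], set()
    for entry in entries:
        qualifier = entry["qualifier"]
        if entry["tag"] == "group" and qualifier.isdigit():
            name = src_gids.get(int(qualifier))
            if name not in name_to_dst:
                unmapped.add(int(qualifier))
                continue
            qualifier = str(name_to_dst[name])
        prefix = "default:" if entry["default"] else ""
        specs.append(f"{prefix}{entry['tag']}:{qualifier}:{entry['perms']}")
    return specs, sorted(unmapped)


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_DC1)
    print("numeric group ids on DC1:", numeric_groups(acl))
    rewritten, missing = translate_groups(acl, DC1_GIDS, DC2_GIDS)
    print("\n".join(rewritten))
    print("# no counterpart on DC2 for gids:", missing)
```

A copy that preserves numeric IDs would keep 300-304 as they are, so on the second DC each entry would grant its permissions to whatever principal happens to own that number there.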


Re: [Samba] getfacl - winbind

2013-05-31 Thread Sandbox
Hi,

Little update.

As I discovered, this problem happens only when you make the user's home
directory from RSAT (profiles - Start directory; I'm not sure this is the
correct name in the RSAT).
When you let the system make the home directories the problem did not come
up!

I made a mkhomedir file in /usr/shares/pam-configs ; ran pam-aut-config
Then su - user and the system creates the user's homedir.
After this you can set the permissions with setfacl and (re)set your
user's start directory.

Regards, Robert


2013/5/30 Sandbox sandbox...@gmail.com

 Hi,

 A nice problem came up.

 If I want to set directory permissions with getfacl or ls -la that
 directory or wbinfo --uid-info
 winbind is dying and I get this error message in samba.log:

 == samba/samba.log ==
 [2013/05/30 15:03:31,  0] ../lib/util/fault.c:72(fault_report)
   ===
 [2013/05/30 15:03:31,  0] ../lib/util/fault.c:73(fault_report)
   INTERNAL ERROR: Signal 11 in pid 3658 (4.0.5)
   Please read the Trouble-Shooting section of the Samba HOWTO
 [2013/05/30 15:03:31,  0] ../lib/util/fault.c:75(fault_report)
   ===
 [2013/05/30 15:03:31,  0] ../lib/util/fault.c:144(smb_panic_default)
   PANIC: internal error

 The weird thing is getfacl working smooth on the directories in the domain
 root eg: TEST.DOMAIN/group01, but winbind?? dies when I want to list any
 subdirectory eg:
 TEST.DOMAIN/group01/user01


 Regards,

 Robert



[Samba] getfacl - winbind

2013-05-30 Thread Sandbox
Hi,

A nice problem came up.

If I want to set directory permissions with getfacl or ls -la that
directory or wbinfo --uid-info
winbind is dying and I get this error message in samba.log:

== samba/samba.log ==
[2013/05/30 15:03:31,  0] ../lib/util/fault.c:72(fault_report)
  ===
[2013/05/30 15:03:31,  0] ../lib/util/fault.c:73(fault_report)
  INTERNAL ERROR: Signal 11 in pid 3658 (4.0.5)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2013/05/30 15:03:31,  0] ../lib/util/fault.c:75(fault_report)
  ===
[2013/05/30 15:03:31,  0] ../lib/util/fault.c:144(smb_panic_default)
  PANIC: internal error

The weird thing is getfacl working smooth on the directories in the domain
root eg: TEST.DOMAIN/group01, but winbind?? dies when I want to list any
subdirectory eg:
TEST.DOMAIN/group01/user01


Regards,

Robert


Re: [Samba] Sysvol replication

2013-05-29 Thread Sandbox

Hi

I am thinking about HA+DRBD: you can mount the partition with acl,
user_xattr settings. I am using this method for shares; this should work
with the sysvol directory too?!


Btw, is it possible to store the PDC's *.tdb files on that kind of
partition, so that when the PDC dies the BDC's HA mounts the
shares/tdb/sysvol partitions and loads the correct smb.conf?
For me it makes sense, since all data is available only for the active
server. Of course you have to back up the tdb files with tdbbackup.


Regards, Robert

On 2013-05-29 09:30, Jim Potter wrote:

Hi,

Sorry about late reply...

I've been banging my head against replication here for a while...

GlusterFS - it seems to have problems with the extended attributes 
specifically on the point where the gluster FS is mounted.


For example: I have a standard debian setup with sysvol in 
/var/lib/samba/ and mount a gluster sysvol partition here (with 
xattrs) I can set attributes within the partition fine, but I can't 
set the attributes on the sysvol folder itself, or they won't inherit 
properly...


I also came unstuck on uidnumbers across DCs (see previous email), but 
I was just getting an error from GPMC saying permissions were all 
wrong (paraphrased!)


My next approach (not tested yet) is to get the mount point out of the 
share, eg:


- mount gluster FS in /srv/glusterMounts/sysvol and in here have a 
directory sysvol which I share as my sysvol share:


[sysvol]
path = /srv/glusterMounts/sysvol/sysvol

How do you do it to get it to work?

cheers

Jim


On 15/04/2013 08:25, Daniel Müller wrote:
For my interest!? What are your issues about gluster not working replicating
sysvol?

Greetings
  Daniel

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-----Original Message-----
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On behalf of Jim Potter
Sent: Sunday, 14 April 2013 22:34
To: samba
Subject: [Samba] Sysvol replication

Hi all,

Has anyone actually got sysvol replication working between 2 (or more)
Samba4 DCs? I've tried gluster, inosync, csync and rsync and keep getting
stuck on issues with the extended attributes.

Is there a roadmap or any clues of a date when MSFRS or DFS replication
will be part of Samba4?

thanks again,

Jim





--
Kind regards:

SandBoX ;)





Re: [Samba] smb.conf sync

2013-05-28 Thread Sandbox
I solved the shared data problem with the heartbeat+drbd combo, so that should
not be a problem. TDB files' data should be synchronized between my domain
members, or am I wrong?

Regards, Robert


2013/5/27 Marc Muehlfeld sa...@marc-muehlfeld.de

 Hello Robert,

 On 27.05.2013 21:37, Sandbox wrote:

 Just a quick question.
 Do I have to synchronise my smb.conf file between my servers?


 No. And it would be a bad idea. Each Samba server has its own
 smb.conf, with its own shares/paths/server name/etc. If you mix
 something there (e.g. twice the same DC name in your network), you may
 confuse everything in your network.


 That was the reason why I thought about this: I set up the DC, and
 joined to the DC with my other Samba. But I asked myself, if the master
 server dies for any reason, how could the member server provide the
 shares if there are only basic smb.conf settings on the member server.


 It's not just done with syncing the smb.conf. If another server should
 take over the job of the failed one, you also would need the whole share
 data on the second host, the server's tdb files, etc. - which brings you to
 the clustering topic.


 Regards,
 Marc



[Samba] smb.conf sync

2013-05-27 Thread Sandbox
Hi,

Just a quick question.
Do I have to synchronise my smb.conf file between my servers?

Thanks, Robert


Re: [Samba] smb.conf sync

2013-05-27 Thread Sandbox


On 2013-05-27 17:07, Marc Muehlfeld wrote:

Hello Robert,

On 27.05.2013 11:15, Sandbox wrote:

Just a quick question.
Do I have to synchronise my smb.conf file between my servers?


No. And it would be a bad idea. Each Samba server has its own
smb.conf, with its own shares/paths/server name/etc. If you mix
something there (e.g. twice the same DC name in your network), you may
confuse everything in your network.


Regards
Marc




Hi Marc,

That was the reason why I thought about this: I set up the DC, and
joined to the DC with my other Samba. But I asked myself, if the master
server dies for any reason, how could the member server provide the
shares if there are only basic smb.conf settings on the member server.


Regards, Robert

--
Kind regards:

SandBoX ;)





Re: [Samba] Domain Join

2013-05-23 Thread Sandbox
Hi

I did the ldapsearch query; the result is:

ldap_bind: Invalid credentials (49)
additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE

Simple nmap result:

22/tcp   open  ssh
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
636/tcp  open  ldapssl
1024/tcp open  kdm
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl


ldapsearch query with debug level 1

ldap_create
ldap_url_parse_ext(ldap://domainc01.test.domain.lan)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP domainc01.test.domain.lan:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.48.16.150:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 63 bytes to sd 3
ldap_result ld 0x7f99785fd490 msgid 1
wait4msg ld 0x7f99785fd490 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f99785fd490 msgid 1 all 1
** ld 0x7f99785fd490 Connections:
* host: domainc01.test.domain.lan  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu May 23 07:58:13 2013


** ld 0x7f99785fd490 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f99785fd490 request count 1 (abandoned 0)
** ld 0x7f99785fd490 Response Queue:
   Empty
  ld 0x7f99785fd490 response count 0
ldap_chkResponseList ld 0x7f99785fd490 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f99785fd490 NULL
ldap_int_select
read1msg: ld 0x7f99785fd490 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 55 contents:
read1msg: ld 0x7f99785fd490 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7f99785fd490 0 new referrals
read1msg:  mark request completed, ld 0x7f99785fd490 msgid 1
request done: ld 0x7f99785fd490 msgid 1
res_errno: 49, res_error: Simple Bind Failed: NT_STATUS_LOGON_FAILURE,
res_matched: 
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)
additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed


As I see it, the member server could connect to the existing samba server and
there is a password problem.
It is weird cos I double checked the password and it should be correct :/

Cheers,
Robert




2013/5/22 Marc Muehlfeld sa...@marc-muehlfeld.de

 Hello Robert,

 On 22.05.2013 15:56, Sandbox wrote:

 Finding a writeable DC for domain 'test.domain.lan'
 Found DC domainc01.test.domain.lan
 Password for [WORKGROUP\Administrator]:
 Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -
 SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE
 Failed to connect to 'ldap://domainc01.test.domain.lan' with backend
 'ldap': (null)
 ...



 Just some thoughts on that:

 * Do you have any special characters in your password? E.g. German
 umlauts are making trouble here if set on Windows and when the password is
 validated from Unix services against AD.



 * Can you do a ldapsearch from the new machine in the existing directory
 or is the access there also denied?

 # ldapsearch -h domainc01.test.domain.lan -b dc=test,dc=domain,dc=lan -LLL
 -D cn=Administrator,. -W



 * Kerberos settings are all fine and you can get a ticket?

 https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain


 Regards,
 Marc



Re: [Samba] Domain Join

2013-05-23 Thread Sandbox
Hi,

ldapsearch is working perfectly, I accidentally forgot the cn=user
before the dn= settings :/

Robert




Re: [Samba] Domain Join

2013-05-23 Thread Sandbox
Hi Folks,


A little update :)

I successfully joined the domain with this command:

samba-tool domain join test.domain.lan DC -UAdministrator
--realm=domainc01.test.domain.lan --dns-backend=BIND9_DLZ

For some reason I had to write the master's FQDN into the --realm
section.

Btw, it's weird now: when I try to run the kinit administrator command on
the slave server I've got the

kinit: krb5_get_init_creds: Clock skew too great error.

It's weird because I ran ntpdate sync on both machines :)

Cheers,

Robert







[Samba] Domain Join

2013-05-22 Thread Sandbox
Hello,


I would like to join my samba4 to my existing samba4 DC.
The existing samba4 is a fresh, default install, every test worked fine,
provisioned like this:
samba-tool domain provision --realm=test.domain.lan --domain=test.domain
--host-ip=10.48.16.150 --adminpass='password' --dns-backend=BIND9_DLZ
--ldapadminpass='password' --server-role=dc --use-xattrs=yes --use-rfc2307
--function-level=2008_R2

When I run:  samba-tool domain join test.domain.lan DC -UAdministrator
--realm=test.domain.lan --dns-backend=BIND9_DLZ

I got this error message when I wrote the correct LDAP password; if I wrote
the incorrect password it just keeps asking for the password.

Finding a writeable DC for domain 'test.domain.lan'
Found DC domainc01.test.domain.lan
Password for [WORKGROUP\Administrator]:
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -
SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE 
Failed to connect to 'ldap://domainc01.test.domain.lan' with backend
'ldap': (null)
ERROR(ldb): uncaught exception - None
  File /opt/samba4/lib/python2.7/site-packages/samba/netcmd/__init__.py,
line 175, in _run
return self.run(*args, **kwargs)
  File /opt/samba4/lib/python2.7/site-packages/samba/netcmd/domain.py,
line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File /opt/samba4/lib/python2.7/site-packages/samba/join.py, line 1082,
in join_DC
machinepass, use_ntvfs, dns_backend, promote_existing)
  File /opt/samba4/lib/python2.7/site-packages/samba/join.py, line 78, in
__init__
credentials=ctx.creds, lp=ctx.lp)
  File /opt/samba4/lib/python2.7/site-packages/samba/samdb.py, line 56,
in __init__
options=options)
  File /opt/samba4/lib/python2.7/site-packages/samba/__init__.py, line
114, in __init__
self.connect(url, flags, options)
  File /opt/samba4/lib/python2.7/site-packages/samba/samdb.py, line 71,
in connect
options=options)

Did I miss something?


Thanks, Robert


Re: [Samba] Domain Join

2013-05-22 Thread Sandbox

Hi Marc,

On 2013-05-22 18:55, Marc Muehlfeld wrote:

Hello Robert,

On 22.05.2013 15:56, Sandbox wrote:

Finding a writeable DC for domain 'test.domain.lan'
Found DC domainc01.test.domain.lan
Password for [WORKGROUP\Administrator]:
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -
SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE 
Failed to connect to 'ldap://domainc01.test.domain.lan' with backend
'ldap': (null)
...



Just some thoughts on that:

* Do you have any special characters in your password? E.g. German
umlauts are making trouble here if set on Windows and when the
password is validated from Unix services against AD.



I don't have any special characters in the password.




* Can you do a ldapsearch from the new machine in the existing 
directory or is the access there also denied?


# ldapsearch -h domainc01.test.domain.lan -b dc=test,dc=domain,dc=lan 
-LLL -D cn=Administrator,. -W


I'll check it tomorrow.




* Kerberos settings are all fine and you can get a ticket?

https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain 




Looks fine, I've got the ticket on both servers


Regards,
Marc



--
Kind regards:

Robert





Re: [Samba] Im just curious

2013-05-18 Thread Sandbox


On 2013-05-17 00:43, Marc Muehlfeld wrote:

Hello,

On 16.05.2013 22:41, Sandbox wrote:

Is it possible (well, looks like it works) to include a preconfigured
bind zone in the samba named.conf, so I don't get that annoying zone
conflict error message when I start bind?
Actually, the important question is: could this kind of configuration
interfere with samba4 if the server is configured to use BIND9_DLZ?


Do you mean, that you have already a zone in Bind and now you want the 
BIND9_DLZ module to use that zone for your AD? A mixed zonefile 
(samba LDB and Bind)? I think this is not possible and you won't be 
able to administrate it from windows or by samba-tool.


There was a BIND9_flatfile option for provisioning in the past. But 
Kai Blin (he wrote the internal DNS server) told me yesterday on 
SambaXP, that this option is very old and there's not really a 
documentation how to make it run. So this isn't a good solution, either.


But you could write a small script, to import your existing records 
with samba-tool into the samba LDB (of course you can keep Bind and 
use the DLZ module, if you like that backend).



Regards,
Marc


Actually I have a lot of printers in my old bind config, so I thought I
could use that configuration just for the printers and use samba's
bind9_dlz option for PCs and the domain.


--
Kind regards:

Robert
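
Marc's suggestion above of a small script that imports existing BIND records with samba-tool, written out as an added example (not code from the thread or from the Samba project): it reads single-line A and CNAME records, validates them, and builds `samba-tool dns add` argument lists as a dry run. The zone contents and printer names are constructed; the server and zone names are the ones used in this thread, and qualifying relative CNAME targets with the zone name is an assumption.

```python
#!/usr/bin/env python3
"""Turn simple BIND zone records into `samba-tool dns add` invocations."""
import ipaddress
import re
import shlex

# Constructed sample zone data (hypothetical printers), not from the thread.
SAMPLE_ZONE = """\
$TTL 86400
@        IN SOA ns1.test.domain.lan. admin.test.domain.lan. (1 3600 600 86400 3600)
@        IN NS  ns1.test.domain.lan.
prn-1f   IN A     10.48.16.201
prn-2f   3600 IN A 10.48.16.202   ; second floor
plotter  IN CNAME prn-2f
bad-host IN A     10.48.16.999
"""

SUPPORTED = {"A", "CNAME"}   # SOA/NS/SRV stay under Samba's own control
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _valid_name(name):
    """True if every dot-separated label is a plain hostname label."""
    return all(LABEL.match(part) for part in name.rstrip(".").split("."))


def parse_zone(text):
    """Return (records, rejected) for single-line A/CNAME records."""
    records, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()        # drop comments
        if not line or line.startswith("$"):       # blank or $TTL/$ORIGIN
            continue
        if raw[:1].isspace():                      # owner omitted on this line
            rejected.append((lineno, "", "owner inherited from previous line"))
            continue
        tokens = line.split()
        owner, rest = tokens[0], tokens[1:]
        if rest and rest[0].isdigit():             # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":       # optional class
            rest = rest[1:]
        if len(rest) < 2 or rest[0].upper() not in SUPPORTED:
            continue
        rtype, data = rest[0].upper(), rest[1]
        if not _valid_name(owner):
            rejected.append((lineno, owner, "invalid owner name"))
            continue
        if rtype == "A":
            try:
                ipaddress.IPv4Address(data)
            except ValueError:
                rejected.append((lineno, owner, "invalid IPv4 address"))
                continue
        elif not _valid_name(data):
            rejected.append((lineno, owner, "invalid CNAME target"))
            continue
        records.append((owner, rtype, data))
    return records, rejected


def build_commands(records, server, zone, user="Administrator"):
    """Build argv lists (no shell involved) for samba-tool dns add."""
    commands = []
    for owner, rtype, data in records:
        if rtype == "CNAME":
            # Assumption: relative targets belong to the same zone.
            data = data.rstrip(".") if data.endswith(".") else f"{data}.{zone}"
        commands.append(["samba-tool", "dns", "add", server, zone,
                         owner, rtype, data, "-U", user])
    return commands


if __name__ == "__main__":
    recs, bad = parse_zone(SAMPLE_ZONE)
    for argv in build_commands(recs, "domainc01.test.domain.lan",
                               "test.domain.lan"):
        print(shlex.join(argv))      # dry run: review before executing
    for lineno, owner, why in bad:
        print(f"# skipped line {lineno} ({owner}): {why}")
```

Each argv list can be handed to `subprocess.run(argv, check=True)` once the dry-run output has been reviewed; samba-tool then prompts for the password.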





[Samba] Im just curious

2013-05-16 Thread Sandbox

Hi,

Is it possible (well, looks like it works) to include a preconfigured
bind zone in the samba named.conf, so I don't get that annoying zone
conflict error message when I start bind?
Actually, the important question is: could this kind of configuration
interfere with samba4 if the server is configured to use BIND9_DLZ?


--
Kind regards:

Robert


