enterprise-support team mailing list archive

Re: [Question #291733]: Recent updates broke my domain member

 

Question #291733 on samba in Ubuntu changed:
https://answers.launchpad.net/ubuntu/+source/samba/+question/291733

Description changed to:
Hello,


The recent samba updates may have broken my Samba domain.
I'm not using Winbind, Kerberos or Samba4 AD, just an OpenLDAP backend.

I have 4 servers: 2 with Debian Jessie (recently updated too) and 2 with
Ubuntu (12.04 & 14.04).

The Samba PDC is one of the 2 Debian servers.  Since the update though,
both of these still work fine together and with the Windows clients.

However, the two Ubuntu servers are troublesome, although they share the same conf as the Debian domain client.
Trusty keeps giving me "NT_STATUS_NO_LOGON_SERVERS". 

If I try "net use -d 10 testjoin", I get this:

Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for MY.DOMAIN
dsgetdcname_internal: domain_name: MY.DOMAIN, domain_guid: (null), site_name: (null), flags: 0x40000000
debug_dsdcinfo_flags: 0x40000000
        DS_RETURN_DNS_NAME
sitename_fetch: No stored sitename for MY.DOMAIN
dsgetdcname_internal: domain_name: MY.DOMAIN, domain_guid: (null), site_name: (null), flags: 0x40000001
debug_dsdcinfo_flags: 0x40000001
        DS_FORCE_REDISCOVERY DS_RETURN_DNS_NAME
dsgetdcname_rediscover
dns_send_req: Failed to resolve _ldap._tcp.dc._msdcs.MY.DOMAIN (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
internal_resolve_name: looking up MY.DOMAIN#1c (sitename (null))
no entry for MY.DOMAIN#1C found.
discover_dc_netbios: failed to find DC
dsgetdcname_rediscover
dns_send_req: Failed to resolve _ldap._tcp.dc._msdcs.MY.DOMAIN (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
internal_resolve_name: looking up MY.DOMAIN#1c (sitename (null))
no entry for MY.DOMAIN#1C found.
discover_dc_netbios: failed to find DC


As for the Precise server, adding "server signing = auto" in the server
conf solved an initial problem I had with domain membership.

However, users still can't log into this server. I keep getting:

domain_client_validate: unable to validate password for user myuser in
domain MY.DOMAIN to Domain controller MYPDC. Error was
NT_STATUS_ACCESS_DENIED.


What should I do? Roll back to the previous version?


For information:

PDC Samba version: 4.2.10
Debian client version: 4.2.10
Precise client version: 3.6.25-0ubuntu0.12.04.2
Trusty client version: 4.3.8+dfsg-0ubuntu0.14.04.2 0

PDC global conf:

[global]
        workgroup = MY.DOMAIN
        server string = My Server
        map to guest = Bad User
        passdb backend = ldapsam:"ldap://192.168.0.11";
        pam password change = Yes
        obey pam restrictions = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*Password:* %n\n *Reenter*New*Password:* %n\n *Password*changed.
        unix password sync = No
        log level = 0
        load printers = no
        printcap name = /dev/null
        disable spoolss = yes
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null -s /usr/bin/false "%u"
        rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
        logon script = logon.bat
        logon path =
        logon drive = M:
        domain logons = Yes
        os level = 65
        domain master = Yes
        preferred master = Yes
        wins support = Yes
        ldap admin dn = cn=admin,dc=example,dc=net
        ldap group suffix = ou=groups
        ldap user suffix = ou=people,ou=users
        ldap machine suffix = ou=machines,ou=users
        ldap passwd sync = yes
        ldap suffix = dc=example,dc=net
        ldap ssl = no
        usershare allow guests = Yes
        read only = No
        create mask = 0775
        directory mask = 0775
        guest ok = Yes
        bind interfaces only = True
        interfaces = eth0 192.168.0.11 127.0.0.1
        server signing = auto


Clients conf:
[global]
        workgroup = MY.DOMAIN
        server string = My client
        netbios name = myclient
        security = domain
        map to guest = Bad User
        load printers = no
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = yes
        obey pam restrictions = yes
        wins server = 192.168.0.11
        encrypt passwords = true
        show add printer wizard = no
        winbind use default domain = Yes
        passwd program = /usr/bin/passwd %u
        unix extensions = no
        dns proxy = no
        os level = 20
        printcap name = /dev/null
        map untrusted to domain = Yes
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        disable spoolss = yes
        pam password change = yes
        domain logons = no
        log level = 0
        passdb backend = tdbsam

-- 
You received this question notification because your team Ubuntu
Server/Client Support Team is an answer contact for samba in Ubuntu.