Gentoo Forums
Networking & Security
Mission critical; I need help with samba-ads,pam,mitkrb5
mrbassie
Posted: Tue May 20, 2014 4:50 pm    Post subject: Mission critical; I need help with samba-ads,pam,mitkrb5

Ok, I've edited my thread, previously titled "Audit my smb.conf please"

RECAP/UPDATE:

Ok. Gentoo Samba fileserver. It is joined to the Windows Server 2008 domain. I can use smbclient -L, wbinfo -u and wbinfo -g and I get the expected results. I get a Kerberos ticket with kinit.
I created an account on the Gentoo box with the same credentials as one of the Windows domain admins. That account can access, read, write and supposedly set permissions on the share; everybody else can see it but not access it. It asks for a "network password" (in Windows 7).
Winbind seems to be working, mostly, but getent is not: I just get the Unix users and groups.
I need to get this box online asap, as the current file server is dying and we need to get as much data onto it as possible, as soon as possible.

I seriously need help urgently; I've been banging my head against a screen for a week. This is a school and it's more important than just me being embarrassed.

/etc/samba/smb.conf:

Code:
[global]
#-------[ Net Hood Settings ]
        workgroup = my-domain-name
        netbios name = Gentoo
        server string = Linux client
        interfaces = eth0, lo
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192 IPTOS_LOWDELAY
        os level = 0
#-------[ Log Level ]
        log level = 2

#-------[ Server Role Settings ]
        security = ads
        encrypt passwords = yes

#-------[NT ACL Compatability]
        inherit acls = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        map archive = no
        map hidden = no
        map readonly = no
        store dos attributes = yes
        nt acl support = true
        create mode = 0644
        directory mode = 0777
        domain master = no
        local master = no
        preferred master = no
        wins proxy = no
        dns proxy = no
        template homedir = /home/SCHOOL/%U
        template shell = /bin/bash

#----[ Winbind communication ]
        idmap config *:backend = tdb
        idmap config * :range = 10000-20000
        idmap config school:backend = ad
        idmap config school:schema_mode = ad
        idmap config school:range = 500-40000
        winbind nss info = rfc2307
        winbind use default domain = Yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind: rpc only = yes
        winbind refresh tickets = yes
        winbind separator = +
        kerberos method = secrets and keytab

#-------[Realm]
        realm = my-domain-name
#-------[Shares ]

[HOMEWORK SHARE]
        path = /SCHOOL/HomeworkShare
        comment = Homework Share
        browseable = yes
        writeable = yes
        inherit permissions = Yes
        inherit owner = yes
        inherit acls = yes
        guest ok = yes
        security mask = 0777
        security = ads
[PUPIL SHARE]
        path = /SCHOOL/PupilShare
        comment = Pupil Share
        browseable = yes
        writeable = yes
        inherit permissions = yes
        inherit owner = yes
        inherit acls = yes
        create mask = 0644
        guest ok = yes
        security mask = 0777

[STAFF SHARE]
        path = /SCHOOL/StaffShare
        comment = Staff Share
        browseable = yes
        writeable = yes
        inherit permissions = yes
        inherit acls = yes
        inherit owner = yes
        create mask = 0644
        guest ok = yes
        security mask = 0777
        read only = no


/etc/nsswitch.conf:
Code:
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $

passwd:      compat winbind
shadow:      compat winbind
group:       compat winbind

passwd:      db files nis
shadow:      db files nis
group:       db files nis

hosts:       files wins dns
networks:    files

services:    db files
protocols:   db files
rpc:         db files winbind
ethers:      db files
netmasks:    files
netgroup:    nis
bootparams:  files

automount:   files
aliases:     files



/etc/krb5.conf:
Code:

[libdefaults]
        default_realm = my-domain-name
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflag = true
        default_keytab_name = FILE:/etc/krb5.keytab


/etc/conf.d/samba:

Code:

#add "winbind" to the daemon_list if you also want winbind to start
daemon_list="smbd nmbd winbind"

#----------------------------------------------------------------------------
# Daemons calls: <daemon_name>_<command_option>
#----------------------------------------------------------------------------
my_service_name="samba"
my_service_PRE="unset TMP TMPDIR"
my_service_POST=""

#----------------------------------------------------------------------------
# Daemons calls: <daemon_name>_<command_option>
#----------------------------------------------------------------------------
smbd_start_options="-D"
smbd_start="start-stop-daemon --start --exec /usr/sbin/smbd -- ${smbd_start_options}"
smbd_stop="start-stop-daemon --stop --exec /usr/sbin/smbd"
smbd_reload="killall -HUP smbd"

nmbd_start_options="-D"
nmbd_start="start-stop-daemon --start --exec /usr/sbin/nmbd -- ${nmbd_start_options}"
nmbd_stop="start-stop-daemon --stop --exec /usr/sbin/nmbd"
nmbd_reload="killall -HUP nmbd"

winbind_start_options="-D"
winbind_start="start-stop-daemon --start --exec /usr/sbin/winbindd -- ${winbind_start_options}"
winbind_stop="start-stop-daemon --stop --exec /usr/sbin/winbindd"
winbind_reload="killall -HUP winbindd"


USE flags for samba:

Code:
ads aio client ldap ldb netapi pam readline server smbclient smbshares winbind




/etc/pam.d/system-auth-winbind:

Code:


#%PAM-1.0
# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/3.6/system-auth-winbind.pam,v 1.1 2011/06/30 15:50:28 dagger Exp $

auth        required      pam_env.so
auth        sufficient    pam_winbind.so
auth        sufficient    pam_unix.so shadow likeauth nullok use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so

password    required      pam_cracklib.so retry=3
password    sufficient    pam_winbind.so
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so

session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      pam_limits.so
session     required      pam_unix.so


What have I missed?

I cannot provide information about the domain setup. The person who did it was fired a couple of years ago (I've been there a couple of months) and none of the IT department have access to the administrator account on the domain controller, they are however domain admins but were also uninvolved in the setup.
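Two things in the posted configs deserve a mechanical check before any packet capture. The [global] section carries two idmap ranges that overlap (`*` is 10000-20000 while school is 500-40000), and the school range also reaches down into the numeric space where local system accounts live; Samba requires idmap ranges to be disjoint, because an overlap means two different SIDs, or a SID and a local account, can end up owning the same files. The posted nsswitch.conf also lists passwd, shadow and group twice. The script below is an added example, not part of the thread or of Samba; the two inputs are constructed from the configs in the post above, and the local id list is a stand-in for the uids and gids found in /etc/passwd and /etc/group.

```python
"""Lint the idmap ranges in smb.conf and the database lines in nsswitch.conf.
Added example, not from the thread; both inputs are constructed from the
configs posted above."""
import re
from collections import defaultdict

SMB_CONF = """\
[global]
        workgroup = my-domain-name
        security = ads
        idmap config *:backend = tdb
        idmap config * :range = 10000-20000
        idmap config school:backend = ad
        idmap config school:schema_mode = ad
        idmap config school:range = 500-40000
[HOMEWORK SHARE]
        path = /SCHOOL/HomeworkShare
"""

NSSWITCH_CONF = """\
passwd:      compat winbind
shadow:      compat winbind
group:       compat winbind
passwd:      db files nis
shadow:      db files nis
group:       db files nis
hosts:       files wins dns
"""

IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(text):
    """Return {domain: {option: value}} for 'idmap config' lines in [global]."""
    section, domains = None, defaultdict(dict)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global":          # idmap config is a global-only parameter
            m = IDMAP_RE.match(line)
            if m:
                dom, opt, val = m.groups()
                domains[dom.lower()][opt.lower()] = val
    return dict(domains)


def parse_range(val):
    """'500-40000' -> (500, 40000)."""
    lo, hi = (int(x) for x in val.split("-"))
    if lo > hi:
        raise ValueError("inverted range %s" % val)
    return lo, hi


def check_idmap(domains, local_ids):
    """Report ranges that overlap each other or cover ids that already exist
    locally (passwd/group): either way two identities share one numeric id,
    and file ownership and ACL checks become ambiguous."""
    problems, ranges = [], {}
    for dom, opts in domains.items():
        if "range" not in opts:
            problems.append("%s: no range configured" % dom)
        else:
            ranges[dom] = parse_range(opts["range"])
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append("ranges of %s (%d-%d) and %s (%d-%d) overlap"
                                % (a, alo, ahi, b, blo, bhi))
    for dom, (lo, hi) in ranges.items():
        hit = sorted(i for i in local_ids if lo <= i <= hi)
        if hit:
            problems.append("%s range %d-%d covers local ids %s"
                            % (dom, lo, hi, hit))
    return problems


def check_nsswitch(text):
    """Return database names that are defined more than once; glibc honours
    only one of the definitions, so the other is silently ignored."""
    seen = defaultdict(int)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            seen[line.split(":", 1)[0].strip()] += 1
    return sorted(db for db, n in seen.items() if n > 1)


if __name__ == "__main__":
    # Constructed stand-in for the uids/gids found in /etc/passwd and /etc/group.
    LOCAL_IDS = [0, 1, 2, 500, 1000]
    for p in check_idmap(parse_idmap(SMB_CONF), LOCAL_IDS):
        print("smb.conf:", p)
    for db in check_nsswitch(NSSWITCH_CONF):
        print("nsswitch.conf: %s defined twice" % db)
```

On a real box, feed it the output of `testparm -s` (which prints the effective [global] with comments stripped) and the ids from `getent passwd`/`getent group` with winbind temporarily out of nsswitch, so that only local accounts are counted.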
vaxbrat
Posted: Sun May 25, 2014 12:13 am    Post subject: Can you get at domain security policy?

Can anyone get at the domain security policy? It's possible that they have hardened the session setup to the point where things stop working. Turn up the debugging to 5 or so on the winbind daemon and then look at its logs in /var/log/samba to see what it may be whining about when trying to do idmap. You may want to blast the winbind tdb files in /var/lib/samba before trying again.
vaxbrat
Posted: Sun May 25, 2014 12:16 am    Post subject: maybe do RID instead of ad for idmap

I also do RID instead of AD for the idmap stuff in my smb.conf.
vaxbrat
Posted: Sun May 25, 2014 12:28 am    Post subject: sample smb.conf

This sample is sort of oldish, as you can tell from the syntax for the idmap stanzas. Your syntax is good, but you might want to go to rid instead of ad.

Code:
[global]
   workgroup = PLAY
   realm = PLAY.COM
   server string = samba on ur linux box
   netbios name = cent62amd64
   security = ADS
   password server = dc-01.play.com
   passdb backend = tdbsam
   #
   #  This backend rule may break depending on samba version installed
   #  This is the new idmap syntax and will break on a 3.0.x (rh/cent5 bog
   #  standard box) even though testparm will pass it
   #
   #  If you are a wan with a "partner" and a domain trust, you need to
   #  rethink the whole winbind implementation and maybe go full ldap
   #
   idmap backend = rid:PLAY=2000-10000
   idmap uid = 2000-10000
   idmap gid = 2000-10000

   cups options = raw
   winbind use default domain = Yes
   #
   #  These enum directives will kill you in a large domain but are
   #  very useful if you can get away with it
   #
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind nested groups = Yes
   template shell = /bin/bash

   #----------------------------------------------------------------
   #  hardening countermeasures
   #

   #  This option is only available for newer samba versions (>=3.4.x)
   #  and matches the DC local security policy:
   #    Domain Controller: LDAP server signing requirements set to "sign"
   #
   #  Like the next setting for ntlmv2, it will generate the same
   #  "stronger authentication required" error as the ntlmv2 un-setting
   #  rhel6/centos6 package samba 3.5.x and thus can support but this
   #  will drag down performance and should be resisted.  Also might
   #  need a CA cert from the dc? and will probably gen additional events
   #  in the dc log over kerberos setup.
   #
   #client ldap sasl wrapping = sign

   #
   #  Needed to avoid the dreaded
   #  "failed to join domain, stronger authentication required
   #  even after you have yanked the ldap server signing requirement
   #
   client ntlmv2 auth = Yes
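What the switch from `ad` to `rid` actually changes, as an added illustration that is not vaxbrat's code or Samba's: idmap_rid is arithmetic, `ID = RID + LOW_RANGE_ID` (man idmap_rid), so every member server configured with the same range derives the same uid for a given SID and nothing has to be stored in AD or in a tdb. idmap_ad instead reads uidNumber/gidNumber from each account's RFC2307 attributes and leaves accounts that lack them unmapped, which is the first thing to rule out when `getent passwd` shows no domain users. The domain SID, the RIDs and the attribute sets below are constructed.

```python
"""How a domain SID becomes a UNIX id under idmap_rid versus idmap_ad.
Added example, not from the thread; the SIDs and AD attributes are constructed."""
import re

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def rid_to_id(sid, low, high, domain_sid=DOMAIN_SID):
    """idmap_rid: ID = RID + LOW_RANGE_ID.  Pure arithmetic, so every member
    server with the same range computes the same id.  Returns None when the
    result would leave the configured range or the SID is from another domain;
    winbind then reports the account as unmapped."""
    m = SID_RE.match(sid)
    if not m or m.group(1) != domain_sid:
        return None
    unix_id = low + int(m.group(2))
    return unix_id if low <= unix_id <= high else None


def id_to_sid(unix_id, low, high, domain_sid=DOMAIN_SID):
    """Reverse direction, used when a file's owner is presented to a client."""
    if not low <= unix_id <= high:
        return None
    return "%s-%d" % (domain_sid, unix_id - low)


def ad_to_id(account, low, high):
    """idmap_ad: the id is the account's uidNumber (users) or gidNumber (groups)
    as stored in AD.  An account without the attribute is not mapped at all,
    so it never appears in getent passwd/group on the member server."""
    unix_id = account.get("uidNumber", account.get("gidNumber"))
    if unix_id is None:
        return None
    return unix_id if low <= unix_id <= high else None


# Constructed accounts: one user with RFC2307 attributes, one without, one group.
ACCOUNTS = {
    "alice":        {"sid": DOMAIN_SID + "-1105", "uidNumber": 10105},
    "bob":          {"sid": DOMAIN_SID + "-1106"},
    "Domain Users": {"sid": DOMAIN_SID + "-513",  "gidNumber": 10513},
}


def compare_backends(accounts, low, high):
    """Side by side: the id each backend would assign, None if unmapped."""
    return {name: {"rid": rid_to_id(acct["sid"], low, high),
                   "ad": ad_to_id(acct, low, high)}
            for name, acct in accounts.items()}


if __name__ == "__main__":
    for name, ids in compare_backends(ACCOUNTS, 10000, 20000).items():
        print("%-12s rid=%s ad=%s" % (name, ids["rid"], ids["ad"]))
```

The consequence for the file server: with `rid`, ownership is reproducible on any box that shares the range, but a RID above `high - low` is unmappable, so the range has to be sized for the largest RID the domain will ever issue; with `ad`, an account with no uidNumber simply does not exist as far as the UNIX side is concerned, whatever `wbinfo -u` lists. Check a single user with `wbinfo -i username` and `wbinfo -S <SID>` before chasing anything else.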
mrbassie
Posted: Sun May 25, 2014 9:35 am

Thanks, I will try out your suggestions.
mrbassie
Posted: Sun May 25, 2014 3:03 pm    Post subject: Re: sample smb.conf

vaxbrat wrote:
This sample is sort of oldish, as you can tell from the syntax for the idmap stanzas. Your syntax is good, but you might want to go to rid instead of ad.

Code:

   #  These enum directives will kill you in a large domain but are
   #  very useful if you can get away with it
   #
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind nested groups = Yes
   template shell = /bin/bash



The domain I am working within has, let's say, 1000 unique users; most of those are obviously the students. Will that be a problem? The Gentoo box will not be holding all that much actual data.
vaxbrat
Posted: Sun May 25, 2014 5:58 pm    Post subject: Can't give you a specific answer

I first started doing AD integrations some years ago when Samba was at 3.0.x and Fedora 6 was just coming out. The consensus was that winbind would hit a brick wall when there were thousands of users on the domain. OTOH that was when AD was just rolling out and most domains were still on NT4-style DCs. I don't remember when winbind started caching the idmap in a local tdb file, but it may have taken care of the issue other than that first time when it needs to get populated.

The majority of my rollouts are in air-gapped networks where the domain has only hundreds of users at the most and often much less than that. I couldn't tell you what a modern winbind would do in a Uni or large corporate network where things have been split into separate resource and user domains, and users number in the tens of thousands or more.
mrbassie
Posted: Sun May 25, 2014 8:12 pm

Ok, well there are definitely fewer than 2000 users and not all of them will have access.
mrbassie
Posted: Wed May 28, 2014 11:02 am

Ok, I switched ad to rid, deleted all the .tdb files and logs, rejoined the domain and fired up Samba.

log.winbindd shows the following:

gid_to_sid: winbind failed to find a sid for gid 0, 1, 2, 3, 4, 6, 10, 11, 26, 27

all the other logs look fine.

It's still not mapping the users/groups.

Am I being stupid expecting it to just do it, do I have to do it manually?
vaxbrat
Posted: Thu May 29, 2014 1:13 am    Post subject: turn up winbind debug level

There should be a lot more to the error logging than that. Edit your /etc/conf.d/samba to change your winbindd debug level to 5 or more:

Code:
winbind_start_options=""


goes to something like

Code:
winbind_start_options="-d5"


Also, can anyone with domain admin privs get into the event logs on the DC when you try to hit the idmaps, to see if it shows anything on that side?
mrbassie
Posted: Thu May 29, 2014 9:34 am

Code:
gid_to_sid: winbind failed to find a sid for gid 0
gid_to_sid: winbind failed to find a sid for gid 1
gid_to_sid: winbind failed to find a sid for gid 2
gid_to_sid: winbind failed to find a sid for gid 3
gid_to_sid: winbind failed to find a sid for gid 4
gid_to_sid: winbind failed to find a sid for gid 6
gid_to_sid: winbind failed to find a sid for gid 10
gid_to_sid: winbind failed to find a sid for gid 11
gid_to_sid: winbind failed to find a sid for gid 26
gid_to_sid: winbind failed to find a sid for gid 27
account_policy_get: tdb_fetch_uint32 failed for type 1 (min password length), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 2 (password history), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 3 (user must logon to change password), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 4 (maximum password age), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 5 (minimum password age), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 6 (lockout duration), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 7 (reset count minutes), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 8 (bad lockout attempt), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 9 (disconnect time), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 10 (refuse machine password change), returning 0


[2014/05/29 10:16:21.412870, 5] passdb/pdb_tdb.c:562(tdbsam_getsampwnam)
pdb_getsampwnam (TDB): error fetching database.
Key: USER_root
[2014/05/29 10:16:21.412991, 5] lib/username.c:171(Get_Pwnam_alloc)
Finding user root
[2014/05/29 10:16:21.413019, 5] lib/username.c:116(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is root
[2014/05/29 10:16:21.413071, 5] lib/username.c:149(Get_Pwnam_internals)
Get_Pwnam_internals did find user [root]!
[2014/05/29 10:16:21.413228, 5] lib/gencache.c:68(gencache_init)
Opening cache file at /var/cache/samba/gencache.tdb
[2014/05/29 10:16:21.413312, 5] lib/gencache.c:111(gencache_init)
Opening cache file at /var/cache/samba/gencache_notrans.tdb
[2014/05/29 10:16:21.413481, 5] passdb/lookup_sid.c:1384(gid_to_sid)
gid_to_sid: winbind failed to find a sid for gid 0
[2014/05/29 10:16:21.413521, 5] passdb/lookup_sid.c:1384(gid_to_sid)
gid_to_sid: winbind failed to find a sid for gid 1
[2014/05/29 10:16:21.413555, 5] passdb/lookup_sid.c:1384(gid_to_sid)
gid_to_sid: winbind failed to find a sid for gid 2
[2014/05/29 10:16:21.413588, 5] passdb/lookup_sid.c:1384(gid_to_sid)
gid_to_sid: winbind failed to find a sid for gid 3
[2014/05/29 10:16:21.413621, 5] passdb/lookup_sid.c:1384(gid_to_sid)
gid_to_sid: winbind failed to find a sid for gid 4
[2014/05/29 10:16:21.413655, 5] passdb/lookup_sid.c:1384(gid_to_sid)
gid_to_sid: winbind failed to find a sid for gid 6
[2014/05/29 10:16:21.413689, 5] passdb/lookup_sid.c:1384(gid_to_sid)
gid_to_sid: winbind failed to find a sid for gid 10
[2014/05/29 10:16:21.413722, 5] passdb/lookup_sid.c:1384(gid_to_sid)
gid_to_sid: winbind failed to find a sid for gid 11
[2014/05/29 10:16:21.413755, 5] passdb/lookup_sid.c:1384(gid_to_sid)
gid_to_sid: winbind failed to find a sid for gid 26
[2014/05/29 10:16:21.413789, 5] passdb/lookup_sid.c:1384(gid_to_sid)
gid_to_sid: winbind failed to find a sid for gid 27
[2014/05/29 10:16:21.413866, 5] passdb/pdb_util.c:128(create_builtin_administrators)
create_builtin_administrators: Failed to create Administrators
[2014/05/29 10:16:21.413919, 5] passdb/pdb_util.c:99(create_builtin_users)
create_builtin_users: Failed to create Users
[2014/05/29 10:16:21.414131, 2] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
tdb(/var/lib/samba/account_policy.tdb): tdb_open_ex: could not open file /var/lib/samba/account_policy.tdb: No such file or directory
[2014/05/29 10:16:21.414159, 3] lib/dbwrap_tdb.c:359(db_open_tdb)
Could not open tdb: No such file or directory
mrbassie
Posted: Thu May 29, 2014 9:35 am

Code:
tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414332, 1] passdb/account_pol.c:331(account_policy_get)
account_policy_get: tdb_fetch_uint32 failed for type 2 (password history), returning 0
[2014/05/29 10:16:21.414357, 5] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414383, 1] passdb/account_pol.c:331(account_policy_get)
account_policy_get: tdb_fetch_uint32 failed for type 3 (user must logon to change password), returning 0
[2014/05/29 10:16:21.414408, 5] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414434, 1] passdb/account_pol.c:331(account_policy_get)
account_policy_get: tdb_fetch_uint32 failed for type 4 (maximum password age), returning 0
[2014/05/29 10:16:21.414458, 5] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414484, 1] passdb/account_pol.c:331(account_policy_get)
account_policy_get: tdb_fetch_uint32 failed for type 5 (minimum password age), returning 0
[2014/05/29 10:16:21.414508, 5] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414534, 1] passdb/account_pol.c:331(account_policy_get)
account_policy_get: tdb_fetch_uint32 failed for type 6 (lockout duration), returning 0
[2014/05/29 10:16:21.414558, 5] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414583, 1] passdb/account_pol.c:331(account_policy_get)
account_policy_get: tdb_fetch_uint32 failed for type 7 (reset count minutes), returning 0
[2014/05/29 10:16:21.414608, 5] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414633, 1] passdb/account_pol.c:331(account_policy_get)
account_policy_get: tdb_fetch_uint32 failed for type 8 (bad lockout attempt), returning 0
[2014/05/29 10:16:21.414658, 5] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414683, 1] passdb/account_pol.c:331(account_policy_get)
account_policy_get: tdb_fetch_uint32 failed for type 9 (disconnect time), returning 0
[2014/05/29 10:16:21.414708, 5] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
tdb(/var/lib/samba/account_policy.tdb): tdb_transaction_start: nesting 1
[2014/05/29 10:16:21.414733, 1] passdb/account_pol.c:331(account_policy_get)
account_policy_get: tdb_fetch_uint32 failed for type 10 (refuse machine password change), returning 0
[2014/05/29 10:16:21.414758, 5] ../li
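At -d5 the log in the two posts above is mostly repeated level-5 chatter, and the interesting lines are the few at low debug level: the level-2 `tdb_open_ex` failure and the level-1 `account_policy_get` entries are what Samba would have printed even at the `log level = 2` set in the posted smb.conf. The script below is an added example, not from the thread; it parses the two-line `[timestamp, level] file:line(function)` records that smbd and winbindd write, counts them per function and debug level, pulls out the low-level ones to read first, and collects the gids that `gid_to_sid` could not map so they can be compared against /etc/group. The sample records are constructed from the posted excerpts.

```python
"""Triage a Samba/winbind debug log: group the two-line records by function
and level so the rare entries stand out from the repeated ones.
Added example, not from the thread; SAMPLE_LOG is constructed from the
excerpts posted above."""
import re
from collections import Counter

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]"
    r"\s+(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")

SAMPLE_LOG = """\
[2014/05/29 10:16:21.413481, 5] passdb/lookup_sid.c:1384(gid_to_sid)
gid_to_sid: winbind failed to find a sid for gid 0
[2014/05/29 10:16:21.413521, 5] passdb/lookup_sid.c:1384(gid_to_sid)
gid_to_sid: winbind failed to find a sid for gid 1
[2014/05/29 10:16:21.413866, 5] passdb/pdb_util.c:128(create_builtin_administrators)
create_builtin_administrators: Failed to create Administrators
[2014/05/29 10:16:21.414131, 2] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
tdb(/var/lib/samba/account_policy.tdb): tdb_open_ex: could not open file /var/lib/samba/account_policy.tdb: No such file or directory
[2014/05/29 10:16:21.414159, 3] lib/dbwrap_tdb.c:359(db_open_tdb)
Could not open tdb: No such file or directory
[2014/05/29 10:16:21.414332, 1] passdb/account_pol.c:331(account_policy_get)
account_policy_get: tdb_fetch_uint32 failed for type 2 (password history), returning 0
"""


def parse_log(text):
    """Return a list of (timestamp, level, function, message) tuples.  A line
    that is not a header is a continuation of the previous record's message."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append([m.group("ts"), int(m.group("level")),
                            m.group("func"), ""])
        elif records:
            rec = records[-1]
            rec[3] = line if not rec[3] else rec[3] + "\n" + line
    return [tuple(r) for r in records]


def summarize(records):
    """How many records each (level, function) pair produced."""
    return Counter((lvl, func) for _, lvl, func, _ in records)


def notable(records, max_level=2):
    """Records at or below max_level: the ones Samba logs without extra
    debugging turned on, so the first ones to read."""
    return [r for r in records if r[1] <= max_level]


def gids_without_sid(records):
    """The gids winbind could not map, taken from gid_to_sid records."""
    out = []
    for _, _, func, msg in records:
        if func == "gid_to_sid":
            m = re.search(r"for gid (\d+)$", msg)
            if m:
                out.append(int(m.group(1)))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (lvl, func), n in sorted(summarize(recs).items()):
        print("level %d  %-32s x%d" % (lvl, func, n))
    for ts, lvl, func, msg in notable(recs):
        print("NOTABLE [%d] %s: %s" % (lvl, func, msg))
    print("unmapped local gids:", gids_without_sid(recs))
```

Run it as `python3 triage.py < /var/log/samba/log.winbindd` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the `gid_to_sid` gids it collects are the local groups vaxbrat points to, which a member server is not expected to map, so their absence from the domain is not itself a fault.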
vaxbrat
Posted: Thu May 29, 2014 11:06 pm    Post subject: Did those tdb files get re-created or not?

Did any of the tdb files come back in /var/lib/samba after you restarted Samba? Are they non-zero length? Do "getent passwd" and "getent group" return anything, or just the local users and groups? The concerning thing is that those low-number group-to-SID errors are for local stuff, so I wonder if something is screwed up with your glibc/coreutils/pam/shadow setup somewhere.

You may have to acquaint yourself with Wireshark, if you don't already know it, in order to see what sort of packet traffic is or isn't happening with the IP address of the domain controller when you try to do getent.

If you do have stuff in the tdb files, use tdbdump. You should already have sys-libs/tdb emerged if you have tdb enabled in your USE flags. I don't have the machine I'm posting from joined as an AD member to anything, so this example is probably a default Samba install file, but here's an example dump of the account_policy.tdb file your logs complain about, among other things:

Code:
# tdbdump /var/lib/samba/account_policy.tdb         
{
key(21) = "minimum password age\00"
data(4) = "\00\00\00\00"
}
{
key(31) = "refuse machine password change\00"
data(4) = "\00\00\00\00"
}
{
key(20) = "reset count minutes\00"
data(4) = "\1E\00\00\00"
}
{
key(18) = "PRIV_S-1-5-32-550\00"
data(16) = "\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
{
key(18) = "PRIV_S-1-5-32-548\00"
data(16) = "\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
{
key(18) = "PRIV_S-1-5-32-551\00"
data(16) = "\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
{
key(18) = "PRIV_S-1-5-32-549\00"
data(16) = "\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
{
key(16) = "disconnect time\00"
data(4) = "\FF\FF\FF\FF"
}
{
key(35) = "user must logon to change password\00"
data(4) = "\00\00\00\00"
}
{
key(17) = "password history\00"
data(4) = "\00\00\00\00"
}
{
key(17) = "lockout duration\00"
data(4) = "\1E\00\00\00"
}
{
key(20) = "min password length\00"
data(4) = "\05\00\00\00"
}
{
key(18) = "PRIV_S-1-5-32-544\00"
data(16) = "\F0\1F\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
{
key(13) = "PRIV_S-1-1-0\00"
data(16) = "\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
{
key(21) = "maximum password age\00"
data(4) = "\FF\FF\FF\FF"
}
{
key(20) = "bad lockout attempt\00"
data(4) = "\00\00\00\00"
}
{
key(13) = "INFO/version\00"
data(4) = "\03\00\00\00"
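The dump above is readable once you know the encoding: tdbdump prints each key and value as a quoted string with non-printable bytes as `\XX`, keys are C strings ending in `\00`, and Samba stores every account-policy value as a 4-byte little-endian unsigned integer, with 0xFFFFFFFF meaning the limit is disabled (password never expires, no forced disconnect). The parser below is an added example, not from the thread or from Samba; it decodes a sample constructed from the posted dump and leaves the `PRIV_` entries (per-SID privilege masks) as raw bytes.

```python
"""Decode the output of `tdbdump account_policy.tdb`.
Added example, not from the thread; SAMPLE_DUMP is constructed from the
dump posted above."""
import re
import struct

SAMPLE_DUMP = r'''
{
key(20) = "reset count minutes\00"
data(4) = "\1E\00\00\00"
}
{
key(16) = "disconnect time\00"
data(4) = "\FF\FF\FF\FF"
}
{
key(17) = "lockout duration\00"
data(4) = "\1E\00\00\00"
}
{
key(20) = "min password length\00"
data(4) = "\05\00\00\00"
}
{
key(18) = "PRIV_S-1-5-32-544\00"
data(16) = "\F0\1F\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
{
key(21) = "maximum password age\00"
data(4) = "\FF\FF\FF\FF"
}
{
key(13) = "INFO/version\00"
data(4) = "\03\00\00\00"
}
'''

# key(NN) = "..." / data(NN) = "..." with \XX escapes for non-printable bytes
ENTRY_RE = re.compile(r'(key|data)\((\d+)\) = "((?:\\[0-9A-Fa-f]{2}|[^"\\])*)"')
ESC_RE = re.compile(r"\\([0-9A-Fa-f]{2})")


def unescape(s):
    """Turn tdbdump's escaped string into the bytes it represents."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), s).encode("latin-1")


def parse_tdbdump(text):
    """Return {key: raw_bytes}.  The declared length is checked against the
    decoded bytes so a mangled escape is caught rather than misread."""
    out, pending_key = {}, None
    for kind, length, val in ENTRY_RE.findall(text):
        raw = unescape(val)
        if len(raw) != int(length):
            raise ValueError("length mismatch in %s(%s)" % (kind, length))
        if kind == "key":
            pending_key = raw.rstrip(b"\x00").decode("latin-1")
        elif pending_key is not None:
            out[pending_key] = raw
            pending_key = None
    return out


def decode_account_policy(entries):
    """Interpret the 4-byte policy values as little-endian uint32.
    0xFFFFFFFF is Samba's 'never'/'forever' and is returned as None;
    PRIV_ and INFO/ entries are not policies and are skipped."""
    policy = {}
    for key, raw in entries.items():
        if key.startswith(("PRIV_", "INFO/")) or len(raw) != 4:
            continue
        (val,) = struct.unpack("<I", raw)
        policy[key] = None if val == 0xFFFFFFFF else val
    return policy


if __name__ == "__main__":
    entries = parse_tdbdump(SAMPLE_DUMP)
    for key, val in sorted(decode_account_policy(entries).items()):
        print("%-32s %s" % (key, "never" if val is None else val))
```

Note that on a domain member these values only govern Samba's own passdb; the policy that actually applies to domain logons is the one on the DC, which is why the thread's `account_policy_get` warnings are noise for the problem at hand.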
mrbassie
Posted: Fri May 30, 2014 12:48 pm    Post subject: Re: Did those tdb files get re-created or not?

vaxbrat wrote:
Did any of the tdb files come back in /var/lib/samba after you restarted Samba? Are they non-zero length? Do "getent passwd" and "getent group" return anything, or just the local users and groups? The concerning thing is that those low-number group-to-SID errors are for local stuff, so I wonder if something is screwed up with your glibc/coreutils/pam/shadow setup somewhere.

You may have to acquaint yourself with Wireshark, if you don't already know it, in order to see what sort of packet traffic is or isn't happening with the IP address of the domain controller when you try to do getent.

If you do have stuff in the tdb files, use tdbdump. You should already have sys-libs/tdb emerged if you have tdb enabled in your USE flags. I don't have the machine I'm posting from joined as an AD member to anything, so this example is probably a default Samba install file, but here's an example dump of the account_policy.tdb file your logs complain about, among other things:


Yes, the tdb files came back. They are not zero length; however, group_mapping.tdb is blank. getent only returns local stuff. My account_policy.tdb looks identical to what you posted.

I haven't touched any configs on this system other than what I posted in the op (other than portage stuff obviously).

It's a clean install, all I've done is emerged samba and zfs.

I had a look at the event logs on the domain controller, there's nothing at all relating to this gentoo box.

I can access the shares from a Linux machine on the network no problem; whenever one of the Windows machines tries to access it, it's throwing up a username and password prompt.
vaxbrat
Posted: Fri May 30, 2014 5:35 pm    Post subject: time for wireshark

Looks like you are going to have to use Wireshark to see what's going on on the wire between your Linux box and the DC.

I've only had to do that a couple of times, but the last time was when I inherited a badly set-up domain. Thankfully I had authority on the Windows side as well and ended up standing up another DC, which I migrated the AD database to, and then eventually rebuilt the original to provide redundancy. My Samba problems magically went away as soon as that second DC was running the show and the original had been removed.

My guess on what happened there was that the Kerberos KDC setup in the original DC was all messed up. The Windows clients were probably falling back to the old NT4-style hashing without any of the IT monkeys knowing what was going on.
mrbassie
Posted: Sat May 31, 2014 4:15 pm

I'll emerge wireshark first thing Monday. Thanks for all your help, btw. It's very hard to find anything useful on the net about this problem; I've seen loads of threads on various *nix forums but no solution that works.
mrbassie
Posted: Tue Jun 03, 2014 1:09 pm

Ok, so I have wireshark emerged. I've run a simple dumpcap -i eth0 -a duration:60 -w output.pca

I tried getent while doing this on tty2 and I'm getting 95%+ of the packets.

I'm finding the man pages a little cryptic...

could you suggest some things to cap and post please?
vaxbrat
Posted: Tue Jun 03, 2014 8:52 pm    Post subject: You might want to run the gui

Try running the Wireshark GUI live and then applying filters. The most obvious one is an IP filter for the IP address of the domain controller. If you click on the "Expression" button in the filtering section it will show you a list of what it knows. You want to open the IP treeview, pick address and then type in the IP address. The resulting filter expression will look something like:

Code:
ip.addr == www.xxx.yyy.zzz


Note that you can just type that in without going through all of the popups.

It's going to be a huge dump no matter what and may involve all sorts of stuff that probably doesn't want to be put into an online paste. The Wireshark GUI knows all of the protocols, so you can select packets, open them up and inspect the various fields. The wireshark.org website should be able to lead you through the use of the GUI, but the packet stuff is something that you are just going to have to pick up on your own. You might want to pick up the Samba 3 reference in the Bruce Perens open source series:

http://www.amazon.com/Official-Samba-3-Reference-Perens-Source/dp/0131453556/ref=sr_1_1?ie=UTF8&qid=1401828533&sr=8-1&keywords=bruce+perens+samba+3