Bug 1359398
| Summary: | Domain login no longer works after F22 -> F23 upgrade | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Martin Vuille <martin_vuille> |
| Component: | samba | Assignee: | Orphan Owner <extras-orphan> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 24 | CC: | abokovoy, anoopcs, asn, extras-orphan, gdeschner, jarrpa, lists, lmohanty, madam, martin_vuille, milan.kerslager, sbose, ssorce |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Last Closed: | 2017-05-24 09:22:48 UTC | Type: | Bug |
Changed component from samba4 (which seems to be obsolete) to samba

Upgraded samba to 4.4.5-1 from fedora24-updates, issue still present

log.winbindd-idmap has changed slightly, no longer seeing "unable to stat module"

Still seeing SELinux errors as above

[2016/08/01 14:38:37.794851, 10, pid=1161, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1924(cm_open_connection)
  cm_open_connection: dcname is 'MIMIR' for domain YGGDRASIL
[2016/08/01 14:38:37.798119, 10, pid=1161, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1030(cm_prepare_connection)
  cm_prepare_connection: connecting to DC MIMIR for domain YGGDRASIL
[2016/08/01 14:38:37.799741, 5, pid=1161, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1149(cm_prepare_connection)
  connecting to MIMIR from THOR using NTLMSSP with username [YGGDRASIL]\[THOR$]
[2016/08/01 14:38:37.803687, 0] ../libcli/smb/smb_signing.c:138(smb_signing_good)
  smb_signing_good: BAD SIG: seq 1
[2016/08/01 14:38:37.803758, 4, pid=1161, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1191(cm_prepare_connection)
  authenticated session setup failed with NT_STATUS_ACCESS_DENIED

The problem is still present in Fedora 24.
Joining to classic NT4 style domain fails in Fedora 24, but works in Fedora 20.
$ net join -w oalib.cz -U root
Failed to join domain: failed to find DC for domain OALIB.CZ
$ net rpc oldjoin -w oalib.cz -U root
Failed to join domain: failed to find DC for domain OALIB.CZ
When trying to debug the problem, it seems like the net command is trying to join AD instead of a classic domain:
$ net join -w oalib.cz -U root -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface enp8s0 ip=10.0.0.35 bcast=10.0.255.255 netmask=255.255.0.0
get_dc_list: preferred server list: ", *"
ads_find_dc: name resolution for realm '' (domain 'OALIB.CZ') failed: NT_STATUS_NO_LOGON_SERVERS
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'PITOMA'
domain_name : *
domain_name : 'OALIB.CZ'
domain_name_type : JoinDomNameTypeUnknown (0)
account_ou : NULL
admin_account : ''
admin_domain : NULL
machine_password : NULL
join_flags : 0x000000c1 (193)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
1: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
1: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
0: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
os_servicepack : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
desired_encryption_types : 0x0000001f (31)
dns_send_req: Failed to resolve _ldap._tcp.dc._msdcs.OALIB.CZ (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to find DC for domain OALIB.CZ'
domain_is_ad : 0x00 (0)
set_encryption_types : 0x00000000 (0)
result : WERR_DCNOTFOUND
Enter root's password:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'PITOMA'
domain_name : *
domain_name : 'OALIB.CZ'
domain_name_type : JoinDomNameTypeUnknown (0)
account_ou : NULL
admin_account : 'root'
admin_domain : NULL
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
os_servicepack : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
desired_encryption_types : 0x0000001f (31)
dns_send_req: Failed to resolve _ldap._tcp.dc._msdcs.OALIB.CZ (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to find DC for domain OALIB.CZ'
domain_is_ad : 0x00 (0)
set_encryption_types : 0x00000000 (0)
result : WERR_DCNOTFOUND
Failed to join domain: failed to find DC for domain OALIB.CZ
Enter root's password: <password entered>
return code = -1
$ net rpc oldjoin -w oalib.cz -U root -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface enp8s0 ip=10.0.0.35 bcast=10.0.255.255 netmask=255.255.0.0
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'PITOMA'
domain_name : *
domain_name : 'OALIB.CZ'
domain_name_type : JoinDomNameTypeUnknown (0)
account_ou : NULL
admin_account : ''
admin_domain : NULL
machine_password : NULL
join_flags : 0x000000c1 (193)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
1: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
1: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
0: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
os_servicepack : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
desired_encryption_types : 0x0000001f (31)
dns_send_req: Failed to resolve _ldap._tcp.dc._msdcs.OALIB.CZ (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to find DC for domain OALIB.CZ'
domain_is_ad : 0x00 (0)
set_encryption_types : 0x00000000 (0)
result : WERR_DCNOTFOUND
Failed to join domain: failed to find DC for domain OALIB.CZ
return code = -1
Debug output from Fedora 20 working setup for comparison:
=========================================================
$ net join -w pslib.cz -U root -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface p4p1 ip=10.0.50.4 bcast=10.0.255.255 netmask=255.255.0.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
get_dc_list: preferred server list: ", *"
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1c>
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1c>
resolve_wins: using WINS server 10.0.0.2 and tag '*'
Got a positive name query response from 10.0.0.2 ( 10.0.0.2 )
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 10.0.0.2 failed.
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1b>
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1b>
resolve_wins: using WINS server 10.0.0.2 and tag '*'
Got a positive name query response from 10.0.0.2 ( 10.0.0.2 )
Connecting to 10.0.0.2 at port 445
rpccli_netlogon_set_trust_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Enter root's password:
I made a mistake in previous post. Working F20 setup for joining NT4 domain:

$ net join -w oalib.cz -U root -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface p4p1 ip=10.0.50.4 bcast=10.0.255.255 netmask=255.255.0.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
get_dc_list: preferred server list: ", *"
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1c>
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1c>
resolve_wins: using WINS server 10.0.0.2 and tag '*'
Got a positive name query response from 10.0.0.2 ( 10.0.0.2 )
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 10.0.0.2 failed.
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1b>
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1b>
resolve_wins: using WINS server 10.0.0.2 and tag '*'
Got a positive name query response from 10.0.0.2 ( 10.0.0.2 )
Connecting to 10.0.0.2 at port 445
rpccli_netlogon_set_trust_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Enter root's password:
Connecting to 10.0.0.2 at port 445
Doing spnego session setup (blob length=42)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Connecting to 10.0.0.2 at port 445
Joined domain OALIB.CZ.
return code = 0

Can you provide these logs with -d10?
Description of problem:
Computer is a member of NT domain. DC is samba 3.6.12

Since upgrading from F22 -> F23, domain logins no longer work: "Domain Controller unreachable, using cached credentials instead."

I'm seeing the following errors in log.winbindd-idmap:

[2016/07/22 11:23:28.791764, 10, pid=1153, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1917(cm_open_connection)
  cm_open_connection: dcname is 'MIMIR' for domain YGGDRASIL
[2016/07/22 11:23:28.793277, 10, pid=1153, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1023(cm_prepare_connection)
  cm_prepare_connection: connecting to DC MIMIR for domain YGGDRASIL
ldb: unable to stat module /usr/lib64/samba/ldb : No such file or directory
[2016/07/22 11:23:28.794755, 5, pid=1153, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1142(cm_prepare_connection)
  connecting to MIMIR from THOR using NTLMSSP with username [YGGDRASIL]\[THOR$]
[2016/07/22 11:23:28.798607, 0] ../libcli/smb/smb_signing.c:138(smb_signing_good)
  smb_signing_good: BAD SIG: seq 1
[2016/07/22 11:23:28.798690, 4, pid=1153, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1184(cm_prepare_connection)
  authenticated session setup failed with NT_STATUS_ACCESS_DENIED

and I am also seeing SELinux errors for winbindd:

time->Fri Jul 22 09:45:06 2016
type=PROCTITLE msg=audit(1469195106.880:3563): proctitle="/usr/sbin/winbindd"
type=PATH msg=audit(1469195106.880:3563): item=0 name="/var/lib/samba/private/msg.sock/1207" inode=2502647 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:samba_var_t:s0 nametype=NORMAL
type=CWD msg=audit(1469195106.880:3563): cwd="/"
type=SOCKADDR msg=audit(1469195106.880:3563): saddr=01002F7661722F6C69622F73616D62612F707269766174652F6D73672E736F636B2F31323037000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1469195106.880:3563): arch=c000003e syscall=46 success=no exit=-13 a0=7 a1=7fff67c8aaa0 a2=0 a3=0 items=1 ppid=1137 pid=1139 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1469195106.880:3563): avc: denied { sendto } for pid=1139 comm="winbindd" path="/var/lib/samba/private/msg.sock/1207" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=unix_dgram_socket permissive=0

Version-Release number of selected component (if applicable):
samba 4.3.11-1.fc23

How reproducible:
100% reproducible

Steps to Reproduce:
1. Login to domain member using domain account

Actual results:
Login fails: "Domain Controller unreachable, using cached credentials instead."

Expected results:
Login succeeds

Additional info:
This ticket https://bugzilla.redhat.com/show_bug.cgi?id=1337569 seems to be the same issue (at least "unable to stat" part) and suggests there is a fix in samba 4.4.3-6
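
An added example, not part of the original report: decoding the hex `saddr` field and the AVC record from the SELinux errors quoted in the description shows which socket and which SELinux types the denial involves. The sample input is constructed from the records in the report with the `saddr` zero padding shortened, and the function names are this example's own.

```python
import re

# Constructed sample: records from the report; saddr zero padding shortened.
SAMPLE = (
    'type=SOCKADDR msg=audit(1469195106.880:3563): saddr=01002F7661722F6C6962'
    '2F73616D62612F707269766174652F6D73672E736F636B2F3132303700000000\n'
    'type=AVC msg=audit(1469195106.880:3563): avc: denied { sendto } for pid=1139 '
    'comm="winbindd" path="/var/lib/samba/private/msg.sock/1207" '
    'scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:nmbd_t:s0 '
    'tclass=unix_dgram_socket permissive=0\n'
)
RECORD = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)')
AVC = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_saddr(hex_saddr):
    """Return (family, path) for an audit saddr value; only AF_UNIX is decoded."""
    raw = bytes.fromhex(hex_saddr)
    family = int.from_bytes(raw[:2], "little")  # sa_family_t as stored on x86_64
    if family != 1:
        return family, None
    name = raw[2:]
    if name[:1] == b"\0":                       # abstract socket: name follows a NUL
        return family, "@" + name[1:].rstrip(b"\0").decode(errors="replace")
    return family, name.split(b"\0", 1)[0].decode(errors="replace")

def parse_avc(body):
    """Split an AVC denial into permissions, key=value fields and SELinux types."""
    m = AVC.search(body)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    # A context is user:role:type:level; policy rules are written against the type.
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    return fields

def correlate(audit_text):
    """Group records by audit event id so each AVC lines up with its SOCKADDR."""
    events = {}
    for rtype, event_id, body in RECORD.findall(audit_text):
        event = events.setdefault(event_id, {})
        saddr = re.search(r'saddr=([0-9A-Fa-f]+)', body)
        if rtype == "AVC":
            event["avc"] = parse_avc(body)
        elif rtype == "SOCKADDR" and saddr:
            event["sockaddr"] = decode_saddr(saddr.group(1))
    return events
```

`correlate(SAMPLE)` returns a single event in which the decoded socket path matches the AVC `path` field: `winbind_t` was denied `sendto` on a `unix_dgram_socket` labelled `nmbd_t`, with `permissive=0`.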