Description of problem:
Computer is a member of NT domain. DC is samba 3.6.12.
Since upgrading from F22 -> F23, domain logins no longer work: "Domain Controller unreachable, using cached credentials instead."

I'm seeing the following errors in log.winbindd-idmap:

[2016/07/22 11:23:28.791764, 10, pid=1153, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1917(cm_open_connection)
  cm_open_connection: dcname is 'MIMIR' for domain YGGDRASIL
[2016/07/22 11:23:28.793277, 10, pid=1153, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1023(cm_prepare_connection)
  cm_prepare_connection: connecting to DC MIMIR for domain YGGDRASIL
ldb: unable to stat module /usr/lib64/samba/ldb : No such file or directory
[2016/07/22 11:23:28.794755, 5, pid=1153, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1142(cm_prepare_connection)
  connecting to MIMIR from THOR using NTLMSSP with username [YGGDRASIL]\[THOR$]
[2016/07/22 11:23:28.798607, 0] ../libcli/smb/smb_signing.c:138(smb_signing_good)
  smb_signing_good: BAD SIG: seq 1
[2016/07/22 11:23:28.798690, 4, pid=1153, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1184(cm_prepare_connection)
  authenticated session setup failed with NT_STATUS_ACCESS_DENIED

and I am also seeing SELinux errors for winbindd:

time->Fri Jul 22 09:45:06 2016
type=PROCTITLE msg=audit(1469195106.880:3563): proctitle="/usr/sbin/winbindd"
type=PATH msg=audit(1469195106.880:3563): item=0 name="/var/lib/samba/private/msg.sock/1207" inode=2502647 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:samba_var_t:s0 nametype=NORMAL
type=CWD msg=audit(1469195106.880:3563): cwd="/"
type=SOCKADDR msg=audit(1469195106.880:3563): saddr=01002F7661722F6C69622F73616D62612F707269766174652F6D73672E736F636B2F31323037000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1469195106.880:3563): arch=c000003e syscall=46 success=no exit=-13 a0=7 a1=7fff67c8aaa0 a2=0 a3=0 items=1 ppid=1137 pid=1139 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1469195106.880:3563): avc: denied { sendto } for pid=1139 comm="winbindd" path="/var/lib/samba/private/msg.sock/1207" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=unix_dgram_socket permissive=0

Version-Release number of selected component (if applicable):
samba 4.3.11-1.fc23

How reproducible:
100% reproducible

Steps to Reproduce:
1. Login to domain member using domain account

Actual results:
Login fails: "Domain Controller unreachable, using cached credentials instead."

Expected results:
Login succeeds

Additional info:
This ticket https://bugzilla.redhat.com/show_bug.cgi?id=1337569 seems to be the same issue (at least "unable to stat" part) and suggests there is a fix in samba 4.4.3-6
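For triage of the SELinux records in the report above, the following added example (not part of the original report or of Samba) groups audit records by event serial, decodes the hex `saddr` into the socket path, and extracts the source type, target type and class of the denial. The function names are hypothetical, and the sample is constructed from the report's own records with the `saddr` zero padding shortened.

```python
import re

# Constructed sample: the SOCKADDR and AVC records of audit event 3563 from the
# report above (saddr zero padding shortened, AVC record unchanged).
SAMPLE = """\
type=SOCKADDR msg=audit(1469195106.880:3563): saddr=01002F7661722F6C69622F73616D62612F707269766174652F6D73672E736F636B2F313230370000
type=AVC msg=audit(1469195106.880:3563): avc: denied { sendto } for pid=1139 comm="winbindd" path="/var/lib/samba/private/msg.sock/1207" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=unix_dgram_socket permissive=0
"""

RECORD_RE = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")

def decode_unix_saddr(hex_saddr):
    """Decode an AF_UNIX sockaddr from audit hex; None for other families."""
    raw = bytes.fromhex(hex_saddr)
    # sa_family is in host byte order; arch=c000003e (x86_64) is little-endian.
    if int.from_bytes(raw[:2], "little") != 1:  # 1 == AF_UNIX
        return None
    return raw[2:].split(b"\0", 1)[0].decode("utf-8", "replace")

def summarize_denials(text):
    """Group records by event serial and describe each AVC denial."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            events.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
    results = []
    for serial, recs in events.items():
        if "AVC" not in recs:
            continue
        avc = {k: v.strip('"') for k, v in FIELD_RE.findall(recs["AVC"])}
        perm = PERM_RE.search(recs["AVC"])
        saddr = dict(FIELD_RE.findall(recs.get("SOCKADDR", ""))).get("saddr")
        results.append({
            "serial": serial,
            "perms": perm.group(1).split() if perm else [],
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"],
            "socket_path": decode_unix_saddr(saddr) if saddr else None,
        })
    return results
```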
Changed component from samba4 (which seems to be obsolete) to samba
Upgraded samba to 4.4.5-1 from fedora24-updates, issue still present.
log.winbindd-idmap has changed slightly, no longer seeing "unable to stat module".
Still seeing SELinux errors as above.

2016/08/01 14:38:37.794851, 10, pid=1161, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1924(cm_open_connection)
  cm_open_connection: dcname is 'MIMIR' for domain YGGDRASIL
[2016/08/01 14:38:37.798119, 10, pid=1161, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1030(cm_prepare_connection)
  cm_prepare_connection: connecting to DC MIMIR for domain YGGDRASIL
[2016/08/01 14:38:37.799741, 5, pid=1161, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1149(cm_prepare_connection)
  connecting to MIMIR from THOR using NTLMSSP with username [YGGDRASIL]\[THOR$]
[2016/08/01 14:38:37.803687, 0] ../libcli/smb/smb_signing.c:138(smb_signing_good)
  smb_signing_good: BAD SIG: seq 1
[2016/08/01 14:38:37.803758, 4, pid=1161, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1191(cm_prepare_connection)
  authenticated session setup failed with NT_STATUS_ACCESS_DENIED
The problem is still present in Fedora 24. Joining a classic NT4-style domain fails in Fedora 24, but works in Fedora 20.

$ net join -w oalib.cz -U root
Failed to join domain: failed to find DC for domain OALIB.CZ

$ net rpc oldjoin -w oalib.cz -U root
Failed to join domain: failed to find DC for domain OALIB.CZ

When trying to debug the problem, it seems like the net command is trying to join AD instead of a classic domain:

net join -w oalib.cz -U root -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface enp8s0 ip=10.0.0.35 bcast=10.0.255.255 netmask=255.255.0.0
get_dc_list: preferred server list: ", *"
ads_find_dc: name resolution for realm '' (domain 'OALIB.CZ') failed: NT_STATUS_NO_LOGON_SERVERS
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name : NULL
            machine_name : 'PITOMA'
            domain_name : *
                domain_name : 'OALIB.CZ'
            domain_name_type : JoinDomNameTypeUnknown (0)
            account_ou : NULL
            admin_account : ''
            admin_domain : NULL
            machine_password : NULL
            join_flags : 0x000000c1 (193)
                0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                1: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                1: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                0: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                0: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version : NULL
            os_name : NULL
            os_servicepack : NULL
            create_upn : 0x00 (0)
            upn : NULL
            modify_config : 0x00 (0)
            ads : NULL
            debug : 0x01 (1)
            use_kerberos : 0x00 (0)
            secure_channel_type : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
dns_send_req: Failed to resolve _ldap._tcp.dc._msdcs.OALIB.CZ (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name : NULL
            netbios_domain_name : NULL
            dns_domain_name : NULL
            forest_name : NULL
            dn : NULL
            domain_sid : NULL
                domain_sid : (NULL SID)
            modified_config : 0x00 (0)
            error_string : 'failed to find DC for domain OALIB.CZ'
            domain_is_ad : 0x00 (0)
            set_encryption_types : 0x00000000 (0)
            result : WERR_DCNOTFOUND
Enter root's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name : NULL
            machine_name : 'PITOMA'
            domain_name : *
                domain_name : 'OALIB.CZ'
            domain_name_type : JoinDomNameTypeUnknown (0)
            account_ou : NULL
            admin_account : 'root'
            admin_domain : NULL
            machine_password : NULL
            join_flags : 0x00000023 (35)
                0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version : NULL
            os_name : NULL
            os_servicepack : NULL
            create_upn : 0x00 (0)
            upn : NULL
            modify_config : 0x00 (0)
            ads : NULL
            debug : 0x01 (1)
            use_kerberos : 0x00 (0)
            secure_channel_type : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
dns_send_req: Failed to resolve _ldap._tcp.dc._msdcs.OALIB.CZ (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name : NULL
            netbios_domain_name : NULL
            dns_domain_name : NULL
            forest_name : NULL
            dn : NULL
            domain_sid : NULL
                domain_sid : (NULL SID)
            modified_config : 0x00 (0)
            error_string : 'failed to find DC for domain OALIB.CZ'
            domain_is_ad : 0x00 (0)
            set_encryption_types : 0x00000000 (0)
            result : WERR_DCNOTFOUND
Failed to join domain: failed to find DC for domain OALIB.CZ
Enter root's password: <password entered>
return code = -1

$ net rpc oldjoin -w oalib.cz -U root -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface enp8s0 ip=10.0.0.35 bcast=10.0.255.255 netmask=255.255.0.0
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name : NULL
            machine_name : 'PITOMA'
            domain_name : *
                domain_name : 'OALIB.CZ'
            domain_name_type : JoinDomNameTypeUnknown (0)
            account_ou : NULL
            admin_account : ''
            admin_domain : NULL
            machine_password : NULL
            join_flags : 0x000000c1 (193)
                0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                1: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                1: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                0: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                0: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version : NULL
            os_name : NULL
            os_servicepack : NULL
            create_upn : 0x00 (0)
            upn : NULL
            modify_config : 0x00 (0)
            ads : NULL
            debug : 0x01 (1)
            use_kerberos : 0x00 (0)
            secure_channel_type : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
dns_send_req: Failed to resolve _ldap._tcp.dc._msdcs.OALIB.CZ (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name : NULL
            netbios_domain_name : NULL
            dns_domain_name : NULL
            forest_name : NULL
            dn : NULL
            domain_sid : NULL
                domain_sid : (NULL SID)
            modified_config : 0x00 (0)
            error_string : 'failed to find DC for domain OALIB.CZ'
            domain_is_ad : 0x00 (0)
            set_encryption_types : 0x00000000 (0)
            result : WERR_DCNOTFOUND
Failed to join domain: failed to find DC for domain OALIB.CZ
return code = -1

Debug output from Fedora 20 working setup for comparison:
=========================================================
$ net join -w pslib.cz -U root -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface p4p1 ip=10.0.50.4 bcast=10.0.255.255 netmask=255.255.0.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
get_dc_list: preferred server list: ", *"
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1c>
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1c>
resolve_wins: using WINS server 10.0.0.2 and tag '*'
Got a positive name query response from 10.0.0.2 ( 10.0.0.2 )
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 10.0.0.2 failed.
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1b>
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1b>
resolve_wins: using WINS server 10.0.0.2 and tag '*'
Got a positive name query response from 10.0.0.2 ( 10.0.0.2 )
Connecting to 10.0.0.2 at port 445
rpccli_netlogon_set_trust_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Enter root's password:
I made a mistake in the previous post. Working F20 setup for joining NT4 domain:

$ net join -w oalib.cz -U root -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface p4p1 ip=10.0.50.4 bcast=10.0.255.255 netmask=255.255.0.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
get_dc_list: preferred server list: ", *"
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1c>
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1c>
resolve_wins: using WINS server 10.0.0.2 and tag '*'
Got a positive name query response from 10.0.0.2 ( 10.0.0.2 )
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 10.0.0.2 failed.
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1b>
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1b>
resolve_wins: using WINS server 10.0.0.2 and tag '*'
Got a positive name query response from 10.0.0.2 ( 10.0.0.2 )
Connecting to 10.0.0.2 at port 445
rpccli_netlogon_set_trust_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Enter root's password:
Connecting to 10.0.0.2 at port 445
Doing spnego session setup (blob length=42)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Connecting to 10.0.0.2 at port 445
Joined domain OALIB.CZ.
return code = 0
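The difference between the failing Fedora 24 trace and the working Fedora 20 trace above can be checked mechanically. This added example (not part of the original comments or of Samba) reports which DC location methods a `net ... -d3` trace attempted. The function name and verdict strings are hypothetical, and the samples are constructed from lines of the two traces.

```python
import re

# Constructed samples: lines copied from the two -d3 traces quoted above.
F24_TRACE = """\
get_dc_list: preferred server list: ", *"
ads_find_dc: name resolution for realm '' (domain 'OALIB.CZ') failed: NT_STATUS_NO_LOGON_SERVERS
dns_send_req: Failed to resolve _ldap._tcp.dc._msdcs.OALIB.CZ (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
"""
F20_TRACE = """\
get_dc_list: preferred server list: ", *"
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1c>
resolve_wins: using WINS server 10.0.0.2 and tag '*'
Got a positive name query response from 10.0.0.2 ( 10.0.0.2 )
resolve_lmhosts: Attempting lmhosts lookup for name OALIB.CZ<0x1b>
Connecting to 10.0.0.2 at port 445
"""

# _ldap._tcp.dc._msdcs.<domain> is the AD DC locator SRV record; NetBIOS names
# <0x1c> (domain controllers) and <0x1b> (domain master browser) locate NT4 DCs.
PATTERNS = [
    ("dns-srv", re.compile(r"Failed to resolve (_ldap\._tcp\.\S+)")),
    ("lmhosts", re.compile(r"resolve_lmhosts: .* name \S+<0x([0-9a-fA-F]{2})>")),
    ("wins", re.compile(r"resolve_wins: using WINS server (\S+)")),
]

def dc_location_profile(trace):
    """Return lookup methods in first-seen order, NetBIOS types and a verdict."""
    methods, nb_types = [], set()
    for line in trace.splitlines():
        for name, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            if name not in methods:
                methods.append(name)
            if name == "lmhosts":
                nb_types.add(int(match.group(1), 16))
    if "lmhosts" in methods or "wins" in methods:
        verdict = "NetBIOS lookup attempted (NT4-style DC location)"
    elif "dns-srv" in methods:
        verdict = "DNS SRV only (AD-style DC location)"
    else:
        verdict = "no DC lookup seen"
    return {"methods": methods, "netbios_types": sorted(nb_types), "verdict": verdict}
```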
Can you provide these logs with -d10?