DNS and GENSEC issues when running the samba binary

Hi,

After starting the following command:

    $ sudo bin/samba -i -M single -d4

I got the errors below periodically.

I have a Windows Server 2008 DC on 143.106.167.147 and the samba DC is on 143.106.167.143. The AD full domain name is "winserverad.ltc.inovasoft.unicamp.br". I have a bind9 server that has a zone for "winserverad.ltc.inovasoft.unicamp.br" that forwards the requests to the w2k8 DNS server. Before running the binary, I ran scripting/devel/drs/vampire_ad.sh to vampire w2k8 AD.

The name "a7b3d65b-2a90-4786-ad93-cdee0850bff8._msdcs.winserverad.ltc.inovasoft.unicamp.br" should be resolved to the w2k8 server IP (I can't resolve this name on my Linux box). After a restart of the w2k8 server, the GENSEC issues disappeared, but now they are appearing again. I'm using the git tree with revision number 4a4f420481cae5ba82a42d6763d3732defccac24 (October 15).

Contents of /etc/resolv.conf:

    domain ltc.inovasoft.unicamp.br
    search WINSERVERAD.LTC.INOVASOFT.UNICAMP.BR ltc.inovasoft.unicamp.br
    nameserver 127.0.0.1

The errors:

    [...]
    dreplsrv_periodic_schedule(5) scheduled for: Wed Nov 4 02:18:49 2009 BRST
    Mapped to DCERPC endpoint 135
    added interface ip=143.106.167.143 nmask=255.255.255.224
    added interface ip=127.0.0.1 nmask=255.0.0.0
    dreplsrv_notify_schedule(5) scheduled for: Wed Nov 4 02:18:49 2009 BRST
    dns child failed to find name 'a7b3d65b-2a90-4786-ad93-cdee0850bff8._msdcs.winserverad.ltc.inovasoft.unicamp.br' of type A
    dreplsrv_op_pull_source(WERR_BADFILE/NT_STATUS_NO_SUCH_DEVICE) failures[1]
    added interface ip=143.106.167.143 nmask=255.255.255.224
    added interface ip=127.0.0.1 nmask=255.0.0.0
    Could not find GENSEC backend for auth_type=16
    Failed to start GENSEC client mechanism (null): NT_STATUS_INVALID_PARAMETER
    Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 - NT_STATUS_INVALID_PARAMETER
    dreplsrv_op_pull_source(WERR_INVALID_PARAM/NT_STATUS_INVALID_INFO_CLASS) failures[1]
    [...]

Is there any additional configuration needed to solve that?

Thanks,
Erick Nogueira do Nascimento

Re: DNS and GENSEC issues when running the samba binary

Hi guys,

I'm having exactly the same problem here. Does anyone have any idea of what might be causing this issue?

It seems to be a missed step during the setup of Samba and Windows but I can't find out where is the problem.

Thanks.

--
Eduardo Lima
Sent from Campinas, SP, Brazil

Re: DNS and GENSEC issues when running the samba binary

I just noticed something by looking at Erick's log. I don't even know if it's related to this problem but I'm wondering why it happens.

Here's part of the error log:

    Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 - NT_STATUS_INVALID_PARAMETER

That UUID is the same one that is shown when I try to run "samba" here, on my machine. They're different computers, different domains. Shouldn't those UUIDs be different for each one of us?

--
Crístian Deives dos Santos Viana [aka CD1]

Re: DNS and GENSEC issues when running the samba binary

On Fri, 2009-11-06 at 16:55 -0200, Crístian Viana wrote:
> I just noticed something by looking at Erick's log. I don't even know if
> it's related to this problem but I'm wondering why it happens.
>
> Here's part of the error log:
>
> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 - NT_STATUS_INVALID_PARAMETER

The NT_STATUS_INVALID_PARAMETER may be due to Kerberos not working. If we can't contact the KDC, then the Kerberos mechanisms return this error to indicate that they can't be used. The code requires kerberos (for Win2000 compatibility), and so this error is returned.

> That UUID is the same one that is shown when I try to run "samba" here, on
> my machine. They're different computers, different domains. Shouldn't those
> UUIDs be different for each one of us?

This is a pipe UUID.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.

Re: DNS and GENSEC issues when running the samba binary

Hi Eduardo and Erick,

This almost certainly means your bind9 configuration is incorrect. To diagnose/fix these types of problems you should do this:

1) first check that you can resolve the name using the 'host' command on Linux, pointing it directly at the windows box. For example:

    host -t SRV _ldap._tcp.DOMAIN 143.106.167.147

where DOMAIN is the DNS domain name you are looking for. In the example Erick gave this would be:

    winserverad.ltc.inovasoft.unicamp.br

You should get back something like this:

    _ldap._tcp.DOMAIN has SRV record 0 100 389 xxx.DOMAIN

where 'xxx' is the hostname of the DC.

If that doesn't work, then either you have the wrong name, or your windows DC is not configured correctly. Is 'winserverad' really the name of the Windows domain?

2) when that works, then try it on the name that is failing in the logs (the GUID name in _msdcs). It is probably a CNAME so change the query from a SRV record to a CNAME

3) once that works, you need to make sure your local bind9 config is right. For example, in /etc/named.conf.local you may have an entry like this:

    zone "winserverad.ltc.inovasoft.unicamp.br" IN {
        type forward;
        forwarders {
            143.106.167.147;
        };
    };

Alternatively, you may be using an include file. Now restart bind (with /etc/init.d/bind9 restart) and look in its syslog file (try /var/log/daemon.log). Does it report any errors? A very common cause of errors is apparmor restrictions. Try running aa-logprof and see if bind9 is asking for permissions on any files that apparmor is denying.

3) when you think you have the bind9 config right, try the 'host' command again but pointing at localhost:

    host -t SRV _ldap._tcp.DOMAIN 127.0.0.1

If it doesn't work then look carefully again at your bind9 config. Check for errors in the bind9 log file.

Cheers, Tridge

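The resolution checks described in the reply above, as an added example that is not part of the original post: it queries the DC directly, then the local bind9, and reports the first check that fails. HOST_CMD is a hypothetical override for exercising the logic without a network, and the GUID name is queried as a CNAME as the reply suggests.

```shell
#!/bin/sh
# Added example, not Samba code. HOST_CMD is a hypothetical override (an
# assumption of this example); by default the real host(1) command is used.
HOST_CMD=${HOST_CMD:-host}

# query TYPE NAME SERVER -> succeeds only if SERVER returned a record of TYPE.
# The matched strings are the ones host(1) prints for SRV and CNAME answers.
query() {
    out=$($HOST_CMD -t "$1" "$2" "$3" 2>&1) || return 1
    case $1 in
        SRV)   echo "$out" | grep -q 'has SRV record' ;;
        CNAME) echo "$out" | grep -q 'is an alias for' ;;
    esac
}

# diagnose DOMAIN GUID DC_IP -> prints the first failing check and returns
# 1..4 for it; returns 0 when the DC and the local resolver both answer.
diagnose() {
    domain=$1 guid=$2 dc=$3
    srv="_ldap._tcp.$domain"
    cname="$guid._msdcs.$domain"

    query SRV "$srv" "$dc" || {
        echo "DC $dc: no SRV for $srv (wrong domain name or DC DNS setup)"
        return 1; }
    query CNAME "$cname" "$dc" || {
        echo "DC $dc: no CNAME for $cname"
        return 2; }
    query SRV "$srv" 127.0.0.1 || {
        echo "local bind9: no SRV for $srv (check forward zone, bind9 log, AppArmor)"
        return 3; }
    query CNAME "$cname" 127.0.0.1 || {
        echo "local bind9: no CNAME for $cname"
        return 4; }
    echo "all checks passed"
}

# Usage: sh check-ad-dns.sh DOMAIN GUID DC_IP
if [ $# -eq 3 ]; then diagnose "$@"; fi
```

A return value of 3 or 4 with the DC checks passing points at the local forwarder rather than at the Windows DNS server.

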
Re: DNS and GENSEC issues when running the samba binary

Hi Crístian,

> Here's part of the error log:
>
> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 - NT_STATUS_INVALID_PARAMETER
>
> That UUID is the same one that is shown when I try to run "samba" here, on
> my machine. They're different computers, different domains. Shouldn't those
> UUIDs be different for each one of us?

UUIDs are used for both machine specific IDs and for IDs that are common to all computers. In this case the above ID is the 'pipe' UUID of the DRSUAPI pipe. If you look in librpc/idl/drsuapi.idl then you'll see a line like this:

    uuid("e3514235-4b06-11d1-ab04-00c04fc2dcd2")

which says that this pipe is identified by that UUID.

If you see a UUID and wonder if it might be a fixed uuid like this, then try "git grep" to find it in the Samba source code. For example:

    git grep -i -n e3514235-4b06-11d1-ab04-00c04fc2dcd2

run that in the top level directory and it will show you any cases where that UUID is embedded in the Samba source code. You could also put it into a Google search.

Cheers, Tridge

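The lookup described in the reply above, carried one step further as an added example that is not part of the original post: it pulls every UUID out of a log and reports whether each is declared as an interface UUID in an IDL file. The IDL fragment is constructed in the style of drsuapi.idl, the log lines are the two quoted in this thread, and the directory argument is an assumption standing in for librpc/idl in a Samba checkout.

```shell
# Added example, not Samba code. The DIR argument is an assumption: point it
# at librpc/idl in a Samba checkout.

# interface_for_uuid UUID DIR -> prints the interface declared with that UUID
interface_for_uuid() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    for f in "$2"/*.idl; do
        [ -f "$f" ] || continue
        awk -v want="$want" '
            match($0, /uuid\("[0-9A-Fa-f-]+"\)/) {   # remember latest uuid("...")
                cur = tolower(substr($0, RSTART + 6, RLENGTH - 8))
            }
            $1 == "interface" {                       # attribute block ends here
                if (cur == want) { print $2; found = 1; exit }
                cur = ""
            }
            END { exit !found }
        ' "$f" && return 0
    done
    return 1
}

# classify_log LOG DIR -> one "UUID<TAB>verdict" line per distinct UUID in LOG
classify_log() {
    grep -oiE '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}' "$1" | sort -u |
    while read -r u; do
        if name=$(interface_for_uuid "$u" "$2"); then
            printf '%s\tfixed interface UUID (%s)\n' "$u" "$name"
        else
            printf '%s\tnot in IDL, instance-specific\n' "$u"
        fi
    done
}

# Constructed sample: an IDL fragment in the style of drsuapi.idl and two log
# lines quoted in this thread. Prints the temporary directory it created.
make_sample() {
    d=$(mktemp -d)
    printf '[\n  uuid("e3514235-4b06-11d1-ab04-00c04fc2dcd2"),\n  version(4.0)\n]\ninterface drsuapi\n{\n}\n' > "$d/drsuapi.idl"
    cat > "$d/samba.log" <<'EOF'
dns child failed to find name 'a7b3d65b-2a90-4786-ad93-cdee0850bff8._msdcs.winserverad.ltc.inovasoft.unicamp.br' of type A
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 - NT_STATUS_INVALID_PARAMETER
EOF
    echo "$d"
}

d=$(make_sample) && classify_log "$d/samba.log" "$d" && rm -rf "$d"
```

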
Re: DNS and GENSEC issues when running the samba binary

Hi Tridge,

Is it possible to this problem be a bug in the samba's code?

Everything was configured as expected. Provision and Vampire were working well, but the replication was failing. Then I did a "git pull" and the "GENSEC" message is not appearing anymore but the replication is only working from Windows to Samba. From Samba to Windows it is still not replicating.

Thanks.

--
Eduardo Lima
Sent from Campinas, SP, Brazil

Re: DNS and GENSEC issues when running the samba binary

Hi Eduardo,

> Is it possible to this problem be a bug in the samba's code?

there are probably hundreds of bugs in this code, so yes, it could be a Samba bug.

> Everything was configured as expected. Provision and Vampire were working
> well, but the replication was failing. Then I did a "git pull" and the
> "GENSEC" message is not appearing anymore but the replication is only
> working from Windows to Samba. From Samba to Windows it is still not
> replicating.

I'd need a lot more detail on exactly what is going wrong (what messages are displayed) to help you diagnose this. Saying it is "failing" doesn't really tell me much.

If you like, you could also setup your test machine to allow me to ssh in, and we can use a shared screen session to help debug it. Grab me on IRC to organise this if you want to.

Cheers, Tridge