Hello,
my DC master has a massive problem with Samba. First I noticed that logging in to Nagios no longer works. While troubleshooting, I discovered that 2 join scripts are pending.
Running the join scripts does not work. I could not make sense of the errors in the log file, so I tried to get further via the console, with the following result:
root@thhoe108:~# samba-tool drs kcc
Could not find machine account in secrets database: Failed to fetch machine account password for THHOE from both secrets.ldb (Could not find entry to match filter: '(&(flatname=THHOE)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at …/source4/dsdb/common/util.c:4576) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Failed to connect host 127.0.1.1 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 127.0.1.1 (thhoe108.thhoe.lan) on port 135 - NT_STATUS_CONNECTION_REFUSED.
Failed to connect host 127.0.1.1 on port 1024 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 127.0.1.1 (thhoe108.thhoe.lan) on port 1024 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to thhoe108.thhoe.lan failed - drsException: DRS connection to thhoe108.thhoe.lan failed: (-1073741790, 'Access denied')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 41, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
root@thhoe108:~#
After that I ran all join scripts again. But that did not change anything.
that already looks very broken. You can try to have Samba4 completely re-provisioned. This discards the current content of the Samba4 files and regenerates them from the data in OpenLDAP.
univention-run-join-scripts started
Di 17. Okt 10:17:58 CEST 2017
RUNNING 97univention-s4-connector.inst
2017-10-17 10:17:58.758134005+02:00 (in joinscript_init)
17.10.17 10:18:00.167 DEBUG_INIT
UNIVENTION_DEBUG_BEGIN : uldap.__open host=thhoe108.thhoe.lan port=7389 base=dc=thhoe,dc=lan
UNIVENTION_DEBUG_END : uldap.__open host=thhoe108.thhoe.lan port=7389 base=dc=thhoe,dc=lan
Not updating connector/s4/ldap/host
Not updating connector/s4/ldap/base
Not updating connector/s4/ldap/ssl
Not updating connector/s4/mapping/group/language
Not updating connector/s4/ldap/protocol
Not updating connector/s4/ldap/socket
Object exists: cn=gPLink,cn=custom attributes,cn=univention,dc=thhoe,dc=lan
Object exists: cn=Builtin,dc=thhoe,dc=lan
Object exists: cn=System,dc=thhoe,dc=lan
Object exists: cn=Policies,cn=System,dc=thhoe,dc=lan
Object exists: ou=Domain Controllers,dc=thhoe,dc=lan
Object exists: cn=WMIPolicy,cn=System,dc=thhoe,dc=lan
Object exists: cn=SOM,cn=WMIPolicy,cn=System,dc=thhoe,dc=lan
Object exists: cn=ldapschema,cn=univention,dc=thhoe,dc=lan
INFO: No change of core data of object msgpo.
INFO: No change of core data of object mswmi.
Object exists: cn=udm_module,cn=univention,dc=thhoe,dc=lan
INFO: No change of core data of object container/msgpo.
No modification: cn=msgpo,cn=ldapschema,cn=univention,dc=thhoe,dc=lan
No modification: cn=mswmi,cn=ldapschema,cn=univention,dc=thhoe,dc=lan
No modification: cn=container/msgpo,cn=udm_module,cn=univention,dc=thhoe,dc=lan
Waiting for activation of the extension object msgpo: OK
Waiting for activation of the extension object mswmi: OK
Waiting for activation of the extension object container/msgpo: OK
Waiting for file /usr/share/pyshared/univention/admin/handlers/container/msgpo.py: OK
Terminating running univention-cli-server processes.
Object exists: cn=udm_module,cn=univention,dc=thhoe,dc=lan
INFO: No change of core data of object settings/mswmifilter.
No modification: cn=settings/mswmifilter,cn=udm_module,cn=univention,dc=thhoe,dc=lan
Waiting for activation of the extension object settings/mswmifilter: OK
Waiting for file /usr/share/pyshared/univention/admin/handlers/settings/mswmifilter.py: OK
Terminating running univention-cli-server processes.
Object exists: cn=ldapschema,cn=univention,dc=thhoe,dc=lan
INFO: No change of core data of object msprintconnectionpolicy.
Object exists: cn=udm_module,cn=univention,dc=thhoe,dc=lan
INFO: No change of core data of object settings/msprintconnectionpolicy.
No modification: cn=msprintconnectionpolicy,cn=ldapschema,cn=univention,dc=thhoe,dc=lan
No modification: cn=settings/msprintconnectionpolicy,cn=udm_module,cn=univention,dc=thhoe,dc=lan
Waiting for activation of the extension object msprintconnectionpolicy: OK
Waiting for activation of the extension object settings/msprintconnectionpolicy: OK
Waiting for file /usr/share/pyshared/univention/admin/handlers/settings/msprintconnectionpolicy.py: OK
Terminating running univention-cli-server processes.
Samba4 does not seem to be provisioned, exiting /usr/lib/univention-install/97univention-s4-connector.inst
EXITCODE=1
RUNNING 98univention-samba4-dns.inst
2017-10-17 10:18:15.128844852+02:00 (in joinscript_init)
Samba4 backend database not available yet, exiting joinscript 98univention-samba4-dns.
EXITCODE=1
Di 17. Okt 10:18:16 CEST 2017
univention-run-join-scripts finished
The procedure from the knowledge base article did not help.
The last thing that comes up is:
root@thhoe108:~# ldbedit -H /var/lib/samba/private/sam.ldb CN="RID Set" -b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)"
no matching records - cannot edit
root@thhoe108:~#
I could not get back to you over the last few days. Last week I also restored a backup, but I still have problems with it.
I changed the password. The log says: "Modified 1 records successfully
Changed password OK"
running [basic] - OK - univention_ldapsearch_machine_basic.sh
running [basic] - OK - joinstatus.sh
running [basic] - OK - secure_apt_is_activated.sh
running [basic] - OK - package_status.sh
running [basic] - OK - univention_ldapsearch_machine_kerberos.sh
running [basic] - OK - check_nagios_status.py
running [basic] - OK - check_for_dockerd_process.sh
running [basic] - OK - check_for_ntpd_process.sh
running [dns] - OK - forward_and_reverse_dns_kdc.sh
running [dns] - OK - forward_dns_myself.sh
running [listener] - OK - all_handlers_initialized.sh
running [listener] - OK - replication.sh
running [samba] - OK - check_guid_msdcs_dns_alias.sh
running [samba] - OK - check_s4_connector_autostart.sh
running [samba] - OK - check_winbind_idmap_range.sh
running [samba] - OK - check_for_temporary_udm_sids.sh
running [samba] - OK - check_s4_connector_listener_active.sh
running [samba] - OK - cn_idmap_exists.sh
running [samba] - OK - check_msds_keyversionnumber.sh
running [samba] - OK - krbtgt_has_rid_502.sh
running [samba] - OK - cn_system_exists_only_once.sh
running [samba] - OK - check_samba_processes.sh
running [samba] - OK - no_3000_mapping_in_net_cache.sh
running [samba] - OK - check_ddns_update.sh
running [samba] - OK - check_s4_connector_rejects.sh
running [samba] - OK - testjoin.sh
running [samba] - OK - check_smbclient_via_krb5_keytab.sh
running [samba] - OK - maximum_password_age_smaller_999.sh
running [samba] - FAILED - hosts_sids_equal_in_ucs_and_samba.sh
running [samba] - OK - master_is_member_of_enterprise_domain_controllers.sh
running [samba] - OK - check_samba_drs_replication.sh
running [samba] - OK - wbinfo_checks.sh
running [samba] - OK - disabled_drsuapi_adtakeover_incomplete.sh
In the error diagnosis via UMC I get "Kerberos not reachable". Which test is called there?
Test failed: univention-system-check.d/samba/hosts_sids_equal_in_ucs_and_samba.sh, Impact: SID mismatch between ucs and samba my cause permission problems
root@thhoe108:~# nmap $(hostname)
Starting Nmap 7.40 ( https://nmap.org ) at 2017-10-26 08:23 CEST
Nmap scan report for thhoe108 (192.168.0.108)
Host is up (0.000010s latency).
rDNS record for 192.168.0.108: thhoe108.thhoe.lan
Not shown: 980 closed ports
PORT STATE SERVICE
22/tcp open ssh
42/tcp open nameserver
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
749/tcp open kerberos-adm
1024/tcp open kdm
1025/tcp open NFS-or-IIS
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5666/tcp open nrpe
6669/tcp open irc
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
root@thhoe108:~#
root@thhoe108:~# univention-s4connector-list-rejected
UCS rejected
S4 rejected
There may be no rejected DNs if the connector is in progress, to be
sure stop the connector before running this script.
last synced USN: 5126
root@thhoe108:~#
root@thhoe108:~# testparm -vs
Load smb config files from /etc/samba/smb.conf
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_ACTIVE_DIRECTORY_DC
# Global parameters
[global]
bind interfaces only = Yes
config backend = file
dos charset = CP850
enable core files = Yes
interfaces = lo eth0
multicast dns register = Yes
netbios aliases =
netbios name = THHOE108
netbios scope =
realm = THHOE.LAN
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
server string = Univention Corporate Server
share backend = classic
unix charset = UTF-8
workgroup = THHOE
browse list = Yes
domain master = Yes
enhanced browsing = Yes
lm announce = Auto
lm interval = 60
local master = Yes
os level = 20
preferred master = Yes
allow dns updates = secure only
dns forwarder =
dns update command = /usr/sbin/samba_dnsupdate
machine password timeout = 0
nsupdate command = /usr/bin/nsupdate -g
rndc command = /usr/sbin/rndc
spn update command = /usr/sbin/samba_spnupdate
mangle prefix = 1
mangling method = hash2
max stat cache size = 256
stat cache = Yes
client ldap sasl wrapping = sign
ldap admin dn =
ldap connection timeout = 2
ldap delete dn = No
ldap deref = auto
ldap follow referral = Auto
ldap group suffix =
ldap idmap suffix =
ldap machine suffix =
ldap page size = 1000
ldap passwd sync = no
ldap replication sleep = 1000
ldap server require strong auth = allow_sasl_over_tls
ldap ssl = start tls
ldap ssl ads = No
ldap suffix =
ldap timeout = 15
ldap user suffix =
lock spin time = 200
oplock break wait time = 0
smb2 leases = Yes
debug class = No
debug hires timestamp = Yes
debug pid = Yes
debug prefix timestamp = No
debug uid = No
ldap debug level = 0
ldap debug threshold = 10
log file =
logging = file
log level = 2
max log size = 0
syslog = 1
syslog only = No
timestamp logs = Yes
abort shutdown script =
add group script =
add machine script =
add user script =
add user to group script =
allow nt4 crypto = No
delete group script =
delete user from group script =
delete user script =
domain logons = No
enable privileges = Yes
init logon delay = 100
init logon delayed hosts =
logon drive = U:
logon home = \\thhoe106\%U
logon path = \\thhoe106\%U\windows-profiles\%a
logon script =
reject md5 clients = No
set primary group script =
shutdown script =
add share command =
afs token lifetime = 604800
afs username map =
allow insecure wide links = No
async smb echo handler = No
auto services =
cache directory = /var/cache/samba
change notify = Yes
change share command =
cluster addresses =
clustering = No
config file =
ctdbd socket =
ctdb locktime warn threshold = 0
ctdb timeout = 0
default service =
delete share command =
homedir map = auto.home
kernel change notify = Yes
lock directory = /var/run/samba
log writeable files on exit = No
message command =
nbt client socket address = 0.0.0.0
ncalrpc dir = /var/run/samba/ncalrpc
NIS homedir = No
nmbd bind explicit broadcast = Yes
panic action =
perfcount module =
pid directory = /var/run/samba
registry shares = No
remote announce =
remote browse sync =
reset on zero vc = No
smbd profiling level = off
state directory = /var/lib/samba
usershare allow guests = No
usershare max shares = 0
usershare owner only = Yes
usershare path = /var/lib/samba/usershares
usershare prefix allow list =
usershare prefix deny list =
usershare template share =
utmp = No
utmp directory =
wtmp directory =
addport command =
addprinter command =
cups connection timeout = 30
cups encrypt = No
cups server =
deleteprinter command =
disable spoolss = No
enumports command =
iprint server =
load printers = Yes
lpq cache time = 30
os2 driver map =
printcap cache time = 750
printcap name =
show add printer wizard = Yes
cldap port = 389
client ipc max protocol = default
client ipc min protocol = default
client max protocol = default
client min protocol = CORE
client use spnego = Yes
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
defer sharing violations = Yes
dgram port = 138
disable netbios = No
enable asu support = No
eventlog list =
large readwrite = Yes
lsa over netlogon = No
max mux = 50
max ttl = 259200
max wins ttl = 518400
max xmit = 65535
min receivefile size = 0
min wins ttl = 21600
name resolve order = wins host bcast
nbt port = 137
nt pipe support = Yes
nt status support = Yes
read raw = Yes
rpc big endian = No
rpc server port = 0
server max protocol = SMB3
server min protocol = LANMAN1
server multi channel support = No
smb2 max credits = 8192
smb2 max read = 8388608
smb2 max trans = 8388608
smb2 max write = 8388608
smb ports = 445 139
svcctl list =
time server = No
unicode = Yes
unix extensions = Yes
use spnego = Yes
web port = 901
write raw = Yes
algorithmic rid base = 1000
allow dcerpc auth level connect = No
allow trusted domains = Yes
auth methods =
check password script =
client ipc signing = default
client lanman auth = No
client NTLMv2 auth = Yes
client plaintext auth = No
client schannel = Auto
client signing = default
client use spnego principal = No
dedicated keytab file =
encrypt passwords = Yes
guest account = nobody
kerberos encryption types = all
kerberos method = default
kpasswd port = 464
krb5 port = 88
lanman auth = No
log nt token command =
map to guest = Bad User
map untrusted to domain = No
ntlm auth = Yes
ntp signd socket directory = /var/lib/samba/ntp_signd
null passwords = No
obey pam restrictions = Yes
old password allowed period = 60
pam password change = No
passdb backend = samba_dsdb
passdb expand explicit = No
passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
passwd chat debug = No
passwd chat timeout = 2
passwd program =
password hash gpg key ids =
password server = *
preload modules =
private dir = /var/lib/samba/private
raw NTLMv2 auth = No
rename user script =
restrict anonymous = 0
root directory =
samba kcc command = /usr/sbin/samba_kcc
security = AUTO
server role = active directory domain controller
server schannel = Auto
server signing = default
smb passwd file = /etc/samba/smbpasswd
tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
tls certfile = /etc/univention/ssl/thhoe108.thhoe.lan/cert.pem
tls crlfile =
tls dh params file =
tls enabled = Yes
tls keyfile = /etc/univention/ssl/thhoe108.thhoe.lan/private.key
tls priority = NORMAL:-VERS-SSL3.0
tls verify peer = ca_and_name
unix password sync = No
username level = 0
username map =
username map cache time = 0
username map script =
aio max threads = 100
deadtime = 15
getwd cache = Yes
hostname lookups = No
keepalive = 300
max disk size = 0
max open files = 32808
max smbd processes = 0
name cache timeout = 660
socket options = TCP_NODELAY
use mmap = Yes
get quota command =
host msdfs = Yes
set quota command =
create krb5 conf = Yes
idmap backend = tdb
idmap cache time = 604800
idmap gid =
idmap negative cache time = 120
idmap uid =
include system krb5 conf = Yes
neutralize nt4 emulation = No
reject md5 servers = No
require strong key = Yes
template homedir = /home/%D-%U
template shell = /bin/bash
winbind cache time = 300
winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
winbindd socket directory = /var/run/samba/winbindd
winbind enum groups = No
winbind enum users = No
winbind expand groups = 0
winbind max clients = 200
winbind max domain connections = 1
winbind nested groups = Yes
winbind normalize names = No
winbind nss info = template
winbind offline logon = No
winbind reconnect delay = 30
winbind refresh tickets = No
winbind request timeout = 60
winbind rpc only = No
winbind sealed pipes = Yes
winbind separator = +
winbind trusted domains only = No
winbind use default domain = No
dns proxy = Yes
wins hook =
wins proxy = No
wins server =
wins support = Yes
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
acl:search = no
spoolss: architecture = Windows x64
idmap config * : range = 300000-400000
kccsrv:samba_kcc = False
dsdb:schema update allowed = no
nmbd_proxy_logon:cldap_server = 127.0.0.1
server role check:inhibit = yes
idmap config * : backend = tdb
comment =
path =
administrative share = No
browseable = Yes
case sensitive = Auto
default case = lower
delete veto files = No
hide dot files = Yes
hide files =
hide special files = No
hide unreadable = No
hide unwriteable files = No
mangled names = Yes
mangling char = ~
map archive = No
map hidden = No
map readonly = no
map system = No
preserve case = Yes
short preserve case = Yes
store dos attributes = Yes
veto files =
veto oplock files =
blocking locks = Yes
csc policy = manual
fake oplocks = No
kernel oplocks = Yes
kernel share modes = Yes
level2 oplocks = Yes
locking = Yes
oplock contention limit = 2
oplocks = Yes
posix locking = Yes
strict locking = Auto
acl xattr update mtime = No
afs share = No
available = Yes
copy =
delete readonly = No
dfree cache time = 0
dfree command =
directory name cache size = 100
dmapi support = No
dont descend =
dos filemode = No
dos filetime resolution = No
dos filetimes = Yes
fake directory create times = No
follow symlinks = Yes
fstype = NTFS
include = /etc/samba/base.conf
magic output =
magic script =
postexec =
preexec =
preexec close = No
root postexec =
root preexec =
root preexec close = No
spotlight = No
volume =
wide links = No
cups options =
default devmode = Yes
force printername = No
lppause command =
lpq command = %p
lpresume command =
lprm command =
max print jobs = 1000
max reported print jobs = 0
printable = No
print command =
printer name =
printing = cups
printjob username = %U
print notify backchannel = No
queuepause command =
queueresume command =
use client driver = No
acl allow execute always = Yes
acl check permissions = Yes
acl map full control = Yes
durable handles = Yes
ea support = No
map acl inherit = No
nt acl support = Yes
profile acls = No
access based share enum = No
acl group control = No
admin users = administrator join-backup
create mask = 0744
directory mask = 0755
force create mode = 0000
force directory mode = 0000
force group =
force unknown acl user = No
force user =
guest ok = No
guest only = No
hosts allow =
hosts deny =
inherit acls = No
inherit owner = no
inherit permissions = No
invalid users =
read list =
read only = Yes
smb encrypt = default
valid users =
write list =
aio read size = 0
aio write behind =
aio write size = 0
allocation roundup size = 1048576
block size = 1024
max connections = 0
min print space = 0
strict allocate = No
strict rename = No
strict sync = No
sync always = No
use sendfile = No
write cache size = 0
msdfs proxy =
msdfs root = No
msdfs shuffle referrals = No
ntvfs handler = unixuid, default
vfs objects = dfs_samba4 acl_xattr
[netlogon]
comment = Domain logon service
path = /var/lib/samba/sysvol/thhoe.lan/scripts
case sensitive = No
read only = No
[sysvol]
path = /var/lib/samba/sysvol
case sensitive = No
acl xattr update mtime = Yes
read only = No
[homes]
comment = Heimatverzeichnisse
browseable = No
create mask = 0700
directory mask = 0700
read only = No
vfs objects = acl_xattr
[printers]
comment = Drucker
path = /tmp
browseable = No
printable = Yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
read only = No
write list = root Administrator @Printer-Admins
root@thhoe108:~#
have the join scripts run through now?
-> univention-check-join-status
Can you log in to Samba (Kerberos) with the machine account?
-> kinit --password-file=/etc/machine.secret $(hostname)$
This error is thrown when the following test fails. What is the output of:
-> ldbsearch -H tdb:///var/lib/samba/private/sam.ldb -b DC=thhoe,DC=lan -s base dn
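The FAILED check hosts_sids_equal_in_ucs_and_samba.sh compares, as its name and impact message indicate, the host's SID in UCS OpenLDAP with its SID in Samba's sam.ldb. The following is an added Python example (not UCS's own check script and not code from this thread) that performs that comparison on LDIF text roughly as `univention-ldapsearch -LLL "cn=$(hostname)" sambaSID` and `ldbsearch -H /var/lib/samba/private/sam.ldb "(cn=$(hostname))" objectSid` print it, and tells a same-domain RID mismatch apart from two directories that disagree on the domain SID; the two LDIF samples, their DNs and their SID values are constructed placeholders.

```python
import re

# Constructed sample, roughly as univention-ldapsearch -LLL prints the host
# object in UCS OpenLDAP (DN and SID are placeholders, not real values).
UCS_LDIF = """\
dn: cn=thhoe108,cn=dc,cn=computers,dc=thhoe,dc=lan
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1107
"""

# Constructed sample, roughly as ldbsearch prints the same host's computer
# object from sam.ldb (ldb shows objectSid in string form; placeholders again).
SAMBA_LDIF = """\
dn: CN=THHOE108,OU=Domain Controllers,DC=thhoe,DC=lan
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1001

# returned 1 records
# 1 entries
# 0 referrals
"""

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def ldif_attr(ldif, attr):
    """Return the values of `attr` in the first entry of an LDIF text.

    Unfolds continuation lines (leading space), skips '#' comment lines such
    as ldbsearch's trailing summary, and stops at the first entry's end.
    """
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        elif not raw.startswith("#"):
            lines.append(raw)
    values, in_entry = [], False
    for line in lines:
        if line.strip() == "":
            if in_entry:
                break                     # blank line closes the first entry
            continue
        in_entry = True
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == attr.lower():
            values.append(val.strip())
    return values


def compare_host_sids(ucs_ldif, samba_ldif):
    """Compare sambaSID (UCS LDAP) with objectSid (Samba) for one host.

    'status' is one of: match, rid-mismatch (same domain SID, different
    account RID), domain-mismatch (the directories disagree on the domain
    SID), missing (one side has no object or no SID attribute, like the
    'no matching records' answer above) or malformed (e.g. 'objectSid::',
    i.e. a base64 value this parser does not decode).
    """
    ucs = ldif_attr(ucs_ldif, "sambaSID")
    samba = ldif_attr(samba_ldif, "objectSid")
    result = {"ucs": ucs[0] if ucs else None, "samba": samba[0] if samba else None}
    if not ucs or not samba:
        result["status"] = "missing"
    elif not (SID_RE.match(result["ucs"]) and SID_RE.match(result["samba"])):
        result["status"] = "malformed"
    elif result["ucs"] == result["samba"]:
        result["status"] = "match"
    elif result["ucs"].rsplit("-", 1)[0] == result["samba"].rsplit("-", 1)[0]:
        result["status"] = "rid-mismatch"
    else:
        result["status"] = "domain-mismatch"
    return result


if __name__ == "__main__":
    print(compare_host_sids(UCS_LDIF, SAMBA_LDIF))
```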