Anmeldung mit BDC nicht möglich

german

#1

Hallo,

wir haben bei einem Kunden das Problem, dass sich Benutzer (manchmal) auf einem Windows-Terminalserver nicht als Domänen-Benutzer anmelden können.
Die Fehlermeldung lautet:

“Die Vertrauensstellung zwischen dieser Arbeitsstation und der primären Domäne konnte nicht hergestellt werden”

Wenn der Backup-DC heruntergefahren wird, funktioniert es jedoch (lt. lokalem Admin) immer.

Soweit ich mich erinnere (war jetzt 2 Wochen in Urlaub) habe ich das Skript
/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
ausgeführt und es sah ok aus.

Wir haben dort folgende UCS-Version:
version/erratalevel: 234
version/patchlevel: 3
version/releasename: Vahr
version/version: 4.1

Hier die Samba-Config vom PDC:

# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry überschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
#       /etc/univention/templates/files/etc/samba/smb.conf.d/10global
#       /etc/univention/templates/files/etc/samba/smb.conf.d/11univention-smb-service
#       /etc/univention/templates/files/etc/samba/smb.conf.d/21univention-samba_winbind
#       /etc/univention/templates/files/etc/samba/smb.conf.d/31univention-samba_password
#       /etc/univention/templates/files/etc/samba/smb.conf.d/41univention-samba_printing
#       /etc/univention/templates/files/etc/samba/smb.conf.d/51univention-samba_domain
#       /etc/univention/templates/files/etc/samba/smb.conf.d/61univention-samba_misc
#       /etc/univention/templates/files/etc/samba/smb.conf.d/71univention-samba_users
#       /etc/univention/templates/files/etc/samba/smb.conf.d/81univention-quota_scripts
#       /etc/univention/templates/files/etc/samba/smb.conf.d/90univention-samba_user_shares
#       /etc/univention/templates/files/etc/samba/smb.conf.d/91univention-samba_shares
#       /etc/univention/templates/files/etc/samba/smb.conf.d/92univention-samba_shares
#       /etc/univention/templates/files/etc/samba/smb.conf.d/95univention-samba_local_config
#       /etc/univention/templates/files/etc/samba/smb.conf.d/99univention-samba_local_shares
#

; ---------------------<10global>------------------------
[global]
        debug level     = 1
        logging         = file
        max log size    = 0

        netbios name    = pdc
        server role     = active directory domain controller
        server string   = Univention Corporate Server
        server services = -dns -smb +s3fs -nbt
        server role check:inhibit = yes
        # use nmbd; to disable set samba4/service/nmb to s4
        nmbd_proxy_logon:cldap_server=127.0.0.1
        workgroup       = FIRMA
        realm           = FIRMA.AT

        tls enabled     = yes
        tls keyfile     = /etc/univention/ssl/pdc.firma.at/private.key
        tls certfile    = /etc/univention/ssl/pdc.firma.at/cert.pem
        tls cafile      = /etc/univention/ssl/ucsCA/CAcert.pem
        tls verify peer = ca_and_name
        ldap server require strong auth = allow_sasl_over_tls
        dsdb:schema update allowed = no
        max open files = 32808
        machine password timeout        = 0
        acl allow execute always = True

        # ignore interfaces in samba/register/exclude/interfaces
        bind interfaces only = yes
        interfaces = lo eth0

; ---------------------</10global>------------------------
; ---------------------<smb service configuration>-----------------------

        debug hirestimestamp = yes
        debug pid = yes
; ---------------------</smb service configuration>----------------------


        winbind separator = +
        template shell = /bin/bash
        template homedir = /home/%D-%U

        idmap config * : backend = tdb
        idmap config * : range = 300000-400000

        passwd chat = *New*password* %nn *Re-enter*new*password* %nn *password*changed*

        obey pam restrictions = yes
        encrypt passwords = yes

        ; printing
        load printers = yes
        printing = cups
        printcap name = cups
        spoolss: architecture = Windows NT x86

        ; domain service lookup related settings
        preferred master = yes
        local master = yes
        domain master = yes
        wins support = yes

        ; miscellaneous settings, mostly for file services
        oplocks = yes
        large readwrite = yes
        read raw = yes
        write raw = yes
        max xmit = 65535
        acl:search = no
        host msdfs = yes
        kernel oplocks = yes
        deadtime = 15
        getwd cache = yes
        wide links = no
        store dos attributes = yes
        logon home = \pdc%U
        logon drive = I:
        logon path = \pdc%Uwindows-profiles%a
        preserve case = yes
        short preserve case = yes

        guest account = nobody
        map to guest = Bad User
        admin users = administrator join-backup


        usershare max shares = 0


; -----------------------------------------------------------------------------------------------------------
        include = /etc/samba/base.conf
        include = /etc/samba/installs.conf

        include = /etc/samba/shares.conf
        include = /etc/samba/printers.conf



        include = /etc/samba/local.conf

Und vom BDC:

[code]# Warning: This file is auto-generated and might be overwritten by

univention-config-registry.

Please edit the following file(s) instead:

Warnung: Diese Datei wurde automatisch generiert und kann durch

univention-config-registry überschrieben werden.

Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):

/etc/univention/templates/files/etc/samba/smb.conf.d/10global

/etc/univention/templates/files/etc/samba/smb.conf.d/11univention-smb-service

/etc/univention/templates/files/etc/samba/smb.conf.d/21univention-samba_winbind

/etc/univention/templates/files/etc/samba/smb.conf.d/31univention-samba_password

/etc/univention/templates/files/etc/samba/smb.conf.d/41univention-samba_printing

/etc/univention/templates/files/etc/samba/smb.conf.d/51univention-samba_domain

/etc/univention/templates/files/etc/samba/smb.conf.d/61univention-samba_misc

/etc/univention/templates/files/etc/samba/smb.conf.d/71univention-samba_users

/etc/univention/templates/files/etc/samba/smb.conf.d/81univention-quota_scripts

/etc/univention/templates/files/etc/samba/smb.conf.d/90univention-samba_user_shares

/etc/univention/templates/files/etc/samba/smb.conf.d/91univention-samba_shares

/etc/univention/templates/files/etc/samba/smb.conf.d/92univention-samba_shares

/etc/univention/templates/files/etc/samba/smb.conf.d/95univention-samba_local_config

/etc/univention/templates/files/etc/samba/smb.conf.d/99univention-samba_local_shares

; ---------------------<10global>------------------------
[global]
debug level = 1
logging = file
max log size = 0

    netbios name    = bdc
    server role     = active directory domain controller
    server string   = Univention Corporate Server
    server services = -dns -smb +s3fs -nbt
    server role check:inhibit = yes
    # use nmbd; to disable set samba4/service/nmb to s4
    nmbd_proxy_logon:cldap_server=127.0.0.1
    workgroup       = FIRMA
    realm           = FIRMA.AT

    tls enabled     = yes
    tls keyfile     = /etc/univention/ssl/bdc.firma.at/private.key
    tls certfile    = /etc/univention/ssl/bdc.firma.at/cert.pem
    tls cafile      = /etc/univention/ssl/ucsCA/CAcert.pem
    tls verify peer = ca_and_name
    ldap server require strong auth = allow_sasl_over_tls
    dsdb:schema update allowed = no
    max open files = 32808
    machine password timeout        = 0
    acl allow execute always = True

    # ignore interfaces in samba/register/exclude/interfaces
    bind interfaces only = yes
    interfaces = lo eth0

; ---------------------</10global>------------------------
; --------------------------------------------

    debug hirestimestamp = yes
    debug pid = yes

; ---------------------</smb service configuration>----------------------

    winbind separator = +
    template shell = /bin/bash
    template homedir = /home/%D-%U

    idmap config * : backend = tdb
    idmap config * : range = 300000-400000

    passwd chat = *New*password* %nn *Re-enter*new*password* %nn *password*changed*

    obey pam restrictions = yes
    encrypt passwords = yes

    spoolss: architecture = Windows x64

    ; domain service lookup related settings
    preferred master = yes
    local master = yes
    domain master = auto

    ; miscellaneous settings, mostly for file services
    oplocks = yes
    large readwrite = yes
    read raw = yes
    write raw = yes
    max xmit = 65535
    acl:search = no
    host msdfs = yes
    kernel oplocks = yes
    deadtime = 15
    getwd cache = yes
    wide links = no
    store dos attributes = yes
    logon home = \bdc%U
    logon drive = I:
    logon path = \bdc%Uwindows-profiles%a
    preserve case = yes
    short preserve case = yes

    guest account = nobody
    map to guest = Bad User
    admin users = administrator join-backup


    usershare max shares = 0

; -----------------------------------------------------------------------------------------------------------
include = /etc/samba/base.conf
[/code]

Hat jemand Ideen?

TIA,
Roland.


#2

Das sieht mir nach einer gestörten Replikation aus, das Maschinenpaßwort des Terminalservers stimmt auf den DC Back vermutlich nicht. Sieht hier alles in Ordnung aus:

samba-tool drs showrepl

#3

Danke für den Hinweis.

Da gab es tatsächlich Probleme:

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Default-First-Site-NamePDC
DSA Options: 0x00000001
DSA object GUID: 30677309-0b5d-4d68-be04-5e86d296de86
DSA invocationId: b0b438ec-cf30-45da-8978-16c38c367ab5

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=firma,DC=at
        Default-First-Site-NameBDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:00:06 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                16285 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=firma,DC=at
        Default-First-Site-NameBDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:00:06 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                16284 consecutive failure(s).
                Last success @ NTTIME(0)

DC=firma,DC=at
        Default-First-Site-NameBDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:00:06 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                16475 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=firma,DC=at
        Default-First-Site-NameBDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:00:06 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                16474 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=firma,DC=at
        Default-First-Site-NameBDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:00:06 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                16355 consecutive failure(s).
                Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=firma,DC=at
        Default-First-Site-NameBDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:01:03 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                780696 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=firma,DC=at
        Default-First-Site-NameBDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:01:04 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                779803 consecutive failure(s).
                Last success @ NTTIME(0)

DC=firma,DC=at
        Default-First-Site-NameBDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:01:04 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                785903 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=firma,DC=at
        Default-First-Site-NameBDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:01:04 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                784048 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=firma,DC=at
        Default-First-Site-NameBDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:01:04 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                776157 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 22e7788a-3282-4fcc-81f9-2c5cb9e15cda
        Enabled        : TRUE
        Server DNS name : bdc.firma.at
        Server DN name  : CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=firma,DC=at
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

Ich habe den DC dann neu gejoined und danach sah es so aus:

Default-First-Site-NameBDC
DSA Options: 0x00000001
DSA object GUID: b78a2935-c1a0-4479-9eb2-7e19ccd4a09d
DSA invocationId: cb9195e8-a7d5-4397-a068-1bfb01a8a110

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=firma,DC=at
        Default-First-Site-NamePDC via RPC
                DSA object GUID: 30677309-0b5d-4d68-be04-5e86d296de86
                Last attempt @ Thu Feb  2 10:06:40 2017 CET was successful
                0 consecutive failure(s).
                Last success @ Thu Feb  2 10:06:40 2017 CET

DC=firma,DC=at
        Default-First-Site-NamePDC via RPC
                DSA object GUID: 30677309-0b5d-4d68-be04-5e86d296de86
                Last attempt @ Thu Feb  2 10:06:40 2017 CET was successful
                0 consecutive failure(s).
                Last success @ Thu Feb  2 10:06:40 2017 CET

DC=ForestDnsZones,DC=firma,DC=at
        Default-First-Site-NamePDC via RPC
                DSA object GUID: 30677309-0b5d-4d68-be04-5e86d296de86
                Last attempt @ Thu Feb  2 10:06:40 2017 CET was successful
                0 consecutive failure(s).
                Last success @ Thu Feb  2 10:06:40 2017 CET

DC=DomainDnsZones,DC=firma,DC=at
        Default-First-Site-NamePDC via RPC
                DSA object GUID: 30677309-0b5d-4d68-be04-5e86d296de86
                Last attempt @ Thu Feb  2 10:06:40 2017 CET was successful
                0 consecutive failure(s).
                Last success @ Thu Feb  2 10:06:40 2017 CET

CN=Configuration,DC=firma,DC=at
        Default-First-Site-NamePDC via RPC
                DSA object GUID: 30677309-0b5d-4d68-be04-5e86d296de86
                Last attempt @ Thu Feb  2 10:06:40 2017 CET was successful
                0 consecutive failure(s).
                Last success @ Thu Feb  2 10:06:40 2017 CET

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 6c5f5bd4-d705-415d-9b5b-fac75820e6f1
        Enabled        : TRUE
        Server DNS name : pdc.firma.at
        Server DN name  : CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=firma,DC=at
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

Das scheint also den Fehler behoben zu haben, soweit ich das beurteilen kann. :slight_smile:

Wie könnte dieses Problem entstanden sein?

LG,
Roland.


#4

Freut mich, daß sich das Problem erledigt hat.

Zur Ursache kann man vermutlich nur spekulieren.