Hallo,
wir haben bei einem Kunden das Problem, dass sich Benutzer (manchmal) auf einem Windows-Terminalserver nicht als Domänen-Benutzer anmelden können.
Die Fehlermeldung lautet:
“Die Vertrauensstellung zwischen dieser Arbeitsstation und der primären Domäne konnte nicht hergestellt werden”
Wenn der Backup-DC heruntergefahren wird, funktioniert es jedoch (lt. lokalem Admin) immer.
Soweit ich mich erinnere (war jetzt 2 Wochen in Urlaub), habe ich das Skript
/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
ausgeführt und es sah ok aus.
Wir haben dort folgende UCS-Version:
version/erratalevel: 234
version/patchlevel: 3
version/releasename: Vahr
version/version: 4.1
Hier die Samba-Config vom PDC:
# Warning: This file is auto-generated and might be overwritten by
# univention-config-registry.
# Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
# univention-config-registry überschrieben werden.
# Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
# /etc/univention/templates/files/etc/samba/smb.conf.d/10global
# /etc/univention/templates/files/etc/samba/smb.conf.d/11univention-smb-service
# /etc/univention/templates/files/etc/samba/smb.conf.d/21univention-samba_winbind
# /etc/univention/templates/files/etc/samba/smb.conf.d/31univention-samba_password
# /etc/univention/templates/files/etc/samba/smb.conf.d/41univention-samba_printing
# /etc/univention/templates/files/etc/samba/smb.conf.d/51univention-samba_domain
# /etc/univention/templates/files/etc/samba/smb.conf.d/61univention-samba_misc
# /etc/univention/templates/files/etc/samba/smb.conf.d/71univention-samba_users
# /etc/univention/templates/files/etc/samba/smb.conf.d/81univention-quota_scripts
# /etc/univention/templates/files/etc/samba/smb.conf.d/90univention-samba_user_shares
# /etc/univention/templates/files/etc/samba/smb.conf.d/91univention-samba_shares
# /etc/univention/templates/files/etc/samba/smb.conf.d/92univention-samba_shares
# /etc/univention/templates/files/etc/samba/smb.conf.d/95univention-samba_local_config
# /etc/univention/templates/files/etc/samba/smb.conf.d/99univention-samba_local_shares
#
# Review notes on this pasted copy (the first DC "pdc", realm FIRMA.AT):
# - The symptom in the post ("trust relationship ... could not be
#   established") goes away when the second DC is powered off. No setting
#   visible in this file selects which DC a workstation authenticates
#   against; that is DNS/CLDAP lookup plus AD replication between the DCs.
#   NOTE(review): presumably the terminal server's computer-account secret
#   is stale on the second DC (replication lag or failure) - confirm with
#   `samba-tool drs showrepl` on both DCs before changing this file.
; ---------------------<10global>------------------------
[global]
# Log verbosity and target; 0 = no size-based log rotation.
debug level = 1
logging = file
max log size = 0
netbios name = pdc
server role = active directory domain controller
server string = Univention Corporate Server
# Samba's internal DNS, the legacy smb and nbt services are disabled; the
# S3 file server runs via s3fs. DNS for the domain is therefore served
# outside Samba, which is why the UCS DNS-record check script from the
# post is the right place to look for SRV/A record problems.
server services = -dns -smb +s3fs -nbt
server role check:inhibit = yes
# use nmbd; to disable set samba4/service/nmb to s4
nmbd_proxy_logon:cldap_server=127.0.0.1
workgroup = FIRMA
realm = FIRMA.AT
# TLS material issued by the UCS CA; peers must present a certificate that
# chains to that CA and matches the host name (ca_and_name).
tls enabled = yes
tls keyfile = /etc/univention/ssl/pdc.firma.at/private.key
tls certfile = /etc/univention/ssl/pdc.firma.at/cert.pem
tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
tls verify peer = ca_and_name
# Simple (cleartext) LDAP binds are only accepted inside a TLS session.
# NOTE(review): confirm the exact semantics for SASL binds without
# integrity protection in smb.conf(5) of the installed Samba version.
ldap server require strong auth = allow_sasl_over_tls
dsdb:schema update allowed = no
max open files = 32808
# 0 presumably disables automatic rotation of this host's own machine
# account password; it does not govern member workstations' secrets.
machine password timeout = 0
acl allow execute always = True
# ignore interfaces in samba/register/exclude/interfaces
# Only the loopback and eth0 addresses are listened on.
bind interfaces only = yes
interfaces = lo eth0
; ---------------------</10global>------------------------
; ---------------------<smb service configuration>-----------------------
debug hirestimestamp = yes
debug pid = yes
; ---------------------</smb service configuration>----------------------
# winbind naming (DOMAIN+user), per-domain home directories and the local
# tdb idmap range used for IDs this DC allocates itself.
winbind separator = +
template shell = /bin/bash
template homedir = /home/%D-%U
idmap config * : backend = tdb
idmap config * : range = 300000-400000
# NOTE(review): "%nn" looks like "%n\n" with the backslash eaten by the
# forum rendering - verify against the live file.
passwd chat = *New*password* %nn *Re-enter*new*password* %nn *password*changed*
obey pam restrictions = yes
encrypt passwords = yes
; printing
# CUPS printing. The second DC in the post advertises "Windows x64" here
# instead of "Windows NT x86"; a difference worth knowing about, but
# unrelated to domain logons.
load printers = yes
printing = cups
printcap name = cups
spoolss: architecture = Windows NT x86
; domain service lookup related settings
# NetBIOS browsing/WINS: this DC claims the domain master browser role and
# runs a WINS server; the second DC has "domain master = auto" and no
# "wins support" line.
preferred master = yes
local master = yes
domain master = yes
wins support = yes
; miscellaneous settings, mostly for file services
oplocks = yes
large readwrite = yes
read raw = yes
write raw = yes
max xmit = 65535
acl:search = no
host msdfs = yes
kernel oplocks = yes
deadtime = 15
getwd cache = yes
# Symlinks leading outside a share are not followed.
wide links = no
store dos attributes = yes
# Roaming-profile locations. NOTE(review): the UNC backslashes appear to
# have been stripped by the forum rendering (expected form like \\pdc\%U);
# check the live file before reading anything into these values.
logon home = \pdc%U
logon drive = I:
logon path = \pdc%Uwindows-profiles%a
preserve case = yes
short preserve case = yes
# Unknown user names are mapped to the guest account "nobody"; a wrong
# password for an existing account is still rejected.
guest account = nobody
map to guest = Bad User
# These accounts perform all file operations on shares as root; keep the
# list minimal and protect their credentials accordingly.
admin users = administrator join-backup
usershare max shares = 0
; -----------------------------------------------------------------------------------------------------------
# Share, printer and local definitions live in separate files.
include = /etc/samba/base.conf
include = /etc/samba/installs.conf
include = /etc/samba/shares.conf
include = /etc/samba/printers.conf
include = /etc/samba/local.conf
Und vom BDC:
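[code]# Warning: This file is auto-generated and might be overwritten by
# univention-config-registry.
# Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
# univention-config-registry überschrieben werden.
# Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
# /etc/univention/templates/files/etc/samba/smb.conf.d/10global
# /etc/univention/templates/files/etc/samba/smb.conf.d/11univention-smb-service
# /etc/univention/templates/files/etc/samba/smb.conf.d/21univention-samba_winbind
# /etc/univention/templates/files/etc/samba/smb.conf.d/31univention-samba_password
# /etc/univention/templates/files/etc/samba/smb.conf.d/41univention-samba_printing
# /etc/univention/templates/files/etc/samba/smb.conf.d/51univention-samba_domain
# /etc/univention/templates/files/etc/samba/smb.conf.d/61univention-samba_misc
# /etc/univention/templates/files/etc/samba/smb.conf.d/71univention-samba_users
# /etc/univention/templates/files/etc/samba/smb.conf.d/81univention-quota_scripts
# /etc/univention/templates/files/etc/samba/smb.conf.d/90univention-samba_user_shares
# /etc/univention/templates/files/etc/samba/smb.conf.d/91univention-samba_shares
# /etc/univention/templates/files/etc/samba/smb.conf.d/92univention-samba_shares
# /etc/univention/templates/files/etc/samba/smb.conf.d/95univention-samba_local_config
# /etc/univention/templates/files/etc/samba/smb.conf.d/99univention-samba_local_shares
#
# Review notes on this pasted copy (the second DC "bdc", realm FIRMA.AT):
# - The leading "#" of the header lines above was lost when the file was
#   pasted into the forum; restored here, since smb.conf would not parse
#   the bare lines. The "<smb service configuration>" marker below was
#   restored the same way from the first DC's listing.
# - Compared with the first DC this listing has no printing block and only
#   one "include" line. NOTE(review): the paste may simply be cut off at
#   the end - confirm against the live file.
# - The post reports that logons work whenever this DC is powered off.
#   NOTE(review): presumably this DC holds a stale computer-account secret
#   for the terminal server (replication lag or failure); confirm with
#   `samba-tool drs showrepl` on both DCs rather than editing this file.
; ---------------------<10global>------------------------
[global]
# Log verbosity and target; 0 = no size-based log rotation.
debug level = 1
logging = file
max log size = 0
netbios name = bdc
server role = active directory domain controller
server string = Univention Corporate Server
# Samba's internal DNS, the legacy smb and nbt services are disabled; the
# S3 file server runs via s3fs. DNS for the domain is served outside Samba.
server services = -dns -smb +s3fs -nbt
server role check:inhibit = yes
# use nmbd; to disable set samba4/service/nmb to s4
nmbd_proxy_logon:cldap_server=127.0.0.1
workgroup = FIRMA
realm = FIRMA.AT
# TLS material issued by the UCS CA; peers must present a certificate that
# chains to that CA and matches the host name (ca_and_name).
tls enabled = yes
tls keyfile = /etc/univention/ssl/bdc.firma.at/private.key
tls certfile = /etc/univention/ssl/bdc.firma.at/cert.pem
tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
tls verify peer = ca_and_name
# Simple (cleartext) LDAP binds are only accepted inside a TLS session.
# NOTE(review): confirm the exact semantics for SASL binds without
# integrity protection in smb.conf(5) of the installed Samba version.
ldap server require strong auth = allow_sasl_over_tls
dsdb:schema update allowed = no
max open files = 32808
# 0 presumably disables automatic rotation of this host's own machine
# account password; it does not govern member workstations' secrets.
machine password timeout = 0
acl allow execute always = True
# ignore interfaces in samba/register/exclude/interfaces
# Only the loopback and eth0 addresses are listened on.
bind interfaces only = yes
interfaces = lo eth0
; ---------------------</10global>------------------------
; ---------------------<smb service configuration>-----------------------
debug hirestimestamp = yes
debug pid = yes
; ---------------------</smb service configuration>----------------------
# winbind naming (DOMAIN+user), per-domain home directories and the local
# tdb idmap range used for IDs this DC allocates itself.
winbind separator = +
template shell = /bin/bash
template homedir = /home/%D-%U
idmap config * : backend = tdb
idmap config * : range = 300000-400000
# NOTE(review): "%nn" looks like "%n\n" with the backslash eaten by the
# forum rendering - verify against the live file.
passwd chat = *New*password* %nn *Re-enter*new*password* %nn *password*changed*
obey pam restrictions = yes
encrypt passwords = yes
# Printer architecture differs from the first DC ("Windows NT x86");
# unrelated to domain logons.
spoolss: architecture = Windows x64
; domain service lookup related settings
# NetBIOS browsing: unlike the first DC, the domain master role is left to
# "auto" and no WINS server is configured here.
preferred master = yes
local master = yes
domain master = auto
; miscellaneous settings, mostly for file services
oplocks = yes
large readwrite = yes
read raw = yes
write raw = yes
max xmit = 65535
acl:search = no
host msdfs = yes
kernel oplocks = yes
deadtime = 15
getwd cache = yes
# Symlinks leading outside a share are not followed.
wide links = no
store dos attributes = yes
# Roaming-profile locations. NOTE(review): the UNC backslashes appear to
# have been stripped by the forum rendering (expected form like \\bdc\%U);
# check the live file before reading anything into these values.
logon home = \bdc%U
logon drive = I:
logon path = \bdc%Uwindows-profiles%a
preserve case = yes
short preserve case = yes
# Unknown user names are mapped to the guest account "nobody"; a wrong
# password for an existing account is still rejected.
guest account = nobody
map to guest = Bad User
# These accounts perform all file operations on shares as root; keep the
# list minimal and protect their credentials accordingly.
admin users = administrator join-backup
usershare max shares = 0
; -----------------------------------------------------------------------------------------------------------
# Share definitions live in a separate file (further includes may be
# missing from this paste, see the note at the top).
include = /etc/samba/base.conf
[/code]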
Hat jemand Ideen?
TIA,
Roland.