New users unable to login to domain account

New users are now showing up under Users in UDM. However, I cannot sign in as a newly created user on a computer joined to the domain, while the older users can still sign in.
This is the relevant part of log.samba:

[2020/10/21 10:50:10.467997,  3, pid=10148] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
[2020/10/21 10:50:10.558830,  3, pid=10136] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
[2020/10/21 10:50:10.863431,  3, pid=14807] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ drquan@FMPHN from ipv4:192.168.1.123:61913 for krbtgt/FMPHN@FMPHN
[2020/10/21 10:50:10.868613,  3, pid=14807] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: UNKNOWN -- drquan@FMPHN: no such entry found in hdb
[2020/10/21 10:50:10.868689,  2, pid=14807] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[**drquan@FMPHN**] at [Wed, 21 Oct 2020 10:50:10.868665 +07] with [(null)] status [NT_STATUS_NO_SUCH_USER] workstation [(null)] remote host [ipv4:192.168.1.123:61913] mapped to [(null)]\[(null)]. local host [NULL] 
  {"timestamp": "2020-10-21T10:50:10.868734+0700", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": null, "remoteAddress": "ipv4:192.168.1.123:61913", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "**drquan@FMPHN**", "workstation": null, "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": null, "duration": 5401}}
[2020/10/21 10:50:10.869338,  3, pid=14807] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

Thanks for your help.
version/version: 4.4
version/patchlevel: 6
version/erratalevel: 767

This is the krb5.conf on the Master:

[libdefaults]
        default_realm = FMPHN.COM
        default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        allow_weak_crypto=true
        dns_lookup_kdc =
        dns_lookup_realm = false
        forwardable = true
        proxiable = true
        kdc_timesync = 1
        debug = false
        #
        # The following libdefaults are for clients using the MIT Kerberos library
        #
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        ignore_acceptor_hostname = true

[realms]
FMPHN.COM = {
        acl_file = /var/lib/heimdal-kdc/kadmind.acl
        kdc = 127.0.0.1
        admin_server = ucs-master.fmphn.com
        kpasswd_server = 127.0.0.1
}

FMPHN = {
        kdc = 127.0.0.1
        admin_server = ucs-master.fmphn.com
        default_domain = fmphn.com
}
[kdc]
hdb-ldap-create-base = cn=kerberos,dc=fmphn,dc=com
v4-realm = FMPHN.COM


This is the krb5.conf on the Backup server:

[libdefaults]
        default_realm = FMPHN.COM
        default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        allow_weak_crypto=true
        dns_lookup_kdc =
        dns_lookup_realm = false
        forwardable = true
        proxiable = true
        kdc_timesync = 1
        debug = false
        #
        # The following libdefaults are for clients using the MIT Kerberos library
        #
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        ignore_acceptor_hostname = true

[realms]
FMPHN.COM = {
        acl_file = /var/lib/heimdal-kdc/kadmind.acl
        kdc = 127.0.0.1
        admin_server = ucs-master.fmphn.com  --> master server
        kpasswd_server = 127.0.0.1
}

FMPHN = {
        kdc = 127.0.0.1
        admin_server = ucs-master.fmphn.com  --> master server
        default_domain = fmphn.com
}
[kdc]
hdb-ldap-create-base = cn=kerberos,dc=fmphn,dc=com
v4-realm = FMPHN.COM

Output of ./univention-system-check on the Master:

running [samba     ] - FAILED   - hosts_sids_equal_in_ucs_and_samba.sh
running [samba     ] - OK       - check_smbclient_via_krb5_keytab.sh
running [samba     ] - OK       - check_for_USN_rollback.sh
running [samba     ] - OK       - cn_idmap_exists.sh
running [samba     ] - OK       - krbtgt_has_rid_502.sh
running [samba     ] - OK       - testjoin.sh
running [samba     ] - FAILED   - check_s4_connector_autostart.sh
running [samba     ] - FAILED   - check_ddns_update.sh
running [listener  ] - OK       - all_handlers_initialized.sh
running [listener  ] - OK       - replication.sh

Tests failed: 3

Test failed: ./univention-system-check.d/samba/hosts_sids_equal_in_ucs_and_samba.sh
 Impact: SID mismatch between ucs and samba my cause permission problems
        + IMPACT='SID mismatch between ucs and samba my cause permission problems'
        ++ which univention-s4search
        + test -e /usr/sbin/univention-s4search
        ++ /usr/sbin/univention-config-registry shell server/role ldap/hostdn
        + eval 'ldap_hostdn=cn=ucs-master,cn=dc,cn=computers,dc=fmphn,dc=com
        server_role=domaincontroller_master'
        ++ ldap_hostdn=cn=ucs-master,cn=dc,cn=computers,dc=fmphn,dc=com
        ++ server_role=domaincontroller_master
        + rc=0
        + read -d '' ldif
        ++ ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=computer)' objectSid sAMAccountName
        ++ sed 's/^$/\x00/'
        ++ sed -n 's/^sAMAccountName: \(.*\)/\1/p'

Test failed: ./univention-system-check.d/samba/check_ddns_update.sh
        + . /usr/share/univention-lib/ucr.sh
        ++ ucr shell hostname domainname samba4/role ldap/server/name
        + eval 'domainname=fmphn.com
        hostname=ucs-master
        ldap_server_name=ucs-master.fmphn.com
        samba4_role=DC'
        ++ domainname=fmphn.com
        ++ hostname=ucs-master
        ++ ldap_server_name=ucs-master.fmphn.com
        ++ samba4_role=DC
        + univention-ldapsearch '(&(univentionServerRole=master)(cn=ucs-master)(univentionService=UCS@school)(!(univentionService=S4 Connector)))' dn
        + grep -q '^dn:'
        + univention-ldapsearch 'univentionService=S4 Connector' dn
        + grep -q '^dn:'
        + kdestroy
        + kinit --password-file=/etc/machine.secret 'ucs-master$'
        + trivial_ddns_update_by_machine_principal
        + local rc
        + echo -e 'server ucs-master.fmphn.com\nprereq yxdomain fmphn.com\n'
        + nsupdate -g
        tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Improper format of Kerberos configuration file.
Test failed: ./univention-system-check.d/samba/check_s4_connector_autostart.sh
        +++ hostname
        ++ univention-ldapsearch '(&(cn=ucs-master)(univentionService=S4 Connector))' -LLL dn
        + s4connector_service_set='dn: cn=ucs-master,cn=dc,cn=computers,dc=fmphn,dc=com'
        + '[' -n 'dn: cn=ucs-master,cn=dc,cn=computers,dc=fmphn,dc=com' ']'
        + is_connector_running
        + pgrep -f '/usr/bin/python.*univention/s4connector/s4/main.py'
        + echo 'S4 Connector Service is set but S4 Connector is not running'
        S4 Connector Service is set but S4 Connector is not running
        + exit 1
root@ucs-master:~#

Output of ./univention-system-check on the Backup server:

Tests failed: 1

Test failed: ./univention-system-check.d/samba/check_dbackup_update.sh
        + . /usr/share/univention-lib/ucr.sh
        ++ ucr shell hostname domainname samba4/role ldap/server/name
        + eval 'domainname=fmphn.com
        hostname=ucs-backup
        ldap_server_name=ucs-backup.fmphn.com
        samba4_role=DC'
        ++ domainname=fmphn.com
        ++ hostname=ucs-backup
        ++ ldap_server_name=ucs-backup.fmphn.com
        ++ samba4_role=DC
        + univention-ldapsearch '(&(univentionServerRole=master)(cn=ucs-backup)(univentionService=UCS@school)(!(univentionService=S4 Connector)))' dn
        + grep -q '^dn:'
        + univention-ldapsearch 'univentionService=S4 Connector' dn
        + grep -q '^dn:'
        + kdestroy
        kdestroy: krb5_cc_destroy: Did not find a plugin for ccache_ops
        + true
        + kinit --password-file=/etc/machine.secret 'ucs-backup$'
        kinit: Password incorrect
        + '[' DC = DC ']'
        + trivial_dbackup_update_by_backup_server_principal
        + local rc
        + kdestroy
        kdestroy: krb5_cc_destroy: Did not find a plugin for ccache_ops
        + true
        + kinit -t /var/lib/samba/private/dns.keytab dns-ucs-backup
        + echo -e 'server ucs-backup.fmphn.com\nprereq yxdomain fmphn.com\n'
        + nsupdate -g
        tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Improper format of Kerberos configuration file.
root@ucs-backup:~#

root@ucs-master:~# univention-s4connector-list-rejected

UCS rejected


S4 rejected


There may be no rejected DNs if the connector is in progress, to be
sure stop the connector before running this script.


        last synced USN: 216494
