Hello,
For a few days I have had a problem connecting to a Win7 domain computer with RDP.
The RDP client shows “Authentifizierungsfehler, die lokale Sicherheitsauthorität (LSA) ist nicht ereichbar.”
The event log on the W7 PC is clean.
Because of the very low performance of the UCS server I did a reboot. The performance is OK now, but the issue is still there. It is a UCS 4.3 server on an ESXi VM.
Then I ran the “System Diagnose” in the UCS web interface. Here I can see one failure: “KDC Erreichbarkeit kritisch. Die folgenden KDCs waren nicht erreichbar: tcp … udp … Keine erreichbaren KDCs gefunden.”
What steps should I take to find what’s wrong?
Kind regards
Jochen
Hey,
can you please show the output of the following commands from your DC Master:
ip addr show
ucr search --brief samba/interfaces
grep interface /etc/samba/smb.conf
Thanks.
Kind regards,
mosu
Hi,
here are the output lines:
ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:f6:2a:c7 brd ff:ff:ff:ff:ff:ff
inet 192.168.76.200/24 brd 192.168.76.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fef6:2ac7/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:80:51:75:21 brd ff:ff:ff:ff:ff:ff
inet 172.17.42.1/16 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:80ff:fe51:7521/64 scope link
valid_lft forever preferred_lft forever
5: vethbb9afc1@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 36:f3:22:69:41:c3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::34f3:22ff:fe69:41c3/64 scope link
valid_lft forever preferred_lft forever
ucr search --brief samba/interfaces
-bash: ucr: Kommando nicht gefunden.
grep interface /etc/samba/smb.conf
# ignore interfaces in samba/register/exclude/interfaces
bind interfaces only = yes
interfaces = lo eth0
Thank you
Kind regards
Jochen
Hey,
thanks. OK, so it’s not the usual cause I was thinking about. Can you please post the full error messages output by the system check module?
m.
Hey,
Yes, of course. Where can I find the log file?
And why does ucr search not work?
After a few checks I found another problem. Fetchmail can’t fetch mails from the T-Online account.
Apr 4 10:15:55 ucs fetchmail[1783]: konnte kanonischen DNS-Namen von popmail.t-online.de (popmail.t-online.de) nicht finden: Der Name oder der Dienst ist nicht bekannt
Might there be a problem with the DNS server?
I can ping popmail.t-online.de as well as any other server.
Kind regards
Jochen
Hey,
with “full output” I meant copy/pasting it from the web interface when you run the diagnostics module.
It does look like a DNS issue, yes. Please show the output of:
ip a
ucr search --brief nameserver
host $(hostname -f)
host popmail.t-online.de 9.9.9.9
Thanks.
m.
Hey,
OK, now I’m on the system with SSH and have no web interface. I will copy it as soon as possible.
Here are the other output lines.
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:f6:2a:c7 brd ff:ff:ff:ff:ff:ff
inet 192.168.76.200/24 brd 192.168.76.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fef6:2ac7/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:80:51:75:21 brd ff:ff:ff:ff:ff:ff
inet 172.17.42.1/16 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:80ff:fe51:7521/64 scope link
valid_lft forever preferred_lft forever
5: vethbb9afc1@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 36:f3:22:69:41:c3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::34f3:22ff:fe69:41c3/64 scope link
valid_lft forever preferred_lft forever
host $(hostname -f)
ucs.technik-auer.intranet has address 192.168.76.200
host popmail.t-online.de 9.9.9.9
Using domain server:
Name: 9.9.9.9
Address: 9.9.9.9#53
Aliases:
popmail.t-online.de has address 194.25.134.114
popmail.t-online.de has address 194.25.134.51
popmail.t-online.de has address 194.25.134.50
popmail.t-online.de has address 194.25.134.115
ucr search doesn’t work.
Oh,
sorry. I forgot to run ucr as root:
sudo ucr search --brief nameserver
dns/nameserver/registration/forward_zone: <empty>
dns/nameserver/registration/reverse_zone: <empty>
nameserver/external: false
nameserver/option/timeout: 2
nameserver1: 192.168.76.200
nameserver2: <empty>
nameserver3: <empty>
sudo ucr search --brief samba/interfaces
samba/interfaces/bindonly: <empty>
samba/interfaces: <empty>
Hey,
so far this looks fine to me. Some more tests, please:
lsof -PniTCP:88 -sTCP:LISTEN
iptables -L INPUT -nv | grep -E ':88|policy'
host popmail.t-online.de
Another thing: does fetchmail always output this message? Or was that maybe a one-off error?
Kind regards,
mosu
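As an added example (not from this thread and not part of UCS), here is a Python script that automates the check behind the three commands above: it parses `ip addr show`, the `interfaces` line of smb.conf and `lsof -PniTCP:88 -sTCP:LISTEN`, and reports every address of a configured Samba interface on which no KDC is listening on TCP/88. The sample input is constructed from the output quoted in this thread.

```python
import re
# Constructed sample input, copied from the command output quoted in this thread.
IP_ADDR_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.76.200/24 brd 192.168.76.255 scope global eth0
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    inet 172.17.42.1/16 scope global docker0
"""
SMB_CONF = "[global]\nbind interfaces only = yes\ninterfaces = lo eth0\n"
LSOF_OUTPUT = """\
samba 21873 root 24u IPv6 144071 0t0 TCP [::1]:88 (LISTEN)
samba 21873 root 34u IPv4 144075 0t0 TCP 127.0.0.1:88 (LISTEN)
samba 21873 root 38u IPv4 144079 0t0 TCP 192.168.76.200:88 (LISTEN)
"""

def interface_addrs(ip_addr_output):
    """Map interface name -> set of IPv4 addresses, parsed from `ip addr show`."""
    addrs, current = {}, None
    for line in ip_addr_output.splitlines():
        head = re.match(r"\d+: ([^:@\s]+)[@:]", line)
        inet = re.match(r"\s*inet (\d+\.\d+\.\d+\.\d+)/", line)
        if head:
            current = head.group(1)
            addrs[current] = set()
        elif inet and current:
            addrs[current].add(inet.group(1))
    return addrs

def samba_interfaces(smb_conf):
    """Return the `interfaces =` list from smb.conf, or None if it is not set."""
    for line in smb_conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "interfaces":
            return value.split()
    return None

def kdc_listeners(lsof_output):
    """IPv4 addresses with a TCP/88 listener, from `lsof -PniTCP:88 -sTCP:LISTEN`."""
    return set(re.findall(r"TCP (\d+\.\d+\.\d+\.\d+):88 \(LISTEN\)", lsof_output))

def check_kdc_binding(ip_addr_output, smb_conf, lsof_output):
    """Addresses of the configured Samba interfaces that have no KDC listening on TCP/88."""
    addrs = interface_addrs(ip_addr_output)
    expected = set()
    # Unset `interfaces` = bind everything; otherwise only the listed names or literal addresses.
    for name in samba_interfaces(smb_conf) or addrs:
        expected |= addrs.get(name, {name} if re.fullmatch(r"[\d.]+", name) else set())
    return sorted(expected - kdc_listeners(lsof_output))
```

An empty result means every address Samba is configured for has a KDC listener; any address listed is one the diagnostics module would report as an unreachable KDC even with the firewall open.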
@Moritz_Bunkus can the problem be related to trustdom?
I’m digging into some errors in the event viewer, and some googling led me to this command:
root@CCMDC01:~# net rpc trustdom list
Unable to find a suitable server for domain CCM
Couldn't connect to domain controller: NT_STATUS_UNSUCCESSFUL
root@CCMDC01:~# net -d3 rpc trustdom establish ccmdc01
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.120.2 bcast=192.168.120.255 netmask=255.255.255.0
interpret_string_addr_internal: getaddrinfo failed for name eth0_0 (flags 32) [Name or service not known]
interpret_interface: Can't find address for eth0_0
interpret_string_addr_internal: getaddrinfo failed for name eth0_1 (flags 32) [Name or service not known]
interpret_interface: Can't find address for eth0_1
name_resolve_bcast: Attempting broadcast lookup for name CCMDC01<0x1b>
Couldn't find domain controller for domain CCMDC01
return code = -1
root@CCMDC01:~#
@Jochen77 can you run the same commands to check the outputs?
Here is the output:
sudo lsof -PniTCP:88 -sTCP:LISTEN
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
samba 21873 root 24u IPv6 144071 0t0 TCP [::1]:88 (LISTEN)
samba 21873 root 34u IPv4 144075 0t0 TCP 127.0.0.1:88 (LISTEN)
samba 21873 root 38u IPv4 144079 0t0 TCP 192.168.76.200:88 (LISTEN)
sudo iptables -L INPUT -nv | grep -E ':88|policy'
Chain INPUT (policy DROP 0 packets, 0 bytes)
589 30960 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:88
13 3315 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:88
host popmail.t-online.de
popmail.t-online.de has address 194.25.134.51
popmail.t-online.de has address 194.25.134.114
popmail.t-online.de has address 194.25.134.115
popmail.t-online.de has address 194.25.134.50
net rpc trustdom list
Enter Administrator's password:
Trusted domains list:
none
Trusting domains list:
none
@codedmind Your problem is completely different to @Jochen77’s.
@Moritz_Bunkus but I also cannot connect to RDP server members…
I’m able to connect to one server (Windows 2008) but I cannot connect to another server (Windows 2016), both in the same network and the same domain…
The fetchmail problem might be on/off:
Now I found the following lines in mail.err:
Apr 5 11:01:29 ucs fetchmail[17292]: Authentifikationsfehlschlag bei buero@xxx.de@popmail.t-online.de (vormals autorisiert)
Apr 5 11:01:32 ucs fetchmail[17292]: Authentifikationsfehlschlag bei werkstatt@xxx.de@popmail.t-online.de (vormals autorisiert)
Here is the screenshot from the web GUI:
It is strange.
Because the W7 client wasn’t reachable by RDP I powered it down this morning. Then I looked into the file permission issue in the picture above and changed the folder to the expected 750. To run the Systemdiagnose again I started the client, and now I could log in locally and with RDP. Nothing else changed. I will test it again in a few hours and give a report.
Kind regards
Jochen
OK, just a short pleasure.
The second time I tried to log in, the same behaviour. “Die lokale Sicherheitsautorität (LSA) ist nicht erreichbar.”
And after a few minutes the RDP session closes.
Kind regards
Jochen
Hi there,
I’ve had exactly the same issue. Solved reproducibly by the following steps, for anyone who is interested:
- Create a local.conf file which is then included in smb.conf:
cat /etc/samba/local.conf
[global]
map untrusted to domain = yes
- ucr commit /etc/samba/smb.conf
- service samba-ad-dc restart
Side note: Running on 4.3-0 errata11, was a 4.2 before.
Side note 2: This also solved the Windows Server 2012 issues reported in this forum with upgraded 4.3 instances which could not access shares correctly anymore.
And you will be a happy puppy with uber-fast connections to RDP and CIFS shares again.
Have fun.
- mike
Hey,
reading the smb.conf man page for map untrusted to domain explains very well why this may help. However, the last paragraphs also state that this is not a long-term solution:
“map untrusted to domain = auto” was added and become the default with Samba 4.7.0. As the option is marked as deprecated it will be removed in a future release, while the behavior of “map untrusted to domain = auto” will be kept.
“auto” is what seems to be slow in Samba 4.7. So here’s to hoping the Samba developers can either do something about the big delays with “auto”, or they reconsider removing the option altogether.
Kind regards,
mosu