No RDP connection to domain computers

UCS - Univention Corporate Server
#1

Hello,

since a few days i have a problem to connect to a Win7 Domain Computer with RDP.

The RDP Client shows “Authentifizierungsfehler, die lokale Sicherheitsauthorität (LSA) ist nicht ereichbar.”

The event log on the W7 PC is clean.

Because of the very low performance of the UCS-Server i did a reboot. The performance is o.k. now but the issue is still there. It is a 4.3 UCS server on a ESXI VM.

Then i run the “System Diagnose” in the UCS Webinterface. Here i can see one failure: “KDC Erreichbarkeit kritisch. Die folgenden KDCs waren nicht erreichbar: tcp … udp … Keine erreichbaren KDCs gefunden.”

What step shoud i go to find what’s wrong?

Kind regards

Jochen

#2

Hey,

can you please show the output of the following commands from your DC Master:

  • ip addr show
  • ucr search --brief samba/interfaces
  • grep interface /etc/samba/smb.conf

Thanks.

Kind regards,
mosu

#3

Hi,

here are the output lines:

ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:f6:2a:c7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.76.200/24 brd 192.168.76.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fef6:2ac7/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:80:51:75:21 brd ff:ff:ff:ff:ff:ff
    inet 172.17.42.1/16 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:80ff:fe51:7521/64 scope link
       valid_lft forever preferred_lft forever
5: vethbb9afc1@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 36:f3:22:69:41:c3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::34f3:22ff:fe69:41c3/64 scope link
       valid_lft forever preferred_lft forever

ucr search --brief samba/interfaces
-bash: ucr: Kommando nicht gefunden.

grep interface /etc/samba/smb.conf
        # ignore interfaces in samba/register/exclude/interfaces
        bind interfaces only = yes
        interfaces = lo eth0

Thank you
Kind regards

Jochen

#4

Hey,

thanks. OK, so it’s not the usual cause I was thinking about. Can you please post the full error messages output by the system check module?

m.

#5

Hey,

yes of course. Where can i find the log file?

And why does ucr search not work?

After a few checks i found another problem. Fetchmail can’t fetch mails from the t-online account.

Apr  4 10:15:55 ucs fetchmail[1783]: konnte kanonischen DNS-Namen von popmail.t-online.de (popmail.t-online.de) nicht finden: Der Name oder der Dienst ist nicht bekannt

Might there be a problmem with the DNS Server?

I can ping popmail.t-online.de as well as any other server.

Kind regards

Jochen

#6

Hey,

with “full output” I meant copy/pasting it from the web interface when you run the diagnostics module.

It does look like a DNS issue, yes. Please show the output of:

  • ip a
  • ucr search --brief nameserver
  • host $(hostname -f)
  • host popmail.t-online.de 9.9.9.9

Thanks.

m.

#7

Hey,

o.k now i’m on the system with ssh and have no webinterface. I will copy it as soon as possible.

Here are the other output lines.

 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:f6:2a:c7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.76.200/24 brd 192.168.76.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fef6:2ac7/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:80:51:75:21 brd ff:ff:ff:ff:ff:ff
    inet 172.17.42.1/16 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:80ff:fe51:7521/64 scope link
       valid_lft forever preferred_lft forever
5: vethbb9afc1@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 36:f3:22:69:41:c3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::34f3:22ff:fe69:41c3/64 scope link
       valid_lft forever preferred_lft forever

host $(hostname -f)
ucs.technik-auer.intranet has address 192.168.76.200

host popmail.t-online.de 9.9.9.9
Using domain server:
Name: 9.9.9.9
Address: 9.9.9.9#53
Aliases:

popmail.t-online.de has address 194.25.134.114
popmail.t-online.de has address 194.25.134.51
popmail.t-online.de has address 194.25.134.50
popmail.t-online.de has address 194.25.134.115

ucr sarch doesn’t work.

#8

Oh,

sorry. I forgot to run ucr as root:

sudo ucr search --brief nameserver
dns/nameserver/registration/forward_zone: <empty>
dns/nameserver/registration/reverse_zone: <empty>
nameserver/external: false
nameserver/option/timeout: 2
nameserver1: 192.168.76.200
nameserver2: <empty>
nameserver3: <empty>

sudo ucr search --brief samba/interfaces
samba/interfaces/bindonly: <empty>
samba/interfaces: <empty>
#9

Hey,

so far this looks fine to me. Some more tests, please:

  • lsof -PniTCP:88 -sTCP:LISTEN
  • iptables -L INPUT -nv | grep -E ':88|policy'
  • host popmail.t-online.de

Another thing: does fetchmail always output this message? Or was that maybe a one-off error?

Kind regards,
mosu

#10

@Moritz_Bunkus can the problem be related with trustdom?

I’m digging some errors and in event viewer and some google let me to this command

root@CCMDC01:~# net rpc trustdom list
Unable to find a suitable server for domain CCM
Couldn't connect to domain controller: NT_STATUS_UNSUCCESSFUL
root@CCMDC01:~# net -d3 rpc trustdom establish ccmdc01
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.120.2 bcast=192.168.120.255 netmask=255.255.255.0
interpret_string_addr_internal: getaddrinfo failed for name eth0_0 (flags 32) [Name or service not known]
interpret_interface: Can't find address for eth0_0
interpret_string_addr_internal: getaddrinfo failed for name eth0_1 (flags 32) [Name or service not known]
interpret_interface: Can't find address for eth0_1
name_resolve_bcast: Attempting broadcast lookup for name CCMDC01<0x1b>
Couldn't find domain controller for domain CCMDC01
return code = -1
root@CCMDC01:~#

@Jochen77 can you run the same commands to check the outputs?

#11

Here is the output:

sudo lsof -PniTCP:88 -sTCP:LISTEN
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
samba   21873 root   24u  IPv6 144071      0t0  TCP [::1]:88 (LISTEN)
samba   21873 root   34u  IPv4 144075      0t0  TCP 127.0.0.1:88 (LISTEN)
samba   21873 root   38u  IPv4 144079      0t0  TCP 192.168.76.200:88 (LISTEN)

sudo iptables -L INPUT -nv | grep -E ':88|policy'
Chain INPUT (policy DROP 0 packets, 0 bytes)
  589 30960 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:88
   13  3315 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:88

host popmail.t-online.de
popmail.t-online.de has address 194.25.134.51
popmail.t-online.de has address 194.25.134.114
popmail.t-online.de has address 194.25.134.115
popmail.t-online.de has address 194.25.134.50
#12 
net rpc trustdom list
Enter Administrator's password:
Trusted domains list:

none

Trusting domains list:

none
#13

@codedmind Your problem is completely different to @Jochen77’s.

#14

@Moritz_Bunkus but i also cannot connect to RDP server members…
I’m able to connect to one server (windows 2008) but i cannot connect to other server (windows 2016), both in same network, and same domain…

#15

The fetchmail problem might be on/off:

now i found the following line in mail.err:

Apr  5 11:01:29 ucs fetchmail[17292]: Authentifikationsfehlschlag bei buero@xxx.de@popmail.t-online.de (vormals autorisiert)
Apr  5 11:01:32 ucs fetchmail[17292]: Authentifikationsfehlschlag bei werkstatt@xxx.de@popmail.t-online.de (vormals autorisiert)
#16

Here is the screenshot form the webgui:

Zwischenablage03

#17

It is strange.

Because the W7 Client wasn’t reachable by RDP i powered it down this morning. Then i looked after the file right issue in the picture above and chaned the folder to the expected 750. To run the Systemdiagnose again i started the client and now i could login local and with RDP. Nothing else changed. I will test it again in a few hours and give a report.

Kind regards

Jochen

#18

O.K. just a short pleasure.

The second time i tried to log in the same behaviour. “Die lokale Sicherheitsautorität (LSA) ist nicht erreichbar.”

And after ater a few minutes the RDP session closes.

Kind regrads

Jochen

#19

Hi there,

I’ve had exactly the same issue. Solved reproducably by the following steps for anyone who is interested:

  1. Create a local.conf file which is then included in smb.conf:

cat /etc/samba/local.conf
[global]
map untrusted to domain = yes

  1. ucr commit /etc/samba/smb.conf
  2. service samba-ad-dc restart

Side note: Running on 4.3-0 errata11, was a 4.2 before.
Side note 2: This also solved in this forum reported Windows Server 2012 issues with upgraded 4.3 instances which could not access shares correctly anymore.

And you will be a happy puppy with uber-fast connections to RDP and CIFS shares again.

Have fun.

- mike

2 Likes
UCS 4.3 Remotedesktop
#20

Hey,

reading the smb.conf man page for map untrusted to domain explains very well why this may help. However, the last paragraphs also state that this is not a long-term solution:

“map untrusted to domain = auto” was added and become the default with Samba 4.7.0. As the option is marked as deprecated it will be removed in a future release, while the behavior of “map untrusted to domain = auto” will be kept.

“auto” is what seems to be slow in Samba 4.7. So here’s to hoping the Samba developers can either do something about the big delays with “auto”, or they reconsider removing the option altogether.

Kind regards,
mosu

Mastodon