Problem with LDAP/SMB sync on two UCS'

onex · July 18, 2017, 9:13am

Hello,

the last days I notices problems with answers from our servers to dns queries.
I created new entries on our master, which could be resolved from our slave.
Then I started digging (in the dirt) and found out, that there seams to be certificate problems on our slave with samba and ldap.
On the master I get the following output, when I ran the command univention-s4search cn=master msDS-KeyVersionNumber

# record 1
dn: CN=MASTER,OU=Domain Controllers,DC=onex,DC=local
msDS-KeyVersionNumber: 40

# Referral
ref: ldap://onex.local/CN=Configuration,DC=onex,DC=local

# Referral
ref: ldap://onex.local/DC=DomainDnsZones,DC=onex,DC=local

# Referral
ref: ldap://onex.local/DC=ForestDnsZones,DC=onex,DC=local

# returned 4 records
# 1 entries
# 3 referrals

on the slave I get this output:

WARNING: The "syslog" option is deprecated
TLS failed to missing crlfile  - with 'tls verify peer = as_strict_as_possible'
Failed to connect to ldap URL 'ldaps://datengrube.onex.local' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
Failed to connect to 'ldaps://datengrube.onex.local' with backend 'ldaps': (null)
Failed to connect to ldaps://datengrube.onex.local - (null)

I tried setting the ucr variable
ucr set samba/tls/verify/peer="ca_and_name"
and noticed no changes to /etc/samba/smb.conf, so I edited the config and restartet samba for testing.
Now, the certificate-warning is gone, but smb-authentication doesn’t work.

I tried a rejoin of the slave, but without any changes, so I’m a little bit confused and don’t know, what to check next.
As this slave is a backup domain controller, we have massive authentication problems in our network, so any help to fix this issue would be fine.

Thanks in advance,
Christian.

Update:
After unsetting tls verify peer in the config and resetting, with service restarts between, I get this error:

WARNING: The "syslog" option is deprecated
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -  <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
Failed to connect to 'ldaps://datengrube.onex.local' with backend 'ldaps': (null)
Failed to connect to ldaps://datengrube.onex.local - (null)

onex · July 20, 2017, 2:50pm

No one has any idea? Do I really have to open a support ticket?

Gohmann · July 22, 2017, 9:52am

So, you have a Master and a Slave, both with Samba 4. On the Master, univention-samba4 works and on the Slave it doesn’t work and you have already successfully rejoined the Slave. Right?

Can you post your TLS settings:
testparm -vs | grep tls

And a search with debug, for example:
univention-s4search -s base dn -d 12

onex · July 24, 2017, 7:48am

Hi,

on the master, testparm outputs:

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[LexmarkW840]"
Processing section "[Phaser8400DP]"
Processing section "[TASKalfa250ci]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.

WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_ACTIVE_DIRECTORY_DC

	ldap server require strong auth = allow_sasl_over_tls
	ldap ssl = start tls
	tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
	tls certfile = /etc/univention/ssl/master.onex.local/cert.pem
	tls crlfile = 
	tls dh params file = 
	tls enabled = Yes
	tls keyfile = /etc/univention/ssl/master.onex.local/private.key
	tls priority = NORMAL:-VERS-SSL3.0
	tls verify peer = ca_and_name

on the slave, I have this output:

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[images]"
Processing section "[firma]"
Processing section "[projects]"
Processing section "[unterlagen]"
Processing section "[tmp]"
Processing section "[websites]"
Processing section "[all]"
Processing section "[library]"
Processing section "[development]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.

Server role: ROLE_ACTIVE_DIRECTORY_DC

	ldap ssl = start tls
	tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
	tls certfile = /etc/univention/ssl/datengrube.onex.local/cert.pem
	tls crlfile = 
	tls dh params file = 
	tls enabled = Yes
	tls keyfile = /etc/univention/ssl/datengrube.onex.local/private.key
	tls priority = NORMAL:-VERS-SSL3.0
	tls verify peer = as_strict_as_possible

I do not understand, why tls verify peer is set to ca_and_name on the master and as_strict_as_possible on the slave.

On both servers, the UCR variable samba/tls/verify/peer is empty.

univention-s4search -s base dn -d 12 outputs on the master:

pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Security token SIDs (1):
  SID[  0]: S-1-5-18
 Privileges (0xFFFFFFFFFFFFFFFF):
  Privilege[  0]: SeMachineAccountPrivilege
  Privilege[  1]: SeTakeOwnershipPrivilege
  Privilege[  2]: SeBackupPrivilege
  Privilege[  3]: SeRestorePrivilege
  Privilege[  4]: SeRemoteShutdownPrivilege
  Privilege[  5]: SePrintOperatorPrivilege
  Privilege[  6]: SeAddUsersPrivilege
  Privilege[  7]: SeDiskOperatorPrivilege
  Privilege[  8]: SeSecurityPrivilege
  Privilege[  9]: SeSystemtimePrivilege
  Privilege[ 10]: SeShutdownPrivilege
  Privilege[ 11]: SeDebugPrivilege
  Privilege[ 12]: SeSystemEnvironmentPrivilege
  Privilege[ 13]: SeSystemProfilePrivilege
  Privilege[ 14]: SeProfileSingleProcessPrivilege
  Privilege[ 15]: SeIncreaseBasePriorityPrivilege
  Privilege[ 16]: SeLoadDriverPrivilege
  Privilege[ 17]: SeCreatePagefilePrivilege
  Privilege[ 18]: SeIncreaseQuotaPrivilege
  Privilege[ 19]: SeChangeNotifyPrivilege
  Privilege[ 20]: SeUndockPrivilege
  Privilege[ 21]: SeManageVolumePrivilege
  Privilege[ 22]: SeImpersonatePrivilege
  Privilege[ 23]: SeCreateGlobalPrivilege
  Privilege[ 24]: SeEnableDelegationPrivilege
 Rights (0x               0):
added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=2a01:4d80:1258:250::6 bcast= netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.250.6 bcast=192.168.250.255 netmask=255.255.255.0
added interface eth1 ip=2a01:4d80:1258:249::6 bcast= netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.249.6 bcast=192.168.249.255 netmask=255.255.255.0
added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=2a01:4d80:1258:250::6 bcast= netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.250.6 bcast=192.168.250.255 netmask=255.255.255.0
added interface eth1 ip=2a01:4d80:1258:249::6 bcast= netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=192.168.249.6 bcast=192.168.249.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name master.onex.local<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 254
Received smb_krb5 packet of length 1327
kinit for master$@ONEX.LOCAL succeeded
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will have no cryptographic protection
# record 1
dn: DC=onex,DC=local

# returned 1 records
# 1 entries
# 0 referrals

and on the slave:

pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Security token SIDs (1):
  SID[  0]: S-1-5-18
 Privileges (0xFFFFFFFFFFFFFFFF):
  Privilege[  0]: SeMachineAccountPrivilege
  Privilege[  1]: SeTakeOwnershipPrivilege
  Privilege[  2]: SeBackupPrivilege
  Privilege[  3]: SeRestorePrivilege
  Privilege[  4]: SeRemoteShutdownPrivilege
  Privilege[  5]: SePrintOperatorPrivilege
  Privilege[  6]: SeAddUsersPrivilege
  Privilege[  7]: SeDiskOperatorPrivilege
  Privilege[  8]: SeSecurityPrivilege
  Privilege[  9]: SeSystemtimePrivilege
  Privilege[ 10]: SeShutdownPrivilege
  Privilege[ 11]: SeDebugPrivilege
  Privilege[ 12]: SeSystemEnvironmentPrivilege
  Privilege[ 13]: SeSystemProfilePrivilege
  Privilege[ 14]: SeProfileSingleProcessPrivilege
  Privilege[ 15]: SeIncreaseBasePriorityPrivilege
  Privilege[ 16]: SeLoadDriverPrivilege
  Privilege[ 17]: SeCreatePagefilePrivilege
  Privilege[ 18]: SeIncreaseQuotaPrivilege
  Privilege[ 19]: SeChangeNotifyPrivilege
  Privilege[ 20]: SeUndockPrivilege
  Privilege[ 21]: SeManageVolumePrivilege
  Privilege[ 22]: SeImpersonatePrivilege
  Privilege[ 23]: SeCreateGlobalPrivilege
  Privilege[ 24]: SeEnableDelegationPrivilege
 Rights (0x               0):
TLS failed to missing crlfile  - with 'tls verify peer = as_strict_as_possible'
Failed to connect to ldap URL 'ldaps://datengrube.onex.local' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
Failed to connect to 'ldaps://datengrube.onex.local' with backend 'ldaps': (null)
Failed to connect to ldaps://datengrube.onex.local - (null)

onex · August 3, 2017, 2:39pm

For all users with a similar problem:

The problem was an old, not updated samba-template.

cp /etc/univention/templates/files/etc/samba/smb.conf.d/10global.dpkg-dist /etc/univention/templates/files/etc/samba/smb.conf.d/10global
ucr commit /etc/samba/smb.conf
/etc/init.d/samba-ad-dc restart

did the trick, now everything works perfect.
My special thanks goes to Stefan Gohmann (Univention Support Team)