Samba4 DC master not working


#1

Hello,
my DC master has a massive problem with Samba. First I noticed that logging in to Nagios no longer works. While troubleshooting I discovered that 2 join scripts are pending

97univention-s4-connector ausstehend
98univention-samba4-dns ausstehend

Running the join scripts does not work. I could not make sense of the errors in the log file, so I tried to get further via the console, with the following result:

root@thhoe108:~# samba-tool drs kcc
Could not find machine account in secrets database: Failed to fetch machine account password for THHOE from both secrets.ldb (Could not find entry to match filter: '(&(flatname=THHOE)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at …/source4/dsdb/common/util.c:4576) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Failed to connect host 127.0.1.1 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 127.0.1.1 (thhoe108.thhoe.lan) on port 135 - NT_STATUS_CONNECTION_REFUSED.
Failed to connect host 127.0.1.1 on port 1024 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 127.0.1.1 (thhoe108.thhoe.lan) on port 1024 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to thhoe108.thhoe.lan failed - drsException: DRS connection to thhoe108.thhoe.lan failed: (-1073741790, 'Access denied')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 41, in drsuapi_connect
(ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
raise drsException("DRS connection to %s failed: %s" % (server, e))
root@thhoe108:~#

After that I re-ran all join scripts. That did not change anything, though.

What can I do to repair this?

Thomas


#2

Hi,

that looks pretty badly broken. You can try having Samba4 completely re-provisioned. In doing so, the current contents of the Samba4 files are discarded and regenerated from the data in OpenLDAP.

Univention has written a knowledge base article on how to do that.

It makes sense to create a full backup of the server beforehand.

Regards,
mosu


#3

Hello,

but maybe someone else here :slight_smile:


#4

Here are the log entries:

univention-run-join-scripts started
Di 17. Okt 10:17:58 CEST 2017
RUNNING 97univention-s4-connector.inst
2017-10-17 10:17:58.758134005+02:00 (in joinscript_init)
17.10.17 10:18:00.167 DEBUG_INIT
UNIVENTION_DEBUG_BEGIN : uldap.__open host=thhoe108.thhoe.lan port=7389 base=dc=thhoe,dc=lan
UNIVENTION_DEBUG_END : uldap.__open host=thhoe108.thhoe.lan port=7389 base=dc=thhoe,dc=lan
Not updating connector/s4/ldap/host
Not updating connector/s4/ldap/base
Not updating connector/s4/ldap/ssl
Not updating connector/s4/mapping/group/language
Not updating connector/s4/ldap/protocol
Not updating connector/s4/ldap/socket
Object exists: cn=gPLink,cn=custom attributes,cn=univention,dc=thhoe,dc=lan
Object exists: cn=Builtin,dc=thhoe,dc=lan
Object exists: cn=System,dc=thhoe,dc=lan
Object exists: cn=Policies,cn=System,dc=thhoe,dc=lan
Object exists: ou=Domain Controllers,dc=thhoe,dc=lan
Object exists: cn=WMIPolicy,cn=System,dc=thhoe,dc=lan
Object exists: cn=SOM,cn=WMIPolicy,cn=System,dc=thhoe,dc=lan
Object exists: cn=ldapschema,cn=univention,dc=thhoe,dc=lan
INFO: No change of core data of object msgpo.
INFO: No change of core data of object mswmi.
Object exists: cn=udm_module,cn=univention,dc=thhoe,dc=lan
INFO: No change of core data of object container/msgpo.
No modification: cn=msgpo,cn=ldapschema,cn=univention,dc=thhoe,dc=lan
No modification: cn=mswmi,cn=ldapschema,cn=univention,dc=thhoe,dc=lan
No modification: cn=container/msgpo,cn=udm_module,cn=univention,dc=thhoe,dc=lan
Waiting for activation of the extension object msgpo: OK
Waiting for activation of the extension object mswmi: OK
Waiting for activation of the extension object container/msgpo: OK
Waiting for file /usr/share/pyshared/univention/admin/handlers/container/msgpo.py: OK
Terminating running univention-cli-server processes.
Object exists: cn=udm_module,cn=univention,dc=thhoe,dc=lan
INFO: No change of core data of object settings/mswmifilter.
No modification: cn=settings/mswmifilter,cn=udm_module,cn=univention,dc=thhoe,dc=lan
Waiting for activation of the extension object settings/mswmifilter: OK
Waiting for file /usr/share/pyshared/univention/admin/handlers/settings/mswmifilter.py: OK
Terminating running univention-cli-server processes.
Object exists: cn=ldapschema,cn=univention,dc=thhoe,dc=lan
INFO: No change of core data of object msprintconnectionpolicy.
Object exists: cn=udm_module,cn=univention,dc=thhoe,dc=lan
INFO: No change of core data of object settings/msprintconnectionpolicy.
No modification: cn=msprintconnectionpolicy,cn=ldapschema,cn=univention,dc=thhoe,dc=lan
No modification: cn=settings/msprintconnectionpolicy,cn=udm_module,cn=univention,dc=thhoe,dc=lan
Waiting for activation of the extension object msprintconnectionpolicy: OK
Waiting for activation of the extension object settings/msprintconnectionpolicy: OK
Waiting for file /usr/share/pyshared/univention/admin/handlers/settings/msprintconnectionpolicy.py: OK
Terminating running univention-cli-server processes.
Samba4 does not seem to be provisioned, exiting /usr/lib/univention-install/97univention-s4-connector.inst
EXITCODE=1
RUNNING 98univention-samba4-dns.inst
2017-10-17 10:18:15.128844852+02:00 (in joinscript_init)
Samba4 backend database not available yet, exiting joinscript 98univention-samba4-dns.
EXITCODE=1
Di 17. Okt 10:18:16 CEST 2017
univention-run-join-scripts finished

The procedure from the knowledge base article did not help.
The last thing I get is

root@thhoe108:~# ldbedit -H /var/lib/samba/private/sam.ldb CN="RID Set" -b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)"
no matching records - cannot edit
root@thhoe108:~#
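
A join log like the one in the post above can be reduced to the scripts that failed and the last message each one wrote. This is an added example, not part of the original post and not Univention's own tooling. It assumes every block starts with `RUNNING <script>` and ends with `EXITCODE=<n>`, as in that log; the function names and the `96example-ok.inst` block are constructed.

```shell
#!/usr/bin/env bash
# Added example: list join scripts that exited non-zero, together with the
# last message each one logged before its EXITCODE= line.
# Assumption: every block starts with "RUNNING <script>" and ends with
# "EXITCODE=<n>", as in the log quoted in the post above.

failed_joinscripts() {
    # Reads the join log from the file(s) given as arguments, or from stdin.
    # Prints one line per failed script:
    #   <script> TAB <exit code> TAB <last message>
    awk '
        /^RUNNING / { script = $2; last = ""; next }
        /^EXITCODE=/ {
            code = substr($0, 10)          # text after "EXITCODE="
            if (script != "" && code != "0")
                printf "%s\t%s\t%s\n", script, code, last
            script = ""
            next
        }
        # Remember the most recent non-empty line inside a script block.
        script != "" && NF { last = $0 }
    ' "$@"
}

sample_join_log() {
    # Sample input: lines taken from the log above, plus one constructed
    # successful block (96example-ok.inst is a placeholder name).
    cat <<'EOF'
univention-run-join-scripts started
RUNNING 96example-ok.inst
constructed line: nothing to do
EXITCODE=0
RUNNING 97univention-s4-connector.inst
2017-10-17 10:17:58.758134005+02:00 (in joinscript_init)
Not updating connector/s4/ldap/host
Terminating running univention-cli-server processes.
Samba4 does not seem to be provisioned, exiting /usr/lib/univention-install/97univention-s4-connector.inst
EXITCODE=1
RUNNING 98univention-samba4-dns.inst
2017-10-17 10:18:15.128844852+02:00 (in joinscript_init)
Samba4 backend database not available yet, exiting joinscript 98univention-samba4-dns.
EXITCODE=1
univention-run-join-scripts finished
EOF
}

# Stand-alone demonstration on the embedded sample.
sample_join_log | failed_joinscripts
```

On a real system, pass the path of the join log as the argument instead of piping the sample.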


#5

That doesn't sound very good. The original problem may be a failed server password change:
Manually trigger server password change

Otherwise, please post the output of the following (these are scripts that test the state of the server):

curl -OOs https://updates.software-univention.de/download/univention-system-check/univention-system-check.tar.gz{,.gpg}
gpgv --keyring /usr/share/keyrings/univention-archive-key-ucs-4x.gpg \
     univention-system-check.tar.gz.gpg univention-system-check.tar.gz && \
tar -xzf  univention-system-check.tar.gz

python ./univention-system-check

#6

Hello,

I was not able to respond over the last few days. Last week I also restored a backup, but I still have problems with it.
I changed the password. The log says: "Modified 1 records successfully
Changed password OK"

running [basic] - OK - univention_ldapsearch_machine_basic.sh
running [basic] - OK - joinstatus.sh
running [basic] - OK - secure_apt_is_activated.sh
running [basic] - OK - package_status.sh
running [basic] - OK - univention_ldapsearch_machine_kerberos.sh
running [basic] - OK - check_nagios_status.py
running [basic] - OK - check_for_dockerd_process.sh
running [basic] - OK - check_for_ntpd_process.sh
running [dns] - OK - forward_and_reverse_dns_kdc.sh
running [dns] - OK - forward_dns_myself.sh
running [listener] - OK - all_handlers_initialized.sh
running [listener] - OK - replication.sh
running [samba] - OK - check_guid_msdcs_dns_alias.sh
running [samba] - OK - check_s4_connector_autostart.sh
running [samba] - OK - check_winbind_idmap_range.sh
running [samba] - OK - check_for_temporary_udm_sids.sh
running [samba] - OK - check_s4_connector_listener_active.sh
running [samba] - OK - cn_idmap_exists.sh
running [samba] - OK - check_msds_keyversionnumber.sh
running [samba] - OK - krbtgt_has_rid_502.sh
running [samba] - OK - cn_system_exists_only_once.sh
running [samba] - OK - check_samba_processes.sh
running [samba] - OK - no_3000_mapping_in_net_cache.sh
running [samba] - OK - check_ddns_update.sh
running [samba] - OK - check_s4_connector_rejects.sh
running [samba] - OK - testjoin.sh
running [samba] - OK - check_smbclient_via_krb5_keytab.sh
running [samba] - OK - maximum_password_age_smaller_999.sh
running [samba] - FAILED - hosts_sids_equal_in_ucs_and_samba.sh
running [samba] - OK - master_is_member_of_enterprise_domain_controllers.sh
running [samba] - OK - check_samba_drs_replication.sh
running [samba] - OK - wbinfo_checks.sh
running [samba] - OK - disabled_drsuapi_adtakeover_incomplete.sh

The system diagnosis in UMC reports that Kerberos is not reachable. Which test is called there?

Thomas


#7

I forgot one line:

Test failed: univention-system-check.d/samba/hosts_sids_equal_in_ucs_and_samba.sh, Impact: SID mismatch between ucs and samba my cause permission problems


#8

A few more commands to narrow down the problem:

univention-s4search -s base dn
samba-tool processes
nmap $(hostname)
univention-s4connector-list-rejected
testparm -vs

Are there multiple Samba DCs in the environment?


#9

Hello,

the error now presents itself differently.

root@thhoe108:~# samba-tool drs kcc
Consistency check on thhoe108.thhoe.lan successful.
root@thhoe108:~#

In the UMC system diagnosis I get:

Die folgenden KDCs waren nicht erreichbar: tcp thhoe108.thhoe.lan:88, udp thhoe108.thhoe.lan:88 Keine erreichbaren KDCs gefunden.
root@thhoe108:~# univention-s4search -s base dn
# record 1
dn: DC=thhoe,DC=lan

# returned 1 records
# 1 entries
# 0 referrals
root@thhoe108:~#
root@thhoe108:~# samba-tool processes
 Service:                PID
-----------------------------
dnsupdate               1128
cldap_server            1120
rpc_server            18446744073709551615
winbind_server          1133
wrepl_server            1117
kdc_server              1121
notify-daemon           1173
ldap_server             1118
ldap_server             1118
kccsrv                  1126
samba                   1126
dreplsrv                1122
root@thhoe108:~#
root@thhoe108:~# nmap $(hostname)

Starting Nmap 7.40 ( https://nmap.org ) at 2017-10-26 08:23 CEST
Nmap scan report for thhoe108 (192.168.0.108)
Host is up (0.000010s latency).
rDNS record for 192.168.0.108: thhoe108.thhoe.lan
Not shown: 980 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
42/tcp   open  nameserver
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
111/tcp  open  rpcbind
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
443/tcp  open  https
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
636/tcp  open  ldapssl
749/tcp  open  kerberos-adm
1024/tcp open  kdm
1025/tcp open  NFS-or-IIS
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5666/tcp open  nrpe
6669/tcp open  irc

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
root@thhoe108:~#
root@thhoe108:~# univention-s4connector-list-rejected

UCS rejected


S4 rejected


There may be no rejected DNs if the connector is in progress, to be
sure stop the connector before running this script.


        last synced USN: 5126
root@thhoe108:~#

root@thhoe108:~# testparm -vs
Load smb config files from /etc/samba/smb.conf
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.

Server role: ROLE_ACTIVE_DIRECTORY_DC

# Global parameters
[global]
        bind interfaces only = Yes
        config backend = file
        dos charset = CP850
        enable core files = Yes
        interfaces = lo eth0
        multicast dns register = Yes
        netbios aliases =
        netbios name = THHOE108
        netbios scope =
        realm = THHOE.LAN
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        server string = Univention Corporate Server
        share backend = classic
        unix charset = UTF-8
        workgroup = THHOE
        browse list = Yes
        domain master = Yes
        enhanced browsing = Yes
        lm announce = Auto
        lm interval = 60
        local master = Yes
        os level = 20
        preferred master = Yes
        allow dns updates = secure only
        dns forwarder =
        dns update command = /usr/sbin/samba_dnsupdate
        machine password timeout = 0
        nsupdate command = /usr/bin/nsupdate -g
        rndc command = /usr/sbin/rndc
        spn update command = /usr/sbin/samba_spnupdate
        mangle prefix = 1
        mangling method = hash2
        max stat cache size = 256
        stat cache = Yes
        client ldap sasl wrapping = sign
        ldap admin dn =
        ldap connection timeout = 2
        ldap delete dn = No
        ldap deref = auto
        ldap follow referral = Auto
        ldap group suffix =
        ldap idmap suffix =
        ldap machine suffix =
        ldap page size = 1000
        ldap passwd sync = no
        ldap replication sleep = 1000
        ldap server require strong auth = allow_sasl_over_tls
        ldap ssl = start tls
        ldap ssl ads = No
        ldap suffix =
        ldap timeout = 15
        ldap user suffix =
        lock spin time = 200
        oplock break wait time = 0
        smb2 leases = Yes
        debug class = No
        debug hires timestamp = Yes
        debug pid = Yes
        debug prefix timestamp = No
        debug uid = No
        ldap debug level = 0
        ldap debug threshold = 10
        log file =
        logging = file
        log level = 2
        max log size = 0
        syslog = 1
        syslog only = No
        timestamp logs = Yes
        abort shutdown script =
        add group script =
        add machine script =
        add user script =
        add user to group script =
        allow nt4 crypto = No
        delete group script =
        delete user from group script =
        delete user script =
        domain logons = No
        enable privileges = Yes
        init logon delay = 100
        init logon delayed hosts =
        logon drive = U:
        logon home = \\thhoe106\%U
        logon path = \\thhoe106\%U\windows-profiles\%a
        logon script =
        reject md5 clients = No
        set primary group script =
        shutdown script =
        add share command =
        afs token lifetime = 604800
        afs username map =
        allow insecure wide links = No
        async smb echo handler = No
        auto services =
        cache directory = /var/cache/samba
        change notify = Yes
        change share command =
        cluster addresses =
        clustering = No
        config file =
        ctdbd socket =
        ctdb locktime warn threshold = 0
        ctdb timeout = 0
        default service =
        delete share command =
        homedir map = auto.home
        kernel change notify = Yes
        lock directory = /var/run/samba
        log writeable files on exit = No
        message command =
        nbt client socket address = 0.0.0.0
        ncalrpc dir = /var/run/samba/ncalrpc
        NIS homedir = No
        nmbd bind explicit broadcast = Yes
        panic action =
        perfcount module =
        pid directory = /var/run/samba
        registry shares = No
        remote announce =
        remote browse sync =
        reset on zero vc = No
        smbd profiling level = off
        state directory = /var/lib/samba
        usershare allow guests = No
        usershare max shares = 0
        usershare owner only = Yes
        usershare path = /var/lib/samba/usershares
        usershare prefix allow list =
        usershare prefix deny list =
        usershare template share =
        utmp = No
        utmp directory =
        wtmp directory =
        addport command =
        addprinter command =
        cups connection timeout = 30
        cups encrypt = No
        cups server =
        deleteprinter command =
        disable spoolss = No
        enumports command =
        iprint server =
        load printers = Yes
        lpq cache time = 30
        os2 driver map =
        printcap cache time = 750
        printcap name =
        show add printer wizard = Yes
        cldap port = 389
        client ipc max protocol = default
        client ipc min protocol = default
        client max protocol = default
        client min protocol = CORE
        client use spnego = Yes
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
        defer sharing violations = Yes
        dgram port = 138
        disable netbios = No
        enable asu support = No
        eventlog list =
        large readwrite = Yes
        lsa over netlogon = No
        max mux = 50
        max ttl = 259200
        max wins ttl = 518400
        max xmit = 65535
        min receivefile size = 0
        min wins ttl = 21600
        name resolve order = wins host bcast
        nbt port = 137
        nt pipe support = Yes
        nt status support = Yes
        read raw = Yes
        rpc big endian = No
        rpc server port = 0
        server max protocol = SMB3
        server min protocol = LANMAN1
        server multi channel support = No
        smb2 max credits = 8192
        smb2 max read = 8388608
        smb2 max trans = 8388608
        smb2 max write = 8388608
        smb ports = 445 139
        svcctl list =
        time server = No
        unicode = Yes
        unix extensions = Yes
        use spnego = Yes
        web port = 901
        write raw = Yes
        algorithmic rid base = 1000
        allow dcerpc auth level connect = No
        allow trusted domains = Yes
        auth methods =
        check password script =
        client ipc signing = default
        client lanman auth = No
        client NTLMv2 auth = Yes
        client plaintext auth = No
        client schannel = Auto
        client signing = default
        client use spnego principal = No
        dedicated keytab file =
        encrypt passwords = Yes
        guest account = nobody
        kerberos encryption types = all
        kerberos method = default
        kpasswd port = 464
        krb5 port = 88
        lanman auth = No
        log nt token command =
        map to guest = Bad User
        map untrusted to domain = No
        ntlm auth = Yes
        ntp signd socket directory = /var/lib/samba/ntp_signd
        null passwords = No
        obey pam restrictions = Yes
        old password allowed period = 60
        pam password change = No
        passdb backend = samba_dsdb
        passdb expand explicit = No
        passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
        passwd chat debug = No
        passwd chat timeout = 2
        passwd program =
        password hash gpg key ids =
        password server = *
        preload modules =
        private dir = /var/lib/samba/private
        raw NTLMv2 auth = No
        rename user script =
        restrict anonymous = 0
        root directory =
        samba kcc command = /usr/sbin/samba_kcc
        security = AUTO
        server role = active directory domain controller
        server schannel = Auto
        server signing = default
        smb passwd file = /etc/samba/smbpasswd
        tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
        tls certfile = /etc/univention/ssl/thhoe108.thhoe.lan/cert.pem
        tls crlfile =
        tls dh params file =
        tls enabled = Yes
        tls keyfile = /etc/univention/ssl/thhoe108.thhoe.lan/private.key
        tls priority = NORMAL:-VERS-SSL3.0
        tls verify peer = ca_and_name
        unix password sync = No
        username level = 0
        username map =
        username map cache time = 0
        username map script =
        aio max threads = 100
        deadtime = 15
        getwd cache = Yes
        hostname lookups = No
        keepalive = 300
        max disk size = 0
        max open files = 32808
        max smbd processes = 0
        name cache timeout = 660
        socket options = TCP_NODELAY
        use mmap = Yes
        get quota command =
        host msdfs = Yes
        set quota command =
        create krb5 conf = Yes
        idmap backend = tdb
        idmap cache time = 604800
        idmap gid =
        idmap negative cache time = 120
        idmap uid =
        include system krb5 conf = Yes
        neutralize nt4 emulation = No
        reject md5 servers = No
        require strong key = Yes
        template homedir = /home/%D-%U
        template shell = /bin/bash
        winbind cache time = 300
        winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
        winbindd socket directory = /var/run/samba/winbindd
        winbind enum groups = No
        winbind enum users = No
        winbind expand groups = 0
        winbind max clients = 200
        winbind max domain connections = 1
        winbind nested groups = Yes
        winbind normalize names = No
        winbind nss info = template
        winbind offline logon = No
        winbind reconnect delay = 30
        winbind refresh tickets = No
        winbind request timeout = 60
        winbind rpc only = No
        winbind sealed pipes = Yes
        winbind separator = +
        winbind trusted domains only = No
        winbind use default domain = No
        dns proxy = Yes
        wins hook =
        wins proxy = No
        wins server =
        wins support = Yes
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        acl:search = no
        spoolss: architecture = Windows x64
        idmap config * : range = 300000-400000
        kccsrv:samba_kcc = False
        dsdb:schema update allowed = no
        nmbd_proxy_logon:cldap_server = 127.0.0.1
        server role check:inhibit = yes
        idmap config * : backend = tdb
        comment =
        path =
        administrative share = No
        browseable = Yes
        case sensitive = Auto
        default case = lower
        delete veto files = No
        hide dot files = Yes
        hide files =
        hide special files = No
        hide unreadable = No
        hide unwriteable files = No
        mangled names = Yes
        mangling char = ~
        map archive = No
        map hidden = No
        map readonly = no
        map system = No
        preserve case = Yes
        short preserve case = Yes
        store dos attributes = Yes
        veto files =
        veto oplock files =
        blocking locks = Yes
        csc policy = manual
        fake oplocks = No
        kernel oplocks = Yes
        kernel share modes = Yes
        level2 oplocks = Yes
        locking = Yes
        oplock contention limit = 2
        oplocks = Yes
        posix locking = Yes
        strict locking = Auto
        acl xattr update mtime = No
        afs share = No
        available = Yes
        copy =
        delete readonly = No
        dfree cache time = 0
        dfree command =
        directory name cache size = 100
        dmapi support = No
        dont descend =
        dos filemode = No
        dos filetime resolution = No
        dos filetimes = Yes
        fake directory create times = No
        follow symlinks = Yes
        fstype = NTFS
        include = /etc/samba/base.conf
        magic output =
        magic script =
        postexec =
        preexec =
        preexec close = No
        root postexec =
        root preexec =
        root preexec close = No
        spotlight = No
        volume =
        wide links = No
        cups options =
        default devmode = Yes
        force printername = No
        lppause command =
        lpq command = %p
        lpresume command =
        lprm command =
        max print jobs = 1000
        max reported print jobs = 0
        printable = No
        print command =
        printer name =
        printing = cups
        printjob username = %U
        print notify backchannel = No
        queuepause command =
        queueresume command =
        use client driver = No
        acl allow execute always = Yes
        acl check permissions = Yes
        acl map full control = Yes
        durable handles = Yes
        ea support = No
        map acl inherit = No
        nt acl support = Yes
        profile acls = No
        access based share enum = No
        acl group control = No
        admin users = administrator join-backup
        create mask = 0744
        directory mask = 0755
        force create mode = 0000
        force directory mode = 0000
        force group =
        force unknown acl user = No
        force user =
        guest ok = No
        guest only = No
        hosts allow =
        hosts deny =
        inherit acls = No
        inherit owner = no
        inherit permissions = No
        invalid users =
        read list =
        read only = Yes
        smb encrypt = default
        valid users =
        write list =
        aio read size = 0
        aio write behind =
        aio write size = 0
        allocation roundup size = 1048576
        block size = 1024
        max connections = 0
        min print space = 0
        strict allocate = No
        strict rename = No
        strict sync = No
        sync always = No
        use sendfile = No
        write cache size = 0
        msdfs proxy =
        msdfs root = No
        msdfs shuffle referrals = No
        ntvfs handler = unixuid, default
        vfs objects = dfs_samba4 acl_xattr


[netlogon]
        comment = Domain logon service
        path = /var/lib/samba/sysvol/thhoe.lan/scripts
        case sensitive = No
        read only = No


[sysvol]
        path = /var/lib/samba/sysvol
        case sensitive = No
        acl xattr update mtime = Yes
        read only = No


[homes]
        comment = Heimatverzeichnisse
        browseable = No
        create mask = 0700
        directory mask = 0700
        read only = No
        vfs objects = acl_xattr


[printers]
        comment = Drucker
        path = /tmp
        browseable = No
        printable = Yes
        create mask = 0700


[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        read only = No
        write list = root Administrator @Printer-Admins
root@thhoe108:~#

There is one DC backup, thhoe105.

Thomas


#10

Hello,

have the join scripts run through now?
-> univention-check-join-status

Can you log in to Samba (Kerberos) with the machine account?
-> kinit --password-file=/etc/machine.secret $(hostname)$

This error is thrown when the following test fails. What is the output of:
-> ldbsearch -H tdb:///var/lib/samba/private/sam.ldb -b DC=thhoe,DC=lan -s base dn

Best regards,
Felix