Windows file server login not possible after UCS update to 4.3

windows
ucs-4-3

#1

Hello,

yesterday I updated a UCS 4.2 to 4.3 and since then shares on a Windows Server 2012R2, which acts as AD client, are not accessible anymore.
Event ID 4625 appears in the event log:

Fehler beim Anmelden eines Kontos.

Antragsteller:
	Sicherheits-ID:		NULL SID
	Kontoname:		-
	Kontodomäne:		-
	Anmelde-ID:		0x0

Anmeldetyp:			3

Konto, für das die Anmeldung fehlgeschlagen ist:
	Sicherheits-ID:		NULL SID
	Kontoname:		user
	Kontodomäne:		domain

Fehlerinformationen:
	Fehlerursache:		Bei der Anmeldung ist ein Fehler aufgetreten.
	Status:			0xC000005E (<--- means no logon servers available)
	Unterstatus::		0x0

I removed the server from the domain once and added it again, which works without problems, but SMB is still not available.

Any (quick) help is welcome and many thanks in advance.

Greetings, Christian.


#2

I have a similar problem.
The Windows machine can no longer be reached in Explorer via \\192.168.0.x, and neither can the corresponding share. With ping, nslookup and tracert everything is OK. By chance, however, I noticed that access via the name (\\Servername) works. But that cannot be the solution.


#3

moving the topic upwards, maybe one of Univention’s employees will look at it :slight_smile:


#4

Hi,

English is generally preferred here, so the answer is in English. If that does not work for you, let me know.

Is your UCS Server a virtual machine? Or does it provide virtualisation with the UVMM App?

It sounds indeed weird, being reachable by ping etc. but the shares only by name. So what does your client say about nslookup <servername>?
Go on the UCS-command line and check the output of the following commands:

ip a
netstat -anp| egrep "samba|smb"

Further steps then as needed.


#5

The UCS is virtualized on a VMware infrastructure, as well as the Windows 2k12R2 active directory client.

nslookup prints the correct output for the UCS.

Server:   master.fqdn
Address:  192.168.209.9

Name:     master.fqdn
Address:  192.168.209.9

root@master:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:20:3f:08 brd ff:ff:ff:ff:ff:ff
    inet 192.168.209.9/24 brd 192.168.209.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe20:3f08/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:8f:b0:7d:eb brd ff:ff:ff:ff:ff:ff
    inet 172.17.42.1/16 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:8fff:feb0:7deb/64 scope link 
       valid_lft forever preferred_lft forever
7: veth44a1a6b@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether a2:e3:aa:60:3e:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::a0e3:aaff:fe60:3e03/64 scope link 
       valid_lft forever preferred_lft forever
root@master:~# netstat -anp| egrep "samba|smb"
tcp        0      0 192.168.209.9:88        0.0.0.0:*               LISTEN      1840/samba          
tcp        0      0 127.0.0.1:88            0.0.0.0:*               LISTEN      1840/samba          
tcp        0      0 192.168.209.9:636       0.0.0.0:*               LISTEN      1837/samba          
tcp        0      0 127.0.0.1:636           0.0.0.0:*               LISTEN      1837/samba          
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      1839/smbd           
tcp        0      0 192.168.209.9:445       0.0.0.0:*               LISTEN      1839/smbd           
tcp        0      0 192.168.209.9:49152     0.0.0.0:*               LISTEN      1834/samba          
tcp        0      0 127.0.0.1:49152         0.0.0.0:*               LISTEN      1834/samba          
tcp        0      0 192.168.209.9:49153     0.0.0.0:*               LISTEN      1834/samba          
tcp        0      0 127.0.0.1:49153         0.0.0.0:*               LISTEN      1834/samba          
tcp        0      0 192.168.209.9:49154     0.0.0.0:*               LISTEN      1834/samba          
tcp        0      0 127.0.0.1:49154         0.0.0.0:*               LISTEN      1834/samba          
tcp        0      0 192.168.209.9:3268      0.0.0.0:*               LISTEN      1837/samba          
tcp        0      0 127.0.0.1:3268          0.0.0.0:*               LISTEN      1837/samba          
tcp        0      0 192.168.209.9:3269      0.0.0.0:*               LISTEN      1837/samba          
tcp        0      0 192.168.209.9:389       0.0.0.0:*               LISTEN      1837/samba          
tcp        0      0 127.0.0.1:3269          0.0.0.0:*               LISTEN      1837/samba          
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN      1837/samba          
tcp        0      0 192.168.209.9:135       0.0.0.0:*               LISTEN      1834/samba          
tcp        0      0 127.0.0.1:135           0.0.0.0:*               LISTEN      1834/samba          
tcp        0      0 192.168.209.9:42        0.0.0.0:*               LISTEN      1835/samba          
tcp        0      0 127.0.0.1:42            0.0.0.0:*               LISTEN      1835/samba          
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      1839/smbd           
tcp        0      0 192.168.209.9:139       0.0.0.0:*               LISTEN      1839/smbd           
tcp        0      0 192.168.209.9:464       0.0.0.0:*               LISTEN      1840/samba          
tcp        0      0 127.0.0.1:464           0.0.0.0:*               LISTEN      1840/samba          
tcp6       0      0 ::1:88                  :::*                    LISTEN      1840/samba          
tcp6       0      0 ::1:636                 :::*                    LISTEN      1837/samba          
tcp6       0      0 ::1:445                 :::*                    LISTEN      1839/smbd           
tcp6       0      0 ::1:49152               :::*                    LISTEN      1834/samba          
tcp6       0      0 ::1:49153               :::*                    LISTEN      1834/samba          
tcp6       0      0 ::1:49154               :::*                    LISTEN      1834/samba          
tcp6       0      0 ::1:3268                :::*                    LISTEN      1837/samba          
tcp6       0      0 ::1:3269                :::*                    LISTEN      1837/samba          
tcp6       0      0 ::1:389                 :::*                    LISTEN      1837/samba          
tcp6       0      0 ::1:135                 :::*                    LISTEN      1834/samba          
tcp6       0      0 ::1:139                 :::*                    LISTEN      1839/smbd           
tcp6       0      0 ::1:464                 :::*                    LISTEN      1840/samba          
udp        0      0 192.168.209.9:389       0.0.0.0:*                           1838/samba          
udp        0      0 127.0.0.1:389           0.0.0.0:*                           1838/samba          
udp        0      0 192.168.209.9:464       0.0.0.0:*                           1840/samba          
udp        0      0 127.0.0.1:464           0.0.0.0:*                           1840/samba          
udp        0      0 192.168.209.9:88        0.0.0.0:*                           1840/samba          
udp        0      0 127.0.0.1:88            0.0.0.0:*                           1840/samba          
udp6       0      0 ::1:389                 :::*                                1838/samba          
udp6       0      0 ::1:464                 :::*                                1840/samba          
udp6       0      0 ::1:88                  :::*                                1840/samba          
unix  2      [ ACC ]     STREAM     HÖRT         26633    1834/samba           /var/run/samba/ncalrpc/np/lsass
unix  2      [ ACC ]     STREAM     HÖRT         26635    1834/samba           /var/run/samba/ncalrpc/np/lsarpc
unix  2      [ ]         DGRAM                    820659   30317/winbindd       /var/lib/samba/private/msg.sock/30317
unix  2      [ ACC ]     STREAM     HÖRT         26649    1834/samba           /var/run/samba/ncalrpc/np/netlogon
unix  2      [ ACC ]     STREAM     HÖRT         26651    1834/samba           /var/run/samba/ncalrpc/np/samr
unix  2      [ ]         DGRAM                    26217    1844/samba           /var/lib/samba/private/msg.sock/1844
unix  2      [ ACC ]     STREAM     HÖRT         26653    1834/samba           /var/run/samba/ncalrpc/np/rpcecho
unix  2      [ ACC ]     STREAM     HÖRT         26655    1834/samba           /var/run/samba/ncalrpc/DEFAULT
unix  2      [ ACC ]     STREAM     HÖRT         26667    1834/samba           /var/run/samba/ncalrpc/np/wkssvc
unix  2      [ ACC ]     STREAM     HÖRT         26669    1834/samba           /var/run/samba/ncalrpc/EPMAPPER
unix  2      [ ACC ]     STREAM     HÖRT         26681    1834/samba           /var/run/samba/ncalrpc/np/epmapper
unix  2      [ ]         DGRAM                    26143    1834/samba           /var/lib/samba/private/msg.sock/1834
unix  2      [ ]         DGRAM                    26189    1835/samba           /var/lib/samba/private/msg.sock/1835
unix  2      [ ]         DGRAM                    25449    1837/samba           /var/lib/samba/private/msg.sock/1837
unix  2      [ ACC ]     STREAM     HÖRT         26212    1843/samba           /var/lib/samba/ntp_signd/socket
unix  2      [ ]         DGRAM                    432257   7570/smbd            /var/lib/samba/private/msg.sock/7570
unix  2      [ ]         DGRAM                    25435    1592/samba           /var/lib/samba/private/msg.sock/1592
unix  2      [ ]         DGRAM                    27139    1878/smbd            /var/lib/samba/private/msg.sock/1878
unix  2      [ ]         DGRAM                    27054    1874/winbindd        /var/lib/samba/private/msg.sock/1874
unix  2      [ ]         DGRAM                    26133    1833/samba           /var/lib/samba/private/msg.sock/1833
unix  2      [ ]         DGRAM                    23714    1584/nmbd            /var/lib/samba/private/msg.sock/1584
unix  2      [ ]         DGRAM                    25516    1845/samba           /var/lib/samba/private/msg.sock/1845
unix  2      [ ]         DGRAM                    26486    1847/winbindd        /var/lib/samba/private/msg.sock/1847
unix  2      [ ]         DGRAM                    26510    1839/smbd            /var/lib/samba/private/msg.sock/1839
unix  2      [ ]         DGRAM                    23720    1583/nmbd            /var/lib/samba/private/msg.sock/1583
unix  2      [ ]         DGRAM                    27865    1998/smbd            /var/lib/samba/private/msg.sock/1998
unix  2      [ ACC ]     STREAM     HÖRT         27020    1847/winbindd        /var/run/samba/winbindd/pipe
unix  2      [ ]         DGRAM                    433797   7714/samba           /var/lib/samba/private/msg.sock/7714
unix  2      [ ACC ]     STREAM     HÖRT         26533    1837/samba           /var/lib/samba/private/ldapi
unix  2      [ ]         DGRAM                    820653   30316/winbindd       /var/lib/samba/private/msg.sock/30316
unix  2      [ ACC ]     STREAM     HÖRT         23743    1583/nmbd            /var/run/samba/nmbd/unexpected
unix  2      [ ]         DGRAM                    25450    1838/samba           /var/lib/samba/private/msg.sock/1838
unix  2      [ ]         DGRAM                    26199    1840/samba           /var/lib/samba/private/msg.sock/1840
unix  2      [ ]         DGRAM                    25463    1841/samba           /var/lib/samba/private/msg.sock/1841
unix  2      [ ]         DGRAM                    25464    1842/samba           /var/lib/samba/private/msg.sock/1842
unix  2      [ ACC ]     STREAM     HÖRT         26534    1837/samba           /var/lib/samba/private/ldap_priv/ldapi
unix  2      [ ACC ]     STREAM     HÖRT         27022    1847/winbindd        /var/lib/samba/winbindd_privileged/pipe
unix  2      [ ]         DGRAM                    26211    1843/samba           /var/lib/samba/private/msg.sock/1843
unix  2      [ ACC ]     STREAM     HÖRT         25587    1834/samba           /var/run/samba/ncalrpc/np/dnsserver
unix  2      [ ACC ]     STREAM     HÖRT         25589    1834/samba           /var/run/samba/ncalrpc/np/ntsvcs
unix  2      [ ACC ]     STREAM     HÖRT         25591    1834/samba           /var/run/samba/ncalrpc/np/browser
unix  2      [ ACC ]     STREAM     HÖRT         25593    1834/samba           /var/run/samba/ncalrpc/np/unixinfo
unix  2      [ ACC ]     STREAM     HÖRT         25595    1834/samba           /var/run/samba/ncalrpc/np/protected_storage
unix  3      [ ]         STREAM     VERBUNDEN     25469    1842/samba           
unix  3      [ ]         STREAM     VERBUNDEN     26139    1836/samba           
unix  3      [ ]         STREAM     VERBUNDEN     432690   7714/samba           /var/lib/samba/private/ldap_priv/ldapi
unix  3      [ ]         STREAM     VERBUNDEN     26138    1833/samba           
unix  3      [ ]         STREAM     VERBUNDEN     25470    1846/samba

#6

Just to make sure:
You are on a Windows client (which is joined to the UCS domain) and you are trying to access a share which is configured on a Windows 2012 server?
Or are you trying to access an UCS share from your win 2012?

Are these original values or did you hide some parts here?

When you try to access are there any strange things logged at the same time in /var/log/samba? Verify the time frame to find entries.

/KNEBB


#7

@JensB I doubt it is related to the original topic.

You can access the share by name, but not by IP. This points to some sort of name resolution or IP configuration. In case this is still valid, I would suggest to create a new topic so we do not get confused here.

Thanks!

/KNEBB


#8

I try to access shares on the Windows 2k12R2 server from any possible client outside the domain.
SMB from linux to Windows fails. Same with Windows 7 clients.

The values you mentioned are copied from the eventlog on the W2k12R2 server without modification.

Nothing is logged in any log-file within /var/log/samba/.

I can access the share if I use a local user of this server, but not with any domain-user.
After a timeout, I get this error-message:


#9

no more ideas, @knebb? :frowning:


#10

Same problem here :confused:
Physical server cannot access virtual server by IP address

Both servers are members of a domain that is a VM Univention machine


#11

Sorry, currently no idea. I assume there is no firewall in-between anywhere?

Another question which came into my mind:

Is it at all valid to access Windows-Servers from a machine which is not part of the AD-Domain? I am not sure about this… you might be right it SHOULD work…but…

On the UCS, samba4 is installed and running?

/KNEBB


#12

Sooo, @codedmind and @JensB can access their shares via the DNS hostname/FQDN of the server but not via the IP.
@onex: Your screenshot also shows only the IP of the server. Did you try to connect via the DNS hostname/FQDN? I’m asking, because accessing via DNS hostname/FQDN is done via Kerberos authentication (at least Kerberos is preferred) while accessing via IP address has to use NTLM for authentication (because Kerberos requires a working DNS resolution). So it might actually be that NTLM has some problem, while Kerberos does not (see also https://help.univention.com/t/8373/).
Of course, that’s not a solution, but it might get us closer to the actual problem.
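
One way to test the NTLM-versus-Kerberos hypothesis from post #12 against the 4625 events from post #1, as an added example that is not part of the thread: group the failed logons by authentication package and status. It assumes the events were exported as XML (for example with `wevtutil qe Security /f:xml`); the sample events and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# 0xC000005E is the status quoted in post #1 (no logon servers available).
STATUS_NAMES = {"0xc000005e": "STATUS_NO_LOGON_SERVERS",
                "0xc000006d": "STATUS_LOGON_FAILURE"}

def _event(event_id, user, status, package):
    """Build one constructed <Event> element for the sample below."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="TargetDomainName">domain</Data>'
            f'<Data Name="Status">{status}</Data>'
            f'<Data Name="LogonType">3</Data>'
            f'<Data Name="AuthenticationPackageName">{package}</Data>'
            f'</EventData></Event>')

# Constructed sample: two failed network logons and one successful logon.
SAMPLE = (_event(4625, "user", "0xc000005e", "NTLM")
          + _event(4625, "user2", "0xC000005E", "NTLM")
          + _event(4624, "user", "0x0", "Kerberos"))

def parse_failures(xml_text):
    """Return one dict per 4625 event in a run of concatenated <Event> elements."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    rows = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue  # only failed logons are of interest
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        status = data.get("Status", "").lower()
        rows.append({
            "user": data.get("TargetDomainName", "") + "\\" + data.get("TargetUserName", ""),
            "logon_type": data.get("LogonType"),
            "package": data.get("AuthenticationPackageName", "-"),
            "status": STATUS_NAMES.get(status, status),
        })
    return rows

def summarize(rows):
    """Count failures per (authentication package, status) pair."""
    return Counter((r["package"], r["status"]) for r in rows)

def no_logon_server_packages(rows):
    """Authentication packages seen on failures with STATUS_NO_LOGON_SERVERS."""
    return {r["package"] for r in rows if r["status"] == "STATUS_NO_LOGON_SERVERS"}

if __name__ == "__main__":
    failures = parse_failures(SAMPLE)
    for key, count in summarize(failures).items():
        print(key, count)
    print("packages failing with no logon servers:", no_logon_server_packages(failures))
```

If the resulting set contains only NTLM, the failures fit the pattern post #12 describes; Kerberos entries in the set would point elsewhere.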


#13

@Grandjean I think this is a big issue. I’m having troubles with shares and RDP connections, everything is very slow…


#14

@Grandjean, doesn’t work with FQDN, either.


#15

I have restored the backup of UCS 4.2-3. On it, the UCR variable samba/ntlm/auth on the DC master is empty.
The problem occurred when connecting from a Windows PC to a Windows share.


#16

Just to be more clear…

I have 3 servers:
1 - Univention server (VM) as DC
1 - Windows Server 2016 (VM) as member
1 - Windows Server 2008 as member

I’m having issues between the Windows servers: I cannot access the 2016 server shares from 2008 using the IP address, only the name.

I’m having issues when connecting from any computer via Remote Desktop to Windows Server 2016 (sometimes it doesn’t connect, other times it takes too long); I don’t have issues when connecting to 2008


#17

There have been some changes in Samba 4.7 regarding smb/smbclient/ntlm:
https://wiki.samba.org/index.php/Samba_4.7_Features_added/changed#smbclient_changes
https://wiki.samba.org/index.php/Samba_4.7_Features_added/changed#smb.conf_changes

Which smb protocol version do the shares use (powershell command Get-SmbConnection)?


#18

no output on this command :frowning:


#19

Hello,

is there a solution to this problem yet?
:roll_eyes:


#20

@klausz I’m nothing :confused:
Every day I only find more problems…