I'm still trying to learn and understand how to properly maintain a Samba domain controller.
The problem:
I had a working Samba AD installation, but now, just a month after the last time a computer was joined to the domain, it no longer works. On Windows it says "unknown user or wrong password", but I have verified that they are correct.
I tried setting the log level to 3 in "smb.conf", and while attempting to join a computer this gets logged
Code:
[2022/10/04 12:11:58.018256, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ admuser@example.net from ipv4:172.27.2.58:50124 for krbtgt/example.net@example.net
[2022/10/04 12:11:58.039839, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: 128
[2022/10/04 12:11:58.040080, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- admuser@example.net
[2022/10/04 12:11:58.040191, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- admuser@example.net
[2022/10/04 12:11:58.040341, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- admuser@example.net
[2022/10/04 12:11:58.043598, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/04 12:11:58.054880, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ admuser@example.net from ipv4:172.27.2.58:50125 for krbtgt/example.net@example.net
[2022/10/04 12:11:58.076255, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 128
[2022/10/04 12:11:58.076483, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- admuser@example.net
[2022/10/04 12:11:58.076587, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- admuser@example.net
[2022/10/04 12:11:58.077527, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded -- admuser@example.net using aes256-cts-hmac-sha1-96
[2022/10/04 12:11:58.077840, 3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[admuser@example.net] at [Tue, 04 Oct 2022 12:11:58.077747 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.27.2.58:50125] became [EXAMPLE]\[admuser] [S-1-5-21-578677625-3635414378-1858279571-1104]. local host [NULL]
{"timestamp": "2022-10-04T12:11:58.086113+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "c61be2b0d84a3e12", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:172.27.2.58:50125", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "admuser@example.net", "workstation": null, "becameAccount": "admuser", "becameDomain": "EXAMPLE", "becameSid": "S-1-5-21-578677625-3635414378-1858279571-1104", "mappedAccount": "admuser", "mappedDomain": "EXAMPLE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 31663}}
[2022/10/04 12:11:58.160727, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2022-10-04T12:11:58 starttime: unset endtime: 2022-10-04T22:11:58 renew till: 2022-10-11T12:11:58
[2022/10/04 12:11:58.161033, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/10/04 12:11:58.161206, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
[2022/10/04 12:11:58.165799, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/04 12:11:58.178036, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to verify authenticator checksum: Decrypt integrity check failed for checksum type rsa-md5, key type aes256-cts-hmac-sha1-96
[2022/10/04 12:11:58.178282, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.58:50126
As you can see, authentication here is marked as successful. So far it's the same problem found here, so I tried the following commands:
Code:
root@SMBDC1:~# host -t SRV _ldap._tcp.example.net
_ldap._tcp.example.net has SRV record 0 100 389 smbdc1.example.net.
root@SMBDC1:~# host -t SRV _kerebros._udp.example.net
Host _kerebros._udp.example.net not found: 3(NXDOMAIN)
root@SMBDC1:~# host -t A focal.exapmle.net
Host focal.example.net not found: 3(NXDOMAIN)
Initially it was working, but now it says "Host not found"... what could have changed?
My configuration
Code:
router: 172.27.0.1
smbdc: 172.27.1.1
dns: 172.27.1.2
dhcp range: 172.27.2.2 - 172.27.2.254
Samba runs on an Orange Pi Zero and I connect to it through PuTTY and FileZilla
I route communication between the xxx.xxx.0.xxx, xxx.xxx.1.xxx and xxx.xxx.2.xxx IP ranges and set the network mask to 255.255.0.0
Code:
OS: Armbian 22.05.3 Focal with Linux 5.15.48-sunxi
SAMBA: Samba version 4.13.17-Ubuntu
Code:
# Global parameters
[global]
dns forwarder = 172.27.1.2
netbios name = SMBDC1
realm = EXAMPLE.NET
server role = active directory domain controller
workgroup = EXAMPLE
idmap_ldb:use rfc2307 = yes
host msdfs = yes
log level = 3
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/frankini.net/scripts
read only = No
I think I understand that the DNS records for focal.exapmle.net and _kerebros._udp.example.net are no longer set, so:
1) What are they for? Kerberos, I believe, is the part that bridges Linux Samba and Windows, right?
2) Are they local DNS records on the Samba machine?
3) Can I add them back to the DNS records somehow?
Thanks in advance
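An added example (not code from the post or from the Samba project) for checking a DC's service records the way the `host` commands above do it by hand: it builds the core set of SRV and A records that domain join and Kerberos logon resolve, parses `host` output pasted from the post, lists what is missing, flags queried names that no DC publishes at all, and prints `samba-tool dns add` commands for the gaps. The realm, DC name and IP are taken from the post; the `host` output embedded below is constructed from its lines; the record list is the core subset of what `samba_dnsupdate --all-names` maintains (site-specific and GUID-based names are omitted).

```python
#!/usr/bin/env python3
"""Compare the DNS records a Samba AD DC's clients rely on with what
`host` actually returns, and emit samba-tool commands for the missing ones.

Added illustration, not code from the post or from Samba. CORE_SRV is a
subset of the names samba_dnsupdate creates; realm, DC name and IP are the
post's; SAMPLE_HOST_OUTPUT is constructed from the post's `host` lines.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Rec:
    name: str   # owner name, lower-case, no trailing dot
    rtype: str  # "A" or "SRV"
    data: str   # "172.27.1.1" or "prio weight port target."


# SRV names (relative to the realm) that join / Kerberos logon look up,
# with the port each one must advertise. Subset of samba_dnsupdate's list.
CORE_SRV = {
    "_ldap._tcp": 389,
    "_ldap._tcp.dc._msdcs": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos._tcp.dc._msdcs": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
    "_gc._tcp": 3268,
}


def expected_records(realm: str, dc_host: str, dc_ip: str) -> set[Rec]:
    """The A record of the DC plus one SRV per CORE_SRV entry, priority 0 weight 100."""
    realm = realm.lower().rstrip(".")
    fqdn = f"{dc_host.lower()}.{realm}"
    recs = {Rec(fqdn, "A", dc_ip)}
    for prefix, port in CORE_SRV.items():
        recs.add(Rec(f"{prefix}.{realm}", "SRV", f"0 100 {port} {fqdn}."))
    return recs


_SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+)$")
_A_RE = re.compile(r"^(\S+) has address (\S+)$")
_NX_RE = re.compile(r"^Host (\S+) not found: 3\(NXDOMAIN\)$")


def parse_host_output(text: str) -> tuple[set[Rec], set[str]]:
    """Turn `host -t SRV` / `host -t A` output into (records found, NXDOMAIN names)."""
    found, nxdomain = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if m := _SRV_RE.match(line):
            name, prio, weight, port, target = m.groups()
            found.add(Rec(name.lower(), "SRV", f"{prio} {weight} {port} {target.lower()}"))
        elif m := _A_RE.match(line):
            found.add(Rec(m.group(1).lower(), "A", m.group(2)))
        elif m := _NX_RE.match(line):
            nxdomain.add(m.group(1).lower())
    return found, nxdomain


def missing_records(expected: set[Rec], found: set[Rec]) -> list[Rec]:
    return sorted(expected - found)


def unknown_names(nxdomain: set[str], expected: set[Rec]) -> list[str]:
    """Queried names that no DC publishes: usually a typo in the query, not a lost record."""
    published = {r.name for r in expected}
    return sorted(n for n in nxdomain if n not in published)


def repair_commands(missing: list[Rec], realm: str, dns_server: str) -> list[str]:
    """samba-tool dns add lines; SRV data order for samba-tool is 'target port prio weight'."""
    zone = realm.lower().rstrip(".")
    cmds = []
    for r in missing:
        rel = r.name[: -len(zone) - 1] if r.name.endswith("." + zone) else r.name
        if r.rtype == "A":
            cmds.append(f"samba-tool dns add {dns_server} {zone} {rel} A {r.data}")
        else:
            prio, weight, port, target = r.data.split()
            cmds.append(f'samba-tool dns add {dns_server} {zone} {rel} SRV '
                        f'"{target.rstrip(".")} {port} {prio} {weight}"')
    return cmds


# Constructed from the `host` lines in the post (including its misspelled query).
SAMPLE_HOST_OUTPUT = """\
_ldap._tcp.example.net has SRV record 0 100 389 smbdc1.example.net.
Host _kerebros._udp.example.net not found: 3(NXDOMAIN)
Host focal.example.net not found: 3(NXDOMAIN)
"""

if __name__ == "__main__":
    exp = expected_records("EXAMPLE.NET", "smbdc1", "172.27.1.1")
    found, nx = parse_host_output(SAMPLE_HOST_OUTPUT)
    for name in unknown_names(nx, exp):
        print(f"# {name}: not a name a DC publishes, check the query spelling")
    for cmd in repair_commands(missing_records(exp, found), "example.net", "smbdc1.example.net"):
        print(cmd)
```

Run it on the real `host` output instead of the constructed sample to get the actual gap list; on a DC, `samba_dnsupdate --verbose --all-names` recreates the full record set (including the site and GUID names this subset leaves out), so the printed `samba-tool dns add` lines are mainly useful for seeing exactly which names are absent and for fixing one at a time.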