Issues with QAS when moving from Samba 3.0 to Samba 3.6

I wonder if anyone can help me with some problems that I've been having with QAS since I upgraded my version of Samba.  

I've been using QAS 3.5 on Oracle Linux 5 (RHEL 5 based) and Samba 3.0 since about 2011 with no issues, but we recently needed a feature in Samba 3.3 or above (we chose 3.6.6 as it was in the OEL repo), and since upgrading, QAS has failed to work, even when updating to the latest Identity Manager (quest-vasidmap-1.2.4-1) as required.

When running; 

/opt/quest/sbin/vas-samba-config

I get the following (server names have been obfuscated);

Checking for Kerberos 5...
Checking VAS...
Checking /etc/krb5.conf...
running vastool info toconf...
Discovered server: server1.domain.local in Domain domain.local
Discovered server: server2.domain.local in Domain domain.local
Discovered server: server3.domain.local in Domain domain.local
Adding realms configuration for Domain: domain.local
Successfully created realms configuration in file: /tmp/fix3671.tmp.new
updated /etc/krb5.conf, saved backup at /etc/krb5.conf.20140623.3671
Stopping services...
Stopping vasidmapd service: already stopped [ OK ]

Shutting down Winbind services: [ OK ]
/etc/samba/smb.conf: no change required
/etc/opt/quest/vas/vas.conf: no changes required
Renewing the computer account password...
Modified trust account password in secrets database
Testing Samba is joined to Active Directory...
+ /usr/bin/net -s /etc/samba/smb.conf ads testjoin
kerberos_kinit_password hostserver$@STC.LOCAL failed: Preauthentication failed
kerberos_kinit_password hostserver$@STC.LOCAL failed: Preauthentication failed
Join to domain is not valid: Logon failure
ERROR: Samba not joined: 'net ads testjoin' failed

I get the following in the logs;

[2014/06/23 20:38:50.552265, 0] passdb/secrets.c:350(fetch_ldap_pw)
fetch_ldap_pw: neither ldap secret retrieved!
[2014/06/23 20:38:50.552439, 0] lib/smbldap.c:1225(smbldap_connect_system)
failed to bind to server ldap://localhost/ with dn="[Anonymous bind]" Error: Can't contact LDAP server
(unknown)

[2014/06/23 20:39:19.852871, 0] winbindd/winbindd.c:240(winbindd_sig_term_handler)
Got sig[15] terminate (is_parent=1)

Running net ads join works correctly;

Join is OK

But the winbind/RPC fails;

Unable to find a suitable server for domain STC
Join to domain 'STC' is not valid: NT_STATUS_UNSUCCESSFUL

Can anyone point me in the right direction of what could be wrong?  Any help appreciated.

Thanks

John

  • Is it the

    $ net rpc testjoin

    that is failing?

  • Jayson

    That's correct, the output of net rpc testjoin is;

    Unable to find a suitable server for domain STC
    Join to domain 'STC' is not valid: NT_STATUS_UNSUCCESSFUL

    Regards

    John

  • Try setting this in the global section of your smb.conf:

    wins server = <ipaddress of a DC in your AD site>

    You can get a DC by running:

    $ /opt/quest/bin/vastool info servers

    That will list the servers that QAS knows about. Just pick one of those and use its IP address for the wins server setting.

    Is the net rpc testjoin the only thing that is failing or is that just something you are noticing?

  • So I've added the wins server, and the following seems to work when running /opt/quest/sbin/vas-samba-config;

    Stopping services...
    Stopping vasidmapd service: already stopped [  OK  ]

    Shutting down Winbind services:   [  OK  ]
    /etc/samba/smb.conf: no change required
    /etc/opt/quest/vas/vas.conf: no changes required
    Renewing the computer account password...
    Modified trust account password in secrets database
    Testing Samba is joined to Active Directory...
    + /usr/bin/net -s /etc/samba/smb.conf ads testjoin
    Join is OK
    Restarting services....
    Starting vasidmapd service:  [  OK  ]
    Starting Winbind services:   [  OK  ]

    Summary:

    Samba server:          /usr/sbin/smbd      
    Samba config:          /etc/samba/smb.conf      
    VAS config:            /etc/opt/quest/vas/vas.conf      
    winbind present:       yes

    smb.conf updated:      not needed      
    vas.conf updated:      not needed      
    krb5.conf updated:     yes      
    Host key reset         yes

    vasidmapd (re)started: yes      
    samba (re)started:     yes      
    winbind (re)started:   yes

    But running net rpc testjoin still fails;

    Unable to find a suitable server for domain STC
    Join to domain 'STC' is not valid: NT_STATUS_UNSUCCESSFUL

    Ultimately, I need to get the winbind part working more than anything as I'm trying to get a Squid implementation running with NTLM authentication and the winbind part needs to work... Now I appear to get the following in the nmb log;

    [2014/06/24 21:29:10,  0] nmbd/nmbd_browsesync.c:351(find_domain_master_name_query_fail)
      find_domain_master_name_query_fail:
      Unable to find the Domain Master Browser name DOM<1b> for the workgroup DOM.
      Unable to sync browse lists in this workgroup.

    Where DOM is our domain, and the vasidmap log shows the following;

    [2014/06/24 21:16:27.129859,  0] lib/smbldap.c:1225(smbldap_connect_system)
      failed to bind to server ldap://localhost/ with dn="[Anonymous bind]" Error: Can't contact LDAP server

  • Can you post the output of $ testparm? Just the global section will be fine.