
[Samba] net ads info: failed to get server's current time


Guy-Laurent Subri

Oct 21, 2015, 1:40:04 PM
Hi all,
We're having issues with Samba at work. I've searched a bit and the only
thing that has caught my eye is this: when I run the 'net ads info'
command on our DC --we have a Debian on which samba4 is installed and
configured as an AD DC-- I have the message "Failed to get server's
current time!", and "Server time: Thu, 01 Jan 1970 01:00:00 CET".

The thing is that if I run the 'date' command, it gives me the correct
date and time. I've checked ntpd and it looks alright too.

I've tried running 'net time set -S ipOfTheDC' thinking it would maybe
set the time correctly with the output of the 'date' command but it
didn't.

Also, but I think this is a known issue, if I run 'net time' I have a
segfault.

Does anybody have an idea of what is going on? I'm pretty sure
something's wrong here, but I may be wrong too...

Thanks

Guy-Laurent


Rowland Penny

Oct 21, 2015, 2:10:04 PM
On 21/10/15 18:35, Guy-Laurent Subri wrote:
> Hi all,
> We're having issues with Samba at work. I've searched a bit and the only
> thing that has caught my eye is this: when I run the 'net ads info'
> command on our DC --we have a Debian on which samba4 is installed and
> configured as an AD DC-- I have the message "Failed to get server's
> current time!", and "Server time: Thu, 01 Jan 1970 01:00:00 CET".

It works for me on a Debian 4.1.17 DC, so you may have something
misconfigured. Have you altered the smb.conf in any way? Do you have
ntp installed and configured correctly?

Rowland

Guy-Laurent Subri

Oct 22, 2015, 5:00:05 PM
On Wed, Oct 21, 2015 at 07:06:33PM +0100, Rowland Penny wrote:
>On 21/10/15 18:35, Guy-Laurent Subri wrote:
>> Hi all,
>> We're having issues with Samba at work. I've searched a bit and the only
>> thing that has caught my eye is this: when I run the 'net ads info'
>> command on our DC --we have a Debian on which samba4 is installed and
>> configured as an AD DC-- I have the message "Failed to get server's
>> current time!", and "Server time: Thu, 01 Jan 1970 01:00:00 CET".
>
>It works for me on a Debian 4.1.17 DC, so you may have something
>misconfigured. Have you altered the smb.conf in any way?

I don't think the modifications I did to smb.conf are relevant enough to
cause a problem, but here's our smb.conf, just in case:

# Global parameters
[global]
    workgroup = TRS-CH
    realm = TRS-CH.COM
    netbios name = PDC
    server role = active directory domain controller
    server services = +s3fs, +rpc, +nbt, +wrepl, +ldap, +cldap, +kdc, +drepl, +winbind, +ntp_signd, +kcc, +dnsupdate

[netlogon]
    path = /var/lib/samba/sysvol/trs-ch.com/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

>do you have ntp installed and configured correctly ?
Yes, I have it installed and everything works fine.

I also already tested the DNS by running the commands described here:
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
Everything is reachable.

I tested kerberos by doing:
'kinit admini...@TRS-CH.COM'
It showed up when I did 'klist'.

Do you need more information?

Thanks !
Cheers,

Guy-Laurent Subri

Rowland Penny

Oct 22, 2015, 5:20:04 PM
Are you running with Bind9?

I think you need to remove all the '+' signs you have added to the
'server services' line. You normally only use the '+' sign to add a
service to the line; I think you may still be using the un-shown 'dns'
option.
I would also recommend that you use the new separate 'winbindd' instead
of the 'winbind' that you are using. I think that before long the old
'winbind' built into the samba daemon is going to disappear, so you
might as well get used to it now.

Rowland

Rowland Penny

Oct 22, 2015, 6:00:04 PM
On 22/10/15 22:33, Guy-Laurent Subri wrote:
> Yes, I'm running Bind9.
> If I either remove the + signs or change 'windbind' to 'windbindd' I
> cannot contact the server again. (The result of the command 'net ads
> info' is : no logon servers, didn't find the ldap server).
>
> Cheers,
> Guy-Laurent Subri

OK, I have just joined a new DC to my domain and I am using Bind9 and
this is what I have in smb.conf:

server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate

Note the lack of '+' signs.

This is with Samba 4.3.1.

I have also checked and 'net ads info' works as well, so if yours isn't
working, then something else is wrong. Can you post your ntp.conf and
bind9 conf files, also your /etc/resolv.conf & /etc/krb5.conf?

mathias dufresne

Oct 26, 2015, 10:00:04 AM
I have no "server services" line in my smb.conf and "net ads info" is
working well using DC running Samba 4.3.1 on Centos 7.

Did you try without the "server services" line?

Cheers,

mathias

L.P.H. van Belle

Oct 26, 2015, 10:10:03 AM
Run : echo "\n" | samba-tool testparm | grep "server service"

What do you see now...

> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of mathias dufresne
> Sent: Monday, 26 October 2015 14:56
> To: sambalist
> Subject: Re: [Samba] net ads info: failed to get server's current time

mathias dufresne

Oct 26, 2015, 10:20:04 AM
I had to add "-v" to testparm to get the default services line:
echo "\n" | samba-tool testparm -v | grep "server service"

L.P.H. van Belle

Oct 26, 2015, 10:30:05 AM
Hm.. both work for me.. I'm on Samba 4.2.4
You?


> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of mathias dufresne
> Sent: Monday, 26 October 2015 15:13
> To: sa...@lists.samba.org

mathias dufresne

Oct 26, 2015, 11:30:05 AM
That was tested on 4.3.1

Rowland Penny

Oct 26, 2015, 12:40:05 PM
On 26/10/15 13:56, mathias dufresne wrote:
> I have no "server services" line in my smb.conf and "net ads info" is
> working well using DC running Samba 4.3.1 on Centos 7.
>
> Did you try without the "server services" line?
>
> Cheers,
>
> mathias
>

If you provision with 'BIND9_DLZ' you get the 'server services' line in
smb.conf but without 'dns', if you provision using the internal DNS, you
do not get the 'server services' line. If you later change to using
Bind9, you would need to add 'server services -dns' to smb.conf.

mathias dufresne

Oct 27, 2015, 10:40:04 AM
Thanks for the precision, Rowland :)

Guy-Laurent Subri

Oct 28, 2015, 6:20:04 AM
My version of Samba is 4.1.17. I don't think this changes anything, but
I can try to upgrade if needed.
>I have also checked and 'net ads info' works as well, so if yours isn't
>working, then something else is wrong, can you post your ntp.conf and
>bind9 conf files, also your /etc/resolv.conf & /etc/krb5.conf
>
>Rowland

Here are the files:

/etc/ntp.conf
-------------
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/samba/ntp_signd

statsdir /var/log/ntpstats/

server 0.ch.pool.ntp.org
server 1.ch.pool.ntp.org
server 2.ch.pool.ntp.org
server 3.ch.pool.ntp.org

restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp

restrict 127.0.0.1
restrict ::1

restrict 0.ch.pool.ntp.org mask 255.255.255 nomodify notrap nopeer noquery

broadcast 192.168.123.255

/etc/bind/named.conf
--------------------
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

/etc/bind/named.conf.options
----------------------------
options {
directory "/var/cache/bind";

forwarders {
192.168.1.185;
};

dnssec-validation auto;

auth-nxdomain no;
allow-query { localhost; any; };
listen-on port 53 { 127.0.0.1; 192.168.1.17; };
listen-on-v6 { any; };
};

/etc/bind/named.conf.local
--------------------------
is empty

/etc/bind/named.conf.default-zones
----------------------------------
zone "." {
type hint;
file "/etc/bind/db.root";
};

zone "localhost" {
type master;
file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};

/var/lib/samba/private/named.conf
---------------------------------
zone "trs-ch.com." IN {
type master;
file "/var/lib/samba/private/dns/trs-ch.com.zone";
include "/var/lib/samba/private/named.conf.update";
check-names ignore;
};

resolv.conf
-----------
search trs-ch.com
nameserver 192.168.1.17
nameserver 192.168.1.7

krb5.conf
---------
[libdefaults]
default_realm = TRS-CH.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
TRS-CH.COM = {
kdc = 192.168.1.17
admin_server = 192.168.1.17
default_domain = trs-ch.com
}
[TRS-CH.COM]
.trs-ch.com = TRS-CH.COM
trs.ch.com =
TRS-CH.COM

Thank you for your time!

Cheers,
Guy-Laurent

Rowland Penny

Oct 28, 2015, 6:40:03 AM
On 28/10/15 10:09, Guy-Laurent Subri wrote:

> My version of Samba is 4.1.17. I don't think this changes anything, but
> I can try to upgrade if needed.

OK, looks like you are running Debian, either wheezy using backports or
Jessie and my old DC is running wheezy and net ads info works on that.

> Here are the files:
>
> /etc/ntp.conf
> -------------
> driftfile /var/lib/ntp/ntp.drift
> ntpsigndsocket /var/lib/samba/ntp_signd
>
> statsdir /var/log/ntpstats/
>
> server 0.ch.pool.ntp.org
> server 1.ch.pool.ntp.org
> server 2.ch.pool.ntp.org
> server 3.ch.pool.ntp.org
>
> restrict -4 default kod notrap nomodify nopeer noquery mssntp
> restrict -6 default kod notrap nomodify nopeer noquery mssntp
>
> restrict 127.0.0.1
> restrict ::1
>
> restrict 0.ch.pool.ntp.org mask 255.255.255 nomodify notrap nopeer
> noquery
>
> broadcast 192.168.123.255
>

I would suggest that you either remove the last 3 'server' lines or add
another 3 'restrict' lines to cover them.

> /etc/bind/named.conf
> --------------------
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> /etc/bind/named.conf.options
> ----------------------------
> options {
> directory "/var/cache/bind";
>
> forwarders {
> 192.168.1.185;
> };

What is the forwarder ?
This is wrong, /var/lib/samba/private/named.conf should be:

dlz "AD DNS Zone" {
# For BIND 9.8.0
#database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

# For BIND 9.9.0
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};

>
> resolv.conf
> -----------
> search trs-ch.com
> nameserver 192.168.1.17
> nameserver 192.168.1.7
>

What is the second nameserver ? if it is a second DC, swap them around,
otherwise remove it.

> krb5.conf
> ---------
> [libdefaults]
> default_realm = TRS-CH.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> [realms]
> TRS-CH.COM = {
> kdc = 192.168.1.17
> admin_server = 192.168.1.17
> default_domain = trs-ch.com
> }
> [TRS-CH.COM]
> .trs-ch.com = TRS-CH.COM
> trs.ch.com =
> TRS-CH.COM
>

You only need this in /etc/krb5.conf

[libdefaults]
default_realm = TRS-CH.COM
dns_lookup_realm = false
dns_lookup_kdc = true

Rowland

L.P.H. van Belle

Oct 28, 2015, 6:40:03 AM
Hai,


Copy the code and set these variables.
Run the script, restart samba and log in again with a PC.
Should work now, you're missing something, and you're not using good ntp servers.

#!/bin/bash
########## NTP settings needed for a correctly functioning Samba AD DC server
## Set to 1 to install the ntp server.
## (default is ok)
NTPD_INSTALL="1"
# If you run the server on a XEN server, set to 1.
NTPD_XEN_GUEST="0"
## Important: look for a stratum 1 server in your area.
## For a server joining a domain, put the IP of the AD server here.
## See also http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
## (default is not ok, change this one to an ntp server in your country)
NTPD_SERVER1_EXTERNAL="ntp1.nl.net"
## If you don't have a second ntp server, leave empty.
NTPD_SERVER2_EXTERNAL=""
## Restrict which interfaces ntpd binds to.
## Multiple options are allowed.
## The options are: lo eth(0..9) wildcard ipv6
## (default is ok if your interface name is eth0 and you don't use ipv6)
NTPD_RESTRICT_INTERFACE="lo eth0"
NTPD_RESTRICT_INTERFACE_IGNORE="wildcard ipv6"
## Default for sernet samba and debian samba (should normally not be changed)
SAMBA_NTP_SIGNPATH="/var/lib/samba/ntp_signd"
## Debian default, leave it as is.
NTPD_GROUP="ntp"


########### NTP
apt-get -y --no-install-recommends install ntp
# Keep a copy of the current config so the change can be reverted.
cp /etc/ntp.conf /etc/ntp.conf.backup
echo " " >> /etc/ntp.conf
# Comment out the Debian pool servers.
for x in 0 1 2 3 ; do sed -i "s]server ${x}.debian]#server ${x}.debian]g" /etc/ntp.conf ; done
# Listen only on the chosen interfaces and ignore the others.
for i in ${NTPD_RESTRICT_INTERFACE} ; do echo " " >> /etc/ntp.conf; echo "interface listen ${i}" >> /etc/ntp.conf; done
for i2 in ${NTPD_RESTRICT_INTERFACE_IGNORE} ; do echo "interface ignore ${i2}" >> /etc/ntp.conf; done
## Set up the ntp source server.
if [ -n "${NTPD_SERVER1_EXTERNAL}" ]; then sed -i "s]#server ntp.your-provider.example]server ${NTPD_SERVER1_EXTERNAL} ]g" /etc/ntp.conf; fi
# Append the optional second server.
if [ -n "${NTPD_SERVER2_EXTERNAL}" ]; then echo "server ${NTPD_SERVER2_EXTERNAL}" >> /etc/ntp.conf; fi
# Add mssntp to the default restrict lines.
sed -i "s]restrict -4 default kod notrap nomodify nopeer noquery]restrict -4 default kod notrap nomodify nopeer noquery mssntp]g" /etc/ntp.conf
sed -i "s]restrict -6 default kod notrap nomodify nopeer noquery]restrict -6 default kod notrap nomodify nopeer noquery mssntp]g" /etc/ntp.conf
# Point ntpd at the Samba signing socket directory.
cat << EOF >> /etc/ntp.conf

ntpsigndsocket ${SAMBA_NTP_SIGNPATH}

EOF

# Create the directory as root:ntp with mode 0750.
install -o root -g "${NTPD_GROUP}" -m 0750 -d "${SAMBA_NTP_SIGNPATH}"
service ntp start



> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Guy-Laurent Subri
> Sent: Wednesday, 28 October 2015 11:09
> To: Rowland Penny
> CC: sambalist
> Subject: Re: [Samba] net ads info: failed to get server's current time

Rowland Penny

Oct 28, 2015, 6:50:03 AM
On 28/10/15 10:33, L.P.H. van Belle wrote:
> Hai,
>
>
> Copy the code and set these variables.
> Run the script, restart samba and log in again with a PC.
> Should work now, you're missing something, and you're not using good ntp servers.

They all reply to a ping and a quick google seems to prove they exist
(they must be good time servers, they are Swiss :-D )

I don't think that is the problem though, the OP is using a very strange
Bind setup.

Rowland

L.P.H. van Belle

Oct 28, 2015, 7:20:03 AM
Hm, the bind setup looks ok to me, it's a Debian Jessie as far as I can see.
It's a default setup, almost the same I'm using, and bind is configured to 9.9

So I think one of these 4 problems.

Incorrect rights on /var/lib/samba/ntp_signd
chown root:ntp /var/lib/samba/ntp_signd
chmod 750 /var/lib/samba/ntp_signd

OR
The time on the PC is more than 5 min off.

OR
The PC has just joined the domain and has not rebooted yet.

OR
PC is resolving to the internet first.
Which makes it fail also.

So, check the event logs for the last 3 solutions.
Check the rights on /var/lib/samba/ntp_signd

Greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Rowland Penny
> Sent: Wednesday, 28 October 2015 11:45
> To: sa...@lists.samba.org

Rowland Penny

Oct 28, 2015, 7:30:04 AM
I think you missed this:

/var/lib/samba/private/named.conf
---------------------------------
zone "trs-ch.com." IN {
type master;
file "/var/lib/samba/private/dns/trs-ch.com.zone";
include "/var/lib/samba/private/named.conf.update";
check-names ignore;
};

On my wheezy DC:

# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
# For BIND 9.8.0
#database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

# For BIND 9.9.0
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};

Rowland

Guy-Laurent Subri

Oct 28, 2015, 9:20:07 AM
I deleted the forwarder as we don't need it anymore. Thanks for
reminding me it was there!
Ok. I tried this but I've got an error:
samba_dlz: Unable to get basedn for /var/lib/samba/private/dns/sam.ldb
- NULL Base DN invalid for a base search
>>
>> resolv.conf
>> -----------
>> search trs-ch.com
>> nameserver 192.168.1.17
>> nameserver 192.168.1.7
>>
>
>What is the second nameserver ? if it is a second DC, swap them around,
>otherwise remove it.
It's another DC, but not for the same realm. I swapped them.
>> krb5.conf
>> ---------
>> [libdefaults]
>> default_realm = TRS-CH.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> [realms]
>> TRS-CH.COM = {
>> kdc = 192.168.1.17
>> admin_server = 192.168.1.17
>> default_domain = trs-ch.com
>> }
>> [TRS-CH.COM]
>> .trs-ch.com = TRS-CH.COM
>> trs.ch.com =
>> TRS-CH.COM
>>
>
>You only need this in /etc/krb5.conf
>
>[libdefaults]
>default_realm = TRS-CH.COM
>dns_lookup_realm = false
>dns_lookup_kdc = true

Ok, I modified it accordingly

Do you know why I have this error ? BTW, sam.ldb is owned by root:root
and is set to rw for user and none to group and world, is this ok ?

Thanks again,
Guy-Laurent

Rowland Penny

Oct 28, 2015, 9:30:03 AM
If you are running Samba4 as an AD DC with bind9, then you do need the
forwarder, so make sure you have one and it must be one outside the
Samba4 domain that resolves the rest of the internet.
OK, How did you provision Samba4 ?
Does /var/lib/samba/private/dns/sam.ldb exist ? if it does (and it
should) it should belong to root:bind with 0660 permissions (-rw-rw----)

>>>
>>> resolv.conf
>>> -----------
>>> search trs-ch.com
>>> nameserver 192.168.1.17
>>> nameserver 192.168.1.7
>>>
>>
>> What is the second nameserver ? if it is a second DC, swap them around,
>> otherwise remove it.
> It's another DC, but not for the same realm. I swapped them.

Remove it, your DC should only ask other DCs in its own domain for DNS info


>>> krb5.conf
>>> ---------
>>> [libdefaults]
>>> default_realm = TRS-CH.COM
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>> [realms]
>>> TRS-CH.COM = {
>>> kdc = 192.168.1.17
>>> admin_server = 192.168.1.17
>>> default_domain = trs-ch.com
>>> }
>>> [TRS-CH.COM]
>>> .trs-ch.com = TRS-CH.COM
>>> trs.ch.com =
>>> TRS-CH.COM
>>>
>>
>> You only need this in /etc/krb5.conf
>>
>> [libdefaults]
>> default_realm = TRS-CH.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>
> Ok, I modified it accordingly
>
> Do you know why I have this error ? BTW, sam.ldb is owned by root:root
> and is set to rw for user and none to group and world, is this ok ?

If you are talking /var/lib/samba/private/sam.ldb then this is correct.

Rowland

Guy-Laurent Subri

Oct 28, 2015, 9:30:03 AM
Thanks for the script. I ran it. So all my config regarding NTP should
be ok, if I understood correctly ?

Cheers,
Guy-Laurent

Guy-Laurent Subri

Oct 28, 2015, 9:50:02 AM
I don't remember how I provisioned Samba exactly, but I'm sure I
provisioned with BIND9 instead of internal DNS. The file exists but is
bind:bind with 0664.
>>>>
>>>> resolv.conf
>>>> -----------
>>>> search trs-ch.com
>>>> nameserver 192.168.1.17
>>>> nameserver 192.168.1.7
>>>>
>>>
>>> What is the second nameserver ? if it is a second DC, swap them around,
>>> otherwise remove it.
>> It's another DC, but not for the same realm. I swapped them.
>
>Remove it, your DC should only ask other DCs in its own domain for DNS info
Ok, done. Why is it a problem if my DC asks for DNS info in another
domain ?
>>>> krb5.conf
>>>> ---------
>>>> [libdefaults]
>>>> default_realm = TRS-CH.COM
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>> [realms]
>>>> TRS-CH.COM = {
>>>> kdc = 192.168.1.17
>>>> admin_server = 192.168.1.17
>>>> default_domain = trs-ch.com
>>>> }
>>>> [TRS-CH.COM]
>>>> .trs-ch.com = TRS-CH.COM
>>>> trs.ch.com =
>>>> TRS-CH.COM
>>>>
>>>
>>> You only need this in /etc/krb5.conf
>>>
>>> [libdefaults]
>>> default_realm = TRS-CH.COM
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>
>> Ok, I modified it accordingly
>>
>> Do you know why I have this error ? BTW, sam.ldb is owned by root:root
>> and is set to rw for user and none to group and world, is this ok ?
>
>If you are talking /var/lib/samba/private/sam.ldb then this is correct.
I was, but I misread the path.

L.P.H. van Belle

Oct 28, 2015, 9:50:03 AM
Hai Guy,

Yes, it makes a backup of your previous version so you can revert if needed.

And review your config after you run it, you might see a line like this:
restrict -4 default kod notrap nomodify nopeer noquery mssntp mssntp
( check if you don't see mssntp 2 x, if so, remove 1 of them )
This is because normally this is run against a "default" ntp.conf

And change the variables in the script where needed before running it.


Below is my ntp.conf after running the script on a DC !
Member server ntp.conf is a bit different
And from a default/clean/unmodded ntp.conf. !

Review it or run the script.
( more about these scripts https://secure.bazuin.nl/scripts/ )

If reviewed manually, don't forget the rights on
/var/lib/samba/ntp_signd
drwxr-x--- 2 root ntp 4096 Oct 16 16:58 ntp_signd



# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift


# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).
server ntp1.nl.net

# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
#server 0.debian.pool.ntp.org iburst
#server 1.debian.pool.ntp.org iburst
#server 2.debian.pool.ntp.org iburst
#server 3.debian.pool.ntp.org iburst


# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust


# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

# Xen guest adjustments
#dispersion 1.000: Ignore high jitters and offsets as local clock drifts wildly on xen
#panic 0: set time even if time shift is more than 1000 seconds
tinker panic 0 dispersion 1.000

interface listen lo

interface listen eth0
interface ignore wildcard
interface ignore ipv6

###### Needed for Samba 4
####### in the restrict -4 or -6 added mssntp at the end
# Location of the samba ntp_signed directory
ntpsigndsocket /var/lib/samba/ntp_signd




> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Guy-Laurent Subri
> Sent: Wednesday, 28 October 2015 14:21
> To: sa...@lists.samba.org
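
The checks raised in the messages above (mssntp exactly once on each default restrict line, an ntpsigndsocket directive, and the owner and mode of /var/lib/samba/ntp_signd and /var/lib/samba/private/dns/sam.ldb) can be scripted. This is an added example, not part of any poster's message; the function names and the sample ntp.conf are constructed here, and GNU stat is assumed.

```shell
#!/bin/bash
# Added example: audit the NTP-signing settings discussed in this thread.
# Expected owners and modes are the ones quoted by the posters.

# check_perms PATH OWNER GROUP MODE: succeed only on an exact match.
check_perms() {
    local path=$1 want="$2:$3 $4" have
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    have=$(stat -c '%U:%G %a' "$path")    # GNU coreutils stat (assumption)
    if [ "$have" != "$want" ]; then
        echo "BAD     $path is '$have', expected '$want'"
        return 1
    fi
    echo "OK      $path ($have)"
}

# signd_socket_dir FILE: print the directory named by 'ntpsigndsocket'.
signd_socket_dir() {
    awk '$1 == "ntpsigndsocket" { print $2; exit }' "$1"
}

# check_ntp_conf FILE: print findings; exit status is the number of problems.
check_ntp_conf() {
    local conf=$1 problems=0 fam line count
    for fam in -4 -6; do
        line=$(grep -E "^[[:space:]]*restrict[[:space:]]+${fam}[[:space:]]+default" "$conf" | head -n 1)
        count=$(printf '%s\n' "$line" | grep -ow 'mssntp' | wc -l)
        if [ -z "$line" ]; then
            echo "BAD     no 'restrict ${fam} default' line"
            problems=$((problems + 1))
        elif [ "$count" -eq 0 ]; then
            echo "BAD     'restrict ${fam} default' lacks mssntp"
            problems=$((problems + 1))
        elif [ "$count" -gt 1 ]; then
            echo "BAD     'restrict ${fam} default' has mssntp ${count} times"
            problems=$((problems + 1))
        fi
    done
    if [ -z "$(signd_socket_dir "$conf")" ]; then
        echo "BAD     no ntpsigndsocket directive"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: mssntp doubled on the -4 line (the case the thread
# warns about after re-running the setup script) and missing on the -6 line.
sample_conf=$(mktemp)
cat > "$sample_conf" << 'EOF'
driftfile /var/lib/ntp/ntp.drift
server ntp1.nl.net
restrict -4 default kod notrap nomodify nopeer noquery mssntp mssntp
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
ntpsigndsocket /var/lib/samba/ntp_signd
EOF

check_ntp_conf "$sample_conf" || echo "problems found: $?"

# On a real DC (run as root), with the values given in the thread:
#   check_ntp_conf /etc/ntp.conf
#   check_perms /var/lib/samba/ntp_signd root ntp 750
#   check_perms /var/lib/samba/private/dns/sam.ldb root bind 660
```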

Guy-Laurent Subri

Oct 28, 2015, 10:10:05 AM
Reviewing the file, I didn't see any differences between before and
after the script. I guess this means my NTP config was already fine?

Cheers,
Guy-Laurent
On Wed, Oct 28, 2015 at 02:45:21PM +0100, L.P.H. van Belle wrote:
Hai Guy-Laurent, .... ;)
>
>Yes, it makes a backup of your previous version so you can revert if needed.
>
>And review your config after you run it, you might see a line like this:
>restrict -4 default kod notrap nomodify nopeer noquery mssntp mssntp
>( check if you don't see mssntp 2 x, if so, remove 1 of them )
>This is because normally this is run against a "default" ntp.conf
>
>And change the variables in the script where needed before running it.
>
>
>Below is my ntp.conf after running the script on a DC !
>Member server ntp.conf is a bit different
>And from a default/clean/unmodded ntp.conf. !
>
>Review it or run the script.
>( more about these scripts https://secure.bazuin.nl/scripts/ )
>
>If reviewed manually, don't forget the rights on
>/var/lib/samba/ntp_signd
>drwxr-x--- 2 root ntp 4096 Oct 16 16:58 ntp_signd
I have the right permissions on this directory.