AccountProvider_Error_82 on member NS7 after join

robb · August 2, 2017, 8:58pm

NethServer Version: NS7
Module: Samba4 Account provider

I have NS7 running with a Samba4 AD account provider. To make my network a bit more modular, I decided to install a second NS7 server with 2 networkadapters with only 1 functionality: Gateway. I joined the Samba4 domain with this second server and was confirmed the join was ok.
When I look at Status/Domain Accounts, it has the same info as on the DC.
But when I go to Management/Users and Groups, I get an empty table and red bar: AccountProvider_Error_82

What might have gone wrong here?

davidep · August 3, 2017, 7:42am

Please look into /var/log/messages if you can find further information.

Check if the systems clock difference is less than 5 minutes.

Also run this command and check its output:

/usr/libexec/nethserver/list-users

robb · August 3, 2017, 3:51pm

Times are synce through ntp.org so they are on par with both servers.
outcome of list-users:

[root@fw ~]# /usr/libexec/nethserver/list-users
(82) GSSAPI Error (init): Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

In /var/log/messages I probably have found the cause:

Aug 2 21:40:49 fw realmd: * Resolving: interlin.nl
Aug 2 21:40:49 fw realmd: * Performing LDAP DSE lookup on: 178.21.118.63
Aug 2 21:40:49 fw realmd: * Successfully discovered: interlin.nl
Aug 2 21:40:49 fw realmd: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
Aug 2 21:40:49 fw realmd: * LANG=C /usr/sbin/adcli join --verbose --domain interlin.nl --domain-realm INTERLIN.NL --domain-controller 178.21.118.63 --login-type user --login-user rob --stdin-password
Aug 2 21:40:49 fw realmd: * Using domain name: interlin.nl
Aug 2 21:40:49 fw realmd: * Calculated computer account name from fqdn: FW
Aug 2 21:40:49 fw realmd: * Using domain realm: interlin.nl
Aug 2 21:40:49 fw realmd: * Sending netlogon pings to domain controller: cldap://178.21.118.63
Aug 2 21:40:49 fw realmd: * Received NetLogon info from: kvs1.interlin.nl
Aug 2 21:40:49 fw realmd: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-FO4yYn/krb5.d/adcli-krb5-conf-WtXJr9
Aug 2 21:40:50 fw realmd: * Authenticated as user: rob@INTERLIN.NL

The domain which the server has joined is not the NethServer Samba4 AD DC, but the server where interlin.nl is hosted on a VPS in a datacenter.

Maybe I should opt for a local tld (lan or local or something like that) as Samba4 Domain Or could I make this work and make a domain based on 3 servers of which one is off site? I have my email served on that VPS and it would be nice if it all was the same domain. Would it be possible to use a server to server VPN from home to the datacenter and still have the server in the datacenter have a direct connection to internet with an external IP address?

davidep · August 4, 2017, 7:36am

IIUC, you have two separate DCs with the same domain name? This is a bad situation

Support to multiple DCs is still limited to migration scenarios. In production environments, I recommend only a single DC per domain.

About the domain name, the best practice is pointed out in the manual: use a private subdomain of the public domain; i.e. ad.interlin.nl, corp.interlin.nl, home.interlin.nl…

http://docs.nethserver.org/en/v7/accounts.html#dns-and-ad-domain

This could be viable. I’ve already seen similar deployments. I recommend only one DC: in your case it could be the VPS.

Did you see this #howto? You could grab the network configuration

Configure NethServer 7 DC+VPNs on a dply.co VPS

robb · August 4, 2017, 4:47pm

Ok, I removed the server from the domain by leaving the domain. By mistake I joined interlin.nl instead of ad.interlin.nl
ad.interlin.nl is running on another NS7 on my local network.
After leaving, I joined ad.interlin.nl but I still have the same error: AccountProvider_Error_82

/var/log/messages on the server that joined the domain is here: https://pastebin.com/bGzBpvER

I had to try a few times before the join succeeded. Therefor you see a failed in row #65 and #177
What troubles me is the multiple entries of:

fw admin-todos: (82) GSSAPI Error (init): Unspecified GSS failure. Minor code may provide more information
fw admin-todos: Server not found in Kerberos database

What does that mean? Something wrong with DNS settings?

/edit:
Maybe something that points to the problem:
When I do a klist on the server that joined the domain I get:

[root@fw ~]# klist
klist: Credentials cache keyring ‘persistent:0:0’ not found

Seems trhe server doesn’t get a (valid) Kerberos token?

//edit:
Info from Domain Accounts looks good to me:

Domain ad.interlin.nl

NetBIOS domain name: INTERLIN
LDAP server: 192.168.10.6
LDAP server name: nsdc-ns7.ad.interlin.nl
Realm: AD.INTERLIN.NL
Bind Path: dc=AD,dc=INTERLIN,dc=NL
LDAP port: 389
Server time: Fri, 04 Aug 2017 20:41:11 CEST
KDC server: 192.168.10.6
Server time offset: 0
Last machine account password change: Fri, 04 Aug 2017 20:01:09 CEST

Join is OK
name: FW
objectSid: S-1-5-21-3689670861-2108593795-486037524-1113
accountExpires: 9223372036854775807
sAMAccountName: FW$
dNSHostName: fw.ad.interlin.nl
servicePrincipalName: HOST/FW
servicePrincipalName: HOST/fw.ad.interlin.nl
pwdLastSet: 131463432694462510
whenChanged: 20170804180109.0Z
lastLogon: 131463456721612810
distinguishedName: CN=FW,CN=Computers,DC=ad,DC=interlin,DC=nl

robb · August 5, 2017, 8:48pm

Still puzzled about thius problem. I can’t see any domain accounts on the users and groups page on the 2nd server. Still getting error_82

davidep · August 21, 2017, 10:55am

Could you paste also /etc/krb5.conf contents?

robb · August 27, 2017, 9:40am

Here is the link to patebin of /etc/krb5.conf:
https://pastebin.com/749b6FaU

Should I change the interlin.nl entries to ad.interlin.nl? ONly ad.interlin.nl is on my local LAN.

There is definately something wrong with krb config:

[root@fw ~]# /usr/libexec/nethserver/list-users
klist: Improper format of Kerberos configuration file while initializing krb5
kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
(82) GSSAPI Error (init): Unspecified GSS failure. Minor code may provide more information
Improper format of Kerberos configuration file

davidep · August 28, 2017, 7:03am

 interlin.nl = INTERLIN.NL
 .interlin.nl = INTERLIN.NL

These two lines map any DNS subdomain of interlin.nl to the Kerberos Realm INTERLIN.NL. Please change them to

ad.interlin.nl = AD.INTERLIN.NL
.ad.internlin.nl = AD.INTERLIN.NL

Also

default_realm = INTERLIN.NL

should be changed to

default_realm = AD.INTERLIN.NL

Perhaps we should get rid of realmd and rely on krb5.conf template… /cc @dev_team

I can’t get why it is “improperly formatted”. Did you change it manually?