Can't get Samba account provider work

I ve reinstalled NS 7b2 five times. I can get Samba account provider works. Any advices?
I first setup Organization contacts and get a self signed certificate, start as a dns and dhcp server (on green interface) , then go to software center, check Samba Account provider. click add. When software finished installation whith an error, then restarted (someone in the forum recommend that)
After reboot, a yellow box in the dashboard suggest to change administrator password. When i click on that link webgui stop working and the only solution i found is start over whith the installation.

Hi @Auto_Bitacora, could you look at /var/log/messages? Is there any relevant log line about errors?

Looks i have a problem with the administrator password

Sep 15 16:48:00 plantaserver2 systemd-nspawn: CentOS Linux 7 (Core)
Sep 15 16:48:00 plantaserver2 systemd-nspawn: Kernel 3.10.0-327.28.3.el7.x86_64 on an x86_64
Sep 15 16:48:10 plantaserver2 kernel: br0: port 2(vb-nsdc) entered forwarding state
Sep 15 16:48:20 plantaserver2 esmith::event[2437]: Action: /etc/e-smith/events/nethserver-dc-save/S95nethserver-dc-waitstart SUCCESS [25.209353]
Sep 15 16:48:20 plantaserver2 /sbin/e-smith/db[3035]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||LdapURI||Provider|none|status|disabled
Sep 15 16:48:20 plantaserver2 /sbin/e-smith/db[3035]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns|192.168.200.2|LdapURI||Provider|none|status|disabled
Sep 15 16:48:20 plantaserver2 /sbin/e-smith/db[3035]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns|192.168.200.2|LdapURI||Provider|none|status|disabled
Sep 15 16:48:20 plantaserver2 /sbin/e-smith/db[3035]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns|192.168.200.2|LdapURI||Provider|ad|status|disabled
Sep 15 16:48:20 plantaserver2 /sbin/e-smith/db[3035]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns|192.168.200.2|LdapURI||Provider|ad|status|disabled
Sep 15 16:48:20 plantaserver2 /sbin/e-smith/db[3035]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns|192.168.200.2|LdapURI||Provider|ad|status|enabled
Sep 15 16:48:20 plantaserver2 systemd: Stopping DNS caching server....
Sep 15 16:48:20 plantaserver2 dnsmasq[2922]: exiting on receipt of SIGTERM
Sep 15 16:48:20 plantaserver2 systemd: Started DNS caching server..
Sep 15 16:48:20 plantaserver2 systemd: Starting DNS caching server....
Sep 15 16:48:20 plantaserver2 dnsmasq[3042]: started, version 2.66 cachesize 4000
Sep 15 16:48:20 plantaserver2 dnsmasq[3042]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth
Sep 15 16:48:20 plantaserver2 dnsmasq-dhcp[3042]: DHCP, IP range 192.168.200.100 -- 192.168.200.254, lease time 10m
Sep 15 16:48:20 plantaserver2 dnsmasq-tftp[3042]: TFTP root is /var/lib/tftpboot
Sep 15 16:48:20 plantaserver2 dnsmasq[3042]: using nameserver 192.168.200.2#53 for domain kloncor.com.ar
Sep 15 16:48:20 plantaserver2 dnsmasq[3042]: using nameserver 8.8.8.8#53
Sep 15 16:48:20 plantaserver2 dnsmasq[3042]: using nameserver 200.69.193.1#53
Sep 15 16:48:20 plantaserver2 dnsmasq[3042]: read /etc/hosts - 4 addresses
Sep 15 16:48:20 plantaserver2 dnsmasq-dhcp[3042]: read /etc/dnsmasq-dhcp-hosts
Sep 15 16:48:20 plantaserver2 systemd: Stopped System Security Services Daemon.
Sep 15 16:48:20 plantaserver2 dbus[844]: [system] Activating service name='org.freedesktop.realmd' (using servicehelper)
Sep 15 16:48:20 plantaserver2 dbus-daemon: dbus[844]: [system] Activating service name='org.freedesktop.realmd' (using servicehelper)
Sep 15 16:48:21 plantaserver2 dbus[844]: [system] Successfully activated service 'org.freedesktop.realmd'
Sep 15 16:48:21 plantaserver2 dbus-daemon: dbus[844]: [system] Successfully activated service 'org.freedesktop.realmd'
Sep 15 16:48:21 plantaserver2 dbus[844]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
Sep 15 16:48:21 plantaserver2 dbus-daemon: dbus[844]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
Sep 15 16:48:21 plantaserver2 systemd: Starting Authorization Manager...
Sep 15 16:48:21 plantaserver2 polkitd[3054]: Started polkitd version 0.112
Sep 15 16:48:21 plantaserver2 dbus[844]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Sep 15 16:48:21 plantaserver2 dbus-daemon: dbus[844]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Sep 15 16:48:21 plantaserver2 systemd: Started Authorization Manager.
Sep 15 16:48:21 plantaserver2 realmd: * Resolving: _ldap._tcp.kloncor.com.ar
Sep 15 16:48:21 plantaserver2 realmd: * Performing LDAP DSE lookup on: 192.168.200.2
Sep 15 16:48:21 plantaserver2 realmd: * Successfully discovered: kloncor.com.ar
Sep 15 16:48:21 plantaserver2 realmd: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Sep 15 16:48:21 plantaserver2 realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.IV2WNY -U Administrator ads join kloncor.com.ar
Sep 15 16:48:21 plantaserver2 realmd: Enter Administrator's password:
Sep 15 16:48:21 plantaserver2 realmd: Failed to join domain: failed to lookup DC info for domain 'kloncor.com.ar' over rpc: The connection was refused
Sep 15 16:48:21 plantaserver2 realmd: ! Joining the domain kloncor.com.ar failed
Sep 15 16:48:21 plantaserver2 esmith::event[2437]: Password for Administrator: See: journalctl REALMD_OPERATION=r1751.3045
Sep 15 16:48:21 plantaserver2 esmith::event[2437]: realm: Couldn't join realm: Joining the domain kloncor.com.ar failed
Sep 15 16:48:21 plantaserver2 esmith::event[2437]: 
Sep 15 16:48:21 plantaserver2 esmith::event[2437]: [WARNING] DC join attempt 1 of 3 failed! Wait a few seconds...
Sep 15 16:48:26 plantaserver2 realmd: * Resolving: _ldap._tcp.kloncor.com.ar
Sep 15 16:48:26 plantaserver2 realmd: * Performing LDAP DSE lookup on: 192.168.200.2
Sep 15 16:48:26 plantaserver2 realmd: * Successfully discovered: kloncor.com.ar
Sep 15 16:48:26 plantaserver2 realmd: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Sep 15 16:48:26 plantaserver2 realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.GU2LNY -U Administrator ads join kloncor.com.ar
Sep 15 16:48:27 plantaserver2 realmd: Enter Administrator's password:gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Server not found in Kerberos database]
Sep 15 16:48:27 plantaserver2 realmd: kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
Sep 15 16:48:27 plantaserver2 realmd: 
Sep 15 16:48:27 plantaserver2 realmd: Failed to join domain: failed to connect to AD: An internal error occurred.
Sep 15 16:48:27 plantaserver2 realmd: ! Joining the domain kloncor.com.ar failed
Sep 15 16:48:27 plantaserver2 esmith::event[2437]: Password for Administrator: See: journalctl REALMD_OPERATION=r1756.3092
Sep 15 16:48:27 plantaserver2 esmith::event[2437]: realm: Couldn't join realm: Joining the domain kloncor.com.ar failed
Sep 15 16:48:27 plantaserver2 esmith::event[2437]: 
Sep 15 16:48:27 plantaserver2 esmith::event[2437]: [WARNING] DC join attempt 2 of 3 failed! Wait a few seconds...
Sep 15 16:48:32 plantaserver2 realmd: * Resolving: _ldap._tcp.kloncor.com.ar
Sep 15 16:48:32 plantaserver2 realmd: * Performing LDAP DSE lookup on: 192.168.200.2
Sep 15 16:48:32 plantaserver2 realmd: * Successfully discovered: kloncor.com.ar
Sep 15 16:48:32 plantaserver2 realmd: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Sep 15 16:48:32 plantaserver2 realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.FSCHNY -U Administrator ads join kloncor.com.ar
Sep 15 16:48:32 plantaserver2 realmd: Enter Administrator's password:gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Server not found in Kerberos database]
Sep 15 16:48:32 plantaserver2 realmd: kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
Sep 15 16:48:32 plantaserver2 realmd: 
Sep 15 16:48:32 plantaserver2 realmd: Failed to join domain: failed to connect to AD: An internal error occurred.
Sep 15 16:48:32 plantaserver2 realmd: ! Joining the domain kloncor.com.ar failed
Sep 15 16:48:32 plantaserver2 esmith::event[2437]: Password for Administrator: See: journalctl REALMD_OPERATION=r1762.3103
Sep 15 16:48:32 plantaserver2 esmith::event[2437]: realm: Couldn't join realm: Joining the domain kloncor.com.ar failed
Sep 15 16:48:32 plantaserver2 esmith::event[2437]: 
Sep 15 16:48:32 plantaserver2 esmith::event[2437]: [WARNING] DC join attempt 3 of 3 failed! Wait a few seconds...
Sep 15 16:48:37 plantaserver2 esmith::event[2437]: [ERROR] DC join failed
Sep 15 16:48:37 plantaserver2 esmith::event[2437]: Action: /etc/e-smith/events/nethserver-dc-save/S96nethserver-dc-join FAILED: 1 [17.784079]
Sep 15 16:48:38 plantaserver2 esmith::event[2437]: Password complexity activated!
Sep 15 16:48:38 plantaserver2 esmith::event[2437]: Password history length changed!
Sep 15 16:48:38 plantaserver2 esmith::event[2437]: Minimum password age changed!
Sep 15 16:48:38 plantaserver2 esmith::event[2437]: Maximum password age changed!
Sep 15 16:48:38 plantaserver2 esmith::event[2437]: All changes applied successfully!
Sep 15 16:48:38 plantaserver2 esmith::event[2437]: Action: /etc/e-smith/events/nethserver-dc-save/S97nethserver-dc-password-policy SUCCESS [0.537472]
Sep 15 16:48:38 plantaserver2 esmith::event[2437]: Event: nethserver-dc-save FAILED
Sep 15 16:48:40 plantaserver2 dnsmasq-dhcp[3042]: DHCPREQUEST(br0) 192.168.200.121 00:23:5a:31:ca:b6
Sep 15 16:48:40 plantaserver2 dnsmasq-dhcp[3042]: DHCPACK(br0) 192.168.200.121 00:23:5a:31:ca:b6 tsistemas2

The first attempt to join fails because smbd is not running at that moment. This should not be a problem, because we now try again after 5 secondsā€¦

This seems the symptom of the real problemā€¦

What was the error? Do you have any log excerpt with it?

BTW, reboot is not necessary!

Is 13 characters, that by adding the ā€œnsdc-ā€ prefix becomes 18 chars. This exceedes the 15 chars NetBIOS name limit. I donā€™t know if it is a problem butā€¦ /cc @quality_team

Could you try with a shorter hostname? Iā€™d go with ā€œplanta2ā€. Under ā€œServer nameā€ page set as FQDN ā€œplanta2.kloncor.com.arā€, before installing the ā€œSamba Account Providerā€ module. If you already installed it, remove it and apply the ā€œFactory resetā€ procedure they suggested you some days ago.

Letā€™s see how it goesā€¦

2 Likes

I played a litle bit with a vm.
When I use a short FQDN (ns7test.ns7.lan) after factory reset the DC, everything seems to work fine.

When I use a log FQDN (clonetestns7test.ns7.lan) I get this error:

After reboot:

and sssd service is stopped.
So I think youā€™re right with your suggestion with the FQDN @davidep
Is it possible to check in this field the maximum length of FQDN? Would avoid similar problems.

2 Likes

Those are great news! :smile: Thanks a lot @flatspin :thumbsup:

Please compare your log files with those above from @Auto_Bitacora and attach them here: could you confirm the error is the same?

Will try to reproduce tommorow. Crashed this machine.:blush: Donā€™t know how, but itā€™s gone. Luckily it was only a cloned vm :joy:

Good morning @davidep

this looks very similar, but not identical:

Sep 20 08:31:33 clonetestns7b2 systemd: Started Authorization Manager.
Sep 20 08:31:33 clonetestns7b2 realmd: * Resolving: _ldap._tcp.ns7.lan
Sep 20 08:31:33 clonetestns7b2 realmd: * Performing LDAP DSE lookup on: 192.168.0.239
Sep 20 08:31:33 clonetestns7b2 realmd: * Successfully discovered: ns7.lan
Sep 20 08:31:33 clonetestns7b2 realmd: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Sep 20 08:31:33 clonetestns7b2 realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.C05AOY -U Administrator ads join ns7.lan
Sep 20 08:31:33 clonetestns7b2 realmd: Enter Administratorā€™s password:gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server not found in Kerberos database]
Sep 20 08:31:33 clonetestns7b2 realmd: kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
Sep 20 08:31:33 clonetestns7b2 realmd:
Sep 20 08:31:33 clonetestns7b2 realmd: Failed to join domain: failed to connect to AD: An internal error occurred.
Sep 20 08:31:33 clonetestns7b2 realmd: ! Joining the domain ns7.lan failed
Sep 20 08:31:33 clonetestns7b2 esmith::event[1768]: Password for Administrator: See: journalctl REALMD_OPERATION=r103.3526
Sep 20 08:31:33 clonetestns7b2 esmith::event[1768]: realm: Couldnā€™t join realm: Joining the domain ns7.lan failed
Sep 20 08:31:33 clonetestns7b2 esmith::event[1768]:
Sep 20 08:31:33 clonetestns7b2 esmith::event[1768]: [WARNING] DC join attempt 1 of 3 failed! Wait a few secondsā€¦

In my case an internalt error occured, in his case the connection was refused.
No administrator is created during setup. But on network panel I get the ā€œset passwordā€ message. :confused:

I can reproduce my error. Everytime when I take a long FQDN, I get an error.

Oh, I have to mention, that I have to delete the bridge manually after factory reset to get nsdc working again. Otherwise the bridge canā€™t be created during setup, and the vb-nsdc was not joined anymore to the bridge. So I had to do it manually. So best way is to delete the bridge in network panel before setup nsdc again.

Hope this helps.

Regards. Ralf.

3 Likes

They are the same!

This sounds strange because if a green bridge already exist it should be selected automaticallyā€¦

Anyway thanks again @flatspin now I can open a bug!

More info from Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=1001667

I want to highlight this link I found there:

The NetBIOS name is the OEM representation of the DNS host name up to MAX_COMPUTERNAME_LENGTH characters. If you set a DNS host name of more than MAX_COMPUTERNAME_LENGTH characters, the NetBIOS name is set to a truncated version of the DNS host name. Otherwise, the whole DNS host name is translated into the OEM NetBIOS name. Warning: If you modify the NetBIOS name so that it is not a truncated mapping of the DNS name, you will break applications that use functions such as DnsHostnameToComputerName which rely on this convention.

4 Likes

Hi @Auto_Bitacora, did you try it with a short FQDN? Did it work?

Thanks for reporting.

1 Like

Can someone point me at the Domain reset procedure. I have a system I need to change the Samba configuration on. Much thanks.

http://docs.nethserver.org/projects/nethserver-devel/en/v7b/nethserver-dc.html#factory-reset

:stuck_out_tongue_winking_eye:

2 Likes

Thank you!

I agree with you! Our FQDN module must check the length of the host name part. The NetBIOS limit of 15 chars seems acceptable for a host name.

This is my experiment:

NethServer FQDN: vm5verylongnamemorethan15.dpnet.nethesis.it
NethServer host name: vm5verylongnamemorethan15

When this server join the Samba AD domain a kerberos error occurs. I fixed that errorā€¦ But still a problem:

Sep 20 17:50:47 vm5verylongnamemorethan15 realmd: * Resolving: _ldap._tcp.dpnet.nethesis.it
Sep 20 17:50:47 vm5verylongnamemorethan15 realmd: * Performing LDAP DSE lookup on: 192.168.122.55
Sep 20 17:50:47 vm5verylongnamemorethan15 realmd: * Successfully discovered: dpnet.nethesis.it
Sep 20 17:50:47 vm5verylongnamemorethan15 realmd: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Sep 20 17:50:47 vm5verylongnamemorethan15 realmd: * Joining using a truncated netbios name: VM5VERYLONGNAME
Sep 20 17:50:47 vm5verylongnamemorethan15 realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.N8NIOY -U Administrator ads join dpnet.nethesis.it
Sep 20 17:50:52 vm5verylongnamemorethan15 realmd: Enter Administrator's password:DNS update failed: NT_STATUS_INVALID_PARAMETER
Sep 20 17:50:52 vm5verylongnamemorethan15 realmd: 
Sep 20 17:50:52 vm5verylongnamemorethan15 realmd: Using short domain name -- DPNET
Sep 20 17:50:52 vm5verylongnamemorethan15 realmd: Joined 'VM5VERYLONGNAME' to dns domain 'dpnet.nethesis.it'
Sep 20 17:50:52 vm5verylongnamemorethan15 realmd: No DNS domain configured for vm5verylongname. Unable to perform DNS Update.

In AD LDAP the long host name appears truncated to 15 chars on every attribute:

name: VM5VERYLONGNAME
objectSid: S-1-5-21-2837209932-2259985391-103392534-1103
sAMAccountName: VM5VERYLONGNAME$
dNSHostName: vm5verylongname.dpnet.nethesis.it
servicePrincipalName: HOST/VM5VERYLONGNAME
servicePrincipalName: HOST/vm5verylongname.dpnet.nethesis.it
distinguishedName: CN=VM5VERYLONGNAME,CN=Computers,DC=dpnet,DC=nethesis,DC=it

This seems a good reason to limit the host name part to 15 chars.

Please comment,
/cc @dev_team @quality_team @support_team

2 Likes

I agree, 15 chars are acceptable, but the usable length for FQDN is only 10 chars, because in case of a AD setup the part ā€œnsdc-ā€ is added, or isnā€™t that affected?
Then maybe the ā€œnsdc-ā€ for the DC could be shortend to only ā€œdc-ā€, so the usable FQDN-length for a DC would be 12 chars.

1 Like

You said it! The bugfix limit the nsdc name to 15 chars automatically. Have a look to my pull request on GitHub for details.

Even I donā€™t like Microsoft limitations, I agree with this: we must survive in a Windows scenario! :smiley:

3 Likes

We have the bug fix on nethserver-testing /cc @quality_team

On a clean machine

yum --enablerepo=nethserver-testing update nethserver-{base,sssd,dc} 

Please, see the test cases in the bug tracker!

https://github.com/NethServer/dev/issues/5110#issuecomment-248328526

4 Likes

I think you did it!!! It works!

I did a clean install. All updates and
I gave a long name (verylongnamens7test2.ns7.lan)
Installed directly from nethserver-testing the packages.
Started dc with green bridge.
And voila:

and

No errors in messages.log relating to sssd or nsdc.

Congratulations @davidep . :+1: :tada:

PS: I had to do yum install ā€¦otherwise nethserver-dc wouldnā€™t be installed on a clean machine.

4 Likes