Zentyal Forum, Linux Small Business Server

Zentyal Server => Directory and Authentication => Topic started by: tvm on January 11, 2016, 09:42:04 pm

Title: Passwords randomly stop working
Post by: tvm on January 11, 2016, 09:42:04 pm
I've added a Zentyal server on bare metal as an additional Domain Controller. I installed using the Development edition image, so it is Zentyal 4.2 on Ubuntu 14.04.

We've been encountering issues with user passwords not working when authenticating with the Zentyal domain controller, but only for some users. One user reported that an old password worked when their new password did not. Resetting the user's password seems to fix the issue for that user, and their new password syncs between all the domain controllers. I figured it was something to do with only users who have changed their passwords and Zentyal was for some reason using an old hash, but today an account that has never had a password changed, and that was previously authenticating fine with the Zentyal DC, now had the same issue.

Zentyal log

http://paste.ubuntu.com/14472279/



Code:
ii  zentyal-ca                            4.2                              all          Zentyal - Certification Authority
ii  zentyal-common                        4.2                              all          Zentyal - Common Library
ii  zentyal-core                          4.2.1.3                          all          Zentyal - Core
ii  zentyal-dns                           4.2.0.3                          all          Zentyal - DNS Server
ii  zentyal-firewall                      4.2                              all          Zentyal - Firewall
ii  zentyal-network                       4.2                              all          Zentyal - Network Configuration
ii  zentyal-ntp                           4.2                              all          Zentyal - NTP Service
ii  zentyal-objects                       4.2                              all          Zentyal - Network Objects
ii  zentyal-openvpn                       4.2                              all          Zentyal - VPN
ii  zentyal-samba                         4.2.1                            all          Zentyal - Domain Controller and File Sharing
ii  zentyal-services                      4.2                              all          Zentyal - Network Services
ii  zentyal-software                      4.2                              all          Zentyal - Software Management
Title: Re: Passwords randomly stop working
Post by: jbahillo on January 11, 2016, 09:58:33 pm
Have you checked sync status with any other DC?
Title: Re: Passwords randomly stop working
Post by: tvm on January 11, 2016, 10:30:19 pm
This is what repadmin /showrepl looks like on the Windows DC

Code:
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\SERVER1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 2f9f90df-33e0-445a-857a-6f0d34427e51
DSA invocationID: 2acaf987-92d4-4379-8bb5-711b168a778d

==== INBOUND NEIGHBORS ======================================

DC=DOMAINNAME,DC=int
    VIR\ZENTYAL via RPC
        DSA object GUID: c5c1145a-1c62-4728-8652-59912c466118
        Last attempt @ 2016-01-11 14:12:19 was successful.
    Default-First-Site-Name\SERVER2 via RPC
        DSA object GUID: c9696829-4d61-4785-9e97-3526f8023423
        Last attempt @ 2016-01-11 14:13:05 was successful.

CN=Configuration,DC=DOMAINNAME,DC=int
    Default-First-Site-Name\SERVER2 via RPC
        DSA object GUID: c9696829-4d61-4785-9e97-3526f8023423
        Last attempt @ 2016-01-11 14:01:10 was successful.
    VIR\ZENTYAL via RPC
        DSA object GUID: c5c1145a-1c62-4728-8652-59912c466118
        Last attempt @ 2016-01-11 14:12:20 was successful.

CN=Schema,CN=Configuration,DC=DOMAINNAME,DC=int
    Default-First-Site-Name\SERVER2 via RPC
        DSA object GUID: c9696829-4d61-4785-9e97-3526f8023423
        Last attempt @ 2016-01-11 13:58:00 was successful.
    VIR\ZENTYAL via RPC
        DSA object GUID: c5c1145a-1c62-4728-8652-59912c466118
        Last attempt @ 2016-01-11 14:12:20 was successful.

DC=DomainDnsZones,DC=DOMAINNAME,DC=int
    Default-First-Site-Name\SERVER2 via RPC
        DSA object GUID: c9696829-4d61-4785-9e97-3526f8023423
        Last attempt @ 2016-01-11 14:11:57 was successful.
    VIR\ZENTYAL via RPC
        DSA object GUID: c5c1145a-1c62-4728-8652-59912c466118
        Last attempt @ 2016-01-11 14:12:20 was successful.

DC=ForestDnsZones,DC=DOMAINNAME,DC=int
    Default-First-Site-Name\SERVER2 via RPC
        DSA object GUID: c9696829-4d61-4785-9e97-3526f8023423
        Last attempt @ 2016-01-11 13:58:00 was successful.
    VIR\ZENTYAL via RPC
        DSA object GUID: c5c1145a-1c62-4728-8652-59912c466118
        Last attempt @ 2016-01-11 14:12:21 was successful.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.

And this is what samba-tool drs showrepl looks like on the Zentyal DC

Code:
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:Zentyal.DOMAINNAME.int[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name Zentyal.DOMAINNAME.int<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name Zentyal.DOMAINNAME.int<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name Zentyal.DOMAINNAME.int<0x20>
Virden\Zentyal
DSA Options: 0x00000001
DSA object GUID: c5c1145a-1c62-4728-8652-59912c466118
DSA invocationId: f83562bb-716b-49d4-80c2-a1e6e53fb42b

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=DOMAINNAME,DC=int
        Default-First-Site-Name\SERVER1 via RPC
                DSA object GUID: 2f9f90df-33e0-445a-857a-6f0d34427e51
                Last attempt @ Mon Jan 11 15:10:45 2016 CST was successful
                0 consecutive failure(s).
                Last success @ Mon Jan 11 15:10:45 2016 CST

CN=Configuration,DC=DOMAINNAME,DC=int
        Default-First-Site-Name\SERVER2 via RPC
                DSA object GUID: c9696829-4d61-4785-9e97-3526f8023423
                Last attempt @ Mon Jan 11 15:10:46 2016 CST was successful
                0 consecutive failure(s).
                Last success @ Mon Jan 11 15:10:46 2016 CST

DC=DOMAINNAME,DC=int
        Default-First-Site-Name\SERVER1 via RPC
                DSA object GUID: 2f9f90df-33e0-445a-857a-6f0d34427e51
                Last attempt @ Mon Jan 11 15:11:47 2016 CST was successful
                0 consecutive failure(s).
                Last success @ Mon Jan 11 15:11:47 2016 CST

DC=DOMAINNAME,DC=int
        Default-First-Site-Name\SERVER2 via RPC
                DSA object GUID: c9696829-4d61-4785-9e97-3526f8023423
                Last attempt @ Mon Jan 11 15:11:46 2016 CST was successful
                0 consecutive failure(s).
                Last success @ Mon Jan 11 15:11:46 2016 CST

CN=Schema,CN=Configuration,DC=DOMAINNAME,DC=int
        Default-First-Site-Name\SERVER1 via RPC
                DSA object GUID: 2f9f90df-33e0-445a-857a-6f0d34427e51
                Last attempt @ Mon Jan 11 15:10:50 2016 CST was successful
                0 consecutive failure(s).
                Last success @ Mon Jan 11 15:10:50 2016 CST

CN=Schema,CN=Configuration,DC=DOMAINNAME,DC=int
        Default-First-Site-Name\SERVER2 via RPC
                DSA object GUID: c9696829-4d61-4785-9e97-3526f8023423
                Last attempt @ Mon Jan 11 15:10:51 2016 CST was successful
                0 consecutive failure(s).
                Last success @ Mon Jan 11 15:10:51 2016 CST

DC=ForestDnsZones,DC=DOMAINNAME,DC=int
        Default-First-Site-Name\SERVER1 via RPC
                DSA object GUID: 2f9f90df-33e0-445a-857a-6f0d34427e51
                Last attempt @ Mon Jan 11 15:10:41 2016 CST was successful
                0 consecutive failure(s).
                Last success @ Mon Jan 11 15:10:41 2016 CST

DC=ForestDnsZones,DC=DOMAINNAME,DC=int
        Default-First-Site-Name\SERVER2 via RPC
                DSA object GUID: c9696829-4d61-4785-9e97-3526f8023423
                Last attempt @ Mon Jan 11 15:10:42 2016 CST was successful
                0 consecutive failure(s).
                Last success @ Mon Jan 11 15:10:42 2016 CST

DC=DomainDnsZones,DC=DOMAINNAME,DC=int
        Default-First-Site-Name\SERVER1 via RPC
                DSA object GUID: 2f9f90df-33e0-445a-857a-6f0d34427e51
                Last attempt @ Mon Jan 11 15:11:37 2016 CST was successful
                0 consecutive failure(s).
                Last success @ Mon Jan 11 15:11:37 2016 CST

DC=DomainDnsZones,DC=DOMAINNAME,DC=int
        Default-First-Site-Name\SERVER2 via RPC
                DSA object GUID: c9696829-4d61-4785-9e97-3526f8023423
                Last attempt @ Mon Jan 11 15:11:56 2016 CST was successful
                0 consecutive failure(s).
                Last success @ Mon Jan 11 15:11:56 2016 CST

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: add70383-5836-44b2-bb2b-fb0cfa8f0b0b
        Enabled        : TRUE
        Server DNS name : SERVER1.DOMAINNAME.int
        Server DN name  : CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAINNAME,DC=int
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
        Connection name: 4e514f64-52b7-434b-ad26-44a02daf2939
        Enabled        : TRUE
        Server DNS name : SERVER2.DOMAINNAME.int
        Server DN name  : CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAINNAME,DC=int
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
Title: Re: Passwords randomly stop working
Post by: jbahillo on January 12, 2016, 10:40:09 am
It looks like you have repl issues:

DC=ForestDnsZones,DC=DOMAINNAME,DC=int
    Default-First-Site-Name\SERVER2 via RPC
        DSA object GUID: c9696829-4d61-4785-9e97-3526f8023423
        Last attempt @ 2016-01-11 13:58:00 was successful.
    VIR\ZENTYAL via RPC
        DSA object GUID: c5c1145a-1c62-4728-8652-59912c466118
        Last attempt @ 2016-01-11 14:12:21 was successful.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.

Additionally, on the Zentyal server I cannot see outgoing connections, which is definitely wrong. Given Zentyal is an Additional DC, just try cleaning the samba conf on Zentyal (/usr/share/zentyal/clean-conf samba), and then reconfiguring it and re-enabling it again (to rejoin the domain)
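The checks jbahillo applies to the showrepl listing (inbound neighbours with failures, an empty OUTBOUND NEIGHBORS section, the "No NC replicated" warnings) are easy to miss in a long dump, so they can be scripted. The following is an added example, not code from the thread or from Zentyal/Samba; it parses the text format `samba-tool drs showrepl` printed above. The embedded SAMPLE is constructed from that format with a made-up failed SERVER2 entry so the failure path is exercised, and the partner DC names given on the command line are assumptions.

```python
"""Triage `samba-tool drs showrepl` output.

Added example, not code from the thread, Zentyal or Samba. It applies the
checks made above (inbound failure counters, an empty OUTBOUND NEIGHBORS
section, "No NC replicated" warnings). SAMPLE is a constructed, shortened copy
of the posted format; the failed SERVER2 entry is made up.
Usage: samba-tool drs showrepl | python3 repl_check.py [EXPECTED_DC ...]
"""
import re
import sys

SAMPLE = """\
Virden\\Zentyal

==== INBOUND NEIGHBORS ====

DC=DOMAINNAME,DC=int
        Default-First-Site-Name\\SERVER1 via RPC
                Last attempt @ Mon Jan 11 15:11:47 2016 CST was successful
                0 consecutive failure(s).

DC=DOMAINNAME,DC=int
        Default-First-Site-Name\\SERVER2 via RPC
                Last attempt @ Mon Jan 11 15:11:46 2016 CST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
                3 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
        Server DNS name : SERVER1.DOMAINNAME.int
Warning: No NC replicated for Connection!
"""


def parse_showrepl(text):
    """Return (inbound, outbound, warnings); each neighbour is a dict with
    nc, partner, ok (last attempt succeeded), result (Win32 error code, 0 on
    success) and failures (consecutive failure count)."""
    inbound, outbound, warnings = [], [], []
    section = current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"==== (INBOUND|OUTBOUND) NEIGHBORS ====", line)
        if m:
            section = m.group(1)
            continue
        if line.startswith("===="):            # any other section header
            section = None
            continue
        if line.startswith("Warning:"):        # KCC connection warnings
            warnings.append(line[len("Warning:"):].strip())
            continue
        if section is None:
            continue
        if re.match(r"^(DC|CN)=", line):       # naming context opens a neighbour
            current = {"nc": line, "partner": None, "ok": None,
                       "result": None, "failures": 0}
            (inbound if section == "INBOUND" else outbound).append(current)
            continue
        if current is None:
            continue
        m = re.match(r"^(\S+) via (RPC|SMTP)$", line)
        if m:
            current["partner"] = m.group(1)
            continue
        m = re.match(r"^Last attempt @ .* (was successful|failed, result (\d+))", line)
        if m:
            current["ok"] = m.group(1) == "was successful"
            current["result"] = int(m.group(2)) if m.group(2) else 0
            continue
        m = re.match(r"^(\d+) consecutive failure", line)
        if m:
            current["failures"] = int(m.group(1))
    return inbound, outbound, warnings


def assess(text, expected_partners=()):
    """Return a list of problem strings; an empty list means healthy."""
    inbound, outbound, warnings = parse_showrepl(text)
    problems = []
    for n in inbound:
        if n["failures"] or n["ok"] is False:
            problems.append("inbound %s from %s: %d consecutive failure(s), last "
                            "result %s" % (n["nc"], n["partner"], n["failures"], n["result"]))
    if inbound and not outbound:
        problems.append("no outbound neighbours: no partner replicates from this DC")
    problems.extend("warning: " + w for w in warnings)
    seen = {n["partner"].rsplit("\\", 1)[-1].upper() for n in inbound if n["partner"]}
    for p in expected_partners:               # every DC you expect must appear inbound
        if p.upper() not in seen:
            problems.append("no inbound neighbour entry for %s" % p)
    return problems


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    report = assess(text, expected_partners=sys.argv[1:])
    print("\n".join(report) if report else "replication looks healthy")
```

Piping the real listing through the script with the names of the other DCs as arguments gives one line per problem; an empty report means every inbound neighbour succeeded on its last attempt, at least one outbound neighbour exists, and the KCC section raised no warnings.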
Title: Re: Passwords randomly stop working
Post by: tvm on January 12, 2016, 04:28:51 pm
I had forgotten to run CMD as admin; when run as admin there are no errors. (I also added /all and everything was successful.)

I think I found the problem... My domain has a Windows 2012 R2 DC, so the forest schema is 69. I guess I'm lucky I didn't corrupt the whole AD. Kind of disappointing; I wonder if Samba will ever support the updated schema. I'm kind of surprised I was able to get this far with it. Interestingly enough, the Zentyal documentation seems to suggest that Server 2012 would work, but all Samba4 documentation I have found says Server 2008R2 is the highest schema supported.
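The schema level tvm found is the objectVersion attribute of the schema naming context; it can be read on the Samba side with ldbsearch against sam.ldb, or from a Windows DC over LDAP, before a Samba DC is joined rather than after. The following is an added example, not code from the thread or from Zentyal/Samba: it parses the LDIF those tools print and names the Windows Server release for the level. The LDIF sample is constructed, the 2008 R2 ceiling (47) is taken from tvm's reading of the Samba docs rather than a verified support matrix, and the ldbsearch/ldapsearch invocations and the schema DN are assumptions built from the domain names in the thread.

```python
"""Read the forest schema objectVersion from LDIF and name the Windows Server
level it corresponds to.

Added example, not code from the thread, Zentyal or Samba. SAMPLE_LDIF is a
constructed stand-in for what the commands below print for the thread's forest.
Usage: <ldbsearch or ldapsearch command> | python3 schema_level.py [MAX_SUPPORTED]
"""
# Assumed invocations (DN built from the thread's anonymised domain name):
#   ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b 'CN=Schema,CN=Configuration,DC=DOMAINNAME,DC=int' objectVersion
#   ldapsearch -LLL -Y GSSAPI -H ldap://SERVER1.DOMAINNAME.int -s base -b 'CN=Schema,CN=Configuration,DC=DOMAINNAME,DC=int' objectVersion
import base64
import sys

# objectVersion set by each Windows Server release's schema (Microsoft values).
SCHEMA_LEVELS = {
    13: "Windows 2000",
    30: "Windows Server 2003",
    31: "Windows Server 2003 R2",
    44: "Windows Server 2008",
    47: "Windows Server 2008 R2",
    56: "Windows Server 2012",
    69: "Windows Server 2012 R2",
    87: "Windows Server 2016",
    88: "Windows Server 2019",
}

# Ceiling taken from the thread's reading of the Samba 4 docs (2008 R2 = 47);
# an assumption, not a verified support matrix for any Samba release.
DEFAULT_MAX_SUPPORTED = 47

# Constructed sample: what ldbsearch prints for the thread's forest (schema 69).
SAMPLE_LDIF = """\
# record 1
dn: CN=Schema,CN=Configuration,DC=DOMAINNAME,DC=int
objectVersion: 69

# returned 1 records
# 1 entries
# 0 referrals
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr_lowercase: [values]} records.
    Handles '#' comments, folded lines (leading space) and base64 values."""
    records, lines = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                  # blank line ends a record
            if lines:
                records.append(_record(lines))
                lines = []
        elif raw.startswith(" ") and lines:  # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    if lines:
        records.append(_record(lines))
    return records


def _record(lines):
    rec = {}
    for line in lines:
        if ":: " in line:                    # base64-encoded value
            attr, val = line.split(":: ", 1)
            val = base64.b64decode(val).decode("utf-8")
        elif ": " in line:
            attr, val = line.split(": ", 1)
        else:
            continue
        rec.setdefault(attr.lower(), []).append(val)
    return rec


def schema_version(ldif_text):
    """objectVersion of the first record that carries one."""
    for rec in parse_ldif(ldif_text):
        if "objectversion" in rec:
            return int(rec["objectversion"][0])
    raise ValueError("no objectVersion attribute in LDIF input")


def check_schema(ldif_text, max_supported=DEFAULT_MAX_SUPPORTED):
    """Return (version, release name, within ceiling)."""
    version = schema_version(ldif_text)
    name = SCHEMA_LEVELS.get(version, "unknown level")
    return version, name, version <= max_supported


if __name__ == "__main__":
    ceiling = int(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_MAX_SUPPORTED
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    version, name, ok = check_schema(text, ceiling)
    print("forest schema objectVersion %d (%s): %s" % (
        version, name, "at or below %d" % ceiling if ok else "above %d" % ceiling))
```

For the thread's forest the script reports objectVersion 69 (Windows Server 2012 R2) as above the 47 ceiling; pass a different ceiling on the command line once you have confirmed what your Samba release actually supports.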
Title: Re: Passwords randomly stop working
Post by: jbahillo on January 12, 2016, 04:34:50 pm
Hello:

Samba 4.1 was initially reported to support 2012 but not 2012 R2. I guess they saw some regressions or issues against 2012, and decided to reduce the support to 2008 R2