Topics - chris.holmes

1
Description:
Zentyal 6.1.6 - Ubuntu 18.04.6 LTS
Modules - Network, Firewall, DNS, Logs, NTP, Domain Controller and File Sharing

System is apt-get updated and apt-get upgraded

Production Level Domain Controller only. 75 user license. 73 user accounts.

Running in a VM on an Unraid server that is not part of the domain.
Windows 10 computers joined to domain.
Other Unraid servers joined to domain as file servers.

No ebox packages.
Domain Controller is rebooted weekly and has been running flawlessly for over 2 years.

Hypothesis
Domain based issues with computer to computer authentication.

Specifics:
- Mounting a Windows Share <REMOTE COMPUTER> from a Slackware Linux based (Unraid) <SERVER> no longer works.
- Has been working for close to 2 years until now.

SYSLOG from Unraid Server
<SERVER> kernel: CIFS: Attempting to mount \\<REMOTE COMPUTER>\ServerData
<SERVER> kernel: CIFS: Status code returned 0xc000018d STATUS_TRUSTED_RELATIONSHIP_FAILURE
<SERVER> kernel: CIFS: VFS: \\<REMOTE COMPUTER> Send error in SessSetup = -5
<SERVER> kernel: CIFS: VFS: cifs_mount failed w/return code = -5
<SERVER> unassigned.devices: SMB 3.1.1 mount failed: 'mount error(5): Input/output error

The mounting script goes through SMB 3.0, 2.0 and 1.0 with the same error.

Looking up this error:
0xc000018d STATUS_TRUSTED_RELATIONSHIP_FAILURE
Comes up with this description.
The logon request failed because the trust relationship between this workstation and the primary domain failed.

Troubleshooting
Removing a couple of computers/servers from the domain and rejoining it doesn't fix this.
The same <REMOTE COMPUTER> (Windows 10) can connect to the Slackware Linux (Unraid) SMB share with no issues.
Two other Unraid servers with different versions of Unraid have the same issue.
Trying to manually make the connection from the command line generates the same error.

Non-specific error code issues that might be related.
- Windows Remote Assistance stopped working unless initiated by end user.
   - Been all through the Firewall issues.
   - Remote Desktop does work.
- USB shared printers are acting like they are only capable of one-way communication.
   - Adding a shared USB printer works fine.
   - Label printers that don't require bi-directional communication work.
   - Been through all the Firewall is not the issues.

Things I've Done:
- do-release-upgrade caused a major issue. Failed to enable the MySQL service during upgrade. Failed. Reverted VM to previous state.
- Posted this in the Unraid forums as well.
- Looking for info on how to upgrade Zentyal to 6.2 or beyond and/or which order to upgrade the Ubuntu LTS Release.
- Creating a test environment for this VM tomorrow.

Please request any info you may need to help solve this. Thank you.

Win 10 update (KB5028166) - uninstall and re-apply - Fixed all my issues

Note: uninstalling the update then rebooting the system triggered installing the update before the login screen.
FALSE This did not happen. The update was removed and stayed removed, but it looks like it will re-install on the next run of Windows Update.

This has to do with a SAMBA bug. https://forum.zentyal.org/index.php/topic,35598.0.html

Fixed the following issues I was having.
- Unraid mounting an SMB share on a Windows 10 Workstation
- Remote Assistance now works when initiated remotely
- Shared bi-directional USB laser printer now works from remote workstations

The Actual Samba Bug - https://bugzilla.samba.org/show_bug.cgi?id=15418

SOLVED-ISH - There is no fix for Samba for Ubuntu 18.04.6 yet. Don't reapply KB5028166 until there is.

SOLVED Patch for 18.04 LTS Bionic - https://launchpad.net/~ahasenack/+archive/ubuntu/samba-kb5028166/
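
Added example, not part of the original post: a small Python triage script that scans syslog text in the shape quoted above for CIFS mounts failing with 0xc000018d and groups them by remote host and mounting server. The host names, timestamps and share names in the sample are constructed, and the single-host versus multi-host split is a triage heuristic assumed here, not something the post states.

```python
import re
from collections import defaultdict

# NTSTATUS value quoted in the post: STATUS_TRUSTED_RELATIONSHIP_FAILURE
TRUST_FAILURE = 0xC000018D

# Constructed sample (made-up hosts, shares and times) in the post's log format.
SAMPLE_SYSLOG = r"""
Jul 14 09:12:01 tower1 kernel: CIFS: Attempting to mount \\WS-ACCT01\ServerData
Jul 14 09:12:01 tower1 kernel: CIFS: Status code returned 0xc000018d STATUS_TRUSTED_RELATIONSHIP_FAILURE
Jul 14 09:12:01 tower1 kernel: CIFS: VFS: \\WS-ACCT01 Send error in SessSetup = -5
Jul 14 09:12:01 tower1 kernel: CIFS: VFS: cifs_mount failed w/return code = -5
Jul 14 09:13:40 tower2 kernel: CIFS: Attempting to mount \\WS-LAB07\Scans
Jul 14 09:13:41 tower2 kernel: CIFS: Status code returned 0xc000018d STATUS_TRUSTED_RELATIONSHIP_FAILURE
Jul 14 09:13:41 tower2 kernel: CIFS: VFS: cifs_mount failed w/return code = -5
Jul 14 09:15:02 tower1 kernel: CIFS: Attempting to mount \\NAS2\Backups
"""

MOUNT_RE = re.compile(r"(\S+) kernel: CIFS: Attempting to mount \\\\([^\\\s]+)\\(\S+)")
STATUS_RE = re.compile(r"(\S+) kernel: CIFS: Status code returned (0x[0-9a-fA-F]{8})")


def trust_failures(log_text):
    """Map each remote host to the set of servers whose mount hit 0xc000018d."""
    pending = {}                  # server -> remote host of its latest mount attempt
    failures = defaultdict(set)
    for line in log_text.splitlines():
        mount = MOUNT_RE.search(line)
        if mount:
            pending[mount.group(1)] = mount.group(2)
            continue
        status = STATUS_RE.search(line)
        if status and int(status.group(2), 16) == TRUST_FAILURE:
            server = status.group(1)
            # Attribute the status code to that server's most recent mount attempt.
            failures[pending.pop(server, "unknown")].add(server)
    return dict(failures)


def scope(failures):
    """Assumed heuristic: one remote suggests that machine; several suggest the DC side."""
    if not failures:
        return "none"
    return "single-host" if len(failures) == 1 else "multi-host"


if __name__ == "__main__":
    found = trust_failures(SAMPLE_SYSLOG)
    for remote, servers in sorted(found.items()):
        print(f"{remote}: trust failure seen from {', '.join(sorted(servers))}")
    print("scope:", scope(found))
```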


2
I've come up with a solution but I'm not sure what the cause is.

Problem: User logging into a domain-connected computer for the first time. (no profile on the machine, roaming or non-roaming profile doesn't matter)
User is presented with the "Hi, we are setting things up for you..." animation. This animation runs for 15 minutes or until the power management turns the screen off.
Then the user can log in. All subsequent logins are fast. Connecting for the first time via Remote Desktop Connection doesn't present the "Hi... " animation and logs in almost right away.

Solution: Use a GPO to disable the "Hi..." animation on login. First-time logins directly on the machine go quickly.
Computer Configuration > Administrative Templates > System > Logon
Set the “Show First Sign-In Animation” option to “Disabled”

Zentyal Core 6.1.6 - Windows 10 Pro 2004, 1909, 1804 (tested broken and fixed)

Not sure if this is part of a bigger problem but I think it can be marked as solved.

3
Zentyal Version 6.1.6 running only as a domain controller / DNS server.
Primary and Secondary DNS Servers. NOT using roaming profiles. Have all my scripts and the workstation group policy backed up.

Problem 1: My Primary domain controller (PDC) is dead.
Secondary Domain Controller is functional (SDC), domain authentication is working. The license key is the only thing left of the PDC.
What do I need to do to create a new Primary Domain Controller for my domain so I don't lose all the user accounts, connected computers etc.?

I'm assuming turn the SDC into a PDC and create a new SDC, but documentation on that is mainly on migrating from a Windows PDC.

Problem 2: (which led to the dead PDC)
DNS not updating automatically. Got the following error after adding the noexpiry flag to the dns-<PDC> account.

Exit value: 1 at root command kinit -k -t /var/lib/samba/private/dns.keytab dns-zentyal failed.
Error output: kinit: Password incorrect

How do I properly set the password in the dns.keytab file to get DNS updating properly again?

Explanation of Problem 2:
The password for the dns-<PDC> was manually changed via the Users and Computer Management screen. The fix I found to reset the password on the dns-<PDC> account was the start of the cause of Problem 1.
THIS IS BAD DO NOT DO - (samba_upgradedns --dns-backend=local then back to BIND9_DLZ)

This is me putting down the shovel to get out of the hole. Thank you in advance.
