CentOS 7.4.1708, Samba 4.7.7 from samba.org, AD

 ( azsebok | Monday, 12 February 2018 - 16:20 )

Hi everyone!

I've run into a problem that unfortunately I can't solve.
I installed a minimal CentOS, then downloaded and installed Samba from samba.org.
This worked perfectly for 30 days. Then a problem appeared: there is a single PC running Win10 that is joined to the DOMAIN. If I try to connect to the shares via the \\SZERVER path, it asks for authentication. However, if I open it as \\192.168.0.250, it lets me straight in. From other machines that are not joined to the domain, connecting to the shares works fine with NetBIOS too.

I was also able to log in on the CentOS with SSSD, but unfortunately that didn't let me in either. So I thought: "realm leave DOMAIN", then "realm join DOMAIN".
This is what I get:
szerver.domain.ad realmd[17323]: Enter Administrator's password:kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/szerver.domain.ad with user[Administrator] realm[SZERVER.DOMAIN]: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

Does anyone have an idea how I could clear the invalid "credentials" without it turning into a domain provision again?
Oh, and I deleted the /etc/krb5.keytab file too, just in case. But no.
================================
smb.conf:
[global]
dns forwarder = 192.168.150.254
netbios name = SZERVER
realm = SZERVER.DOMAIN.AD
server role = active directory domain controller
workgroup = DOMAIN
kerberos method = secrets and keytab
idmap_ldb:use rfc2307 = yes
username map = /usr/local/samba/etc/user.map
server string = Samba Server Version %v
dedicated keytab file = /etc/krb5.keytab
unix extensions = no
wide links = yes
follow symlinks = yes
log level = 5 vfs:5
log file = /var/log/samba/log.%m
max log size = 1000
allow insecure wide links = yes
vfs objects = audit recycle
store dos attributes = yes
map archive = no
map hidden = no
map read only = no
map system = no

[netlogon]
path = /usr/local/samba/var/locks/sysvol/domain.ad/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[dokuk]
comment = Dokumentumok
path= /samba/dokuk
valid users = @Dokuk
read only = No
writable = Yes
create mode = 0777
directory mode = 0777
vfs object = full_audit:audit recycle:recycle acl_xattr
recycle:directory_mode = 0777
recycle:touch_mtime = yes
recycle:touch = NO
recycle:keeptree = YES
recycle:versions = YES
recycle:repository = RecycleBin/%U
recycle:maxsize = 0
full_audit:prefix = %u|%I
full_audit:success = all
full_audit:failure = all
full_audit:facility = LOCAL2
full_audit:priority = ALERT

================================
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.AD
default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
DOMAIN.AD = {
kdc = szerver.domain.ad
admin_server = szerver.domain.ad
default_domain = domain.ad
}

[domain_realm]
domain.ad = DOMAIN.AD
.domain.ad = DOMAIN.AD

================================
/etc/sssd/sssd.conf:
[sssd]
domains =
config_file_version = 2
services = nss, pam

(before the realm leave it looked different... even if I swap it back to the version from then, it doesn't work that way either, there are credentials problems)

If any other config or log is needed, just say so and I'll post it here!

Thanks in advance!

If I try to generate the krb5.keytab file, it returns this:
net ads keytab create -U administrator:
kerberos_kinit_password

failed: Client not found in Kerberos database
kerberos_kinit_password

failed: Client not found in Kerberos database

and this doesn't work either :(

samba-tool processes:

dnsupdate 5727
cldap_server 5719
rpc_server 5713
nbt_server 5715
winbind_server 5726
kdc_server 5720
notify-daemon 5736
ldap_server 5718
kccsrv 5725
samba 0
dreplsrv 5721
dnssrv 5728

Quote:
It worked perfectly for 30 days.
...
I was also able to log in on the CentOS with SSSD, but unfortunately that didn't let me in either.

My guess is that the problem is here.
And here is the solution, if I'm guessing right: https://hup.hu/node/155076?comments_per_page=9999#comment-2134705

Edit: a slightly more precise quote of what the problem is. :)

BlackY
--
"me too, when I come in to work, it's not a PC [..] that I switch on, but the mainframe..." (sj)

So, if I understand correctly:
- I delete the secrets.keytab file, then export: (Samba installs into /usr/local/samba on CentOS by default, and that's how it stayed for me ;) )
samba-tool domain exportkeytab --principal=SZERVER$ /usr/local/samba/private/secrets.keytab
samba-tool domain exportkeytab --principal=HOST/szerver.domain.ad /usr/local/samba/private/secrets.keytab
samba-tool domain exportkeytab --principal=HOST/szerver /usr/local/samba/private/secrets.keytab

then systemctl restart samba.service and it should be fine?
Unfortunately: invalid credentials even now.

Edit:
Meanwhile I managed to generate the krb5.keytab file with another domain admin user (before the steps above), but joining the domain doesn't work. The single domain-joined client still doesn't connect via NetBIOS.
Maybe if I removed it from the domain and rejoined it, it would work, but then I'd lose the user profiles (not roaming!).

And disable the keytab renewal in SSSD and restart sssd (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-auto-keytab-renewal)

Can you send a klist output for each of secrets.keytab and /etc/krb5.keytab?

Quote:
but then I'd lose the user profiles (not roaming!).

You wouldn't lose them (the system ties them to the SID, of which the Domain SID is a part), but for now don't leave/rejoin.

BlackY

SSSD won't even start now :(
SSSD couldn't load the configuration database [2]: No such file or directory.
systemd[1]: sssd.service: main process exited, code=exited, status=4/NOPERMISSION
systemd[1]: Failed to start System Security Services Daemon.
systemd[1]: Unit sssd.service entered failed state.
systemd[1]: sssd.service failed.

Edit:
(the krb5.keytab is root:root, 600, just like the secrets.keytab)
I didn't check anything else.

If I remove the "ad_maximum_machine_account_password_age = 0" line, it still doesn't.

Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 2018-02-12 19.20.10 SZERVER$@DOMAIN.AD (aes256-cts-hmac-sha1-96) 
   3 2018-02-12 19.20.10 SZERVER$@DOMAIN.AD (aes128-cts-hmac-sha1-96) 
   3 2018-02-12 19.20.10 SZERVER$@DOMAIN.AD (arcfour-hmac) 
   3 2018-02-12 19.20.10 SZERVER$@DOMAIN.AD (des-cbc-md5) 
   3 2018-02-12 19.20.10 SZERVER$@DOMAIN.AD (des-cbc-crc) 
   3 2018-02-12 19.20.42 HOST/SZERVER.DOMAIN.AD@DOMAIN.AD (aes256-cts-hmac-sha1-96) 
   3 2018-02-12 19.20.42 HOST/SZERVER.DOMAIN.AD@DOMAIN.AD (aes128-cts-hmac-sha1-96) 
   3 2018-02-12 19.20.42 HOST/SZERVER.DOMAIN.AD@DOMAIN.AD (arcfour-hmac) 
   3 2018-02-12 19.20.42 HOST/SZERVER.DOMAIN.AD@DOMAIN.AD (des-cbc-md5) 
   3 2018-02-12 19.20.42 HOST/SZERVER.DOMAIN.AD@DOMAIN.AD (des-cbc-crc) 
   3 2018-02-12 19.20.55 HOST/SZERVER@DOMAIN.AD (aes256-cts-hmac-sha1-96) 
   3 2018-02-12 19.20.55 HOST/SZERVER@DOMAIN.AD (aes128-cts-hmac-sha1-96) 
   3 2018-02-12 19.20.55 HOST/SZERVER@DOMAIN.AD (arcfour-hmac) 
   3 2018-02-12 19.20.55 HOST/SZERVER@DOMAIN.AD (des-cbc-md5) 
   3 2018-02-12 19.20.55 HOST/SZERVER@DOMAIN.AD (des-cbc-crc) 


Replying to myself so that you can edit the above. Take the contents of /etc/krb5.keytab out of there, it's full of usernames. (later either export a host/szerver.domain.ad principal into it or copy Samba's keytab there)

First let's get Samba straightened out, then we'll do SSSD :)
kinit works from the machine now, can you authenticate? What does klist say on the client machine (knowing Windows' mindset, I suspect you'll have to restart the client first :) )?

BlackY

kinit works on the CentOS. The Samba secrets.keytab was copied to /etc/krb5.keytab (same location and name). It works that way too.

Fair enough, Samba is the important one :D

The Windows client's klist:

Current LogonId is 0:0x83877

Cached Tickets: (3)

#0>     Client: Administrator @ DOMAIN.AD
        Server: krbtgt/DOMAIN.AD @ DOMAIN.AD
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 2/12/2018 20:40:03 (local)
        End Time:   2/13/2018 6:40:03 (local)
        Renew Time: 2/19/2018 20:40:03 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: szerver

#1>     Client: Administrator @ DOMAIN.AD
        Server: cifs/szerver @ DOMAIN.AD
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a80000 -> forwardable renewable pre_authent 0x80000
        Start Time: 2/12/2018 20:40:18 (local)
        End Time:   2/13/2018 6:40:03 (local)
        Renew Time: 2/19/2018 20:40:03 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: szerver.DOMAIN.AD

#2>     Client: Administrator @ DOMAIN.AD
        Server: LDAP/szerver.DOMAIN.AD/DOMAIN.AD @ DOMAIN.AD
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a80000 -> forwardable renewable pre_authent 0x80000
        Start Time: 2/12/2018 20:40:03 (local)
        End Time:   2/13/2018 6:40:03 (local)
        Renew Time: 2/19/2018 20:40:03 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: szerver.DOMAIN.AD

Despite that, the situation is the same... NetBIOS doesn't work, but IP does.

(however, if I create a new user with "samba-tool", I can log in with it on the Windows client, but afterwards I can only access the shares the same way: IP=OK, NetBIOS=NotOK.)

The user names aren't interesting ;) I replaced them all.

Then try four more things:
Try connecting as \\domain.ad\dokuk and as \\szerver.domain.ad\dokuk as well, check whether the DNS suffix is set to domain.ad, and check whether 192.168.0.250 has a reverse record [you can't really talk Windows out of canonicalising the Kerberos hostname - either there should be none, or it should be the server's FQDN...].

Is there anything useful in the Samba logs when you get the auth error (it should be there at log level 5)?

IMHO it's not good if it has to fall back to NetBIOS.

BlackY

It doesn't work either way.
Primary DNS suffix: domain.ad
Connection-specific DNS Suffix: szerver.domain.ad

Output of samba-tool dns zonelist szerver.domain.ad:
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:192.168.0.250[49152,sign,target_hostname=szerver.domain.ad,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.0.250] NT_STATUS_UNSUCCESSFUL
ERROR: Connecting to DNS RPC server szerver.domain.ad failed with (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')

So this is where I need to look for the error, as I see it... Though I have no clue about the solution :(

Excerpt from the Samba log when I try to connect:

[2018/02/12 21:16:48.027219, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find cifs/szerver@DOMAIN.AD(kvno 3) in keytab MEMORY:m9oPm,KHUKAlYRP9 (aes256-cts-hmac-sha1-96)

[2018/02/12 21:16:48.027242, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE

[2018/02/12 21:16:48.027290, 2] ../auth/gensec/spnego.c:605(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_LOGON_FAILURE

Thanks for the tips!!!
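The gensec_gssapi line above names exactly what the DC could not serve: an SPN, a kvno and an enctype. The script below is added here as an example and is not part of the thread or of Samba: it cross-checks such a log line against a `klist -k -t -e` keytab listing (a trimmed copy of the secrets.keytab listing posted earlier is embedded as sample input) and reports whether the SPN is absent, the kvno differs, or no key of the requested enctype exists, flagging RC4/DES keys along the way. It assumes AD's default sPNMappings, under which a HOST/name key serves cifs/name; note that the keytab that actually failed in the log is the MEMORY: one Samba builds from sam.ldb, so an on-disk listing is only a proxy for it.

```python
import re
from collections import defaultdict

# Constructed sample input: a trimmed copy of the secrets.keytab listing posted
# in the thread, in the format printed by `klist -k -t -e`.
KEYTAB_LISTING = """\
Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 2018-02-12 19.20.10 SZERVER$@DOMAIN.AD (aes256-cts-hmac-sha1-96)
   3 2018-02-12 19.20.10 SZERVER$@DOMAIN.AD (arcfour-hmac)
   3 2018-02-12 19.20.10 SZERVER$@DOMAIN.AD (des-cbc-crc)
   3 2018-02-12 19.20.42 HOST/SZERVER.DOMAIN.AD@DOMAIN.AD (aes256-cts-hmac-sha1-96)
   3 2018-02-12 19.20.42 HOST/SZERVER.DOMAIN.AD@DOMAIN.AD (des-cbc-md5)
   3 2018-02-12 19.20.55 HOST/SZERVER@DOMAIN.AD (aes256-cts-hmac-sha1-96)
   3 2018-02-12 19.20.55 HOST/SZERVER@DOMAIN.AD (aes128-cts-hmac-sha1-96)
"""

# The gensec_gssapi failure from the thread's Samba log, copied as one line.
GSSAPI_ERROR = (
    "GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): "
    "Failed to find cifs/szerver@DOMAIN.AD(kvno 3) in keytab MEMORY:m9oPm,KHUKAlYRP9 "
    "(aes256-cts-hmac-sha1-96)"
)

# Service keys that should no longer exist on a DC: RC4 and single DES.
WEAK_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}

# Assumption: AD's default sPNMappings let a HOST/name key serve cifs/name.
SPN_ALIASES = {"cifs": "host"}

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")
ERROR_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab (\S+) \((\S+)\)")


def parse_keytab_listing(text):
    """Return {principal: {kvno: {enctype, ...}}} from `klist -k -t -e` output."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, _timestamp, principal, enctype = m.groups()
            keys[principal][int(kvno)].add(enctype)
    return keys


def parse_gssapi_error(line):
    """Extract the SPN, kvno, keytab and enctype the DC was asked for; None if absent."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    principal, kvno, keytab, enctype = m.groups()
    return {"principal": principal, "kvno": int(kvno), "keytab": keytab, "enctype": enctype}


def _canonical(principal):
    """Lower-case the name and map aliased services: cifs/szerver@R -> host/szerver@r."""
    p = principal.lower()
    if "/" in p:
        service, rest = p.split("/", 1)
        p = SPN_ALIASES.get(service, service) + "/" + rest
    return p


def diagnose(keytab, requested):
    """Say why `requested` (from parse_gssapi_error) cannot be served from `keytab`.

    Checks are ordered the way the GSSAPI acceptor lookup fails: no such
    principal, then no key at the ticket's kvno, then no key of the enctype.
    """
    wanted = _canonical(requested["principal"])
    matched = sorted(p for p in keytab if _canonical(p) == wanted)
    weak = sorted((p, e) for p, kvs in keytab.items()
                  for es in kvs.values() for e in es if e in WEAK_ENCTYPES)
    report = {"matched": matched, "available_kvnos": [], "weak": weak}
    if not matched:
        return dict(report, status="missing_principal")
    report["available_kvnos"] = sorted({kv for p in matched for kv in keytab[p]})
    if requested["kvno"] not in report["available_kvnos"]:
        return dict(report, status="kvno_mismatch")
    enctypes = set()
    for p in matched:
        enctypes |= keytab[p].get(requested["kvno"], set())
    if requested["enctype"] not in enctypes:
        return dict(report, status="enctype_missing")
    return dict(report, status="ok")


if __name__ == "__main__":
    result = diagnose(parse_keytab_listing(KEYTAB_LISTING), parse_gssapi_error(GSSAPI_ERROR))
    print(result["status"], result["matched"], result["available_kvnos"])
    for principal, enctype in result["weak"]:
        print("weak key:", principal, enctype)
```

Against the sample, the short-name HOST/SZERVER key at kvno 3 covers the cifs/szerver request, which points the investigation at the in-memory keytab and name resolution rather than at the exported secrets.keytab.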

This will be long, sorry!

Well, after a small hosts edit (the 192.168.0.25 szerver.domain.ad szerver line had disappeared from somewhere... maybe from an update?) this happened:
(if you hadn't pointed it out, I would never have noticed...)

\\szerver doesn't work.
\\domain.ad\ works.
\\szerver.domain.ad\ doesn't work.

(that is, it doesn't let me log in, but it works with the IP address - neither with smbclient nor from the domain-joined machine, though from any other machine \\szerver works too.)

I'm out of ideas, I'm slowly giving up and a domain provision is coming...

nslookup -type A szerver.ad:
Server: szerver.domain.ad
Address: 192.168.0.250

*** szerver.domain.ad can't find A: Non-existent domain

Output of samba-tool dns zonelist szerver.domain.ad (between the dotted parts there are OpenVPN interfaces, without errors):
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:szerver.domain.ad[,sign]
Mapped to DCERPC endpoint 135
not adding non-broadcast interface as0t0
not adding non-broadcast interface as0t1

...

added interface em1 ip=192.168.0.250 bcast=192.168.255.255 netmask=255.255.0.0

...
added interface em1 ip=192.168.0.250 bcast=192.168.255.255 netmask=255.255.0.0
resolve_lmhosts: Attempting lmhosts lookup for name szerver.domain.ad<0x20>
startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts. Error was No such file or directory
Mapped to DCERPC endpoint 49152
...

added interface em1 ip=192.168.0.250 bcast=192.168.255.255 netmask=255.255.0.0
resolve_lmhosts: Attempting lmhosts lookup for name szerver.domain.ad<0x20>
startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts. Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for

will expire in 32912 secs
dcerpc: bind_nak reason 0 - NT_STATUS_UNSUCCESSFUL
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for

will expire in 32912 secs
dcerpc: bind_nak reason 0 - NT_STATUS_UNSUCCESSFUL
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:192.168.0.250[49152,sign,target_hostname=szerver.domain.ad,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.0.250] NT_STATUS_UNSUCCESSFUL
ERROR: Connecting to DNS RPC server szerver.domain.ad failed with (-1073741823, '{Operation Failed} The requested operation was unsuccessful.')
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 44, in dns_connect
dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

======================

I have no ideas :(
I searched, but didn't find a solution.

This is now the Samba log when connecting:

[2018/02/14 19:23:36.160544, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2018/02/14 19:23:36.160554, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2018/02/14 19:23:36.160559, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/02/14 19:23:36.160581, 5] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2018/02/14 19:23:36.160622, 5] ../source3/auth/token_util.c:651(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2018/02/14 19:23:36.160763, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/02/14 19:23:36.160806, 3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
Selected protocol SMB3_11
[2018/02/14 19:23:36.160827, 5] ../source3/auth/auth.c:512(make_auth3_context_for_ntlm)
Making default auth method list for server role = 'active directory domain controller'
[2018/02/14 19:23:36.160834, 5] ../source3/auth/auth.c:400(load_auth_module)
load_auth_module: Attempting to find an auth method to match samba4
[2018/02/14 19:23:36.160853, 5] ../source3/auth/auth.c:425(load_auth_module)
load_auth_module: auth method samba4 has a valid init
[2018/02/14 19:23:36.161184, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2018/02/14 19:23:36.162492, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
Starting GENSEC mechanism spnego
[2018/02/14 19:23:36.162540, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
Starting GENSEC submechanism gssapi_krb5
[2018/02/14 19:23:36.162770, 5] ../source4/auth/kerberos/srv_keytab.c:259(smb_krb5_update_keytab)
Opened keytab MEMORY:otRFtfrKQUmE4cEZ
[2018/02/14 19:23:36.162829, 5] ../source4/auth/kerberos/srv_keytab.c:110(keytab_add_keys)
Added key (kvno 0) to keytab (enctype 1)
[2018/02/14 19:23:36.162903, 5] ../source4/auth/kerberos/srv_keytab.c:110(keytab_add_keys)
Added key (kvno 0) to keytab (enctype 3)
[2018/02/14 19:23:36.162921, 5] ../source4/auth/kerberos/srv_keytab.c:110(keytab_add_keys)
Added key (kvno 0) to keytab (enctype 23)
[2018/02/14 19:23:36.211428, 5] ../source4/auth/kerberos/srv_keytab.c:110(keytab_add_keys)
Added key (kvno 0) to keytab (enctype 17)
[2018/02/14 19:23:36.307528, 5] ../source4/auth/kerberos/srv_keytab.c:110(keytab_add_keys)
Added key (kvno 0) to keytab (enctype 18)
[2018/02/14 19:23:42.289669, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/02/14 19:23:42.289687, 5] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2018/02/14 19:23:42.289692, 5] ../source3/auth/token_util.c:651(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2018/02/14 19:23:42.289705, 5] ../source3/smbd/uid.c:425(smbd_change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2018/02/14 19:23:42.289726, 5] ../lib/dbwrap/dbwrap.c:160(dbwrap_check_lock_order)
check lock order 1 for /usr/local/samba/var/lock/smbXsrv_session_global.tdb
[2018/02/14 19:23:42.289841, 5] ../lib/dbwrap/dbwrap.c:128(dbwrap_lock_order_state_destructor)
release lock order 1 for /usr/local/samba/var/lock/smbXsrv_session_global.tdb
[2018/02/14 19:23:42.289866, 5] ../source3/auth/auth.c:512(make_auth3_context_for_ntlm)
Making default auth method list for server role = 'active directory domain controller'
[2018/02/14 19:23:42.289888, 5] ../source3/auth/auth.c:400(load_auth_module)
load_auth_module: Attempting to find an auth method to match samba4
[2018/02/14 19:23:42.289900, 5] ../source3/auth/auth.c:425(load_auth_module)
load_auth_module: auth method samba4 has a valid init
[2018/02/14 19:23:42.290224, 3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2018/02/14 19:23:42.291415, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
Starting GENSEC mechanism spnego
[2018/02/14 19:23:42.291429, 5] ../lib/dbwrap/dbwrap.c:160(dbwrap_check_lock_order)
check lock order 1 for /usr/local/samba/var/lock/smbXsrv_session_global.tdb
[2018/02/14 19:23:42.291446, 5] ../lib/dbwrap/dbwrap.c:128(dbwrap_lock_order_state_destructor)
release lock order 1 for /usr/local/samba/var/lock/smbXsrv_session_global.tdb
[2018/02/14 19:23:42.291457, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2018/02/14 19:23:42.291463, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2018/02/14 19:23:42.291515, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/02/14 19:23:42.291534, 5] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2018/02/14 19:23:42.291538, 5] ../source3/auth/token_util.c:651(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2018/02/14 19:23:42.291663, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
Starting GENSEC submechanism gssapi_krb5
[2018/02/14 19:23:42.291892, 5] ../source4/auth/kerberos/srv_keytab.c:259(smb_krb5_update_keytab)
Opened keytab MEMORY:vy8mfAHhKL-oPKFh
[2018/02/14 19:23:42.291963, 5] ../source4/auth/kerberos/srv_keytab.c:110(keytab_add_keys)
Added key (kvno 0) to keytab (enctype 1)
[2018/02/14 19:23:42.291997, 5] ../source4/auth/kerberos/srv_keytab.c:110(keytab_add_keys)
Added key (kvno 0) to keytab (enctype 3)
[2018/02/14 19:23:42.292020, 5] ../source4/auth/kerberos/srv_keytab.c:110(keytab_add_keys)
Added key (kvno 0) to keytab (enctype 23)
[2018/02/14 19:23:42.341139, 5] ../source4/auth/kerberos/srv_keytab.c:110(keytab_add_keys)
Added key (kvno 0) to keytab (enctype 17)
[2018/02/14 19:23:42.439560, 5] ../source4/auth/kerberos/srv_keytab.c:110(keytab_add_keys)
Added key (kvno 0) to keytab (enctype 18)
[2018/02/14 19:23:42.440050, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find cifs/szerver@domain.ad(kvno 3) in keytab MEMORY:vy8mfAHhKL-oPKFh (aes256-cts-hmac-sha1-96)
[2018/02/14 19:23:42.440071, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2018/02/14 19:23:42.440090, 2] ../auth/gensec/spnego.c:605(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_LOGON_FAILURE
[2018/02/14 19:23:42.440109, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/02/14 19:23:42.440144, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2018/02/14 19:23:42.440168, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2018/02/14 19:23:42.440187, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/02/14 19:23:42.440192, 5] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2018/02/14 19:23:42.440198, 5] ../source3/auth/token_util.c:651(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2018/02/14 19:23:42.440209, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/02/14 19:23:42.440250, 3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2018/02/14 19:23:42.440328, 5] ../lib/dbwrap/dbwrap.c:160(dbwrap_check_lock_order)
check lock order 1 for /usr/local/samba/var/lock/smbXsrv_session_global.tdb
[2018/02/14 19:23:42.440362, 5] ../lib/dbwrap/dbwrap.c:128(dbwrap_lock_order_state_destructor)
release lock order 1 for /usr/local/samba/var/lock/smbXsrv_session_global.tdb
[2018/02/14 19:23:42.440494, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/02/14 19:23:42.440502, 5] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2018/02/14 19:23:42.440509, 5] ../source3/auth/token_util.c:651(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2018/02/14 19:23:42.440526, 5] ../source3/smbd/uid.c:425(smbd_change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2018/02/14 19:23:42.440540, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/02/14 19:23:42.440544, 5] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2018/02/14 19:23:42.440549, 5] ../source3/auth/token_util.c:651(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2018/02/14 19:23:42.440558, 5] ../source3/smbd/uid.c:425(smbd_change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2018/02/14 19:23:42.440565, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/02/14 19:23:42.440571, 5] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2018/02/14 19:23:42.440578, 5] ../source3/auth/token_util.c:651(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2018/02/14 19:23:42.440592, 5] ../source3/smbd/uid.c:425(smbd_change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2018/02/14 19:23:42.440605, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/02/14 19:23:42.440615, 5] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2018/02/14 19:23:42.440620, 5] ../source3/auth/token_util.c:651(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2018/02/14 19:23:42.440629, 5] ../source3/smbd/uid.c:425(smbd_change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2018/02/14 19:23:42.440768, 3] ../source3/smbd/server_exit.c:248(exit_server_common)
Server exit (NT_STATUS_END_OF_FILE)

Are you using the internal DNS or Bind-DLZ?

Try running samba --verbose --all-names --all-interfaces -t on the server (as root) and look at its output (if it isn't installed, it needs the bind-utils/dnsutils/god-knows-what-it's-called-and-where-the-hyphen-goes package :) ).

Quote:
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find cifs/szerver@domain.ad(kvno 3) in keytab MEMORY:vy8mfAHhKL-oPKFh (aes256-cts-hmac-sha1-96)

Once DNS is in order, assign a new SPN to the machine under the name cifs/szerver.

--

(Is it an anonymization slip in the OP that your REALM in smb.conf is SZERVER.DOMAIN.AD? Isn't your krb realm simply DOMAIN.AD?)

BlackY
--
"when I come in to work, I don't switch on a PC [..] either, but the mainframe..." (sj)

(Is it an anonymization slip in the OP that your REALM in smb.conf is SZERVER.DOMAIN.AD? Isn't your krb realm simply DOMAIN.AD?)

No, Samba filled it in this way when it generated the config. I didn't override it ;)

You are referring to this:
https://hup.hu/node/155076?comments_per_page=9999#comment-2134705

"List every SPN that appears in secrets.keytab, then export all of them"

This is where I got stuck; please elaborate on what you mean by listing the SPNs and then exporting them.

(With what and how do you list them, where to and what for? Just so you know what has to be exported afterwards? Silly question, I know)

Meanwhile, another thread on SSSD... if I'm right, the config database lives at /var/lib/sss/db/config.ldb; _in theory_, if you create the directory for it with the correct permissions/label/..., it recreates it on the next start. What is under /var/lib/sss?

BlackY
--
"when I come in to work, I don't switch on a PC [..] either, but the mainframe..." (sj)
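The error quoted in BlackY's reply and the "list every SPN in the keytab" step above come down to one check: does the keytab hold the principal, key version (kvno) and enctype that the client's service ticket was issued against? A ticket for kvno 3 against a keytab that only holds kvno 2 means the keytab predates the account's current key, which is exactly what the log reports. The Python below is an added example, not code from the thread or from Samba: it parses that GENSEC error line and a constructed, `klist -kte`-style keytab listing (timestamps and the kvno 2 entries are made up for illustration) and reports which of the three pieces is missing. Run it against real `klist -kte` output to get a real verdict.

```python
import re
from dataclasses import dataclass

# Error line as written by Samba's gensec_gssapi.c (copied from the thread's log).
SAMPLE_ERROR = (
    "GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): "
    "Failed to find cifs/szerver@domain.ad(kvno 3) in keytab MEMORY:vy8mfAHhKL-oPKFh "
    "(aes256-cts-hmac-sha1-96)"
)

# Constructed `klist -kte` output (not from the thread): the keytab only holds kvno 2.
STALE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/05/2018 16:35:10 host/szerver.domain.ad@DOMAIN.AD (aes256-cts-hmac-sha1-96)
   2 01/05/2018 16:35:10 cifs/szerver@DOMAIN.AD (aes256-cts-hmac-sha1-96)
   2 01/05/2018 16:35:10 cifs/szerver@DOMAIN.AD (arcfour-hmac)
"""

# Constructed listing after the keytab was re-exported with the current key (kvno 3).
FIXED_KEYTAB = STALE_KEYTAB + """\
   3 02/14/2018 19:30:00 cifs/szerver@DOMAIN.AD (aes256-cts-hmac-sha1-96)
   3 02/14/2018 19:30:00 cifs/szerver@DOMAIN.AD (arcfour-hmac)
"""

# "Failed to find <principal>(kvno N) in keytab <name> (<enctype>)"
GENSEC_ERROR_RE = re.compile(
    r"Failed to find (?P<principal>\S+?)\(kvno (?P<kvno>\d+)\) in keytab "
    r"(?P<keytab>\S+) \((?P<enctype>[\w-]+)\)"
)

# klist -kte rows: "KVNO  date  time  principal (enctype)"
KLIST_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<principal>\S+)\s+\((?P<enctype>[\w-]+)\)"
)


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    enctype: str


def parse_required(log_line):
    """Extract (principal, kvno, enctype) the server needed, or None if not that error."""
    m = GENSEC_ERROR_RE.search(log_line)
    if not m:
        return None
    return KeytabEntry(m["principal"], int(m["kvno"]), m["enctype"])


def parse_klist(text):
    """Turn `klist -kte` output into KeytabEntry objects; header/separator rows are skipped."""
    return [
        KeytabEntry(m["principal"], int(m["kvno"]), m["enctype"])
        for m in (KLIST_RE.match(line) for line in text.splitlines())
        if m
    ]


def list_spns(entries):
    """The 'list every SPN in the keytab' step: unique principals, sorted."""
    return sorted({e.principal for e in entries})


def diagnose(required, entries):
    """Verdict: 'ok', 'missing-principal', 'stale-kvno' or 'missing-enctype'.

    Principals are compared case-insensitively because the thread's log prints the
    realm in lowercase while klist prints it as stored (uppercase).
    """
    same = [e for e in entries if e.principal.lower() == required.principal.lower()]
    if not same:
        return "missing-principal"
    if not any(e.kvno == required.kvno for e in same):
        return "stale-kvno"
    if not any(e.kvno == required.kvno and e.enctype == required.enctype for e in same):
        return "missing-enctype"
    return "ok"


if __name__ == "__main__":
    need = parse_required(SAMPLE_ERROR)
    print("server needs:", need)
    for label, listing in (("stale keytab", STALE_KEYTAB), ("fixed keytab", FIXED_KEYTAB)):
        entries = parse_klist(listing)
        print(label, "SPNs:", list_spns(entries), "->", diagnose(need, entries))
```

The "stale-kvno" verdict is the one that matches the thread: the principal is present, but only with an older key version, so re-exporting the keytab for the current key is the fix to try before creating any new SPN; "missing-principal" is the case where a new SPN really is needed.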

[root@szerver]# ls -laR /var/lib/sss/

/var/lib/sss/:
összesen 12
drwxr-xr-x. 9 root root 4096 dec 5 16.35 .
drwxr-xr-x. 61 root root 4096 2016 nov 5 ..
drwx------. 2 sssd sssd 4096 febr 7 19.13 db
drwxr-xr-x. 2 sssd sssd 10 dec 5 16.35 gpo_cache
drwx------. 2 sssd sssd 10 dec 5 16.35 keytabs
drwxr-xr-x. 2 sssd sssd 10 febr 7 21.12 mc
drwxr-xr-x. 3 sssd sssd 87 febr 7 21.06 pipes
drwxr-xr-x. 3 sssd sssd 35 febr 7 19.13 pubconf
drwx------. 2 root root 10 dec 5 16.35 secrets

/var/lib/sss/db:
összesen 8184
drwx------. 2 sssd sssd 4096 febr 7 19.13 .
drwxr-xr-x. 9 root root 4096 dec 5 16.35 ..
-rw------- 1 root root 1609728 febr 7 21.12 cache_domain.ad.ldb
-rw------- 1 root root 3958 febr 2 22.28 ccache_DOMAIN.AD
-rw------- 1 root root 1286144 febr 12 20.38 config.ldb
-rw------- 1 root root 1286144 dec 29 07.33 sssd.ldb
-rw------- 1 root root 1609728 febr 7 21.12 timestamps_domain.ad.ldb

/var/lib/sss/gpo_cache:
összesen 4
drwxr-xr-x. 2 sssd sssd 10 dec 5 16.35 .
drwxr-xr-x. 9 root root 4096 dec 5 16.35 ..

/var/lib/sss/keytabs:
összesen 4
drwx------. 2 sssd sssd 10 dec 5 16.35 .
drwxr-xr-x. 9 root root 4096 dec 5 16.35 ..

/var/lib/sss/mc:
összesen 4
drwxr-xr-x. 2 sssd sssd 10 febr 7 21.12 .
drwxr-xr-x. 9 root root 4096 dec 5 16.35 ..

/var/lib/sss/pipes:
összesen 8
drwxr-xr-x. 3 sssd sssd 87 febr 7 21.06 .
drwxr-xr-x. 9 root root 4096 dec 5 16.35 ..
srw-rw-rw- 1 root root 0 jan 3 00.19 autofs
srw-rw-rw- 1 root root 0 febr 7 08.41 nss
srw-rw-rw- 1 root root 0 febr 7 21.06 pam
drwxr-x---. 2 sssd root 4096 febr 7 21.06 private
srw-rw-rw- 1 root root 0 jan 3 00.19 ssh

/var/lib/sss/pipes/private:
összesen 4
drwxr-x---. 2 sssd root 4096 febr 7 21.06 .
drwxr-xr-x. 3 sssd sssd 87 febr 7 21.06 ..
srw------- 1 root root 0 febr 7 21.06 pam
srw------- 1 root root 0 febr 7 08.41 sbus-dp_domain.ad.27680
srw------- 1 root root 0 febr 2 22.00 sbus-dp_domain.ad.848

/var/lib/sss/pubconf:
összesen 8
drwxr-xr-x. 3 sssd sssd 35 febr 7 19.13 .
drwxr-xr-x. 9 root root 4096 dec 5 16.35 ..
drwxr-xr-x. 2 sssd sssd 4096 febr 7 08.41 krb5.include.d

/var/lib/sss/pubconf/krb5.include.d:
összesen 16
drwxr-xr-x. 2 sssd sssd 4096 febr 7 08.41 .
drwxr-xr-x. 3 sssd sssd 35 febr 7 19.13 ..
-rw-r--r-- 1 root root 15 febr 7 08.41 domain_realm_domain_ad
-rw-r--r-- 1 root root 98 febr 7 08.41 localauth_plugin

/var/lib/sss/secrets:
összesen 4
drwx------. 2 root root 10 dec 5 16.35 .
drwxr-xr-x. 9 root root 4096 dec 5 16.35 ..