
[Samba] Cannot authenticate the administrator account

Mike

Apr 22, 2015, 7:20:03 AM
AD DC default shares are okay after provisioning -
smbclient -L localhost -U%:

Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]

Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.1.17-SerNet-RedHat-11.el7)
Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]

Server Comment
--------- -------

Workgroup Master
--------- -------

Cannot authenticate the administrator account -
smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password:
session setup failed: NT_STATUS_LOGON_FAILURE

- - - - - - - - - - - - - - - - - -
I turned up the log level to 3 and found the following:

[2015/04/22 06:17:54.074716, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: RuntimeError: kinit for A10$@MWLLC.INFO failed (Cannot contact any KDC for requested realm)

A10 is the server hostname, CONPAGO is the domain, and MWLLC.INFO is the
realm.

-----------------------------------------
ps axf | egrep "samba|smbd|nmbd|winbindd"
886 pts/5 S+ 0:00 \_ grep -E --color=auto samba|smbd|nmbd|winbindd
32620 ? Ss 0:00 samba
32621 ? S 0:00 \_ samba
32623 ? Ss 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
32637 ? S 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
32622 ? S 0:00 \_ samba
32624 ? S 0:00 \_ samba
32625 ? S 0:00 \_ samba
32626 ? S 0:00 \_ samba
32627 ? S 0:00 \_ samba
32628 ? S 0:00 \_ samba
32629 ? S 0:00 \_ samba
32630 ? S 0:00 \_ samba
32631 ? S 0:00 \_ samba
32632 ? S 0:00 \_ samba
32633 ? S 0:00 \_ samba
32634 ? S 0:00 \_ samba

The above looks the same as the troubleshooting page.
------------------------------------------------------------------------

Cannot figure out why kerberos authentication fails.

Also notice nmbd and winbindd logs that say, "server role = 'active
directory domain controller' not compatible with running the <<nmbd>> and
<<winbindd>> binary.
You should start 'samba' instead, and it will control starting the
internal AD DC <<nmbd>> and <<winbindd>> implementation, which is not the
same as this one."

However, I did execute using "samba".

samba-tool testparm -v ---

# Global parameters
[global]
dos charset = CP850
unix charset = UTF8
workgroup = CONPAGO
realm = MWLLC.INFO
netbios name = A10
netbios aliases =
netbios scope =
server string = Samba 4.1.17-SerNet-RedHat-11.el7
interfaces = lo, eno1
bind interfaces only = Yes
config backend = file
server role = active directory domain controller
security = AUTO
auth methods =
encrypt passwords = Yes
client schannel = No
server schannel = No
allow trusted domains = No
map to guest = Never
null passwords = No
obey pam restrictions = No
password server = *
smb passwd file =
private dir = /var/lib/samba/private
passdb backend =
algorithmic rid base = 0
root directory =
guest account =
enable privileges = No
pam password change = No
passwd program =
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
passwd chat timeout = 0
check password script =
username map =
username level = 0
unix password sync = No
restrict anonymous = 0
lanman auth = No
ntlm auth = Yes
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
client use spnego principal = No
preload modules =
dedicated keytab file =
kerberos method = default
map untrusted to domain = No
log level = 3
syslog = 1
syslog only = No
log file =
max log size = 0
debug timestamp = Yes
debug prefix timestamp = No
debug hires timestamp = Yes
debug pid = No
debug uid = No
debug class = No
enable core files = No
smb ports = 445, 139
large readwrite = Yes
server max protocol = NT1
server min protocol = CORE
client max protocol = NT1
client min protocol = CORE
unicode = Yes
min receivefile size = 0
read raw = Yes
write raw = Yes
disable netbios = No
reset on zero vc = No
log writeable files on exit = No
defer sharing violations = No
nt pipe support = No
nt status support = Yes
max mux = 50
max xmit = 12288
name resolve order = wins, host, bcast
max ttl = 0
max wins ttl = 518400
min wins ttl = 10
time server = No
unix extensions = No
use spnego = Yes
client signing = default
server signing = default
client use spnego = No
client ldap sasl wrapping = plain
enable asu support = No
svcctl list =
cldap port = 389
dgram port = 138
nbt port = 137
krb5 port = 88
kpasswd port = 464
web port = 901
rpc big endian = No
deadtime = 0
getwd cache = No
keepalive = 0
lpq cache time = 0
max smbd processes = 0
max disk size = 0
max open files = 0
socket options = TCP_NODELAY
use mmap = Yes
use ntdb = No
hostname lookups = No
name cache timeout = 0
ctdbd socket =
cluster addresses =
clustering = No
ctdb timeout = 0
ctdb locktime warn threshold = 0
smb2 max read = 0
smb2 max write = 0
smb2 max trans = 0
smb2 max credits = 0
load printers = No
printcap cache time = 0
printcap name =
cups server =
cups encrypt = No
cups connection timeout = 0
iprint server =
disable spoolss = No
addport command =
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = No
os2 driver map =
mangling method =
mangle prefix = 0
max stat cache size = 0
stat cache = No
machine password timeout = 0
add user script =
rename user script =
delete user script =
add group script =
delete group script =
add user to group script =
delete user from group script =
set primary group script =
add machine script =
shutdown script =
abort shutdown script =
username map script =
username map cache time = 0
logon script =
logon path =
logon drive =
logon home =
domain logons = No
init logon delayed hosts =
init logon delay = 0
os level = 0
lm announce = No
lm interval = 0
preferred master = Auto
local master = Yes
domain master = Auto
browse list = No
enhanced browsing = No
dns proxy = Yes
wins proxy = No
wins server =
wins support = No
wins hook =
lock spin time = 0
oplock break wait time = 0
ldap admin dn =
ldap delete dn = No
ldap group suffix =
ldap idmap suffix =
ldap machine suffix =
ldap passwd sync = yes
ldap replication sleep = 0
ldap suffix =
ldap ssl = no
ldap ssl ads = No
ldap deref = never
ldap follow referral = No
ldap timeout = 0
ldap connection timeout = 0
ldap page size = 0
ldap user suffix =
ldap debug level = 0
ldap debug threshold = 0
eventlog list =
add share command =
change share command =
delete share command =
config file =
preload =
lock directory = /var/cache/samba
state directory = /var/lib/samba
cache directory = /var/cache/samba
pid directory = /var/run/samba
ntp signd socket directory = /var/lib/samba/ntp_signd
utmp directory =
wtmp directory =
utmp = No
default service =
message command =
get quota command =
set quota command =
remote announce =
remote browse sync =
nbt client socket address =
nmbd bind explicit broadcast = No
homedir map =
afs username map =
afs token lifetime = 0
log nt token command =
NIS homedir = No
registry shares = No
usershare allow guests = No
usershare max shares = 0
usershare owner only = No
usershare path =
usershare prefix allow list =
usershare prefix deny list =
usershare template share =
allow insecure wide links = No
async smb echo handler = No
panic action =
perfcount module =
host msdfs = Yes
passdb expand explicit = No
idmap backend =
idmap cache time = 0
idmap negative cache time = 0
idmap uid =
idmap gid =
template homedir = /home/%WORKGROUP%/%ACCOUNTNAME%
template shell = /bin/false
winbind separator = \
winbind cache time = 0
winbind reconnect delay = 0
winbind request timeout = 0
winbind max clients = 0
winbind enum users = No
winbind enum groups = No
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = No
winbind expand groups = 0
winbind nss info =
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
winbind rpc only = No
create krb5 conf = No
ncalrpc dir = /var/run/samba/ncalrpc
winbind max domain connections = 0
winbindd socket directory = /var/run/samba/winbindd
winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
winbind sealed pipes = Yes
allow dns updates = secure only
dns forwarder = 75.75.76.76
dns update command = /usr/sbin/samba_dnsupdate
nsupdate command = /usr/bin/nsupdate -g
rndc command = /usr/sbin/rndc
multicast dns register = No
samba kcc command = /usr/sbin/samba_kcc
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
spn update command = /usr/sbin/samba_spnupdate
share backend = classic
tls enabled = Yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls crlfile =
tls dh params file =
idmap_ldb:use rfc2307 = yes
prefork children:smb = 4
registry:hkey_users = hku.ldb
registry:hkey_local_machine = hklm.ldb

[netlogon]
path = /var/lib/samba/sysvol/mwllc.info/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

L.P.H. van Belle

Apr 22, 2015, 7:30:03 AM
can you try the following..
and post the result back.
and /etc/resolv.conf
and /etc/krb5.conf

copy paste it, but set the admin pass first.
then what's the output.

SAMBA_NT_ADMIN_PASS="PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE"
SETFQDN=`hostname -f`

echo "NT Authentication test"
echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'

echo "Kerberos Authentication"
echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator
smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k
kdestroy





>-----Original message-----
>From: 110...@gmail.com [mailto:samba-...@lists.samba.org]
>On behalf of Mike
>Sent: Wednesday 22 April 2015 13:14
>To: samba
>Subject: [Samba] Cannot authenticate the administrator account

Mike

Apr 22, 2015, 7:40:02 AM
Thanks for your help, LPH - - - I am commuting to work right now.......will
try it when I can get through a few daily hurdles at the office. :-)

Mike

Apr 22, 2015, 9:50:03 AM
On Wed, Apr 22, 2015 at 7:27 AM, L.P.H. van Belle <be...@bazuin.nl> wrote:

> can you try the following..
> and post the result back.
> and /etc/resolv.conf
> and /etc/krb5.conf
>
> copy paste it, but set the admin pass first.
> then what's the output.
>
> SAMBA_NT_ADMIN_PASS="PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE"
> SETFQDN=`hostname -f`
>
> echo "NT Authentication test"
> echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U
> Administrator -c 'ls'
>
> echo "Kerberos Authentication"
> echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator
> smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k
> kdestroy
>

[root@a10 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search conpago.mwllc.info
nameserver 75.75.76.76
nameserver 75.75.75.75
[root@a10 etc]# cat krb5.conf
[libdefaults]
default_realm = MWLLC.INFO
dns_lookup_realm = false
dns_lookup_kdc = true


[root@a10 etc]# SETFQDN=`hostname -f`
[root@a10 etc]# echo "NT Authentication test"
NT Authentication test
[root@a10 etc]# echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
Enter Administrator's password:
session setup failed: NT_STATUS_LOGON_FAILURE
[root@a10 etc]# echo "Kerberos Authentication"
Kerberos Authentication
[root@a10 etc]# echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator
kinit: Cannot find KDC for realm "MWLLC.INFO" while getting initial credentials
[root@a10 etc]# smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: No such file or directory
session setup failed: NT_STATUS_UNSUCCESSFUL
[root@a10 etc]# kdestroy

L.P.H. van Belle

Apr 22, 2015, 10:10:03 AM
Are you sure you have the "correct" administrator password ..

this should work, echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
that does not involve kerberos yet..

Please run:

SETHOSTNAME=`hostname -s`
SETDNSDOMAIN=`hostname -d`
SETFQDN=`hostname -f`

host -t SRV _ldap._tcp.${SETDNSDOMAIN}.

host -t SRV _kerberos._udp.${SETDNSDOMAIN}.

host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}.

and
cat /etc/hosts

and these are your DC's ips?

nameserver 75.75.76.76
nameserver 75.75.75.75

Greetz,

Louis

Rowland Penny

Apr 22, 2015, 11:10:03 AM
Hi Louis, did you miss this:

[root@a10 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search conpago.mwllc.info
nameserver 75.75.76.76
nameserver 75.75.75.75

His realm (from krb5.conf) is 'MWLLC.INFO'

Rowland

L.P.H. van Belle

Apr 22, 2015, 11:20:02 AM
ahh. stupid me.. yes..

but this should have worked, with the correct pass..
echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'

Thanx for pointing me.. ;-)

Greetz,

Louis

>-----Original message-----
>From: rowlan...@googlemail.com
>[mailto:samba-...@lists.samba.org] On behalf of Rowland Penny
>Sent: Wednesday 22 April 2015 17:02
>To: sa...@lists.samba.org

Rowland Penny

Apr 22, 2015, 11:20:03 AM
and another thing, why is NetworkManager setting /etc/resolv.conf anyway?
The DC ip info should be in /etc/network/interfaces (on debian) and
network manager removed.

Rowland Penny

Apr 22, 2015, 11:20:03 AM
yes, but (yet another thing) what is in /etc/hosts ?

Mike

Apr 22, 2015, 11:30:02 AM
On Wed, Apr 22, 2015 at 10:04 AM, L.P.H. van Belle <be...@bazuin.nl> wrote:

> Are you sure you have the "correct" administrator password ..
>
> this should work , echo ${SAMBA_NT_ADMIN_PASS}| smbclient
> //localhost/netlogon -U Administrator -c 'ls'
> that does not involve kerberos yet..
>
> Please run:
>
> SETHOSTNAME=`hostname -s`
> SETDNSDOMAIN=`hostname -d`
> SETFQDN=`hostname -f`
>
> host -t SRV _ldap._tcp.${SETDNSDOMAIN}.
>
> host -t SRV _kerberos._udp.${SETDNSDOMAIN}.
>
> host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}.
> and
> cat /etc/hosts
>
> and these are your DC's ips?
>
> nameserver 75.75.76.76
> nameserver 75.75.75.75
>
> Greetz,
>
> Louis
>
>

Hi Louis,

I'm definitely using the same Administrator password; wrote it down during
provisioning.

For my DC's nameservers ---- might I have this wrong? Those IPs are my
ISP's nameservers - Xfinity Comcast.
The actual CentOS server box static IP is 10.10.1.225. Do I need to delete
the ISP nameservers and go with 10.10.1.225?

Thank you for all the follow up.

Mike

Mike

Apr 22, 2015, 11:40:03 AM
On Wed, Apr 22, 2015 at 11:09 AM, L.P.H. van Belle <be...@bazuin.nl> wrote:

> but this should have worked, with the correct pass..
> echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U
> Administrator -c 'ls'
>
>

Something almost worked ----

[root@a10 ~]# echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
Enter Administrator's password:
Anonymous login successful
Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@a10 ~]#

Andrey Repin

Apr 22, 2015, 12:00:03 PM
Greetings, Rowland Penny!

>> [root@a10 ~]# cat /etc/resolv.conf
>> # Generated by NetworkManager
>> search conpago.mwllc.info
>> nameserver 75.75.76.76
>> nameserver 75.75.75.75
>>
>> His realm (from krb5.conf) is 'MWLLC.INFO'
>>
>> Rowland
>>

> and another thing, why is NetworkManager setting /etc/resolv.conf anyway ?
> The DC ip info should be in /etc/network/interfaces (on debian) and
> network manager removed.

No. More like the network DHCP server should be set correctly to point to a
DNS server that can resolve the AD zone.
This is nothing that should be changed on the local client. The network setup is
just wrong like that and needs a fix.


--
With best regards,
Andrey Repin
Wednesday, April 22, 2015 18:44:15

Sorry for my terrible english...

Sketch

Apr 22, 2015, 12:30:03 PM
On Wed, 22 Apr 2015, Mike wrote:

> Something almost worked ----
>
> [root@a10 ~]# echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon
> -U Administrator -c 'ls'
> Enter Administrator's password:
> Anonymous login successful
> Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
> tree connect failed: NT_STATUS_ACCESS_DENIED

I noticed in your original email you are using rfc2307 extensions, but
there is nothing in your config about winbind. AFAIK, "smbd" (the samba
file server) does not talk to the DC (the process named "samba") directly,
it uses system authentication. So if getent passwd Administrator does not
work, you won't be able to log in. If you're using rfc2307 extensions
rather than automatic mapping, you will have to give the Administrator
account a uid (and probably a gid for its primary group, as well), if you
haven't already.

Rowland Penny

Apr 22, 2015, 12:30:04 PM
How should I put this politely: you have to point the DC at itself if
you only have one DC; if you have two DCs, then point one at the other,
then itself:

The kerberos realm must be the same as your DNS domain and it is advised
that this is not resolvable from the internet.

i.e. if you have one DC and your registered DNS domain is example.com
and the ipaddress of the DC is 192.168.0.2, then resolv.conf should contain:

search internal.example.com
nameserver 192.168.0.2

Or if you have two DCs and the ipaddress of the second DC is 192.168.0.3:

First DC (192.168.0.2):

search internal.example.com
nameserver 192.168.0.3
nameserver 192.168.0.2

Second DC (192.168.0.3):

search internal.example.com
nameserver 192.168.0.2
nameserver 192.168.0.3

You can replace 'internal' with anything you like and you do not have to
use it for the domain/workgroup, but whatever you use, 'hostname -d'
must show this domain name and you *MUST* use this as the realm name
when you provision.

Anything that is outside the samba4 AD domain is forwarded to the
forwarder set in smb.conf, in your case 'dns forwarder = 75.75.76.76'

Rowland

Rowland Penny

Apr 22, 2015, 12:40:03 PM
On 22/04/15 17:25, Sketch wrote:
> On Wed, 22 Apr 2015, Mike wrote:
>
>> Something almost worked ----
>>
>> [root@a10 ~]# echo ${SAMBA_NT_ADMIN_PASS}| smbclient
>> //localhost/netlogon
>> -U Administrator -c 'ls'
>> Enter Administrator's password:
>> Anonymous login successful
>> Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
>> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> I noticed in your original email you are using rfc2307 extensions, but
> there is nothing in your config about winbind. AFAIK, "smbd" (the
> samba file server) does not talk to the DC (the process named "samba")
> directly, it uses system authentication. So if getent passwd
> Administrator does not work, you won't be able to log in. If you're
> using rfc2307 extensions rather than automatic mapping, you will have
> to give the Administrator account a uid (and probably a gid for it's
> primary group, as well), if you haven't already.

The OP is trying to authenticate on the samba4 AD DC, out of the box,
without any mods; this is the only machine from which you are guaranteed
to get a response.

I also think that he is trying to run the DC on a dhcp client, not a
good idea.

Rowland

Mike

Apr 22, 2015, 1:50:03 PM
Uggh, this is killing me.
/etc/resolv.conf:
search conpago.mwllc.info
nameserver 10.10.1.225


and the failures continue:


[root@a10 ~]# smbclient -L localhost -U%
Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)
[root@a10 ~]# smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password:
Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)
[root@a10 ~]#

Mike

Apr 22, 2015, 1:50:04 PM
Somehow /var/run/samba got erased......I don't know how or why.
Recreated /var/run/samba and now:
smbclient -L localhost -U%
Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]

Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba
4.1.17-SerNet-RedHat-11.el7)
Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]

Server Comment
--------- -------

Workgroup Master
--------- -------


But same failure here:

smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password:
session setup failed: NT_STATUS_LOGON_FAILURE
[root@a10 run]#

Rowland Penny

Apr 22, 2015, 2:10:02 PM
On 22/04/15 18:47, Mike wrote:
> Somehow /var/run/samba got erased......I don't know how or why.
> Recreated /var/run/samba and now:
> smbclient -L localhost -U%
> Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
>
> Sharename Type Comment
> --------- ---- -------
> netlogon Disk
> sysvol Disk
> IPC$ IPC IPC Service (Samba
> 4.1.17-SerNet-RedHat-11.el7)
> Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
>
> Server Comment
> --------- -------
>
> Workgroup Master
> --------- -------
>
>
> But same failure here:
>
> smbclient //localhost/netlogon -UAdministrator -c 'ls'
> Enter Administrator's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> [root@a10 run]#
>
>

As far as I can see you are only testing at the moment, so can I suggest
that you switch OS to Debian wheezy and then use Louis's script to
install your DC; this should get you a DC that works as expected.

See here for Louis's script: https://secure.bazuin.nl/scripts/

Rowland

Mike

Apr 22, 2015, 2:50:03 PM
Thanks, Rowland.
I'll give it some thought.
At this point, I may even go back to slackware or gentoo.
It is a bit much learning all the new system tools (systemd, systemctl,
firewalld, NetworkManager, etc.) while moving from a samba standalone
configuration to AD/DC, DNS, Kerberos, all for the first time.

I'm also considering calling Pantek.com - - - I've had some very good
experiences with them in the past.

At any rate, thanks for your time today.

Best regards,

Mike



Rowland Penny

Apr 22, 2015, 3:00:03 PM
On 22/04/15 19:40, Mike wrote:
> Thanks, Rowland.
> I'll give it some thought.
> At this point, I may even go back to slackware or gentoo.
> It is a bit much learning all the new system tools (systemd,
> systemctl, firewalld, NetworkManager, etc.) while moving from a samba
> standalone configuration to AD/DC, DNS, Kerberos, all for the first time.

Debian wheezy does not come with the first two of those so-called tools
and you can safely remove the last from a wheezy DC; it is not needed.

If you are used to using gentoo, then debian should be a breeze :-)

Louis's script works, it just needs some info from you, if you do decide
to go down this path and have any questions, you know where we are :-)

Rowland

>
> I'm also considering calling Pantek.com - - - I've had some very good
> experiences with them in the past.
>
> At any rate, thanks for your time today.
>
> Best regards,
>
> Mike
>
>

Mike

Apr 28, 2015, 5:50:02 PM
I wanted to follow up to the list in hopes it will help others with similar
configuration.
Per previous posts --
OS: CentOS 7.153
Samba: Version 4.1.17-SerNet-RedHat-11.el7
Samba provisioned to act as: AD DC following Samba Wiki: Samba AD DC HOWTO
Samba Internal DNS daemon deployed.

1. Disable selinux. Unless you have a solid understanding of how to
configure it for your environment, please turn it off. It is defaulted
ON/Engaged in CentOS 7. If you don't understand how selinux filters calls
to/from the linux kernel, you may be chasing ghosts in relation to your
Samba 4.x.y AD DC. For clarification, my sysadmin and security skills are
not expert level.

2. The following information may have lurked under my nose, but I did not
find mention of it: There is a configuration file
/etc/default/sernet-samba which requires one small edit for samba to
function.
The setting is defaulted to NONE, but it needs to be set to "ad".

# SAMBA_START_MODE defines how Samba should be started. Valid options are one of
# "none" to not enable it at all,
# "classic" to use the classic smbd/nmbd/winbind daemons
# "ad" to use the Active Directory server (which starts the smbd on its own)
# (Be aware that you also need to enable the services/init scripts that
# automatically start up the desired daemons.)
SAMBA_START_MODE="ad"
#SAMBA_START_MODE="none"

3. Upon initial provisioning, Samba objects when the machine name (netbios
name?) and the domain/workgroup name are the same, so I changed the machine
name to make them different.
It appears necessary to edit the /etc/hosts file and include both of them
in the hosts file:

10.10.10.100 mymachine.example.com mymachine
10.10.10.100 mydomain.example.com mydomain

4. Gotta deal with firewalld. Either uninstall it and use the iptables
commands you've fought to finally understand over the years; or, use
firewalld and zones, etc.
Open all those scary ports to make sure all the complex AD DC components
work:

firewall-cmd --permanent --add-service=samba
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --permanent --add-port=88/tcp
firewall-cmd --permanent --add-port=88/udp
firewall-cmd --permanent --add-port=135/tcp
firewall-cmd --permanent --add-port=137/tcp
firewall-cmd --permanent --add-port=137/udp
firewall-cmd --permanent --add-port=138/udp
firewall-cmd --permanent --add-port=139/tcp
firewall-cmd --permanent --add-port=389/tcp
firewall-cmd --permanent --add-port=389/udp
firewall-cmd --permanent --add-port=445/tcp
firewall-cmd --permanent --add-port=464/tcp
firewall-cmd --permanent --add-port=464/udp
firewall-cmd --permanent --add-port=636/tcp
firewall-cmd --permanent --add-port=1024-5000/tcp
firewall-cmd --permanent --add-port=1024-5000/udp
firewall-cmd --permanent --add-port=3268/tcp
firewall-cmd --permanent --add-port=3269/tcp
firewall-cmd --permanent --add-port=5353/tcp
firewall-cmd --permanent --add-port=5353/udp
firewall-cmd --reload


5. So far, the following works:

smbclient -L localhost -U%
smbclient //mydomain.example.com/netlogon -U Administrator

From Win 7 Pro or 8.1 Pro client, I can point Windows Explorer to the
Samba4 AD DC box by entering \\10.10.10.100 in the address bar.
I can also provide UserID: Administrator and Password: PaSsW8*rD and see
netlogon, sysvol, and all demo directory shares I created.
I can also read/write to all of them - - - - I was surprised this was
possible without actually joining the domain via (from windows): Control
Panel ---> System and Security ---> System ---> Change Settings.
It's possible I was able to read/write to the demo shares because they were
previously set -- chmod -R 0777 /demo/share/directory.

I still need to understand samba-tool user creation, settings, and options,
as I cannot yet figure out how to connect to the AD DC box via RSAT Server
Manager app.

6. Testing DNS --
The suggested tests in the AD DC HOWTO produce errors but the samba log
seems to indicate DNS is okay:

[2015/04/28 17:29:48.986108, 3] ../source4/dsdb/dns/dns_update.c:340(dnsupdate_check_names)
  Calling DNS name update script
[2015/04/28 17:29:48.989054, 3] ../source4/dsdb/dns/dns_update.c:355(dnsupdate_check_names)
  Calling SPN name update script
[2015/04/28 17:29:49.505209, 3] ../source4/dsdb/dns/dns_update.c:325(dnsupdate_spnupdate_done)
  Completed SPN update check OK
[2015/04/28 17:29:49.576183, 3] ../source4/dsdb/dns/dns_update.c:296(dnsupdate_nameupdate_done)
  Completed DNS update check OK

7. Kerberos --
I don't believe this is working yet and will need to RTFM to figure out how
to chase it down.
[root@a10 etc]# ls -alh krb5.conf
lrwxrwxrwx. 1 root root 32 Apr 21 10:31 krb5.conf -> /var/lib/samba/private/krb5.conf
[root@a10 etc]# klist
klist: Credentials cache file '/tmp/krb5cc_0' not found
[root@a10 etc]#
[root@a10 etc]# kinit admini...@MYDOMAIN.EXAMPLE.COM
kinit: Cannot find KDC for realm "MYDOMAIN.EXAMPLE.COM" while getting
initial credentials
[root@a10 etc]#

L.P.H. van Belle

Apr 29, 2015, 3:10:03 AM
Hai Mike,

>It appears necessary to edit the /etc/hosts file and include
>both of them
>in the hosts file:
>
>10.10.10.100 mymachine.example.com mymachine
>10.10.10.100 mydomain.example.com mydomain
remove the domain line here in hosts.


if you run:
hostname -s ( name )
hostname -f ( name.domain.tld )
hostname -d ( domain.tld )

if one of these is incorrect, then yes, your setup will fail.
make sure your resolv.conf is correct.

like to start with:
search domain.tld
nameserver yourDC_1

if hostname -d still fails, add above the search line:
domain domain.tld

now copy the krb5 file and don't symlink it.
mv /etc/krb5.conf /etc/krb5.conf.old
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

now try to kinit again.

Greetz,

Louis



>-----Original message-----
>From: 110...@gmail.com [mailto:samba-...@lists.samba.org]
>On behalf of Mike
>Sent: Tuesday 28 April 2015 23:42
>CC: samba
>Subject: Re: [Samba] Cannot authenticate the administrator account
>

Rowland Penny

Apr 29, 2015, 4:00:03 AM
OK, you posted this:

It appears necessary to edit the /etc/hosts file and include both of
them in the hosts file:

10.10.10.100 mymachine.example.com mymachine
10.10.10.100 mydomain.example.com mydomain

One of those lines is wrong!

Your kerberos realm *has* to be the same as your DNS domain, so your
machine's FQDN would be 'mymachine.mydomain'

i.e. if the hostname of your machine is 'samba' and your domain name
'internal.example.com' & your machine's ip is '10.10.10.100', you would
need this line in /etc/hosts:

10.10.10.100 samba.internal.example.com samba

you would need to use the kerberos name 'INTERNAL.EXAMPLE.COM' in
/etc/krb5 and you could use 'INTERNAL' as the workgroup/domain name in
smb.conf, though you could use anything you like.

Rowland

Mike

Apr 29, 2015, 11:10:04 AM
Louis and Rowland -- thank you, Gents!
Making progress.

Kerberos is operational and handing out tickets, but I was only able to
test using:

kinit admini...@EXAMPLE.COM

vs. the Samba AD DC HOWTO: admini...@SAMDOM.EXAMPLE.COM

- - - - - - - - - - - - - - - - - - - - - - -
Per Rowland's dns naming example - my hostname output:

~]# hostname -s
samba
~]# hostname -f
samba.internal.example.com
~]# hostname -d
internal.example.com

But, this appears incorrect:

~]# host -t SRV _ldap._tcp.example.com
_ldap._tcp.example.com has SRV record 0 100 389 samba.example.com.

~]# host -t SRV _ldap._tcp.internal.example.com
Host _ldap._tcp.internal.example.com not found: 3(NXDOMAIN)

~]# host -t SRV _ldap._tcp.samba.internal.example.com
Host _ldap._tcp.samba.internal.example.com not found: 3(NXDOMAIN)

~]# host -t SRV _ldap._tcp.samba.example.com
Host _ldap._tcp.samba.example.com not found: 3(NXDOMAIN)

- - - - - - - - - - - - - - - - - - - - - - - -
The same results as above when testing:

~]# host -t SRV _kerberos._udp.example.com
_kerberos._udp.mwllc.info has SRV record 0 100 88 samba.example.com.

and the other combinations report "not found: 3(NXDOMAIN)"


Did I simply provision the REALM or domain incorrectly from the start?
testparm -v output shows I provided the following:

workgroup = INTERNAL
realm = EXAMPLE.COM
netbios name = SAMBA

Rowland Penny

Apr 29, 2015, 11:40:04 AM
On 29/04/15 16:05, Mike wrote:
> Louis and Rowland -- thank you, Gents!
> Making progress.
>
> Kerberos is operational and handing out tickets, but I was only able
> to test using:
>
> kinit admini...@EXAMPLE.COM
>
> vs. the Samba AD DC HOWTO: admini...@SAMDOM.EXAMPLE.COM

The samba howto is just that, a howto. It is not meant to be followed
to the exact letter.

Before you start to use the howto, you need to know what dns domain to
use, if you have a registered dns domain, it is not recommended to use
this, because if you do, your AD DCs & clients may be resolvable from
the internet. You are recommended to use a sub domain
i.e. if your registered domain is 'example.com', you would use
'internal.example.com' or 'samdom.example.com' or
'anything_you_like.example.com'.

Once you have decided what your dns domain is going to be called, you
must set the machine that the DC is going to be provisioned on to use
this domain, give it a fixed ip, set /etc/hosts, make sure that
'hostname -f' returns the correct FQDN and 'hostname -s' returns just
the short hostname.

Once you are sure that the machine knows who it is and where it lives
:-) , you can provision the domain with samba-tool using the DNS domain
as the realm name, the realm name *must* be the uppercase DNS name!

Now having said all this, it seems that the machine's DNS name is
'internal.example.com' and the AD DC is using 'example.com'.
If the machine you ran the tests on is the DC, it seems that this may be
your problem.

Rowland

>
> - - - - - - - - - - - - - - - - - - - - - - -
> Per Rowland's dns naming example - my hostname output:
>
> ~]# hostname -s
> samba
> ~]# hostname -f
> samba.internal.example.com
> ~]# hostname -d
> internal.example.com
>
> But, this appears incorrect:
>
> ~]# host -t SRV _ldap._tcp.example.com
> _ldap._tcp.example.com has SRV record 0 100 389 samba.example.com.
>
> ~]# host -t SRV _ldap._tcp.internal.example.com
> Host _ldap._tcp.internal.example.com not found: 3(NXDOMAIN)
>
> ~]# host -t SRV _ldap._tcp.samba.internal.example.com
> Host _ldap._tcp.samba.internal.example.com not found: 3(NXDOMAIN)
>
> ~]# host -t SRV _ldap._tcp.samba.example.com
> Host _ldap._tcp.samba.example.com not found: 3(NXDOMAIN)
>
> - - - - - - - - - - - - - - - - - - - - - - - -
> The same results as above when testing:
>
> ~]# host -t SRV _kerberos._udp.example.com
> _kerberos._udp.mwllc.info has SRV record 0 100 88 samba.example.com.
>
> and the other combinations report "not found: 3 (NXDOMAIN)"
>
>
> Did I simply provision the REALM or domain incorrectly from the start?
> testparm -v output shows I provided the following:
>
> workgroup = INTERNAL
> realm = EXAMPLE.COM

Mike

Apr 29, 2015, 11:50:03 AM
Back to the RE-provision workbench. :-)

Sketch

Apr 29, 2015, 11:50:04 AM
On Wed, 29 Apr 2015, Mike wrote:

> Did I simply provision the REALM or domain incorrectly from the start?
> testparm -v output shows I provided the following:
>
> workgroup = INTERNAL
> realm = EXAMPLE.COM
> netbios name = SAMBA

Looks that way to me. Your realm should include the workgroup name:
INTERNAL.EXAMPLE.COM.

See:

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Server_Information

It _might_ work if you don't specify the domain when you kinit ("kinit
Administrator"), since kerberos will normally look up the default domain,
or use whatever is configured as default in your krb5.conf, but I suspect
you will have issues with anything that tries to do automatic ticket
acquisition.

Mike

Apr 29, 2015, 12:40:04 PM
So close . . .

Reprovision completed.

Server Role: active directory domain controller

Hostname: internal

NetBIOS Domain: INTERNAL

DNS Domain: internal.example.com

DOMAIN SID: S-1-5-21-123456789-123456789-123456789

----------------------------------------------

]# hostname -f
internal.example.com

]# hostname -s
internal

]# hostname -d

example.com

---------------------------------------------

DNS test all work correctly.

---------------------------------------------

]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admini...@EXAMPLE.COM

Valid starting Expires Service principal
04/29/2015 10:20:18 04/29/2015 20:20:18 krbtgt/EXAMP...@EXAMPLE.COM
renew until 04/30/2015 10:19:53

BUT ---

]# kinit admini...@EXAMPLE.COM
kinit: Cannot find KDC for realm "EXAMPLE.COM" while getting initial
credentials

]# kinit admini...@INTERNAL.EXAMPLE.COM
kinit: Cannot contact any KDC for realm 'INTERNAL.EXAMPLE.COM' while
getting initial credentials

Rowland Penny

Apr 29, 2015, 12:50:05 PM
On 29/04/15 17:31, Mike wrote:
> So close . . .
>
> Reprovision completed.
>
> Server Role: active directory domain controller
>
> Hostname: internal
>
> NetBIOS Domain: INTERNAL
>
> DNS Domain: internal.example.com
>
> DOMAIN SID: S-1-5-21-123456789-123456789-123456789
>
> ----------------------------------------------
>
> ]# hostname -f
> internal.example.com
>
> ]# hostname -s
> internal
>
> ]# hostname -d
>
> example.com
>
>

I will try again, your hostname is just one word, the domain name can
and should be multiple words.

i.e. your hostname could be 'dc' and the domain name could be
'internal.example.com', this would make your FQDN 'dc.internal.example.com'

With this, the last part of the provision output should be something
like this:

Server Role: active directory domain controller
Hostname: dc
NetBIOS Domain: INTERNAL
DNS Domain: internal.example.com
DOMAIN SID: S-1-5-21-3439746342-3860244441-329711412

The provision command would be something like this:

samba-tool domain provision --realm=internal.example.com
--domain=INTERNAL --adminpass=XXXXXXXXXX --use-rfc2307 --server-role=dc

Rowland

Andrey Repin

Apr 29, 2015, 3:30:04 PM
Greetings, Mike!

> So close . . .

> Reprovision completed.

> Server Role: active directory domain controller

> Hostname: internal

> NetBIOS Domain: INTERNAL

> DNS Domain: internal.example.com

You're AGAIN confusing hostname and domain (realm) name!

> DOMAIN SID: S-1-5-21-123456789-123456789-123456789

> ----------------------------------------------

> ]# hostname -f
> internal.example.com

Given your Samba configuration, this should reply

internal.internal.example.com

> ]# hostname -s
> internal

> ]# hostname -d

> example.com

And this should reply

internal.example.com

> ---------------------------------------------

> DNS test all work correctly.

No, they aren't.

> ---------------------------------------------

> ]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admini...@EXAMPLE.COM

> Valid starting Expires Service principal
> 04/29/2015 10:20:18 04/29/2015 20:20:18 krbtgt/EXAMP...@EXAMPLE.COM
> renew until 04/30/2015 10:19:53

> BUT ---

> ]# kinit admini...@EXAMPLE.COM
> kinit: Cannot find KDC for realm "EXAMPLE.COM" while getting initial
> credentials

> ]# kinit admini...@INTERNAL.EXAMPLE.COM
> kinit: Cannot contact any KDC for realm 'INTERNAL.EXAMPLE.COM' while
> getting initial credentials

This only reinforces my claim that you again confused the terms and
misconfigured your setup.
If you are really just testing it, get back to

workgroup = INTERNAL
realm = EXAMPLE.COM
netbios name = DC1

Your DNS tests must show

hostname --short: dc1
hostname --domain: example.com
hostname --fqdn: dc1.example.com

If you are experimenting with a copy of live setup, please start showing real
data as you enter it, it'll lead to a faster resolution.


--
With best regards,
Andrey Repin
Wednesday, April 29, 2015 22:10:15

Sorry for my terrible english...

Andrey Repin

Apr 29, 2015, 3:30:05 PM
Greetings, Sketch!

>> Did I simply provision the REALM or domain incorrectly from the start?
>> testparm -v output shows I provided the following:
>>
>> workgroup = INTERNAL
>> realm = EXAMPLE.COM
>> netbios name = SAMBA

> Looks that way to me. Your realm should include the workgroup name:
> INTERNAL.EXAMPLE.COM.

> See:

> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Server_Information

> It _might_ work if you don't specify the domain when you kinit ("kinit
> Administrator"), since kerberos will normally look up the default domain,
> or use whatever is configured as default in your krb5.conf, but I suspect
> you will have issues with anything that tries to do automatic ticket
> acquisition.

Nothing is "SHOULD" as long as the settings follow basic requirements
(single-label NETBIOS domain name, resolvable REALM name).
I.e. I have domains provisioned with "ADS.<netbios domain name>.<tld>"
All works fine, given correct DNS configuration.


--
With best regards,
Andrey Repin
Wednesday, April 29, 2015 22:07:19

Sorry for my terrible english...

Sketch

Apr 29, 2015, 3:40:03 PM
On Wed, 29 Apr 2015, Andrey Repin wrote:

> Greetings, Sketch!
>
>>> workgroup = INTERNAL
>>> realm = EXAMPLE.COM
>>> netbios name = SAMBA
>
>> Looks that way to me. Your realm should include the workgroup name:
>> INTERNAL.EXAMPLE.COM.
>
> Nothing is "SHOULD" as long as the settings follow basic requirements
> (single-label NETBIOS domain name, resolvable REALM name).
> I.e. I have domains provisioned with "ADS.<netbios domain name>.<tld>"
> All works fine, given correct DNS configuration.

Netbios name is basically irrelevant here. Do you mean that the realm
name does not have to match the workgroup name?

Andrey Repin

Apr 29, 2015, 4:30:04 PM
Greetings, Sketch!

>>>> workgroup = INTERNAL
>>>> realm = EXAMPLE.COM
>>>> netbios name = SAMBA
>>
>>> Looks that way to me. Your realm should include the workgroup name:
>>> INTERNAL.EXAMPLE.COM.
>>
>> Nothing is "SHOULD" as long as the settings follow basic requirements
>> (single-label NETBIOS domain name, resolvable REALM name).
>> I.e. I have domains provisioned with "ADS.<netbios domain name>.<tld>"
>> All works fine, given correct DNS configuration.

> Netbios name is basically irrelevant here.

NETBIOS HOST name? Irrelevant. NETBIOS DOMAIN name? Not quite.

> Do you mean that the realm
> name does not have to match the workgroup name?

There's no such requirement. AD domain is resolved from NETBIOS multicast or
from domain suffix provided by DHCP or configured in system settings.
But the end result is that the system receives the correct DNS name once and then
works out from that purely through DNS.
I can show you examples of systems working from both premises in the same
domain.

P.S.
Please don't CC me, I'm subscribed to the list.


--
With best regards,
Andrey Repin
Wednesday, April 29, 2015 23:04:06

Sorry for my terrible english...

Rowland Penny

Apr 29, 2015, 4:30:04 PM
On 29/04/15 20:37, Sketch wrote:
> On Wed, 29 Apr 2015, Andrey Repin wrote:
>
>> Greetings, Sketch!
>>
>>>> workgroup = INTERNAL
>>>> realm = EXAMPLE.COM
>>>> netbios name = SAMBA
>>
>>> Looks that way to me. Your realm should include the workgroup name:
>>> INTERNAL.EXAMPLE.COM.
>>
>> Nothing is "SHOULD" as long as the settings follow basic requirements
>> (single-label NETBIOS domain name, resolvable REALM name).
>> I.e. I have domains provisioned with "ADS.<netbios domain name>.<tld>"
>> All works fine, given correct DNS configuration.
>
> Netbios name is basically irrelevant here. Do you mean that the realm
> name does not have to match the workgroup name?

I don't know how I can say this plainer: the only thing that has to
match is the realm name and the dns domain name. If your dns domain name
is 'internal.example.com' then your kerberos realm must be
'INTERNAL.EXAMPLE.COM'.

The netbios domain name (also known as workgroup name) can be
*anything* you like, but it is usually the left-hand part of the dns
domain name, 'INTERNAL' from the given example, but you could use
'BUTTERCUP' or 'MOON' or *ANYTHING* else, just as long as it is a single
word of not more than 15 characters.

Rowland

Sketch

Apr 29, 2015, 4:40:04 PM
On Wed, 29 Apr 2015, Andrey Repin wrote:

>> Netbios name is basically irrelevant here.
>
> NETBIOS HOST name? Irrelevant. NETBIOS DOMAIN name? Not quite.
>
>> Do you mean that the realm
>> name does not have to match the workgroup name?
>
> There's no such requirement. AD domain is resolved from NETBIOS multicast or
> from domain suffix provided by DHCP or configured in system settings.
> But the end result is that the system receive correct DNS name once and then
> work out from that purely through DNS.

Makes sense. I know the netbios name should only matter for older
clients, but I thought Samba still cared about it. I guess the DC
shouldn't, though, since it's a modern DC.

Mike

Apr 29, 2015, 4:40:04 PM
Andrey, thanks for your help.
It's discouraging getting stuck on these fundamentals, not making progress.

Can you tell me how I would provision the following:

hostnamectl status reports:

Static hostname: a10
The registered FQDN is: mwllc.info
I'd like to name the domain on the samba server: conpago.mwllc.info
The static IP on the CentOS Samba box is set to: 10.10.1.225.
Using INTERNAL_DNS setting and dns forwarder is set to my ISP's
nameserver: 75.75.76.76

What's the correct provisioning parameters?

Thank you for your patience.

Mike

Mike

Apr 29, 2015, 4:50:04 PM
Rowland,

I definitely don't want to vex you. You've been very generous with your
help.
If I can't get it right using Andrey's provisioning example, I'll reach out
for some commercial samba support.

Best regards,

Mike

On Wed, Apr 29, 2015 at 4:24 PM, Rowland Penny <rowlan...@googlemail.com>
wrote:

Andrey Repin

Apr 29, 2015, 5:00:03 PM
Greetings, Sketch!

>>> Netbios name is basically irrelevant here.
>>
>> NETBIOS HOST name? Irrelevant. NETBIOS DOMAIN name? Not quite.
>>
>>> Do you mean that the realm
>>> name does not have to match the workgroup name?
>>
>> There's no such requirement. AD domain is resolved from NETBIOS multicast or
>> from domain suffix provided by DHCP or configured in system settings.
>> But the end result is that the system receive correct DNS name once and then
>> work out from that purely through DNS.

> Makes sense. I know the netbios name should only matter for older
> clients, but I thought Samba still cared about it.

It does care, but not in the sense that you thought.
The NETBIOS domain name is important, but there are no strings attached, other
than technical restrictions to the name length and composition.

> I guess the DC shouldn't, though, since it's a modern DC.

That's largely true. DC's work over DNS from the start.


--
With best regards,
Andrey Repin
Wednesday, April 29, 2015 23:36:37

Sorry for my terrible english...

Mike

Apr 30, 2015, 10:40:04 AM
SUCCESS.........up to the point of kerberos tickets.
((What a difference a night's sleep can do for logic neurons.))

Everything works with the provisioning now except for kerberos.
The setup follows and ends with the kinit, klist, and kvno errors/failures:

[root@dc1 ~]# hostname -f
dc1.internal.example.com
[root@dc1 ~]# hostname -s
dc1
[root@dc1 ~]# hostname -d
internal.example.com
[root@dc1 ~]# hostnamectl status
Static hostname: dc1.internal.example.com
Icon name: computer-server
Chassis: server
Machine ID: 57ccaldjfre9tuq34uadl5fjgq9823uadog
Boot ID: f4c1eqa9e8rt709q23y849tyqghlkqdhfg9
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-229.1.2.el7.x86_64
Architecture: x86_64
[root@dc1 ~]# cat /etc/resolv.conf
domain internal.example.com
search internal.example.com
nameserver 10.10.1.225

[root@dc1 ~]# cat /etc/hosts
127.0.0.1 dc1.internal.example.com dc1
127.0.0.1 localhost
10.10.1.225 dc1.internal.example.com dc1

[root@dc1 ~]# cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = INTERNAL
realm = INTERNAL.EXAMPLE.COM
netbios name = dc1
interfaces = lo, eno1
bind interfaces only = Yes
server role = active directory domain controller
dns forwarder = 75.75.76.76
idmap_ldb:use rfc2307 = yes


[root@dc1 ~]# smbclient //internal.example.com/netlogon -UAdministrator -c
'ls'
Enter Administrator's password:
Domain=[INTERNAL] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
. D 0 Thu Apr 30 09:36:14 2015
.. D 0 Thu Apr 30 09:36:20 2015

51175 blocks of size 1048576. 48360 blocks available

[root@dc1 ~]# host -t SRV _ldap._tcp.internal.example.com.
_ldap._tcp.internal.example.com has SRV record 0 100 389
dc1.internal.example.com.
[root@dc1 ~]# host -t SRV _kerberos._udp.internal.example.com.
_kerberos._udp.internal.example.com has SRV record 0 100 88
dc1.internal.example.com.
[root@dc1 ~]# host -t A dc1.internal.example.com.
dc1.internal.example.com has address 10.10.1.225
[root@dc1 ~]#

[root@dc1 ~]# kinit admini...@INTERNAL.EXAMPLE.COM
Password for admini...@INTERNAL.EXAMPLE.COM:
kinit: Preauthentication failed while getting initial credentials

[root@dc1 ~]# cat /etc/krb5.conf
[libdefaults]
default_realm = INTERNAL.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[root@dc1 ~]# klist
klist: Credentials cache file '/tmp/krb5cc_0' not found
[root@dc1 ~]#

[root@dc1 ~]# kvno admini...@INTERNAL.EXAMPLE.COM
kvno: Credentials cache file '/tmp/krb5cc_0' not found while getting client
principal name
[root@dc1 ~]#

Sketch

Apr 30, 2015, 10:50:03 AM
On Thu, 30 Apr 2015, Mike wrote:

> Everything works with the provisioning now except for kerberos.
>
> [root@dc1 ~]# kinit admini...@INTERNAL.EXAMPLE.COM
> Password for admini...@INTERNAL.EXAMPLE.COM:
> kinit: Preauthentication failed while getting initial credentials

In my experience, preauthentication failed typically means you mistyped
your password. :)

L.P.H. van Belle

Apr 30, 2015, 10:50:05 AM

Hai Mike,

in /etc/hosts
remove the line :
127.0.0.1 dc1.internal.example.com dc1

and try again.

Greetz,

Louis


>-----Original message-----
>From: 110...@gmail.com [mailto:samba-...@lists.samba.org]
>On behalf of Mike
>Sent: Thursday 30 April 2015 16:35
>To: samba
>Subject: Re: [Samba] Cannot authenticate the administrator account
>

L.P.H. van Belle

Apr 30, 2015, 11:00:06 AM
Yes, change the password of the administrator. ;-)

and if that does not work, an extra tip, worth a try.

in smb.conf
> interfaces = lo, eno1

try with lo, 10.10.1.225

There are known problems with interface detection on some OSes (like ubuntu 12.04).
Now I only work (almost only) with debian, and I'm avoiding this by setting the ip and not the interface name.
So I don't know if centos also has this problem, but it's one thing you can try also.


Greetz,

Louis

>-----Original message-----
>From: smb...@rednsx.org [mailto:samba-...@lists.samba.org]
>On behalf of Sketch
>Sent: Thursday 30 April 2015 16:42
>To: samba
>Subject: Re: [Samba] Cannot authenticate the administrator account
>

Mike

Apr 30, 2015, 11:00:06 AM
On Thu, Apr 30, 2015 at 10:41 AM, L.P.H. van Belle <be...@bazuin.nl> wrote:

>
> Hai Mike,
>
> in /etc/hosts
> remove the line :
> 127.0.0.1 dc1.internal.example.com dc1
>
> and try again.
>
> Greetz,
>
> Louis
>
>
Perfect. Works! :-)
I'll ask the question -- why does a domain pointer to the localhost ip throw off
access to the kerberos database?

Mike

L.P.H. van Belle

May 1, 2015, 2:10:03 AM
Why... uhmm, if I'm correct..

I'll try to explain. My english is not that good.. ;-)

Your kerberos request => Resolving => resolving order (hosts file => DNS).
Because of the hosts file, the server reports ip 127.0.0.1 for your hostname (from hosts).
But the correct one (and the kerberos server knows the correct ip) is your other ip.
Kerberos needs A and PTR records to be able to authenticate, and I think because of this, it fails.
Hard to explain for me in english, so if I'm somewhere unclear, correct me.

So never set the "localhost ip address" for the same hostname..

But good to know that the message:

kinit: Preauthentication failed while getting initial credentials

can be a resolving problem.

Greetz,

Louis


From: Mike [mailto:110...@gmail.com]
Sent: Thursday 30 April 2015 16:57
To: L.P.H. van Belle
CC: sa...@lists.samba.org
Subject: Re: [Samba] Cannot authenticate the administrator account

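The two naming mistakes this thread turned on (a realm that is not the uppercase DNS domain, and an /etc/hosts loopback line carrying the DC's own FQDN) can be caught offline before running kinit. The script below is an added example, not code from the thread or from Samba; it assumes POSIX sh with sed and awk, and the smb.conf and hosts samples it builds are constructed to mirror Mike's final setup and the line Louis had him remove.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): offline checks for the
# naming mistakes discussed above: realm vs DNS domain, short hostname vs
# FQDN, and an /etc/hosts loopback line carrying the DC's own FQDN.

# 0 if the Kerberos realm is exactly the uppercase DNS domain.
realm_matches_domain() {
    [ "$1" = "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" ]
}

# 0 if the short name has no dots and "<short>.<domain>" is the FQDN.
fqdn_consistent() {
    case $1 in *.*) return 1 ;; esac
    [ "$3" = "$1.$2" ]
}

# 0 if no loopback line (127.x or ::1) in the hosts file names the FQDN.
# Removing exactly such a line cured "Preauthentication failed" above.
hosts_fqdn_not_loopback() {
    ! sed 's/#.*//' "$1" | awk -v h="$2" '
        $1 ~ /^127\./ || $1 == "::1" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Print the value of "key = value" from an smb.conf-style file (first match).
smbconf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Run one check, print its outcome, and count failures in $fails.
check() {
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# Audit smb.conf + hosts file against the host's short name and FQDN.
# Returns the number of failed checks (0 = all good).
audit_dc_naming() {
    smbconf=$1; hosts=$2; short=$3; fqdn=$4
    domain=${fqdn#"$short".}
    fails=0
    check "realm is uppercase of $domain" \
        realm_matches_domain "$(smbconf_value "$smbconf" realm)" "$domain"
    check "$fqdn is $short.$domain" fqdn_consistent "$short" "$domain" "$fqdn"
    check "$fqdn not on a loopback line in $hosts" hosts_fqdn_not_loopback "$hosts" "$fqdn"
    return "$fails"
}

# Constructed sample files: the thread's final working smb.conf, the hosts
# file as first posted (bad) and after Louis's fix (good). Prints their dir.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/smb.conf" <<'EOF'
[global]
    workgroup = INTERNAL
    realm = INTERNAL.EXAMPLE.COM
    netbios name = dc1
EOF
    cat > "$dir/hosts.bad" <<'EOF'
127.0.0.1   dc1.internal.example.com dc1
127.0.0.1   localhost
10.10.1.225 dc1.internal.example.com dc1
EOF
    grep -v '^127.0.0.1 *dc1' "$dir/hosts.bad" > "$dir/hosts.good"
    printf '%s\n' "$dir"
}

# Real host: sh dc_check.sh /etc/samba/smb.conf /etc/hosts "$(hostname -s)" "$(hostname -f)"
if [ $# -eq 4 ]; then audit_dc_naming "$@"; fi
```

On a real DC the four-argument invocation in the last comment runs the same checks against the live files; a FAIL on the loopback check is the situation this thread ended on.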
Andrey Repin

May 1, 2015, 6:00:03 PM
Greetings, L.P.H. van Belle!

> yes,, change the password of the administrator. ;-)

> and if that does not work, an extra tip, worth a try.

> in smb.conf
>> interfaces = lo, eno1

> try with lo, 10.10.1.225

> There are know problems with interface detection on some OS-ses.. ( like ubuntu 12.04 )
> Now i only work ( almost only ) with debian, and im avoiding this by setting ip and not interface name.
> so i dont know if centos also has this problem, but its one thing you can try also.

I'm going as far as setting up the network address (i.e. 10.10.1.0/24) so that
I can use the same config file on all member servers.


--
With best regards,
Andrey Repin
Friday, May 1, 2015 02:07:40

Sorry for my terrible english...
