Hi

I am running Samba 4 on Debian Jessie. The AD directory controller is running and I can log in with user accounts, but I can't manage them from RSAT on Windows 10. It says "the server is not operational". After that I changed the DNS in the network settings of the client and it works partially: I can open the user management but I can't change anything. I have read about problems in DNS configuration, because of that I checked the settings on my OpenWrt router and adjusted them. Now nslookup on my domain works but the error remains... What's the problem?

The domain on the router, which has DNS resolution, is "danger.zone"; my server is "c3po.danger.zone". The router resolves other clients like voip.danger.zone or r2d2.danger.zone etc. Do I need to add a subdomain like "high.danger.zone" and call the server "c3po.high.danger.zone", or does it work with these settings? I have tried to forward the DNS requests to the server in order to disable the OpenWrt DNS, but the error remains...

Here are some settings:

hosts file

    192.168.1.10 c3po.danger.zone c3po

resolv.conf

    search danger.zone
    nameserver 192.168.1.10

smb.conf

    [global]
        workgroup = DANGER
        realm = DANGER.ZONE
        netbios name = C3PO
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        idmap_ldb:use rfc2307 = yes

    [netlogon]
        path = /var/lib/samba/sysvol/danger.zone/scripts
        read only = No

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

    [shared]
        comment = Shared Folder
        path = /media/shared
        read only = No
        directory mask = 0770
        create mask = 0770

    [Users]
        directory_mode : parameter = 0700
        read only = no
        path = /media/users
        csc policy = documents

krb5.conf

    [libdefaults]
        default_realm = DANGER.ZONE
        dns_lookup_realm = false
        dns_lookup_kdc = true
On 24/02/16 12:20, Oskar Perger wrote:
> The domain on the router, which has DNS resolution, is "danger.zone";
> my server is "c3po.danger.zone". The router resolves other clients like
> voip.danger.zone or r2d2.danger.zone etc. Do I need to add a subdomain
> like "high.danger.zone" and call the server "c3po.high.danger.zone", or
> does it work with these settings? I have tried to forward the DNS
> requests to the server in order to disable the OpenWrt DNS, but the
> error remains...

Your Samba4 AD DC needs to be the nameserver for your AD; anything that it doesn't know (things outside the domain) should be forwarded to your router. To put it another way, your domain clients should use the AD DC for their nameserver, *not* your router!

Rowland
You should be able to keep clients using the DNS service on the router if you create a zone on that DNS server which will forward all requests related to the AD zones to the AD DNS servers:

    zone "ad.domain.tld" IN {
        type forward;
        forward only;
        forwarders { A.B.C.D; A.B.F.H; };
    };

Then clients don't need reconfiguration; they can still surf the Big Net, and they can use AD.

2016-02-24 13:36 GMT+01:00 Rowland penny <rpenny at samba.org>:
> Your Samba4 AD DC needs to be the nameserver for your AD; anything that it
> doesn't know (things outside the domain) should be forwarded to your
> router. To put it another way, your domain clients should use the AD DC for
> their nameserver, *not* your router!
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
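A diagnostic that makes both replies testable, added here as an example and not part of the thread: RSAT and domain members locate a DC through the SRV records under the domain (for instance _ldap._tcp.dc._msdcs.danger.zone), so a router that only answers the A record for c3po.danger.zone still leaves the DC "not operational". It assumes dig is installed; the nameserver 192.168.1.10 and domain danger.zone are taken from the thread as defaults, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a nameserver publishes
# the SRV records an AD client needs to find a domain controller.
# Assumes dig (dnsutils) is installed.  Defaults come from the thread:
# DC/nameserver 192.168.1.10, domain danger.zone.

# Print the SRV record names a client of DOMAIN queries during DC location.
ad_srv_names() {
    domain=$1
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$domain" \
        "_kerberos._tcp.dc._msdcs.$domain" \
        "_ldap._tcp.$domain" \
        "_kerberos._tcp.$domain" \
        "_kerberos._udp.$domain"
}

# Read "dig +short SRV" output (priority weight port target.) on stdin and
# print the target hostnames without the trailing dot, one per line.
# Lines that are not well-formed SRV answers are ignored.
srv_targets() {
    awk 'NF == 4 && $4 ~ /\.$/ { sub(/\.$/, "", $4); print $4 }'
}

# Query every expected record at NAMESERVER and report the missing ones.
# Returns 0 when all records resolve, 1 otherwise.
check_ad_dns() {
    ns=${1:-192.168.1.10}
    domain=${2:-danger.zone}
    status=0
    for name in $(ad_srv_names "$domain"); do
        targets=$(dig +short +time=3 +tries=1 "@$ns" "$name" SRV | srv_targets)
        if [ -z "$targets" ]; then
            echo "MISSING  $name  (nameserver $ns is not serving AD DNS)"
            status=1
        else
            echo "OK       $name -> $(echo "$targets" | tr '\n' ' ')"
        fi
    done
    return $status
}

# Only run the live check when invoked with arguments:
#   sh check_ad_dns.sh <nameserver> <domain>
if [ "$#" -gt 0 ]; then
    check_ad_dns "$@"
fi
```

Run it once against 192.168.1.10 and once against the router's address; a MISSING line for the router is the symptom, and the cure is either Rowland's (point clients at the DC) or the forward-zone approach above, which on OpenWrt's dnsmasq (not BIND) is `server=/danger.zone/192.168.1.10` in the dnsmasq configuration (`list server '/danger.zone/192.168.1.10'` in the `config dnsmasq` section of /etc/config/dhcp).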