On Wed, 5 Dec 2018 10:56:48 -0500
Marco Shmerykowsky PE via samba <samba at lists.samba.org> wrote:

>
> On 12/5/2018 10:37 AM, Marco Shmerykowsky via samba wrote:
> > On Wed, December 5, 2018 9:52 am, Rowland Penny via samba wrote:
> >> On Wed, 5 Dec 2018 09:41:13 -0500
> >> Marco Shmerykowsky via samba <samba at lists.samba.org> wrote:
> >>
> >>> I'm trying to set up a Samba4 Active Directory server.
> >>>
> >>> I've gotten the server running, the IP addresses resolve
> >>> properly. The Windows10 client can join the domain.
> >>> I've run the basic checks that seem to be listed
> >>> on the samba wiki and get the expected results.
> >>>
> >>> I've modified nsswitch.conf to include winbind on the
> >>> passwd and group lines.
> >>>
> >>> I've made sure all machines are pointing to the same
> >>> NTP server so that time is synched.
> >>>
> >>> I've created a user using -> samba-tool user create jdoe
> >>>
> >>> I've added the computer using -> samba-tool computer create
> >>> MACHINE01
> >>>
> >>> I've created a "test-share" with ownership set to the
> >>> group "Domain Users":
> >>>
> >>> [Test-Share]
> >>>         path = /home/test-share
> >>>         writable = yes
> >>>         create mode = 0770
> >>>         directory mode = 0770
> >>>         guest ok = no
> >>>
> >>> When I run Server Manager in Win10 I get an error that
> >>> states: "Kerberos authentication error"
> >>>
> >>> When I try to login with the user, Windows gives me this:
> >>>
> >>> "We can't sign you in with this credential because your
> >>> domain isn't available. Make sure your device is connected
> >>> to your organization's network and try again."
> >>>
> >>> Login authentication didn't seem to work before I
> >>> added the test-share either.
> >>>
> >>> What did I miss?
> >>>
> >>
> >> You missed posting your smb.conf for a start ;-)
> >>
> >> Did you actually join the Win10 machine to the domain?
> >> Creating it with samba-tool isn't enough.
> >>
> >> Rowland
> >
> > Smb.conf (domain names made 'generic'):
> >
> > # Global parameters
> > [global]
> >         dns forwarder = 4.2.2.2
> >         netbios name = MACHINE254
> >         realm = INTERNAL.COMPANY.COM
> >         server role = active directory domain controller
> >         workgroup = INTERNAL
> >         idmap_ldb:use rfc2307 = yes
> >
> > [netlogon]
> >         path = /var/lib/samba/sysvol/internal.company.com/scripts
> >         read only = No
> >
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> >
> > [Test-Share]
> >         path = /home/test-share
> >         writable = yes
> >         create mode = 0770
> >         directory mode = 0770
> >         guest ok = no
> >
> > Windows reported that the machine joined the domain
> > when I used the windows interface at System
> > Properties -> Computer Name.
> >
> >
> One more tidbit. I ran the provisioning twice.
>
> First time around I used int.company.com and second time around
> I used internal.company.com. Did that leave contradictory
> information floating in the system?

No, provided you removed the smb.conf (and the provision would have
complained if you hadn't), the next provision would wipe the previous
one.

This does raise a possibility: the REALM has to be the same as the dns
domain, so what is the dns domain name? The easiest way to find out is
to open a terminal on the DC and type 'hostname -d'; if it isn't
'internal.company.com' then you need to provision again.

Another possibility is that you do not have winbind installed.

This probably hasn't anything to do with your main problem, but you
should change your share to this:

[Test-Share]
        path = /home/test-share
        read only = No

When you get your DC working, set the permissions from Windows, see
here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland
On 12/5/2018 11:14 AM, Rowland Penny via samba wrote:
> On Wed, 5 Dec 2018 10:56:48 -0500
> Marco Shmerykowsky PE via samba <samba at lists.samba.org> wrote:
>
>> One more tidbit. I ran the provisioning twice.
>>
>> First time around I used int.company.com and second time around
>> I used internal.company.com. Did that leave contradictory
>> information floating in the system?
>
> No, provided you removed the smb.conf (and the provision would have
> complained if you hadn't), the next provision would wipe the previous
> one.
>
> This does raise a possibility, The REALM has to be the same as the dns
> domain, so what is the dns domain name ?
> easiest way to find out is to open a terminal on the DC and type
> 'hostname -d', if it isn't 'internal.company.com' then you need to
> provision again.
>
> Another possibility is that you do not have winbind installed.
>
> This probably hasn't anything to do with your main problem, but you
> should change your share to this:
>
> [Test-Share]
>         path = /home/test-share
>         read only = No
>
> When you get your DC working, set the permissions from Windows, see
> here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland

The Realm matches the DNS.

hostname -d returns -> internal.company.com

domain name is internal.company.com

I can ping both internal.company.com and
machine254.internal.company.com; both resolve to the IP of MACHINE254.

I checked winbind using the commands on the following page & all
returned as expected.

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Testing_the_Winbindd_Connectivity
On Wed, 5 Dec 2018 11:33:01 -0500
Marco Shmerykowsky PE via samba <samba at lists.samba.org> wrote:

>
> The Realm matches the DNS.
>
> hostname -d returns -> internal.company.com
>
> domain name is internal.company.com
>
> I can ping both internal.company.com and
> machine254.internal.company.com both resolve to the IP of MACHINE254
>
> I checked winbind using the commands on the following page & all
> returned as expected.
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Testing_the_Winbindd_Connectivity
>

You have never said what OS you are using, but check /etc/krb5.conf.
Does it start with an 'include' line? If so, remove it.

Can you post the following files:

/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
/etc/nsswitch.conf

Rowland
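The checks Rowland asks for in this and the previous reply (realm against `hostname -d`, winbind on the passwd/group lines of nsswitch.conf, a leading include line in /etc/krb5.conf, resolv.conf pointing at the DC itself), scripted as an added example that is not from the thread or from the Samba project. The smb.conf path /etc/samba/smb.conf and the use of `hostname -I` for the DC's address are assumptions; every function takes the file path as a parameter so it can also be run against copies of the posted files.

```shell
#!/bin/sh
# Added example (not from the thread): scripted sanity checks for the
# settings Rowland asks about. Paths, realm and DC address are parameters;
# "--run" checks the live files on the DC (assumes /etc/samba/smb.conf).

# Print the "realm =" value from an smb.conf (empty if absent).
smb_realm() {
    sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# The realm must equal the DNS domain from "hostname -d" (case-insensitive).
realm_matches_dns() {
    r=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    d=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ -n "$r" ] && [ "$r" = "$d" ]
}

# Fedora ships a krb5.conf that begins with "includedir /etc/krb5.conf.d/";
# succeed only when the first non-blank, non-comment line is not include*.
krb5_has_no_include() {
    first=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | head -n 1)
    case "$first" in
        include*) return 1 ;;
        *) return 0 ;;
    esac
}

# winbind must appear on both the passwd and group lines of nsswitch.conf.
nss_has_winbind() {
    for db in passwd group; do
        grep "^[[:space:]]*$db:" "$1" | grep -qw winbind || return 1
    done
    return 0
}

# The DC must resolve through itself: first nameserver == the DC's IP.
resolv_points_at_dc() {
    ns=$(sed -n 's/^nameserver[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$ns" ] && [ "$ns" = "$2" ]
}

# Live run on the DC; "hostname -I" (GNU/Linux) gives the primary address.
run_checks() {
    realm_matches_dns "$(smb_realm /etc/samba/smb.conf)" "$(hostname -d)" && echo "ok: realm" || echo "FAIL: realm != hostname -d"
    krb5_has_no_include /etc/krb5.conf && echo "ok: krb5.conf" || echo "FAIL: krb5.conf starts with include"
    nss_has_winbind /etc/nsswitch.conf && echo "ok: nsswitch" || echo "FAIL: no winbind in nsswitch.conf"
    resolv_points_at_dc /etc/resolv.conf "$(hostname -I | cut -d' ' -f1)" && echo "ok: resolv" || echo "FAIL: nameserver is not this DC"
}
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run as `sh dc-checks.sh --run` on the DC; a provision done under the wrong domain (int.company.com in the thread) shows up as the realm check failing.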
On Wed, 5 Dec 2018 12:19:39 -0500
Marco Shmerykowsky PE <marco at sce-engineers.com> wrote:

>
> --
>
> Marco J. Shmerykowsky, PE, F.ASCE
> marco at sce-engineers.com
>
> -----------------------------------------
> Shmerykowsky Consulting Engineers
> Structural Analysis & Design
> 102 West 38th Street, 2nd Floor
> New York, New York 10018
> Tel. (212) 719-9700 Fax. (212) 719-4822
> http://www.sce-engineers.com
> -----------------------------------------
>
> On 12/5/2018 12:11 PM, Rowland Penny via samba wrote:
> > You have never said what OS you are using, but check /etc/krb5.conf.
> > Does it start with an 'include' line ?
> > If so remove it
> >
> > Can you post the following files
> >
> > /etc/hostname
> > /etc/hosts
> > /etc/resolv.conf
> > /etc/krb5.conf
> > /etc/nsswitch.conf
> >
> > Rowland
>
> Server: Fedora 29 with Samba 4.9.2
> Client: Windows 10 version 1803 Build 17134.441
>
> /etc/hostname:
>
> machine254
>
> /etc/hosts:
>
> 127.0.0.1       localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1             localhost localhost.localdomain localhost6 localhost6.localdomain6
> 192.168.0.251   machine254.internal.company.com machine254
>
> /etc/resolv.conf:
>
> # Generated by NetworkManager
> nameserver 192.168.0.251
>
> /etc/krb5.conf:
>
> default_realm = INTERNAL.COMPANY.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> /etc/nsswitch.conf:
>
> # Generated by authselect on Fri Jun 1 19:19:08 2018
> # Do not modify this file manually.
>
> passwd:     sss files systemd winbind
> group:      sss files systemd winbind
> netgroup:   sss files
> automount:  sss files
> services:   sss files
> sudoers:    files sss
>
> shadow:     files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> hosts:      files dns myhostname
>
> aliases:    files nisplus
> bootparams: nisplus [NOTFOUND=return] files
> publickey:  nisplus
>

Are you using the OS's Samba packages? If so, you should be aware that
they are deemed experimental and do not fully work; they have problems
and this could be another one of them.

Rowland
On 12/5/2018 12:28 PM, Rowland Penny via samba wrote:
> On Wed, 5 Dec 2018 12:19:39 -0500
> Marco Shmerykowsky PE <marco at sce-engineers.com> wrote:
>
>> Server: Fedora 29 with Samba 4.9.2
>> Client: Windows 10 version 1803 Build 17134.441
>
> Are you using the OS's Samba packages ?
> If so, you should be aware that they are deemed experimental and do not
> fully work, they have problems and this could be another one of them.
>
> Rowland

I was not aware of that. Suggestions?