rawi
2017-Jan-17 11:32 UTC
[Samba] SOLVED(aproximative?): Difficulties with Windows XP: failed to find cifs/fileserver.y.z@Y.Z in keytab (arcfour-hmac-md5)
Samba - General mailing list wrote
> On Tue, 17 Jan 2017 03:03:28 -0800 (PST)
> rawi via samba <samba at lists.samba.org> wrote:
>
>> Samba - General mailing list wrote
>>
>> Rowland, thank you
>>
>> Please note the comments starting with two '#'. They give info about
>> erroneous behavior I encountered.
>>
>> The manual says that "domain master = auto" means "NO", if "domain
>> logons = NO" and this is default.
>> Please note also the behavior of "hosts allow ... except" on the AD-DC
>>
>> here it comes...
>>
>> root at hg-dc1:/etc/samba# cat smb.conf
>> ## Global parameters
>> [global]
>> workgroup = HUMGEN
>> realm = HUMGEN.0ZONE
>> netbios name = HG-DC1
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc
>> #dnsupdate
>> ## all dns and dhcp is static for humgen.0zone and _msdcs.humgen.0zone
>> ## and contains all I have, inclusive printer and lab devices, which are not in the domain
>> ## all dns tests are positive and all clients get DNS
>>
>> idmap_ldb:use rfc2307 = yes
>> dns-nameservers 127.0.0.1
>>
>> tls enabled = yes
>> tls keyfile = tls/myKey.pem
>> tls certfile = tls/myCert.pem
>> tls cafile =
>>
>> ## WITHOUT THIS no old WindowsXP will find the AD-DC to join,
>> ## even if I've already set the IP of the wins server to the AD-DC in numerical form
>> ## Error is, that no SRV record could be found for the domain. BUT nslookup shows manually all needed
>> ## After the join, WindowsXP seems to stay joined and allow further login
>> ## EVEN if I take these configs back
>> #domain logons = yes
>> #domain master = yes
>> #local master = yes
>>
>> ## hosts allow on AD-DC breaks everything.
>> ## No more wbinfo on the DC, no more id or getent passwd on the domain member
>> ## BUG?
>> #hosts allow = X.Y.Z.0/255.255.255.0 localhost EXCEPT X.Y.Z.123
>>
>> ## don't show the shares
>> browseable = no
>>
>> map to guest = never
>>
>> ## allow no local caching of data on the client
>> csc policy = disable
>>
>> hide unreadable = yes
>> hide dot files = no
>>
>> ## new session kills possible old connection from the same IP. Avoids lock on files by old connections
>> reset on zero vc = yes
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/humgen.0zone/scripts
>> read only = Yes
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> <<<<< smb.conf AD-DC END
>>
>> And now as a side note and deja vu for me, look what I wrote in the
>> old smb.conf (still working since 2009) for a NT-domain with
>> Samba/smbd version 3.4.0 :)
>>
>> ## samba accepts no new computer in the domain if this
>> ## browse options equals NO ?!
>> preferred master = yes
>> local master = yes
>> domain master = yes
>>
>> Regards
>> rawi
>
> OK, first question, are you using BIND9_DLZ on the DC ?
>
> Rowland

NO BIND9_DLZ, no dns updates.

As mentioned (commented) in the config: all dns comes from bind9 from static zones containing all I have and supplementary all records samba AD-DC would need (SOA for _msdcs and its objects etc.).

The newer Windows Versions (7 and 8.1) are doing perfectly.

rawi

--
View this message in context: http://samba.2283325.n4.nabble.com/Difficulties-with-Windows-XP-failed-to-find-cifs-fileserver-y-z-Y-Z-in-keytab-arcfour-hmac-md5-tp4713385p4713552.html
Sent from the Samba - General mailing list archive at Nabble.com.
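Added example, not code from the thread or from the Samba project: a small Python linter for the smb.conf format, run over a sample modelled on the DC config quoted above. It parses sections, comments and `name = value` parameters and flags the points this message raises: the `dns-nameservers 127.0.0.1` line, which is not an smb.conf parameter at all; the NT4-style `domain logons` / `domain master` / `local master` parameters on an AD DC; a global `hosts allow` on the DC, which the poster reports broke `wbinfo` and `getent`; and `tls cafile =` left empty while TLS is enabled. The sample config is constructed (the commented-out parameters are enabled so the checks have something to catch); the parameter names are real Samba parameters, while the rules and messages are the example's own.

```python
import re

# Constructed sample modelled on the DC smb.conf quoted in this message; it is
# not the poster's file verbatim (the commented-out parameters are enabled so
# that the linter has something to flag).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = HUMGEN
    realm = HUMGEN.0ZONE
    netbios name = HG-DC1
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    dns-nameservers 127.0.0.1
    tls enabled = yes
    tls keyfile = tls/myKey.pem
    tls certfile = tls/myCert.pem
    tls cafile =
    ; NT4-style logon/browse parameters the poster experimented with
    domain logons = yes
    domain master = yes
    local master = yes
    hosts allow = X.Y.Z.0/255.255.255.0 localhost EXCEPT X.Y.Z.123
    browseable = no
    map to guest = never

[netlogon]
    path = /var/lib/samba/sysvol/humgen.0zone/scripts
    read only = Yes
"""

# Parameters that only mean something for an NT4-style PDC/BDC or NetBIOS
# browse elections; on an AD DC they do nothing useful.
NT4_PARAMS = {"domain logons", "domain master", "local master", "preferred master"}


def _norm(name):
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", " ", name.strip().lower())


def parse_smb_conf(text):
    """Parse smb.conf text into ({section: {param: value}}, malformed).

    malformed is a list of (lineno, line) for lines that are neither a
    [section] header, a '#'/';' comment nor a 'name = value' parameter.
    """
    sections, malformed, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line or current is None:
            malformed.append((lineno, line))
            continue
        name, value = line.split("=", 1)
        sections[current][_norm(name)] = value.strip()
    return sections, malformed


def lint_smb_conf(text):
    """Return (location, message) findings for the issues raised in the thread."""
    sections, malformed = parse_smb_conf(text)
    findings = []
    for lineno, line in malformed:
        findings.append((f"line {lineno}",
                         f"not a 'name = value' parameter, so Samba cannot use it: {line!r}"))
    g = sections.get("global", {})
    is_ad_dc = "active directory domain controller" in g.get("server role", "").lower()
    if is_ad_dc:
        for param in sorted(NT4_PARAMS & set(g)):
            findings.append((f"[global] {param}",
                             "NT4 domain/browse parameter; it has no role on an AD DC"))
        if "hosts allow" in g:
            findings.append(("[global] hosts allow",
                             "global host filter on a DC: the thread reports it broke wbinfo and "
                             "getent; filter with the host firewall or per share instead"))
    # 'unset' default distinguishes an absent parameter from an empty one.
    if g.get("tls enabled", "").lower() == "yes" and not g.get("tls cafile", "unset"):
        findings.append(("[global] tls cafile",
                         "empty while tls enabled = yes; LDAPS clients cannot validate the chain"))
    return findings


if __name__ == "__main__":
    for where, msg in lint_smb_conf(SAMPLE_SMB_CONF):
        print(f"{where}: {msg}")
```

Samba's own `testparm` remains the authoritative syntax check for the file; this script only adds the thread-specific rules on top of a minimal parser, and the `hosts allow` rule repeats what the poster observed rather than a documented Samba limitation.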
Rowland Penny
2017-Jan-17 11:52 UTC
[Samba] SOLVED(aproximative?): Difficulties with Windows XP: failed to find cifs/fileserver.y.z@Y.Z in keytab (arcfour-hmac-md5)
On Tue, 17 Jan 2017 03:32:46 -0800 (PST)
rawi via samba <samba at lists.samba.org> wrote:

> Samba - General mailing list wrote
> > OK, first question, are you using BIND9_DLZ on the DC ?
> >
> > Rowland
>
> NO BIND9_DLZ, no dns updates.
>
> As mentioned (commented) in the config: all dns comes from bind9 from
> static zones containing all I have and supplementary all records
> samba AD-DC would need (SOA for _msdcs and its objects etc.).
>
> The newer Windows Versions (7 and 8.1) are doing perfectly.
>
> rawi
>

And there is your problem, AD lives (or dies) on DNS, unlike NT. You have this line 'dns-nameservers 127.0.0.1' in your smb.conf. It is useless, it is pointing to itself and you are not running a dns server, even if you were running a dns server, it shouldn't point to itself.

There are those that say you can run a Samba AD DC in the way you are trying, but that way is not supported.

You need to run a dns server on the DC and point anything outside the AD domain to another dns server.

Supported DNS servers are the internal DNS server or Bind9 with dlz.

I suggest you go and read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Rowland
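Rowland's point that AD lives or dies on DNS can be checked mechanically against a static zone like the one the poster maintains. Added example, not code from the thread or from the Samba project: a Python checker that pulls SRV and A records out of BIND zone text and reports which domain-wide DC-locator SRV names are missing, whether each carries the expected port, and whether each SRV target has an A record in the zone. The zone excerpt is constructed for the realm in the thread (one record deliberately has the wrong port and three locator names are omitted); the record names are the standard AD locator names, while the port table and checks are the example's own.

```python
import re

# Constructed zone excerpt for the realm in the thread (not the poster's
# real zone). One record deliberately carries the wrong port and three of
# the locator names are left out so the checker has something to report.
SAMPLE_ZONE = """\
$ORIGIN humgen.0zone.
$TTL 3600
@                        IN SOA hg-dc1.humgen.0zone. hostmaster.humgen.0zone. (
                             2017011701 3600 900 604800 3600 )
@                        IN NS  hg-dc1.humgen.0zone.
hg-dc1                   IN A   192.0.2.10
_ldap._tcp               IN SRV 0 100 389 hg-dc1.humgen.0zone.
_kerberos._tcp           IN SRV 0 100 88  hg-dc1.humgen.0zone.
_kerberos._udp           IN SRV 0 100 88  hg-dc1.humgen.0zone.
_kpasswd._tcp            IN SRV 0 100 88  hg-dc1.humgen.0zone.  ; wrong port, should be 464
_ldap._tcp.dc._msdcs     IN SRV 0 100 389 hg-dc1.humgen.0zone.
_kerberos._tcp.dc._msdcs IN SRV 0 100 88  hg-dc1.humgen.0zone.
"""

# Domain-wide DC locator records and the port each must point at.
# Site-specific (_sites) and domain-GUID (domains._msdcs) names are
# deliberately left out: they depend on values only the DC knows.
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_ldap._tcp.dc._msdcs": 389,
    "_kerberos._tcp.dc._msdcs": 88,
    "_ldap._tcp.pdc._msdcs": 389,
    "_gc._tcp": 3268,
    "_ldap._tcp.gc._msdcs": 3268,
}

# owner [ttl] [IN] SRV prio weight port target   /   owner [ttl] [IN] A addr
SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$", re.I)
A_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\d+\.\d+\.\d+\.\d+)$", re.I)


def _fqdn(name, origin):
    """Expand a zone-file owner/target name to a lower-case absolute name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text):
    """Collect SRV and A records: ({name: [(prio, weight, port, target)]}, {name: ip})."""
    origin, srv, a = ".", {}, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop zone-file comments
        if not line.strip():
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        m = SRV_RE.match(line)
        if m:
            rec = (int(m.group(2)), int(m.group(3)), int(m.group(4)), _fqdn(m.group(5), origin))
            srv.setdefault(_fqdn(m.group(1), origin), []).append(rec)
            continue
        m = A_RE.match(line)
        if m:
            a[_fqdn(m.group(1), origin)] = m.group(2)
    return srv, a


def check_ad_srv(zone_text, realm):
    """Report missing locator SRV records, wrong ports and targets without an A record."""
    srv, a = parse_zone(zone_text)
    suffix = realm.lower().rstrip(".") + "."
    problems = []
    for rel, want_port in REQUIRED_SRV.items():
        name = f"{rel}.{suffix}"
        if name not in srv:
            problems.append(f"missing SRV {name}")
            continue
        for _prio, _weight, port, target in srv[name]:
            if port != want_port:
                problems.append(f"{name}: port {port}, expected {want_port}")
            if target not in a:
                problems.append(f"{name}: target {target} has no A record in this zone")
    return problems


if __name__ == "__main__":
    for problem in check_ad_srv(SAMPLE_ZONE, "humgen.0zone"):
        print(problem)
```

The list above is the domain-wide minimum a Windows client's DC locator queries; the `samba_dnsupdate` tool on the DC knows the complete set it would publish, including the site-specific and domain-GUID names that a hand-maintained zone has to carry as well, which is why the supported setups let Samba (internal DNS or BIND9_DLZ) own those records.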
rawi
2017-Jan-17 12:23 UTC
[Samba] SOLVED(aproximative?): Difficulties with Windows XP: failed to find cifs/fileserver.y.z@Y.Z in keytab (arcfour-hmac-md5)
Samba - General mailing list wrote
> And there is your problem, AD lives (or dies) on DNS, unlike NT. You
> have this line 'dns-nameservers 127.0.0.1' in your smb.conf. It is
> useless, it is pointing to itself and you are not running a dns
> server, even if you were running a dns server, it shouldn't point to
> itself.
>
> There are those that say you can run a Samba AD DC in the way you are
> trying, but that way is not supported.
>
> You need to run a dns server on the DC and point anything outside the
> AD domain to another dns server
>
> Supported DNS servers are the internal DNS server or Bind9 with dlz.
>
> I suggest you go and read this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>
> Rowland

Rowland, thank you!

I've read the "Setting_UP" and many others up and down... And I know the recommendations, but sometimes one needs a special setting.

Even if dns-nameservers 127.0.0.1 is useless, no harm, but I wish one single name space for all I have, with a part of it in an AD. That's why I'm trying workarounds and hope for the help of the community, which has seemingly already achieved such things - as you say - even unsupported.

It is clear to me, that the Samba Team cannot support any possible configuration, but a simple workable setup for all. On the other way, Microsoft doesn't officially support Windows working flawlessly with Samba in place of its own servers, but we are doing this all the time ;)

When I'll reach a stable situation for the clients I have now, I'll freeze the installation for another couple of years and live happily with it.

Regards
rawi

--
View this message in context: http://samba.2283325.n4.nabble.com/Difficulties-with-Windows-XP-failed-to-find-cifs-fileserver-y-z-Y-Z-in-keytab-arcfour-hmac-md5-tp4713385p4713554.html