Hello,
when I try to login to AD member via IP-Address from Windows Client it
works.

Login to AD Member from Windows Client via DNS Name fails.
Windows Errorcode: 0x80070035

Dc1: Samba 4.5.12+dfsg-2+deb9u2
AD Member: Samba 4.5.12+dfsg-2+deb9u2

winbindd.log (AD Member)

[2018/06/27 12:49:58.787087, 1]
../source3/winbindd/winbindd_pam.c:2567(winbindd_pam_auth_pac_send)
Error during PAC signature verification: NT_STATUS_UNSUCCESSFUL
[2018/06/27 12:50:17.766117, 1]
../source3/winbindd/winbindd_pam.c:2502(extract_pac_vrfy_sigs)
Failed to initialize kerberos context: Invalid argument

win-client.log (AD Member)

[2018/06/27 12:49:13.354207, 1]
../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
Failed to fetch record!
[2018/06/27 12:49:13.354282, 1]
../source3/smbd/server_reload.c:69(delete_and_reload_printers)
pcap cache not loaded

smb.conf (AD Member)

security = ADS
workgroup = DOM
realm = DOM.EXAMPLE.COM

bind interfaces only = yes
interfaces = lo eth0

log file = /var/log/samba/%m.log
log level = 1

idmap config * : backend = tdb
idmap config * : range = 1000-1005

# idmap config for the DOM domain
idmap config KES:backend = ad
idmap config KES:schema_mode = rfc2307
idmap config KES:range = 1006-999999

winbind enum users = yes
winbind enum groups = yes
template homedir = /home/users/%U
template shell = /bin/bash

winbind use default domain = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

Login via smbclient also works.
What's wrong?

Best Regards,
On Wed, 27 Jun 2018 13:04:12 +0200 basti via samba <samba at lists.samba.org> wrote:

> Hello,
> when I try to login to AD member via IP-Address from Windows Client it
> works.
>
> Login to AD Member from Windows Client via DNS Name fails.
> Windows Errorcode: 0x80070035
>
> Dc1: Samba 4.5.12+dfsg-2+deb9u2
> AD Member: Samba 4.5.12+dfsg-2+deb9u2
>
> winbindd.log (AD Member)
>
> [2018/06/27 12:49:58.787087, 1]
> ../source3/winbindd/winbindd_pam.c:2567(winbindd_pam_auth_pac_send)
> Error during PAC signature verification: NT_STATUS_UNSUCCESSFUL
> [2018/06/27 12:50:17.766117, 1]
> ../source3/winbindd/winbindd_pam.c:2502(extract_pac_vrfy_sigs)
> Failed to initialize kerberos context: Invalid argument
>
>
> win-client.log (AD Member)
>
> [2018/06/27 12:49:13.354207, 1]
> ../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
> Failed to fetch record!
> [2018/06/27 12:49:13.354282, 1]
> ../source3/smbd/server_reload.c:69(delete_and_reload_printers)
> pcap cache not loaded
>
>
> smb.conf (AD Member)
>
> security = ADS
> workgroup = DOM
> realm = DOM.EXAMPLE.COM
>
> bind interfaces only = yes
> interfaces = lo eth0
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config * : backend = tdb
> idmap config * : range = 1000-1005

The above range is much too small, there are more than 6 'Well known SIDs'

>
> # idmap config for the DOM domain
> idmap config KES:backend = ad
> idmap config KES:schema_mode = rfc2307
> idmap config KES:range = 1006-999999

I hope this is just a typo, but just in case it isn't, 'KES' != 'DOM'

I also hope you don't use sudo on this machine, mainly because you
cannot have any local Unix users with the set ranges.

>
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/users/%U
> template shell = /bin/bash
>
> winbind use default domain = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>

Rowland
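The two idmap problems pointed out in the reply (a default '*' range too small to hold the well-known SIDs, and a per-domain block named for a domain other than the configured workgroup) are easy to miss by eye, and the remark about local Unix users is a third one: a local account whose UID sits inside an idmap range can collide with a domain user. The script below is an added example written for this thread; it is not code from the thread or from the Samba project. It parses the [global] section of an smb.conf, checks those three points plus overlapping ranges, and reports findings. The sample config is a constructed copy of the one posted above, the local UID list is constructed (the thread mentions uid 1000), and the minimum size for the '*' range is an assumed heuristic rather than a Samba rule.

```python
import re

# Constructed sample input: the AD member's [global] section from the thread,
# reproducing the two points raised in the reply (tiny '*' range and the
# 'KES' domain name that does not match 'workgroup = DOM').
SAMPLE_SMB_CONF = """\
[global]
   workgroup = DOM
   realm = DOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 1000-1005
   # idmap config for the DOM domain
   idmap config KES:backend = ad
   idmap config KES:schema_mode = rfc2307
   idmap config KES:range = 1006-999999
"""

# Constructed: UIDs of local (non-domain) Unix accounts on the member, as you
# would collect them from /etc/passwd; the thread mentions one, uid 1000.
SAMPLE_LOCAL_UIDS = [1000]

# Assumed heuristic, not a Samba rule: flag a '*' range that cannot hold at
# least this many IDs (Samba's documented examples span several thousand).
MIN_DEFAULT_RANGE_SIZE = 1000

IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)
KV_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<val>.+?)\s*$")


def parse_smb_conf(text):
    """Parse the [global] section of an smb.conf text.

    Returns (globals, idmap): globals maps lowercased parameter name -> value,
    idmap maps idmap domain name ('*', 'DOM', ...) -> {option: value}.
    Share sections are skipped; comment lines (# or ;) are ignored.
    """
    globals_, idmap, section = {}, {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("dom").strip()
            idmap.setdefault(dom, {})[m.group("opt").lower()] = m.group("val")
            continue
        m = KV_RE.match(line)
        if m:
            key = re.sub(r"\s+", " ", m.group("key").strip().lower())
            globals_[key] = m.group("val")
    return globals_, idmap


def parse_range(value):
    """'1000-1005' -> (1000, 1005); raises ValueError on malformed input."""
    lo, hi = (int(x) for x in re.split(r"\s*-\s*", value.strip(), maxsplit=1))
    if lo > hi:
        raise ValueError(f"idmap range lower bound {lo} exceeds upper bound {hi}")
    return lo, hi


def check_idmap(globals_, idmap, local_uids=()):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    workgroup = globals_.get("workgroup", "").upper()

    # 1. The '*' (default) backend maps BUILTIN and well-known SIDs, so it
    #    must exist and must be big enough to hold all of them.
    default = idmap.get("*", {})
    if "range" not in default:
        findings.append("no 'idmap config * : range' defined")
    else:
        lo, hi = parse_range(default["range"])
        if hi - lo + 1 < MIN_DEFAULT_RANGE_SIZE:
            findings.append(f"default ('*') range {lo}-{hi} holds only {hi - lo + 1} IDs; "
                            "well-known SIDs and BUILTIN groups will not all get a mapping")

    # 2. A per-domain block whose name is not the workgroup is never consulted
    #    for the member's own domain (a typo, unless it is a trusted domain).
    for dom in idmap:
        if dom != "*" and dom.upper() != workgroup:
            findings.append(f"idmap domain '{dom}' does not match workgroup '{workgroup}'; "
                            "fix the typo or confirm it is a trusted domain")

    # 3. No two idmap ranges may overlap.
    ranges = {d: parse_range(c["range"]) for d, c in idmap.items() if "range" in c}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")

    # 4. Local Unix accounts must stay outside every idmap range, otherwise a
    #    domain user can be allocated the same UID as a local account.
    for uid in local_uids:
        for dom, (lo, hi) in ranges.items():
            if lo <= uid <= hi:
                findings.append(f"local uid {uid} lies inside the '{dom}' idmap range {lo}-{hi}")
    return findings


def check_conf_text(text, local_uids=()):
    """Parse a config string and return its findings."""
    globals_, idmap = parse_smb_conf(text)
    return check_idmap(globals_, idmap, local_uids)


if __name__ == "__main__":
    for finding in check_conf_text(SAMPLE_SMB_CONF, SAMPLE_LOCAL_UIDS):
        print("-", finding)
```

Run against the posted config it reports three findings: the six-ID default range, the 'KES' vs 'DOM' mismatch, and uid 1000 sitting inside the '*' range. On a real member you would feed it the contents of /etc/samba/smb.conf and the UIDs from /etc/passwd; Samba's own testparm checks syntax but not these semantic points, which is why a check like this is worth keeping beside it.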
On 27.06.2018 13:43, Rowland Penny via samba wrote:
> On Wed, 27 Jun 2018 13:04:12 +0200
> basti via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>> when I try to login to AD member via IP-Address from Windows Client it
>> works.
>>
>> Login to AD Member from Windows Client via DNS Name fails.
>> Windows Errorcode: 0x80070035
>>
>> Dc1: Samba 4.5.12+dfsg-2+deb9u2
>> AD Member: Samba 4.5.12+dfsg-2+deb9u2
>>
>> winbindd.log (AD Member)
>>
>> [2018/06/27 12:49:58.787087, 1]
>> ../source3/winbindd/winbindd_pam.c:2567(winbindd_pam_auth_pac_send)
>> Error during PAC signature verification: NT_STATUS_UNSUCCESSFUL
>> [2018/06/27 12:50:17.766117, 1]
>> ../source3/winbindd/winbindd_pam.c:2502(extract_pac_vrfy_sigs)
>> Failed to initialize kerberos context: Invalid argument
>>
>>
>> win-client.log (AD Member)
>>
>> [2018/06/27 12:49:13.354207, 1]
>> ../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
>> Failed to fetch record!
>> [2018/06/27 12:49:13.354282, 1]
>> ../source3/smbd/server_reload.c:69(delete_and_reload_printers)
>> pcap cache not loaded
>>
>>
>> smb.conf (AD Member)
>>
>> security = ADS
>> workgroup = DOM
>> realm = DOM.EXAMPLE.COM
>>
>> bind interfaces only = yes
>> interfaces = lo eth0
>>
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 1000-1005
>
> The above range is much too small, there are more than 6 'Well known
> SIDs'
>
>>
>> # idmap config for the DOM domain
>> idmap config KES:backend = ad
>> idmap config KES:schema_mode = rfc2307
>> idmap config KES:range = 1006-999999
>
> I hope this is just a typo, but just in case it isn't, 'KES' != 'DOM'
>
> I also hope you don't use sudo on this machine, mainly because you
> cannot have any local Unix users with the set ranges.
>
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>> template homedir = /home/users/%U
>> template shell = /bin/bash
>>
>> winbind use default domain = yes
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>>
>
> Rowland
>

That is just a typo, and yes there is only one local user with id 1000.