Thomas Glanzmann
2018-Jul-18 15:25 UTC
[Samba] Samba AD 4.8.3 Windows Server 2016 Active Directory Users and Computers: The procedure number is out of range
Hello,

I try to connect with Active Directory Users and Computers from a W2k16 to a Samba 4.8.3 DC. I get the following error message:

https://thomas.glanzmann.de/static/63a3e0ba-8a9d-11e8-891f-f3ff022aacb0/screenshot-x1-2018-07-18-17_12_49.png

---------------------------
Active Directory Domain Services
---------------------------
Naming information cannot be located because:

The procedure number is out of range.

Contact your system administrator to verify that your domain is properly configured and is currently online.
---------------------------
OK
---------------------------

In the logs with debug level 3 I don't see anything. My Samba Config and setup script is here, my logs as well:

https://thomas.glanzmann.de/static/63a3e0ba-8a9d-11e8-891f-f3ff022aacb0/

But what I really would like to do is enable the following:

https://livelibrary.osisoft.com/LiveLibrary/content/en/vision-v1/GUID-799220A0-4967-45CE-A592-45E3FC10C752#addHistory=true&filename=GUID-4B33BAFA-A923-4550-B3DC-CAD83E3C0587.xml&docid=GUID-799220A0-4967-45CE-A592-45E3FC10C752&inner_id=&tid=&query=&scope=&resource=&toc=false&eventType=lcContent.loadDocGUID-799220A0-4967-45CE-A592-45E3FC10C752

Setup delegation for a machine account 'Trust this computer for delegation to any service (Kerberos only)'. Is there a way to do this from the command line? For the user account I think I found it:

(infra) [/local/samba-config/v101] / /local/samba/bin/samba-tool delegation for-any-protocol -s /home/sithglan/work/scripts/lab/output/smb-v101.conf Administrator on
ldb_wrap open of secrets.ldb
(infra) [/local/samba-config/v101] / /local/samba/bin/samba-tool delegation for-any-service -s /home/sithglan/work/scripts/lab/output/smb-v101.conf Administrator on
(infra) [/local/samba-config/v101] / /local/samba/bin/samba-tool delegation show -s /home/sithglan/work/scripts/lab/output/smb-v101.conf Administrator

Note, my goal is to run 9 different active directory domains in different VLANs, so far I succeeded. And with samba my setup time went down from 10 minutes to 15 seconds. I'm setting up Active Directory Domains for training environments on a regular basis (once a week).

I'm grateful for any pointers.

Cheers,
Thomas
Thomas Glanzmann
2018-Jul-18 15:30 UTC
[Samba] Samba AD 4.8.3 Windows Server 2016 Active Directory Users and Computers: The procedure number is out of range
Hello,

> Setup delegation for a machine account 'Trust this computer for
> delegation to any service (Kerberos only)'. Is there a way to do this
> from the command line?

This one, I can answer by myself. Just specify the machine account instead of a user account:

samba-tool delegation for-any-service IAAS-01\$ on
samba-tool delegation for-any-protocol IAAS-01\$ on

Cheers,
Thomas
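[Added example, not part of the original thread or of Samba's code.] The two samba-tool subcommands above set bits in the account's userAccountControl attribute: for-any-service sets UF_TRUSTED_FOR_DELEGATION and for-any-protocol sets UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION. The sketch below audits an LDIF export of account objects for those bits; the function names and the sample LDIF (DNs, account names, values) are constructed for illustration, and the LDIF is assumed to come from a directory export such as ldbsearch.

```python
import re

# userAccountControl bits toggled by "samba-tool delegation" (values per MS-ADTS)
UF_SERVER_TRUST_ACCOUNT = 0x00002000            # domain controller account
UF_TRUSTED_FOR_DELEGATION = 0x00080000          # for-any-service (Kerberos only)
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # for-any-protocol

# Constructed sample LDIF; DNs, names and values are made up for illustration.
SAMPLE_LDIF = """\
dn: CN=IAAS-01,CN=Computers,DC=v101,DC=tuvl,DC=de
sAMAccountName: IAAS-01$
userAccountControl: 17305600

dn: CN=AD,OU=Domain Controllers,DC=v101,DC=tuvl,DC=de
sAMAccountName: AD$
userAccountControl: 532480

dn: CN=WS-02,CN=Computers,DC=v101,DC=tuvl,DC=de
sAMAccountName: WS-02$
userAccountControl: 4096
"""

def parse_ldif(text):
    """Yield one dict per record; folded lines are joined, base64 values skipped."""
    text = re.sub(r"\r?\n ", "", text)
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#") and not value.startswith(":"):
                rec[key.strip()] = value.strip()
        if rec:
            yield rec

def audit_delegation(ldif_text):
    """Return (account, [delegation kinds], is_domain_controller) per flagged record."""
    findings = []
    for rec in parse_ldif(ldif_text):
        raw = rec.get("userAccountControl", "")
        uac = int(raw) if raw.isdigit() else 0  # missing/odd value: no flags
        kinds = [n for bit, n in ((UF_TRUSTED_FOR_DELEGATION, "any-service"),
                 (UF_TRUSTED_TO_AUTH_FOR_DELEGATION, "any-protocol")) if uac & bit]
        if kinds:
            name = rec.get("sAMAccountName", rec.get("dn", "?"))
            findings.append((name, kinds, bool(uac & UF_SERVER_TRUST_ACCOUNT)))
    return findings

if __name__ == "__main__":
    print(audit_delegation(SAMPLE_LDIF))
```

Domain controller accounts are reported with a separate marker so that member machines trusted for delegation, like the IAAS-01$ account in this thread, stand out in the result.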
Rowland Penny
2018-Jul-18 15:53 UTC
[Samba] Samba AD 4.8.3 Windows Server 2016 Active Directory Users and Computers: The procedure number is out of range
On Wed, 18 Jul 2018 17:25:51 +0200 Thomas Glanzmann via samba <samba at lists.samba.org> wrote:

> Hello,
> I try to connect with Active Directory Users and Computers from a
> W2k16 to a Samba 4.8.3 DC. I get the following error message:
>
> https://thomas.glanzmann.de/static/63a3e0ba-8a9d-11e8-891f-f3ff022aacb0/screenshot-x1-2018-07-18-17_12_49.png
>
> ---------------------------
> Active Directory Domain Services
> ---------------------------
> Naming information cannot be located because:
>
> The procedure number is out of range.
>
> Contact your system administrator to verify that your domain is
> properly configured and is currently online.
> --------------------------- OK
> ---------------------------
>
> In the logs with debug level 3 I don't see anything. My Samba Config
> and setup script is here, my logs as well:
>
> https://thomas.glanzmann.de/static/63a3e0ba-8a9d-11e8-891f-f3ff022aacb0/

Your smb.conf is up the spout, there are a number of things wrong with it.

These are okay:

[global]
    netbios name = ad
    server role = ACTIVE DIRECTORY DOMAIN CONTROLLER
    workgroup = V101
    realm = V101.TUVL.DE
    interfaces = 10.101.0.1
    bind interfaces only = yes
    lock directory = /local/samba-config/v101/lock
    cache directory = /local/samba-config/v101/cache
    pid directory = /local/samba-config/v101/pid
    private dir = /local/samba-config/v101/private
    state directory = /local/samba-config/v101/state
    log file = /local/samba-config/v101/log/%m

These shouldn't be set or are defaults:

    name resolve order = host
    time server = yes
    passdb backend = tdbsam
    security = user
    domain logons = yes
    log level = 3
    os level = 64
    preferred master = yes
    local master = yes
    domain master = yes
    tls keyfile = key.pem
    tls certfile = cert.pem
    tls cafile = ca.pem

This is definitely wrong:

    dns forwarder = 127.0.0.1

You do not forward to itself.

This is all 'netlogon' needs:

[netlogon]
    comment = Domain Logon Service
    path = /local/samba-config/v101/netlogon
    read only = no

It doesn't need these:

    valid users = %U
    admin users = Administrator
    browseable = no
    guest ok = yes
    locking = no

'sysvol' is okay except it needs to be writeable.

You also do not set the maximum password age with pdbedit.

>
> But what I really would like to do is enable the following:
>
> https://livelibrary.osisoft.com/LiveLibrary/content/en/vision-v1/GUID-799220A0-4967-45CE-A592-45E3FC10C752#addHistory=true&filename=GUID-4B33BAFA-A923-4550-B3DC-CAD83E3C0587.xml&docid=GUID-799220A0-4967-45CE-A592-45E3FC10C752&inner_id=&tid=&query=&scope=&resource=&toc=false&eventType=lcContent.loadDocGUID-799220A0-4967-45CE-A592-45E3FC10C752
>
> Setup delegation for a machine account 'Trust this computer for
> delegation to any service (Kerberos only)'. Is there a way to do this
> from the command line? For the user account I think I found it:
>
> (infra) [/local/samba-config/v101] / /local/samba/bin/samba-tool
> delegation for-any-protocol
> -s /home/sithglan/work/scripts/lab/output/smb-v101.conf Administrator
> on ldb_wrap open of secrets.ldb (infra)
> [/local/samba-config/v101] / /local/samba/bin/samba-tool delegation
> for-any-service
> -s /home/sithglan/work/scripts/lab/output/smb-v101.conf Administrator
> on (infra) [/local/samba-config/v101] / /local/samba/bin/samba-tool
> delegation show
> -s /home/sithglan/work/scripts/lab/output/smb-v101.conf Administrator
>
> Note, my goal is to run 9 different active directory domains in
> different VLANs, so far I succeeded. And with samba my setup time
> went down from 10 minutes to 15 seconds. I'm setting up Active
> Directory Domains for training environments on a regular basis (once
> a week).
>
> I'm grateful for any pointers.

Yes try reading up on Samba AD more before trying to train others on how to use it. ;-)

Rowland
Thomas Glanzmann
2018-Jul-18 16:18 UTC
[Samba] Samba AD 4.8.3 Windows Server 2016 Active Directory Users and Computers: The procedure number is out of range
Hello Rowland,

> These shouldn't be set or are defaults:
> name resolve order = host
> passdb backend = tdbsam
> security = user
> domain logons = yes
> log level = 3
> os level = 64
> preferred master = yes
> local master = yes
> domain master = yes
> tls keyfile = key.pem
> tls certfile = cert.pem
> tls cafile = ca.pem

I kicked these out. I found the config somewhere on the Internet and left the stuff I did not understand as provided.

> time server = yes

I have ntpd configured on the ip address which serves time. So I leave it in.

> This is definitely wrong:
> dns forwarder = 127.0.0.1
> You do not forward to itself.

Actually, I do. I have a recursive bind listening on 127.0.0.1 and recursive name lookup works also via the SAMBA internal DNS implementation. So I'm happy with it.

> This is all 'netlogon' needs:

> [netlogon]
> comment = Domain Logon Service
> path = /local/samba-config/v101/netlogon
> read only = no

fixed.

> 'sysvol' is okay except it needs to be writeable.

fixed as well.

> You also do not set the maximum password age with pdbedit.

I do, but you're saying I should not? I do in the shell script:

/local/samba/bin/samba-tool user setexpiry Administrator --noexpiry -s ${SAMBACONFIG}
/local/samba/bin/pdbedit -s ${SAMBACONFIG} -P "maximum password age" -C -1

While my active directories do not survive one week, I thought just to be on the safe side, I disable password aging. Is there a better way?

> Yes try reading up on Samba AD more before trying to train others on
> how to use it. ;-)

Rest assured, I'm training no one on samba, I just need an active directory to be able to show a domain join with VMware products. That's all. However I was quite impressed how far samba has come. And how good it works. Can you recommend a book or a documentation to get more familiar with SAMBA AD?

Thanks a lot. After your cleanup, I can now use Active Directory Users and Computers. My new Samba Config is here:

https://thomas.glanzmann.de/static/63a3e0ba-8a9d-11e8-891f-f3ff022aacb0/smb-v101.conf.cleanedup

Cheers,
Thomas