samba - Jul 2018 - Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...

I found the problem. I can login as administrator, but not as different
user - I add different users by "samba-tool user add" or smapasswd and
it's
the same.

Regards

czw., 26 lip 2018 o 21:56 Rowland Penny <rpenny at samba.org> napisał(a):
> On Thu, 26 Jul 2018 21:22:23 +0200
> Andrzej Gryko via samba <samba at lists.samba.org> wrote:
>
> > ---------- Forwarded message ---------
> > From: Rowland Penny via samba <samba at lists.samba.org>
> > Date: śr., 25 lip 2018 o 18:36
> > Subject: Re: [Samba] Fwd: Problem connecting to DC from windows 10.
> > Failed to create user record ... acl: unable to get access to ...
> > To: <samba at lists.samba.org>
> >
> >
> > On Wed, 25 Jul 2018 08:55:01 +0200
> > Andrzej Gryko via samba <samba at lists.samba.org> wrote:
> >
> > > Avahi is not running.
> > > My smb.conf:
> > > # Global parameters
> > > [global]
> > >         netbios name = SAMBA
> > >         realm = GRYKO.LOCAL
> > >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
kdc,
> > > drepl, winbindd, ntp_signd, kcc, dnsupdate
> > >         workgroup = GRYKO
> > >         server role = active directory domain controller
> > >
> > > [netlogon]
> > >         path = /var/lib/samba/sysvol/gryko.local/scripts
> > >         read only = No
> > >
> > > [sysvol]
> > >         path = /var/lib/samba/sysvol
> > >         read only = No
> > >
> > > I didn't tell that I ran debian on Microsoft Hyper-V machine,
I try
> > > to connect to DC typing "gryko.local" as a domain in
win 10 system
> > > properties, and next typing username and password (also I type
> > > domainname\username and password).
> > >
> > > I installed two virtual machines and on both there is the same
error
> > > in log.samba.
> > > I installed samba by: " *apt-get install samba smbclient
bind9
> > > krb5-user" and next I installed winbind by apt-get too.*
> > >
> >
> > >So you are trying to log into the DC as a user, then you need some
> > >more packages installed.
> > >
> > >attr libpam-winbind libpam-krb5 libnss-winbind krb5-config ntp
> > >bind9utils Note: some of these may already be installed.
> > >
> > >By default, you cannot log into a DC
> > >
> > >Rowland
> >
> > I installed new debian, configured domain gryko.org.
>
> How are you configuring the domain ?
> I hope you mean you are provisioning the domain.
>
> > installed every
> > mentioned package and it is exacly the same if username and password
> > are correct:
> > [2018/07/26 21:09:49.736794,  0]
> > ../source4/dsdb/common/util_samr.c:192(dsdb_add_user)
> >   Failed to create user record
> > CN=ANDRZEJ-DESKTOP,CN=Computers,DC=gryko,DC=org: acl: unable to get
> > access to CN=ANDRZEJ-DESKTOP,CN=Computers,DC=gryko,DC=org
>
> How are you trying to create the above record, it is undoubtedly a
> computer record and should be created by the join.
>
> >
> > I found in google same examples and I'm follow them.
>
> Most of the examples you find on the internet are like the curates egg,
> good in parts, bad in others. Can I suggest you read the Samba wiki:
>
> https://wiki.samba.org/index.php/Main_Page
>
> Rowland
>
> >
> > Any more ideas?
> >
> > regards
> > Andrzej
>
>

On Thu, 26 Jul 2018 23:03:19 +0200
Andrzej Gryko via samba <samba at lists.samba.org> wrote:
> I found the problem. I can login as administrator, but not as
> different user - I add different users by "samba-tool user add"
or
> smapasswd and it's the same.
> 
No, you have found a further problem ;-)

The correct command to create a user in Samba AD is 'samba-tool user
create'. You do not use 'smbpasswd' to create an AD user.

Can we check a few things:

You have installed Samba packages capable of being an AD DC (I say
capable because red-hat distros, except the latest Fedora, cannot be
AD DC's)

You have provisioned it correctly

You have set up the DC OS correctly

You have joined the windows machine to the domain

If all the above is correct, it should work, if it doesn't, check if
Selinux, Apparmor or a firewall is getting in the way.

If after all of the above is checked and it still doesn't work, then
we are going to have to walk through setting a Samba DC, hopefully
this should show what is wrong ;-)

Rowland

There is no selinux, appamore in running processes, and I didn't touch
linux firewall, so it is turned off.

Andrzej

pt., 27 lip 2018 o 10:14 Rowland Penny <rpenny at samba.org> napisał(a):
> On Thu, 26 Jul 2018 23:03:19 +0200
> Andrzej Gryko via samba <samba at lists.samba.org> wrote:
>
> > I found the problem. I can login as administrator, but not as
> > different user - I add different users by "samba-tool user
add" or
> > smapasswd and it's the same.
> >
>
> No, you have found a further problem ;-)
>
> The correct command to create a user in Samba AD is 'samba-tool user
> create'. You do not use 'smbpasswd' to create an AD user.
>
> Can we check a few things:
>
> You have installed Samba packages capable of being an AD DC (I say
> capable because red-hat distros, except the latest Fedora, cannot be
> AD DC's)
>
> You have provisioned it correctly
>
> You have set up the DC OS correctly
>
> You have joined the windows machine to the domain
>
> If all the above is correct, it should work, if it doesn't, check if
> Selinux, Apparmor or a firewall is getting in the way.
>
> If after all of the above is checked and it still doesn't work, then
> we are going to have to walk through setting a Samba DC, hopefully
> this should show what is wrong ;-)
>
> Rowland
>
>