Andrzej Gryko
2018-Jul-27 20:59 UTC
[Samba] Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...
There is no selinux, apparmor in running processes, and I didn't touch linux firewall, so it is turned off.

Andrzej

Fri, 27 Jul 2018 at 10:14 Rowland Penny <rpenny at samba.org> wrote:

> On Thu, 26 Jul 2018 23:03:19 +0200
> Andrzej Gryko via samba <samba at lists.samba.org> wrote:
>
> > I found the problem. I can login as administrator, but not as
> > different user - I add different users by "samba-tool user add" or
> > smbpasswd and it's the same.
> >
>
> No, you have found a further problem ;-)
>
> The correct command to create a user in Samba AD is 'samba-tool user
> create'. You do not use 'smbpasswd' to create an AD user.
>
> Can we check a few things:
>
> You have installed Samba packages capable of being an AD DC (I say
> capable because red-hat distros, except the latest Fedora, cannot be
> AD DC's)
>
> You have provisioned it correctly
>
> You have set up the DC OS correctly
>
> You have joined the windows machine to the domain
>
> If all the above is correct, it should work, if it doesn't, check if
> Selinux, Apparmor or a firewall is getting in the way.
>
> If after all of the above is checked and it still doesn't work, then
> we are going to have to walk through setting a Samba DC, hopefully
> this should show what is wrong ;-)
>
> Rowland
Rowland Penny
2018-Jul-27 21:03 UTC
[Samba] Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...
On Fri, 27 Jul 2018 22:59:16 +0200
Andrzej Gryko <andrzej.gryko at gmail.com> wrote:

> There is no selinux, apparmor in running processes, and I didn't touch
> linux firewall, so it is turned off.
>
> Andrzej
>
> Fri, 27 Jul 2018 at 10:14 Rowland Penny <rpenny at samba.org> wrote:
>
> > On Thu, 26 Jul 2018 23:03:19 +0200
> > Andrzej Gryko via samba <samba at lists.samba.org> wrote:
> >
> > > I found the problem. I can login as administrator, but not as
> > > different user - I add different users by "samba-tool user add" or
> > > smbpasswd and it's the same.
> > >
> >
> > No, you have found a further problem ;-)
> >
> > The correct command to create a user in Samba AD is 'samba-tool user
> > create'. You do not use 'smbpasswd' to create an AD user.
> >
> > Can we check a few things:
> >
> > You have installed Samba packages capable of being an AD DC (I say
> > capable because red-hat distros, except the latest Fedora, cannot be
> > AD DC's)
> >
> > You have provisioned it correctly
> >
> > You have set up the DC OS correctly
> >
> > You have joined the windows machine to the domain
> >
> > If all the above is correct, it should work, if it doesn't, check if
> > Selinux, Apparmor or a firewall is getting in the way.
> >
> > If after all of the above is checked and it still doesn't work, then
> > we are going to have to walk through setting a Samba DC, hopefully
> > this should show what is wrong ;-)
> >
> > Rowland

Can you please answer the questions:

What Samba packages are you using ?

How did you provision the Samba AD DC ?

Have you joined the Windows machine to the domain and if so, how and with what user ?

Rowland
Andrzej Gryko
2018-Jul-28 11:08 UTC
[Samba] Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...
I installed:

    Linux samba 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux
    samba: Version 4.5.12-Debian

next change in fstab:

    / ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1

    apt-get install smbclient krb5-user bind9 attr libpam-winbind libpam-krb5 libnss-winbind krb5-config ntp bind9utils

While configuring Kerberos - default Kerberos version realm: gryko.org, Kerberos servers: none (also tried samba.gryko.org), administrative server: none

samba-tool domain provision: gryko.org, gryko, dc, bind9_dlz (also tried samba internal)

My smb.conf:

    [global]
        netbios name = SAMBA
        realm = GRYKO.ORG
        workgroup = GRYKO
        server role = active directory domain controller
    #   os level = 64
    [netlogon]
        path /var/lib/samba/sysvol/gryko.org/scripts
        read only = No
    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No
    [homes]
        comment = Katalog domowy
        read only = No
        browseable No
        valid users = %S

/etc/krb5.conf:

    [libdefaults]
        default_realm = GRYKO.ORG
        dns_lookup_realm = false
        dns_lookup_kdc = true

/etc/bind/named.conf.options:

    options {
        directory "/var/cache/bind";
        forwarders {
            8.8.8.8;
            8.8.4.4;
        };
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on port 53 { any; };
        allow-query { any; };
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    };

/etc/bind/named.conf.local

    include "/var/lib/samba/private/named.conf";

/etc/resolv.conf

    domain gryko.org
    search gryko.org
    nameserver 172.22.93.70

(router) - also tried itself

/etc/hosts

    127.0.0.1       localhost
    127.0.1.1       samba.gryko.org samba
    172.22.93.74    samba.gryko.org samba
    ::1             localhost ip6-localhost ip6-loopback
    ff02::1         ip6-allnodes
    ff02::2         ip6-allrouters

smbclient \\\\172.22.93.74\\sysvol -U administrator - works properly - for different users too.
    smbclient -L localhost -U agryko
    Enter agryko's password:
    Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
    Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            SAMBA

(cannot login as 'agryko' from windows to the domain)

Did I forget about something? Maybe I should try to test domain from console?

Best regards
Andrzej

Fri, 27 Jul 2018 at 23:04 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 27 Jul 2018 22:59:16 +0200
> Andrzej Gryko <andrzej.gryko at gmail.com> wrote:
>
> > There is no selinux, apparmor in running processes, and I didn't touch
> > linux firewall, so it is turned off.
> >
> > Andrzej
> >
> > Fri, 27 Jul 2018 at 10:14 Rowland Penny <rpenny at samba.org> wrote:
> >
> > > On Thu, 26 Jul 2018 23:03:19 +0200
> > > Andrzej Gryko via samba <samba at lists.samba.org> wrote:
> > >
> > > > I found the problem. I can login as administrator, but not as
> > > > different user - I add different users by "samba-tool user add" or
> > > > smbpasswd and it's the same.
> > > >
> > >
> > > No, you have found a further problem ;-)
> > >
> > > The correct command to create a user in Samba AD is 'samba-tool user
> > > create'. You do not use 'smbpasswd' to create an AD user.
> > >
> > > Can we check a few things:
> > >
> > > You have installed Samba packages capable of being an AD DC (I say
> > > capable because red-hat distros, except the latest Fedora, cannot be
> > > AD DC's)
> > >
> > > You have provisioned it correctly
> > >
> > > You have set up the DC OS correctly
> > >
> > > You have joined the windows machine to the domain
> > >
> > > If all the above is correct, it should work, if it doesn't, check if
> > > Selinux, Apparmor or a firewall is getting in the way.
> > >
> > > If after all of the above is checked and it still doesn't work, then
> > > we are going to have to walk through setting a Samba DC, hopefully
> > > this should show what is wrong ;-)
> > >
> > > Rowland
> > >
> >
> > Can you please answer the questions:
>
> What Samba packages are you using ?
>
> How did you provision the Samba AD DC ?
>
> Have you joined the Windows machine to the domain and if so, how and
> with what user ?
>
> Rowland
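
An added example, not part of the thread or of Samba: a small lint over the smb.conf as posted in the message above, flagging parameter lines that have no "=" separator. The `POSTED_SMB_CONF` text is re-typed from that message one parameter per line, the function name `lint_smb_conf` is hypothetical, and backslash line continuations are not handled.

```python
# Added example: flag smb.conf parameter lines that lack the "name = value" form.
# POSTED_SMB_CONF is re-typed from the message above (assumed line breaks).
POSTED_SMB_CONF = """\
[global]
    netbios name = SAMBA
    realm = GRYKO.ORG
    workgroup = GRYKO
    server role = active directory domain controller
#   os level = 64
[netlogon]
    path /var/lib/samba/sysvol/gryko.org/scripts
    read only = No
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
[homes]
    comment = Katalog domowy
    read only = No
    browseable No
    valid users = %S
"""


def lint_smb_conf(text):
    """Return (line_no, section, line) for each parameter line with no '='."""
    findings = []
    section = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()  # share or [global] header
            continue
        name, sep, _value = line.partition("=")
        if not sep or not name.strip():
            findings.append((line_no, section, line))
    return findings


if __name__ == "__main__":
    for line_no, section, line in lint_smb_conf(POSTED_SMB_CONF):
        print(f"line {line_no} [{section}]: no '=' in {line!r}")
```

On the DC itself, Samba's own `testparm` is the authoritative check of the file that is actually loaded.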