Jason Long
2021-Jul-18 08:15 UTC
[Samba] I can't login into my Linux client with Samba DC users.
Hello,
Thank you for your info. The "ip route" command output is:

# ip route
default via 10.0.3.2 dev enp0s8 proto dhcp metric 101
10.0.3.0/24 dev enp0s8 proto kernel scope link src 10.0.3.15 metric 101
192.168.56.0/24 dev enp0s17 proto kernel scope link src 192.168.56.7 metric 100

I installed Samba from its manual and in Samba manual, the "sss" existed. Why "sss" doesn't need?

I edited "/etc/nsswitch.conf" file as below:

passwd:     files winbind systemd
group:      files winbind systemd
hosts:      files dns resolve [!UNAVAIL=return] myhostname

And I changed the content of "/etc/krb5.conf" to:

[libdefaults]
    default_realm = MYDOMAIN.Z
    dns_lookup_realm = false
    dns_lookup_kdc = true

Finally, I added "10.0.3.15 mydc.mydomain.z" to the "/etc/hosts" file and rebooted my server. Above changes, can make any problem for my Windows clients?

On the Linux client:
I added below lines to the "/etc/hosts" file:

127.0.0.1    localhost localhost.localdomain localhost4 localhost4.localdomain4
::1          localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.7 mydc.mydomain.z mydc
10.0.3.15    mydc.mydomain.z

And edited "/etc/nsswitch.conf" file as the server. The content of the "/etc/krb5.conf" file is:

includedir /etc/krb5.conf.d/
[libdefaults]
    default_realm = MYDC.MYDOMAIN.Z
    dns_lookup_realm = false
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    dns_canonicalize_hostname = fallback
    qualify_shortname = ""
#    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}

I rebooted my client and I can't login to my Linux client with my Samba DC usernames.

On Friday, July 16, 2021, 12:08:00 PM GMT+4:30, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

Hi Jason,

Ok, now we are getting somewhere.

Server: 2 IP addresses:
10.0.3.15
192.168.56.7  (assuming 56.7 is your default.)

But did you set your routing correctly for it?
We might also need an output of: ip route

SSSD is installed, remove it and then fix nsswitch.conf

passwd:     files winbind sss systemd
group:      files winbind sss systemd

Remove sss there.

Change
hosts:      files resolve [!UNAVAIL=return] myhostname dns
To
hosts:      files dns resolve [!UNAVAIL=return] myhostname

/etc/krb5.conf
Now, depending on IP use. OR remove this part.

[realms]
MYDOMAIN.Z = {
    default_domain = mydomain.z
}

[domain_realm]
    mydc = MYDOMAIN.Z

All you need is:

[libdefaults]
    default_realm = MYDOMAIN.Z
    dns_lookup_realm = false
    dns_lookup_kdc = true

Your "SERVER" also has IP: 10.0.3.15
Add it in /etc/hosts also. The order is important..

127.0.0.1    localhost localhost.localdomain localhost4 localhost4.localdomain4
::1          localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.7 mydc.mydomain.z mydc
10.0.3.15    mydc.mydomain.z  # or leave it out, i dont why you use it in your setup.

And you noticed I removed the "mydc" in the 10.0.3.15 line.
All done, reboot server.

Client is more easy..

FQDN: node3.localhost.localdomain
ipaddress: 192.168.56.9 10.0.3.15
unable to verify DNS kerberos._tcp SRV records

Meaning, the resolving setup is broken in your client.
Hostname FQDN is incorrect.
10.0.3.15  ?? Why that's the same IP as on the SERVER.

So in order, fix on the client:
/etc/hosts
/etc/resolv.conf
/etc/nsswitch.conf
/etc/krb5.conf
Reboot.

Verify client settings again, re-run the script, I know it's not fully compliant with your OS but it shows sufficient at the moment.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jason Long via samba
> Sent: Friday 16 July 2021 7:27
> To: samba at lists.samba.org; Rowland Penny
> Subject: Re: [Samba] I can't login into my Linux client with Samba DC users.
>
> Hello,
> I did:
> # samba-tool domain info mydc
> Forest           : mydomain.z
> Domain           : mydomain.z
> Netbios domain   : MYDOMAIN
> DC name          : mydc.mydomain.z
> DC netbios name  : MYDC
> Server site      : Default-First-Site-Name
> Client site      : Default-First-Site-Name
>
> And I executed that script on both of server and client:
>
> On Server:
> https://paste.ubuntu.com/p/pZ9Rnk7Kpc/
>
> On Client:
> https://paste.ubuntu.com/p/msCDTgrZPS/
>
> Thanks.
>
> On Wednesday, July 14, 2021, 04:56:58 PM GMT+4:30, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Wed, 2021-07-14 at 13:22 +0200, L.P.H. van Belle via samba wrote:
> > > 1- Why Windows client working with it without any problem?
> > Because when the join the primary DNS domain is always correct
> > And you most probably did set the ip's of the DC's as resolvers for
> > them.
> >
> > You asked this before and we asked info before..
> > I'm still waiting.. (that's why I also didn't reply before)..
>
> You should have seen what I wrote before deleting it!
>
> > Most probably your error is in the resolving order.
>
> Could be, but doubtful.
>
> > Run this on 1 DC and 1 member.
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> > DON'T change the structures of the setup when you anonymize it.
> >
> > Now this : samba-tool domain info 192.168.56.7
> > Why are you not using : samba-tool domain info hostname.fqdn
> > I'm just wondering.
>
> Because it works and 'samba-tool domain info --help' returns:
>
> Usage: samba-tool domain info <ip_address> [options]
>
> > So my advice is, try to avoid testing with ipnumbers and start
> > testing with FQDN's.
> > This will help in finding/and later avoiding resolving problems.
> >
> > Greetz,
> >
> > Louis
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jason Long via samba
> > > Sent: Wednesday 14 July 2021 13:09
> > > To: sambalist; Rowland Penny
> > > Subject: Re: [Samba] I can't login into my Linux client with Samba DC users.
> > >
> > > Thanks.
> > > 1- Why Windows client working with it without any problem?
> > > 2- How can I fix it?
> > >
> > > On Wednesday, July 14, 2021, 03:32:21 PM GMT+4:30, Rowland Penny via samba <samba at lists.samba.org> wrote:
> > >
> > > On Wed, 2021-07-14 at 10:41 +0000, Jason Long wrote:
> > > > Thank you.
> > > >
> > > > As you see:
> > > > # samba-tool domain info 192.168.56.7
> > > > Forest           : mydomain.z
> > > > Domain           : mydomain.z
> > > > Netbios domain   : MYDOMAIN
> > > > DC name          : mydc.mydomain.z
> > > > DC netbios name  : MYDC
> > > > Server site      : Default-First-Site-Name
> > > > Client site      : Default-First-Site-Name
> > > >
> > > > If my configuration is wrong, then how can I fix it?
> > > >
> > > > On Monday, July 12, 2021, 11:29:30 PM GMT+4:30, Rowland Penny via samba <samba at lists.samba.org> wrote:
> > > >
> > > > On Mon, 2021-07-12 at 18:44 +0000, Jason Long via samba wrote:
> > > > > Hello,
> > > > > I had a thread with the name "I can't join my Linux client to my
> > > > > Samba DC." and I joined my Linux client to my Samba DC, but I can't
> > > > > login into my Linux client with my Samba DC users.
> > > > > I have a Samba DC as below:
> > > > >
> > > > > # samba-tool domain info 192.168.56.7
> > > > > Forest           : mydomain.z
> > > > > Domain           : mydomain.z
> > > > > Netbios domain   : MYDOMAIN
> > > > > DC name          : mydc.mydomain.z
> > > > > DC netbios name  : MYDC
> > > > > Server site      : Default-First-Site-Name
> > > > > Client site      : Default-First-Site-Name
> > > > >
> > > > > And I want to join my Linux client to my Samba DC. The content of
> > > > > "smb.conf" file on my Linux client is:
> > > > >
> > > > > [global]
> > > > >     workgroup = MYDC
> > > > >     security = ADS
> > > > >     realm = MYDC.MYDOMAIN.Z
> > > >
> > > > Your realm isn't 'MYDC.MYDOMAIN.Z' , from what you have posted, your
> > > > realm should be 'MYDOMAIN.Z'
> > > >
> > > > Also, I doubt that your workgroup name is 'MYDC' as this appears to be
> > > > your DCs short hostname. If your workgroup (aka NetBios domain name) is
> > > > the same as your DC's short hostname, then I suggest you fix this
> > >
> > > You have set your workgroup to 'MYDC' and you also posted 'DC netbios
> > > name : MYDC', you also posted 'Netbios domain : MYDOMAIN', another
> > > name for 'Netbios domain' is 'workgroup'.
> > > 'DC netbios name' != 'Netbios domain'
> > >
> > > You also seem to be using the DC's FQDN for the realm, it should be the
> > > dns domain in uppercase, which in your case seems to be 'MYDOMAIN.Z'
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2021-Jul-18 08:41 UTC
[Samba] I can't login into my Linux client with Samba DC users.
On Sun, 2021-07-18 at 08:15 +0000, Jason Long via samba wrote:
>
> I installed Samba from its manual and in Samba manual, the "sss"
> existed. Why "sss" doesn't need?

If sssd is installed, remove it, you cannot use sssd with Samba.

>
> And I changed the content of "/etc/krb5.conf" to:
>
>
> On the Linux client:
> I added below lines to the "/etc/hosts" file:
>
> 127.0.0.1 localhost localhost.localdomain localhost4
> localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6
> 192.168.56.7 mydc.mydomain.z mydc
> 10.0.3.15 mydc.mydomain.z

You cannot multihome a DC, choose an ipaddress and use just that one.

>
> The content of the "/etc/krb5.conf" file is:
>
> includedir /etc/krb5.conf.d/
> [libdefaults]
> default_realm = MYDC.MYDOMAIN.Z

HOW MANY TIMES DO I HAVE TO TELL YOU, 'MYDC.MYDOMAIN.Z' IS NOT YOUR REALM!!!
Your realm is 'MYDOMAIN.Z'

> dns_lookup_realm = false
> dns_lookup_kdc = true
>
>

You can remove the rest of /etc/krb5.conf , you do not need it.

>
>
> I rebooted my client and I can't login to my Linux client with my
> Samba DC usernames.

Have you installed winbind and winbind-clients ?

Rowland
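
Added example (not part of the original thread and not Samba project code): a Python check that derives the expected realm and workgroup from "samba-tool domain info" output and compares a member's files against the points raised in the replies above (realm, workgroup, sss in nsswitch.conf, one DC name on several addresses). The function names and the sample inputs, which are constructed from values quoted in the thread, are assumptions for illustration.

```python
def parse_kv(text, sep):
    """Parse 'key<sep>value' lines; '#' comments dropped, keys lower-cased."""
    out = {}
    for line in text.splitlines():
        key, found, value = line.split("#", 1)[0].partition(sep)
        if found:
            out[key.strip().lower()] = value.strip()
    return out


def check_member(domain_info, smb_conf, krb5_conf, nsswitch, hosts):
    """Return findings for the misconfigurations named in this thread."""
    dc = parse_kv(domain_info, ":")
    realm = dc["domain"].upper()       # realm = DNS domain in uppercase
    workgroup = dc["netbios domain"]   # workgroup = NetBIOS domain name
    smb, krb = parse_kv(smb_conf, "="), parse_kv(krb5_conf, "=")
    nss = parse_kv(nsswitch, ":")
    findings = []
    if smb.get("realm", "").upper() != realm:
        findings.append(f"smb.conf: realm should be {realm}")
    if smb.get("workgroup", "").upper() != workgroup.upper():
        findings.append(f"smb.conf: workgroup should be {workgroup}")
    if krb.get("default_realm") != realm:
        findings.append(f"krb5.conf: default_realm should be {realm}")
    for db in ("passwd", "group"):
        sources = nss.get(db, "").split()
        if "sss" in sources:
            findings.append(f"nsswitch.conf: remove sss from {db}")
        if "winbind" not in sources:
            findings.append(f"nsswitch.conf: add winbind to {db}")
    # One DC name resolving to several addresses means a multihomed DC.
    rows = (line.split("#", 1)[0].split() for line in hosts.splitlines())
    ips = {row[0] for row in rows if dc["dc name"] in row[1:]}
    if len(ips) > 1:
        findings.append(f"hosts: {dc['dc name']} maps to {len(ips)} addresses")
    return findings


# Sample inputs constructed from values quoted in the thread.
DOMAIN_INFO = """Forest           : mydomain.z
Domain           : mydomain.z
Netbios domain   : MYDOMAIN
DC name          : mydc.mydomain.z
DC netbios name  : MYDC"""
SMB_CONF = "[global]\n workgroup = MYDC\n security = ADS\n realm = MYDC.MYDOMAIN.Z"
KRB5_CONF = "[libdefaults]\n default_realm = MYDC.MYDOMAIN.Z\n dns_lookup_kdc = true"
NSSWITCH = "passwd: files winbind sss systemd\ngroup: files winbind sss systemd"
HOSTS = "192.168.56.7 mydc.mydomain.z mydc\n10.0.3.15 mydc.mydomain.z"

if __name__ == "__main__":
    for finding in check_member(DOMAIN_INFO, SMB_CONF, KRB5_CONF, NSSWITCH, HOSTS):
        print(finding)
```

On a real member the five arguments would be the output of "samba-tool domain info" and the contents of smb.conf, /etc/krb5.conf, /etc/nsswitch.conf and /etc/hosts; an empty list means none of these mismatches is present.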