Hello! Rowland Penny via samba
On that day it was said...
> Please post the following:
> What desktop are you using (Gnome, KDE, MATE, XFCE, etc).
> What is your login manager (lightdm, gdm3, sddm, etc)
Standard Ubuntu install, so Gnome/GDM.
> confirm the distro and version.
> What version of Samba and where from.
> The contents of /etc/resolv.conf /etc/hostname /etc/hosts /etc/krb5.conf
> /etc/samba/smb.conf /etc/nsswitch.conf
I've run the Louis script:
root@dane:~# bash samba-collect-debug-info.sh
Please wait, collecting debug info.
nameserver 127.0.0.53
samba-collect-debug-info.sh: riga 180: systemd-resolve: comando non trovato
The debug info about your system can be found in this file:
/tmp/samba-debug-info.txt
Please check this and if required, sanitise it.
Then copy & paste it into an email to the samba list
Do not attach it to the email, the Samba mailing list strips attachments.
That produced this:
Config collected --- 2023-06-13-14:59 -----------
Hostname: dane
DNS Domain:
Realm:
FQDN: dane
ipaddress: 10.5.2.191
-----------
This computer is running Ubuntu 22.04.2 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel
state DOWN group default qlen 1000
link/ether b4:b6:86:37:26:7e brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state
UP group default qlen 1000
link/ether 90:61:ae:b2:70:37 brd ff:ff:ff:ff:ff:ff
inet 10.5.2.191/21 brd 10.5.7.255 scope global dynamic noprefixroute wlp2s0
valid_lft 422sec preferred_lft 422sec
inet6 fe80::4c3b:6af8:609c:4e32/64 scope link noprefixroute
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
127.0.1.1 dane
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0 trust-ad
search sv.lnf.it dyn.sv.lnf.it
-----------
systemd stub resolver detected, running command : systemd-resolve --status
-----------
-----------
WARNING: 'kinit Administrator' will fail, you need to fix this.
Unable to verify DNS kerberos._tcp SRV records
-----------
'kinit Administrator' password checked failed.
Wrong password or kerberos REALM problems.
-----------
Samba is running as a Unix domain member
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = AD.FVG.LNF.IT
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
CSAIL.MIT.EDU = {
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
ANDREW.CMU.EDU = {
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos-1.srv.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
kdc = kerberos-3.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: files
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
#
# smb.conf for LNF clients
# (c) Marco Gaiarin (gaio at sv.lnf.it) under GNU GPL Licence 2.0 or newer
# This file is meant to be a collection of the standard parameters, trying to
# be a good starting point for building a file for
# the particular installation.
# Read the comments and the smb.conf manpage carefully.
# CHANGELOG
# (Tue Sep 25 14:56:56 CEST 2018)
# + first version, starting from the equivalent file for Domain Member.
# Global parameters
#
[global]
# Domain definitions.
#
security = ADS
workgroup = LNFFVG
realm = AD.FVG.LNF.IT
# Winbind/IDMap configuration.
#
# Default idmap config for local BUILTIN accounts and groups
idmap config * : backend = tdb
idmap config * : range = 5000-9999
# The domain
idmap config LNFFVG : backend = ad
idmap config LNFFVG : range = 10000-49999
# Use of POSIX/rfc2307 data (Samba 4.6+)
idmap config LNFFVG : schema_mode = rfc2307
idmap config LNFFVG : unix_nss_info = yes
idmap config LNFFVG : unix_primary_group = yes
## Use of POSIX/rfc2307 data (Samba 4.5-)
#winbind nss info = rfc2307
# If 'winbind use default domain = yes' is used, make sure that user names are not ''overlapping''
# (i.e. users defined in the domain *and* in /etc/passwd), otherwise there will be ''confusion'' in the definition of groups/responsibilities.
winbind use default domain = yes
# Optionally I may want to enable ''cached credentials''; besides enabling this option, their use must also be enabled
# in winbind. See: https://wiki.samba.org/index.php/PAM_Offline_Authentication
winbind offline logon = yes
# Workaround Bug #14618
lock directory = /var/cache/samba
# Workaround delay...
winbind request timeout = 5
# Special users and permissions
# Disabling of some accounts, and definition of the guest account (the default is already 'nobody').
# All unknown users are mapped to guest.
#
#invalid users #guest account = nobody
map to guest = Bad User
#
# For a DM we keep an explicit local map for some users, by default only Administrator (to root)
#
username map = /etc/samba/user.map
# I re-enable SMB1; I don't think it is strictly necessary here, but it is absolutely needed for mounting the homes,
# some UNIX extensions are required...
#
client min protocol = NT1
# Printers... we are a client, so I disable everything.
#
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# I disable 'usershare'; the default seems to be 100 on Debian. See:
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900396
#
usershare max shares = 0
# LOG
#
log level = 0 winbind:5
syslog = 0
log file = /var/log/samba/log.%m
max log size = 5000
panic action = /usr/share/samba/panic-action %d
-----------
Running as Unix domain member and user.map detected.
Contents of /etc/samba/user.map
!root = LNFFVG\Administrator LNFFVG\administrator Administrator administrator
Server Role is set to : auto
-----------
This Unix domain member is using 'winbind' in /etc/nsswitch.conf.
-----------
Time on the DC with PDC Emulator role is: 2023-06-13T14:59:30
Time on this computer is: 2023-06-13T14:59:31
Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds
-----------
Installed packages:
ii acl 2.3.1-1
amd64 access control list - utilities
ii attr 1:2.5.1-1build1
amd64 utilities for manipulating filesystem extended attributes
ii fonts-quicksand 0.2016-2.1
all sans-serif font with round attributes
ii krb5-config 2.6+nmu1ubuntu1
all Configuration files for Kerberos Version 5
ii krb5-locales 1.19.2-2ubuntu0.2
all internationalization support for MIT Kerberos
ii libacl1:amd64 2.3.1-1
amd64 access control list - shared library
ii libattr1:amd64 1:2.5.1-1build1
amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.19.2-2ubuntu0.2
amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libgssapi-krb5-2:i386 1.19.2-2ubuntu0.2
i386 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.19.2-2ubuntu0.2
amd64 MIT Kerberos runtime libraries
ii libkrb5-3:i386 1.19.2-2ubuntu0.2
i386 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.19.2-2ubuntu0.2
amd64 MIT Kerberos runtime libraries - Support library
ii libkrb5support0:i386 1.19.2-2ubuntu0.2
i386 MIT Kerberos runtime libraries - Support library
ii libldb2:amd64 2:2.7.2+samba4.18.3+dfsg-1
amd64 LDAP-like embedded database - shared library
ii libnss-winbind:amd64 2:4.18.3+dfsg-1
amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.11-1build1
amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.18.3+dfsg-1
amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.18.3+dfsg-1
amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.18.3+dfsg-1
amd64 Samba winbind client library
ii python3-ldb 2:2.7.2+samba4.18.3+dfsg-1
amd64 Python 3 bindings for LDB
ii python3-nacl 1.5.0-2
amd64 Python bindings to libsodium (Python 3)
ii python3-samba 2:4.18.3+dfsg-1
amd64 Python 3 bindings for Samba
ii samba 2:4.18.3+dfsg-1
amd64 SMB/CIFS file, print, and login server for Unix
ii samba-ad-provision 2:4.18.3+dfsg-1
all Samba files needed for AD domain provision
ii samba-common 2:4.18.3+dfsg-1
all common files used by both the Samba server and client
ii samba-common-bin 2:4.18.3+dfsg-1
amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.18.3+dfsg-1
amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.18.3+dfsg-1
amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.18.3+dfsg-1
amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.18.3+dfsg-1
amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.18.3+dfsg-1
amd64 service to resolve user and group information from Windows NT
servers
-----------
> Is selinux or apparmor involved ?
Ahem... apparmor is installed (as by default on Ubuntu, I suppose) but I've
not touched the configuration.
Thanks.
--
We are surrounded by too many people full of themselves. And to those full of themselves,
I prefer people full of ifs, buts and maybes. (Tonio Dell'Olio)