Andrzej Gryko
2018-Jul-28 11:08 UTC
[Samba] Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...
I installed:
Linux samba 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux
samba:
Version 4.5.12-Debian

next

change in fstab:
/ ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1

apt-get install smbclient krb5-user bind9 attr libpam-winbind libpam-krb5 libnss-winbind krb5-config ntp bind9utils

While configuring kerberos - default kerberos version realm; gryko.org, kerberos servers: *none* (also tried samba.gryko.org), administrative server: *none*

samba-tool domain provision: gryko.org, gryko, dc, bind9_dlz (also tried samba internal)

My smb.conf:

[global]
    netbios name = SAMBA
    realm = GRYKO.ORG
    workgroup = GRYKO
    server role = active directory domain controller
#   os level = 64

[netlogon]
    path = /var/lib/samba/sysvol/gryko.org/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[homes]
    comment = Katalog domowy
    read only = No
    browseable = No
    valid users = %S

/etc/krb5.conf:
[libdefaults]
    default_realm = GRYKO.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = true

/etc/bind/named.conf.options:
options {
    directory "/var/cache/bind";
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on port 53 { any; };
    allow-query { any; };
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

/etc/bind/named.conf.local
include "/var/lib/samba/private/named.conf";

/etc/resolv.conf
domain gryko.org
search gryko.org
nameserver 172.22.93.70 (router) - also tried itself

/etc/hosts
127.0.0.1 localhost
127.0.1.1 samba.gryko.org samba
172.22.93.74 samba.gryko.org samba

::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

smbclient \\\\172.22.93.74\\sysvol -U administrator - works properly - for different users too.

smbclient -L localhost -U agryko
Enter agryko's password:
Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP            SAMBA

(cannot login as 'agryko' from windows to the domain)

Did I forget about something? Maybe I should try to test domain from console?

Best regards
Andrzej

On Fri, 27 Jul 2018 at 23:04, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 27 Jul 2018 22:59:16 +0200
> Andrzej Gryko <andrzej.gryko at gmail.com> wrote:
>
> > There is no selinux, apparmor in running processes, and I didn't touch
> > linux firewall, so it is turned off.
> >
> > Andrzej
> >
> > On Fri, 27 Jul 2018 at 10:14, Rowland Penny <rpenny at samba.org> wrote:
> >
> > > On Thu, 26 Jul 2018 23:03:19 +0200
> > > Andrzej Gryko via samba <samba at lists.samba.org> wrote:
> > >
> > > > I found the problem. I can login as administrator, but not as
> > > > different user - I add different users by "samba-tool user add" or
> > > > smbpasswd and it's the same.
> > > >
> > >
> > > No, you have found a further problem ;-)
> > >
> > > The correct command to create a user in Samba AD is 'samba-tool user
> > > create'. You do not use 'smbpasswd' to create an AD user.
> > >
> > > Can we check a few things:
> > >
> > > You have installed Samba packages capable of being an AD DC (I say
> > > capable because red-hat distros, except the latest Fedora, cannot be
> > > AD DC's)
> > >
> > > You have provisioned it correctly
> > >
> > > You have set up the DC OS correctly
> > >
> > > You have joined the windows machine to the domain
> > >
> > > If all the above is correct, it should work, if it doesn't, check if
> > > Selinux, Apparmor or a firewall is getting in the way.
> > >
> > > If after all of the above is checked and it still doesn't work, then
> > > we are going to have to walk through setting a Samba DC, hopefully
> > > this should show what is wrong ;-)
> > >
> > > Rowland
> > >
> > >
>
> Can you please answer the questions:
>
> What Samba packages are you using ?
>
> How did you provision the Samba AD DC ?
>
> Have you joined the Windows machine to the domain and if so, how and
> with what user ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Rowland Penny
2018-Jul-28 12:34 UTC
[Samba] Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...
On Sat, 28 Jul 2018 13:08:55 +0200
Andrzej Gryko <andrzej.gryko at gmail.com> wrote:

> I installed:
> Linux samba 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07)
> x86_64 GNU/Linux
> samba:
> Version 4.5.12-Debian

OK, as you are using debian, try using Louis's repo, this will get you a
much more recent version of Samba:

http://apt.van-belle.nl/

>
> next
>
> change in fstab:
> / ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1

Well, undo the change ;-)
everything you have set is amongst the defaults for ext4

>
> apt-get install smbclient krb5-user bind9 attr libpam-winbind
> libpam-krb5 libnss-winbind krb5-config ntp bind9utils

I am sure they will be installed, but check if these are installed:

samba winbind

>
> While configuring kerberos - default kerberos version realm; gryko.org,
> kerberos servers: *none* (also tried samba.gryko.org), administrative
> server: *none*

Do not configure kerberos before the provision, once Samba is
provisioned, you will find that a krb5.conf will have been created for
you. The provision output will tell you just where it is, but, as you
are using debian packages, it should be here:

/var/lib/samba/private/krb5.conf

Copy this to /etc/krb5.conf

>
> samba-tool domain provision: gryko.org, gryko, dc, bind9_dlz (also
> tried samba internal)
>
> My smb.conf:
>
> [global]
>     netbios name = SAMBA
>     realm = GRYKO.ORG
>     workgroup = GRYKO
>     server role = active directory domain controller
> #   os level = 64
>
> [netlogon]
>     path = /var/lib/samba/sysvol/gryko.org/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> [homes]
>     comment = Katalog domowy
>     read only = No
>     browseable = No
>     valid users = %S
>
> /etc/krb5.conf:
> [libdefaults]
>     default_realm = GRYKO.ORG
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> /etc/bind/named.conf.options:
> options {
>     directory "/var/cache/bind";
>     forwarders {
>         8.8.8.8;
>         8.8.4.4;
>     };
>     dnssec-validation auto;
>     auth-nxdomain no;    # conform to RFC1035
>     listen-on port 53 { any; };
>     allow-query { any; };
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> /etc/bind/named.conf.local
> include "/var/lib/samba/private/named.conf";
>
> /etc/resolv.conf
> domain gryko.org
> search gryko.org
> nameserver 172.22.93.70 (router) - also tried itself

The DC MUST use itself as its nameserver

>
> /etc/hosts
> 127.0.0.1 localhost
> 127.0.1.1 samba.gryko.org samba
> 172.22.93.74 samba.gryko.org samba
>
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters

I think I have already said this, remove the '127.0.1.1' line and if
anything (such as network manager) is set to use dnsmasq etc, stop them
from doing this.

>
> smbclient \\\\172.22.93.74\\sysvol -U administrator - works properly
> - for different users too.
>
> smbclient -L localhost -U agryko
> Enter agryko's password:
> Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>
>     Sharename       Type      Comment
>     ---------       ----      -------
>     netlogon        Disk
>     sysvol          Disk
>     IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
> Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>
>     Server               Comment
>     ---------            -------
>
>     Workgroup            Master
>     ---------            -------
>     WORKGROUP            SAMBA
> (cannot login as 'agryko' from windows to the domain)
>

You will need to use 'GRYKO\agryko' to login into a domain joined
windows machine.

I can assure you it does work, I am typing this on a Unix domain member and
can log into a windows domain member ;-)

Rowland
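The two host-level points in the reply above (the DC must use itself as its nameserver, and its name must not sit on a 127.0.1.1 line in /etc/hosts) can be checked mechanically. This is an added example, not part of the original thread: the function names and sample files are constructed, using the host name and addresses posted above, and the check assumes the first nameserver entry is the one that matters.

```shell
#!/bin/sh
# Added example. Function names and sample files are constructed; the host
# name and addresses are the ones posted in the thread.

# First nameserver in resolv.conf FILE must be the DC's own address DC_IP.
check_resolv() {  # usage: check_resolv FILE DC_IP
    awk -v ip="$2" '$1 == "nameserver" && !n++ { first = $2 }
                    END { exit !(first == ip) }' "$1"
}

# FQDN must appear in hosts FILE, and only on the DC_IP line (no 127.0.1.1).
check_hosts() {   # usage: check_hosts FILE FQDN DC_IP
    awk -v fqdn="$2" -v ip="$3" '
        { sub(/#.*/, "") }   # drop comments before looking at the fields
        { for (i = 2; i <= NF; i++) if ($i == fqdn) { seen++; if ($1 != ip) bad++ } }
        END { exit !(seen > 0 && bad == 0) }' "$1"
}

# Write the files as posted and as corrected into DIR (constructed samples).
make_samples() {
    printf 'domain gryko.org\nsearch gryko.org\nnameserver 172.22.93.70\n' > "$1/resolv.posted"
    printf 'domain gryko.org\nsearch gryko.org\nnameserver 172.22.93.74\n' > "$1/resolv.fixed"
    printf '127.0.0.1 localhost\n127.0.1.1 samba.gryko.org samba\n172.22.93.74 samba.gryko.org samba\n' > "$1/hosts.posted"
    printf '127.0.0.1 localhost\n172.22.93.74 samba.gryko.org samba\n' > "$1/hosts.fixed"
}

# Print one line per check; return the number of failed checks.
audit_dc() {      # usage: audit_dc RESOLV HOSTS FQDN DC_IP
    fails=0
    if check_resolv "$1" "$4"; then echo "ok   resolv.conf: DC resolves via itself"
    else echo "FAIL resolv.conf: first nameserver is not $4"; fails=$((fails + 1)); fi
    if check_hosts "$2" "$3" "$4"; then echo "ok   hosts: $3 maps only to $4"
    else echo "FAIL hosts: $3 missing or mapped to another address"; fails=$((fails + 1)); fi
    return "$fails"
}

d=$(mktemp -d)
make_samples "$d"
audit_dc "$d/resolv.posted" "$d/hosts.posted" samba.gryko.org 172.22.93.74 ||
    echo "posted config: $? check(s) failed"
audit_dc "$d/resolv.fixed" "$d/hosts.fixed" samba.gryko.org 172.22.93.74 &&
    echo "corrected config: all checks pass"
rm -rf "$d"
```

On a real DC, point `audit_dc` at `/etc/resolv.conf` and `/etc/hosts` with the host's own FQDN and address.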
Andrzej Gryko
2018-Jul-28 17:26 UTC
[Samba] Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...
I'm sorry. It's my fault. Only administrator can join a domain, so that's why I couldn't do it as different user. If I join the domain and restart windows 10, I can login as different user. So it was my fault, I didn't know about it.

Everything works ok. Now I must add some users to administrators group and create some scripts.

Best regards
Andrzej

On Sat, 28 Jul 2018 at 14:35, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sat, 28 Jul 2018 13:08:55 +0200
> Andrzej Gryko <andrzej.gryko at gmail.com> wrote:
>
> > I installed:
> > Linux samba 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07)
> > x86_64 GNU/Linux
> > samba:
> > Version 4.5.12-Debian
>
> OK, as you are using debian, try using Louis's repo, this will get you a
> much more recent version of Samba:
>
> http://apt.van-belle.nl/
>
> >
> > next
> >
> > change in fstab:
> > / ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>
> Well, undo the change ;-)
> everything you have set is amongst the defaults for ext4
>
> >
> > apt-get install smbclient krb5-user bind9 attr libpam-winbind
> > libpam-krb5 libnss-winbind krb5-config ntp bind9utils
>
> I am sure they will be installed, but check if these are installed:
>
> samba winbind
>
> >
> > While configuring kerberos - default kerberos version realm; gryko.org,
> > kerberos servers: *none* (also tried samba.gryko.org), administrative
> > server: *none*
>
> Do not configure kerberos before the provision, once Samba is
> provisioned, you will find that a krb5.conf will have been created for
> you. The provision output will tell you just where it is, but, as you
> are using debian packages, it should be here:
>
> /var/lib/samba/private/krb5.conf
>
> Copy this to /etc/krb5.conf
>
> >
> > samba-tool domain provision: gryko.org, gryko, dc, bind9_dlz (also
> > tried samba internal)
> >
> > My smb.conf:
> >
> > [global]
> >     netbios name = SAMBA
> >     realm = GRYKO.ORG
> >     workgroup = GRYKO
> >     server role = active directory domain controller
> > #   os level = 64
> >
> > [netlogon]
> >     path = /var/lib/samba/sysvol/gryko.org/scripts
> >     read only = No
> >
> > [sysvol]
> >     path = /var/lib/samba/sysvol
> >     read only = No
> >
> > [homes]
> >     comment = Katalog domowy
> >     read only = No
> >     browseable = No
> >     valid users = %S
> >
> > /etc/krb5.conf:
> > [libdefaults]
> >     default_realm = GRYKO.ORG
> >     dns_lookup_realm = false
> >     dns_lookup_kdc = true
> >
> > /etc/bind/named.conf.options:
> > options {
> >     directory "/var/cache/bind";
> >     forwarders {
> >         8.8.8.8;
> >         8.8.4.4;
> >     };
> >     dnssec-validation auto;
> >     auth-nxdomain no;    # conform to RFC1035
> >     listen-on port 53 { any; };
> >     allow-query { any; };
> >     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> > };
> >
> > /etc/bind/named.conf.local
> > include "/var/lib/samba/private/named.conf";
> >
> > /etc/resolv.conf
> > domain gryko.org
> > search gryko.org
> > nameserver 172.22.93.70 (router) - also tried itself
>
> The DC MUST use itself as its nameserver
>
> >
> > /etc/hosts
> > 127.0.0.1 localhost
> > 127.0.1.1 samba.gryko.org samba
> > 172.22.93.74 samba.gryko.org samba
> >
> > ::1 localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
>
> I think I have already said this, remove the '127.0.1.1' line and if
> anything (such as network manager) is set to use dnsmasq etc, stop them
> from doing this.
>
> >
> > smbclient \\\\172.22.93.74\\sysvol -U administrator - works properly
> > - for different users too.
> >
> > smbclient -L localhost -U agryko
> > Enter agryko's password:
> > Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
> >
> >     Sharename       Type      Comment
> >     ---------       ----      -------
> >     netlogon        Disk
> >     sysvol          Disk
> >     IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
> > Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
> >
> >     Server               Comment
> >     ---------            -------
> >
> >     Workgroup            Master
> >     ---------            -------
> >     WORKGROUP            SAMBA
> > (cannot login as 'agryko' from windows to the domain)
> >
>
> You will need to use 'GRYKO\agryko' to login into a domain joined
> windows machine.
>
> I can assure you it does work, I am typing this on a Unix domain member and
> can log into a windows domain member ;-)
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>