Andrzej Gryko
2018-Jul-28 11:08 UTC
[Samba] Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...
I installed:

Linux samba 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux

samba:
Version 4.5.12-Debian

next

change in fstab:
/ ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1

apt-get install smbclient krb5-user bind9 attr libpam-winbind libpam-krb5 libnss-winbind krb5-config ntp bind9utils

While configuring kerberos - default kerberos version realm: gryko.org,
kerberos servers: *none* (also tried samba.gryko.org), administrative
server: *none*

samba-tool domain provision: gryko.org, gryko, dc, bind9_dlz (also tried
samba internal)

My smb.conf:

[global]
        netbios name = SAMBA
        realm = GRYKO.ORG
        workgroup = GRYKO
        server role = active directory domain controller
#       os level = 64

[netlogon]
        path = /var/lib/samba/sysvol/gryko.org/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[homes]
        comment = Katalog domowy
        read only = No
        browseable = No
        valid users = %S

/etc/krb5.conf:

[libdefaults]
        default_realm = GRYKO.ORG
        dns_lookup_realm = false
        dns_lookup_kdc = true

/etc/bind/named.conf.options:

options {
        directory "/var/cache/bind";
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on port 53 { any; };
        allow-query { any; };
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

/etc/bind/named.conf.local

include "/var/lib/samba/private/named.conf";

/etc/resolv.conf

domain gryko.org
search gryko.org
nameserver 172.22.93.70 (router) - also tried itself

/etc/hosts

127.0.0.1       localhost
127.0.1.1       samba.gryko.org samba
172.22.93.74    samba.gryko.org samba

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

smbclient \\\\172.22.93.74\\sysvol -U administrator - works properly - for different users too.

smbclient -L localhost -U agryko
Enter agryko's password:
Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            SAMBA

(cannot login as 'agryko' from windows to the domain)

Did I forget about something? Maybe I should try to test domain from
console?

Best regards
Andrzej

On Fri, 27 Jul 2018 at 23:04, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 27 Jul 2018 22:59:16 +0200
> Andrzej Gryko <andrzej.gryko at gmail.com> wrote:
>
> > There is no selinux, apparmor in running processes, and I didn't touch
> > linux firewall, so it is turned off.
> >
> > Andrzej
> >
> > On Fri, 27 Jul 2018 at 10:14, Rowland Penny <rpenny at samba.org> wrote:
> >
> > > On Thu, 26 Jul 2018 23:03:19 +0200
> > > Andrzej Gryko via samba <samba at lists.samba.org> wrote:
> > >
> > > > I found the problem. I can login as administrator, but not as
> > > > different user - I add different users by "samba-tool user add" or
> > > > smbpasswd and it's the same.
> > > >
> > >
> > > No, you have found a further problem ;-)
> > >
> > > The correct command to create a user in Samba AD is 'samba-tool user
> > > create'. You do not use 'smbpasswd' to create an AD user.
> > >
> > > Can we check a few things:
> > >
> > > You have installed Samba packages capable of being an AD DC (I say
> > > capable because red-hat distros, except the latest Fedora, cannot be
> > > AD DC's)
> > >
> > > You have provisioned it correctly
> > >
> > > You have set up the DC OS correctly
> > >
> > > You have joined the windows machine to the domain
> > >
> > > If all the above is correct, it should work, if it doesn't, check if
> > > Selinux, Apparmor or a firewall is getting in the way.
> > >
> > > If after all of the above is checked and it still doesn't work, then
> > > we are going to have to walk through setting a Samba DC, hopefully
> > > this should show what is wrong ;-)
> > >
> > > Rowland
> > >
> > >
>
> Can you please answer the questions:
>
> What Samba packages are you using ?
>
> How did you provision the Samba AD DC ?
>
> Have you joined the Windows machine to the domain and if so, how and
> with what user ?
>
> Rowland
Rowland Penny
2018-Jul-28 12:34 UTC
[Samba] Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...
On Sat, 28 Jul 2018 13:08:55 +0200
Andrzej Gryko <andrzej.gryko at gmail.com> wrote:

> I installed:
> Linux samba 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07)
> x86_64 GNU/Linux
> samba:
> Version 4.5.12-Debian

OK, as you are using debian, try using Louis's repo, this will get you a
much more recent version of Samba:

http://apt.van-belle.nl/

>
> next
>
> change in fstab:
> / ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1

Well, undo the change ;-)
everything you have set is amongst the defaults for ext4

>
> apt-get install smbclient krb5-user bind9 attr libpam-winbind
> libpam-krb5 libnss-winbind krb5-config ntp bind9utils

I am sure they will be installed, but check if these are installed:

samba winbind

>
> While configuring kerberos - default kerberos version realm: gryko.org,
> kerberos servers: *none* (also tried samba.gryko.org), administrative
> server: *none*

Do not configure kerberos before the provision, once Samba is
provisioned, you will find that a krb5.conf will have been created for
you. The provision output will tell you just where it is, but, as you
are using debian packages, it should be here:

/var/lib/samba/private/krb5.conf

Copy this to /etc/krb5.conf

>
> samba-tool domain provision: gryko.org, gryko, dc, bind9_dlz (also
> tried samba internal)
>
> My smb.conf:
>
> [global]
>         netbios name = SAMBA
>         realm = GRYKO.ORG
>         workgroup = GRYKO
>         server role = active directory domain controller
> #       os level = 64
>
> [netlogon]
>         path = /var/lib/samba/sysvol/gryko.org/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> [homes]
>         comment = Katalog domowy
>         read only = No
>         browseable = No
>         valid users = %S
>
> /etc/krb5.conf:
> [libdefaults]
>         default_realm = GRYKO.ORG
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> /etc/bind/named.conf.options:
> options {
>         directory "/var/cache/bind";
>         forwarders {
>                 8.8.8.8;
>                 8.8.4.4;
>         };
>         dnssec-validation auto;
>         auth-nxdomain no;    # conform to RFC1035
>         listen-on port 53 { any; };
>         allow-query { any; };
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> /etc/bind/named.conf.local
> include "/var/lib/samba/private/named.conf";
>
> /etc/resolv.conf
> domain gryko.org
> search gryko.org
> nameserver 172.22.93.70 (router) - also tried itself

The DC MUST use itself as its nameserver

>
> /etc/hosts
> 127.0.0.1       localhost
> 127.0.1.1       samba.gryko.org samba
> 172.22.93.74    samba.gryko.org samba
>
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters

I think I have already said this, remove the '127.0.1.1' line and if
anything (such as network manager) is set to use dnsmasq etc, stop them
from doing this.

>
> smbclient \\\\172.22.93.74\\sysvol -U administrator - works properly
> - for different users too.
>
> smbclient -L localhost -U agryko
> Enter agryko's password:
> Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk
>         sysvol          Disk
>         IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
> Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>
>         Server               Comment
>         ---------            -------
>
>         Workgroup            Master
>         ---------            -------
>         WORKGROUP            SAMBA
> (cannot login as 'agryko' from windows to the domain)
>

You will need to use 'GRYKO\agryko' to login into a domain joined
windows machine.

I can assure it does work, I am typing this on a Unix domain member and
can log into a windows domain member ;-)

Rowland
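
The two DC-side checks from the reply above (no loopback entry for the DC's FQDN in /etc/hosts, and the DC listed as its own nameserver), as an added example that is not part of the original thread. The function names hosts_check and resolv_check are hypothetical, the sample files are constructed from the values posted in the thread, and treating only the first nameserver line as significant is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# hosts_check FILE FQDN DC_IP
# Succeeds only if FQDN appears in FILE and every line naming it uses DC_IP
# (a "127.0.1.1 samba.gryko.org" line therefore fails the check).
hosts_check() {
    awk -v fqdn="$2" -v ip="$3" '
        { sub(/#.*/, "") }                       # strip comments
        NF < 2 { next }                          # skip blank/short lines
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(fqdn)) {
                  seen = 1
                  if ($1 != ip) bad = 1
              } }
        END { if (seen && !bad) exit 0; exit 1 }
    ' "$1"
}

# resolv_check FILE DC_IP
# Succeeds only if the first nameserver line in FILE is DC_IP
# (assumption: the first entry is the one the resolver tries first).
resolv_check() {
    awk -v ip="$2" '
        $1 == "nameserver" { first = $2; exit }
        END { if (first == ip) exit 0; exit 1 }
    ' "$1"
}

report() {  # report LABEL COMMAND [ARGS...]
    label=$1; shift
    if "$@"; then echo "OK   $label"; else echo "FAIL $label"; fi
}

# Constructed sample: the files as posted in the thread.
tmp=$(mktemp -d)
cat > "$tmp/hosts" <<'EOF'
127.0.0.1 localhost
127.0.1.1 samba.gryko.org samba
172.22.93.74 samba.gryko.org samba
EOF
cat > "$tmp/resolv.conf" <<'EOF'
domain gryko.org
search gryko.org
nameserver 172.22.93.70
EOF
report "hosts maps FQDN only to the DC address" \
    hosts_check "$tmp/hosts" samba.gryko.org 172.22.93.74
report "first nameserver is the DC itself" \
    resolv_check "$tmp/resolv.conf" 172.22.93.74
rm -rf "$tmp"
```

Both checks report FAIL for the files as posted; on a live DC, point the functions at /etc/hosts and /etc/resolv.conf.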
Andrzej Gryko
2018-Jul-28 17:26 UTC
[Samba] Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...
I'm sorry. It's my fault. Only administrator can join a domain, so that's
why I couldn't do it as different user. If I join the domain and restart
windows 10, I can login as different user. So it was my fault, I didn't
know about it. Everything works ok.

Now I must add some users to administrators group and create some scripts.

Best regards
Andrzej