Andrzej Gryko
2018-Jul-28 17:26 UTC
[Samba] Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...
I'm sorry. It's my fault. Only administrator can join a domain, so that's why I couldn't do it as different user. If I join the domain and restart windows 10, I can login as different user. So it was my fault, I didn't know about it. Everything works ok.
Now I must add some users to administrators group and create some scripts.

Best regards
Andrzej

On Sat, 28 Jul 2018 at 14:35, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sat, 28 Jul 2018 13:08:55 +0200
> Andrzej Gryko <andrzej.gryko at gmail.com> wrote:
>
> > I installed:
> > Linux samba 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07)
> > x86_64 GNU/Linux
> > samba:
> > Version 4.5.12-Debian
>
> OK, as you are using debian, try using Louis's repo, this will get you a
> much more recent version of Samba:
>
> http://apt.van-belle.nl/
>
> >
> > next
> >
> > change in fstab:
> > */ ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1*
>
> Well, undo the change ;-)
> everything you have set is amongst the defaults for ext4
>
> >
> > apt-get install smbclient krb5-user bind9 attr libpam-winbind
> > libpam-krb5 libnss-winbind krb5-config ntp bind9utils
>
> I am sure they will be installed, but check if these are installed:
>
> samba winbind
>
> >
> > While configuring kerberos - default kerberos version realm; gryko.org,
> > kerberos servers: *none* (also tried samba.gryko.org), administrative
> > server: *none*
>
> Do not configure kerberos before the provision, once Samba is
> provisioned, you will find that a krb5.conf will have been created for
> you. The provision output will tell you just where it is, but, as you
> are using debian packages, it should be here:
>
> /var/lib/samba/private/krb5.conf
>
> Copy this to /etc/krb5.conf
>
> >
> > samba-tool domain provision: gryko.org, gryko, dc, bind9_dlz (also
> > tried samba internal)
> >
> > *My smb.conf:*
> >
> > *[global]
> >         netbios name = SAMBA
> >         realm = GRYKO.ORG
> >         workgroup = GRYKO
> >         server role = active directory domain controller
> > #       os level = 64
> >
> > [netlogon]
> >         path = /var/lib/samba/sysvol/gryko.org/scripts
> >         read only = No
> >
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> >
> > [homes]
> >         comment = Katalog domowy
> >         read only = No
> >         browseable = No
> >         valid users = %S
> >
> > /etc/krb5.conf:*
> > [libdefaults]
> >         default_realm = GRYKO.ORG
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >
> > /etc/bind/named.conf.options:
> > options {
> >         directory "/var/cache/bind";
> >         forwarders {
> >                 8.8.8.8;
> >                 8.8.4.4;
> >         };
> >         dnssec-validation auto;
> >         auth-nxdomain no;    # conform to RFC1035
> >         listen-on port 53 { any; };
> >         allow-query { any; };
> >         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> > };
> >
> > */etc/bind/named.conf.local*
> > include "/var/lib/samba/private/named.conf";
> >
> > /etc/resolv.conf
> > domain gryko.org
> > search gryko.org
> > nameserver 172.22.93.70 (router) - also tried itself
>
> The DC MUST use itself as its nameserver
>
> >
> > /etc/hosts
> > 127.0.0.1 localhost
> > 127.0.1.1 samba.gryko.org samba
> > 172.22.93.74 samba.gryko.org samba
> >
> > ::1 localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
>
> I think I have already said this, remove the '127.0.1.1' line and if
> anything (such as network manager) is set to use dnsmasq etc, stop them
> from doing this.
>
> >
> > smbclient \\\\172.22.93.74\\sysvol -U administrator - works properly
> > - for different users too.
> >
> > smbclient -L localhost -U agryko
> > Enter agryko's password:
> > Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
> >
> >         Sharename       Type      Comment
> >         ---------       ----      -------
> >         netlogon        Disk
> >         sysvol          Disk
> >         IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
> > Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
> >
> >         Server               Comment
> >         ---------            -------
> >
> >         Workgroup            Master
> >         ---------            -------
> >         WORKGROUP            SAMBA
> > (cannot login as 'agryko' from windows to the domain)
> >
>
> You will need to use 'GRYKO\agryko' to login into a domain joined
> windows machine.
>
> I can assure it does work, I am typing this on a Unix domain member and
> can log into a windows domain member ;-)
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
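Added example, not part of any post in this thread: a shell check for the two name-resolution points raised in the quoted reply above (a loopback /etc/hosts entry for the DC's name, and a resolv.conf nameserver that is not the DC itself). The function names and sample files are constructed for illustration; the hostname and addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print each hosts line that maps the DC's name to a loopback (127.x) address.
# $1 = hosts file, $2 = DC short hostname
check_hosts() {
    awk -v host="$2" '
        { sub(/#.*/, "") }                       # ignore comments
        $1 ~ /^127\./ {
            h = tolower(host)
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name == h || index(name, h ".") == 1) {
                    print "hosts: " $1 " maps " $i " to loopback"
                    break
                }
            }
        }' "$1"
}

# Print each nameserver entry that is not the DC's own address.
# $1 = resolv.conf file, $2 = DC IP address
check_resolv() {
    awk -v self="$2" '
        { sub(/[#;].*/, "") }                    # ignore comments
        $1 == "nameserver" && $2 != self {
            print "resolv.conf: nameserver " $2 " is not the DC (" self ")"
        }' "$1"
}

# Constructed sample files reproducing the settings quoted in the thread.
write_samples() {
    cat > "$1/hosts" <<'EOF'
127.0.0.1 localhost
127.0.1.1 samba.gryko.org samba
172.22.93.74 samba.gryko.org samba
EOF
    cat > "$1/resolv.conf" <<'EOF'
search gryko.org
nameserver 172.22.93.70
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_hosts "$tmp/hosts" samba
check_resolv "$tmp/resolv.conf" 172.22.93.74
rm -rf "$tmp"
```

On a real DC the same functions can be pointed at /etc/hosts and /etc/resolv.conf; no output means both checks pass.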
Rowland Penny
2018-Jul-28 17:50 UTC
[Samba] Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...
On Sat, 28 Jul 2018 19:26:06 +0200
Andrzej Gryko <andrzej.gryko at gmail.com> wrote:

> I'm sorry. It's my fault. Only administrator can join a domain, so
> that's why I couldn't do it as different user. If I join the domain and
> restart windows 10, I can login as different user. So it was my
> fault, I didn't know about it. Everything works ok.
> Now I must add some users to administrators group and create some
> scripts.
>

Glad you have got it sorted, but what do you need the scripts for? Most things can be covered by GPOs.

Rowland
Andrzej Gryko
2018-Jul-29 20:17 UTC
[Samba] Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...
Thank you for your help. Everything is working, even roaming profiles.

Best regards
Andrzej

On Sat, 28 Jul 2018 at 19:51, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sat, 28 Jul 2018 19:26:06 +0200
> Andrzej Gryko <andrzej.gryko at gmail.com> wrote:
>
> > I'm sorry. It's my fault. Only administrator can join a domain, so
> > that's why I couldn't do it as different user. If I join the domain and
> > restart windows 10, I can login as different user. So it was my
> > fault, I didn't know about it. Everything works ok.
> > Now I must add some users to administrators group and create some
> > scripts.
> >
>
> Glad you have got it sorted, but what do you need the scripts for? Most
> things can be covered by GPOs.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>