samba - Dec 2018 - Samba4 Kerberos Authentication Error

On 12/5/2018 12:28 PM, Rowland Penny via samba wrote:
> On Wed, 5 Dec 2018 12:19:39 -0500
> Marco Shmerykowsky PE <marco at sce-engineers.com> wrote:
> 
>>
>>
>> --
>>
>> Marco J. Shmerykowsky, PE, F.ASCE
>> marco at sce-engineers.com
>>
>> -----------------------------------------
>>      Shmerykowsky Consulting Engineers
>>        Structural Analysis & Design
>>       102 West 38th Street, 2nd Floor
>>           New York, New York 10018
>> Tel. (212) 719-9700 Fax. (212) 719-4822
>>         http://www.sce-engineers.com
>> -----------------------------------------
>>
>> On 12/5/2018 12:11 PM, Rowland Penny via samba wrote:
>>> On Wed, 5 Dec 2018 11:33:01 -0500
>>> Marco Shmerykowsky PE via samba <samba at lists.samba.org>
wrote:
>>>
>>>>
>>>> The Realm matches the DNS.
>>>>
>>>> hostname -d returns -> internal.company.com
>>>>
>>>> domain name is internal.company.com
>>>>
>>>> I can ping both internal.company.com and
>>>> machine254.internal.company.com both resolve to the IP of
>>>> MACHINE254
>>>>
>>>> I checked winbind using the commands on the following page
& all
>>>> returned as expected.
>>>>
>>>>
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Testing_the_Winbindd_Connectivity
>>>>
>>>
>>> You have never said what OS you are using, but check
/etc/krb5.conf.
>>> Does it start with an 'include' line ?
>>> If so remove it
>>>
>>> Can you post the following files
>>>
>>> /etc/hostname
>>> /etc/hosts
>>> etc/resolv.conf
>>> /etc/krb5.conf
>>> /etc/nsswitch.conf
>>>
>>> Rowland
>>
>> Server: Fedora 29 with Samba 4.9.2
>> Client: Windows 10 version 1803 Build 17134.441
>>
>> /etc/hostname:
>>
>> machine254
>>
>> /etc/hosts:
>>
>> 127.0.0.1   localhost localhost.localdomain localhost4
>> localhost4.localdomain4
>> ::1         localhost localhost.localdomain localhost6
>> localhost6.localdomain6
>> 192.168.0.251   machine254.internal.company.com   machine254
>>
>> /etc/resolv.conf:
>>
>> # Generated by NetworkManager
>>
>> nameserver 192.168.0.251
>>
>> /etc/krb5.conf:
>>
>>           default_realm = INTERNAL.COMPANY.COM
>>
>>           dns_lookup_realm = false
>>
>>           dns_lookup_kdc = true
>>
>> /etc/nsswitch.conf:
>>
>> # Generated by authselect on Fri Jun  1 19:19:08 2018
>>
>> # Do not modify this file manually.
>>
>>   
>>
>> passwd:      sss files systemd winbind
>>
>> group:       sss files systemd winbind
>>
>> netgroup:   sss files
>>
>> automount:  sss files
>>
>> services:   sss files
>>
>> sudoers:    files sss
>>
>>   
>>
>> shadow:     files
>>
>> ethers:     files
>>
>> netmasks:   files
>>
>> networks:   files
>>
>> protocols:  files
>>
>> rpc:        files
>>
>> hosts:      files dns myhostname
>>
>>   
>>
>> aliases:    files nisplus
>>
>> bootparams: nisplus [NOTFOUND=return] files
>>
>> publickey:  nisplus
>>
>> ---
>> This email has been checked for viruses by AVG.
>> https://www.avg.com
>>
> 
> Are you using the OS's Samba packages ?
> If so, you should be aware that they are deemed experimental and do not
> fully work, they have problems and this could be another one of them.
> 
> Rowland
> 
I was not aware of that.  Suggestions?

On Wed, 5 Dec 2018 13:00:38 -0500
Marco Shmerykowsky PE via samba <samba at lists.samba.org> wrote:
> > Are you using the OS's Samba packages ?
> > If so, you should be aware that they are deemed experimental and do
> > not fully work, they have problems and this could be another one of
> > them.
> > 
> > Rowland
> > 
> 
> I was not aware of that.  Suggestions?
> 
Note that your problem could be down to the OS Samba packages that use
MIT instead of Heimdal, then again it might not be. Having said that,
because the OS Samba packages are deemed experimental, I wouldn't use
them in production, there are several things that just do not work as
expected.

You options are a bit limited, find Samba packages for your OS that
use Heimdal (Sernet ?), compile Samba yourself or use another OS
(which will probably be from the Debian family).

Rowland

On 12/5/2018 1:27 PM, Rowland Penny via samba wrote:
> On Wed, 5 Dec 2018 13:00:38 -0500
> Marco Shmerykowsky PE via samba <samba at lists.samba.org> wrote:
> 
>>> Are you using the OS's Samba packages ?
>>> If so, you should be aware that they are deemed experimental and do
>>> not fully work, they have problems and this could be another one of
>>> them.
>>>
>>> Rowland
>>>
>>
>> I was not aware of that.  Suggestions?
>>
> 
> Note that your problem could be down to the OS Samba packages that use
> MIT instead of Heimdal, then again it might not be. Having said that,
> because the OS Samba packages are deemed experimental, I wouldn't use
> them in production, there are several things that just do not work as
> expected.
> 
> You options are a bit limited, find Samba packages for your OS that
> use Heimdal (Sernet ?), compile Samba yourself or use another OS
> (which will probably be from the Debian family).
> 
> Rowland
>   
That sucks.  I'm assuming Centos has the same problems?

Does this essentially mean that I need to move all my servers
(which are NT4 domains) over to a new distribution prior to
implementing an Active Directory structure on Samaba?

What is the best distribution to use for a small office?

---
This email has been checked for viruses by AVG.
https://www.avg.com