On Tue, 5 Feb 2019 at 17:07, Rowland Penny via samba (<samba at lists.samba.org>) wrote:

> On Tue, 5 Feb 2019 16:51:36 -0300
> Sergio Belkin via samba <samba at lists.samba.org> wrote:
>
> > Hi folks
> >
> > I'm using samba 4.8.3 in CentOS client and samba 4.9.3 from Van Belle
> > repos on server
> >
> > I cannot join to the domain as
> >
> > net ads join -k -d 1
> >
>
> Can you post the following files from both machines:
>
> /etc/hostname
> /etc/hosts
> /etc/resolv.conf
> /etc/krb5.conf
> smb.conf
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Hi Rowland,

Centos files:

/etc/hostname
tiny-fishwife.example.com

/etc/hosts
127.0.0.1 localhost localhost.localdomain
192.168.50.30 tiny-fishwife.example.com tiny-fishwife
192.168.254.252 tiny-fishwife.example.com tiny-fishwife
192.168.34.7 tiny-fishwife.example.com tiny-fishwife office.example.com
192.168.34.7 groupware.example.com

/etc/resolv.conf
domain example.com
search example.com
nameserver 192.168.34.4

/etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
 }

[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM

smb.conf
[global]
workgroup = EXAMPLE.COM
server string = NethServer 7.6.1810 final (Samba %v)
security = ADS
realm = EXAMPLE.COM
kerberos method = secrets and keytab
netbios name = TINY-FISHWIFE

Debian 9 ( Samba Server) files:

/etc/hosts
127.0.0.1 localhost
127.0.1.1 dc000.example.com dc000.example.com
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.34.4 ldap.example.com ldap sambaexample

/etc/hostname
dc000.example.com

/etc/resolv.conf
domain example.com
search example.com
nameserver 192.168.34.4

/etc/krb5.conf
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = true
 dns_lookup_realm = false
 forwardable = true
 proxiable = true
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

smb.conf:
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = true
 dns_lookup_realm = false
 forwardable = true
 proxiable = true
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

/smb.conf
[global]
dns forwarder = 192.168.0.2 8.8.8.8
netbios name = DC000
realm = EXAMPLE.COM
server role = active directory domain controller
workgroup = EXAMPLE
idmap_ldb:use rfc2307 = yes
# Audit settings
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice
# TLS settings
tls enabled = yes
tls certfile = tls/ldap.example.com/fullchain1.pem
tls keyfile = tls/ldap.example.com/privkey1.pem
tls cafile
#log auth
log level = 1 auth_audit:3 auth_json_audit:3

[netlogon]
path = /var/lib/samba/sysvol/example.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

Thanks in advance!
--
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org

On Tue, 5 Feb 2019 17:27:08 -0300
Sergio Belkin <sebelk at gmail.com> wrote:

> Hi Rowland,
>
> Centos files:
>
> /etc/hostname
> tiny-fishwife.example.com

It should be just the short hostname 'tiny-fishwife'

>
> /etc/hosts
> 127.0.0.1 localhost localhost.localdomain

Where does this mythical 'localdomain' come from ?
That was a rhetorical question, it should just be:

127.0.0.1 localhost

> 192.168.50.30 tiny-fishwife.example.com tiny-fishwife
> 192.168.254.252 tiny-fishwife.example.com tiny-fishwife
> 192.168.34.7 tiny-fishwife.example.com tiny-fishwife
> office.example.com
> 192.168.34.7 groupware.example.com

Why have you got multiple IPs for the same hostname ?

>
> /etc/resolv.conf
> domain example.com
> search example.com
> nameserver 192.168.34.4

If '192.168.34.4' isn't the IP address of the Samba DC, change it to the
DC's IP address.

>
> /etc/krb5.conf
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/

The above two lines are probably a large part of your problem,
krb5.conf needs only to be this:

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = true
 dns_lookup_realm = false

> smb.conf
> [global]
> workgroup = EXAMPLE.COM
> server string = NethServer 7.6.1810 final (Samba %v)
> security = ADS
> realm = EXAMPLE.COM
> kerberos method = secrets and keytab
> netbios name = TINY-FISHWIFE

Ah, you seem to be planning on using sssd, we do not support sssd.

>
> Debian 9 ( Samba Server) files:
>
> /etc/hosts
> 127.0.0.1 localhost
> 127.0.1.1 dc000.example.com dc000.example.com

I take it that 'dc000' is the Samba AD DC's short hostname, if so,
replace '127.0.1.1' with its IP address

> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 192.168.34.4 ldap.example.com ldap sambaexample

The above line is interesting, you pointed the client at that as its
nameserver, if it is the DC's IP, then remove it and create CNAME
records in AD.

>
> /etc/hostname
> dc000.example.com

Again, it should just be the short hostname 'dc000'

>
> /etc/resolv.conf
> domain example.com
> search example.com
> nameserver 192.168.34.4
>
> /etc/krb5.conf
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_kdc = true
> dns_lookup_realm = false

It only needs to be the above.

Rowland

And as last,

In smb.conf
workgroup = EXAMPLE.COM

A dot is not allowed in the workgroup names.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 5 February 2019 21:52
> To: samba at lists.samba.org
> Subject: Re: [Samba] Unable to join to a SAMBA4 domain
>
> On Tue, 5 Feb 2019 17:27:08 -0300
> Sergio Belkin <sebelk at gmail.com> wrote:
>
>
> > Hi Rowland,
> >
> > Centos files:
> >
> > /etc/hostname
> > tiny-fishwife.example.com
>
> It should be just the short hostname 'tiny-fishwife'
>
> >
> > /etc/hosts
> > 127.0.0.1 localhost localhost.localdomain
>
> Where does this mythical 'localdomain' come from ?
> That was a rhetorical question, it should just be:
>
> 127.0.0.1 localhost
>
> > 192.168.50.30 tiny-fishwife.example.com tiny-fishwife
> > 192.168.254.252 tiny-fishwife.example.com tiny-fishwife
> > 192.168.34.7 tiny-fishwife.example.com tiny-fishwife
> > office.example.com
> > 192.168.34.7 groupware.example.com
>
> Why have you got multiple IPs for the same hostname ?
>
> >
> > /etc/resolv.conf
> > domain example.com
> > search example.com
> > nameserver 192.168.34.4
>
> If '192.168.34.4' isn't the IP address of the Samba DC, change
> it to the
> DC's IP address.
>
> >
> > /etc/krb5.conf
> > includedir /etc/krb5.conf.d/
> > includedir /var/lib/sss/pubconf/krb5.include.d/
>
> The above two lines are probably a large part of your problem,
> krb5.conf needs only to be this:
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_kdc = true
> dns_lookup_realm = false
>
> > smb.conf
> > [global]
> > workgroup = EXAMPLE.COM
> > server string = NethServer 7.6.1810 final (Samba %v)
> > security = ADS
> > realm = EXAMPLE.COM
> > kerberos method = secrets and keytab
> > netbios name = TINY-FISHWIFE
>
> Ah, you seem to be planning on using sssd, we do not support sssd.
>
> >
> > Debian 9 ( Samba Server) files:
> >
> > /etc/hosts
> > 127.0.0.1 localhost
> > 127.0.1.1 dc000.example.com dc000.example.com
>
> I take it that 'dc000' is the Samba AD DC's short hostname, if so,
> replace '127.0.1.1' with its IP address
>
> > ::1 localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> > 192.168.34.4 ldap.example.com ldap sambaexample
>
> The above line is interesting, you pointed the client at that as its
> nameserver, if it is the DC's IP, then remove it and create CNAME
> records in AD.
>
> >
> > /etc/hostname
> > dc000.example.com
>
> Again, it should just be the short hostname 'dc000'
>
> >
> > /etc/resolv.conf
> > domain example.com
> > search example.com
> > nameserver 192.168.34.4
> >
> > /etc/krb5.conf
> > [libdefaults]
> > default_realm = EXAMPLE.COM
> > dns_lookup_kdc = true
> > dns_lookup_realm = false
>
> It only needs to be the above.
>
> Rowland
>

On Wed, 6 Feb 2019 08:42:26 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> And as last,
>
> In smb.conf
> workgroup = EXAMPLE.COM
>
> A dot is not allowed in the workgroup names.
>
>

Totally missed that in the myriad of other mistakes, it seems if you
can get it wrong, the OP did ;-)

Rowland

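The checks Rowland and Louis describe in the replies above (short hostname, 127.0.0.1 mapped only to localhost, one address per hostname in /etc/hosts, no dot in the workgroup, no includedir lines in krb5.conf), written as an added example that is not part of the original thread. The function names are hypothetical and the sample input is the client files as posted.

```python
import re
from collections import defaultdict

def check_hostname(text):
    return [f"hostname: '{text.strip()}' is not a short hostname"] if "." in text else []

def check_hosts(text):
    findings, ips_by_name = [], defaultdict(set)
    for line in text.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        if ip == "127.0.0.1" and names != ["localhost"]:
            findings.append("hosts: 127.0.0.1 should map to 'localhost' only")
        if ip == "127.0.1.1":
            findings.append(f"hosts: {names[0]} is on 127.0.1.1, not its real address")
        for name in names:
            ips_by_name[name].add(ip)
    for name, ips in sorted(ips_by_name.items()):
        if len(ips) > 1 and name != "localhost":  # localhost may have v4 and v6
            findings.append(f"hosts: {name} has {len(ips)} addresses")
    return findings

def check_smb_conf(text):
    m = re.search(r"^\s*workgroup\s*=\s*(\S+)", text, re.M | re.I)
    if m and "." in m.group(1):
        return [f"smb.conf: workgroup '{m.group(1)}' contains a dot"]
    return []

def check_krb5_conf(text):
    return [f"krb5.conf: {line.strip()}" for line in text.splitlines()
            if line.strip().startswith("includedir")]

# Sample input: the CentOS client files as posted in this thread (abridged).
CLIENT = {
    "hostname": "tiny-fishwife.example.com\n",
    "hosts": ("127.0.0.1 localhost localhost.localdomain\n"
              "192.168.50.30 tiny-fishwife.example.com tiny-fishwife\n"
              "192.168.254.252 tiny-fishwife.example.com tiny-fishwife\n"
              "192.168.34.7 tiny-fishwife.example.com tiny-fishwife office.example.com\n"
              "192.168.34.7 groupware.example.com\n"),
    "smb.conf": "[global]\nworkgroup = EXAMPLE.COM\nsecurity = ADS\nrealm = EXAMPLE.COM\n",
    "krb5.conf": "includedir /etc/krb5.conf.d/\n[libdefaults]\ndefault_realm = EXAMPLE.COM\n",
}
CHECKS = {"hostname": check_hostname, "hosts": check_hosts,
          "smb.conf": check_smb_conf, "krb5.conf": check_krb5_conf}

def lint(files):
    return [finding for name, text in files.items() for finding in CHECKS[name](text)]

print("\n".join(lint(CLIENT)))
```
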
On Wed, 6 Feb 2019 10:21:55 +0100
L.P.H. van Belle <belle at bazuin.nl> wrote:

> Gooood morning Rowland.
>
> Ahh, we can see everything, it's good to have one's back..
> :-)
>
> You've seen :
>
> https://support.microsoft.com/en-ca/help/4046019/guest-access-in-smb2-disabled-by-default-in-windows-10-and-windows-ser
> Guest access in SMB2 disabled by default in Windows 10, Windows
> Server 2016 version 1709, and Windows Server 2019
>
> One to remember.
>

I hadn't seen that actual webpage, but I have seen similar ones. I
cannot understand why anybody would want to use guest access in an AD
domain, you are potentially allowing somebody to do a great deal of
damage.

Rowland

On Tue, 5 Feb 2019 at 17:52, Rowland Penny via samba (<samba at lists.samba.org>) wrote:

> On Tue, 5 Feb 2019 17:27:08 -0300
> Sergio Belkin <sebelk at gmail.com> wrote:
>
>
> > Hi Rowland,
> >
> > Centos files:
> >
> > /etc/hostname
> > tiny-fishwife.example.com
>
> It should be just the short hostname 'tiny-fishwife'
>
> >
> > /etc/hosts
> > 127.0.0.1 localhost localhost.localdomain
>
> Where does this mythical 'localdomain' come from ?
> That was a rhetorical question, it should just be:
>

Really I don't know, many distros use it by default

> >
> > /etc/krb5.conf
> > includedir /etc/krb5.conf.d/
> > includedir /var/lib/sss/pubconf/krb5.include.d/
>
> The above two lines are probably a large part of your problem,
> krb5.conf needs only to be this:
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_kdc = true
> dns_lookup_realm = false
>
> > smb.conf
> > [global]
> > workgroup = EXAMPLE.COM
> > server string = NethServer 7.6.1810 final (Samba %v)
> > security = ADS
> > realm = EXAMPLE.COM
> > kerberos method = secrets and keytab
> > netbios name = TINY-FISHWIFE
>
> Ah, you seem to be planning on using sssd, we do not support sssd.
>

Good to know it. What should we use instead? winbind?

In connection with /etc/hostname I agree with you but some distros use the
fqdn in /etc/hostname and also we have tools that :-/

Thanks for your help Rowland

--
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org