Hi Louis,
Thank you for that.
I don't have a /var/lib/samba/bind-dns/dns/, only /var/lib/samba/private/dns.
AppArmor is now stopped and masked. I had masked smbd and nmbd after the migration, and have masked winbind now.
I have edited samba and bind as per your suggestion, and changed named.conf.options and krb5.conf.
I rebooted the server after the changes and tried to join a Windows 7 machine again; same message in the logs. I used my account this time.
I suspect an issue here, especially the last line. This is from log.192.168.14.153 (the samba log):
Adding homes service for user 'LIN\pghimire' using home directory:
'/home/LIN/pghimire'
get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2019/05/06 09:39:15.172941, 2]
../source3/modules/vfs_acl_xattr.c:236(connect_acl_xattr)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and 'force unknown acl user = true' for service IPC$
[2019/05/06 09:39:15.174415, 4]
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (1153, 100) - sec_ctx_stack_ndx = 0
[2019/05/06 09:39:15.174700, 0] ../source3/lib/util.c:815(smb_panic_s3)
PANIC (pid 351): sys_setgroups failed
Regards,
Praveen Ghimire
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van
Belle via samba
Sent: Monday, 6 May 2019 7:20 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Doman join issues
Hai,
1) AppArmor: disable it and try again, so we can confirm whether it's an AppArmor setting.
2) winbind is started from systemd, while as an AD DC you should disable that.
- stop the member parts of samba and systemd.
systemctl stop winbind smbd nmbd samba
systemctl disable winbind smbd nmbd samba
systemctl mask winbind smbd nmbd samba
- enable the samba-ad-dc part in systemd.
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc
Using bind9?
systemctl edit samba-ad-dc
Add:
[Unit]
After=network.target network-online.target bind9.service
systemctl edit bind9
Add:
[Service]
ExecReload
> /var/lib/samba/private/krb5.conf r,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
Also add in advance for 4.9+ and AppArmor.
And if you look in that AppArmor file, you will see:
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.named>
So use the local/usr.sbin.named file; that makes tracking changes easier.
/var/lib/samba/bind-dns/dns/ rw,
/var/lib/samba/bind-dns/dns.keytab rw,
/var/lib/samba/bind-dns/dns/named.conf r,
/var/lib/samba/bind-dns/dns/named.conf.update r,
/var/lib/samba/bind-dns/dns/named.txt rw,
And I've added some parts below.
>
> /etc/krb5.conf
> [libdefaults]
> default_realm = lin.com
HERE : LIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
Remove this part as of here:
> [realms]
> lin.com = {
> kdc = linserver01
> admin_server = linserver01
>
> }
To here.
>
> /etc/bind/named.conf
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> /etc/bind/named.conf.options
> options {
> directory "/var/cache/bind";
> forwarders { 8.8.8.8; 8.8.4.4; };
> dnssec-validation no;
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> // auth-nxdomain no; # conform to RFC1035
auth-nxdomain yes; # because this server is controlling the AD domain.
> listen-on-v6 { any; };
> };
>
Greetz,
Louis
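A small check for the krb5.conf points Louis raises above (upper-case default_realm, and a hard-coded [realms] block that is unnecessary once dns_lookup_kdc is true). This is an added example, not code from either poster; the sample files are constructed from the configuration quoted in the thread and the check_krb5_conf function name is mine.

```shell
#!/bin/sh
# Added example: lint an AD DC's /etc/krb5.conf against the advice in the thread.
# It reports: default_realm not upper-case, a leftover [realms] block, and
# dns_lookup_kdc not set to true.  Prints "ok" when nothing is wrong.

check_krb5_conf() {
    conf="$1"
    problems=""
    # First default_realm value, whitespace around '=' tolerated.
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$conf" | head -n1)
    if [ -z "$realm" ]; then
        problems="${problems}missing default_realm;"
    elif [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        problems="${problems}default_realm not upper-case;"
    fi
    # With dns_lookup_kdc = true the KDC is found via DNS SRV records,
    # so a hand-written [realms] section is only a source of drift.
    if grep -q '^[[:space:]]*\[realms\]' "$conf"; then
        problems="${problems}remove [realms] block (dns_lookup_kdc handles it);"
    fi
    if ! grep -q '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*true' "$conf"; then
        problems="${problems}dns_lookup_kdc should be true;"
    fi
    if [ -z "$problems" ]; then echo ok; else echo "$problems"; fi
}

# Constructed sample: the krb5.conf as quoted in the thread (the "before").
write_sample() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = lin.com
    dns_lookup_realm = false
    dns_lookup_kdc = true
[realms]
    lin.com = {
        kdc = linserver01
        admin_server = linserver01
    }
EOF
}

# Constructed sample: the same file after following the advice.
write_fixed() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = LIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
EOF
}
```

Run it against the real file with `check_krb5_conf /etc/krb5.conf`.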