On Sun, Jun 23, 2019 at 12:21:58PM +0100, Rowland penny via samba wrote:
> You are coming from a PDC domain to an AD DC domain, easiest thing first,
> you do not use 'wins' with an AD DC, you use 'dns'.

I know the latter (had to delegate the zone in bind after all), but
"wins support=yes" must have been created either by Debian or by
"domain provision".

> Can you download this:
>
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh

The results are available at <http://froehlich.priv.at/samba/>

> Can you also supply the AD object for 'Domain Users', I know where
> you got '100' from, but I need to see if you used it for the
> 'Domain Users' gidNumber.

Is available as well (and no, I did not, as I thought that AD
numbers have to be in the respective range > 10k)

Bye,
Stefan

--
The philosopher's stone, or why Stefan strives so mightily!
Sloganizer, https://www.poetron-zone.de/

On 23/06/2019 13:16, Stefan Froehlich via samba wrote:
> On Sun, Jun 23, 2019 at 12:21:58PM +0100, Rowland penny via samba wrote:
>> You are coming from a PDC domain to an AD DC domain, easiest thing first,
>> you do not use 'wins' with an AD DC, you use 'dns'.
> I know the latter (had to delegate the zone in bind after all), but
> "wins support=yes" must have been created either by Debian or by
> "domain provision".
>
>> Can you download this:
>>
>> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
> The results are available at <http://froehlich.priv.at/samba/>
>
>> Can you also supply the AD object for 'Domain Users', I know where
>> you got '100' from, but I need to see if you used it for the
>> 'Domain Users' gidNumber.
> Is available as well (and no, I did not, as I thought that AD
> numbers have to be in the respective range > 10k)
>
> Bye,
> Stefan
>

Sorry but you have a MAJOR problem, you have this on the DC (note: it
isn't a PDC, it is a DC):

Hostname: controller
DNS Domain: synth.intern
FQDN: controller.synth.intern
ipaddress: 192.168.1.11
-----------
Samba is running as an AD DC

Then on the Unix domain member, you have this:

Hostname: herakles
DNS Domain: synthesis.synth.intern
FQDN: herakles.synthesis.synth.intern
ipaddress: 192.168.1.13
-----------
Samba is running as a Unix domain member

They are not in the same DNS domain and they must be.

I will continue examining the two new files.

Rowland

On 23/06/2019 13:34, Rowland penny via samba wrote:
> On 23/06/2019 13:16, Stefan Froehlich via samba wrote:
>> On Sun, Jun 23, 2019 at 12:21:58PM +0100, Rowland penny via samba wrote:
>>> You are coming from a PDC domain to an AD DC domain, easiest thing
>>> first,
>>> you do not use 'wins' with an AD DC, you use 'dns'.
>> I know the latter (had to delegate the zone in bind after all), but
>> "wins support=yes" must have been created either by Debian or by
>> "domain provision".
>>
>>> Can you download this:
>>>
>>> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>>>
>> The results are available at <http://froehlich.priv.at/samba/>
>>
>>> Can you also supply the AD object for 'Domain Users', I know where
>>> you got '100' from, but I need to see if you used it for the
>>> 'Domain Users' gidNumber.
>> Is available as well (and no, I did not, as I thought that AD
>> numbers have to be in the respective range > 10k)
>>
>> Bye,
>> Stefan
>>
> Sorry but you have a MAJOR problem, you have this on the DC (note: it
> isn't a PDC, it is a DC):
>
> Hostname: controller
> DNS Domain: synth.intern
> FQDN: controller.synth.intern
> ipaddress: 192.168.1.11
> -----------
> Samba is running as an AD DC
>
> Then on the Unix domain member, you have this:
>
> Hostname: herakles
> DNS Domain: synthesis.synth.intern
> FQDN: herakles.synthesis.synth.intern
> ipaddress: 192.168.1.13
> -----------
> Samba is running as a Unix domain member
>
> They are not in the same DNS domain and they must be.
>
> I will continue examining the two new files.
>
> Rowland
>
>

You have a DC in the 'synth.intern' dns domain, yet the Kerberos Realm
is 'SYNTHESIS.SYNTH.INTERN', it should be 'SYNTH.INTERN'

The Unix domain member is in the 'synthesis.synth.intern' dns domain and
its Kerberos Realm is 'SYNTHESIS.SYNTH.INTERN'

I am sorry, but you must fix this before anything else has a chance of
working, all computers must be in the same dns domain and the Realm must
be the dns domain in uppercase.

Rowland
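
Added example, not part of the thread and not Samba's own code: a shell check for the rule stated in the last message (every host in one DNS domain, realm equal to that domain in uppercase). The input layout, the function name audit_hosts and the host name herakles.synth.intern are assumptions made for illustration; the other values are the ones quoted above.

```shell
#!/bin/sh
# Added example. Input on stdin, one host per line:
#   <FQDN> <DNS domain> <Kerberos realm>
# Assumption: the realm is copied by hand from "realm =" in each smb.conf.
# Prints one line per problem; exit status is 0 only if nothing was found.
audit_hosts() {
    awk '
    NF != 3 { next }                      # skip blank or malformed lines
    {
        fqdn = tolower($1); dom = tolower($2); realm = $3
        # Rule 1: the realm must be the DNS domain in uppercase.
        if (realm != toupper(dom)) {
            printf "%s: realm %s should be %s\n", fqdn, realm, toupper(dom)
            bad = 1
        }
        # Rule 2: the FQDN must be <hostname>.<DNS domain>.
        suffix = "." dom
        start = length(fqdn) - length(suffix) + 1
        if (start < 2 || substr(fqdn, start) != suffix) {
            printf "%s: FQDN is not inside DNS domain %s\n", fqdn, dom
            bad = 1
        }
        # Rule 3: every host must be in the same DNS domain.
        if (first == "") {
            first = dom
        } else if (dom != first) {
            printf "%s: DNS domain %s differs from %s\n", fqdn, dom, first
            bad = 1
        }
    }
    END { exit bad + 0 }
    '
}

# Constructed input: the two hosts with the values quoted in the thread.
thread_hosts='controller.synth.intern synth.intern SYNTHESIS.SYNTH.INTERN
herakles.synthesis.synth.intern synthesis.synth.intern SYNTHESIS.SYNTH.INTERN'

# Constructed input: one consistent layout (herakles.synth.intern is hypothetical).
consistent_hosts='controller.synth.intern synth.intern SYNTH.INTERN
herakles.synth.intern synth.intern SYNTH.INTERN'

printf '%s\n' "$thread_hosts" | audit_hosts || echo "=> inconsistent"
printf '%s\n' "$consistent_hosts" | audit_hosts && echo "=> consistent"
```

For the thread's values it reports the DC's realm mismatch and the member's differing DNS domain; the consistent layout produces no findings.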