On 23/06/2019 13:34, Rowland penny via samba wrote:
> On 23/06/2019 13:16, Stefan Froehlich via samba wrote:
>> On Sun, Jun 23, 2019 at 12:21:58PM +0100, Rowland penny via samba wrote:
>>> You are coming from a PDC domain to an AD DC domain, easiest thing
>>> first, you do not use 'wins' with an AD DC, you use 'dns'.
>> I know the latter (had to delegate the zone in bind after all), but
>> "wins support=yes" must have been created either by Debian or by
>> "domain provision".
>>
>>> Can you download this:
>>>
>>> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>>>
>> The results are available at <http://froehlich.priv.at/samba/>
>>
>>> Can you also supply the AD object for 'Domain Users', I know where
>>> you got '100' from, but I need to see if you used it for the
>>> 'Domain Users' gidNumber.
>> Is available as well (and no, I did not, as I thought that AD
>> numbers have to be in the respective range > 10k)
>>
>> Bye,
>> Stefan
>>
> Sorry but you have a MAJOR problem, you have this on the DC (note: it
> isn't a PDC, it is a DC):
>
> Hostname: controller
> DNS Domain: synth.intern
> FQDN: controller.synth.intern
> ipaddress: 192.168.1.11
> -----------
> Samba is running as an AD DC
>
> Then on the Unix domain member, you have this:
>
> Hostname: herakles
> DNS Domain: synthesis.synth.intern
> FQDN: herakles.synthesis.synth.intern
> ipaddress: 192.168.1.13
> -----------
> Samba is running as a Unix domain member
>
> They are not in the same DNS domain and they must be.
>
> I will continue examining the two new files.
>
> Rowland
>
>

You have a DC in the 'synth.intern' dns domain, yet the Kerberos Realm is
'SYNTHESIS.SYNTH.INTERN', it should be 'SYNTH.INTERN'

The Unix domain member is in the 'synthesis.synth.intern' dns domain and its
Kerberos Realm is 'SYNTHESIS.SYNTH.INTERN'

I am sorry, but you must fix this before anything else has a chance of
working, all computers must be in the same dns domain and the Realm must
be the dns domain in uppercase.

Rowland
On Sun, Jun 23, 2019 at 01:53:43PM +0100, Rowland penny via samba wrote:
> You have a DC in the 'synth.intern' dns domain, yet the Kerberos Realm is
> 'SYNTHESIS.SYNTH.INTERN', it should be 'SYNTH.INTERN'
>
> The Unix domain member is in the 'synthesis.synth.intern' dns domain and its
> Kerberos Realm is 'SYNTHESIS.SYNTH.INTERN'
>
> I am sorry, but you must fix this before anything else has a
> chance of working, all computers must be in the same dns domain
> and the Realm must be the dns domain in uppercase.

No need to be sorry - most likely I'll redo the whole setup from scratch.
But just to be sure and to avoid new mistakes, after re-reading the
samba wiki:

I understand that they use the same SAMDOM.EXAMPLE.COM as DNS *and*
Windows domain which is (for legacy reasons and for a smoother
transition) something I'd rather like to avoid.

There is the existing DNS domain synth.intern (driven by bind and
generally in a rather good shape) and I want to create the new AD
domain SYNTHESIS *below* and independent from that.

That's why I created an NS record for synthesis.synth.intern delegating
it to the DC and proceeded from there following the wiki with my AD DNS
domain being SYNTHESIS.SYNTH.INTERN.

Is this possible at all or am I just begging for trouble with such a
setup?

Bye,
Stefan
-- 
Stefan - Maybe we should go into that in more depth some time!
Sloganizer, https://www.poetron-zone.de/
On 23/06/2019 14:34, Stefan Froehlich via samba wrote:
> No need to be sorry - most likely I'll redo the whole setup from scratch.
> But just to be sure and to avoid new mistakes, after re-reading the
> samba wiki:
>
> I understand that they use the same SAMDOM.EXAMPLE.COM as DNS *and*
> Windows domain which is (for legacy reasons and for a smoother
> transition) something I'd rather like to avoid.

'SAMDOM.EXAMPLE.COM' is an example Realm name, you can use whatever you
like. However, whatever you use for the DNS domain, MUST be used for the
Realm name, but the Realm name must be in uppercase.

> There is the existing DNS domain synth.intern (driven by bind and
> generally in a rather good shape) and I want to create the new AD
> domain SYNTHESIS *below* and independent from that.

So far, this was a good idea.

> That's why I created an NS record for synthesis.synth.intern delegating
> it to the DC and proceeded from there following the wiki with my AD DNS
> domain being SYNTHESIS.SYNTH.INTERN.

That is where you went wrong ;-)
You should have used the subdomain 'synthesis.synth.intern' for your AD,
totally unconnected to your other DNS server. Your AD DC's are all
authoritative for the DNS domain and your AD clients must use the DC's as
their nameservers, anything the DC's do not know (anything outside the AD
domain) should be forwarded to another DNS server.

> Is this possible at all or am I just begging for trouble with such a
> setup?

No and Yes ;-)

Rowland
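The two rules Rowland gives above (the Kerberos realm is the host's DNS domain in upper case, and the DC and every domain member sit in the same DNS domain) are easy to get wrong when the AD domain is a subdomain of an older zone, so here is a small POSIX shell check for them. This is an added example, not code from the thread or from the Samba project; the host names are the ones from the thread, the smb.conf fragment is constructed for the example, and the function names are my own.

```sh
#!/bin/sh
# Added example, not code from the thread or from Samba: sanity-check the two
# rules Rowland states, (1) the Kerberos realm is the host's DNS domain in
# upper case, and (2) the DC and every domain member share that DNS domain.
# Host names are the ones from the thread; the smb.conf fragment is constructed.

# DNS domain of an FQDN: everything after the first label. A bare host name
# (no dot) yields an empty string, so it fails every comparison below.
dns_domain_of() {
    printf '%s\n' "$1" | cut -s -d. -f2-
}

# The realm Samba expects for this host: its DNS domain in upper case.
expected_realm_of() {
    dns_domain_of "$1" | tr '[:lower:]' '[:upper:]'
}

# Extract 'realm = ...' from an smb.conf read on stdin (first match wins).
realm_from_smbconf() {
    sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Exit 0 if REALM is exactly the upper-cased DNS domain of FQDN, else 1.
# A lower-case realm is rejected too, because the expected value is upper case.
realm_matches_fqdn() {
    [ "$(expected_realm_of "$1")" = "$2" ]
}

# Exit 0 if two hosts are in the same (non-empty) DNS domain, else 1.
same_dns_domain() {
    d1=$(dns_domain_of "$1")
    [ -n "$d1" ] && [ "$d1" = "$(dns_domain_of "$2")" ]
}

# Constructed DC smb.conf mirroring the thread: the DC's FQDN is
# controller.synth.intern, but the realm is SYNTHESIS.SYNTH.INTERN. Either the
# realm has to become SYNTH.INTERN or the DC has to move into
# synthesis.synth.intern (the layout Rowland recommends).
dc_smbconf_broken='[global]
    netbios name = CONTROLLER
    realm = SYNTHESIS.SYNTH.INTERN
    workgroup = SYNTHESIS
    server role = active directory domain controller'

# Report on one DC / member pair. The verdict is printed; always returns 0.
report() {
    dc_fqdn=$1; dc_realm=$2; member_fqdn=$3
    if realm_matches_fqdn "$dc_fqdn" "$dc_realm"; then
        printf 'OK   realm %s matches DC %s\n' "$dc_realm" "$dc_fqdn"
    else
        printf 'FAIL realm %s; DC %s needs realm %s\n' "$dc_realm" "$dc_fqdn" \
            "$(expected_realm_of "$dc_fqdn")"
    fi
    if same_dns_domain "$dc_fqdn" "$member_fqdn"; then
        printf 'OK   %s and %s share a DNS domain\n' "$dc_fqdn" "$member_fqdn"
    else
        printf 'FAIL %s and %s are in different DNS domains\n' "$dc_fqdn" "$member_fqdn"
    fi
}

# First the setup from the thread, then the DC moved into the AD subdomain.
realm=$(printf '%s\n' "$dc_smbconf_broken" | realm_from_smbconf)
report controller.synth.intern "$realm" herakles.synthesis.synth.intern
report controller.synthesis.synth.intern "$realm" herakles.synthesis.synth.intern
```

Run on a real box, feed `realm_from_smbconf` with `testparm -s 2>/dev/null` instead of the constructed string and pass `hostname -f` as the FQDN; the check only covers the realm and DNS domain, not the NetBIOS `workgroup` name or the DNS delegation itself.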
On Sun, Jun 23, 2019 at 03:34:08PM +0200, Stefan Froehlich via samba wrote:
> No need to be sorry - most likely I'll redo the whole setup from scratch.

Did so (I am following a script by now, so it does not take too long),
but I feel more and more lost - there must always be something different
I do wrong:

Now I configured DNS the other way round, pointing every host to the DC
and using "dns forwarder = 8.8.8.8" there to resolve the rest of the
world. Problem is that the DC does not forward anything (no packets are
leaving the controller on port 53) and answers all external questions
with an empty result set. Is there anything I could have missed?

And another annoying issue popped up: At the fileserver I can wbinfo(1)
my test account by name and by uid, I can chown(1) files to it, I can
even su(1) or ssh(1) to it and work at the CLI. But if I want to connect
to a share:

| ~# smbclient //herakles/profiles/ -Utest
| Enter SYNTHESIS\test's password:
| session setup failed: NT_STATUS_ACCESS_DENIED

The log file contains:

| [2019/06/24 09:28:03.876063, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
|   Found account name from PAC: test [Max Mustermann]
| [2019/06/24 09:28:03.876091, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
|   Kerberos ticket principal name is [test@SYNTHESIS.SYNTH.INTERN]
| [2019/06/24 09:28:03.877874, 3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
|   get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
| [2019/06/24 09:28:03.877895, 3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
|   auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
| [2019/06/24 09:28:03.877937, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
|   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
| [2019/06/24 09:28:03.878357, 3] ../source3/smbd/server_exit.c:237(exit_server_common)
|   Server exit (NT_STATUS_END_OF_FILE)

How can the username be "invalid", if I can use it for anything else?

The debug info is at <http://froehlich.priv.at/www/samba/> again.

Bye,
Stefan
-- 
In a mood with Stefan, steadfast and daft!
Sloganizer, https://www.poetron-zone.de/