miguel medalha
2020-Feb-03 12:40 UTC
[Samba] Unable to contact active directory or verify claim types
I am using Samba as Active Directory Domain Controller as well as file server, serving a network of Windows clients.

I recently upgraded a bunch of computers from Windows 7 to Windows 10 release 1909. I just discovered that under Windows 10, as a Domain Admin, when I try to add a new permission to a folder or file on Samba shares through the Advanced security tab I cannot do it because the box is grayed and contains the following message:

"Unable to contact active directory or verify claim types"

The basic permissions work without problems, only the Advanced ones have this problem. If I log on to a Windows 7 client with the same account, everything works perfectly.

When I try the same on a file located in the local hard disk, the above message does not appear but the box is also grayed out. Once again, it works perfectly under Windows 7.

The 2 DCs are running Samba 4.8.12 (I know it's old but I could not upgrade yet due to hardware/software constraints). Dbcheck gives no errors, replication is working fine. DNS is working fine. I see no other problems on the network but this one.

The smb.conf on the AD DCs:

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.TLD
server role = active directory domain controller
dns forwarder = x.x.x.x
disable netbios = yes
ntlm auth = no
client ipc signing = mandatory
server min protocol = SMB2_10
client min protocol = SMB2_10
client ipc min protocol = SMB2_10
smb ports = 445

[netlogon]
path = /path/to/sysvol/scripts
read only = no
browsable = yes

[sysvol]
path = /path/to/sysvol/
read only = no
browsable = yes

Any clues? Thank you.
Rowland penny
2020-Feb-03 13:48 UTC
[Samba] Unable to contact active directory or verify claim types
On 03/02/2020 12:40, miguel medalha via samba wrote:
> I am using Samba as Active Directory Domain Controller as well as file
> server, serving a network of Windows clients.

It looks like you are saying that you are using the DC as a fileserver, but you haven't shown any shares in your smb.conf (other than netlogon and sysvol and these do not count).

> I recently upgraded a bunch of computers from Windows 7 to Windows 10
> release 1909. I just discovered that under Windows 10, as a Domain Admin,
> when I try to add a new permission to a folder or file on Samba shares
> through the Advanced security tab I cannot do it because the box is grayed
> and contains the following message:
>
> "Unable to contact active directory or verify claim types"

There are numerous differences between Win 7 and 10, not least is SMBv1 being turned off by default (not that this should affect you, you have it turned off as well). Have you read this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

> The 2 DCs are running Samba 4.8.12 (I know it's old but I could not upgrade
> yet due to hardware/software constraints). Dbcheck gives no errors,
> replication is working fine. DNS is working fine. I see no other problems on
> the network but this one.
>
> The smb.conf on the AD DCs:
>
> [global]
> workgroup = MYDOMAIN
> realm = MYDOMAIN.TLD
> server role = active directory domain controller
> dns forwarder = x.x.x.x
> disable netbios = yes
> ntlm auth = no
> client ipc signing = mandatory
> server min protocol = SMB2_10
> client min protocol = SMB2_10
> client ipc min protocol = SMB2_10
> smb ports = 445
>
> [netlogon]
> path = /path/to/sysvol/scripts
> read only = no
> browsable = yes
>
> [sysvol]
> path = /path/to/sysvol/
> read only = no
> browsable = yes
>
> Any clues? Thank you.

Are you running anything else on the DC (sssd for instance)?

Rowland