Rowland Penny
2021-Jul-14 12:26 UTC
[Samba] I can't login into my Linux client with Samba DC users.
On Wed, 2021-07-14 at 13:22 +0200, L.P.H. van Belle via samba wrote:> > 1- Why Windows client working with it without any problem? > Because when the join the primary DNS domain is always correct > And you most probely did set the ip's of the DC's as resolvers for > them. > > You asked this before and we asked info before.. > Im still waiting.. (thats why i also didnt reply before)..You should have seen what I wrote before deleting it!> > Most probley your error is in the resolving order.Could be, but doubtful.> Run this on 1 DC and 1 member. > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh > > DONT change the structures of the setup when you anonymize it. > > Now this : samba-tool domain info 192.168.56.7 > Why are you not using : samba-tool domain info hostname.fqdn > Im just wondering.Because it works and 'samba-tool domain info --help' returns: Usage: samba-tool domain info <ip_address> [options]> So my advice is, try to avoid testing with ipnumbers and start > testing with FQDN's. > This will help in finding/and later avoiding resolving problems. > > > Greetz, > > Louis > > > > -----Oorspronkelijk bericht----- > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > > Jason Long via samba > > Verzonden: woensdag 14 juli 2021 13:09 > > Aan: sambalist; Rowland Penny > > Onderwerp: Re: [Samba] I can't login into my Linux client > > with Samba DC users. > > > > Thanks. > > 1- Why Windows client working with it without any problem? > > 2- How can I fix it? > > > > > > > > > > > > > > On Wednesday, July 14, 2021, 03:32:21 PM GMT+4:30, Rowland > > Penny via samba <samba at lists.samba.org> wrote: > > > > > > > > > > > > On Wed, 2021-07-14 at 10:41 +0000, Jason Long wrote: > > > Thank you. > > > > > > As you see: > > > # samba-tool domain info 192.168.56.7 > > > Forest : mydomain.z > > > Domain : mydomain.z > > > Netbios domain : MYDOMAIN > > > DC name : mydc.mydomain.z > > > DC netbios name : MYDC > > > Server site : Default-First-Site-Name > > > Client site : Default-First-Site-Name > > > > > > If my configuration is wrong, then how can I fix it? > > > > > > > > > > > > > > > > > > On Monday, July 12, 2021, 11:29:30 PM GMT+4:30, Rowland Penny via > > > samba <samba at lists.samba.org> wrote: > > > > > > > > > > > > > > > > > > On Mon, 2021-07-12 at 18:44 +0000, Jason Long via samba wrote: > > > > Hello, > > > > I had a thread with the name "I can't join my Linux client to > > > > my > > > > Samba DC." and I joined my Linux client to my Samba DC, > > but I can't > > > > login into my Linux client with my Samba DC users. > > > > I have a Samba DC as below: > > > > > > > > > > > > # samba-tool domain info 192.168.56.7 > > > > Forest : mydomain.z > > > > Domain : mydomain.z > > > > Netbios domain : MYDOMAIN > > > > DC name : mydc.mydomain.z > > > > DC netbios name : MYDC > > > > Server site : Default-First-Site-Name > > > > Client site : Default-First-Site-Name > > > > > > > > > > > > > > > > > > > > And I want to join my Linux client to my Samba DC. The content > > > > of > > > > "smb.conf" file on my Linux client is: > > > > > > > > > > > > [global] > > > > workgroup = MYDC > > > > security = ADS > > > > realm = MYDC.MYDOMAIN.Z > > > > > > Your realm isn't 'MYDC.MYDOMAIN.Z' , from what you have posted, > > > your > > > realm should be 'MYDOMAIN.Z' > > > > > > Also, I doubt that your workgroup name is 'MYDC' as this appears > > > to > > > be > > > your DCs short hostname. If your workgroup (aka NetBios domain > > > name) > > > is > > > the same as your DC's short hostname, then I suggest you fix this > > > > > > > You have set your workgroup to 'MYDC' and you also posted 'DC > > netbios > > name : MYDC', you also posted 'Netbios domain : MYDOMAIN', > > another > > name for 'Netbios domain' is 'workgroup'. > > 'DC netbios name' != 'Netbios domain' > > > > You also seem to be using the DC's FQDN for the realm, it > > should be the > > dns domain in uppercase, which in your case seems to be > > 'MYDOMAIN.Z' > > > > > > Rowland > > > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > > >
Jason Long
2021-Jul-16 05:27 UTC
[Samba] I can't login into my Linux client with Samba DC users.
Hello, I did: # samba-tool domain info mydc Forest? ? ? ? ? ?: mydomain.z Domain? ? ? ? ? ?: mydomain.z Netbios domain? ?: MYDOMAIN DC name? ? ? ? ? : mydc.mydomain.z DC netbios name? : MYDC Server site? ? ? : Default-First-Site-Name Client site? ? ? : Default-First-Site-Name And I executed that script on both of server and client: On Server: https://paste.ubuntu.com/p/pZ9Rnk7Kpc/ On Client: https://paste.ubuntu.com/p/msCDTgrZPS/ Thanks. On Wednesday, July 14, 2021, 04:56:58 PM GMT+4:30, Rowland Penny via samba <samba at lists.samba.org> wrote: On Wed, 2021-07-14 at 13:22 +0200, L.P.H. van Belle via samba wrote:> > 1- Why Windows client working with it without any problem? > Because when the join the primary DNS domain is always correct > And you most probely did set the ip's of the DC's as resolvers for > them. > > You asked this before and we asked info before.. > Im still waiting.. (thats why i also didnt reply before)..You should have seen what I wrote before deleting it!> > Most probley your error is in the resolving order.Could be, but doubtful.> Run this on 1 DC and 1 member. > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh > > DONT change the structures of the setup when you anonymize it. > > Now this :? samba-tool domain info 192.168.56.7 > Why are you not using : samba-tool domain info hostname.fqdn > Im just wondering.Because it works and 'samba-tool domain info --help' returns: Usage: samba-tool domain info <ip_address> [options]> So my advice is, try to avoid testing with ipnumbers and start > testing with FQDN's. > This will help in finding/and later avoiding resolving problems. > > > Greetz, > > Louis > > > > -----Oorspronkelijk bericht----- > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > > Jason Long via samba > > Verzonden: woensdag 14 juli 2021 13:09 > > Aan: sambalist; Rowland Penny > > Onderwerp: Re: [Samba] I can't login into my Linux client > > with Samba DC users. > > > > Thanks. > > 1- Why Windows client working with it without any problem? > > 2- How can I fix it? > > > > > > > > > > > > > > On Wednesday, July 14, 2021, 03:32:21 PM GMT+4:30, Rowland > > Penny via samba <samba at lists.samba.org> wrote: > > > > > > > > > > > > On Wed, 2021-07-14 at 10:41 +0000, Jason Long wrote: > > > Thank you. > > > > > > As you see: > > > # samba-tool domain info 192.168.56.7 > > > Forest? ? ? ? ? : mydomain.z > > > Domain? ? ? ? ? : mydomain.z > > > Netbios domain? : MYDOMAIN > > > DC name? ? ? ? ? : mydc.mydomain.z > > > DC netbios name? : MYDC > > > Server site? ? ? : Default-First-Site-Name > > > Client site? ? ? : Default-First-Site-Name > > > > > > If my configuration is wrong, then how can I fix it? > > > > > > > > > > > > > > > > > > On Monday, July 12, 2021, 11:29:30 PM GMT+4:30, Rowland Penny via > > > samba <samba at lists.samba.org> wrote: > > > > > > > > > > > > > > > > > > On Mon, 2021-07-12 at 18:44 +0000, Jason Long via samba wrote: > > > > Hello, > > > > I had a thread with the name "I can't join my Linux client to > > > > my > > > > Samba DC." and I joined my Linux client to my Samba DC, > > but I can't > > > > login into my Linux client with my Samba DC users. > > > > I have a Samba DC as below: > > > > > > > > > > > > # samba-tool domain info 192.168.56.7 > > > > Forest? ? ? ? ? : mydomain.z > > > > Domain? ? ? ? ? : mydomain.z > > > > Netbios domain? : MYDOMAIN > > > > DC name? ? ? ? ? : mydc.mydomain.z > > > > DC netbios name? : MYDC > > > > Server site? ? ? : Default-First-Site-Name > > > > Client site? ? ? : Default-First-Site-Name > > > > > > > > > > > > > > > > > > > > And I want to join my Linux client to my Samba DC. The content > > > > of > > > > "smb.conf" file on my Linux client is: > > > > > > > > > > > > [global] > > > >? ? workgroup = MYDC > > > >? ? security = ADS > > > >? ? realm = MYDC.MYDOMAIN.Z > > > > > > Your realm isn't 'MYDC.MYDOMAIN.Z' , from what you have posted, > > > your > > > realm should be 'MYDOMAIN.Z' > > > > > > Also, I doubt that your workgroup name is 'MYDC' as this appears > > > to > > > be > > > your DCs short hostname. If your workgroup (aka NetBios domain > > > name) > > > is > > > the same as your DC's short hostname, then I suggest you fix this > > > > > > > You have set your workgroup to 'MYDC' and you also posted 'DC > > netbios > > name? : MYDC', you also posted 'Netbios domain? : MYDOMAIN', > > another > > name for 'Netbios domain' is 'workgroup'. > > 'DC netbios name' != 'Netbios domain' > > > > You also seem to be using the DC's FQDN for the realm, it > > should be the > > dns domain in uppercase, which in your case seems to be > > 'MYDOMAIN.Z' > > > > > > Rowland > > > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions:? https://lists.samba.org/mailman/options/samba > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions:? https://lists.samba.org/mailman/options/samba > > > > > >-- To unsubscribe from this list go to the following URL and read the instructions:? https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2021-Jul-16 07:37 UTC
[Samba] I can't login into my Linux client with Samba DC users.
Hai Jason,
Ok, now we are getting somewhere.
Server :
2 ipadresses : 10.0.3.15 192.168.56.7 ( assuming 56.7 is you default. )
But did you set your routing correctly for it? we might also need an output off
: ip route
SSSD is installed, remove it and then fix nsswitch.conf
passwd: files winbind sss systemd
group: files winbind sss systemd
Remove sss there.
Change
hosts: files resolve [!UNAVAIL=return] myhostname dns
To
hosts: files dns resolve [!UNAVAIL=return] myhostname
/etc/krb5.conf
Now, depending on IP use. OR remove this part.
[realms]
MYDOMAIN.Z = {
default_domain = mydomain.z
}
[domain_realm]
mydc = MYDOMAIN.Z
All you need is :
[libdefaults]
default_realm = MYDOMAIN.Z
dns_lookup_realm = false
dns_lookup_kdc = true
Your "SERVER" also has IP: 10.0.3.15
Add it in /etc/hosts also.
The order if important..
27.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.7 mydc.mydomain.z mydc
10.0.3.15 mydc.mydomain.z # or leave it out, i dont why you use it in your
setup.
And you noticed i removed the "mydc" in the 10.0.3.15 line.
All done, reboot server.
Client is more easy..
FQDN: node3.localhost.localdomain
ipaddress: 192.168.56.9 10.0.3.15
unable to verify DNS kerberos._tcp SRV records
Meaning, the resolving setup is broken in you client.
Hostname FQDN is incorrect.
10.0.3.15 ?? Why thats the same ip as on the SERVER.
So in order, fix on the client :
/etc/hosts
/etc/resolv.conf
/etc/nsswitch.conf
/etc/krb5.conf
Reboot.
Verify client settings again, re-run the script, i know its not fully compliant
with your os but it shows sufficient at the moment.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Jason Long via samba
> Verzonden: vrijdag 16 juli 2021 7:27
> Aan: samba at lists.samba.org; Rowland Penny
> Onderwerp: Re: [Samba] I can't login into my Linux client
> with Samba DC users.
>
> Hello,
> I did:
> # samba-tool domain info mydc
> Forest? ? ? ? ? ?: mydomain.z
> Domain? ? ? ? ? ?: mydomain.z
> Netbios domain? ?: MYDOMAIN
> DC name? ? ? ? ? : mydc.mydomain.z
> DC netbios name? : MYDC
> Server site? ? ? : Default-First-Site-Name
> Client site? ? ? : Default-First-Site-Name
>
> And I executed that script on both of server and client:
>
> On Server:
> https://paste.ubuntu.com/p/pZ9Rnk7Kpc/
>
> On Client:
> https://paste.ubuntu.com/p/msCDTgrZPS/
>
>
> Thanks.
>
>
> On Wednesday, July 14, 2021, 04:56:58 PM GMT+4:30, Rowland
> Penny via samba <samba at lists.samba.org> wrote:
>
>
>
>
>
> On Wed, 2021-07-14 at 13:22 +0200, L.P.H. van Belle via samba wrote:
> > > 1- Why Windows client working with it without any problem?
> > Because when the join the primary DNS domain is always correct
> > And you most probely did set the ip's of the DC's as resolvers
for
> > them.
> >
> > You asked this before and we asked info before..
> > Im still waiting.. (thats why i also didnt reply before)..
>
> You should have seen what I wrote before deleting it!
>
> >
> > Most probley your error is in the resolving order.
>
> Could be, but doubtful.
>
> > Run this on 1 DC and 1 member.
> >
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-c
ollect-debug-info.sh> >
> > DONT change the structures of the setup when you anonymize it.
> >
> > Now this :? samba-tool domain info 192.168.56.7
> > Why are you not using : samba-tool domain info hostname.fqdn
> > Im just wondering.
>
> Because it works and 'samba-tool domain info --help' returns:
>
> Usage: samba-tool domain info <ip_address> [options]
>
>
> > So my advice is, try to avoid testing with ipnumbers and start
> > testing with FQDN's.
> > This will help in finding/and later avoiding resolving problems.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> > > -----Oorspronkelijk bericht-----
> > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> > > Jason Long via samba
> > > Verzonden: woensdag 14 juli 2021 13:09
> > > Aan: sambalist; Rowland Penny
> > > Onderwerp: Re: [Samba] I can't login into my Linux client
> > > with Samba DC users.
> > >
> > > Thanks.
> > > 1- Why Windows client working with it without any problem?
> > > 2- How can I fix it?
> > >
> > >
> > >
> > >
> > >
> > >
> > > On Wednesday, July 14, 2021, 03:32:21 PM GMT+4:30, Rowland
> > > Penny via samba <samba at lists.samba.org> wrote:
> > >
> > >
> > >
> > >
> > >
> > > On Wed, 2021-07-14 at 10:41 +0000, Jason Long wrote:
> > > > Thank you.
> > > >
> > > > As you see:
> > > > # samba-tool domain info 192.168.56.7
> > > > Forest? ? ? ? ? : mydomain.z
> > > > Domain? ? ? ? ? : mydomain.z
> > > > Netbios domain? : MYDOMAIN
> > > > DC name? ? ? ? ? : mydc.mydomain.z
> > > > DC netbios name? : MYDC
> > > > Server site? ? ? : Default-First-Site-Name
> > > > Client site? ? ? : Default-First-Site-Name
> > > >
> > > > If my configuration is wrong, then how can I fix it?
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On Monday, July 12, 2021, 11:29:30 PM GMT+4:30, Rowland
> Penny via
> > > > samba <samba at lists.samba.org> wrote:
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On Mon, 2021-07-12 at 18:44 +0000, Jason Long via samba
wrote:
> > > > > Hello,
> > > > > I had a thread with the name "I can't join my
Linux client to
> > > > > my
> > > > > Samba DC." and I joined my Linux client to my
Samba DC,
> > > but I can't
> > > > > login into my Linux client with my Samba DC users.
> > > > > I have a Samba DC as below:
> > > > >
> > > > >
> > > > > # samba-tool domain info 192.168.56.7
> > > > > Forest? ? ? ? ? : mydomain.z
> > > > > Domain? ? ? ? ? : mydomain.z
> > > > > Netbios domain? : MYDOMAIN
> > > > > DC name? ? ? ? ? : mydc.mydomain.z
> > > > > DC netbios name? : MYDC
> > > > > Server site? ? ? : Default-First-Site-Name
> > > > > Client site? ? ? : Default-First-Site-Name
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > And I want to join my Linux client to my Samba DC. The
content
> > > > > of
> > > > > "smb.conf" file on my Linux client is:
> > > > >
> > > > >
> > > > > [global]
> > > > >? ? workgroup = MYDC
> > > > >? ? security = ADS
> > > > >? ? realm = MYDC.MYDOMAIN.Z
> > > >
> > > > Your realm isn't 'MYDC.MYDOMAIN.Z' , from what
you have posted,
> > > > your
> > > > realm should be 'MYDOMAIN.Z'
> > > >
> > > > Also, I doubt that your workgroup name is 'MYDC' as
this appears
> > > > to
> > > > be
> > > > your DCs short hostname. If your workgroup (aka NetBios
domain
> > > > name)
> > > > is
> > > > the same as your DC's short hostname, then I suggest
> you fix this
> > > >
> > >
> > > You have set your workgroup to 'MYDC' and you also posted
'DC
> > > netbios
> > > name? : MYDC', you also posted 'Netbios domain? :
MYDOMAIN',
> > > another
> > > name for 'Netbios domain' is 'workgroup'.
> > > 'DC netbios name' != 'Netbios domain'
> > >
> > > You also seem to be using the DC's FQDN for the realm, it
> > > should be the
> > > dns domain in uppercase, which in your case seems to be
> > > 'MYDOMAIN.Z'
> > >
> > >
> > > Rowland
> > >
> > >
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions:? https://lists.samba.org/mailman/options/samba
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions:? https://lists.samba.org/mailman/options/samba
> > >
> > >
> >
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:? https://lists.samba.org/mailman/options/samba
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>