On 13/06/2023 14:07, Marco Gaiarin via samba wrote:
Hi Marco, please see inline comments:
> root@dane:~# bash samba-collect-debug-info.sh
>
> Please wait, collecting debug info.
>
> nameserver 127.0.0.53
> samba-collect-debug-info.sh: riga 180: systemd-resolve: comando non trovato
Your nameserver appears to be set to '127.0.0.53' and the script thinks
that systemd-resolved is running, but it probably isn't
>
> Config collected --- 2023-06-13-14:59 -----------
>
> Hostname: dane
> DNS Domain:
> Realm:
> FQDN: dane
> ipaddress: 10.5.2.191
Hmm, it looks like a dns problem, no dns domain
>
> -----------
>
> This computer is running Ubuntu 22.04.2 LTS x86_64
>
> -----------
>
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
> link/ether b4:b6:86:37:26:7e brd ff:ff:ff:ff:ff:ff
> 3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
> link/ether 90:61:ae:b2:70:37 brd ff:ff:ff:ff:ff:ff
> inet 10.5.2.191/21 brd 10.5.7.255 scope global dynamic noprefixroute wlp2s0
> valid_lft 422sec preferred_lft 422sec
> inet6 fe80::4c3b:6af8:609c:4e32/64 scope link noprefixroute
>
> -----------
>
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 127.0.1.1 dane
I would suggest you change the '127.0.1.1' line to:
127.0.1.1 dane.ad.fvg.lnf.it dane
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
Strange, as I said there was a problem with the systemd-resolved
command, but it appears to be managing your resolv.conf file ????
>
> nameserver 127.0.0.53
> options edns0 trust-ad
> search sv.lnf.it dyn.sv.lnf.it
Based on the REALM found elsewhere on this post, shouldn't the search
line be:
search ad.fvg.lnf.it
>
> -----------
>
> WARNING: 'kinit Administrator' will fail, you need to fix this.
> Unable to verify DNS kerberos._tcp SRV records
For some reason, kinit is failing, probably a dns problem. Fixing
/etc/hosts and /etc/resolv.conf might fix that.
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = AD.FVG.LNF.IT
>
> # The following krb5.conf variables are only for MIT Kerberos.
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> # The following encryption type specification will be used by MIT Kerberos
> # if uncommented. In general, the defaults in the MIT Kerberos code are
> # correct and overriding these specifications only serves to disable new
> # encryption types as they are added, creating interoperability problems.
> #
> # The only time when you might need to uncomment these lines and change
> # the enctypes is if you have local software that will break on ticket
> # caches containing ticket encryption types it doesn't know about (such as
> # old versions of Sun Java).
>
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
> fcc-mit-ticketflags = true
>
> [realms]
> ATHENA.MIT.EDU = {
> kdc = kerberos.mit.edu
> kdc = kerberos-1.mit.edu
> kdc = kerberos-2.mit.edu:88
> admin_server = kerberos.mit.edu
> default_domain = mit.edu
> }
> ZONE.MIT.EDU = {
> kdc = casio.mit.edu
> kdc = seiko.mit.edu
> admin_server = casio.mit.edu
> }
> CSAIL.MIT.EDU = {
> admin_server = kerberos.csail.mit.edu
> default_domain = csail.mit.edu
> }
> IHTFP.ORG = {
> kdc = kerberos.ihtfp.org
> admin_server = kerberos.ihtfp.org
> }
> 1TS.ORG = {
> kdc = kerberos.1ts.org
> admin_server = kerberos.1ts.org
> }
> ANDREW.CMU.EDU = {
> admin_server = kerberos.andrew.cmu.edu
> default_domain = andrew.cmu.edu
> }
> CS.CMU.EDU = {
> kdc = kerberos-1.srv.cs.cmu.edu
> kdc = kerberos-2.srv.cs.cmu.edu
> kdc = kerberos-3.srv.cs.cmu.edu
> admin_server = kerberos.cs.cmu.edu
> }
> DEMENTIA.ORG = {
> kdc = kerberos.dementix.org
> kdc = kerberos2.dementix.org
> admin_server = kerberos.dementix.org
> }
> stanford.edu = {
> kdc = krb5auth1.stanford.edu
> kdc = krb5auth2.stanford.edu
> kdc = krb5auth3.stanford.edu
> master_kdc = krb5auth1.stanford.edu
> admin_server = krb5-admin.stanford.edu
> default_domain = stanford.edu
> }
> UTORONTO.CA = {
> kdc = kerberos1.utoronto.ca
> kdc = kerberos2.utoronto.ca
> kdc = kerberos3.utoronto.ca
> admin_server = kerberos1.utoronto.ca
> default_domain = utoronto.ca
> }
>
> [domain_realm]
> .mit.edu = ATHENA.MIT.EDU
> mit.edu = ATHENA.MIT.EDU
> .media.mit.edu = MEDIA-LAB.MIT.EDU
> media.mit.edu = MEDIA-LAB.MIT.EDU
> .csail.mit.edu = CSAIL.MIT.EDU
> csail.mit.edu = CSAIL.MIT.EDU
> .whoi.edu = ATHENA.MIT.EDU
> whoi.edu = ATHENA.MIT.EDU
> .stanford.edu = stanford.edu
> .slac.stanford.edu = SLAC.STANFORD.EDU
> .toronto.edu = UTORONTO.CA
> .utoronto.ca = UTORONTO.CA
>
That is the default /etc/krb5.conf, which I do not use, but it should work.
> # Global parameters
> #
> [global]
> # Domain definitions.
> #
> security = ADS
> workgroup = LNFFVG
> realm = AD.FVG.LNF.IT
>
> # Winbind/IDMap configuration.
> #
> # Default idmap config for local BUILTIN accounts and groups
> idmap config * : backend = tdb
> idmap config * : range = 5000-9999
> # The domain
> idmap config LNFFVG : backend = ad
> idmap config LNFFVG : range = 10000-49999
> # Use of POSIX/rfc2307 data (Samba 4.6+)
> idmap config LNFFVG : schema_mode = rfc2307
> idmap config LNFFVG : unix_nss_info = yes
> idmap config LNFFVG : unix_primary_group = yes
> ## Use of POSIX/rfc2307 data (Samba 4.5-)
> #winbind nss info = rfc2307
> # If 'winbind use default domain = yes' is used, it is necessary to make sure that user names are not ''overlapping''
> # (that is, users defined in the domain *and* in /etc/passwd), otherwise there will be ''confusion'' in the definition of groups/responsibilities.
> winbind use default domain = yes
> # Optionally I may want to enable ''cached credentials''; besides enabling this option, its use must also be enabled
> # in winbind. See: https://wiki.samba.org/index.php/PAM_Offline_Authentication
> winbind offline logon = yes
> # Workaround Bug #14618
> lock directory = /var/cache/samba
From my (now extensive) testing, it would seem that you do not really
need the 'lock directory' line.
> # Workaround delay...
> winbind request timeout = 5
>
> # Special users and permissions
> # Disabling of some accounts, and definition of the guest account (the default is already 'nobody').
> # All unknown users are mapped to guest.
> #
> #invalid users
> #guest account = nobody
> map to guest = Bad User
> #
> # For a DM we keep an explicit local map for some users, by default only Administrator (to root)
> #
> username map = /etc/samba/user.map
>
> # Re-enable SMB1; I don't think it is strictly necessary here, but it is absolutely needed for mounting the homes, some
> # UNIX extensions are required...
> #
> client min protocol = NT1
I take it that you need SMBv1, if not, I suggest you remove that line.
>
> # Printers... we are a client, so disable everything.
> #
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> # Disable 'usershare'; the default seems to be 100 on Debian. See:
> # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900396
> #
> usershare max shares = 0
>
> # LOG
> #
> log level = 0 winbind:5
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 5000
> panic action = /usr/share/samba/panic-action %d
>
> -----------
>
> Running as Unix domain member and user.map detected.
>
> Contents of /etc/samba/user.map
>
> !root = LNFFVG\Administrator LNFFVG\administrator Administrator administrator
Ah, that is my fault, an early mistake I made, you only need:
!root = LNFFVG\Administrator
>
>> Is selinux or apparmor involved ?
>
> Ahem... apparmor is installed (as by default on Ubuntu, I suppose) but I've
> not touched the configuration.
And you shouldn't have to, it is normally set up for you.
I am having problems in running my Ubuntu 22.04 VM, so I am going to
have to re-install it.
But from the above output, I suggest you peer very closely at your dns.
Does the machine get its ipaddress etc from DHCP ? If so, is it
supplying the correct information ?
Rowland
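
Added example (not part of the message above, nor of samba-collect-debug-info.sh): an offline check that /etc/hosts and /etc/resolv.conf agree with the default_realm in krb5.conf, which is the mismatch pointed out in the inline comments. The function names are hypothetical and the sample files are constructed from the values quoted in this thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Expected DNS domain = default_realm from krb5.conf ($1), lowercased.
realm_domain() {
    awk -F= '/^[ \t]*default_realm[ \t]*=/ {
        gsub(/[ \t]/, "", $2); print tolower($2); exit }' "$1"
}

# Succeeds if hosts file $1 has a line "<addr> <short>.<domain> ... <short>".
hosts_has_fqdn() {   # args: hosts-file short-hostname domain
    awk -v fq="$2.$3" -v short="$2" '
        /^[ \t]*#/ { next }
        $2 == fq { for (i = 3; i <= NF; i++) if ($i == short) ok = 1 }
        END { exit !ok }' "$1"
}

# Succeeds if a "search" line in resolv.conf $1 lists domain $2.
resolv_search_has() {
    awk -v d="$2" '
        $1 == "search" { for (i = 2; i <= NF; i++) if ($i == d) ok = 1 }
        END { exit !ok }' "$1"
}

# Prints one finding per line; prints nothing when the files agree.
check_member() {     # args: short-hostname hosts resolv.conf krb5.conf
    dom=$(realm_domain "$4")
    [ -n "$dom" ] || { echo "krb5.conf: no default_realm in $4"; return 0; }
    hosts_has_fqdn "$2" "$1" "$dom" || echo "hosts: no '$1.$dom $1' entry"
    resolv_search_has "$3" "$dom" || echo "resolv.conf: search lacks $dom"
    return 0
}

# Constructed sample reproducing the state shown in the quoted output.
demo() {
    d=$(mktemp -d)
    printf '127.0.0.1 localhost\n127.0.1.1 dane\n' > "$d/hosts"
    printf 'nameserver 127.0.0.53\nsearch sv.lnf.it dyn.sv.lnf.it\n' > "$d/resolv.conf"
    printf '[libdefaults]\n\tdefault_realm = AD.FVG.LNF.IT\n' > "$d/krb5.conf"
    check_member dane "$d/hosts" "$d/resolv.conf" "$d/krb5.conf"
    rm -rf "$d"
}
demo
```

On a real member, call check_member "$(hostname -s)" /etc/hosts /etc/resolv.conf /etc/krb5.conf; the Kerberos SRV lookup still has to be tested against the live DNS server.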