[Samba] Cannot authenticate the administrator account
Rowland Penny
rowlandpenny at googlemail.com
Wed Apr 22 10:26:27 MDT 2015
On 22/04/15 16:28, Mike wrote:
> On Wed, Apr 22, 2015 at 10:04 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
>
>> Are you sure you have the "correct" administrator password ..
>>
>> this should work , echo ${SAMBA_NT_ADMIN_PASS}| smbclient
>> //localhost/netlogon -U Administrator -c 'ls'
>> that does not involve kerberos yet..
>>
>> Please run:
>>
>> SETHOSTNAME=`hostname -s`
>> SETDNSDOMAIN=`hostname -d`
>> SETFQDN=`hostname -f`
>>
>> host -t SRV _ldap._tcp.${SETDNSDOMAIN}.
>>
>> host -t SRV _kerberos._udp.${SETDNSDOMAIN}.
>>
>> host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}.
>> and
>> cat /etc/hosts
>>
>> and these are your DC's IPs?
>>
>> nameserver 75.75.76.76
>> nameserver 75.75.75.75
>>
>> Greetz,
>>
>> Louis
>>
>>
> Hi Louis,
>
> I'm definitely using the same Administrator password; wrote it down during
> provisioning.
>
> For my DC's nameservers ---- might I have this wrong? Those IPs are my
> ISP's nameservers - Xfinity Comcast.
> The actual CentOS server box static IP is 10.10.1.225. Do I need to delete
> the ISP nameservers and go with 10.10.1.225?
>
> Thank you for all the follow up.
>
> Mike

How should I put this politely: you have to point the DC at itself if
you only have one DC; if you have two DCs, then point one at the other,
then itself.

The Kerberos realm must be the same as your DNS domain and it is advised
that this is not resolvable from the internet.

i.e. if you have one DC and your registered DNS domain is example.com
and the IP address of the DC is 192.168.0.2, then resolv.conf should contain:

    search internal.example.com
    nameserver 192.168.0.2

Or if you have two DCs and the IP address of the second DC is 192.168.0.3:

First DC (192.168.0.2):

    search internal.example.com
    nameserver 192.168.0.3
    nameserver 192.168.0.2

Second DC (192.168.0.3):

    search internal.example.com
    nameserver 192.168.0.2
    nameserver 192.168.0.3

You can replace 'internal' with anything you like and you do not have to
use it for the domain/workgroup, but whatever you use, 'hostname -d'
must show this domain name and you *MUST* use this as the realm name
when you provision.

Anything that is outside the samba4 AD domain is forwarded to the
forwarder set in smb.conf, in your case 'dns forwarder = 75.75.76.76'

Rowland
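
Added example (not part of the original message, and not Samba project code): a shell check for the resolv.conf layout described in the reply above. The function name check_dc_resolv and the two sample files are constructed for illustration; the sample values are the example.com addresses from the reply and the ISP resolvers quoted in the thread.

```shell
#!/bin/sh
# check_dc_resolv FILE DNS_DOMAIN DC_IP [DC_IP...]   (hypothetical helper)
# Returns 0 when FILE matches the layout above: the first search domain is
# the AD DNS domain and every nameserver is one of the listed DCs.
# Prints one FAIL line per finding.
check_dc_resolv() {
    file=$1
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # DNS names compare case-insensitively
    shift 2
    dc_ips=" $* "
    rc=0 seen_ns=0 seen_search=0
    # "|| [ -n "$key" ]" keeps a final line that lacks a trailing newline.
    while read -r key value rest || [ -n "$key" ]; do
        case $key in
            nameserver)
                seen_ns=1
                case $dc_ips in
                    *" $value "*) ;;
                    *) echo "FAIL: nameserver $value is not a DC"; rc=1 ;;
                esac ;;
            search|domain)
                seen_search=1
                value=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
                [ "$value" = "$domain" ] ||
                    { echo "FAIL: search domain '$value' is not '$domain'"; rc=1; } ;;
        esac
    done < "$file"
    [ "$seen_ns" -eq 1 ] || { echo "FAIL: no nameserver line"; rc=1; }
    [ "$seen_search" -eq 1 ] || { echo "FAIL: no search line"; rc=1; }
    return $rc
}

# Constructed samples: ISP resolvers only, and the single-DC layout.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'nameserver 75.75.76.76\nnameserver 75.75.75.75\n' > "$tmp/isp.conf"
printf 'search internal.example.com\nnameserver 192.168.0.2\n' > "$tmp/dc.conf"

check_dc_resolv "$tmp/isp.conf" internal.example.com 192.168.0.2 || echo "isp.conf: rejected"
check_dc_resolv "$tmp/dc.conf" internal.example.com 192.168.0.2 && echo "dc.conf: ok"
```

On a real DC the call would be check_dc_resolv /etc/resolv.conf "$(hostname -d)" followed by the DC addresses.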