[Samba] Cannot authenticate the administrator account
L.P.H. van Belle
belle at bazuin.nl
Wed Apr 29 01:04:38 MDT 2015
Hi Mike,
>It appears necessary to edit the /etc/hosts file and include both of them
>in the hosts file:
>
>10.10.10.100 mymachine.example.com mymachine
>10.10.10.100 mydomain.example.com mydomain
remove the domain line here in hosts.
if you run:
hostname -s ( name )
hostname -f ( name.domain.tld )
hostname -d ( domain.tld )
if one of these is incorrect, then yes, your setup will fail.
make sure your resolv.conf is correct.
like, to start with:
search domain.tld
nameserver yourDC_1
if hostname -d still fails, add above the search line:
domain domain.tld
now copy the krb5 file and don't symlink it.
mv /etc/krb5.conf /etc/krb5.conf.old
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
now try to kinit again.
Greetz,
Louis
>-----Original message-----
>From: 1100100 at gmail.com [mailto:samba-bounces at lists.samba.org]
>On behalf of Mike
>Sent: Tuesday 28 April 2015 23:42
>CC: samba
>Subject: Re: [Samba] Cannot authenticate the administrator account
>
>I wanted to follow up to the list in hopes it will help others with similar
>configuration.
>Per previous posts --
>OS: CentOS 7.153
>Samba: Version 4.1.17-SerNet-RedHat-11.el7
>Samba provisioned to act as: AD DC following Samba Wiki:
>Samba AD DC HOWTO
>Samba Internal DNS daemon deployed.
>
>1. Disable selinux. Unless you have a solid understanding of how to
>configure it for your environment, please turn it off. It is defaulted
>ON/Engaged in CentOS 7. If you don't understand how selinux filters calls
>to/from the linux kernel, you may be chasing ghosts in relation to your
>Samba 4.x.y AD DC. For clarification, my sysadmin and security skills are
>not expert level.
>
>2. The following information may have lurked under my nose, but I did not
>find mention of it: There is a configuration file
>/etc/default/sernet-samba which requires one small edit for samba to
>function.
>The setting is defaulted to NONE, but it needs to be set to "ad".
>
># SAMBA_START_MODE defines how Samba should be started. Valid options are
># one of
># "none" to not enable it at all,
># "classic" to use the classic smbd/nmbd/winbind daemons
># "ad" to use the Active Directory server (which starts the smbd on
># its own)
># (Be aware that you also need to enable the services/init scripts that
># automatically start up the desired daemons.)
>SAMBA_START_MODE="ad"
>#SAMBA_START_MODE="none"
>
>3. Upon initial provisioning Samba objects when the machine name (netbios
>name?) and the domain/workgroup name are the same so I changed the machine
>name to make them different.
>It appears necessary to edit the /etc/hosts file and include both of them
>in the hosts file:
>
>10.10.10.100 mymachine.example.com mymachine
>10.10.10.100 mydomain.example.com mydomain
>
>4. Gotta deal with firewalld. Either uninstall it and use the iptables
>commands you've fought to finally understand over the years; or, use
>firewalld and zones, etc.
>Open all those scary ports to make sure all the complex AD DC components
>work:
>
>firewall-cmd --permanent --add-service=samba
>firewall-cmd --permanent --add-port=53/tcp
>firewall-cmd --permanent --add-port=53/udp
>firewall-cmd --permanent --add-port=88/tcp
>firewall-cmd --permanent --add-port=88/udp
>firewall-cmd --permanent --add-port=135/tcp
>firewall-cmd --permanent --add-port=137/tcp
>firewall-cmd --permanent --add-port=137/udp
>firewall-cmd --permanent --add-port=138/udp
>firewall-cmd --permanent --add-port=139/tcp
>firewall-cmd --permanent --add-port=389/tcp
>firewall-cmd --permanent --add-port=389/udp
>firewall-cmd --permanent --add-port=445/tcp
>firewall-cmd --permanent --add-port=464/tcp
>firewall-cmd --permanent --add-port=464/udp
>firewall-cmd --permanent --add-port=636/tcp
>firewall-cmd --permanent --add-port=1024-5000/tcp
>firewall-cmd --permanent --add-port=1024-5000/udp
>firewall-cmd --permanent --add-port=3268/tcp
>firewall-cmd --permanent --add-port=3269/tcp
>firewall-cmd --permanent --add-port=5353/tcp
>firewall-cmd --permanent --add-port=5353/udp
>firewall-cmd --reload
>
>
>5. So far, the following works:
>
>smbclient -L localhost -U%
>smbclient //mydomain.example.com/netlogon -U Administrator
>
>From Win 7 Pro or 8.1 Pro client, I can point Windows Explorer to the
>Samba4 AD DC box by entering \\10.10.10.100 in the address bar.
>I can also provide UserID: Administrator and Password: PaSsW8*rD and see
>netlogon, sysvol, and all demo directory shares I created.
>I can also read/write to all of them - - - - I was surprised this was
>possible without actually joining the domain via (from windows): Control
>Panel ---> System and Security ---> System ---> Change Settings.
>It's possible I was able to read/write to the demo shares because they were
>previously set -- chmod -R 0777 /demo/share/directory.
>
>I still need to understand samba-tool user creation, settings, and options,
>as I cannot yet figure out how to connect to the AD DC box via RSAT Server
>Manager app.
>
>6. Testing DNS --
>The suggested tests in the AD DC HOWTO produce errors but the samba log
>seems to indicate DNS is okay:
>
>[2015/04/28 17:29:48.986108, 3]
>../source4/dsdb/dns/dns_update.c:340(dnsupdate_check_names)
> Calling DNS name update script
>[2015/04/28 17:29:48.989054, 3]
>../source4/dsdb/dns/dns_update.c:355(dnsupdate_check_names)
> Calling SPN name update script
>[2015/04/28 17:29:49.505209, 3]
>../source4/dsdb/dns/dns_update.c:325(dnsupdate_spnupdate_done)
> Completed SPN update check OK
>[2015/04/28 17:29:49.576183, 3]
>../source4/dsdb/dns/dns_update.c:296(dnsupdate_nameupdate_done)
> Completed DNS update check OK
>
>7. Kerberos --
>I don't believe this is working yet and will need to RTFM to figure out how
>to chase it down.
>[root at a10 etc]# ls -alh krb5.conf
>lrwxrwxrwx. 1 root root 32 Apr 21 10:31 krb5.conf ->
>/var/lib/samba/private/krb5.conf
>[root at a10 etc]# klist
>klist: Credentials cache file '/tmp/krb5cc_0' not found
>[root at a10 etc]#
>[root at a10 etc]# kinit administrator at MYDOMAIN.EXAMPLE.COM
>kinit: Cannot find KDC for realm "MYDOMAIN.EXAMPLE.COM" while getting
>initial credentials
>[root at a10 etc]#
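A small shell pre-check for the hostname, /etc/hosts, resolv.conf and krb5.conf points Louis walks through above, written as an added example; it is not from the thread or from the Samba project. The function names and the exact rules (FQDN must equal short.domain, the domain name itself must not appear as a hosts entry, resolv.conf must carry a search/domain entry plus a nameserver, krb5.conf must be a regular file whose default_realm is the upper-cased DNS domain) are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the name, DNS and
# krb5.conf prerequisites Louis lists. Function names and rules are my own.

# Names agree: FQDN must be exactly SHORT.DOMAIN (what hostname -s/-f/-d
# should give) and the domain part must not be empty.
check_names() {
    [ -n "$1" ] && [ -n "$3" ] && [ "$2" = "$1.$3" ]
}

# /etc/hosts must not map the domain name itself to an address
# (the "mydomain.example.com" line Louis says to remove).
check_hosts() {
    awk -v d="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) bad = 1 }
        END { exit (bad ? 1 : 0) }' "$1"
}

# resolv.conf needs a search (or domain) entry for DOMAIN and a nameserver,
# otherwise hostname -d and the KDC lookup both fail.
check_resolv() {
    awk -v d="$2" '
        $1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) s = 1 }
        $1 == "nameserver" { n = 1 }
        END { exit ((s && n) ? 0 : 1) }' "$1"
}

# krb5.conf must be a regular file, not a symlink, and its default_realm
# must be the upper-cased DNS domain (the Kerberos realm).
check_krb5() {
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ ! -L "$1" ] && [ -f "$1" ] && awk -v r="$realm" '
        { line = $0; gsub(/=/, " ", line); n = split(line, f) }
        n >= 2 && f[1] == "default_realm" && toupper(f[2]) == r { ok = 1 }
        END { exit (ok ? 0 : 1) }' "$1"
}

# Run all checks against the live host, one PASS/FAIL line per check.
run_live_checks() {
    s=$(hostname -s) f=$(hostname -f) d=$(hostname -d 2>/dev/null)
    for c in "check_names $s $f $d" "check_hosts /etc/hosts $d" \
             "check_resolv /etc/resolv.conf $d" "check_krb5 /etc/krb5.conf $d"; do
        if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fi
    done
}

if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

Run it as `sh check.sh --live` on the DC; the individual functions also accept a file path, so they can be tried against copies of the configs.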