[Samba] can't log in as domain admin

Gary Dale garydale at torfree.net
Sat Oct 24 17:20:42 UTC 2015


On 24/10/15 04:41 AM, Rowland Penny wrote:
> On 24/10/15 01:26, Gary Dale wrote:
>> I'm running Debian/Jessie (stable) on an AMD64 machine, with Samba
>> Version 4.1.17-Debian. This is the domain controller, DNS server,
>> Time server and File server for the local network.
>>
>> The problem I'm having is that Windows machines sometimes can't open
>> files for editing. Other files in the same directory don't have that
>> problem.
>>
>> When I look at the Unix permissions, the files causing problems have
>> a windows user number as the owner while the ones that don't cause
>> problems are owned by nobody. In both cases the Unix permissions are
>> everyone has read-write-execute access to the files. Changing the
>> Unix permission had no impact.
>>
>> Where I hit the snag however was trying to change the ACLs so that
>> Domain Users should have read/write/execute permissions. I can't log
>> in with the domain administrator account on any of the Windows
>> machines. I get an error message saying user name or password is
>> incorrect.
>>
>> I've used smb-tool on the DC to change the password so I know it is
>> correct. And Domain Admins are in the local Administrators group on
>> the Windows machines.
>>
>> Any tips on tracking down the problem?
>>
>
> If you are getting files that belong to numbers instead of names, this
> usually means that Unix doesn't know who the users are, do your
> windows users have a uidNumber? Also does 'Domain Users' have a
> gidNumber?
>
> To test your Administrator password, you could try to obtain a
> kerberos ticket on the Samba4 DC:
>
> kinit Administrator
>
> You should get asked for the password and then the command should
> return without error to the prompt i.e. there should be no output.
>
> Are the windows machines joined to the domain? and are you trying to
> log into the windows machines as DOMAIN\Administrator? local
> Administrator != domain Administrator.
>
> Rowland
>
OK, got it. The /etc/krb5.conf link was pointing to a non-existent file.

-----------------


kinit returns "Configuration file does not specify default realm when
parsing name Administrator"

And I hoped I was being clear that I was trying to log in as a Domain
Admin, not a local one. All the machines are joined to the domain and the
users are logging in with domain accounts.
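
The cause found in this thread, an /etc/krb5.conf symlink whose target does not exist, which kinit reports as a missing default realm, can be checked for directly. The following is an added example, not part of the original messages; the function name and its return codes are assumptions of this example.

```shell
#!/bin/sh
# check_krb5_conf [PATH]: diagnose why kinit cannot find a default realm.
# Return codes (chosen for this example, not a standard):
#   0 ok, 1 file missing, 2 dangling symlink, 3 unreadable,
#   4 no default_realm in [libdefaults]
check_krb5_conf() {
    conf=${1:-/etc/krb5.conf}

    # A symlink whose target is gone: -L is true, -e (follows link) is false.
    if [ -L "$conf" ] && [ ! -e "$conf" ]; then
        echo "$conf: dangling symlink -> $(readlink "$conf")"
        return 2
    fi
    if [ ! -e "$conf" ]; then
        echo "$conf: does not exist"
        return 1
    fi
    if [ ! -r "$conf" ]; then
        echo "$conf: not readable by $(id -un)"
        return 3
    fi

    # Take default_realm from the [libdefaults] section only.
    realm=$(awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$conf")

    if [ -z "$realm" ]; then
        echo "$conf: no default_realm in [libdefaults]"
        return 4
    fi
    echo "$conf: default_realm = $realm"
    return 0
}

# Usage on the DC: check_krb5_conf            (defaults to /etc/krb5.conf)
```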
