[Samba] smbclient //server/netlogon -k -c 'ls' fails with "NT_STATUS_LOGON_FAILURE"
Arcadie Cracan
arcadiec at gmail.com
Mon Feb 26 10:27:56 UTC 2018
Dear Rowland,
I have commented out the 'idmap config' options, nothing changed.
Here are my bind9 configs:
/etc/bind/named.conf:
acl goodclients {
192.168.1.0/24;
localhost;
};
include "/etc/bind/named.conf.options";
#include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
/etc/bind/named.conf.options:
options {
directory "/var/cache/bind";
recursion yes;
allow-query { goodclients; };
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
tkey-domain "INTRA.DAM-APPLICATION.RO";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
213.154.124.1;
193.231.252.1;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-enable yes;
dnssec-validation yes;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
};
/etc/bind/named.conf.default-zones:
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
/var/lib/samba/private/named.conf:
dlz "AD DNS Zone" {
# For BIND 9.8.x
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
# For BIND 9.9.x
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
# For BIND 9.10.x
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
# For BIND 9.11.x
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
This is (a part of) the output of 'pstree':
├─samba─┬─samba───smbd─┬─cleanupd
│       │              ├─lpqd
│       │              └─smbd-notifyd
│       ├─10*[samba]
│       └─samba───winbindd───winbindd
So, I guess winbindd is running.
Kind regards,
Arcadie Cracan
On Monday, 26 February 2018, at 11:49:48 EET, Rowland Penny via samba wrote:
> On Mon, 26 Feb 2018 11:30:58 +0200
>
> Arcadie Cracan <arcadiec at gmail.com> wrote:
> > /etc/samba/smb.conf:
> > # Global parameters
> > [global]
> > workgroup = DAM
> > realm = INTRA.DAM-APPLICATION.RO
> > netbios name = LOTUS
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > idmap_ldb:use rfc2307 = yes
>
> Everything above looks okay and it also shows you are using Bind9, so
> can you post the contents of the various named.conf files.
>
> > # Default idmap config used for BUILTIN and local accounts/groups
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> >
> > # idmap config for domain INTRA
> > idmap config INTRA:backend = ad
> > idmap config INTRA:schema_mode = rfc2307
> > idmap config INTRA:range = 10000-99999
> >
> > # Use settings from AD for login shell and home directory
> > winbind nss info = rfc2307
>
> You might as well remove the above lines, they do not work on a DC,
> they never did and anyway 'INTRA' should be 'DAM' if they did work.
> In fact they may be your problem.
>
> Rowland
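Rowland's advice above (per-domain 'idmap config' and 'winbind nss info' lines do nothing on a DC, and the idmap domain name should be the workgroup, 'DAM', not 'INTRA') can be turned into a quick lint of smb.conf. The script below is an added example written for this page, not code from the thread or from the Samba project. It uses a constructed sample [global] section mirroring the one posted; its parser is deliberately minimal (no 'include', no line continuations) and the finding messages are this example's own wording.

```python
import re
from typing import Dict, List

# Constructed sample, mirroring the [global] section posted in the thread.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
	workgroup = DAM
	realm = INTRA.DAM-APPLICATION.RO
	netbios name = LOTUS
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes

	# Default idmap config used for BUILTIN and local accounts/groups
	idmap config *:backend = tdb
	idmap config *:range = 2000-9999

	# idmap config for domain INTRA
	idmap config INTRA:backend = ad
	idmap config INTRA:schema_mode = rfc2307
	idmap config INTRA:range = 10000-99999

	# Use settings from AD for login shell and home directory
	winbind nss info = rfc2307
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser (assumption: no 'include', no continuations).
    Handles [section] headers, 'key = value' lines and '#'/';' comments.
    Keys are lower-cased; a repeated key keeps the last value, as Samba does."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


# 'idmap config <DOMAIN>:<option>' -> (DOMAIN, option)
IDMAP_KEY = re.compile(r"^idmap config\s+(.+?)\s*:\s*(\S+)$")


def lint_dc_idmap(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings for settings that do not work on an AD DC."""
    g = sections.get("global", {})
    findings: List[str] = []
    # The checks only apply to a DC; a member server legitimately uses idmap config.
    if "domain controller" not in g.get("server role", "").lower():
        return findings
    workgroup = g.get("workgroup", "").upper()
    mismatched = set()
    for key, value in g.items():
        m = IDMAP_KEY.match(key)
        if not m:
            continue
        domain = m.group(1).upper()
        findings.append(f"'{key} = {value}': idmap config is not used on a DC, remove it")
        # '*' is the default/BUILTIN entry; any other name must be the NetBIOS domain
        if domain != "*" and domain != workgroup:
            mismatched.add(domain)
    for domain in sorted(mismatched):
        findings.append(f"idmap domain '{domain}' does not match workgroup '{workgroup}'")
    if "winbind nss info" in g:
        findings.append("'winbind nss info' is not used on a DC, remove it")
    return findings


if __name__ == "__main__":
    for finding in lint_dc_idmap(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("WARN:", finding)
```

Run it against a real file by replacing SAMPLE_SMB_CONF with open("/etc/samba/smb.conf").read(); 'testparm -s' will show the effective values if the file uses includes, which this parser ignores.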