[Samba] Samba 4.14: Windows Users and Computer / No contact with the following DC...

Denis Morejon denis.morejon at etecsa.cu
Sat Apr 3 16:29:15 UTC 2021


##### dc1 #######

Collected config  --- 2021-04-03-12:16 -----------

Hostname: dc1
DNS Domain: dtcf.etecsa.cu
FQDN: dc1.dtcf.etecsa.cu
ipaddress: 192.168.80.10
-----------
Kerberos SRV _kerberos._tcp.dtcf.etecsa.cu record verified ok, sample output:
;; Got recursion not available from 192.168.80.10, trying next server
Server:        192.168.80.48
Address:    192.168.80.48#53

_kerberos._tcp.dtcf.etecsa.cu    service = 0 100 88 zentyal3.dtcf.etecsa.cu.
_kerberos._tcp.dtcf.etecsa.cu    service = 0 100 88 dc2.dtcf.etecsa.cu.
_kerberos._tcp.dtcf.etecsa.cu    service = 0 100 88 dc1.dtcf.etecsa.cu.
_kerberos._tcp.dtcf.etecsa.cu    service = 0 100 88 zentyal2.dtcf.etecsa.cu.
Samba is running as an AD DC
-----------
        Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------

This computer is running Debian 10.9 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
     inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
     link/ether c6:87:41:ac:b4:83 brd ff:ff:ff:ff:ff:ff
     inet 192.168.80.10/25 brd 192.168.80.127 scope global eth0
     inet6 fe80::c487:41ff:feac:b483/64 scope link
-----------
        Checking file: /etc/hosts
127.0.0.1    localhost
192.168.80.10    dc1.dtcf.etecsa.cu    dc1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
        Checking file: /etc/resolv.conf
search dtcf.etecsa.cu
nameserver 192.168.80.10
nameserver 192.168.80.48
-----------
        Checking file: /etc/krb5.conf
[libdefaults]
     default_realm = DTCF.ETECSA.CU
     dns_lookup_realm = false
     dns_lookup_kdc = true

[realms]
DTCF.ETECSA.CU = {
     default_domain = dtcf.etecsa.cu
}

[domain_realm]
     DC1 = DTCF.ETECSA.CU
-----------
        Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind systemd
group:          compat winbind systemd
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
-----------
        Checking file: /usr/local/samba/etc/smb.conf
# Global parameters
[global]
     netbios name = DC1
     realm = DTCF.ETECSA.CU
     server role = active directory domain controller
     workgroup = DTCF
     # Added
     #idmap_ldb:use rfc2307 = yes
         #ldap server require strong auth = No
         #ntlm auth = yes
         #dns forwarder = 192.168.91.16 192.168.91.4

         #log level = 1 auth_audit:3
         log level = 3
         log file = /var/log/samba/samba.log
     #server min protocol = NT1


[sysvol]
     path = /usr/local/samba/var/locks/sysvol
     read only = No
[netlogon]
     path = /usr/local/samba/var/locks/sysvol/dtcf.etecsa.cu/scripts
     read only = No
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:
ii  acl                              2.2.53-4 amd64        access control list - utilities
ii  attr                             1:2.4.48-4 amd64        utilities for manipulating filesystem extended attributes
ii  krb5-config                      2.6 all          Configuration files for Kerberos Version 5
ii  krb5-locales                     1.17-3+deb10u1 all          internationalization support for MIT Kerberos
ii  krb5-user                        1.17-3+deb10u1 amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                    2.2.53-4 amd64        access control list - shared library
ii  libacl1-dev:amd64                2.2.53-4 amd64        access control list - static libraries and headers
ii  libattr1:amd64                   1:2.4.48-4 amd64        extended attribute handling - shared library
ii  libattr1-dev:amd64               1:2.4.48-4 amd64        extended attributes handling - static libraries and headers
ii  libgssapi-krb5-2:amd64           1.17-3+deb10u1 amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                  1.17-3+deb10u1 amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64            1.17-3+deb10u1 amd64        MIT Kerberos runtime libraries - Support library
-----------

####### End dc1 ###########


######## dc2 #############

Collected config  --- 2021-04-03-12:26 -----------

Hostname: dc2
DNS Domain: dtcf.etecsa.cu
FQDN: dc2.dtcf.etecsa.cu
ipaddress: 192.168.80.48
-----------
Kerberos SRV _kerberos._tcp.dtcf.etecsa.cu record verified ok, sample output:
;; Got recursion not available from 192.168.80.48, trying next server
Server:        192.168.80.10
Address:    192.168.80.10#53

_kerberos._tcp.dtcf.etecsa.cu    service = 0 100 88 zentyal3.dtcf.etecsa.cu.
_kerberos._tcp.dtcf.etecsa.cu    service = 0 100 88 dc2.dtcf.etecsa.cu.
_kerberos._tcp.dtcf.etecsa.cu    service = 0 100 88 dc1.dtcf.etecsa.cu.
_kerberos._tcp.dtcf.etecsa.cu    service = 0 100 88 zentyal2.dtcf.etecsa.cu.
Samba is running as an AD DC
-----------
        Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------

This computer is running Debian 10.9 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
     inet6 ::1/128 scope host
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
     link/ether 52:1f:c5:2f:6b:af brd ff:ff:ff:ff:ff:ff
     inet 192.168.80.48/25 brd 192.168.80.127 scope global ens18
     inet6 fe80::501f:c5ff:fe2f:6baf/64 scope link
-----------
        Checking file: /etc/hosts
127.0.0.1    localhost
192.168.80.48    dc2.dtcf.etecsa.cu    dc2

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
        Checking file: /etc/resolv.conf
search dtcf.etecsa.cu
nameserver 192.168.80.48
nameserver 192.168.80.10
-----------
        Checking file: /etc/krb5.conf
[libdefaults]
     default_realm = DTCF.ETECSA.CU
     dns_lookup_realm = false
     dns_lookup_kdc = true

[realms]
DTCF.ETECSA.CU = {
     default_domain = dtcf.etecsa.cu
}

[domain_realm]
     DC2 = DTCF.ETECSA.CU
-----------
        Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind systemd
group:          compat winbind systemd
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
-----------
        Checking file: /usr/local/samba/etc/smb.conf
# Global parameters
[global]
     netbios name = DC2
     realm = DTCF.ETECSA.CU
     server role = active directory domain controller
     workgroup = DTCF
     # Added
     #idmap_ldb:use rfc2307 = yes
         #ldap server require strong auth = No
         #ntlm auth = yes
         #dns forwarder = 192.168.91.16 192.168.91.4
         #log level = 1 auth_audit:3
         log level = 3
         log file = /var/log/samba/samba.log
     #server min protocol = NT1

[sysvol]
     path = /usr/local/samba/var/locks/sysvol
     read only = No
[netlogon]
     path = /usr/local/samba/var/locks/sysvol/dtcf.etecsa.cu/scripts
     read only = No
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:
ii  acl                              2.2.53-4 amd64        access control list - utilities
ii  attr                             1:2.4.48-4 amd64        utilities for manipulating filesystem extended attributes
ii  krb5-config                      2.6 all          Configuration files for Kerberos Version 5
ii  krb5-locales                     1.17-3+deb10u1 all          internationalization support for MIT Kerberos
ii  krb5-user                        1.17-3+deb10u1 amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                    2.2.53-4 amd64        access control list - shared library
ii  libacl1-dev:amd64                2.2.53-4 amd64        access control list - static libraries and headers
ii  libattr1:amd64                   1:2.4.48-4 amd64        extended attribute handling - shared library
ii  libattr1-dev:amd64               1:2.4.48-4 amd64        extended attributes handling - static libraries and headers
ii  libgssapi-krb5-2:amd64           1.17-3+deb10u1 amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                  1.17-3+deb10u1 amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64            1.17-3+deb10u1 amd64        MIT Kerberos runtime libraries - Support library
-----------

##########End dc2 ############






On 3/4/21 at 04:22, Rowland penny via samba wrote:
> On 02/04/2021 23:40, Denis Morejon via samba wrote:
>> Here my /usr/local/samba/etc/smb.conf on both dc1 and dc2 servers
>>
>> (netbios names with DC1 and DC2 each one)
>>
>> [global]
>>          netbios name = DC2
>>          realm = DTCF.ETECSA.CU
>>          server role = active directory domain controller
>>          workgroup = DTCF
>>          log level = 1 auth_audit:3
>>          log file = /var/log/samba/samba.log
>>
>>
>> [sysvol]
>>          path = /usr/local/samba/var/locks/sysvol
>>          read only = No
>> [netlogon]
>>          path = /usr/local/samba/var/locks/sysvol/dtcf.etecsa.cu/scripts
>>          read only = No
>
>
> I feel this must have something to do with your DC's as it works for 
> me, Windows 7 in a VM to Samba 4.14.2 DC's.
>
> Can you go here: 
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Download the script and run it on both of your DC's, then post the 
> output into a reply to this, do not add attachments, this list strips 
> them.
>
> You might want to see here: https://apt.van-belle.nl/
>
> It will save you having to compile Samba yourself.
>
> Rowland
>
>
>


