debian 10: I can not integrate a linux machine into a Samba Ad

L.P.H. van Belle belle at bazuin.nl
Thu May 9 08:18:30 UTC 2019


Hai, 

I'm reposting this in the normal samba list; these are config errors, not software errors. 
Please continue there.

You're seeing these problems because you're mixing domain member and AD-DC settings in smb.conf.

The DC config by example. 
       workgroup = LENZSPITZE
       realm = LENZSPITZE.CALAIS.FE
       netbios name = NORDEND
       server role = active directory domain controller
       server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,winbindd, ntp_signd, kcc
       log level = 1
       log file = /var/log/samba/log.%m
       max log size = 1000
       template shell=/bin/bash
       idmap_ldb:use rfc2307 = yes


I suggest you read these to start with. 
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller 
And  https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 
Your member settings are also wrong; these are using obsolete settings. 

The member config by example. 
[global]
       security = ADS
       realm = LENZSPITZE.CALAIS.FE
       workgroup = LENZSPITZE
       netbios name = TESTBURGERS

       idmap config LENZSPITZE : backend = rid
       idmap config LENZSPITZE : schema_mode = rfc2307
       idmap config LENZSPITZE : range = 10000-3999999
       idmap config LENZSPITZE : unix_nss_info = yes

       template homedir =/etudiants/%U
       template shell =/bin/bash

       winbind nss info = rfc2307

       kerberos method = secrets and keytab
       dedicated keytab file = /etc/krb5.keytab
       # renew the kerberos ticket
       winbind refresh tickets = yes
       winbind use default domain = yes

       # user Administrator workaround, without it you are unable to set privileges
       # not needed if you only run winbind
       # Set on member and DC.
       username map = /etc/samba/samba_usermapping

       # For ACL support on member servers with shares
       vfs objects = acl_xattr
       map acl inherit = Yes
       store dos attributes = Yes


Read through these howtos; these are optimized for Debian. 
https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-2.0-samba-minimal-ad.txt 
That shows how to set up a DC; it's getting old and needs an update, but it's still correct. 
This shows the setup of an AD backend, not RID; the difference can be found in the wiki link above. 

And for a member 
https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt



Greetz, 

Louis
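
The mix-up described above (member-side idmap and security settings on a DC, obsolete idmap uid/gid on the member, no idmap range for the rid backend) is easy to check mechanically. The script below is an added example for this thread, not code from the Samba project or from anyone on the list: a hypothetical minimal smb.conf reader plus an audit of the [global] section that only knows the handful of parameters discussed in this mail. The two sample sections are trimmed copies of the DC and member smb.conf quoted from the original message (the stray text on the range line removed); the classification follows the wiki pages linked in the reply.

```python
#!/usr/bin/env python3
"""Flag mixed AD-DC / domain-member settings in an smb.conf [global] section.

Added example for this thread, not Samba project code. Hypothetical minimal
smb.conf reader; the classification only covers the parameters discussed above.
"""
import re
from typing import Dict, List

# Parameters that only belong on an AD DC (the 'samba' process, not smbd/winbindd alone).
DC_ONLY = {"server services", "idmap_ldb:use rfc2307"}
# Parameters replaced by 'idmap config DOMAIN : ...', or already the default.
OBSOLETE = {
    "idmap uid": "idmap config * : range",
    "idmap gid": "idmap config * : range",
    "encrypt passwords": "nothing; yes is the default",
}


def _norm_key(key: str) -> str:
    """Lower-case and collapse blanks: 'idmap config DOM : backend' -> 'idmap config dom:backend'."""
    key = re.sub(r"\s+", " ", key.strip().lower())
    return re.sub(r"\s*:\s*", ":", key)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {normalised key: value}}; '#' and ';' start comment lines."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # text outside any section, or not a 'key = value' line
        key, _, value = line.partition("=")
        sections[current][_norm_key(key)] = value.strip()
    return sections


def audit_global(g: Dict[str, str]) -> List[str]:
    """List findings for one parsed [global] section."""
    findings: List[str] = []
    is_dc = g.get("server role", "").lower() == "active directory domain controller"
    idmap_keys = sorted(k for k in g if k.startswith("idmap config "))
    if is_dc:
        # A DC keeps its ID map in idmap.ldb; winbindd 'idmap config' lines are member settings.
        for k in idmap_keys:
            findings.append(f"DC role with member-only setting '{k}'")
        if "security" in g:
            findings.append(f"DC role with explicit 'security = {g['security']}'; "
                            "leave it at the default and let server role decide")
    else:
        for k in sorted(DC_ONLY & g.keys()):
            findings.append(f"non-DC role with DC-only setting '{k}'")
        if g.get("security", "").lower() != "ads":
            findings.append("domain member needs 'security = ADS'")
        # Each configured idmap domain needs a range, and '*' must exist as the default domain.
        domains = sorted({k[len("idmap config "):].split(":")[0] for k in idmap_keys})
        for dom in domains:
            if f"idmap config {dom}:range" not in g:
                findings.append(f"'idmap config {dom} : ...' configured without "
                                f"'idmap config {dom} : range'")
        if "*" not in domains:
            findings.append("missing default domain 'idmap config * : backend' and '... : range'")
    for k, repl in OBSOLETE.items():
        if k in g:
            findings.append(f"obsolete '{k}' (replace with {repl})")
    return findings


# Trimmed copies of the [global] sections quoted in the original mail.
USER_DC_CONF = """
[global]
      workgroup = LENZSPITZE
      realm = lenzspitze.calais.fr
      netbios name = NORDEND
      server role = active directory domain controller
      server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc
      idmap_ldb:use rfc2307 = yes
      winbind use default domain = yes
      idmap config *:backend = tdb
      idmap config *:range = 1000-19000
      security = user
"""

USER_MEMBER_CONF = """
[global]
      security = ads
      realm = lenzspitze.calais.fr
      workgroup = LENZSPITZE
      netbios name = testbugster
      idmap uid = 0-50000
      idmap gid = 0-50000
      idmap config LENZSPITZE : backend = rid
      idmap config LENZSPITZE : base_rid = 0
      encrypt passwords = yes
      winbind nss info = rfc2307
      kerberos method =  secrets and keytab
"""

if __name__ == "__main__":
    for name, conf in (("DC (NORDEND)", USER_DC_CONF), ("member (testbugster)", USER_MEMBER_CONF)):
        print(f"== {name}")
        for finding in audit_global(parse_smb_conf(conf)["global"]):
            print("  -", finding)
```

Run it against a real file with `audit_global(parse_smb_conf(open("/etc/samba/smb.conf").read())["global"])`; on the two quoted configs it reports the idmap and security lines on the DC and, on the member, the missing rid range, the missing `*` default domain and the three obsolete parameters. `testparm` remains the authoritative check, this only makes the DC-versus-member confusion visible at a glance.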


> -----Original message-----
> From: samba-technical 
> [mailto:samba-technical-bounces at lists.samba.org] On behalf of 
> nathalie ramat via samba-technical
> Sent: Thursday, 9 May 2019 9:29
> To: samba-technical at lists.samba.org
> Subject: debian 10: I can not integrate a linux machine 
> into a Samba Ad
> 
> Hello
> 
> 
> 
> I have an old version of Samba which communicates with Windows 7 
> users and Debian Linux users. I have to integrate new 
> machines under Windows 10.
> 
> I am testing Samba version 4.9.5.
> I am using the packages of Debian testing (Debian 10) for the 
> server and the user.
> 
> 
> I want to use Samba as AD. I have generated my AD with the 
> following command: samba-tool domain provision --use-rfc2307 
> --interactive
> Everything was generated correctly, apparently.
> 
> 
> But when I execute the command samba -i I have the following errors:
> 
> /usr/sbin/smbd: pid_to_procid: messaging_dgm_get_unique failed: Aucun
> fichier ou dossier de ce type
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 16162 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: pid_to_procid: messaging_dgm_get_unique failed: Aucun
> fichier ou dossier de ce type
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 24980 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: pid_to_procid: messaging_dgm_get_unique failed: Aucun
> fichier ou dossier de ce type
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 16173 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: pid_to_procid: messaging_dgm_get_unique failed: Aucun
> fichier ou dossier de ce type
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 31019 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> 
> 
> 
> 
> Nevertheless, I can integrate my Windows machines (7 and 
> 10) into my domain.
> 
> 
> But for my Linux machines it is impossible.
> 
> If I use the command net rpc join -S 
> nordend.LENZSPITZE.CALAIS.FR -U administrator, the client 
> waits and doesn't ask for the password.
> 
> Or if I use net ads join -S nordend.LENZSPITZE.CALAIS.FR -U 
> administrator, the Linux client asks for the password and 
> waits for the answer of the server.
> 
> In the logs of the server, I realized that it was trying to 
> identify the machine via the Kerberos database.
> 
> However, the machine could not generate a Kerberos ticket 
> because I cannot join it to the domain.
> 
> 
> Kerberos: AS-REQTESTBUGSTER$@LENZSPITZE.CALAIS.FR  from
> ipv4:192.168.22.xxx:59861 for
> krbtgt/LENZSPITZE.CALAIS.FR at LENZSPITZE.CALAIS.FR
> Kerberos: UNKNOWN --TESTBUGSTER$@LENZSPITZE.CALAIS.FR: no such entry
> found in hdb
> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> [(null)]\[TESTBUGSTER$@LENZSPITZE.CALAIS.FR] at [Fri, 26 Apr 2019
> 12:39:14.537545 CEST] with [(null)] status [NT_STATUS_NO_SUCH_USER]
> workstation [(null)] remote host [ipv4:192.168.22.xxx:59861] mapped to
> [(null)]\[(null)]. local host [NULL]
> {"timestamp": "2019-04-26T12:39:14.537598+0200", "type":
> "Authentication", "Authentication": {"version": {"major": 1, "minor":
> 0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": null,
> "remoteAddress": "ipv4:192.168.22.xx:59861", "serviceDescription":
> "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication",
> "clientDomain": null, "clientAccount":
> "TESTBUGSTER$@LENZSPITZE.CALAIS.FR", "workstation": null,
> "becameAccount": null, "becameDomain": null, "becameSid": null,
> "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null,
> "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
> "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
> "passwordType": null, "duration": 2589}}
> 
> /usr/sbin/smbd: ldb_wrap open of secrets.ldb
> /usr/sbin/smbd: Got NTLMSSP neg_flags=0x62088215
> /usr/sbin/smbd: Got user=[TESTBUGSTER$] domain=[LENZSPITZE]
> workstation=[TESTBUGSTER] len1=24 len2=356
> /usr/sbin/smbd: auth_check_password_send: Checking password 
> for unmapped
> user [LENZSPITZE]\[TESTBUGSTER$]@[TESTBUGSTER]
> /usr/sbin/smbd: auth_check_password_send: user is:
> [LENZSPITZE]\[TESTBUGSTER$]@[TESTBUGSTER]
> /usr/sbin/smbd: sam_search_user: Couldn't find user [TESTBUGSTER$] in
> samdb, under DC=lenzspitze,DC=calais,DC=fr
> /usr/sbin/smbd: auth_check_password_recv: sam authentication for user
> [LENZSPITZE\TESTBUGSTER$] FAILED with error NT_STATUS_NO_SUCH_USER,
> authoritative=1
> /usr/sbin/smbd: Auth: [SMB2,NTLMSSP] user 
> [LENZSPITZE]\[TESTBUGSTER$] at
> [ven., 26 avril 2019 12:39:14.561942 CEST] with [NTLMv2] status
> [NT_STATUS_NO_SUCH_USER] workstation [TESTBUGSTER] remote host
> [ipv4:192.168.22.xxx:58998] mapped to 
> [LENZSPITZE]\[TESTBUGSTER$]. local
> host [ipv4:192.168.22.xxx:445]
> /usr/sbin/smbd: {"timestamp": 
> "2019-04-26T12:39:14.562671+0200", "type":
> "Authentication", "Authentication": {"version": {"major": 1, "minor":
> 0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress":
> "ipv4:192.168.22.xxx:445", "remoteAddress": 
> "ipv4:192.168.22.xxx:58998",
> "serviceDescription": "SMB2", "authDescription": "NTLMSSP",
> "clientDomain": "LENZSPITZE", "clientAccount": "TESTBUGSTER$",
> "workstation": "TESTBUGSTER", "becameAccount": null, "becameDomain":
> null, "becameSid": null, "mappedAccount": "TESTBUGSTER$",
> "mappedDomain": "LENZSPITZE", "netlogonComputer": null,
> "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
> "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
> "passwordType": "NTLMv2", "duration": 11627}}
> /usr/sbin/smbd: gensec_spnego_server_negTokenTarg_step: 
> SPNEGO(ntlmssp)
> login failed: NT_STATUS_NO_SUCH_USER
> 
> When I execute on the server : smbclient -L localhost -U administrator
> 
> I get the following answer
> 
> Sharename       Type      Comment
>       ---------       ----      -------
>       homes           Disk
>       profiles        Disk
>       print$          Disk      Printer Drivers
>       IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
>       Administrator   Disk      Home directory of 
> LENZSPITZE/Administrator
> Reconnecting with SMB1 for workgroup listing.
> 
>       Server               Comment
>       ---------            -------
>       NORDEND              Samba 4.9.5-Debian
> 
>       Workgroup            Master
>       ---------            -------
>       LENZSPITZE
> 
> 
> I think the client and the server do not use the same 
> communication protocols (net rpc --> SMB1/CIFS ?).
> How can I add my Linux machine to my AD?
> 
> 
> 
> I configured smb.conf on my server:
> 
> 
> # global parameters
> [global]
>       workgroup = LENZSPITZE
>       realm = lenzspitze.calais.fr
>       netbios name = NORDEND
>       server role = active directory domain controller
>       server services = s3fs, rpc, nbt, wrepl, ldap, cldap, 
> kdc, drepl,winbindd, ntp_signd, kcc
>       log level = 3
>       log file = /var/log/samba/log.%m
>       max log size = 1000
>       template shell=/bin/bash
>       idmap_ldb:use rfc2307 = yes
>       winbind enum users = yes
>       winbind enum groups = yes
>       winbind use default domain = yes
>       winbind separator = /
>       idmap config *:backend = tdb
>       idmap config *:range = 1000-19000
>       host msdfs = no
>       security = user
>       name resolve order = host
> #    ntlm auth = yes
> #     raw NTLMV2 auth = yes
> #    lanman auth =yes
> #    vfs objects = acl_xattr
>       map acl inherit = Yes
> #    store dos attributes = Yes
> 
> 
> [netlogon]
>       path = 
> /var/lib/samba/var/locks/sysvol/lenzspitze.calais.fr/scripts
>       read only = no
>       browsable = no
> 
> [sysvol]
>       path= /var/lib/samba/var/locks/sysvol
>       read only = no
>       browsable = no
> 
> [homes]
>       path=/home/%G/%U
>       read only = no
>       writable = yes
> 
> 
> [profiles]
>       path=/resultats/profiles
>       read only = no
>       writable =yes
> 
> 
> [printers]
>      comment = All Printers
>      browseable = no
>      path = /var/spool/samba
>      printable = yes
>      guest ok = no
>      read only = yes
>      create mask = 0700
> 
> # Windows clients look for this share name as a source of downloadable
> # printer drivers
> [print$]
>      comment = Printer Drivers
>      path = /var/lib/samba/printers
>      browseable = yes
>      read only = yes
>      guest ok = no
> 
> 
> 
> and my Linux user:
> 
> 
> [global]
>       security = ads
>       realm = lenzspitze.calais.fr
>       workgroup = LENZSPITZE
>       netbios name = testbugster
>       winbind separator = /
>       ntlm auth = yes
>       idmap uid = 0-50000
>       idmap gid = 0-50000
>       winbind enum users = yes
>       winbind enum groups = yes
>       idmap config LENZSPITZE : backend = rid
>       idmap config LENZSPITZE : base_rid = 0
>       template homedir =/etudiants/%U
>       template shell =/bin/bash
>       encrypt passwords = yes
>       winbind nss info = rfc2307
>       kerberos method =  secrets and keytab
>       winbind use default domain = yes
>       log file =/var/log/samba/log.%m
>       log level = 3
> 
> 
> 
> Thank you for your help
> 
> 
> Sincerely yours
> 
> -- 
> Nathalie RAMAT-LECLERCQ
> 
> Service Informatique
> 
> Universite du Littoral-Côte d'Opale
> SCoSI - Service Commun du Système d'Information
> Pôle Systèmes et réseaux
> 
> Centre de Gestion Universitaire de Calais
> 50 rue ferdinand Buisson
> C.S 80699
> 62228 CALAIS CEDEX
> 
> 
> 
> 
> 
> 



