[Samba] Problem with AD users and groups

Marcelo Ruriani systemadmin at helpinghandsofgreenup.org
Fri Jun 7 11:56:31 MDT 2013


On 6/7/13 10:51 AM, Ricky Nance wrote:
> I'd double check on the samba server it self if you can connect to it 
> using smbclient... `smbclient //localhost/sysvol -Uadministrator` .... 
> if that fails try `smbclient //localhost/sysvol -d5 -Uadministrator` 
> and paste the output in your reply. If it succeeds then you can pretty 
> much bet on a connectivity issue... by the way, why isn't samba 
> listening on port 88 in your last mail? It might be worth it to try a 
> `killall samba && sleep 5 && samba -i -M single -d3` and look for any 
> error messages ... anyway those are just a couple of my suggestions.
>
> Ricky
>
>
> On Thu, Jun 6, 2013 at 8:30 PM, Marcelo Ruriani 
> <systemadmin at helpinghandsofgreenup.org> wrote:
>
>     On 6/6/13 5:15 PM, Marc Muehlfeld wrote:
>
>         Hello Marcelo,
>
>         On 06.06.2013 22:47, Marcelo Ruriani wrote:
>
>             It seems I locked myself out. I have tried these steps:
>             turn off the firewall, ntacl sysvol reset, and dis-join
>             from domain. The ntacl sysvol reset returns errors (which
>             I'll post if necessary) the dis-join worked fine but I
>             cannot re-join to the domain because it doesn't detect our
>             domain and throws up an error "domain could not be
>             contacted" and "DNS name doesn't exist".
>
>
>         * IP connection between the hosts is fine? (ping each other)
>
>         * Do you use the internal DNS or Bind DLZ?
>
>         * Is Samba/Bind listening on port 53? Use 'netstat -taunp', to
>         make sure, that nothing else is listening on this port and
>         prevent the correct DNS to start up.
>
>         * Can you check:
>         https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS
>
>
>
>         Regards,
>         Marc
>
>     Dear List & Mark,
>
>         Thank you for the reply. To answer your questions. I am using
>     the internal DNS. The DNS testing reveals that host -t SRV _ldap
>     (and so on) plus host -t SRV _kerberos (and so on) return with a
>     "not found" error. The A record test works fine.
>
>     Samba is listening on TCP port 53, 636, 1024, 3268, 3269, 389, 135
>     (and UDP 53)
>     smbd is listening on TCP port 139, 445
>
>     The clients ping the server (ip and domain name) fine and the
>     server pings the clients fine.
>
>     My followup question will appear after this reply.
>
>     Marcelo
>
>
>
To list, Mark, Ricky,

     I must admit I am unsure why it isn't listening on port 88! I will 
do that "kill all samba" thing later and reply if that does the trick. 
On the tests you asked me to do, this is my terminal output (I 
apologize for the formatting):

root at ad:/# /usr/local/samba/bin/smbclient //localhost/sysvol -U%administrator
Domain=[AD.HHG.COM] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-94f11e9]
tree connect failed: NT_STATUS_ACCESS_DENIED

root at ad:/# /usr/local/samba/bin/smbclient //localhost/sysvol -d5 -U%administrator
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
doing parameter workgroup = AD.HHG.COM
doing parameter realm = HHG.COM
doing parameter netbios name = AD
doing parameter server role = active directory domain controller
doing parameter dns forwarder = 192.168.1.1
pm_process() returned Yes
added interface eth0 ip=fe80::222:19ff:fe95:7f31%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.1.10 bcast=192.168.1.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="AD"
Client started (version 4.1.0pre1-GIT-94f11e9).
Opening cache file at /usr/local/samba/var/lock/gencache.tdb
Opening cache file at /usr/local/samba/var/lock/gencache_notrans.tdb
sitename_fetch: No stored sitename for HHG.COM
name localhost#20 found.
Connecting to ::1 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 173200
SO_RCVBUF = 87380
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
session request ok
Domain=[AD.HHG.COM] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-94f11e9]
session setup ok
tree connect failed: NT_STATUS_ACCESS_DENIED


My question is: if the worst happens and I have to re-provision, would the 
re-provision be enough? Or would I have to do the entire compile, make, 
install procedure? Thanks.

Marcelo
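
Added example (not part of the original message and not Samba project code): the listening-port check discussed in this thread, as a shell function that reads `netstat -taunp` output and lists AD DC ports with no listener. The expected-port list is an assumed subset, and the sample netstat lines are constructed from the ports named in the message; PIDs and the client address are made up.

```shell
#!/bin/sh
# Ports an AD DC is expected to serve (assumed subset for this example).
EXPECTED="tcp/53 udp/53 tcp/88 udp/88 tcp/135 tcp/139 tcp/389 tcp/445 tcp/464 udp/464 tcp/636 tcp/3268 tcp/3269"

# Read `netstat -taunp` output on stdin; print one "proto/port" per bound socket.
listening_ports() {
    awk '
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # ignore established TCP sessions
        $1 ~ /^(tcp|udp)/ {
            proto = $1; sub(/6$/, "", proto)      # fold tcp6/udp6 into tcp/udp
            n = split($4, part, ":")              # port follows the last colon
            print proto "/" part[n]
        }' | sort -u
}

# Print every expected proto/port that has no listener in the netstat output on stdin.
missing_dc_ports() {
    have=$(listening_ports)
    for want in $EXPECTED; do
        printf '%s\n' "$have" | grep -qxF "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample: the listeners reported in the message, plus one client session.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2101/samba
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      2101/samba
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2101/samba
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      2101/samba
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      2101/samba
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      2101/samba
tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      2101/samba
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2110/smbd
tcp6       0      0 :::445                  :::*                    LISTEN      2110/smbd
tcp        0      0 192.168.1.10:445        192.168.1.20:49152      ESTABLISHED 2115/smbd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2101/samba
EOF
}

# Against the sample this reports the Kerberos (88) and kpasswd (464) gaps.
sample_netstat | missing_dc_ports
```

On a live server, pipe the real output instead: `netstat -taunp | missing_dc_ports`.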

