[Samba] member joined, but...

L.P.H. van Belle belle at bazuin.nl
Wed Apr 2 00:24:48 MDT 2014


Hi Rowland,

Well, this is in it; it is the same as for the 2 DCs (and their IPs are the nameservers in resolv.conf).

resolv.conf  
search internal.domain.tld
domain internal.domain.tld
nameserver 192.168.1.1
nameserver 192.168.1.2

krb5.conf 
[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_realm = INTERNAL.DOMAIN.TLD 


I don't get it.
Software installed (from the script I run):
apt-get install sernet-samba sernet-samba-winbind fam acl attr quota -y
Samba set to classic.
Did the Kerberos setup.
Checked with klist -e
Joined the domain with: net ads join -U Administrator
Started up Samba:
/etc/init.d/sernet-samba-smbd start
/etc/init.d/sernet-samba-nmbd start
/etc/init.d/sernet-samba-winbindd start

/etc/pam.d/samba  
# copy from /etc/pam.d/common-auth      - authentication settings common to all services
#
auth    sufficient                      pam_winbind.so
auth    [success=1 default=ignore]      pam_unix.so nullok_secure use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

# copy from /etc/pam.d/common-account   - authorization settings common to all services
#
account sufficient pam_winbind.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so

# copy from /etc/pam.d/common-session   - session-related modules common to all services
#
session required                        pam_mkhomedir.so
session required                        pam_winbind.so
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required                        pam_unix.so

nsswitch.conf
passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files


wbinfo -u
wbinfo -g
is OK, I get the users and groups.

getent passwd works (if I set uid/gid in the Unix tab of the users/groups).

So it all looks fine to me... so what's going on? I don't see it.

Greetz, 

Louis

>-----Original message-----
>From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
>Sent: Tuesday, 1 April 2014 17:00
>To: samba at lists.samba.org
>Subject: [Samba] member joined, but...
>
>Hi,
> 
>I have automated the install of my member server. 
>Followed the wiki : 
>https://wiki.samba.org/index.php/Samba/Domain_Member 
> 
>Everything works nicely, but... .. read on..  ;-) 
> 
>ok, so wiki says: 
>https://wiki.samba.org/index.php/Setup_and_configure_file_shares 
> 
>and now I'm at the point: SeDiskOperatorPrivilege
>and .. for the DCs installed this worked without problems...
>
>but for the domain member, I'm getting ...
> 
>net rpc rights list accounts -Uadministrator
>Enter administrator's password:
>Could not connect to server 127.0.0.1
>The username or password was not correct.
>Connection failed: NT_STATUS_LOGON_FAILURE
>
>net -S servername rpc rights list accounts -Uadministrator
>Enter administrator's password:
>Could not connect to server rtd-mem-001
>The username or password was not correct.
>Connection failed: NT_STATUS_LOGON_FAILURE
>
>net -S servername.internal.domain.tld rpc rights list accounts -Uadministrator
>Enter administrator's password:
>Could not connect to server servername.internal.domain.tld
>The username or password was not correct.
>Connection failed: NT_STATUS_LOGON_FAILURE
>
>and of course setting the Se right didn't work
>
>net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>Enter administrator's password:
>Could not connect to server 127.0.0.1
>The username or password was not correct.
>Connection failed: NT_STATUS_LOGON_FAILURE
>
> 
>so.. 
>/etc/hosts ( checked ) 
>/etc/nsswitch.conf ( checked ) 
>/etc/resolv.conf (check) 
>/var/log/samba/ all logs checked, no errors at all. 
>kinit Administrator  ( checked ) 
> 
>/etc/samba/smb.conf
> 
>[global]
> 
>   workgroup = INTERNAL
>   security = ADS
>   realm = INTERNAL.DOMAIN.TLD
> 
>   idmap config *:backend = tdb
>   idmap config *:range = 500001-800000
>   idmap config BAZRTD:backend = ad
>   idmap config BAZRTD:schema_mode = rfc2307
>   idmap config BAZRTD:range = 10000-400000
> 
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   #winbind enum users  = yes
>   #winbind enum groups = yes
> 
>   template shell = /bin/bash
>   template homedir = /home/samba/DOMAIN/%USERNAME%
> 
>   # For ACL support on member server
>   vfs objects = acl_xattr
>   map acl inherit = Yes
>   store dos attributes = Yes
> 
>   # disable printing completely
>   load printers = no
>   printing = bsd
>   printcap name = /dev/null
>   disable spoolss = yes
> 
> 
> 
>Anyone have an idea?
> 
> 
> 
>
>


