[Samba] Trouble of setting samba with join AD

Rowland Penny rowlandpenny at googlemail.com
Thu Apr 9 01:39:55 MDT 2015


On 09/04/15 05:22, Adhi N. Wirawan wrote:
> I used this command to provision the domain
>
> sudo /usr/bin/samba-tool domain provision --realm test.sg --domain TEST --adminpass Pa$$worD --server-role=dc
>
> Here below I include my /etc/samba/smb.conf:
>
> # Global parameters
> [global]
>          workgroup = TEST
>          realm = TEST.SG
>          netbios name = 4ecapsvsg6
>          server role = active directory domain controller
>          dns forwarder = 10.153.64.1
>          server services = +dns,+dnsupdate
>          allow dns updates = nonsecure and secure
>
>          username map = /etc/samba/smbusers
>          security = ads
>          debug level = 3
>          log level = 0
>          log file = /var/log/samba4/log.%m
>          max log size = 50
>          client lanman auth = yes
>          bind interfaces only = no
>
>          follow symlinks = yes
>          wide links = yes
>          unix extensions = no
>          idmap_ldb:use rfc2307 = Yes
>
>          kdc:service ticket lifetime = 36000
>          kdc:user ticket lifetime = 36000
>          kdc:renewal lifetime = 36000
>
>          #printcap name = /dev/null
>          #load printers = yes
>          #disable spoolss = yes
>          #printing = bsd
>
>          socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 TCP_NODELAY
>          read raw = no
>
> [netlogon]
>          path = /home/samba/netlogon
> #        path = /var/db/samba4/sysvol/test.sg/scripts
>          read only = No
>
> [sysvol]
>          path = /var/db/samba4/sysvol
>          read only = No
>
> [Profiles]
>          path = /mnt/raid/Profiles
>          read only = No
>          create mask = 0600
>          directory mask = 0700
>          hide unreadable = yes
>          store dos attributes = Yes
>          csc policy = disable
>          profile acls = Yes
>
>          vfs object =  recycle
>          recycle:repository = /mnt/raid/.recycle/Profiles/%u/%I/%m/%S
>          recycle:keeptree = Yes
>          recycle:versions = Yes
>          recycle:maxsize = 0
>          recycle:exclude = Thumbs.db *.tmp *.temp ~$*
>          recycle:touch = Yes
>
> # shares
> [public]
>          path = /mnt/raid/public
>          read only = No
>          hide unreadable = No
>
>          vfs object = recycle
>          recycle:repository = /mnt/raid/.recycle/Public/%u/%I/%m/%S
>          recycle:keeptree = Yes
>          recycle:versions = Yes
>          recycle:maxsize = 0
>          recycle:exclude = Thumbs.db *.tmp *.temp ~$*
>
> [TEST]
>          path = /mnt/raid/public
>          read only = No
>          hide unreadable = yes
>
>          vfs object = recycle
>          recycle:repository = /mnt/raid/.recycle/TEST/%u/%I/%m/%S
>          recycle:keeptree = Yes
>          recycle:versions = Yes
>          recycle:maxsize = 0
>          recycle:exclude = Thumbs.db *.tmp *.temp ~$*
>
> [Resources]
>          path = /mnt/raid/Resources
>          read only = No
>          hide unreadable = yes
>
>          vfs object =  recycle
>          recycle:repository = /mnt/raid/.recycle/Resources/%u/%I/%m/%S
>          recycle:keeptree = Yes
>          recycle:versions = Yes
>          recycle:maxsize = 0
>          recycle:exclude = Thumbs.db *.tmp *.temp ~$*
>
> [printers]
>       path = /var/spool/samba
>       printable = yes
>       printing = CUPS
>
> [print$]
>       path = /mnt/raid/PrinterDrivers
>       comment = Printer Drivers
>       writeable = yes
>
> And my /etc/krb5.conf
>
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>   default_realm = TEST.SG
>   default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>   default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>   preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   forwardable = true
>   renewable = true
>   ticket_lifetime = 365d
>   renew_lifetime = 1000d
>
> [realms]
> TEST.SG = {
>    kdc = 4ecapsvsg6.test.sg:88
>    admin_server = 4ecapsvsg6.test.sg:749
>    default_domain = test.sg
>   }
>
> [domain_realm]
>   .test.sg = TEST.SG
>   test.sg = TEST.SG
>
> [appdefaults]
>   pam = {
>     debug = false
>     forwardable = true
>     renewable = true
>     ticket_lifetime = 365d
>     renew_lifetime = 1000d
>     krb4_convert = false
>   }
>
> So how do I 'sanitize' 4ecapsvsg6?
>
> -Adhi-
>
> ---CUT---
>
>>> ~# smbclient //4ecapsvsg6/netlogon -UAdministrator%"Pa$$worD" -c 'ls'
>>> session setup failed: NT_STATUS_NO_LOGON_SERVERS
>>>
>>> Without it I cannot continue to join the domain.
>>>
>>> Can you help me out here?
>>>
>> I think we are going to have to see the smb.conf (sanitized) from '4ecapsvsg6'
>>
>> How did you provision the domain, what command did you use?
>>
>> Rowland
>
>

Please put your AD DC smb.conf back to what it was after you provisioned it!

Restart samba and run this command: 'samba-tool testparm -v --suppress-prompt'

The output is what your actual smb.conf is, including all of the 
defaults, some of which you seem to have turned off.

Once you have got your samba AD DC working, you can then start to add to 
it, but note that it is not recommended at this time to use the AD DC as 
a fileserver as well.

'sanitized' means removing anything that would identify your setup by 
replacing things like the domain name with something like 'example.com'.

Rowland
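
Added example, not part of the original post and not Samba's own tooling: a small Python diff that lists every smb.conf parameter added, changed or removed since provisioning, so each one can be reviewed or reverted. The baseline contents, the names EXAMPLE and 192.0.2.1, and the name matching (lower-cased, whitespace collapsed) are assumptions made for illustration; use the file you saved after provisioning as the real baseline.

```python
import re

# Constructed baseline (assumed provision output); use your own post-provision file.
PROVISIONED = """
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    dns forwarder = 192.0.2.1
    idmap_ldb:use rfc2307 = yes
"""

# Constructed sample: sanitized excerpt of the edited [global] quoted in the thread.
CURRENT = """
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    dns forwarder = 192.0.2.1
    server services = +dns,+dnsupdate
    security = ads
    client lanman auth = yes
    idmap_ldb:use rfc2307 = Yes
"""

def parse_smb_conf(text):
    """Return {(section, parameter): value}; names lower-cased, spaces collapsed."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section and "=" in line and line[0] not in "#;":
            name, value = line.split("=", 1)
            conf[section, " ".join(name.lower().split())] = value.strip()
    return conf

def norm(value):
    """Booleans compare case-insensitively, everything else exactly; None = absent."""
    return value.lower() if value and value.lower() in ("yes", "no", "true", "false") else value

def drift(baseline, current):
    """Sorted (section, parameter, old, new) for every added, changed or removed line."""
    base, cur = parse_smb_conf(baseline), parse_smb_conf(current)
    return [(s, p, base.get((s, p)), cur.get((s, p)))
            for s, p in sorted(base.keys() | cur.keys())
            if norm(base.get((s, p))) != norm(cur.get((s, p)))]

if __name__ == "__main__":
    for row in drift(PROVISIONED, CURRENT):
        print("[%s] %s: %r -> %r" % row)
```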


