[Samba] Cannot authenticate the administrator account

Rowland Penny rowlandpenny at googlemail.com
Wed Apr 22 10:26:27 MDT 2015


On 22/04/15 16:28, Mike wrote:
> On Wed, Apr 22, 2015 at 10:04 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
>
>> Are you sure you have the "correct" administrator password?
>>
>> This should work: echo ${SAMBA_NT_ADMIN_PASS} | smbclient
>> //localhost/netlogon -U Administrator -c 'ls'
>> That does not involve Kerberos yet.
>>
>> Please run:
>>
>> SETHOSTNAME=`hostname -s`
>> SETDNSDOMAIN=`hostname -d`
>> SETFQDN=`hostname -f`
>>
>> host -t SRV _ldap._tcp.${SETDNSDOMAIN}.
>>
>> host -t SRV _kerberos._udp.${SETDNSDOMAIN}.
>>
>> host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}.
>> and
>> cat /etc/hosts
>>
>> and these are your DC's IPs?
>>
>> nameserver 75.75.76.76
>> nameserver 75.75.75.75
>>
>> Greetz,
>>
>> Louis
>>
>>
> Hi Louis,
>
> I'm definitely using the same Administrator password; wrote it down during
> provisioning.
>
> For my DC's nameservers ---- might I have this wrong?  Those IPs are my
> ISP's nameservers - Xfinity Comcast.
> The actual CentOS server box static IP is 10.10.1.225.  Do I need to delete
> the ISP nameservers and go with 10.10.1.225?
>
> Thank you for all the follow up.
>
> Mike

How should I put this politely? You have to point the DC at itself if 
you only have one DC; if you have two DCs, then point one at the other, 
then itself.

The Kerberos realm must be the same as your DNS domain, and it is advised 
that this is not resolvable from the internet.

i.e. if you have one DC and your registered DNS domain is example.com 
and the IP address of the DC is 192.168.0.2, then resolv.conf should contain:

search internal.example.com
nameserver 192.168.0.2

Or if you have two DCs and the IP address of the second DC is 192.168.0.3:

First DC (192.168.0.2):

search internal.example.com
nameserver 192.168.0.3
nameserver 192.168.0.2

Second DC (192.168.0.3):

search internal.example.com
nameserver 192.168.0.2
nameserver 192.168.0.3

You can replace 'internal' with anything you like and you do not have to 
use it for the domain/workgroup, but whatever you use, 'hostname -d' 
must show this domain name and you *MUST* use this as the realm name 
when you provision.

Anything that is outside the Samba4 AD domain is forwarded to the 
forwarder set in smb.conf, in your case 'dns forwarder = 75.75.76.76'.

Rowland
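An added example of the resolv.conf rule in the reply above, written for this page and not taken from the thread or from Samba: a DC lists the other DCs first, then itself, and never an outside resolver, which belongs in smb.conf as 'dns forwarder'. The first function prints the file a given DC should have from the full list of DC addresses; the second audits an existing resolv.conf read on stdin and flags any nameserver that is not a DC or a search domain that is not the realm. The realm internal.example.com, the 192.168.0.x addresses and the ISP resolvers fed to the audit are constructed inputs, not data from any real deployment.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): build and audit
# /etc/resolv.conf for a Samba AD DC.  Rule: a DC lists the other DCs
# first, then itself, nothing else; the search domain is the AD DNS
# domain, i.e. the Kerberos realm.  All addresses/names are assumptions.

# gen_resolv_conf REALM SELF_IP DC_IP...
# Print the resolv.conf the DC at SELF_IP should use, given every DC's IP.
gen_resolv_conf() {
    realm=$1; self=$2; shift 2
    printf 'search %s\n' "$realm"
    for dc in "$@"; do
        if [ "$dc" != "$self" ]; then
            printf 'nameserver %s\n' "$dc"
        fi
    done
    printf 'nameserver %s\n' "$self"
}

# check_resolv_conf REALM DC_IP... < resolv.conf
# Audit a resolv.conf read from stdin.  Returns 0 when every nameserver is
# a DC address and the search domain equals REALM (compared case-insensitively,
# since the realm is conventionally upper case at provisioning time);
# otherwise prints each problem and returns 1.
check_resolv_conf() {
    realm_in=$1
    realm=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    dcs=" $* "
    rc=0
    while read -r key val rest; do
        case $key in
            nameserver)
                case $dcs in
                    *" $val "*) ;;
                    *) echo "nameserver $val is not a DC; an outside resolver belongs in smb.conf 'dns forwarder'"
                       rc=1 ;;
                esac ;;
            search|domain)
                dom=$(printf '%s' "$val" | tr 'A-Z' 'a-z')
                if [ "$dom" != "$realm" ]; then
                    echo "search domain '$val' does not match realm '$realm_in'"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Demo: the file each of two DCs should carry, then an audit of a lone DC
# whose resolv.conf points at its ISP's resolvers (constructed input).
echo "--- DC 192.168.0.2 ---"
gen_resolv_conf internal.example.com 192.168.0.2 192.168.0.2 192.168.0.3
echo "--- DC 192.168.0.3 ---"
gen_resolv_conf internal.example.com 192.168.0.3 192.168.0.2 192.168.0.3
echo "--- audit ---"
if printf 'nameserver 75.75.76.76\nnameserver 75.75.75.75\n' |
        check_resolv_conf internal.example.com 10.10.1.225; then
    echo "resolv.conf OK"
else
    echo "resolv.conf needs fixing"
fi
```

On a real DC, run the audit as `check_resolv_conf INTERNAL.EXAMPLE.COM 192.168.0.2 192.168.0.3 < /etc/resolv.conf` and pair it with `hostname -d`, which must print the same domain; if the audit reports an outside nameserver, move that address to `dns forwarder` in smb.conf rather than leaving it in resolv.conf.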
