[Samba] Cannot authenticate the administrator account

Mike 1100100 at gmail.com
Tue Apr 28 15:41:37 MDT 2015


I wanted to follow up to the list in hopes it will help others with similar
configuration.
Per previous posts --
OS:  CentOS 7.153
Samba:  Version 4.1.17-SerNet-RedHat-11.el7
Samba provisioned to act as: AD DC following Samba Wiki:  Samba AD DC HOWTO
Samba Internal DNS daemon deployed.

1.  Disable SELinux.  Unless you have a solid understanding of how to
configure it for your environment, please turn it off.  It is defaulted
ON/Engaged in CentOS 7.  If you don't understand how SELinux filters calls
to/from the Linux kernel, you may be chasing ghosts in relation to your
Samba 4.x.y AD DC.  For clarification, my sysadmin and security skills are
not expert level.

2.  The following information may have lurked under my nose, but I did not
find mention of it:  There is a configuration file
/etc/default/sernet-samba which requires one small edit for samba to
function.
The setting is defaulted to NONE, but it needs to be set to "ad".

# SAMBA_START_MODE defines how Samba should be started. Valid options are one of
#   "none"    to not enable it at all,
#   "classic" to use the classic smbd/nmbd/winbind daemons
#   "ad"      to use the Active Directory server (which starts the smbd on its own)
# (Be aware that you also need to enable the services/init scripts that
# automatically start up the desired daemons.)
SAMBA_START_MODE="ad"
#SAMBA_START_MODE="none"

3.  Upon initial provisioning, Samba objects when the machine name (netbios
name?) and the domain/workgroup name are the same, so I changed the machine
name to make them different.
It appears necessary to edit the /etc/hosts file and include both of them
in the hosts file:

10.10.10.100  mymachine.example.com  mymachine
10.10.10.100  mydomain.example.com  mydomain

4.  Gotta deal with firewalld.  Either uninstall it and use the iptables
commands you've fought to finally understand over the years; or, use
firewalld and zones, etc.
Open all those scary ports to make sure all the complex AD DC components
work:

firewall-cmd --permanent --add-service=samba
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --permanent --add-port=88/tcp
firewall-cmd --permanent --add-port=88/udp
firewall-cmd --permanent --add-port=135/tcp
firewall-cmd --permanent --add-port=137/tcp
firewall-cmd --permanent --add-port=137/udp
firewall-cmd --permanent --add-port=138/udp
firewall-cmd --permanent --add-port=139/tcp
firewall-cmd --permanent --add-port=389/tcp
firewall-cmd --permanent --add-port=389/udp
firewall-cmd --permanent --add-port=445/tcp
firewall-cmd --permanent --add-port=464/tcp
firewall-cmd --permanent --add-port=464/udp
firewall-cmd --permanent --add-port=636/tcp
firewall-cmd --permanent --add-port=1024-5000/tcp
firewall-cmd --permanent --add-port=1024-5000/udp
firewall-cmd --permanent --add-port=3268/tcp
firewall-cmd --permanent --add-port=3269/tcp
firewall-cmd --permanent --add-port=5353/tcp
firewall-cmd --permanent --add-port=5353/udp
firewall-cmd --reload


5.  So far, the following works:

smbclient -L localhost -U%
smbclient //mydomain.example.com/netlogon -U Administrator

From Win 7 Pro or 8.1 Pro client, I can point Windows Explorer to the
Samba4 AD DC box by entering \\10.10.10.100 in the address bar.
I can also provide UserID: Administrator and Password: PaSsW8*rD and see
netlogon, sysvol, and all demo directory shares I created.
I can also read/write to all of them - - - - I was surprised this was
possible without actually joining the domain via (from Windows):  Control
Panel ---> System and Security ---> System ---> Change Settings.
It's possible I was able to read/write to the demo shares because they were
previously set --  chmod -R 0777 /demo/share/directory.

I still need to understand samba-tool user creation, settings, and options,
as I cannot yet figure out how to connect to the AD DC box via RSAT Server
Manager app.

6.  Testing DNS --
The suggested tests in the AD DC HOWTO produce errors but the samba log
seems to indicate DNS is okay:

[2015/04/28 17:29:48.986108,  3]
../source4/dsdb/dns/dns_update.c:340(dnsupdate_check_names)
  Calling DNS name update script
[2015/04/28 17:29:48.989054,  3]
../source4/dsdb/dns/dns_update.c:355(dnsupdate_check_names)
  Calling SPN name update script
[2015/04/28 17:29:49.505209,  3]
../source4/dsdb/dns/dns_update.c:325(dnsupdate_spnupdate_done)
  Completed SPN update check OK
[2015/04/28 17:29:49.576183,  3]
../source4/dsdb/dns/dns_update.c:296(dnsupdate_nameupdate_done)
  Completed DNS update check OK

7. Kerberos --
I don't believe this is working yet and will need to RTFM to figure out how
to chase it down.
[root@a10 etc]# ls -alh krb5.conf
lrwxrwxrwx. 1 root root 32 Apr 21 10:31 krb5.conf -> /var/lib/samba/private/krb5.conf
[root@a10 etc]# klist
klist: Credentials cache file '/tmp/krb5cc_0' not found
[root@a10 etc]#
[root@a10 etc]# kinit administrator@MYDOMAIN.EXAMPLE.COM
kinit: Cannot find KDC for realm "MYDOMAIN.EXAMPLE.COM" while getting initial credentials
[root@a10 etc]#

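Added example (not from the post, and not Samba or firewalld code): a Python audit of the firewall-cmd list in step 4 against the ports a Samba AD DC actually serves, so the "scary" list can be reduced to what the DC needs. The reference port table is my reading of the Samba wiki's AD DC port-usage page, and the contents of firewalld's built-in `samba` service definition and the dynamic RPC range notes are my assumptions.

```python
import re

# Ports a Samba AD DC listens on (my reading of the Samba wiki "Samba AD DC
# Port Usage" page).  The dynamic RPC range is reported separately because
# its default changed across Samba releases (1024-1300 in old versions such
# as 4.1, 49152-65535 in current ones), so one fixed value cannot be "right".
AD_DC_PORTS = {
    ("53", "tcp"): "DNS", ("53", "udp"): "DNS",
    ("88", "tcp"): "Kerberos", ("88", "udp"): "Kerberos",
    ("135", "tcp"): "RPC endpoint mapper",
    ("137", "udp"): "NetBIOS name service", ("138", "udp"): "NetBIOS datagram",
    ("139", "tcp"): "NetBIOS session", ("445", "tcp"): "SMB over TCP",
    ("389", "tcp"): "LDAP", ("389", "udp"): "CLDAP",
    ("464", "tcp"): "kpasswd", ("464", "udp"): "kpasswd",
    ("636", "tcp"): "LDAPS",
    ("3268", "tcp"): "Global Catalog", ("3269", "tcp"): "Global Catalog SSL",
}
# What firewalld's built-in "samba" service opens (assumption: its samba.xml).
SAMBA_SERVICE = {("137", "udp"), ("138", "udp"), ("139", "tcp"), ("445", "tcp")}

# Constructed input: the --add-port values from the post, rebuilt as rule lines.
POST_PORTS = ("53/tcp 53/udp 88/tcp 88/udp 135/tcp 137/tcp 137/udp 138/udp "
              "139/tcp 389/tcp 389/udp 445/tcp 464/tcp 464/udp 636/tcp "
              "1024-5000/tcp 1024-5000/udp 3268/tcp 3269/tcp 5353/tcp 5353/udp")
POST_RULES = "firewall-cmd --permanent --add-service=samba\n" + "".join(
    f"firewall-cmd --permanent --add-port={p}\n" for p in POST_PORTS.split())

def parse_rules(text):
    """Collect the (port, proto) pairs opened by a list of firewall-cmd lines."""
    opened = set()
    for line in text.splitlines():
        if "--add-service=samba" in line:
            opened |= SAMBA_SERVICE
        m = re.search(r"--add-port=(\d+(?:-\d+)?)/(tcp|udp)\b", line)
        if m:
            opened.add((m.group(1), m.group(2)))
    return opened

def audit(opened):
    """Split the opened ports into: required but missing, TCP ranges that can
    only be the dynamic RPC range, and everything else (not needed by a DC)."""
    report = {"missing": [p for p in sorted(AD_DC_PORTS) if p not in opened],
              "dynamic_rpc": [], "not_needed": []}
    for port, proto in sorted(opened):
        if (port, proto) in AD_DC_PORTS:
            continue
        key = "dynamic_rpc" if "-" in port and proto == "tcp" else "not_needed"
        report[key].append((port, proto))
    return report

if __name__ == "__main__":
    for kind, ports in audit(parse_rules(POST_RULES)).items():
        print(f"{kind}: {ports}")
```

On the post's list the audit reports nothing missing and flags 137/tcp, 1024-5000/udp and 5353/tcp+udp as openings no Samba AD DC component listens on.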

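Added example (not part of the post) for the step 7 failure: with the krb5.conf that samba-tool provisioning writes, there is no explicit kdc entry and dns_lookup_kdc is on, so the Kerberos library can only locate the KDC through the `_kerberos` SRV records served by the DC's own DNS; "Cannot find KDC" therefore points at the DC's resolver not querying itself. The sample config below is constructed from the three settings I know the provisioned file contains, and the parser and lookup-plan function are my own.

```python
import re

# Constructed sample: the settings samba-tool domain provision writes into
# /var/lib/samba/private/krb5.conf (which the post symlinks from /etc).
SAMBA_KRB5_CONF = """\
[libdefaults]
    default_realm = MYDOMAIN.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
"""

def parse_krb5(text):
    """Minimal krb5.conf reader: flat key/value pairs per section, plus the
    kdc entries of each realm block under [realms]."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        if section == "realms":
            m = re.match(r"([\w.-]+)\s*=\s*\{", line)
            if m:                                  # start of "REALM = {"
                realm = m.group(1)
                conf["realms"][realm] = []
            elif line == "}":
                realm = None
            elif realm and (m := re.match(r"kdc\s*=\s*(\S+)", line)):
                conf["realms"][realm].append(m.group(1))
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf.setdefault(section, {})[key] = value
    return conf

def kdc_lookup_plan(conf, realm=None):
    """Where libkrb5 will look for a KDC: explicit kdc entries first, then
    DNS SRV records if dns_lookup_kdc is enabled (MIT's default is true)."""
    lib = conf.get("libdefaults", {})
    realm = realm or lib.get("default_realm")
    explicit = conf.get("realms", {}).get(realm, [])
    srv = []
    if lib.get("dns_lookup_kdc", "true").lower() == "true":
        srv = [f"_kerberos._udp.{realm}", f"_kerberos._tcp.{realm}"]
    return {"realm": realm, "explicit_kdcs": explicit, "srv_names": srv}

if __name__ == "__main__":
    print(kdc_lookup_plan(parse_krb5(SAMBA_KRB5_CONF)))
```

The srv_names it returns are the records to query against the DC's own address (for example with `host -t SRV <name> 10.10.10.100`); if they resolve there but kinit still fails, /etc/resolv.conf on the DC is not pointing at the Samba internal DNS.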