[Samba] Cannot authenticate the administrator account

L.P.H. van Belle belle at bazuin.nl
Wed Apr 29 01:04:38 MDT 2015

Hi Mike,

>It appears necessary to edit the /etc/hosts file and include both of them
>in the hosts file:
>  mymachine.example.com  mymachine
>  mydomain.example.com  mydomain
Remove the domain line here in hosts.

If you run:
hostname -s 	( name )
hostname -f 	( name.domain.tld )
hostname -d 	( domain.tld )

and one of these is incorrect, then yes, your setup will fail.
Make sure your resolv.conf is correct.

I like to start with:
search domain.tld
nameserver yourDC_1

If hostname -d still fails, add above the search line:
domain domain.tld

Now copy the krb5 file and don't symlink it.
mv /etc/krb5.conf /etc/krb5.conf.old
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

Now try kinit again.

>-----Original message-----
>From: 1100100 at gmail.com [mailto:samba-bounces at lists.samba.org]
>On behalf of Mike
>Sent: Tuesday, 28 April 2015 23:42
>CC: samba
>Subject: Re: [Samba] Cannot authenticate the administrator account
>I wanted to follow up to the list in hopes it will help others with similar
>Per previous posts --
>OS:  CentOS 7.153
>Samba:  Version 4.1.17-SerNet-RedHat-11.el7
>Samba provisioned to act as: AD DC following Samba Wiki:
>Samba Internal DNS daemon deployed.
>
>1.  Disable selinux.  Unless you have a solid understanding of how to
>configure it for your environment, please turn it off.  It is defaulted
>ON/Engaged in CentOS 7.  If you don't understand how selinux filters calls
>to/from the linux kernel, you may be chasing ghosts in relation to your
>Samba 4.x.y AD DC.  For clarification, my sysadmin and security skills are
>not expert level.
>
>2.  The following information may have lurked under my nose, but I did not
>find mention of it:  There is a configuration file
>/etc/default/sernet-samba which requires one small edit for samba to
>The setting is defaulted to NONE, but it needs to be set to "ad".
>
># SAMBA_START_MODE defines how Samba should be started. Valid options are one of
>#   "none"    to not enable it at all,
>#   "classic" to use the classic smbd/nmbd/winbind daemons
>#   "ad"      to use the Active Directory server (which starts the smbd on its own)
># (Be aware that you also need to enable the services/init scripts that
># automatically start up the desired daemons.)
>
>3.  Upon initial provisioning Samba objects when the machine name (netbios
>name?) and the domain/workgroup name are the same so I changed the machine
>name to make them different.
>It appears necessary to edit the /etc/hosts file and include both of them
>in the hosts file:
>  mymachine.example.com  mymachine
>  mydomain.example.com  mydomain
>
>4.  Gotta deal with firewalld.  Either uninstall it and use the iptables
>commands you've fought to finally understand over the years; or, use
>firewalld and zones, etc.
>Open all those scary ports to make sure all the complex AD DC
>firewall-cmd --permanent --add-service=samba
>firewall-cmd --permanent --add-port=53/tcp
>firewall-cmd --permanent --add-port=53/udp
>firewall-cmd --permanent --add-port=88/tcp
>firewall-cmd --permanent --add-port=88/udp
>firewall-cmd --permanent --add-port=135/tcp
>firewall-cmd --permanent --add-port=137/tcp
>firewall-cmd --permanent --add-port=137/udp
>firewall-cmd --permanent --add-port=138/udp
>firewall-cmd --permanent --add-port=139/tcp
>firewall-cmd --permanent --add-port=389/tcp
>firewall-cmd --permanent --add-port=389/udp
>firewall-cmd --permanent --add-port=445/tcp
>firewall-cmd --permanent --add-port=464/tcp
>firewall-cmd --permanent --add-port=464/udp
>firewall-cmd --permanent --add-port=636/tcp
>firewall-cmd --permanent --add-port=1024-5000/tcp
>firewall-cmd --permanent --add-port=1024-5000/udp
>firewall-cmd --permanent --add-port=3268/tcp
>firewall-cmd --permanent --add-port=3269/tcp
>firewall-cmd --permanent --add-port=5353/tcp
>firewall-cmd --permanent --add-port=5353/udp
>firewall-cmd --reload
>
>5.  So far, the following works:
>smbclient -L localhost -U%
>smbclient //mydomain.example.com/netlogon -U Administrator
>From Win 7 Pro or 8.1 Pro client, I can point Windows Explorer to the
>Samba4 AD DC box by entering \\ in the address bar.
>I can also provide UserID: Administrator and Password: PaSsW8*rD and see
>netlogon, sysvol, and all demo directory shares I created.
>I can also read/write to all of them - - - - I was surprised this was
>possible without actually joining the domain via (from windows):  Control
>Panel ---> System and Security ---> System ---> Change Settings.
>It's possible I was able to read/write to the demo shares because they were
>previously set --  chmod -R 0777 /demo/share/directory.
>I still need to understand samba-tool user creation, settings, and options,
>as I cannot yet figure out how to connect to the AD DC box via RSAT Server
>Manager app.
>
>6.  Testing DNS --
>The suggested tests in the AD DC HOWTO produce errors but the samba log
>seems to indicate DNS is okay:
>[2015/04/28 17:29:48.986108,  3]
>  Calling DNS name update script
>[2015/04/28 17:29:48.989054,  3]
>  Calling SPN name update script
>[2015/04/28 17:29:49.505209,  3]
>  Completed SPN update check OK
>[2015/04/28 17:29:49.576183,  3]
>  Completed DNS update check OK
>
>7. Kerberos --
>I don't believe this is working yet and will need to RTFM to figure out how
>to chase it down.
>[root at a10 etc]# ls -alh krb5.conf
>lrwxrwxrwx. 1 root root 32 Apr 21 10:31 krb5.conf ->
>[root at a10 etc]# klist
>klist: Credentials cache file '/tmp/krb5cc_0' not found
>[root at a10 etc]#
>[root at a10 etc]# kinit administrator at MYDOMAIN.EXAMPLE.COM
>kinit: Cannot find KDC for realm "MYDOMAIN.EXAMPLE.COM" while getting
>initial credentials
>[root at a10 etc]#
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
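As an added example that is not part of van Belle's reply or of Mike's post: a small POSIX shell script that runs the three checks the reply walks through before retrying kinit (hostname -s/-f/-d must agree, resolv.conf must carry a search or domain line for the AD domain plus a nameserver that is a DC, and /etc/krb5.conf must be a real copy, not a symlink, with the right default_realm). The function names, the 192.0.2.10 nameserver address and the constructed sample file contents are this example's own assumptions; the domain and realm placeholders are the ones Mike used in his post.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity checks for the
# hostname -> resolv.conf -> krb5.conf chain the reply above describes.
# Function names, sample addresses and file contents are assumptions.

# Escape dots so a domain or realm can be used inside a grep -E pattern.
re_escape() {
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# hostname -s, -f and -d must agree: fqdn == short.domain, none empty.
hostnames_consistent() {
    hc_short=$1; hc_fqdn=$2; hc_domain=$3
    [ -n "$hc_short" ] && [ -n "$hc_fqdn" ] && [ -n "$hc_domain" ] || return 1
    [ "$hc_fqdn" = "$hc_short.$hc_domain" ]
}

# resolv.conf needs a search (or domain) line naming the AD DNS domain
# and at least one nameserver line (which should point at a DC).
resolv_conf_ok() {
    rc_file=$1; rc_domain=$(re_escape "$2")
    grep -Eq "^(search|domain)[[:space:]]+$rc_domain([[:space:]]|$)" "$rc_file" || return 1
    grep -Eq "^nameserver[[:space:]]+[0-9.]+" "$rc_file"
}

# krb5.conf must be a regular file, not a symlink, and its default_realm
# must be the realm you are about to kinit against.
krb5_conf_ok() {
    kc_file=$1; kc_realm=$(re_escape "$2")
    [ -f "$kc_file" ] && [ ! -L "$kc_file" ] || return 1
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$kc_realm[[:space:]]*$" "$kc_file"
}

# Constructed sample files in a throw-away directory: a resolv.conf written
# the way the reply suggests, a krb5.conf with the expected realm, and a
# symlink to it (the shape the original poster had; the reply says copy it).
make_sample_dir() {
    ms_dir=$(mktemp -d)
    printf 'search mydomain.example.com\nnameserver 192.0.2.10\n' > "$ms_dir/resolv.conf"
    printf '[libdefaults]\n\tdefault_realm = MYDOMAIN.EXAMPLE.COM\n\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n' > "$ms_dir/krb5.conf"
    ln -s "$ms_dir/krb5.conf" "$ms_dir/krb5.conf.link"
    printf '%s\n' "$ms_dir"
}

# Report on the running host first, then on the constructed samples.
report() {
    if hostnames_consistent "$(hostname -s 2>/dev/null)" "$(hostname -f 2>/dev/null)" "$(hostname -d 2>/dev/null)"; then
        echo "hostname -s/-f/-d agree"
    else
        echo "hostname -s/-f/-d disagree: fix /etc/hosts and resolv.conf before trying kinit"
    fi
    r_dir=$(make_sample_dir)
    resolv_conf_ok "$r_dir/resolv.conf" mydomain.example.com && echo "sample resolv.conf: ok"
    krb5_conf_ok "$r_dir/krb5.conf" MYDOMAIN.EXAMPLE.COM && echo "sample krb5.conf (copy): ok"
    krb5_conf_ok "$r_dir/krb5.conf.link" MYDOMAIN.EXAMPLE.COM || echo "sample krb5.conf (symlink): rejected, copy the file instead"
    rm -rf "$r_dir"
}

report
```

Run it as root on the DC before kinit; the live hostname check uses whatever `hostname -s/-f/-d` return on that box, and the three checker functions can be pointed at the real /etc/resolv.conf and /etc/krb5.conf instead of the samples.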