[Samba] Cannot authenticate the administrator account
Rowland Penny
rowlandpenny at googlemail.com
Wed Apr 29 01:55:27 MDT 2015
On 28/04/15 22:41, Mike wrote:
> I wanted to follow up to the list in hopes it will help others with similar
> configuration.
> Per previous posts --
> OS: CentOS 7.153
> Samba: Version 4.1.17-SerNet-RedHat-11.el7
> Samba provisioned to act as: AD DC following Samba Wiki: Samba AD DC HOWTO
> Samba Internal DNS daemon deployed.
>
> 1. Disable selinux. Unless you have a solid understanding of how to
> configure it for your environment, please turn it off. It is defaulted
> ON/Engaged in CentOS 7. If you don't understand how selinux filters calls
> to/from the linux kernel, you may be chasing ghosts in relation to your
> Samba 4.x.y AD DC. For clarification, my sysadmin and security skills are
> not expert level.
>
> 2. The following information may have lurked under my nose, but I did not
> find mention of it: There is a configuration file
> /etc/default/sernet-samba which requires one small edit for samba to
> function.
> The setting is defaulted to NONE, but it needs to be set to "ad".
>
> # SAMBA_START_MODE defines how Samba should be started. Valid options are
> one of
> # "none" to not enable it at all,
> # "classic" to use the classic smbd/nmbd/winbind daemons
> # "ad" to use the Active Directory server (which starts the smbd on
> its own)
> # (Be aware that you also need to enable the services/init scripts that
> # automatically start up the desired daemons.)
> SAMBA_START_MODE="ad"
> #SAMBA_START_MODE="none"
>
> 3. Upon initial provisioning Samba objects when the machine name (netbios
> name?) and the domain/workgroup name are the same so I changed the machine
> name to make them different.
> It appears necessary to edit the /etc/hosts file and include both of them
> in the hosts file:
>
> 10.10.10.100 mymachine.example.com mymachine
> 10.10.10.100 mydomain.example.com mydomain
>
> 4. Gotta deal with firewalld. Either uninstall it and use the iptables
> commands you've fought to finally understand over the years; or, use
> firewalld and zones, etc.
> Open all those scary ports to make sure all the complex AD DC components
> work:
>
> firewall-cmd --permanent --add-service=samba
> firewall-cmd --permanent --add-port=53/tcp
> firewall-cmd --permanent --add-port=53/udp
> firewall-cmd --permanent --add-port=88/tcp
> firewall-cmd --permanent --add-port=88/udp
> firewall-cmd --permanent --add-port=135/tcp
> firewall-cmd --permanent --add-port=137/tcp
> firewall-cmd --permanent --add-port=137/udp
> firewall-cmd --permanent --add-port=138/udp
> firewall-cmd --permanent --add-port=139/tcp
> firewall-cmd --permanent --add-port=389/tcp
> firewall-cmd --permanent --add-port=389/udp
> firewall-cmd --permanent --add-port=445/tcp
> firewall-cmd --permanent --add-port=464/tcp
> firewall-cmd --permanent --add-port=464/udp
> firewall-cmd --permanent --add-port=636/tcp
> firewall-cmd --permanent --add-port=1024-5000/tcp
> firewall-cmd --permanent --add-port=1024-5000/udp
> firewall-cmd --permanent --add-port=3268/tcp
> firewall-cmd --permanent --add-port=3269/tcp
> firewall-cmd --permanent --add-port=5353/tcp
> firewall-cmd --permanent --add-port=5353/udp
> firewall-cmd --reload
>
>
> 5. So far, the following works:
>
> smbclient -L localhost -U%
> smbclient //mydomain.example.com/netlogon -U Administrator
>
> From Win 7 Pro or 8.1 Pro client, I can point Windows Explorer to the
> Samba4 AD DC box by entering \\10.10.10.100 in the address bar.
> I can also provide UserID: Administrator and Password: PaSsW8*rD and see
> netlogon, sysvol, and all demo directory shares I created.
> I can also read/write to all of them - - - - I was surprised this was
> possible without actually joining the domain via (from windows): Control
> Panel ---> System and Security ---> System ---> Change Settings.
> It's possible I was able to read/write to the demo shares because they were
> previously set -- chmod -R 0777 /demo/share/directory.
>
> I still need to understand samba-tool user creation, settings, and options,
> as I cannot yet figure out how to connect to the AD DC box via RSAT Server
> Manager app.
>
> 6. Testing DNS --
> The suggested tests in the AD DC HOWTO produce errors but the samba log
> seems to indicate DNS is okay:
>
> [2015/04/28 17:29:48.986108, 3]
> ../source4/dsdb/dns/dns_update.c:340(dnsupdate_check_names)
> Calling DNS name update script
> [2015/04/28 17:29:48.989054, 3]
> ../source4/dsdb/dns/dns_update.c:355(dnsupdate_check_names)
> Calling SPN name update script
> [2015/04/28 17:29:49.505209, 3]
> ../source4/dsdb/dns/dns_update.c:325(dnsupdate_spnupdate_done)
> Completed SPN update check OK
> [2015/04/28 17:29:49.576183, 3]
> ../source4/dsdb/dns/dns_update.c:296(dnsupdate_nameupdate_done)
> Completed DNS update check OK
>
> 7. Kerberos --
> I don't believe this is working yet and will need to RTFM to figure out how
> to chase it down.
> [root at a10 etc]# ls -alh krb5.conf
> lrwxrwxrwx. 1 root root 32 Apr 21 10:31 krb5.conf ->
> /var/lib/samba/private/krb5.conf
> [root at a10 etc]# klist
> klist: Credentials cache file '/tmp/krb5cc_0' not found
> [root at a10 etc]#
> [root at a10 etc]# kinit administrator at MYDOMAIN.EXAMPLE.COM
> kinit: Cannot find KDC for realm "MYDOMAIN.EXAMPLE.COM" while getting
> initial credentials
> [root at a10 etc]#
OK, you posted this:
It appears necessary to edit the /etc/hosts file and include both of
them in the hosts file:
10.10.10.100 mymachine.example.com mymachine
10.10.10.100 mydomain.example.com mydomain
One of those lines is wrong!
Your kerberos realm *has* to be the same as your DNS domain, so your
machines FQDN would be 'mymachine.mydomain'
i.e. if the hostname of your machine is 'samba' and your domain name
'internal.example.com' & your machines ip is '10.10.10.100', you would
need this line in /etc/hosts:
10.10.10.100 samba.internal.example.com samba
you would need to use the kerberos name 'INTERNAL.EXAMPLE.COM' in
/etc/krb5 and you could use 'INTERNAL' as the workgroup/domain name in
smb.conf, though you could use anything you like.
Rowland
More information about the samba
mailing list