[Samba] Cannot authenticate the administrator account
rowlandpenny at googlemail.com
Wed Apr 29 09:33:51 MDT 2015
On 29/04/15 16:05, Mike wrote:
> Louis and Rowland -- thank you, Gents!
> Making progress.
> Kerberos is operational and handing out tickets, but I was only able
> to test using:
> kinit administrator at EXAMPLE.COM <mailto:administrator at EXAMPLE.COM>
> vs. the Samba AD DC HOWTO: administrator at SAMDOM.EXAMPLE.COM
> <mailto:administrator at SAMDOM.EXAMPLE.COM>
The samba howto, is just that, a howto. It is not meant to be followed
to the exact letter.
Before you start to use the howto, you need to know what dns domain to
use, if you have a registered dns domain, it is not recommended to use
this, because if you do, your AD DCs & clients may be resolvable from
the internet. You are recommended to use a sub domain
i.e. if your registered domain is 'example.com', you would use
'internal.example.com' or 'samdom.example.com' or
Once you have decide what your dns domain is going to be called, you
must set the machine that the DC is going to be provisioned on, to use
this domain, give it a fixed ip, set /etc/hosts, make sure that
'hostname -f' returns the correct FQDN and 'hostname -s' returns just
the short hostname.
Once you are sure that the machine knows who it is and where it lives
:-) , you can provision the domain with samba-tool using the DNS domain
as the realm name, the realm name *must* be the uppercase DNS name!
Now having said all this, it seems that the machines DNS name is
'internal.example.com' and the AD DC is using 'example.com'
If the machine you ran the tests on is the DC, it seems that this may be
> - - - - - - - - - - - - - - - - - - - - - - -
> Per Rowland's dns naming example - my hostname output:
> ~]# hostname -s
> ~]# hostname -f
> samba.internal.example.com <http://samba.internal.example.com>
> ~]# hostname -d
> internal.example.com <http://internal.example.com>
> But, this appears incorrect:
> ~]# host -t SRV _ldap._tcp.example.com <http://tcp.example.com>
> _ldap._tcp.example.com <http://tcp.example.com> has SRV record 0 100
> 389 samba.example.com <http://samba.example.com>.
> ~]# host -t SRV _ldap._tcp.internal.example.com
> Host _ldap._tcp.internal.example.com <http://tcp.internal.example.com>
> not found: 3(NXDOMAIN)
> ~]# host -t SRV _ldap._tcp.samba.internal.example.com
> Host _ldap._tcp.samba.internal.example.com
> <http://tcp.samba.internal.example.com> not found: 3(NXDOMAIN)
> ~]# host -t SRV _ldap._tcp.samba.example.com
> Host _ldap._tcp.samba.example.com <http://tcp.samba.example.com> not
> found: 3(NXDOMAIN)
> - - - - - - - - - - - - - - - - - - - - - - - -
> The same results as above when tesing:
> ~]# host -t SRV _kerberos._udp.example.com <http://udp.example.com>
> _kerberos._udp.mwllc.info <http://udp.mwllc.info> has SRV record 0 100
> 88 samba.example.com <http://samba.example.com>.
> and the other combinations report "not found: 3 (NXDOMAIN)
> Did I simply provision the REALM or domain incorrectly from the start?
> testparm -v output shows I provided the following:
> workgroup = INTERNAL
> realm = EXAMPLE.COM <http://EXAMPLE.COM>
> netbios name = SAMBA
More information about the samba