[Samba] Samba 4.4.2 as AD server: clients OK but server fails "wbinfo -K"
Gerben Roest
g.roest at grepit.nl
Thu Apr 21 08:50:48 UTC 2016
On 21-04-16 09:33, Rowland Penny wrote:
> On 20/04/16 22:24, Gerben Roest wrote:
>> I have set up a samba 4.4.2 AD server, and it works fine for its Windows
>> and Linux clients. Only the server itself behaves peculiarly:
>>
>> Linux accounts show up as DOMAIN\username (in prompt and with whoami),
>> on all Linux clients the user accounts are normal (just their username),
>>
>> and only on the server "wbinfo -K username" fails. On the clients it
>> works. The server complains about that:
>>
>> 22:59:54 root at sambaserver:samba# wbinfo --verbose -K john
>> Enter john's password:
>> plaintext kerberos password authentication for [john] failed (requesting
>> cctype: FILE)
>> wbcLogonUser(john): error code was NT_STATUS_CONNECTION_DISCONNECTED
>> (0xc000020c)
>> error message was: The transport connection is now disconnected.
>> Could not authenticate user [john] with Kerberos (ccache: FILE)
>>
>> The error in /usr/local/samba-4-4/var/log.wb-DOMAIN is:
>>
>> [2016/04/20 23:00:04.704273, 1]
>> ../source3/librpc/crypto/gse_krb5.c:416(fill_mem_keytab_from_system_keytab)
>>
>> ../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed
>> (No such file or directory)
>> [2016/04/20 23:00:04.704321, 0] ../lib/util/fault.c:78(fault_report)
>> ===============================================================
>> [2016/04/20 23:00:04.704369, 0] ../lib/util/fault.c:79(fault_report)
>> INTERNAL ERROR: Signal 11 in pid 8564 (4.4.2)
>> Please read the Trouble-Shooting section of the Samba HOWTO
>> [2016/04/20 23:00:04.704427, 0] ../lib/util/fault.c:81(fault_report)
>> ===============================================================
>> [2016/04/20 23:00:04.704476, 0] ../source3/lib/util.c:791(smb_panic_s3)
>> PANIC (pid 8564): internal error
>>
>>
>> Any ideas?
>>
>> thanks
>>
>> Gerben
>>
>
> Works for me, can you post your smb.conf from the DC?

Yes, here it is:

[global]
netbios name = SAMBASERVER
realm = AD.DOMAIN.NL
workgroup = DOMAIN
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
template homedir = /home/%U
dns forwarder = 8.8.8.8
kerberos method = secrets and keytab
dedicated keytab file = /usr/local/samba-4.4/private/secrets.keytab
log level = 1
follow symlinks = true
wide links = yes
unix extensions = no
winbind use default domain = yes
logon script = netlogon.bat
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

The clients have this:

[global]
workgroup = DOMAIN
security = ADS
realm = AD.DOMAIN.NL
idmap config *: backend = tdb
idmap config *: range = 100000-200000
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 500-30000
idmap config DOMAIN : default = yes
idmap config DOMAIN : schema mode = rfc2307
winbind nss info = rfc2307
allow trusted domains = no
kerberos method = secrets and keytab
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
template shell = /bin/bash
template homedir = /home/%U
password server = 192.168.10.36
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0

I have added the 7 lines from the client from idmap config until winbind
nss to the server's smb.conf, but that didn't help.

thanks, best regards

Gerben
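
Added example, not part of the original message or of Samba's code: the `krb5_kt_start_seq_get failed (No such file or directory)` entry is logged from `fill_mem_keytab_from_system_keytab`, so this sketch reads `kerberos method` and `dedicated keytab file` from an smb.conf and reports whether the keytab that setting selects exists on disk. The method-to-keytab mapping follows smb.conf(5); the function names and the `/etc/krb5.keytab` default (no `KRB5_KTNAME` override) are assumptions.

```python
import os

# Which `kerberos method` values consult the system keytab, per smb.conf(5).
SYSTEM_METHODS = {"system keytab", "secrets and keytab"}
# Assumption: MIT krb5 default location, not overridden by KRB5_KTNAME.
DEFAULT_SYSTEM_KEYTAB = "/etc/krb5.keytab"


def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict.

    Samba ignores case and whitespace in parameter names, so keys are
    normalised to lower case with all whitespace removed.
    """
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.lower().split())] = value.strip()
    return params


def keytab_in_use(params, system_keytab=DEFAULT_SYSTEM_KEYTAB):
    """Return the keytab path the configured method reads, or None."""
    method = " ".join(params.get("kerberosmethod", "default").lower().split())
    if method in SYSTEM_METHODS:
        return system_keytab
    if method == "dedicated keytab":
        return params.get("dedicatedkeytabfile") or None
    return None  # "default" / "secrets only": secrets.tdb only, no keytab


def check_keytab(conf_text, system_keytab=DEFAULT_SYSTEM_KEYTAB):
    """Return (path, exists) for the keytab selected by conf_text."""
    path = keytab_in_use(parse_global(conf_text), system_keytab)
    return path, (path is not None and os.path.isfile(path))


# Constructed sample: the two keytab-related lines from the DC's smb.conf.
SAMPLE = """[global]
kerberos method = secrets and keytab
dedicated keytab file = /usr/local/samba-4.4/private/secrets.keytab
"""

if __name__ == "__main__":
    print(check_keytab(SAMPLE))
```

With `kerberos method = secrets and keytab` the path returned is the system keytab, not the file named by `dedicated keytab file`, which smb.conf(5) documents as used only when the method is `dedicated keytab`.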