[Samba] SOLVED(approximative?): Difficulties with Windows XP: failed to find cifs/fileserver.y.z at Y.Z in keytab (arcfour-hmac-md5)

Rowland Penny rpenny at samba.org
Tue Jan 17 11:52:22 UTC 2017


On Tue, 17 Jan 2017 03:32:46 -0800 (PST)
rawi via samba <samba at lists.samba.org> wrote:

> Samba - General mailing list wrote
> > On Tue, 17 Jan 2017 03:03:28 -0800 (PST)
> > rawi via samba <samba at lists.samba.org> wrote:
> > 
> >> Samba - General mailing list wrote
> >> 
> >> Rowland, thank you
> >> 
> >> Please note the comments starting with two '#'. They give info
> >> about erroneous behavior I encountered.
> >> 
> >> The manual says that "domain master = auto" means "NO", if "domain
> >> logons = NO" and this is default.
> >> Please note also the behavior of "hosts allow ... except" on the
> >> AD-DC
> >> 
> >> here it comes...
> >> 
> >> root at hg-dc1:/etc/samba# cat smb.conf
> >> ## Global parameters
> >> [global]
> >>         workgroup = HUMGEN
> >>         realm = HUMGEN.0ZONE
> >>         netbios name = HG-DC1
> >>         server role = active directory domain controller
> >>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> >> drepl, winbindd, ntp_signd, kcc
> >> #dnsupdate
> >> ## all dns and dhcp is static for humgen.0zone and
> >> _msdcs.humgen.0zone ## and contains all I have, inclusive printer
> >> and lab devices, which are not in the domain
> >> ## all dns tests are positive and all clients get DNS
> >> 
> >>         idmap_ldb:use rfc2307 = yes
> >>         dns-nameservers 127.0.0.1
> >> 
> >>         tls enabled  = yes
> >>         tls keyfile  = tls/myKey.pem
> >>         tls certfile = tls/myCert.pem
> >>         tls cafile   = 
> >> 
> >> ## WITHOUT THIS no old WindowsXP will find the AD-DC to join, 
> >> ## even if I've already set the IP of the wins server to the AD-DC
> >> in numerical form
> >> ## Error is, that no SRV record could be found for the domain. BUT
> >> nslookup shows manually all needed
> >> ## After the join, WindowsXP seems to stay joined and allow further
> >> login ## EVEN if I take these configs back
> >> #domain logons = yes
> >> #domain master = yes
> >> #local master = yes
> >> 
> >> ## hosts allow on AD-DC breaks everything. 
> >> ## No more wbinfo on the DC, no more id or getent passwd on the
> >> domain member
> >> ## BUG?
> >> #hosts allow = X.Y.Z.0/255.255.255.0 localhost EXCEPT X.Y.Z.123
> >> 
> >> ## don't show the shares
> >> browseable = no
> >> 
> >> map to guest = never
> >> 
> >> ## allow no local caching of data on the client
> >> csc policy = disable
> >> 
> >> hide unreadable = yes
> >> hide dot files = no
> >> 
> >> ## new session kills possible old connection from the same IP.
> >> Avoids lock on files by old connections
> >> reset on zero vc = yes
> >> 
> >> [netlogon]
> >>         path = /var/lib/samba/sysvol/humgen.0zone/scripts
> >>         read only = Yes
> >> 
> >> [sysvol]
> >>         path = /var/lib/samba/sysvol
> >>         read only = No
> >> 
> >> <<<<< smb.conf AD-DC END
> >> 
> >> And now as a side note and deja vu for me, look what I wrote in the
> >> old smb.conf (still working since 2009) for an NT domain with
> >> Samba/smbd version 3.4.0 :)
> >> 
> >> ## samba accepts no new computer in the domain if this
> >> ## browse options equals NO ?!
> >> preferred master = yes
> >> local master = yes
> >> domain master = yes
> >> 
> >> Regards
> >> rawi
> > 
> > OK, first question, are you using BIND9_DLZ on the DC ?
> > 
> > Rowland
> 
> NO BIND9_DLZ, no dns updates.
> 
> As mentioned (commented) in the config: all dns comes from bind9 from
> static zones containing all I have and supplementary all records
> samba AD-DC would need (SOA for _msdcs and its objects etc.).
> 
> The newer Windows versions (7 and 8.1) are doing perfectly.
> 
> rawi
> 
> 
> 

And there is your problem: AD lives (or dies) on DNS, unlike NT. You
have this line 'dns-nameservers 127.0.0.1' in your smb.conf. It is
useless: it is pointing to itself, and you are not running a dns
server. Even if you were running a dns server, it shouldn't point to
itself.

There are those that say you can run a Samba AD DC in the way you are
trying, but that way is not supported.

You need to run a dns server on the DC and point anything outside the
AD domain to another dns server.

Supported DNS servers are the internal DNS server or Bind9 with dlz.

I suggest you go and read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Rowland
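The points Rowland makes (an AD DC has to serve its own DNS, either with the internal server plus a forwarder or with BIND9_DLZ, and a resolver directive pasted into smb.conf is not a Samba parameter) can be turned into a small config check. The script below is an added example, not Samba's own tooling or anything from the thread; both sample configs are constructed fragments modelled on the one quoted above, with placeholder realm, host names and addresses (192.0.2.0/24 is the RFC 5737 documentation range).

```python
"""Lint an smb.conf for the AD DC DNS pitfalls discussed in this thread.

Added example, not Samba's own tooling. Both sample configs are constructed
fragments modelled on the one quoted above; realm, host names and addresses
are placeholders (192.0.2.0/24 is the RFC 5737 documentation range).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: an AD DC that carries a stray resolvconf-style directive
# ("dns-nameservers ...") and runs neither the internal DNS server nor bind.
SAMPLE_BROKEN = """\
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.TEST
        netbios name = DC1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc
        idmap_ldb:use rfc2307 = yes
        dns-nameservers 127.0.0.1

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
"""

# Constructed sample: the same DC using the internal DNS server and forwarding
# everything outside the AD zone to another resolver.
SAMPLE_FIXED = """\
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.TEST
        netbios name = DC1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dns
        dns forwarder = 192.0.2.53
        idmap_ldb:use rfc2307 = yes
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_smb_conf(text: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Parse smb.conf into {section: {param: value}} plus a list of malformed lines.

    Parameters are 'name = value'; Samba compares names case-insensitively and
    ignores whitespace in them, which this mirrors by lower-casing and collapsing
    spaces. A line with no '=' is not a parameter and is reported, not dropped.
    """
    sections: Dict[str, Dict[str, str]] = {"global": {}}
    malformed: List[str] = []
    current = "global"  # parameters before any [section] header belong to [global]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            malformed.append(f"line {lineno}: not a 'name = value' parameter: {line!r}")
            continue
        name, _, value = line.partition("=")
        key = re.sub(r"\s+", " ", name.strip().lower())
        sections[current][key] = value.strip()
    return sections, malformed


def check_dc_dns(text: str) -> List[str]:
    """Return DNS-related findings for an AD DC config (empty list = nothing found).

    Rules, taken from the reply above: a DC must serve DNS itself, with the
    internal server ('dns' in 'server services', plus 'dns forwarder' for names
    outside the domain) or with BIND9 and the Samba DLZ module; and a
    'dns-nameservers' line is an /etc/network/interfaces directive, not smb.conf.
    """
    sections, malformed = parse_smb_conf(text)
    findings = list(malformed)
    for entry in malformed:
        if "dns-nameservers" in entry:
            findings.append(
                "'dns-nameservers' is an /etc/network/interfaces (resolvconf) directive, "
                "not an smb.conf parameter; Samba does not recognise it"
            )
    g = sections["global"]
    if "active directory domain controller" not in g.get("server role", "").lower():
        return findings  # the remaining rules apply to DCs only
    services = [s.strip().lower() for s in g.get("server services", "").split(",") if s.strip()]
    if services and "dns" not in services:
        findings.append(
            "'dns' is not in 'server services': the internal DNS server is off, so this DC "
            "only works if it was provisioned with BIND9_DLZ and named loads the Samba DLZ module"
        )
    elif "dns forwarder" not in g:
        findings.append(
            "internal DNS server enabled but no 'dns forwarder': queries for names outside "
            "the AD domain have nowhere to go"
        )
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(f"{label}: {check_dc_dns(conf) or ['no DNS findings']}")
```

Run against the broken sample it reports the malformed line, explains where that directive actually belongs, and notes that with 'dns' absent from 'server services' the DC depends on an external BIND9_DLZ setup; the fixed sample passes clean. An absent 'server services' line is treated as the default, which includes the internal DNS server, so only the forwarder rule applies to it.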


