[Samba] Samba4 Kerberos Authentication Error

Marco Shmerykowsky marco at sce-engineers.com
Wed Dec 5 15:37:49 UTC 2018


On Wed, December 5, 2018 9:52 am, Rowland Penny via samba wrote:
> On Wed, 5 Dec 2018 09:41:13 -0500
> Marco Shmerykowsky via samba <samba at lists.samba.org> wrote:
>
>> I'm trying to set up a Samba4 Active Directory server.
>>
>> I've gotten the server running, the IP addresses resolve
>> properly.  The Windows10 client can join the domain.
>> I've run the basic checks that seem to be listed
>> on the samba wiki and get the expected results.
>>
>> I've modified nsswitch.conf to include winbind on the
>> passwd and group lines.
>>
>> I've made sure all machines are pointing to the same
>> NTP server so that time is synched.
>>
>> I've created a user using -> samba-tool user create jdoe
>>
>> I've added the computer using -> samba-tool computer create MACHINE01
>>
>> I've created a "test-share" with ownership set to the
>> group "Domain Users":
>>
>> [Test-Share]
>>         path = /home/test-share
>>         writable = yes
>>         create mode = 0770
>>         directory mode = 0770
>>         guest ok = no
>>
>> When I run Server Manager in Win10 I get an error that
>> states: "Kerberos authentication error"
>>
>> When I try to log in with the user, Windows gives me this:
>>
>> "We can't sign you in with this credential because your
>> domain isn't available.  Make sure your device is connected
>> to your organization's network and try again."
>>
>> Login authentication didn't seem to work before I
>> added the test-share either.
>>
>> What did I miss?
>>
>
> You missed posting your smb.conf for a start ;-)
>
> Did you actually join the Win10 machine to the domain ?
> Creating it with samba-tool isn't enough.
>
> Rowland

Smb.conf (domain names made 'generic'):

# Global parameters
[global]
        dns forwarder = 4.2.2.2
        netbios name = MACHINE254
        realm = INTERNAL.COMPANY.COM
        server role = active directory domain controller
        workgroup = INTERNAL
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/internal.company.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[Test-Share]
        path = /home/test-share
        writable = yes
        create mode = 0770
        directory mode = 0770
        guest ok = no

Windows reported that the machine joined the domain
when I used the windows interface at System
Properties -> Computer Name.



