[Samba] Samba4 Kerberos Authentication Error

Marco Shmerykowsky PE marco at sce-engineers.com
Wed Dec 5 15:56:48 UTC 2018


On 12/5/2018 10:37 AM, Marco Shmerykowsky via samba wrote:
> On Wed, December 5, 2018 9:52 am, Rowland Penny via samba wrote:
>> On Wed, 5 Dec 2018 09:41:13 -0500
>> Marco Shmerykowsky via samba <samba at lists.samba.org> wrote:
>>
>>> I'm trying to set up a Samba4 Active Directory server.
>>>
>>> I've gotten the server running, the IP addresses resolve
>>> properly.  The Windows10 client can join the domain.
>>> I've run the basic checks that seem to be listed
>>> on the samba wiki and get the expected results.
>>>
>>> I've modified nsswitch.conf to include winbind on the
>>> passwd and group lines.
>>>
>>> I've made sure all machines are pointing to the same
>>> NTP server so that time is synched
>>>
>>> I've created a user using -> samba-tool user create jdoe
>>>
>>> I've added the computer using -> samba-tool computer create MACHINE01
>>>
>>> I've created a "test-share" with ownership set to the
>>> group "Domain Users":
>>>
>>> [Test-Share]
>>>          path = /home/test-share
>>>          writable = yes
>>>          create mode = 0770
>>>          directory mode = 0770
>>>          guest ok = no
>>>
>>> When I run Server Manager in Win10 I get an error that
>>> states: "Kerberos authentication error"
>>>
>>> When I try to log in with the user, Windows gives me this:
>>>
>>> "We can't sign you in with this credential because your
>>> domain isn't available.  Make sure your device is connected
>>> to your organization's network and try again."
>>>
>>> Login authentication didn't seem to work before I
>>> added the test-share either.
>>>
>>> What did I miss?
>>>
>>
>> You missed posting your smb.conf for a start ;-)
>>
>> Did you actually join the Win10 machine to the domain?
>> Creating it with samba-tool isn't enough.
>>
>> Rowland
> 
> Smb.conf (domain names made 'generic'):
> 
> # Global parameters
> [global]
>          dns forwarder = 4.2.2.2
>          netbios name = MACHINE254
>          realm = INTERNAL.COMPANY.COM
>          server role = active directory domain controller
>          workgroup = INTERNAL
>          idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
>          path = /var/lib/samba/sysvol/internal.company.com/scripts
>          read only = No
> 
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> 
> [Test-Share]
>          path = /home/test-share
>          writable = yes
>          create mode = 0770
>          directory mode = 0770
>          guest ok = no
> 
> Windows reported that the machine joined the domain
> when I used the windows interface at System
> Properties -> Computer Name.
> 
> 
One more tidbit.  I ran the provisioning twice.

First time around I used int.company.com and second time around
I used internal.company.com.  Did that leave contradictory
information floating in the system?
