[Samba] Samba4 Kerberos Authentication Error
Marco Shmerykowsky PE
marco at sce-engineers.com
Wed Dec 5 15:56:48 UTC 2018
On 12/5/2018 10:37 AM, Marco Shmerykowsky via samba wrote:
> On Wed, December 5, 2018 9:52 am, Rowland Penny via samba wrote:
>> On Wed, 5 Dec 2018 09:41:13 -0500
>> Marco Shmerykowsky via samba <samba at lists.samba.org> wrote:
>>> I'm trying to setup a Samba4 Active Directory server.
>>> I've gotten the server running, the IP addresses resolve
>>> properly. The Windows10 client can join the domain.
>>> I've run the basic checks that seem to be listed
>>> on the samba wiki and get the expected results.
>>> I've modified nsswitch.conf to include winbind on the
>>> passwd and group lines.
>>> I've made sure all machines are pointing to the same
>>> NTP server so that time is synched
>>> I've created a user using -> samba-tool user create jdoe
>>> I've added the computer using -> samba-tool computer create MACHINE01
>>> I've created a "test-share" with ownership set to the
>>> group "Domain Users":
>>> path = /home/test-share
>>> writable = yes
>>> create mode = 0770
>>> directory mode = 0770
>>> guest ok = no
>>> When I run Server Manager in Win10 I get an error that
>>> states: "Kerberos authentication error"
>>> When I try to login with the user, Windows gives me this:
>>> "We can't sign you in with this credential because your
>>> domain isn't available. Make sure your device is connected
>>> to your organization's network and try again."
>>> Login authentication didn't seem to work before I
>>> added the test-share either.
>>> What did I miss?
>> You missed posting your smb.conf for a start ;-)
>> Did you actually join the Win10 machine to the domain ?
>> Creating it with samba-tool isn't enough.
> Smb.conf (domain names made 'generic'):
> # Global parameters
> dns forwarder = 22.214.171.124
> netbios name = MACHINE254
> realm = INTERNAL.COMPANY.COM
> server role = active directory domain controller
> workgroup = INTERNAL
> idmap_ldb:use rfc2307 = yes
> path = /var/lib/samba/sysvol/internal.company.com/scripts
> read only = No
> path = /var/lib/samba/sysvol
> read only = No
> path = /home/test-share
> writable = yes
> create mode = 0770
> directory mode = 0770
> guest ok = no
> Windows reported that the machine joined the domain
> when I used the windows interface at System
> Properties -> Computer Name.
One more tidbit. I ran the provisioning twice.
First time around I used int.company.com and second time around
I used internal.company.com. Did that leave contradictory
information floating in the system?
This email has been checked for viruses by AVG.
More information about the samba