[Samba] Samba4 Kerberos Authentication Error
Marco Shmerykowsky PE
marco at sce-engineers.com
Wed Dec 5 15:56:48 UTC 2018
On 12/5/2018 10:37 AM, Marco Shmerykowsky via samba wrote:
> On Wed, December 5, 2018 9:52 am, Rowland Penny via samba wrote:
>> On Wed, 5 Dec 2018 09:41:13 -0500
>> Marco Shmerykowsky via samba <samba at lists.samba.org> wrote:
>>
>>> I'm trying to setup a Samba4 Active Directory server.
>>>
>>> I've gotten the server running, the IP addresses resolve
>>> properly. The Windows10 client can join the domain.
>>> I've run the basic checks that seem to be listed
>>> on the samba wiki and get the expected results.
>>>
>>> I've modified nsswitch.conf to include winbind on the
>>> passwd and group lines.
>>>
>>> I've made sure all machines are pointing to the same
>>> NTP server so that time is synched
>>>
>>> I've created a user using -> samba-tool user create jdoe
>>>
>>> I've added the computer using -> samba-tool computer create MACHINE01
>>>
>>> I've created a "test-share" with ownership set to the
>>> group "Domain Users":
>>>
>>> [Test-Share]
>>> path = /home/test-share
>>> writable = yes
>>> create mode = 0770
>>> directory mode = 0770
>>> guest ok = no
>>>
>>> When I run Server Manager in Win10 I get an error that
>>> states: "Kerberos authentication error"
>>>
>>> When I try to login with the user, Windows gives me this:
>>>
>>> "We can't sign you in with this credential because your
>>> domain isn't available. Make sure your device is connected
>>> to your organization's network and try again."
>>>
>>> Login authentication didn't seem to work before I
>>> added the test-share either.
>>>
>>> What did I miss?
>>>
>>
>> You missed posting your smb.conf for a start ;-)
>>
>> Did you actually join the Win10 machine to the domain ?
>> Creating it with samba-tool isn't enough.
>>
>> Rowland
>
> Smb.conf (domain names made 'generic'):
>
> # Global parameters
> [global]
> dns forwarder = 4.2.2.2
> netbios name = MACHINE254
> realm = INTERNAL.COMPANY.COM
> server role = active directory domain controller
> workgroup = INTERNAL
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/internal.company.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [Test-Share]
> path = /home/test-share
> writable = yes
> create mode = 0770
> directory mode = 0770
> guest ok = no
>
> Windows reported that the machine joined the domain
> when I used the windows interface at System
> Properties -> Computer Name.
>
>
One more tidbit. I ran the provisioning twice.
First time around I used int.company.com and second time around
I used internal.company.com. Did that leave contradictory
information floating in the system?
---
This email has been checked for viruses by AVG.
https://www.avg.com
More information about the samba
mailing list