[Samba] Samba4 Kerberos Authentication Error

Marco Shmerykowsky PE marco at sce-engineers.com
Wed Dec 5 16:33:01 UTC 2018


On 12/5/2018 11:14 AM, Rowland Penny via samba wrote:
> On Wed, 5 Dec 2018 10:56:48 -0500
> Marco Shmerykowsky PE via samba <samba at lists.samba.org> wrote:
> 
>>
>> On 12/5/2018 10:37 AM, Marco Shmerykowsky via samba wrote:
>>> On Wed, December 5, 2018 9:52 am, Rowland Penny via samba wrote:
>>>> On Wed, 5 Dec 2018 09:41:13 -0500
>>>> Marco Shmerykowsky via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> I'm trying to set up a Samba4 Active Directory server.
>>>>>
>>>>> I've gotten the server running, the IP addresses resolve
>>>>> properly.  The Windows10 client can join the domain.
>>>>> I've run the basic checks that seem to be listed
>>>>> on the samba wiki and get the expected results.
>>>>>
>>>>> I've modified nsswitch.conf to include winbind on the
>>>>> passwd and group lines.
>>>>>
>>>>> I've made sure all machines are pointing to the same
>>>>> NTP server so that time is synched
>>>>>
>>>>> I've created a user using -> samba-tool user create jdoe
>>>>>
>>>>> I've added the computer using -> samba-tool computer create
>>>>> MACHINE01
>>>>>
>>>>> I've created a "test-share" with ownership set to the
>>>>> group "Domain Users":
>>>>>
>>>>> [Test-Share]
>>>>>           path = /home/test-share
>>>>>           writable = yes
>>>>>           create mode = 0770
>>>>>           directory mode = 0770
>>>>>           guest ok = no
>>>>>
>>>>> When I run Server Manager in Win10 I get an error that
>>>>> states: "Kerberos authentication error"
>>>>>
>>>>> When I try to login with the user, Windows gives me this:
>>>>>
>>>>> "We can't sign you in with this credential because your
>>>>> domain isn't available.  Make sure your device is connected
>>>>> to your organization's network and try again."
>>>>>
>>>>> Login authentication didn't seem to work before I
>>>>> added the test-share either.
>>>>>
>>>>> What did I miss?
>>>>>
>>>>
>>>> You missed posting your smb.conf for a start ;-)
>>>>
>>>> Did you actually join the Win10 machine to the domain ?
>>>> Creating it with samba-tool isn't enough.
>>>>
>>>> Rowland
>>>
>>> Smb.conf (domain names made 'generic'):
>>>
>>> # Global parameters
>>> [global]
>>>           dns forwarder = 4.2.2.2
>>>           netbios name = MACHINE254
>>>           realm = INTERNAL.COMPANY.COM
>>>           server role = active directory domain controller
>>>           workgroup = INTERNAL
>>>           idmap_ldb:use rfc2307 = yes
>>>
>>> [netlogon]
>>>           path = /var/lib/samba/sysvol/internal.company.com/scripts
>>>           read only = No
>>>
>>> [sysvol]
>>>           path = /var/lib/samba/sysvol
>>>           read only = No
>>>
>>> [Test-Share]
>>>           path = /home/test-share
>>>           writable = yes
>>>           create mode = 0770
>>>           directory mode = 0770
>>>           guest ok = no
>>>
>>> Windows reported that the machine joined the domain
>>> when I used the windows interface at System
>>> Properties -> Computer Name.
>>>
>>>
>> One more tidbit.  I ran the provisioning twice.
>>
>> First time around I used int.company.com and second time around
>> I used internal.company.com.  Did that leave contradictory
>> information floating in the system?
> 
> No, provided you removed the smb.conf (and the provision would have
> complained if you hadn't), the next provision would wipe the previous
> one.
> 
> This does raise a possibility: the REALM has to be the same as the dns
> domain, so what is the dns domain name?
> Easiest way to find out is to open a terminal on the DC and type
> 'hostname -d', if it isn't 'internal.company.com' then you need to
> provision again.
> 
> Another possibility is that you do not have winbind installed.
> 
> This probably hasn't anything to do with your main problem, but you
> should change your share to this:
> 
> [Test-Share]
>      path = /home/test-share
>      read only = No
> 
> When you get your DC working, set the permissions from Windows, see
> here:
> 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> 
> Rowland


The Realm matches the DNS.

hostname -d returns -> internal.company.com

domain name is internal.company.com

I can ping both internal.company.com and machine254.internal.company.com;
both resolve to the IP of MACHINE254.

I checked winbind using the commands on the following page & all
returned as expected.

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Testing_the_Winbindd_Connectivity
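
Added example, not part of the original message or of Samba itself: a shell check for the point raised in Rowland's reply, that the `realm` in smb.conf has to equal the DC's DNS domain (`hostname -d`), compared without regard to case. The function names and the sample file are constructed here from the generic values posted in the thread.

```shell
#!/bin/sh
# Print the "realm" value from the [global] section of an smb.conf file.
smbconf_realm() {
    awk '
        /^[ \t]*[#;]/ { next }                    # comment line
        /^[ \t]*\[/ {                             # section header
            sec = tolower($0)
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            next
        }
        sec == "global" && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", key)                # names ignore case and spaces
            if (key != "realm") next
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val; exit
        }
    ' "$1"
}

# Return 0 when the realm equals the DNS domain (case-insensitive),
# 1 on mismatch, 2 when no realm is set. $2 defaults to `hostname -d`.
realm_matches_dns() {
    realm=$(smbconf_realm "$1")
    dns=${2:-$(hostname -d)}
    [ -n "$realm" ] || { echo "no realm in [global] of $1" >&2; return 2; }
    r=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    d=$(printf '%s' "$dns" | tr '[:upper:]' '[:lower:]')
    if [ "$r" = "$d" ]; then
        echo "OK: realm $realm matches DNS domain $dns"
    else
        echo "MISMATCH: realm $realm vs DNS domain $dns" >&2
        return 1
    fi
}

# Constructed sample: part of the [global] section posted in the thread.
sample_conf() {
    printf '%s\n' '# Global parameters' '[global]' \
        '        netbios name = MACHINE254' \
        '        realm = INTERNAL.COMPANY.COM' \
        '        workgroup = INTERNAL' '' \
        '[Test-Share]' '        path = /home/test-share'
}

conf=$(mktemp)
sample_conf > "$conf"
realm_matches_dns "$conf" internal.company.com
realm_matches_dns "$conf" int.company.com || echo "provision again with the right domain"
rm -f "$conf"
```

On a real DC, call `realm_matches_dns /etc/samba/smb.conf` with no second argument so the comparison uses the live `hostname -d` output; the smb.conf path is an assumption and varies by distribution and build.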
