[Samba] Samba4 Kerberos Authentication Error
Marco Shmerykowsky PE
marco at sce-engineers.com
Wed Dec 5 16:33:01 UTC 2018
On 12/5/2018 11:14 AM, Rowland Penny via samba wrote:
> On Wed, 5 Dec 2018 10:56:48 -0500
> Marco Shmerykowsky PE via samba <samba at lists.samba.org> wrote:
>
>>
>> On 12/5/2018 10:37 AM, Marco Shmerykowsky via samba wrote:
>>> On Wed, December 5, 2018 9:52 am, Rowland Penny via samba wrote:
>>>> On Wed, 5 Dec 2018 09:41:13 -0500
>>>> Marco Shmerykowsky via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> I'm trying to setup a Samba4 Active Directory server.
>>>>>
>>>>> I've gotten the server running, the IP addresses resolve
>>>>> properly. The Windows10 client can join the domain.
>>>>> I've run the basic checks that seem to be listed
>>>>> on the samba wiki and get the expected results.
>>>>>
>>>>> I've modified nsswitch.conf to include winbind on the
>>>>> passwd and group lines.
>>>>>
>>>>> I've made sure all machines are pointing to the same
>>>>> NTP server so that time is synched
>>>>>
>>>>> I've created a user using -> samba-tool user create jdoe
>>>>>
>>>>> I've added the computer using -> samba-tool computer create
>>>>> MACHINE01
>>>>>
>>>>> I've created a "test-share" with ownership set to the
>>>>> group "Domain Users":
>>>>>
>>>>> [Test-Share]
>>>>> path = /home/test-share
>>>>> writable = yes
>>>>> create mode = 0770
>>>>> directory mode = 0770
>>>>> guest ok = no
>>>>>
>>>>> When I run Server Manager in Win10 I get an error that
>>>>> states: "Kerberos authentication error"
>>>>>
>>>>> When I try to login with the user, Windows gives me this:
>>>>>
>>>>> "We can't sign you in with this credential because your
>>>>> domain isn't available. Make sure your device is connected
>>>>> to your organization's network and try again."
>>>>>
>>>>> Login authentication didn't seem to work before I
>>>>> added the test-share either.
>>>>>
>>>>> What did I miss?
>>>>>
>>>>
>>>> You missed posting your smb.conf for a start ;-)
>>>>
>>>> Did you actually join the Win10 machine to the domain ?
>>>> Creating it with samba-tool isn't enough.
>>>>
>>>> Rowland
>>>
>>> Smb.conf (domain names made 'generic'):
>>>
>>> # Global parameters
>>> [global]
>>> dns forwarder = 4.2.2.2
>>> netbios name = MACHINE254
>>> realm = INTERNAL.COMPANY.COM
>>> server role = active directory domain controller
>>> workgroup = INTERNAL
>>> idmap_ldb:use rfc2307 = yes
>>>
>>> [netlogon]
>>> path = /var/lib/samba/sysvol/internal.company.com/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /var/lib/samba/sysvol
>>> read only = No
>>>
>>> [Test-Share]
>>> path = /home/test-share
>>> writable = yes
>>> create mode = 0770
>>> directory mode = 0770
>>> guest ok = no
>>>
>>> Windows reported that the machine joined the domain
>>> when I used the windows interface at System
>>> Properties -> Computer Name.
>>>
>>>
>> One more tidbit. I ran the provisioning twice.
>>
>> First time around I used int.company.com and second time around
>> I used internal.company.com. Did that leave contradictory
>> information floating in the system?
>
> No, provided you removed the smb.conf (and the provision would have
> complained if you hadn't), the next provision would wipe the previous
> one.
>
> This does raise a possibility, The REALM has to be the same as the dns
> domain, so what is the dns domain name ?
> easiest way to find out is to open a terminal on the DC and type
> 'hostname -d', if it isn't 'internal.company.com' then you need to
> provision again.
>
> Another possibility is that you do not have winbind installed.
>
> This probably hasn't anything to do with your main problem, but you
> should change your share to this:
>
> [Test-Share]
> path = /home/test-share
> read only = No
>
> When you get your DC working, set the permissions from Windows, see
> here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland
The Realm matches the DNS.
hostname -d returns -> internal.company.com
domain name is internal.company.com
I can ping both internal.company.com and machine254.internal.company.com
both resolve to the IP of MACHINE254
I checked winbind using the commands on the following page & all
returned as expected.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Testing_the_Winbindd_Connectivity
---
This email has been checked for viruses by AVG.
https://www.avg.com
More information about the samba
mailing list