[Samba] Samba AD 4.8.3 Windows Server 2016 Active Directory Users and Computers: The procedure number is out of range
Rowland Penny
rpenny at samba.org
Wed Jul 18 15:53:53 UTC 2018
On Wed, 18 Jul 2018 17:25:51 +0200
Thomas Glanzmann via samba <samba at lists.samba.org> wrote:
> Hello,
> I try to connect with Active Directory Users and Computers from a
> W2k16 to a Samba 4.8.3 DC. I get the following error message:
>
> https://thomas.glanzmann.de/static/63a3e0ba-8a9d-11e8-891f-f3ff022aacb0/screenshot-x1-2018-07-18-17_12_49.png
>
> ---------------------------
> Active Directory Domain Services
> ---------------------------
> Naming information cannot be located because:
>
> The procedure number is out of range.
>
> Contact your system administrator to verify that your domain is
> properly configured and is currently online.
> --------------------------- OK
> ---------------------------
>
> In the logs with debug level 3 I don't see anything. My Samba Config
> and setup script is here, my logs as well:
>
> https://thomas.glanzmann.de/static/63a3e0ba-8a9d-11e8-891f-f3ff022aacb0/
Your smb.conf is up the spout, there is a number of things wrong with
it.
These are okay:
[global]
netbios name = ad
server role = ACTIVE DIRECTORY DOMAIN CONTROLLER
workgroup = V101
realm = V101.TUVL.DE
interfaces = 10.101.0.1
bind interfaces only = yes
lock directory = /local/samba-config/v101/lock
cache directory = /local/samba-config/v101/cache
pid directory = /local/samba-config/v101/pid
private dir = /local/samba-config/v101/private
state directory = /local/samba-config/v101/state
log file = /local/samba-config/v101/log/%m
These shouldn't be set or are defaults:
name resolve order = host
time server = yes
passdb backend = tdbsam
security = user
domain logons = yes
log level = 3
os level = 64
preferred master = yes
local master = yes
domain master = yes
tls keyfile = key.pem
tls certfile = cert.pem
tls cafile = ca.pem
This is definitely wrong:
dns forwarder = 127.0.0.1
You do not forward to itself.
This is all 'netlogon' needs:
[netlogon]
comment = Domain Logon Service
path = /local/samba-config/v101/netlogon
read only = no
It doesn't need these:
valid users = %U
admin users = Administrator
browseable = no
guest ok = yes
locking = no
'sysvol' is okay except it needs to be writeable.
You also do not set the maximum password age with pdbedit.
>
> But what I really would like to do is enable the following:
>
> https://livelibrary.osisoft.com/LiveLibrary/content/en/vision-v1/GUID-799220A0-4967-45CE-A592-45E3FC10C752#addHistory=true&filename=GUID-4B33BAFA-A923-4550-B3DC-CAD83E3C0587.xml&docid=GUID-799220A0-4967-45CE-A592-45E3FC10C752&inner_id=&tid=&query=&scope=&resource=&toc=false&eventType=lcContent.loadDocGUID-799220A0-4967-45CE-A592-45E3FC10C752
>
> Setup delegation for a machine account 'Trust this computer for
> delegation to any service (Kerberos only)'. Is there a way to do this
> from the command line? For the user account I think that, I found it:
>
> (infra) [/local/samba-config/v101] / /local/samba/bin/samba-tool
> delegation for-any-protocol
> -s /home/sithglan/work/scripts/lab/output/smb-v101.conf Administrator
> on ldb_wrap open of secrets.ldb (infra)
> [/local/samba-config/v101] / /local/samba/bin/samba-tool delegation
> for-any-service
> -s /home/sithglan/work/scripts/lab/output/smb-v101.conf Administrator
> on (infra) [/local/samba-config/v101] / /local/samba/bin/samba-tool
> delegation show
> -s /home/sithglan/work/scripts/lab/output/smb-v101.conf Administrator
>
> Note, my goal is to run 9 different active directory domains in
> different VLANs, so far I succeeded. And with samba my setup time
> went down from 10 minutes to 15 seconds. I'm setting up Active
> Directory Domains for training environments on a regular basis (once
> a week).
>
> I'm grateful for any pointers.
Yes try reading up on Samba AD more before trying to train others on
how to use it. ;-)
Rowland
More information about the samba
mailing list