[Samba] Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...

Andrzej Gryko andrzej.gryko at gmail.com
Sat Jul 28 11:08:55 UTC 2018


I installed:
Linux samba 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64
GNU/Linux
samba:
Version 4.5.12-Debian

next

change in fstab:
/ ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1

apt-get install smbclient krb5-user  bind9 attr libpam-winbind libpam-krb5
libnss-winbind krb5-config ntp bind9utils

While configuring Kerberos - default Kerberos version realm: gryko.org,
kerberos servers: *none* (also tried samba.gryko.org), administrative
server: *none*

samba-tool domain provision: gryko.org, gryko, dc, bind9_dlz (also tried
samba internal)

My smb.conf:

[global]
        netbios name = SAMBA
        realm = GRYKO.ORG
        workgroup = GRYKO
        server role = active directory domain controller
#       os level = 64
[netlogon]
        path = /var/lib/samba/sysvol/gryko.org/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
[homes]
        comment = Katalog domowy
        read only = No
        browseable = No
        valid users = %S

/etc/krb5.conf:
[libdefaults]
        default_realm = GRYKO.ORG
        dns_lookup_realm = false
        dns_lookup_kdc = true

/etc/bind/named.conf.options:
options {
        directory "/var/cache/bind";
       forwarders {
                8.8.8.8;
                8.8.4.4;
        };
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on port 53 { any; };
        allow-query { any; };
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

/etc/bind/named.conf.local
include "/var/lib/samba/private/named.conf";

/etc/resolv.conf
domain gryko.org
search gryko.org
nameserver 172.22.93.70 (router) - also tried itself

/etc/hosts
127.0.0.1       localhost
127.0.1.1       samba.gryko.org samba
172.22.93.74    samba.gryko.org samba

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

smbclient \\\\172.22.93.74\\sysvol -U administrator - works properly - for
different users too.

smbclient -L localhost -U agryko
Enter agryko's password:
Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            SAMBA
(cannot login as 'agryko' from windows to the domain)



Did I forget about something? Maybe I should try to test domain from
console?

Best regards
Andrzej



Fri, 27 Jul 2018 at 23:04 Rowland Penny via samba <samba at lists.samba.org>
wrote:

> On Fri, 27 Jul 2018 22:59:16 +0200
> Andrzej Gryko <andrzej.gryko at gmail.com> wrote:
>
> > There is no selinux, apparmor in running processes, and I didn't touch
> > linux firewall, so it is turned off.
> >
> > Andrzej
> >
> > Fri, 27 Jul 2018 at 10:14 Rowland Penny <rpenny at samba.org> wrote:
> >
> > > On Thu, 26 Jul 2018 23:03:19 +0200
> > > Andrzej Gryko via samba <samba at lists.samba.org> wrote:
> > >
> > > > I found the problem. I can login as administrator, but not as
> > > > different user - I add different users by "samba-tool user add" or
> > > > smbpasswd and it's the same.
> > > >
> > >
> > > No, you have found a further problem ;-)
> > >
> > > The correct command to create a user in Samba AD is 'samba-tool user
> > > create'. You do not use 'smbpasswd' to create an AD user.
> > >
> > > Can we check a few things:
> > >
> > > You have installed Samba packages capable of being an AD DC (I say
> > > capable because red-hat distros, except the latest Fedora, cannot be
> > > AD DC's)
> > >
> > > You have provisioned it correctly
> > >
> > > You have set up the DC OS correctly
> > >
> > > You have joined the windows machine to the domain
> > >
> > > If all the above is correct, it should work, if it doesn't, check if
> > > Selinux, Apparmor or a firewall is getting in the way.
> > >
> > > If after all of the above is checked and it still doesn't work, then
> > > we are going to have to walk through setting a Samba DC, hopefully
> > > this should show what is wrong ;-)
> > >
> > > Rowland
> > >
> > >
>
> Can you please answer the questions:
>
> What Samba packages are you using ?
>
> How did you provision the Samba AD DC ?
>
> Have you joined the Windows machine to the domain and if so, how and
> with what user ?
>
> Rowland
>
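
Added example, not part of the original thread: a Python check for the "DC OS set up correctly" item in Rowland's list, run over the /etc/hosts and /etc/resolv.conf contents from the post. It assumes the usual Samba AD DC expectations that the DC's FQDN maps to its LAN address rather than a loopback address and that the DC's first nameserver is the DC itself; the function names and finding codes are hypothetical.

```python
import ipaddress

# Constructed sample input: the /etc/hosts and /etc/resolv.conf entries from the post.
HOSTS = """\
127.0.0.1       localhost
127.0.1.1       samba.gryko.org samba
172.22.93.74    samba.gryko.org samba
::1     localhost ip6-localhost ip6-loopback
"""
RESOLV = """\
domain gryko.org
search gryko.org
nameserver 172.22.93.70
"""

def _fields(text):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields

def addresses_for(hosts_text, name):
    """All addresses that /etc/hosts maps `name` to, in file order."""
    name = name.lower()
    return [ipaddress.ip_address(f[0]) for f in _fields(hosts_text)
            if name in (n.lower() for n in f[1:])]

def nameservers(resolv_text):
    """Addresses on the `nameserver` lines of resolv.conf, in file order."""
    return [ipaddress.ip_address(f[1]) for f in _fields(resolv_text)
            if f[0] == "nameserver" and len(f) > 1]

def check_dc_host(hosts_text, resolv_text, fqdn, dc_ip):
    """Return finding codes (hypothetical names) for the DC's own name resolution."""
    dc_ip = ipaddress.ip_address(dc_ip)
    findings = []
    mapped = addresses_for(hosts_text, fqdn)
    if any(ip.is_loopback for ip in mapped):
        findings.append("hosts-fqdn-on-loopback")
    if dc_ip not in mapped:
        findings.append("hosts-fqdn-missing-lan-ip")
    servers = nameservers(resolv_text)
    if not servers or servers[0] != dc_ip:
        findings.append("resolv-first-nameserver-not-dc")
    return findings

if __name__ == "__main__":
    for code in check_dc_host(HOSTS, RESOLV, "samba.gryko.org", "172.22.93.74"):
        print(code)
```

An empty result means the host files meet both assumptions; it says nothing about the provisioning or the Windows join, which are separate items in the list.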

