[Samba] Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...
Rowland Penny
rpenny at samba.org
Sat Jul 28 12:34:24 UTC 2018
On Sat, 28 Jul 2018 13:08:55 +0200
Andrzej Gryko <andrzej.gryko at gmail.com> wrote:
> I installed:
> Linux samba 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07)
> x86_64 GNU/Linux
> samba:
> Version 4.5.12-Debian
OK, as you are using debian, try using Louis's repo, this will get you a
much more recent version of Samba:
http://apt.van-belle.nl/
>
> next
>
> change in fstab:
> / ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
Well, undo the change ;-)
everything you have set is amongst the defaults for ext4
>
> apt-get install smbclient krb5-user bind9 attr libpam-winbind
> libpam-krb5 libnss-winbind krb5-config ntp bind9utils
I am sure they will be installed, but check if these are installed:
samba winbind
>
> While configuring kerberos - default kerberos version realm; gryko.org,
> kerberos servers: *none* (also tried samba.gryko.org), administrative
> server: *none*
Do not configure kerberos before the provision, once Samba is
provisioned, you will find that a krb5.conf will have been created for
you. The provision output will tell you just where it is, but, as you
are using debian packages, it should be here:
/var/lib/samba/private/krb5.conf
Copy this to /etc/krb5.conf
>
> samba-tool domain provision: gryko.org, gryko, dc, bind9_dlz (also
> tried samba internal)
>
> *My smb.conf:*
>
> [global]
> netbios name = SAMBA
> realm = GRYKO.ORG
> workgroup = GRYKO
> server role = active directory domain controller
># os level = 64
>[netlogon]
> path = /var/lib/samba/sysvol/gryko.org/scripts
> read only = No
>
>[sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>[homes]
> comment = Katalog domowy
> read only = No
> browseable = No
> valid users = %S
> /etc/krb5.conf:
> [libdefaults]
> default_realm = GRYKO.ORG
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> /etc/bind/named.conf.options:
> options {
> directory "/var/cache/bind";
> forwarders {
> 8.8.8.8;
> 8.8.4.4;
> };
> dnssec-validation auto;
> auth-nxdomain no; # conform to RFC1035
> listen-on port 53 { any; };
> allow-query { any; };
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> /etc/bind/named.conf.local
> include "/var/lib/samba/private/named.conf";
>
> /etc/resolv.conf
> domain gryko.org
> search gryko.org
> nameserver 172.22.93.70 (router) - also tried itself
The DC MUST use itself as its nameserver
>
> /etc/hosts
> 127.0.0.1 localhost
> 127.0.1.1 samba.gryko.org samba
> 172.22.93.74 samba.gryko.org samba
>
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
I think I have already said this, remove the '127.0.1.1' line and if
anything (such as network manager) is set to use dnsmasq etc, stop them
from doing this.
>
> smbclient \\\\172.22.93.74\\sysvol -U administrator - works properly
> - for different users too.
>
> smbclient -L localhost -U agryko
> Enter agryko's password:
> Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>
> Sharename Type Comment
> --------- ---- -------
> netlogon Disk
> sysvol Disk
> IPC$ IPC IPC Service (Samba 4.5.12-Debian)
> Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>
> Server Comment
> --------- -------
>
> Workgroup Master
> --------- -------
> WORKGROUP SAMBA
> (cannot login as 'agryko' from windows to the domain)
>
You will need to use 'GRYKO\agryko' to login into a domain joined
windows machine.
I can assure you it does work, I am typing this on a Unix domain member and
can log into a windows domain member ;-)
Rowland
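
The two name-resolution points raised in the reply above (the DC must use itself as its nameserver, and the '127.0.1.1' line must be removed from /etc/hosts) can be checked mechanically. This is an added example, not part of the original e-mail or of Samba; the function name is hypothetical, the sample file contents are constructed from the values quoted in the thread, and it assumes "itself" means the DC's own LAN address.

```python
import ipaddress

# Constructed sample input, built from the values quoted in the thread.
HOSTS = """\
127.0.0.1 localhost
127.0.1.1 samba.gryko.org samba
172.22.93.74 samba.gryko.org samba
::1 localhost ip6-localhost ip6-loopback
"""
RESOLV = """\
domain gryko.org
search gryko.org
nameserver 172.22.93.70
"""

def _fields(text):
    """Yield the whitespace-split fields of each non-empty line, comments stripped."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts

def check_dc_name_resolution(hosts, resolv, fqdn, dc_ip):
    """Return findings for the hosts and resolv.conf problems named in the reply."""
    findings = []
    fqdn = fqdn.lower()
    mapped = []
    for addr, *names in _fields(hosts):
        if fqdn in (n.lower() for n in names):
            mapped.append(addr)
            # 127.0.1.1 is in 127.0.0.0/8, so the DC would resolve its own name to loopback.
            if ipaddress.ip_address(addr).is_loopback:
                findings.append(f"hosts: {fqdn} maps to loopback {addr}; remove that line")
    if dc_ip not in mapped:
        findings.append(f"hosts: no entry maps {fqdn} to {dc_ip}")
    # Assumption: the first nameserver entry must be the DC's own address.
    servers = [f[1] for f in _fields(resolv) if f[0] == "nameserver" and len(f) > 1]
    first = servers[0] if servers else "missing"
    if first != dc_ip:
        findings.append(f"resolv.conf: first nameserver is {first}, expected {dc_ip}")
    return findings

if __name__ == "__main__":
    for finding in check_dc_name_resolution(HOSTS, RESOLV, "samba.gryko.org", "172.22.93.74"):
        print(finding)
```
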