[Samba] Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...
Andrzej Gryko
andrzej.gryko at gmail.com
Sat Jul 28 17:26:06 UTC 2018
I'm sorry. It's my fault. Only an administrator can join a domain, so that's
why I couldn't do it as a different user. If I join the domain and restart
Windows 10, I can log in as a different user. So it was my fault, I didn't
know about it. Everything works OK.
Now I must add some users to the administrators group and create some scripts.
Best regards
Andrzej
On Sat, 28 Jul 2018 at 14:35, Rowland Penny via samba <samba at lists.samba.org>
wrote:
> On Sat, 28 Jul 2018 13:08:55 +0200
> Andrzej Gryko <andrzej.gryko at gmail.com> wrote:
>
> > I installed:
> > Linux samba 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07)
> > x86_64 GNU/Linux
> > samba:
> > Version 4.5.12-Debian
>
> OK, as you are using debian, try using Louis's repo, this will get you a
> much more recent version of Samba:
>
> http://apt.van-belle.nl/
>
> >
> > next
> >
> > change in fstab:
> > */ ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1*
>
> Well, undo the change ;-)
> everything you have set is amongst the defaults for ext4
>
> >
> > apt-get install smbclient krb5-user bind9 attr libpam-winbind
> > libpam-krb5 libnss-winbind krb5-config ntp bind9utils
>
> I am sure they will be installed, but check if these are installed:
>
> samba winbind
>
> >
> > While configuring kerberos - default kerberos version realm; gryko.org,
> > kerberos servers: *none* (also tried samba.gryko.org), administrative
> > server: *none*
>
> Do not configure kerberos before the provision, once Samba is
> provisioned, you will find that a krb5.conf will have been created for
> you. The provision output will tell you just where it is, but, as you
> are using debian packages, it should be here:
>
> /var/lib/samba/private/krb5.conf
>
> Copy this to /etc/krb5.conf
>
> >
> > samba-tool domain provision: gryko.org, gryko, dc, bind9_dlz (also
> > tried samba internal)
> >
> > *My smb.conf:*
> >
> > [global]
> > netbios name = SAMBA
> > realm = GRYKO.ORG
> > workgroup = GRYKO
> > server role = active directory domain controller
> > # os level = 64
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/gryko.org/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> > [homes]
> > comment = Katalog domowy
> > read only = No
> > browseable = No
> > valid users = %S
> >
> > /etc/krb5.conf:
> > [libdefaults]
> > default_realm = GRYKO.ORG
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > /etc/bind/named.conf.options:
> > options {
> > directory "/var/cache/bind";
> > forwarders {
> > 8.8.8.8;
> > 8.8.4.4;
> > };
> > dnssec-validation auto;
> > auth-nxdomain no; # conform to RFC1035
> > listen-on port 53 { any; };
> > allow-query { any; };
> > tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> > };
> >
> > */etc/bind/named.conf.local*
> > include "/var/lib/samba/private/named.conf";
> >
> > /etc/resolv.conf
> > domain gryko.org
> > search gryko.org
> > nameserver 172.22.93.70 (router) - also tried itself
>
> The DC MUST use itself as its nameserver
>
> >
> > /etc/hosts
> > 127.0.0.1 localhost
> > 127.0.1.1 samba.gryko.org samba
> > 172.22.93.74 samba.gryko.org samba
> >
> > ::1 localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
>
> I think I have already said this, remove the '127.0.1.1' line and if
> anything (such as network manager) is set to use dnsmasq etc, stop them
> from doing this.
>
> >
> > smbclient \\\\172.22.93.74\\sysvol -U administrator - works properly
> > - for different users too.
> >
> > smbclient -L localhost -U agryko
> > Enter agryko's password:
> > Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
> >
> > Sharename Type Comment
> > --------- ---- -------
> > netlogon Disk
> > sysvol Disk
> > IPC$ IPC IPC Service (Samba 4.5.12-Debian)
> > Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
> >
> > Server Comment
> > --------- -------
> >
> > Workgroup Master
> > --------- -------
> > WORKGROUP SAMBA
> > (cannot login as 'agryko' from windows to the domain)
> >
>
> You will need to use 'GRYKO\agryko' to login into a domain joined
> windows machine.
>
> I can assure you it does work, I am typing this on a Unix domain member and
> can log into a windows domain member ;-)
>
> Rowland
>
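The two name-resolution points raised in the quoted reply (the DC's name must not sit on the '127.0.1.1' line in /etc/hosts, and the DC must use itself as its nameserver) can be checked with a short script. This is an added example, not part of the thread: the function names are made up for illustration, the first-nameserver test is one reading of "use itself", and the sample files are constructed from the values posted above.

```shell
#!/bin/sh
# Added example, not from the thread. File paths and the DC's address are
# arguments so the checks can be run against copies of the real files.

# Succeeds if HOSTS_FILE maps FQDN to a 127.x.x.x address (the '127.0.1.1' case).
hosts_fqdn_on_loopback() {   # usage: hosts_fqdn_on_loopback HOSTS_FILE FQDN
    awk -v fqdn="$2" '
        { sub(/#.*/, "") }                       # ignore comments
        $1 ~ /^127\./ { for (i = 2; i <= NF; i++) if ($i == fqdn) hit = 1 }
        END { exit (hit ? 0 : 1) }' "$1"
}

# Succeeds if the first nameserver in RESOLV_FILE is the DC's own address.
resolv_first_is_self() {     # usage: resolv_first_is_self RESOLV_FILE DC_IP
    awk -v ip="$2" '
        { sub(/#.*/, "") }
        $1 == "nameserver" && !seen { seen = 1; ok = ($2 == ip) }
        END { exit (ok ? 0 : 1) }' "$1"
}

# Prints one line per finding and returns the number of findings.
audit_dc_resolution() {      # usage: audit_dc_resolution HOSTS RESOLV FQDN DC_IP
    findings=0
    if hosts_fqdn_on_loopback "$1" "$3"; then
        echo "hosts: $3 is mapped to a loopback address"
        findings=$((findings + 1))
    fi
    if ! resolv_first_is_self "$2" "$4"; then
        echo "resolv.conf: first nameserver is not $4"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input, using the values posted in the thread.
write_thread_sample() {      # usage: write_thread_sample DIR
    printf '%s\n' '127.0.0.1 localhost' '127.0.1.1 samba.gryko.org samba' \
        '172.22.93.74 samba.gryko.org samba' > "$1/hosts"
    printf '%s\n' 'domain gryko.org' 'search gryko.org' \
        'nameserver 172.22.93.70' > "$1/resolv.conf"
}
```

On a real DC the call would be `audit_dc_resolution /etc/hosts /etc/resolv.conf samba.gryko.org 172.22.93.74`; an exit status of 0 means neither problem was found.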