[Samba] Fwd: Fwd: Problem connecting to DC from windows 10. Failed to create user record ... acl: unable to get access to ...

Andrzej Gryko andrzej.gryko at gmail.com
Sat Jul 28 17:26:06 UTC 2018


I'm sorry. It's my fault. Only an administrator can join a domain, so that's
why I couldn't do it as a different user. If I join the domain and restart
Windows 10, I can log in as a different user. So it was my fault, I didn't
know about it. Everything works OK.
Now I must add some users to the administrators group and create some scripts.

Best regards
Andrzej


On Sat, 28 Jul 2018 at 14:35, Rowland Penny via samba <samba at lists.samba.org>
wrote:

> On Sat, 28 Jul 2018 13:08:55 +0200
> Andrzej Gryko <andrzej.gryko at gmail.com> wrote:
>
> > I installed:
> > Linux samba 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07)
> > x86_64 GNU/Linux
> > samba:
> > Version 4.5.12-Debian
>
> OK, as you are using debian, try using Louis's repo, this will get you a
> much more recent version of Samba:
>
> http://apt.van-belle.nl/
>
> >
> > next
> >
> > change in fstab:
> > */ ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1*
>
> Well, undo the change ;-)
> everything you have set is amongst the defaults for ext4
>
> >
> > apt-get install smbclient krb5-user  bind9 attr libpam-winbind
> > libpam-krb5 libnss-winbind krb5-config ntp bind9utils
>
> I am sure they will be installed, but check if these are installed:
>
> samba winbind
>
> >
> > While configuring Kerberos - default Kerberos version realm; gryko.org,
> > kerberos servers: *none* (also tried samba.gryko.org), administrative
> > server: *none*
>
> Do not configure kerberos before the provision, once Samba is
> provisioned, you will find that a krb5.conf will have been created for
> you. The provision output will tell you just where it is, but, as you
> are using debian packages, it should be here:
>
> /var/lib/samba/private/krb5.conf
>
> Copy this to /etc/krb5.conf
>
> >
> > samba-tool domain provision: gryko.org, gryko, dc, bind9_dlz (also
> > tried samba internal)
> >
> > *My smb.conf:*
> >
> > *[global]
> >        netbios name = SAMBA
> >        realm = GRYKO.ORG
> >        workgroup = GRYKO
> >        server role = active directory domain controller
> >#       os level = 64
>
> >[netlogon]
> >        path = /var/lib/samba/sysvol/gryko.org/scripts
> >        read only = No
> >
> >[sysvol]
> >        path = /var/lib/samba/sysvol
> >        read only = No
> >
> >[homes]
> >        comment = Katalog domowy
> >        read only = No
> >        browseable = No
> >        valid users = %S
>
> >/etc/krb5.conf:*
> > [libdefaults]
> > default_realm = GRYKO.ORG
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > /etc/bind/named.conf.options:
> > options {
> >         directory "/var/cache/bind";
> >        forwarders {
> >                 8.8.8.8;
> >                 8.8.4.4;
> >         };
> >         dnssec-validation auto;
> >         auth-nxdomain no;    # conform to RFC1035
> >         listen-on port 53 { any; };
> >         allow-query { any; };
> >         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> > };
> >
> > */etc/bind/named.conf.local*
> > include "/var/lib/samba/private/named.conf";
> >
> > /etc/resolv.conf
> > domain gryko.org
> > search gryko.org
> > nameserver 172.22.93.70 (router) - also tried itself
>
> The DC MUST use itself as its nameserver
>
> >
> > /etc/hosts
> > 127.0.0.1       localhost
> > 127.0.1.1       samba.gryko.org samba
> > 172.22.93.74    samba.gryko.org samba
> >
> > ::1     localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
>
> I think I have already said this, remove the '127.0.1.1' line and if
> anything (such as network manager) is set to use dnsmasq etc, stop them
> from doing this.
>
> >
> > smbclient \\\\172.22.93.74\\sysvol -U administrator - works properly
> > - for different users too.
> >
> > smbclient -L localhost -U agryko
> > Enter agryko's password:
> > Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
> >
> >         Sharename       Type      Comment
> >         ---------       ----      -------
> >         netlogon        Disk
> >         sysvol          Disk
> >         IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
> > Domain=[GRYKO] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
> >
> >         Server               Comment
> >         ---------            -------
> >
> >         Workgroup            Master
> >         ---------            -------
> >         WORKGROUP            SAMBA
> > (cannot login as 'agryko' from windows to the domain)
> >
>
> You will need to use 'GRYKO\agryko' to login into a domain joined
> windows machine.
>
> I can assure you it does work, I am typing this on a Unix domain member and
> can log into a windows domain member ;-)
>
> Rowland
>
>
>
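
The two name-resolution points from the quoted reply (remove the 127.0.1.1 line, and the DC must use itself as its nameserver) written as a check script. This is an added example, not part of the original thread; the function names are hypothetical, and the sample file contents are the ones posted in the thread.

```shell
#!/bin/sh
# Added example: check a DC's /etc/hosts and /etc/resolv.conf for the two
# problems raised in the thread. Function names are hypothetical.

# Succeeds if FQDN ($2) is mapped to a 127.x address in hosts file ($1).
hosts_fqdn_on_loopback() {
    awk -v fqdn="$2" '
        { sub(/#.*/, "") }                      # drop comments
        $1 ~ /^127\./ {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(fqdn)) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Prints the first nameserver listed in resolv.conf ($1), if any.
resolv_first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Args: hosts file, resolv.conf, DC FQDN, DC IP. Returns the number of problems.
check_dc_resolution() {
    problems=0
    if hosts_fqdn_on_loopback "$1" "$3"; then
        echo "hosts: $3 resolves to a 127.x address; remove that line"
        problems=$((problems + 1))
    fi
    ns=$(resolv_first_nameserver "$2")
    if [ "$ns" != "$4" ]; then
        echo "resolv.conf: first nameserver is '${ns:-none}', expected $4"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on copies of the files as posted in the thread.
demo=$(mktemp -d)
printf '%s\n' '127.0.0.1 localhost' '127.0.1.1 samba.gryko.org samba' \
    '172.22.93.74 samba.gryko.org samba' > "$demo/hosts"
printf '%s\n' 'domain gryko.org' 'search gryko.org' \
    'nameserver 172.22.93.70' > "$demo/resolv.conf"
check_dc_resolution "$demo/hosts" "$demo/resolv.conf" \
    samba.gryko.org 172.22.93.74 || echo "$? problem(s) found"
rm -rf "$demo"
```

On a live DC, pass /etc/hosts and /etc/resolv.conf together with the server's own FQDN and address.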

