[Samba] security = ads parameter not working in samba 4.9.5

Rowland Penny rpenny at samba.org
Wed Dec 4 11:54:43 UTC 2019


On 04/12/2019 10:49, Sac Isilia wrote:
> Hi Rowland,
>
> I have done the edits as you suggested  and ran again the script that 
> you provided. Below is the output.


It doesn't appear you have done all the edits or something is re-writing 
various files ;-)

>
> Collected config  --- 2019-12-04-11:46 -----------
>
> Hostname: esmad1apl01
> DNS Domain: emea.media.global.loc
> FQDN: esmad1apl01.emea.media.global.loc
> ipaddress: 10.34.54.152
>
> -----------
>
> Kerberos SRV _kerberos._tcp.emea.media.global.loc record verified ok, 
> sample output:
> ;; Truncated, retrying in TCP mode.
> Server:         10.10.136.85
> Address:        10.10.136.85#53
>
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> EMDC1DCM35.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> EMDC1DCM34.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> RUSPB1DCM02.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> DEDUS3DCM05.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> AZEUW1DCEM02.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> DKCPH1DCM06.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> DKCPH1DCM05.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> RUMSK1DCM07.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> DEHAM3DCM02.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> ESMAD2DCM01.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> AZEUW1DCM06.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> HUBUD2DCM02.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> AZEUW1DCM05.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> EMDC1DCM31.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> ATVIE1DCM03.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> RUMSK1DCM08.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> AZEUW1DCEM01.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> ESMAD2DCM03.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc    service = 0 100 88 
> ZASR1DCM04.emea.media.global.loc.
>
> Wrong password or kerberos REALM problems.
You are either supplying the wrong password for Administrator or you 
have DNS problems.
> Samba is running as an Unix domain member but 'winbindd' is NOT running.
Why is winbind not running ????
> Check that the winbind package is installed.
> -----------
>
>
> This computer is running Debian 10.2 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether 00:50:56:85:24:4c brd ff:ff:ff:ff:ff:ff
>     inet 10.34.54.152/24 brd 10.34.54.255 scope global ens192
>     inet6 fe80::250:56ff:fe85:244c/64 scope link
>
> -----------
> Checking file: /etc/hosts
> 127.0.0.1       localhost
> #127.0.1.1      debian01.emea.media.global.loc  debian01
> 10.34.54.152 esmad1apl01.emea.media.global.loc esmad1apl01
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
> # Generated by NetworkManager
> search emea.media.global.loc media.global.loc dmz.local 
> americas.media.global.loc ymedia.mad
> nameserver 10.10.136.85
> nameserver 10.10.136.95
> nameserver 10.11.137.101
> nameserver 10.11.137.100
> #nameserver 10.34.54.9
> #nameserver 10.34.54.10

You need to stop NetworkManager altering /etc/resolv.conf.

Just a thought, does this machine get its IP via DHCP or is it fixed?

>
> -----------
>
> Checking file: /etc/krb5.conf
> [libdefaults]
>
>         default_realm = EMEA.MEDIA.GLOBAL.LOC
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
Remove everything else from /etc/krb5.conf, it isn't required.
>
>
> -----------
>
>
> -----------
>
> Checking file: /etc/samba/smb.conf
Please try the smb.conf I suggested
>
>
> -----------
>
> Running as Unix domain member and user.map detected.
>
> Contents of /etc/samba/user.map
>
> !root = MEDIA\\svc_domjoin02

OK, where did 'MEDIA' come from ?

Your workgroup is 'EMEA-MEDIA'

Why have you added an extra forward slash ?

Who is 'svc_domjoin02' ?

Just use the line I suggested.

Rowland
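
The checks applied by eye to /etc/samba/user.map in the reply above, written out as an added example (not part of the original message and not Samba code). It assumes the `username map` file format from the smb.conf manual, with no quoted names containing spaces; the function names and the "good" sample line are constructed for illustration.

```python
# Lint a Samba "username map" file against the workgroup set in smb.conf.
# Format assumed: "unixname = WINNAME ...", '#' or ';' starts a comment,
# a leading '!' stops map processing once that line matches.

def parse_user_map(text):
    """Yield (unix_name, stop_on_match, [windows_names]) per mapping line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        unix, sep, right = line.lstrip("!").partition("=")
        if sep:
            yield unix.strip(), stop, right.split()

def check_user_map(text, workgroup):
    """Return (windows_name, finding) tuples for one map file."""
    findings = []
    for unix, _stop, names in parse_user_map(text):
        for name in names:
            if unix == "root":
                # Whoever is named here is root on this member server,
                # so the account should be a known, deliberate choice.
                findings.append((name, "maps-to-root"))
            domain, sep, account = name.partition("\\")
            if not sep:
                continue  # no DOMAIN\ prefix to validate
            if account.startswith("\\"):
                findings.append((name, "doubled-backslash"))
            if domain.upper() != workgroup.upper():
                findings.append((name, "domain-mismatch"))
    return findings

# The line quoted in this thread, and the workgroup named in the reply.
POSTED_MAP = r"!root = MEDIA\\svc_domjoin02"
WORKGROUP = "EMEA-MEDIA"
# Constructed sample: correct prefix, single backslash.
CONSTRUCTED_MAP = "# constructed sample\n" + r"!root = EMEA-MEDIA\Administrator"

if __name__ == "__main__":
    for label, text in (("posted", POSTED_MAP), ("constructed", CONSTRUCTED_MAP)):
        for name, finding in check_user_map(text, WORKGROUP):
            print(f"{label}: {name}: {finding}")
```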




