[Samba] setting up a new ADS infrastructure

Stefan Froehlich samba at froehlich.priv.at
Mon Jun 24 07:39:27 UTC 2019 

On Sun, Jun 23, 2019 at 03:34:08PM +0200, Stefan Froehlich via samba wrote:
> No need to be sorry - most likely I'll the whole setup from scratch.

Did so (I am following a script by now, so it does not take too
long), but I feel more and more lost - there must be always
something different I do wrong:

Now I configured DNS the other way round, pointing every host to the
DC and using "dns forwarder = 8.8.8.8" there to resolve the rest of
the world. Problem is that DC does not forward anything (no packets
are leaving the controller on port 53) and answers all external
questions with an empty result set. Is there anything I could have
missed?


And another annoying issue popped up:

At the fileserver I can wbinfo(1) my test account by name and by
uid, I can chown(1) files to it, I can even su(1) or ssh(1) to it
and work at the CLI. But if I want to connect to a share:

| ~# smbclient //herakles/profiles/ -Utest
| Enter SYNTHESIS\test's password: 
| session setup failed: NT_STATUS_ACCESS_DENIED

The log file contains:

| [2019/06/24 09:28:03.876063,  3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
|   Found account name from PAC: test [Max Mustermann]
| [2019/06/24 09:28:03.876091,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
|   Kerberos ticket principal name is [test at SYNTHESIS.SYNTH.INTERN]
| [2019/06/24 09:28:03.877874,  3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
|   get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
| [2019/06/24 09:28:03.877895,  3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
|   auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
| [2019/06/24 09:28:03.877937,  3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
|   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
| [2019/06/24 09:28:03.878357,  3] ../source3/smbd/server_exit.c:237(exit_server_common)
|   Server exit (NT_STATUS_END_OF_FILE)

How can the username be "invalid", if I can use it for anything else?

The debug info is at <http://froehlich.priv.at/www/samba/> again.

Bye,
Stefan

-- 
Laune mit Stefan, standhaft und blöd!
Sloganizer, https://www.poetron-zone.de/

More information about the samba mailing list