[Samba] setting up a new ADS infrastructure

Rowland Penny rpenny at samba.org
Mon Jun 24 08:12:00 UTC 2019


On 24/06/2019 08:39, Stefan Froehlich via samba wrote:
> On Sun, Jun 23, 2019 at 03:34:08PM +0200, Stefan Froehlich via samba wrote:
>> No need to be sorry - most likely I'll the whole setup from scratch.
> Did so (I am following a script by now, so it does not take too
> long), but I feel more and more lost - there must be always
> something different I do wrong:

Can I see your script?

You may be doing something wrong.

>
> Now I configured DNS the other way round, pointing every host to the
> DC and using "dns forwarder = 8.8.8.8" there to resolve the rest of
> the world. Problem is that DC does not forward anything (no packets
> are leaving the controller on port 53) and answers all external
> questions with an empty result set. Is there anything I could have
> missed?
Which DNS server are you using?
>
>
> And another annoying issue popped up:
>
> At the fileserver I can wbinfo(1) my test account by name and by
> uid, I can chown(1) files to it, I can even su(1) or ssh(1) to it
> and work at the CLI. But if I want to connect to a share:
>
> | ~# smbclient //herakles/profiles/ -Utest
> | Enter SYNTHESIS\test's password:
> | session setup failed: NT_STATUS_ACCESS_DENIED
>
> The log file contains:
>
> | [2019/06/24 09:28:03.876063,  3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
> |   Found account name from PAC: test [Max Mustermann]
> | [2019/06/24 09:28:03.876091,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> |   Kerberos ticket principal name is [test@SYNTHESIS.SYNTH.INTERN]
> | [2019/06/24 09:28:03.877874,  3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> |   get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
> | [2019/06/24 09:28:03.877895,  3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
> |   auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> | [2019/06/24 09:28:03.877937,  3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
> |   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
> | [2019/06/24 09:28:03.878357,  3] ../source3/smbd/server_exit.c:237(exit_server_common)
> |   Server exit (NT_STATUS_END_OF_FILE)
>
> How can the username be "invalid", if I can use it for anything else?
>
> The debug info is at <http://froehlich.priv.at/www/samba/> again.
>
> Bye,
> Stefan
>
Is the 'acl' package installed?

Rowland