[Samba] setting up a new ADS infrastructure
rpenny at samba.org
Mon Jun 24 08:12:00 UTC 2019
On 24/06/2019 08:39, Stefan Froehlich via samba wrote:
> On Sun, Jun 23, 2019 at 03:34:08PM +0200, Stefan Froehlich via samba wrote:
>> No need to be sorry - most likely I'll the whole setup from scratch.
> Did so (I am following a script by now, so it does not take too
> long), but I feel more and more lost - there must be always
> something different I do wrong:
Can I see your script?
You may be doing something wrong.
> Now I configured DNS the other way round, pointing every host to the
> DC and using "dns forwarder = 220.127.116.11" there to resolve the rest of
> the world. Problem is that DC does not forward anything (no packets
> are leaving the controller on port 53) and answers all external
> questions with an empty result set. Is there anything I could have
Which DNS server are you using?
> And another annoying issue popped up:
> At the fileserver I can wbinfo(1) my test account by name and by
> uid, I can chown(1) files to it, I can even su(1) or ssh(1) to it
> and work at the CLI. But if I want to connect to a share:
> | ~# smbclient //herakles/profiles/ -Utest
> | Enter SYNTHESIS\test's password:
> | session setup failed: NT_STATUS_ACCESS_DENIED
> The log file contains:
> | [2019/06/24 09:28:03.876063, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
> | Found account name from PAC: test [Max Mustermann]
> | [2019/06/24 09:28:03.876091, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> | Kerberos ticket principal name is [test@SYNTHESIS.SYNTH.INTERN]
> | [2019/06/24 09:28:03.877874, 3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> | get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
> | [2019/06/24 09:28:03.877895, 3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
> | auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> | [2019/06/24 09:28:03.877937, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
> | smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
> | [2019/06/24 09:28:03.878357, 3] ../source3/smbd/server_exit.c:237(exit_server_common)
> | Server exit (NT_STATUS_END_OF_FILE)
> How can the username be "invalid", if I can use it for anything else?
> The debug info is at <http://froehlich.priv.at/www/samba/> again.
Is the 'acl' package installed?