[Samba] setting up a new ADS infrastructure

Stefan Froehlich samba at froehlich.priv.at
Mon Jun 24 08:52:07 UTC 2019


On Mon, Jun 24, 2019 at 09:12:00AM +0100, Rowland Penny via samba wrote:
> On 24/06/2019 08:39, Stefan Froehlich via samba wrote:
> >On Sun, Jun 23, 2019 at 03:34:08PM +0200, Stefan Froehlich via
> >samba wrote: (I am following a script by now, so it does not take
> >too long)
> 
> Can I see your script ?
> 
> You may be doing something wrong.

These are only informal scripts and I doubt they will help clear
this up. But you can find them at <http://froehlich.priv.at/www/samba/>
now.

> >
> >Now I configured DNS the other way round, pointing every host to the
> >DC and using "dns forwarder = 8.8.8.8" there to resolve the rest of
> >the world. Problem is that DC does not forward anything (no packets
> >are leaving the controller on port 53) and answers all external
> >questions with an empty result set. Is there anything I could have
> >missed?
> Which dns server are you using ?

I tried my own dns first and switched to 8.8.8.8 afterwards. But as
there are not even udp packets leaving the DC, there must be
something else.

> >| ~# smbclient //herakles/profiles/ -Utest
> >| Enter SYNTHESIS\test's password:
> >| session setup failed: NT_STATUS_ACCESS_DENIED
> >
> >The log file contains:
> >
> >| [2019/06/24 09:28:03.876063,  3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
> >|   Found account name from PAC: test [Max Mustermann]
> >| [2019/06/24 09:28:03.876091,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> >|   Kerberos ticket principal name is [test@SYNTHESIS.SYNTH.INTERN]
> >| [2019/06/24 09:28:03.877874,  3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> >|   get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
> >| [2019/06/24 09:28:03.877895,  3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
> >|   auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> >| [2019/06/24 09:28:03.877937,  3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
> >|   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
> >| [2019/06/24 09:28:03.878357,  3] ../source3/smbd/server_exit.c:237(exit_server_common)
> >|   Server exit (NT_STATUS_END_OF_FILE)
> >
> >How can the username be "invalid", if I can use it for anything else?
> >The debug info is at <http://froehlich.priv.at/www/samba/> again.

> Is the 'acl' package installed ?

No, but it does not make any difference if I install it (and it was
not installed last week either when this issue did not occur).

I hate it when IT feels non-deterministic :-(

Bye,
Stefan

-- 
Stefan. For nasty appendixes in yellow galaxies!
Sloganizer, https://www.poetron-zone.de/
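
An added example, not part of the original message or of Samba's code: a Python parser for the smbd log format quoted above that pairs each Kerberos principal with the local name smbd rejected and the resulting status, which is the sequence behind the NT_STATUS_ACCESS_DENIED in the excerpt. The sample lines are reconstructed from that excerpt; the function and field names are this example's own.

```python
import re

# Constructed sample: smbd level-3 lines in the format quoted in the message.
SAMPLE_LOG = r"""
[2019/06/24 09:28:03.876091,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [test@SYNTHESIS.SYNTH.INTERN]
[2019/06/24 09:28:03.877874,  3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
[2019/06/24 09:28:03.877895,  3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
"""

QUOTE = re.compile(r"^(?:>\s?)*\|\s?")  # strip mail quoting such as "> >| "
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+\] \S+:\d+\((?P<func>\w+)\)$")
PRINCIPAL = re.compile(r"Kerberos ticket principal name is \[(.+?)(?:@| at )(.+?)\]")
INVALID = re.compile(r"Username (\S+) is invalid on this system")
MAPFAIL = re.compile(r"Failed to map kerberos principal to system user \((\w+)\)")

def parse_records(text):
    """Join each '[timestamp, level] file:line(func)' header with its indented body."""
    records = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw)
        m = HEADER.match(line.strip())
        if m:
            records.append({"ts": m["ts"], "func": m["func"], "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def mapping_failures(text):
    """Return one event per failed Kerberos-principal-to-system-user mapping."""
    events, principal, rejected = [], None, None
    for rec in parse_records(text):
        if m := PRINCIPAL.search(rec["msg"]):
            principal = f"{m[1]}@{m[2]}"  # also accepts the archive's " at " form
        elif m := INVALID.search(rec["msg"]):
            rejected = m[1]
        elif m := MAPFAIL.search(rec["msg"]):
            events.append({"ts": rec["ts"], "principal": principal,
                           "rejected_name": rejected, "status": m[1]})
            principal = rejected = None
    return events

if __name__ == "__main__":
    for event in mapping_failures(SAMPLE_LOG):
        print(event)
```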
