[Samba] setting up a new ADS infrastructure
samba at froehlich.priv.at
Mon Jun 24 08:52:07 UTC 2019
On Mon, Jun 24, 2019 at 09:12:00AM +0100, Rowland penny via samba wrote:
> On 24/06/2019 08:39, Stefan Froehlich via samba wrote:
> >On Sun, Jun 23, 2019 at 03:34:08PM +0200, Stefan Froehlich via
> >samba wrote: (I am following a script by now, so it does not take
> >too long)
> Can I see your script ?
> You may be doing something wrong.
These are only informal scripts and I doubt they will help clearing
this. But you can find them at <http://froehlich.priv.at/www/samba/>
> >Now I configured DNS the other way round, pointing every host to the
> >DC and using "dns forwarder = 220.127.116.11" there to resolve the rest of
> >the world. Problem is that DC does not forward anything (no packets
> >are leaving the controller on port 53) and answers all external
> >questions with an empty result set. Is there anything I could have
> Which dns server are you using ?
I tried my own dns first and switched to 18.104.22.168 afterwards. But as
there are not even udp packets leaving the DC, there must be
> >| ~# smbclient //herakles/profiles/ -Utest
> >| Enter SYNTHESIS\test's password:
> >| session setup failed: NT_STATUS_ACCESS_DENIED
> >The log file contains:
> >| [2019/06/24 09:28:03.876063, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
> >| Found account name from PAC: test [Max Mustermann]
> >| [2019/06/24 09:28:03.876091, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> >| Kerberos ticket principal name is [test at SYNTHESIS.SYNTH.INTERN]
> >| [2019/06/24 09:28:03.877874, 3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> >| get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
> >| [2019/06/24 09:28:03.877895, 3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
> >| auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> >| [2019/06/24 09:28:03.877937, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
> >| smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
> >| [2019/06/24 09:28:03.878357, 3] ../source3/smbd/server_exit.c:237(exit_server_common)
> >| Server exit (NT_STATUS_END_OF_FILE)
> >How can the username be "invalid", if I can use it for anything else?
> >The debug info is at <http://froehlich.priv.at/www/samba/> again.
> Is the 'acl' package installed ?
No, but it does not make any difference if I install it (and it was
not installed last week either when this issue did not occur).
I hate it when IT feels non-deterministic :-(
Stefan. Für schlimme Blinddaerme in gelben Galaxien!
More information about the samba