[Samba] Problem with login win10

Rowland penny rpenny at samba.org
Thu Aug 20 14:32:33 UTC 2020


On 20/08/2020 14:32, admin at prawda.net.pl wrote:
> Debug:
>
> Collected config  --- 2020-08-20-15:28 -----------
>
> Hostname: debian
> DNS Domain: prawda.local
A bit late now, but it would have been better to use something like 
'ad.prawda.net.pl' for your DNS domain.
> FQDN: debian.prawda.local
> ipaddress: 192.168.0.92 192.168.10.92
You have two IPs; you need to ensure that Samba only uses 192.168.0.92.
>
> -----------
>
> Kerberos SRV _kerberos._tcp.prawda.local record verified ok, sample output:
> Server:		192.168.0.92
> Address:	192.168.0.92#53
>
> _kerberos._tcp.prawda.local	service = 0 100 88 debian.prawda.local.
> Samba is running as an AD DC
Any chance you could run at least another DC and a separate fileserver?
> -----------
>
>
> This computer is running Debian 10.4 x86_64
I think I already said this, but I would stop compiling Samba yourself 
and use Louis's repo: http://apt.van-belle.nl/
>
> -----------
> running command : ip a
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group
> default qlen 1000
>      link/ether ca:d8:84:e0:22:77 brd ff:ff:ff:ff:ff:ff
>      inet 192.168.0.92/24 brd 192.168.0.255 scope global eth0
>      inet6 fe80::c8d8:84ff:fee0:2277/64 scope link
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group
> default qlen 1000
>      link/ether 32:c0:95:d5:de:50 brd ff:ff:ff:ff:ff:ff
>      inet 192.168.10.92/24 brd 192.168.10.255 scope global eth1
>      inet6 fe80::30c0:95ff:fed5:de50/64 scope link

Two network interfaces; you need to get Samba to only use one. Add to 
smb.conf:

interfaces = eth0
bind interfaces only = yes

>
> -----------
>         Checking file: /etc/hosts
>
> 127.0.0.1	localhost
> 192.168.0.92	debian.prawda.local	debian
>
> 192.168.0.94	magazyn.prawda.net.pl
Remove the '192.168.0.94' line; it isn't in the AD DNS domain.
>         Checking file: /usr/local/samba/etc/smb.conf
>
> # Global parameters
> [global]
> #	smb ports = 139
> 	workgroup = PRAWDA
> 	realm = PRAWDA.LOCAL
> 	netbios name = DEBIAN
> 	server role = active directory domain controller
> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate
> 	log level = 10
> #	log level = 2 passdb:5 auth:5
> 	log file = /var/log/samba/samba.log.%m
>          max log size = 50
> 	debug timestamp = yes
> #	server max protocol = nt1
> 	min protocol = SMB2
>          ntlm auth = yes
>
> [netlogon]
> 	path = /usr/local/samba/var/locks/sysvol/prawda.local/scripts
> 	read only = No
>
> [sysvol]
> 	path = /usr/local/samba/var/locks/sysvol
> 	read only = No
>
> [profiles]
>      comment = Network Profiles Service
>      path = /mnt/profile/profiles
>      read only = No
>      store dos attributes = Yes
>      create mask = 0600
>      directory mask = 0700
>
> [INSTALKI]
>      path = /mnt/profile/instalki
>      comment = INSTALKI
>      read only = No
>      create mode = 0600
>      directory mode = 0700
>      hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [DOKUMENTACJE]
>      path = /mnt/profile/dokumentacje
>      comment = DOKUMENTACJE
>      read only = No
>      create mode = 0600
>      directory mode = 0700
>      hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [ECO-DOKUMENTACJE]
>      path = /mnt/profile/eco-dokumentacje
>      comment = ECO-DOKUMENTACJE
>      read only = No
>      create mode = 0600
>      directory mode = 0700
>      hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [GOSCIE]
>      path = /mnt/profile/goscie
>      comment = goscie
>      read only = No
>      create mode = 0777
>      directory mode = 0777
>      hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [JAKOSC]
>      path = /mnt/profile/jakosc
>      comment = JAKOSC
>      read only = No
>      create mode = 0600
>      directory mode = 0700
>      hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [NICELABEL]
>      path = /mnt/profile/nicelabel
>      comment = NICELABEL
>      read only = No
>      create mode = 0600
>      directory mode = 0700
>      hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [KADRY]
>      path = /mnt/profile/kadry
>      comment = KADRY
>      read only = No
>      create mode = 0600
>      directory mode = 0700
>      hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [SPRZEDAZ]
>      path = /mnt/profile/sprzedaz
>      comment = SPRZEDAZ
>      read only = No
>      create mode = 0600
>      directory mode = 0700
>      hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [SORTOWNIA]
>      path = /mnt/profile/sortownia
>      comment = SORTOWNIA
>      read only = No
>      create mode = 0600
>      directory mode = 0700
>      hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [KSIEGOWOSC]
>      path = /mnt/profile/ksiegowosc
>      comment = KSIEGOWOSC
>      read only = No
>      create mode = 0600
>      directory mode = 0700
>      hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [UR]
>      path = /mnt/profile/ur
>      comment = UR
>      read only = No
>      create mode = 0600
>      directory mode = 0700
>      hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [NORMOWANIE]
>      path = /mnt/profile/normowanie
>      comment = NORMOWANIE
>      read only = No
>      create mode = 0600
>      directory mode = 0700
>      hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [LEAN]
>      path = /mnt/profile/lean
>      comment = LEAN
>      read only = No
>      create mode = 0600
>      directory mode = 0700
>      hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [KONTROLING]
>      path = /mnt/profile/kontroling
>      comment = KONTROLING
>      read only = No
>      create mode = 0600
>      directory mode = 0700
>      hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [ECO-PROGRES]
>      path = /mnt/profile/eco-progres
>      comment = ECO_PROGRES
>      read only = No
>      create mode = 0600
>      directory mode = 0700
>      hosts allow = 192.168.0.0/16,10.0.0.0/8
It is not recommended to use a Samba DC as a fileserver, for numerous 
reasons, most of which you have broken; plus, your users will be unknown 
to the shares because you do not have 'winbind' in the 'passwd' and 
'group' lines in /etc/nsswitch.conf.
>
>
>
> Detected bind DLZ enabled..
>
>         Checking file: /etc/bind/named.conf.options
>
> options {
> 	directory "/var/cache/bind";
> 	forwarders {
> 		8.8.4.4;
> 	 	8.8.8.8;
> 	 };
> 	dnssec-validation auto;
That should be 'no'
>
> 	auth-nxdomain no;    # conform to RFC1035
That should be 'yes'
> 	listen-on port 53 { any; };
> 	allow-query { any; };
> 	listen-on-v6 { any; };
> 	tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
I think you may find that is now '/usr/local/samba/bind-dns/dns.keytab'
> };
>
> -----------
>
>         Checking file: /etc/bind/named.conf.local
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
> include "/usr/local/samba/private/named.conf";
Again, that is probably now '/usr/local/samba/bind-dns/named.conf'
>
> -----------
>
>         Checking file: /etc/bind/named.conf.default-zones
>
> // prime the server with knowledge of the root servers
> zone "." {
> 	type hint;
> 	file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> 	type master;
> 	file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> 	type master;
> 	file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> 	type master;
> 	file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> 	type master;
> 	file "/etc/bind/db.255";
> };
>
> zone "prawda.net.pl" {
> 	type master;
> 	file "/etc/bind/slave/prawda.net.pl.root";
> 	allow-query { any; };
> };
Whilst there isn't anything stopping you having 'prawda.net.pl' in your 
AD DNS, it isn't recommended either.
> -----------
>
> Samba DNS zone list:   6 zone(s) found
>
>    pszZoneName                 : prawda.local
>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>    Version                     : 50
>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
>    pszDpFqdn                   : DomainDnsZones.prawda.local
>
>    pszZoneName                 : 11.10.10.in-addr.arpa
>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>    Version                     : 50
>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
>    pszDpFqdn                   : DomainDnsZones.prawda.local
>
>    pszZoneName                 : 30.168.192.in-addr.arpa
>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>    Version                     : 50
>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
>    pszDpFqdn                   : DomainDnsZones.prawda.local
Where do the two reverse zones come into AD?
>
>    pszZoneName                 : 0.168.192.in-addr.arpa
>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>    Version                     : 50
>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
>    pszDpFqdn                   : DomainDnsZones.prawda.local
>
>    pszZoneName                 : 10.168.192.in-addr.arpa
>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>    Version                     : 50
>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
>    pszDpFqdn                   : DomainDnsZones.prawda.local
That one looks like the reverse zone for 'prawda.net.pl'
>
>    pszZoneName                 : _msdcs.prawda.local
>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>    Version                     : 50
>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
> DNS_DP_ENLISTED
>    pszDpFqdn                   : ForestDnsZones.prawda.local
>
> Samba DNS zone list Automated check :
> zone : prawda.local ok, no Bind flat-files found
> -----------
> zone : 11.10.10.in-addr.arpa ok, no Bind flat-files found
> -----------
> zone : 30.168.192.in-addr.arpa ok, no Bind flat-files found
> -----------
>
> ERROR: AD DC zones found in the Bind flat-files
>         This is not allowed, you must remove them.
>         Conflicting zone name : 0.168.192.in-addr.arpa
>         File in question is :
> /etc/bind/0.168.192.in-addr.arpa:0.168.192.in-addr.arpa.                IN
> NS      ns1.yournameserver.com.
> /etc/bind/0.168.192.in-addr.arpa:0.168.192.in-addr.arpa.                IN
> NS      ns2.yournameserver.com.
> -----------
>
> ERROR: AD DC zones found in the Bind flat-files
>         This is not allowed, you must remove them.
>         Conflicting zone name : 10.168.192.in-addr.arpa
>         File in question is :
> -----------
>
> ERROR: AD DC zones found in the Bind flat-files
>         This is not allowed, you must remove them.
>         Conflicting zone name : _msdcs.prawda.local
>         File in question is :
> -----------

You appear to be using named flat files as well as having them in AD; if 
so, this is not allowed.

Rowland
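The points Rowland raises above (a multi-homed DC without 'interfaces' and 'bind interfaces only', winbind missing from the passwd/group lines of nsswitch.conf, and the dnssec-validation/auth-nxdomain values in named.conf.options) can be checked mechanically before a DC goes into service. The following is an added example, not from this list post or the Samba project; the sample config texts are constructed to mirror the thread, and the hypothetical check_dc() takes the host's IP count as a parameter rather than reading it from the system:

```python
import re

# Constructed sample inputs, modelled on the configs quoted in the thread.
SMB_CONF = """# Global parameters
[global]
\trealm = PRAWDA.LOCAL
\tserver role = active directory domain controller
"""
NSSWITCH = """passwd:         files systemd
group:          files systemd
"""
NAMED_OPTIONS = """options {
\tdirectory "/var/cache/bind";
\tdnssec-validation auto;
\tauth-nxdomain no;    # conform to RFC1035
};
"""

def parse_smb_global(text):
    """Return {parameter: value} for the [global] section of an smb.conf."""
    section, params = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            k, v = line.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return params

def check_dc(smb_conf, nsswitch, named_options, ip_count):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    g = parse_smb_global(smb_conf)
    # A multi-homed DC must be pinned to one interface, as in the thread.
    bound = "interfaces" in g and g.get("bind interfaces only", "").lower() == "yes"
    if ip_count > 1 and not bound:
        findings.append("multi-homed host: set 'interfaces' and 'bind interfaces only = yes'")
    for db in ("passwd", "group"):  # shares need winbind in both NSS lines
        m = re.search(rf"^{db}:\s*(.*)$", nsswitch, re.M)
        if not m or "winbind" not in m.group(1).split():
            findings.append(f"nsswitch.conf: '{db}' line lacks winbind")
    opts = re.sub(r"#.*", "", named_options)  # drop trailing comments
    if not re.search(r"dnssec-validation\s+no\s*;", opts):
        findings.append("named.conf.options: dnssec-validation should be 'no'")
    if not re.search(r"auth-nxdomain\s+yes\s*;", opts):
        findings.append("named.conf.options: auth-nxdomain should be 'yes'")
    return findings
```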
