[Samba] Unable to contact active directory or verify claim types

Rowland penny rpenny at samba.org
Mon Feb 3 13:48:54 UTC 2020 

On 03/02/2020 12:40, miguel medalha via samba wrote:
> I am using Samba as Active Directory Domain Controller as well as file
> server, serving a network of Windows clients.
It looks like you are saying that you are using the DC as a fileserver, 
but you haven't shown any shares in your smb.conf (other than netlogon 
and sysvol and these do not count).
>
>   
>
> I recently upgraded a bunch of computers from Windows 7 to Windows 10
> release 1909. I just discovered that Under Windows 10,  as a Domain Admin,
> when I try to add a new permission to a folder or file on Samba shares
> through the Advanced security tab I cannot do it because the box is grayed
> and contains the following message:
>
>   
>
> "Unable to contact active directory or verify claim types"

There are numerous differences between Win 7 and 10, not least is SMBv1 
being turned off by default (not that this should affect you, you have 
it turned off as well), have you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

> The 2 DCs are running Samba 4.8.12 (I know it's old but I could not upgrade
> yet due to hardware/software constraints). Dbcheck gives no errors,
> replication is working fine. DNS is working fine. I see no other problems on
> the network but this one.
>
> The smb.conf on the AD DCS
>
> [global]
>                  workgroup = MYDOMAIN
>                  realm = MYDOMAIN.TLD
>                  server role = active directory domain controller
>                  dns forwarder = x.x.x.x
>                  disable netbios = yes
>                  ntlm auth = no
>                  client ipc signing = mandatory
>                  server min protocol = SMB2_10
>                  client min protocol = SMB2_10
>                  client ipc min protocol = SMB2_10
>                  smb ports = 445
>
> [netlogon]
>                  path = /path/to/sysvol/scripts
>                  read only = no
>                  browsable = yes
>
> [sysvol]
>                  path = /path/to/sysvol/
>                  read only = no
>                  browsable = yes
>
> Any clues? Thank you.
>
Are you running anything else on the DC (sssd for instance) ?

Rowland

More information about the samba mailing list