[Samba] I can't login into my Linux client with Samba DC users.

Jason Long hack3rcon at yahoo.com
Sun Jul 18 08:15:56 UTC 2021


Hello,
Thank you for your info.
The "ip route" command output is:

# ip route
default via 10.0.3.2 dev enp0s8 proto dhcp metric 101 
10.0.3.0/24 dev enp0s8 proto kernel scope link src 10.0.3.15 metric 101 
192.168.56.0/24 dev enp0s17 proto kernel scope link src 192.168.56.7 metric 100 

I installed Samba following its manual, and in the Samba manual "sss" was present. Why isn't "sss" needed? 

I edited "/etc/nsswitch.conf" file as below:

passwd:     files winbind systemd
group:      files winbind systemd
hosts:      files dns resolve [!UNAVAIL=return] myhostname

And I changed the content of "/etc/krb5.conf" to:

[libdefaults]
        default_realm = MYDOMAIN.Z
        dns_lookup_realm = false
        dns_lookup_kdc = true

Finally, I added "10.0.3.15  mydc.mydomain.z" to the "/etc/hosts" file and rebooted my server.

Can the above changes cause any problem for my Windows clients?


On the Linux client:
I added the lines below to the "/etc/hosts" file:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.7 mydc.mydomain.z mydc
10.0.3.15  mydc.mydomain.z

And I edited the "/etc/nsswitch.conf" file as on the server.

The content of the "/etc/krb5.conf" file is:

includedir /etc/krb5.conf.d/
[libdefaults]
    default_realm = MYDC.MYDOMAIN.Z
    dns_lookup_realm = false
    dns_lookup_kdc = true


    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    dns_canonicalize_hostname = fallback
    qualify_shortname = ""
#    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}


I rebooted my client, and I can't log in to my Linux client with my Samba DC usernames.
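The settings argued over in this thread (the realm, the workgroup, krb5's default_realm, and the nsswitch.conf order) can be checked mechanically against the output of `samba-tool domain info`. The script below is an added example, not code from this thread or from Samba; its sample inputs are constructed from the values posted here, and its checks encode the advice given in the thread (realm = DNS domain in upper case, workgroup = 'Netbios domain' rather than 'DC netbios name', no 'sss' beside winbind, 'dns' before 'resolve' in the hosts line) rather than any rule taken from Samba's own documentation.

```python
"""Check a Samba AD member's client config against 'samba-tool domain info'.

Added example (not from the thread or from Samba). Sample inputs are
constructed from the values posted in the thread; the checks encode the
thread's advice, not a rule from Samba's documentation.
"""
import re

# Constructed sample: 'samba-tool domain info' output as posted.
DOMAIN_INFO = """\
Forest           : mydomain.z
Domain           : mydomain.z
Netbios domain   : MYDOMAIN
DC name          : mydc.mydomain.z
DC netbios name  : MYDC
"""

# Constructed samples: client smb.conf as first posted, and a corrected one.
BAD_SMB_CONF = "[global]\n   workgroup = MYDC\n   security = ADS\n   realm = MYDC.MYDOMAIN.Z\n"
GOOD_SMB_CONF = "[global]\n   workgroup = MYDOMAIN\n   security = ADS\n   realm = MYDOMAIN.Z\n"

# Constructed samples: krb5.conf [libdefaults] before and after the fix.
BAD_KRB5_CONF = "includedir /etc/krb5.conf.d/\n[libdefaults]\n    default_realm = MYDC.MYDOMAIN.Z\n    dns_lookup_kdc = true\n"
GOOD_KRB5_CONF = "[libdefaults]\n    default_realm = MYDOMAIN.Z\n    dns_lookup_realm = false\n    dns_lookup_kdc = true\n"

# Constructed samples: nsswitch.conf before and after Louis's changes.
BAD_NSSWITCH = """\
passwd:     files winbind sss systemd
group:      files winbind sss systemd
hosts:      files resolve [!UNAVAIL=return] myhostname dns
"""
GOOD_NSSWITCH = """\
passwd:     files winbind systemd
group:      files winbind systemd
hosts:      files dns resolve [!UNAVAIL=return] myhostname
"""


def parse_domain_info(text):
    """Turn 'samba-tool domain info' output into a {label: value} dict."""
    info = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    return info


def parse_ini(text):
    """Minimal smb.conf / krb5.conf reader: {section: {key: value}}.

    Comments and 'includedir' lines are skipped; keys are lower-cased.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("includedir"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_nsswitch(text):
    """Turn nsswitch.conf lines into {database: [source, ...]}."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, _, sources = line.partition(":")
            databases[db.strip()] = sources.split()
    return databases


def check_member_config(domain_info, smb_conf, krb5_conf, nsswitch):
    """Return a list of findings; an empty list means every check passed."""
    info = parse_domain_info(domain_info)
    smb = parse_ini(smb_conf).get("global", {})
    krb5 = parse_ini(krb5_conf).get("libdefaults", {})
    nss = parse_nsswitch(nsswitch)
    findings = []

    want_realm = info["Domain"].upper()       # DNS domain in upper case
    want_workgroup = info["Netbios domain"]   # not the DC's NetBIOS name

    if smb.get("realm", "").upper() != want_realm:
        findings.append(f"smb.conf realm {smb.get('realm')!r}: should be {want_realm!r} "
                        "(the DNS domain in upper case, not the DC's FQDN)")
    if smb.get("workgroup", "").upper() != want_workgroup.upper():
        findings.append(f"smb.conf workgroup {smb.get('workgroup')!r}: should be "
                        f"{want_workgroup!r} ('DC netbios name' != 'Netbios domain')")
    if krb5.get("default_realm", "").upper() != want_realm:
        findings.append(f"krb5.conf default_realm {krb5.get('default_realm')!r}: "
                        f"should be {want_realm!r}")
    for db in ("passwd", "group"):
        sources = nss.get(db, [])
        if "winbind" not in sources:
            findings.append(f"nsswitch.conf {db}: 'winbind' is missing")
        if "sss" in sources:
            findings.append(f"nsswitch.conf {db}: remove 'sss', winbind serves the AD users")
    hosts = nss.get("hosts", [])
    if "dns" in hosts and "resolve" in hosts and hosts.index("dns") > hosts.index("resolve"):
        findings.append("nsswitch.conf hosts: list 'dns' before 'resolve'")
    return findings


if __name__ == "__main__":
    for name, args in (("as posted", (BAD_SMB_CONF, BAD_KRB5_CONF, BAD_NSSWITCH)),
                       ("corrected", (GOOD_SMB_CONF, GOOD_KRB5_CONF, GOOD_NSSWITCH))):
        result = check_member_config(DOMAIN_INFO, *args)
        print(f"{name}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

Run it as-is to see the six findings the posted configuration produces and the clean result for the corrected one; on a real member, feed it the actual file contents and the live `samba-tool domain info` output instead of the constructed samples.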






On Friday, July 16, 2021, 12:08:00 PM GMT+4:30, L.P.H. van Belle via samba <samba at lists.samba.org> wrote: 





Hai Jason, 

Ok, now we are getting somewhere. 
Server : 
2 IP addresses : 10.0.3.15 192.168.56.7  ( assuming 56.7 is your default. ) 
But did you set your routing correctly for it? We might also need the output of : ip route 

SSSD is installed, remove it and then fix nsswitch.conf
passwd:    files winbind sss systemd
group:      files winbind sss systemd
Remove sss there. 

Change 
hosts:      files resolve [!UNAVAIL=return] myhostname dns
To
hosts:      files dns resolve [!UNAVAIL=return] myhostname 

/etc/krb5.conf
Now, depending on IP use. OR remove this part. 
[realms]
MYDOMAIN.Z = {
    default_domain = mydomain.z
}

[domain_realm]
    mydc = MYDOMAIN.Z

All you need is : 
[libdefaults]
    default_realm = MYDOMAIN.Z
    dns_lookup_realm = false
    dns_lookup_kdc = true

Your "SERVER" also has IP: 10.0.3.15 
Add it in /etc/hosts also. 
The order is important.. 

127.0.0.1  localhost localhost.localdomain localhost4 localhost4.localdomain4
::1        localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.7 mydc.mydomain.z mydc
10.0.3.15  mydc.mydomain.z  # or leave it out, I don't know why you use it in your setup. 
And you noticed I removed the "mydc" in the 10.0.3.15 line. 

All done, reboot server. 

Client is easier.. 

FQDN: node3.localhost.localdomain
ipaddress: 192.168.56.9 10.0.3.15  

unable to verify DNS kerberos._tcp SRV records


Meaning, the resolving setup is broken in your client. 

Hostname FQDN is incorrect. 
10.0.3.15  ?? Why is that the same IP as on the SERVER? 

So in order, fix on the client :
/etc/hosts
/etc/resolv.conf
/etc/nsswitch.conf
/etc/krb5.conf

Reboot. 

Verify client settings again, re-run the script; I know it's not fully compliant with your OS, but it shows enough at the moment. 

Greetz, 

Louis






> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Jason Long via samba
> Sent: Friday 16 July 2021 7:27
> To: samba at lists.samba.org; Rowland Penny
> Subject: Re: [Samba] I can't login into my Linux client 
> with Samba DC users.
> 
> Hello,
> I did:
> # samba-tool domain info mydc
> Forest           : mydomain.z
> Domain           : mydomain.z
> Netbios domain   : MYDOMAIN
> DC name          : mydc.mydomain.z
> DC netbios name  : MYDC
> Server site      : Default-First-Site-Name
> Client site      : Default-First-Site-Name
> 
> And I executed that script on both of server and client:
> 
> On Server:
> https://paste.ubuntu.com/p/pZ9Rnk7Kpc/
> 
> On Client:
> https://paste.ubuntu.com/p/msCDTgrZPS/
> 
> 
> Thanks.
> 
> 
> On Wednesday, July 14, 2021, 04:56:58 PM GMT+4:30, Rowland 
> Penny via samba <samba at lists.samba.org> wrote: 
> 
> 
> 
> 
> 
> On Wed, 2021-07-14 at 13:22 +0200, L.P.H. van Belle via samba wrote:
> > > 1- Why is the Windows client working with it without any problem?
> > Because when they join, the primary DNS domain is always correct
> > And you most probably did set the IPs of the DCs as resolvers for
> > them. 
> > 
> > You asked this before and we asked for info before.. 
> > I'm still waiting.. (that's why I also didn't reply before).. 
> 
> You should have seen what I wrote before deleting it!
> 
> > 
> > Most probably your error is in the resolving order. 
> 
> Could be, but doubtful.
> 
> > Run this on 1 DC and 1 member. 
> > 
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> > 
> > DON'T change the structures of the setup when you anonymize it. 
> > 
> > Now this :  samba-tool domain info 192.168.56.7
> > Why are you not using : samba-tool domain info hostname.fqdn
> > I'm just wondering.
> 
> Because it works and 'samba-tool domain info --help' returns:
> 
> Usage: samba-tool domain info <ip_address> [options]
> 
> 
> > So my advice is, try to avoid testing with IP numbers and start
> > testing with FQDNs. 
> > This will help in finding/and later avoiding resolving problems. 
> > 
> > 
> > Greetz, 
> > 
> > Louis
> > 
> > 
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> > > Jason Long via samba
> > > Sent: Wednesday 14 July 2021 13:09
> > > To: sambalist; Rowland Penny
> > > Subject: Re: [Samba] I can't login into my Linux client 
> > > with Samba DC users.
> > > 
> > > Thanks.
> > > 1- Why is the Windows client working with it without any problem?
> > > 2- How can I fix it?
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > On Wednesday, July 14, 2021, 03:32:21 PM GMT+4:30, Rowland 
> > > Penny via samba <samba at lists.samba.org> wrote: 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > On Wed, 2021-07-14 at 10:41 +0000, Jason Long wrote:
> > > > Thank you.
> > > > 
> > > > As you see:
> > > > # samba-tool domain info 192.168.56.7
> > > > Forest          : mydomain.z
> > > > Domain          : mydomain.z
> > > > Netbios domain  : MYDOMAIN
> > > > DC name          : mydc.mydomain.z
> > > > DC netbios name  : MYDC
> > > > Server site      : Default-First-Site-Name
> > > > Client site      : Default-First-Site-Name
> > > > 
> > > > If my configuration is wrong, then how can I fix it?
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > On Monday, July 12, 2021, 11:29:30 PM GMT+4:30, Rowland Penny via
> > > > samba <samba at lists.samba.org> wrote: 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > On Mon, 2021-07-12 at 18:44 +0000, Jason Long via samba wrote:
> > > > > Hello,
> > > > > I had a thread with the name "I can't join my Linux client to my
> > > > > Samba DC." and I joined my Linux client to my Samba DC, but I can't
> > > > > login into my Linux client with my Samba DC users.
> > > > > I have a Samba DC as below:
> > > > > 
> > > > > 
> > > > > # samba-tool domain info 192.168.56.7
> > > > > Forest          : mydomain.z
> > > > > Domain          : mydomain.z
> > > > > Netbios domain  : MYDOMAIN
> > > > > DC name          : mydc.mydomain.z
> > > > > DC netbios name  : MYDC
> > > > > Server site      : Default-First-Site-Name
> > > > > Client site      : Default-First-Site-Name
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > And I want to join my Linux client to my Samba DC. The content of
> > > > > "smb.conf" file on my Linux client is:
> > > > > 
> > > > > 
> > > > > [global]
> > > > >    workgroup = MYDC
> > > > >    security = ADS
> > > > >    realm = MYDC.MYDOMAIN.Z
> > > > 
> > > > Your realm isn't 'MYDC.MYDOMAIN.Z' , from what you have posted, your
> > > > realm should be 'MYDOMAIN.Z'
> > > > 
> > > > Also, I doubt that your workgroup name is 'MYDC' as this appears to be
> > > > your DCs short hostname. If your workgroup (aka NetBios domain name)
> > > > is the same as your DC's short hostname, then I suggest you fix this
> > > > 
> > > 
> > > You have set your workgroup to 'MYDC' and you also posted 'DC netbios
> > > name  : MYDC', you also posted 'Netbios domain  : MYDOMAIN', another
> > > name for 'Netbios domain' is 'workgroup'.
> > > 'DC netbios name' != 'Netbios domain'
> > > 
> > > You also seem to be using the DC's FQDN for the realm, it should be the
> > > dns domain in uppercase, which in your case seems to be 'MYDOMAIN.Z'
> > > 
> > > 
> > > Rowland
> > > 
> > > 
> > > 
> > > -- 
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba

> > > 
> > > 
> > > 
> > 
> > 
> 
> 
> 
> 
> 

