[Samba] issue joining domain and now logging in

Diego Franchini diego.tartol at gmail.com
Sat Oct 15 20:15:38 UTC 2022


Yes, the resolv.conf is as follows:

search fritz.box
nameserver 172.27.1.4

Doing a fresh install of samba with 4.15.9 works, and a fresh install on
4.16.5, following the same procedure, doesn't.

This is what I do:

:~# sudo apt-get update && sudo apt-get upgrade
:~# nano /etc/hosts
:~# nano /etc/hostname    # to change the name of the device
:~# nano /etc/dhcpcd.conf
:~# apt-get install samba krb5-config krb5-user winbind smbclient samba-dsdb-modules samba-vfs-modules

The hosts file:

127.0.0.1   localhost
#127.0.1.1   SMBDC1
::1         localhost SMBDC1 ip6-localhost ip6-loopback
fe00::0     ip6-localnet
ff00::0     ip6-mcastprefix
ff02::1     ip6-allnodes
ff02::2     ip6-allrouters
172.27.1.4  SMBDC1.example.com SMBDC1

The dhcpcd.conf file:

interface eth0
static ip_address=172.27.1.4/24
static routers=172.27.0.1
static domain_name_servers=172.27.1.4
static domain_search=example.com

Then I do the following:

:~# reboot now
:~# rm /etc/samba/smb.conf
:~# rm /etc/krb5.conf
:~# rm /var/run/samba/*.tdb
:~# rm /var/run/samba/*.ldb
:~# rm /var/lib/samba/*.tdb
:~# rm /var/lib/samba/*.ldb
:~# rm /var/cache/samba/*.tdb
:~# rm /var/cache/samba/*.ldb
:~# rm /var/lib/samba/private/*.tdb
:~# rm /var/lib/samba/private/*.ldb
:~# samba-tool domain provision --use-rfc2307 --interactive

and follow the guided setup, inputting the same data in 4.15.9 and in 4.16.5.

Then I execute these commands:

:~# nano /etc/samba/smb.conf
:~# cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
:~# systemctl disable --now smbd nmbd winbind systemd-resolved
:~# systemctl unmask samba-ad-dc.service
:~# systemctl enable --now samba-ad-dc.service
:~# samba-tool domain level show
:~# reboot now

The smb.conf file:

# Global parameters
[global]
        dns forwarder = 172.27.1.2
        netbios name = SMBDC1
        realm = EXAMPLE.COM
        server role = active directory domain controller
        workgroup = EXAMPLE
        idmap_ldb:use rfc2307 = yes
        host msdfs = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/frankini.net/scripts
        read only = No

The krb5.conf file:

[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
FRANKINI.NET = {
        default_domain = example.net
}

[domain_realm]
        SMBDC1 = EXAMPLE.COM

When the Pi reboots, I set the DNS server on my router to the same IP as Samba's and then do these tests:

:~# host -t SRV _ldap._tcp.gander.bag
:~# host -t SRV _kerberos._udp.gander.bag
:~# host -t A Pi4DC.gander.bag
:~# sudo kinit Administrator

If none of these commands result in errors, then it's configured correctly
and fully working.

But perhaps you can spot something fishy in these configurations...

On Sat 15 Oct 2022 at 20:11, Rowland Penny via samba <samba at lists.samba.org> wrote:

>
>
> On 15/10/2022 18:57, Diego Franchini wrote:
> > On Samba Version 4.16.5-Debian (OS: Armbian 22.08.4 - Linux
> > 5.19.14-sunxi), I cannot make this command work:
> >
> > root at SMBDC1:~# kinit Administrator
> > kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting
> > initial credentials
> >
> > with Samba Version 4.15.9-Ubuntu it works perfectly using the same
> > setup... Should I change some config files to adapt them to the new
> > version perhaps?
> >
>
> I wouldn't think so, it works for me on Raspberry pi OS 64bit using
> 4.16.5 from backports:
>
> adminuser at rpidc1:~ $ sudo kinit Administrator
> Password for Administrator at SAMDOM.EXAMPLE.COM:
> adminuser at rpidc1:~ $ sudo klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at SAMDOM.EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 10/15/2022 19:00:01  10/16/2022 05:00:01
> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>         renew until 10/16/2022 18:59:43
>
> Is the first nameserver in /etc/resolv.conf the DC's ipaddress (and not
> 127.0.0.1) ?
>
> Rowland
>


More information about the samba mailing list
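As an added example (not part of Diego's or Rowland's messages, and not Samba project code), the following POSIX shell script turns the two questions raised in this thread into checks that can be run on a freshly provisioned DC before trying `kinit`: whether the first nameserver in resolv.conf is the DC's own address rather than 127.0.0.1, and whether the realm Samba was provisioned with is also krb5.conf's default_realm with a matching [realms] entry. The sample file contents, the function names (`check_resolv`, `check_realm`, `conf_value`, `first_nameserver`, `write_samples`, `live_dns_check`) and the realm OTHER.NET used for the failing variant are constructed for the demo; `live_dns_check` merely wraps the `host` queries from the message and is meant to be called by hand against a real DC, so the demo does not invoke it.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for a freshly
# provisioned Samba AD DC. The file contents written by write_samples are
# constructed for this demo; the function and file names are not Samba's.
set -u

# first_nameserver FILE: print the first "nameserver" entry of a resolv.conf
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# check_resolv FILE DC_IP: succeed only if the first nameserver is the DC's
# own address (the point Rowland asks about: not 127.0.0.1, not the router)
check_resolv() {
    ns=$(first_nameserver "$1")
    if [ "$ns" = "$2" ]; then
        return 0
    fi
    echo "resolv.conf: first nameserver is '${ns:-none}', expected DC address $2" >&2
    return 1
}

# conf_value FILE KEY: value of the first "KEY = value" line; key match is
# case-insensitive and whitespace-tolerant, as smb.conf and krb5.conf are
conf_value() {
    awk -F= -v key="$2" '
        NF >= 2 {
            k = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == tolower(key)) {
                v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_realm SMB_CONF KRB5_CONF: the realm in smb.conf must equal krb5.conf's
# default_realm and have an entry in [realms]; with dns_lookup_kdc = true,
# kinit resolves _kerberos._udp.<default_realm>, so a wrong realm here is one
# way to get "Cannot contact any KDC for realm"
check_realm() {
    smb_realm=$(conf_value "$1" realm)
    krb_realm=$(conf_value "$2" default_realm)
    if [ -z "$smb_realm" ] || [ "$smb_realm" != "$krb_realm" ]; then
        echo "realm mismatch: smb.conf realm='$smb_realm' krb5.conf default_realm='$krb_realm'" >&2
        return 1
    fi
    if ! awk -v r="$smb_realm" '
            insec && $1 == r && $2 == "=" { found = 1 }
            /^\[/ { insec = ($0 == "[realms]") }
            END { exit !found }' "$2"; then
        echo "krb5.conf: no [realms] entry for $smb_realm" >&2
        return 1
    fi
    return 0
}

# live_dns_check DOMAIN DC_FQDN: the queries from the message, for a real DC
live_dns_check() {
    host -t SRV "_ldap._tcp.$1" &&
    host -t SRV "_kerberos._udp.$1" &&
    host -t A "$2"
}

# write_samples DIR: constructed good/bad resolv.conf and krb5.conf variants
write_samples() {
    printf 'search example.com\nnameserver 172.27.1.4\n' > "$1/resolv.good"
    printf 'nameserver 127.0.0.1\nnameserver 172.27.1.4\n' > "$1/resolv.bad"
    cat > "$1/smb.conf" <<'EOF'
[global]
        dns forwarder = 172.27.1.2
        netbios name = SMBDC1
        realm = EXAMPLE.COM
        server role = active directory domain controller
        workgroup = EXAMPLE
EOF
    cat > "$1/krb5.good" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
[realms]
EXAMPLE.COM = {
        default_domain = example.com
}
[domain_realm]
        SMBDC1 = EXAMPLE.COM
EOF
    # same default_realm, but the [realms] block names a different realm
    sed 's/^EXAMPLE.COM = {/OTHER.NET = {/' "$1/krb5.good" > "$1/krb5.bad"
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
check_resolv "$SAMPLES/resolv.good" 172.27.1.4 && echo "resolv.good: ok"
check_resolv "$SAMPLES/resolv.bad"  172.27.1.4 || echo "resolv.bad: rejected"
check_realm  "$SAMPLES/smb.conf" "$SAMPLES/krb5.good" && echo "krb5.good: ok"
check_realm  "$SAMPLES/smb.conf" "$SAMPLES/krb5.bad"  || echo "krb5.bad: rejected"
```

Run it with `sh` on the DC and point `check_resolv` and `check_realm` at the real /etc/resolv.conf, /etc/samba/smb.conf and /etc/krb5.conf instead of the samples; a non-zero exit from either is worth fixing before looking anywhere else for a `kinit` failure. The checks only read the files, so they are safe to run on a production DC.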