[Samba] Users unable to reset passwords
Mark Foley
mfoley at novatec-inc.com
Wed May 21 05:47:57 UTC 2025
On Sun May 18 11:44:11 2025 Mark Foley via samba <samba at lists.samba.org> wrote:
>
> On Sun May 18 03:22:40 2025 Penny via samba <samba at lists.samba.org> wrote:
> >
> > On Sat, 17 May 2025 00:46:20 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > I'm trying to solve a couple of problems with Samba 4.18.19 and
> > > Windows 11. I've described these in detail in previous messages in
> > > this thread, so I'll be brief here:
[snip]
> > > I'm going to test 3 ways:
> > >
> > > A. I will upgrade Samba to the latest 4.22.1, downloaded from
> > > samba.org, but keeping all the domain users, group, policies, etc.
> > >
> > > B. If that doesn't work I will wipe the system and install and
> > > provision 4.22.1 from scratch.
> > >
> > > C. If that doesn't work I will stage an actual Windows DC and see if
> > > the problem exists on that platform.
> > >
> > > If B does not work but C does, I'll file a bug report for Samba. Then
> > > I'll have to decide whether I want to live with the
> > > password/redirected-folders issues on Samba or go with Windows.
[snip]
> > > Results thus far:
> > >
> > > Plan A
[failed, see previous thread messages ]
> >
> > I think this would have been a lot nearer:
> >
> > ./configure \
> > --enable-fhs \
> > --prefix=/usr \
> > --libdir=/usr/lib64 \
> > --includedir=/usr/include \
> > --bindir=/usr/bin \
> > --sbindir=/usr/sbin \
> > --mandir=/usr/man \
> > --sysconfdir=/etc \
> > --with-configdir=/etc/samba \
> > --with-piddir=/var/run \
> > --with-privatedir=/var/lib/samba/private \
> > --with-privatelibdir=/usr/lib64 \
> > --with-modulesdir=/usr/lib64 \
> > --with-lockdir=/var/cache/samba \
> > --with-logfilebase=/var/log/samba \
> > --localstatedir=/var \
> > --enable-cups \
> > --with-acl-support \
> > --with-automount \
> > --with-quotas \
> > --with-syslog \
> > --with-utmp \
> > --with-winbind \
> > --with-ldap \
> > --with-ads \
> > --without-fam \
> > --with-pam \
> > --with-pammodulesdir=/lib64/security \
> > --build=x86_64-slackware-linux || exit 1
>
> Wow! Thanks for that! I'll use that on my next attempt.
>
[snip]
For "Plan B", I created a completely clean install of Slackware and removed the
supplied Samba and kinit (MIT) packages. I configured Samba 4.22.1 exactly per
your (Roland's) suggestion, above, except that I also did --without-systemd and
--disable-cups (then make, make install).
I followed the Wiki https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
I provisioned as:
samba-tool domain provision \
--use-rfc2307 \
--realm=HPRS.LOCAL \
--domain=HPRS \
--server-role=dc \
--dns-backend=SAMBA_INTERNAL \
--option="interfaces=lo eth0" --option="bind interfaces only=yes"
which failed the first time with "ModuleNotFoundError: No module named
'cryptography'", but I installed that and tried again and it provisioned without
error.
When I got to the testing bits, I had the following errors:
# host -t SRV _ldap._tcp.hprs.local.
Host _ldap._tcp.hprs.local. not found: 3(NXDOMAIN)
# host -t SRV _kerberos._udp.hprs.local.
Host _kerberos._udp.hprs.local. not found: 3(NXDOMAIN)
# host -t A mail.hprs.local.
Host mail.hprs.local. not found: 3(NXDOMAIN)
# host -t PTR 192.168.0.2
Host 2.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
# kinit administrator
-su: kinit: command not found
This is disappointing. I did create a reverse zone, and listing that shows:
# samba-tool dns zonelist mail -U Administrator
3 zone(s) found
pszZoneName : 0.168.192.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.hprs.local
pszZoneName : hprs.local
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.hprs.local
pszZoneName : _msdcs.hprs.local
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.hprs.local
So why does "host -t PTR 192.168.0.2" fail?
Likewise, there is an A record for 192.168.0.2:
# samba-tool dns query mail.hprs.local hprs.local @ ALL -U administrator
Name=, Records=3, Children=0
SOA: serial=110, refresh=900, retry=600, expire=86400, minttl=3600,
ns=mail.hprs.local., email=hostmaster.hprs.local. (flags=600000f0, serial=110,
ttl=3600)
NS: mail.hprs.local. (flags=600000f0, serial=1, ttl=900)
A: 192.168.0.2 (flags=600000f0, serial=1, ttl=900)
Name=_msdcs, Records=0, Children=0
Name=_sites, Records=0, Children=1
Name=_tcp, Records=0, Children=4
Name=_udp, Records=0, Children=2
Name=DomainDnsZones, Records=0, Children=2
Name=ForestDnsZones, Records=0, Children=2
Name=mail, Records=1, Children=0
A: 192.168.0.2 (flags=f0, serial=1, ttl=900)
So why does "host -t A mail.hprs.local." fail? It seems that 'host mail' should
return results regardless.
> > I personally would just join a test Debian Samba DC and point a client
> > that has been having problems at it.
I've built Samba from a download from samba.org before w/o problem, but it's not
looking good this time.
If the above DNS issues aren't something simple to resolve, I might go ahead
and try the Debian approach, but that might not be immediate.
More ...
Note that kinit was not found. Does Samba rely on the distro's kinit? I removed
that package because I thought it might be MIT related. Would a non-functioning
Kerberos affect DNS? The wiki https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End
mentions kerberos.
--Mark
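An added diagnostic helper, not code from the thread or from Samba: it parses the `samba-tool dns query ... @ ALL` output format shown above together with the DC's resolv.conf and reports whether the DC's NS/A records are present in the AD zone and whether the host's own resolver actually points at the DC (the Samba wiki requires a DC to use itself as nameserver, which is the first thing to check when zones exist but `host` returns NXDOMAIN). Hostnames, IPs and both inputs are constructed samples modelled on the thread, not captured from the poster's system.

```python
"""Check the two usual causes of 'zone exists but host says NXDOMAIN' on a
Samba AD DC: records missing from the zone, or resolv.conf not pointing at
the DC. Inputs are constructed samples in the format the thread shows."""
import re

# Constructed sample modelled on the thread's `samba-tool dns query` output.
SAMPLE_QUERY = """\
Name=, Records=3, Children=0
SOA: serial=110, refresh=900, retry=600, expire=86400, minttl=3600,
ns=mail.hprs.local., email=hostmaster.hprs.local. (flags=600000f0, serial=110,
ttl=3600)
NS: mail.hprs.local. (flags=600000f0, serial=1, ttl=900)
A: 192.168.0.2 (flags=600000f0, serial=1, ttl=900)
Name=_msdcs, Records=0, Children=0
Name=_tcp, Records=0, Children=4
Name=mail, Records=1, Children=0
A: 192.168.0.2 (flags=f0, serial=1, ttl=900)
"""

# Constructed resolv.conf that points at a router instead of the DC itself.
SAMPLE_RESOLV = "search hprs.local\nnameserver 192.168.0.1\n"

def parse_query(text):
    """Map each node name ('' is the zone apex) to a list of (type, value)."""
    records, node = {}, None
    for line in text.splitlines():
        m = re.match(r"Name=(.*?), Records=", line)
        if m:
            node = m.group(1)
            records.setdefault(node, [])
        elif node is not None:
            m = re.match(r"([A-Z]+): (\S+)", line)   # continuation lines don't match
            if m:
                records[node].append((m.group(1), m.group(2)))
    return records

def dc_records_ok(records, dc_host, dc_ip):
    """The DC must be an apex NS and have an A record under its short name."""
    short = dc_host.split(".")[0]
    return (("NS", dc_host + ".") in records.get("", [])
            and ("A", dc_ip) in records.get(short, []))

def resolver_points_at_dc(resolv_conf, dc_ip):
    """The first nameserver must be the DC itself (its IP or 127.0.0.1)."""
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            return parts[1] in (dc_ip, "127.0.0.1")
    return False

def diagnose(query_text, resolv_conf, dc_host, dc_ip):
    """Return a list of findings; empty means both checks passed."""
    findings = []
    if not dc_records_ok(parse_query(query_text), dc_host, dc_ip):
        findings.append("DC NS/A records missing from the AD zone")
    if not resolver_points_at_dc(resolv_conf, dc_ip):
        findings.append("resolv.conf does not point at the DC; host queries go elsewhere")
    return findings
```

Run against real output by piping `samba-tool dns query <dc> <zone> @ ALL` into `parse_query` and `/etc/resolv.conf` into `resolver_points_at_dc`.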