Web lists-archives.com

Re: [Samba] Samba4 Kerberos Authentication Error

On 12/5/2018 10:37 AM, Marco Shmerykowsky via samba wrote:
On Wed, December 5, 2018 9:52 am, Rowland Penny via samba wrote:
On Wed, 5 Dec 2018 09:41:13 -0500
Marco Shmerykowsky via samba <samba@xxxxxxxxxxxxxxx> wrote:

I'm trying to setup a Samba4 Active Directory server.

I've gotten the server running, the IP addresses resolve
properly.  The Windows10 client can join the domain.
I've run the basic checks that seem to be listed
on the samba wiki and get the expected results.

I've modified nsswitch.conf to include winbind on the
passwd and group lines.

I've made sure all machines are pointing to the same
NTP server so that time is synched

I've created a user using -> samba-tool user create jdoe

I've added the computer using -> samba-tool computer create MACHINE01

I've created a "test-share" with ownership set to the
group "Domain Users":

         path = /home/test-share
         writable = yes
         create mode = 0770
         directory mode = 0770
         guest ok = no

When I run Server Manager in Win10 I get an error that
states: "Kerberos authentication error"

When I try to login with the user, Windows gives me this:

"We can't sign you in with this credential because your
domain isn't available.  Make sure your device is connected
to your organization's network and try again."

Login authentication didn't seem to work before I
added the test-share either.

What did I miss?

You missed posting your smb.conf for a start ;-)

Did you actually join the Win10 machine to the domain ?
Creating it with samba-tool isn't enough.


Smb.conf (domain names made 'generic'):

# Global parameters
         dns forwarder =
         netbios name = MACHINE254
         realm = INTERNAL.COMPANY.COM
         server role = active directory domain controller
         workgroup = INTERNAL
         idmap_ldb:use rfc2307 = yes

         path = /var/lib/samba/sysvol/internal.company.com/scripts
         read only = No

         path = /var/lib/samba/sysvol
         read only = No

         path = /home/test-share
         writable = yes
         create mode = 0770
         directory mode = 0770
         guest ok = no

Windows reported that the machine joined the domain
when I used the windows interface at System
Properties -> Computer Name.

One more tidbit.  I ran the provisioning twice.

First time around I used int.company.com and second time around
I used internal.company.com.  Did that leave contradictory
information floating in the system?

This email has been checked for viruses by AVG.

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba