
Thread: Connect windows10 to samba-ad-dc

  1. #1 (Philippe; Join Date: Aug 2008, Location: Belgium, Posts: 191)

    Connect windows10 to samba-ad-dc

    Hello,

    I have installed a samba-ad-dc and try to connect a windows 10 laptop to the domain but receive an error "incorrect parameter"

    My settings:
    server with Tumbleweed (with XEN kernel): there I run NTP, DHCP and DNS (chroot with dynamic DNS)
    DNS manage zone pce23.net and I have delegated a sub zone adsam.pce23.net to another server (XEN VM)

    VM:
    here I have a DNS (not chroot) to manage zone adsam.pce23.net: server name is vmsam.adsam.pce23.net
    samba-ad-dc
    ntp

    Result provision samba:
    Code:
    samba-tool domain provision --use-rfc2307 --realm=ADSAM.PCE23.NET --dns-backend=BIND9_DLZ --domain=ADSAM --server-role=dc --adminpass=xxxxxxx
    ...
    Server Role:         active directory domain controller
    Hostname:            vmsam
    NETBIOS domain:      ADSAM
    DNS Domain:          adsam.pc23.net
    Domain SID:          S-1-5-21-2478815240-34117533641-2979103045
    /etc/samba/smb.conf
    Code:
    # Global parameters
    [global]
        netbios name = VMSAM
        realm = ADSAM.PCE23.NET
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = ADSAM
        idmap_ldb:use rfc2307 = yes
        winbind    enum users = yes
        winbind enum groups = yes
    #    activate acl
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes 
        log level = 3 passdb:5 auth:10 winbind:5
    #    max.protocol =  NT1
        
    [netlogon]
        path = /var/lib/samba/sysvol/adsam.pce23.net/scripts
        read only = No
    
    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No
    I have copied the samba krb5.conf to /etc, added the samba tkey-gssapi-keytab and the samba include in /etc/named.conf, changed the /etc/nsswitch.conf and started samba via "systemctl start samba-ad-dc" ==> Status is active (running)

    Test DNS and SRV records
    Code:
    vmsam:/var/lib/samba # dig +short -t NS adsam.pce23.net
    vmsam.adsam.pce23.net.  
    vmsam:/var/lib/samba # dig +short -t SRV _kerberos._udp.adsam.pce23.net
    0 100 88 vmsam.adsam.pce23.net.
    vmsam:/var/lib/samba # dig +short -t SRV _ldap._tcp.adsam.pce23.net
    0 100 389 vmsam.adsam.pce23.net.
    Connection from Windows 10:
    First I added a user "wphil" in samba

    In Windows 10 I have the same user "wphil" with the same password
    1. I set the domain ADSAM, user wphil and enter the password ==> incorrect parameter
    2. If I enter a non-existing domain I receive an error that the domain could not be reached or that the SRV record is missing ==> so domain ADSAM can be reached
    3. If I enter an invalid password I receive an error that the login/password could not be found ==> so the login is recognized
    4. If I use the administrator login/password the same error "incorrect parameter" occurs

    In journalctl on the VM I have these messages
    Code:
    May 21 09:30:09 vmsam smbd[4910]: [2018/05/21 09:30:09.362722,  0, pid=4910, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:4>
    May 21 09:30:09 vmsam smbd[4910]:   load_auth_module: can't find auth method samba4!
    May 21 09:30:09 vmsam smbd[4910]: [2018/05/21 09:30:09.367178,  0, pid=4910, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:4>
    May 21 09:30:09 vmsam smbd[4910]:   load_auth_module: can't find auth method samba4!
    May 21 09:30:09 vmsam smbd[4910]: [2018/05/21 09:30:09.444308,  0, pid=4910, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:4>
    May 21 09:30:09 vmsam smbd[4910]:   load_auth_module: can't find auth method samba4!
    May 21 09:30:10 vmsam smbd[4911]: [2018/05/21 09:30:10.138949,  0, pid=4911, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:4>
    May 21 09:30:10 vmsam smbd[4911]:   load_auth_module: can't find auth method samba4!
    May 21 09:30:10 vmsam smbd[4911]: [2018/05/21 09:30:10.209128,  0, pid=4911, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:4>
    May 21 09:30:10 vmsam smbd[4911]:   load_auth_module: can't find auth method samba4!
    I tried to add "max.protocol = NT1" to smb.conf but it seems not to be valid for AD
    Code:
    May 21 09:42:22 vmsam samba[4319]: [2018/05/21 09:42:22.855009,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
    May 21 09:42:22 vmsam samba[4319]:   /usr/sbin/samba_kcc: Unknown parameter encountered: "max.protocol"
    May 21 09:42:22 vmsam samba[4319]: [2018/05/21 09:42:22.855709,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
    May 21 09:42:22 vmsam samba[4319]:   /usr/sbin/samba_kcc: Ignoring unknown parameter "max.protocol"
    May 21 09:42:22 vmsam samba[4319]: [2018/05/21 09:42:22.975187,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
    May 21 09:42:22 vmsam samba[4319]:   /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
    May 21 09:47:23 vmsam samba[4319]: [2018/05/21 09:47:23.118807,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
    May 21 09:47:23 vmsam samba[4319]:   /usr/sbin/samba_kcc: Unknown parameter encountered: "max.protocol"
    May 21 09:47:23 vmsam samba[4319]: [2018/05/21 09:47:23.120012,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
    May 21 09:47:23 vmsam samba[4319]:   /usr/sbin/samba_kcc: Ignoring unknown parameter "max.protocol"
    May 21 09:47:23 vmsam samba[4319]: [2018/05/21 09:47:23.220939,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
    May 21 09:47:23 vmsam samba[4319]:   /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
    Any Hint?
    Regards
    Philippe
    Tumbleweed (x86_64) Kernel 5.3.5 with KDE plasma
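Added example, not code from this thread or from the Samba project: a POSIX shell script that checks, from the DC or any Linux box, the full set of SRV records a Windows client's DC locator queries before a join. The post's dig test covered _kerberos._udp and _ldap._tcp only; the locator also asks for _ldap._tcp.dc._msdcs, _kerberos._tcp, _kpasswd and _gc, and a missing one of those is not visible in the two records tested above. The realm adsam.pce23.net and DC name vmsam.adsam.pce23.net are the values from the post; the record-to-port table is standard AD behaviour, not something the post lists. The validation function takes the text of dig's +short answer as an argument, so it can be exercised with constructed answers and without network access.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: check the SRV records
# a Windows DC locator needs before a domain join. Realm and DC name are the
# values from the post; override with REALM=... DC_FQDN=... in the environment.
REALM="${REALM:-adsam.pce23.net}"
DC_FQDN="${DC_FQDN:-vmsam.adsam.pce23.net}"

# The records Windows queries when locating a DC, with the port each must
# advertise (standard AD values, assumed here, not listed in the post).
# One per line, as name|port.
srv_records() {
    cat <<EOF
_ldap._tcp.dc._msdcs.$REALM|389
_ldap._tcp.$REALM|389
_kerberos._tcp.$REALM|88
_kerberos._udp.$REALM|88
_kpasswd._tcp.$REALM|464
_kpasswd._udp.$REALM|464
_gc._tcp.$REALM|3268
EOF
}

# srv_ok ANSWER PORT TARGET
# ANSWER is the text of `dig +short -t SRV <name>` (one "prio weight port
# target." per line). Succeeds if at least one line carries PORT and TARGET
# (trailing dot and case ignored); an empty answer fails.
srv_ok() {
    printf '%s\n' "$1" | awk -v port="$2" -v target="$3" '
        NF == 4 {
            sub(/\.$/, "", $4)
            if ($3 == port && tolower($4) == tolower(target)) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_all RESOLVER
# RESOLVER is a command (or shell function) that is given the record name and
# prints the +short answer. Prints one OK/MISSING line per record and returns
# the number of missing records, so 0 means the locator has everything it needs.
check_all() {
    resolver=$1
    missing=0
    for entry in $(srv_records); do
        name=${entry%|*}
        port=${entry#*|}
        if srv_ok "$($resolver "$name")" "$port" "$DC_FQDN"; then
            echo "OK      $name -> $DC_FQDN port $port"
        else
            echo "MISSING $name (want $DC_FQDN port $port)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Query the real resolver only when asked for explicitly, so the functions
# above can be sourced and exercised offline with a fake resolver.
if [ "${1:-}" = "--live" ]; then
    check_all "dig +short -t SRV"
fi
```

Run it as `sh check_srv.sh --live` on the DC (or on a client that uses the DC's DNS); the exit status is the number of records the locator would fail to find. Two further checks belong next to it. On the DC, `testparm -s` prints every parameter name smbd does not recognise, which is exactly what the samba_kcc lines above report for "max.protocol"; the Samba parameter is spelled `server max protocol`, and Windows 10 negotiates SMB2/3, so lowering the DC to NT1 is not needed for a join. On the Windows 10 client, `nltest /dsgetdc:adsam.pce23.net` shows which DC the locator selected and the flags it advertises, which separates a DNS or locator problem from an authentication one.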

  2. #2 (tsu2; Join Date: Jun 2008, Location: San Diego, Ca, USA, Posts: 11,413, Blog Entries: 2)

    Re: Connect windows10 to samba-ad-dc

    Probably the first thing you should do is provide the reference (preferably a link if available online) to the Guide you're using to set up. I see there is a SAMBA Wiki for setting up an Active Directory Domain Controller, provisioning a brand new Domain from scratch

    https://wiki.samba.org/index.php/Set...ain_Controller

    I see you're violating one of my personal "Best Practices" whenever you set up any kind of Network Authentication security...
    You're provisioning a network User account with the same name as an existing Local Machine User Account. The two can never be same, similar, or in any way connected, and by naming the two User accounts the same you are setting yourself up for eternally confusing the two.

    If you do what you have done, you should always refer to the network version as "User@domain" and "Domain\User" and never as simply "User" as you seem to be doing which should by default be the Local Machine User account.

    Best is to use a different naming convention for network and machine User accounts so you can differentiate the two at a glance.

    Don't know if that addresses your issue or not...

    HTH,
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  3. #3 (Philippe; Join Date: Aug 2008, Location: Belgium, Posts: 191)

    Re: Connect windows10 to samba-ad-dc

    Hello,

    Quote Originally Posted by tsu2:
    Probably the first thing you should do is provide the reference (preferably a link if available online) to the Guide you're using to set up. I see there is a SAMBA Wiki for setting up an Active Directory Domain Controller, provisioning a brand new Domain from scratch

    https://wiki.samba.org/index.php/Set...ain_Controller
    Yes, I followed the Samba wiki and also the following (sorry, some are in French):
    https://doc.ubuntu-fr.org/samba-active-directory
    https://reload.eez.fr/blog:2017:05:2...tive_directory
    https://wiki.archlinux.org/index.php...ain_controller
    https://2stech.ca/index.php/linux/li...on-ubuntu-1404

    Quote Originally Posted by tsu2:
    I see you're violating one of my personal "Best Practices" whenever you set up any kind of Network Authentication security...
    You're provisioning a network User account with the same name as an existing Local Machine User Account. The two can never be same, similar, or in any way connected, and by naming the two User accounts the same you are setting yourself up for eternally confusing the two.

    If you do what you have done, you should always refer to the network version as "User@domain" and "Domain\User" and never as simply "User" as you seem to be doing which should by default be the Local Machine User account.

    Best is to use a different naming convention for network and machine User accounts so you can differentiate the two at a glance.

    Don't know if that addresses your issue or not...
    HTH,
    TSU
    No, I only created the domain user via
    Code:
    samba-tool user create wphil

    and I didn't create the user wphil as a Unix user.

    I don't think that there is a problem with the user.
    I searched for a "samba4" auth method but didn't find anything related.

    Thanks for your answer
    Philippe

  4. #4 (tsu2; Join Date: Jun 2008, Location: San Diego, Ca, USA, Posts: 11,413, Blog Entries: 2)

    Re: Connect windows10 to samba-ad-dc

    I didn't mean that there is a "wphil" Unix system User and network user...
    I meant that you are making a mistake on your <client> machine (MS Windows in this case) by having a local system user named the same as your network user... These are your words:
    first I added a user "wphil" in samba
    in Windows 10 i have the same user "wphil" with same password
    Don't do that.
    When you provide a user name for authentication, your system will typically query your local system's authentication by default.
    When you provide a user name for network authentication (see my previous post for the typical formats for doing so), then your query will be directed across the network to your SAMBA authentication server.

    If you don't use a different naming convention for system User names vs network Domain User names, it's easy to confuse the two and make mistakes.

    TSU
