Connect Windows 10 to samba-ad-dc

Hello,

I have installed a samba-ad-dc and am trying to join a Windows 10 laptop to the domain, but I receive the error “incorrect parameter”.

My settings:
server with Tumbleweed (with XEN kernel): there I run NTP, DHCP and DNS (chrooted, with dynamic DNS)
DNS manages the zone pce23.net, and I have delegated a sub-zone adsam.pce23.net to another server (XEN VM)

VM:
here I have a DNS server (not chrooted) managing the zone adsam.pce23.net; the server name is vmsam.adsam.pce23.net
samba-ad-dc
ntp

Result of the Samba provisioning:

samba-tool domain provision --use-rfc2307 --realm=ADSAM.PCE23.NET --dns-backend=BIND9_DLZ --domain=ADSAM --server-role=dc --adminpass=xxxxxxx
...
Server Role:         active directory domain controller
Hostname:            vmsam
NETBIOS domain:      ADSAM
DNS Domain:          adsam.pce23.net
Domain SID:          S-1-5-21-2478815240-34117533641-2979103045

/etc/samba/smb.conf

# Global parameters
[global]
    netbios name = VMSAM
    realm = ADSAM.PCE23.NET
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = ADSAM
    idmap_ldb:use rfc2307 = yes
    winbind enum users = yes
    winbind enum groups = yes
#    activate acl
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes 
    log level = 3 passdb:5 auth:10 winbind:5
#    max.protocol =  NT1
    
[netlogon]
    path = /var/lib/samba/sysvol/adsam.pce23.net/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

I have copied the samba krb5.conf to /etc, added the samba tkey-gssapi-keytab and the samba include in /etc/named.conf, changed the /etc/nsswitch.conf and started samba via “systemctl start samba-ad-dc” ==> Status is active (running)

Test DNS and SRV records

vmsam:/var/lib/samba # dig +short -t NS adsam.pce23.net
vmsam.adsam.pce23.net.  
vmsam:/var/lib/samba # dig +short -t SRV _kerberos._udp.adsam.pce23.net
0 100 88 vmsam.adsam.pce23.net.
vmsam:/var/lib/samba # dig +short -t SRV _ldap._tcp.adsam.pce23.net
0 100 389 vmsam.adsam.pce23.net.

Joining Windows 10:
First I added a user “wphil” in Samba.

In Windows 10 I have the same user “wphil” with the same password.

  1. I enter the domain ADSAM, the user wphil and the password ==> incorrect parameter
  2. If I enter a non-existing domain, I receive an error that the domain could not be reached or that the SRV record is missing ==> so the domain ADSAM can be reached :)
  3. If I enter an invalid password, I receive an error that the login/password could not be found ==> so the login is recognized :)
  4. If I use the administrator login and password, the same error “incorrect parameter” occurs

In the journalctl of the VM I have these messages:

May 21 09:30:09 vmsam smbd[4910]: [2018/05/21 09:30:09.362722,  0, pid=4910, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:4>
May 21 09:30:09 vmsam smbd[4910]:   load_auth_module: can't find auth method samba4!
May 21 09:30:09 vmsam smbd[4910]: [2018/05/21 09:30:09.367178,  0, pid=4910, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:4>
May 21 09:30:09 vmsam smbd[4910]:   load_auth_module: can't find auth method samba4!
May 21 09:30:09 vmsam smbd[4910]: [2018/05/21 09:30:09.444308,  0, pid=4910, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:4>
May 21 09:30:09 vmsam smbd[4910]:   load_auth_module: can't find auth method samba4!
May 21 09:30:10 vmsam smbd[4911]: [2018/05/21 09:30:10.138949,  0, pid=4911, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:4>
May 21 09:30:10 vmsam smbd[4911]:   load_auth_module: can't find auth method samba4!
May 21 09:30:10 vmsam smbd[4911]: [2018/05/21 09:30:10.209128,  0, pid=4911, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:4>
May 21 09:30:10 vmsam smbd[4911]:   load_auth_module: can't find auth method samba4!

I tried to add “max.protocol = NT1” in smb.conf, but it seems not to be valid for AD:

May 21 09:42:22 vmsam samba[4319]: [2018/05/21 09:42:22.855009,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
May 21 09:42:22 vmsam samba[4319]:   /usr/sbin/samba_kcc: Unknown parameter encountered: "max.protocol"
May 21 09:42:22 vmsam samba[4319]: [2018/05/21 09:42:22.855709,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
May 21 09:42:22 vmsam samba[4319]:   /usr/sbin/samba_kcc: Ignoring unknown parameter "max.protocol"
May 21 09:42:22 vmsam samba[4319]: [2018/05/21 09:42:22.975187,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
May 21 09:42:22 vmsam samba[4319]:   /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
May 21 09:47:23 vmsam samba[4319]: [2018/05/21 09:47:23.118807,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
May 21 09:47:23 vmsam samba[4319]:   /usr/sbin/samba_kcc: Unknown parameter encountered: "max.protocol"
May 21 09:47:23 vmsam samba[4319]: [2018/05/21 09:47:23.120012,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
May 21 09:47:23 vmsam samba[4319]:   /usr/sbin/samba_kcc: Ignoring unknown parameter "max.protocol"
May 21 09:47:23 vmsam samba[4319]: [2018/05/21 09:47:23.220939,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
May 21 09:47:23 vmsam samba[4319]:   /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb

Any Hint?
Regards
Philippe
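The post above checks two SRV records by hand and, further down, shows a misspelled smb.conf parameter being rejected at runtime. As an added example for this thread (not code from Philippe's post or from the Samba project), the POSIX shell script below runs the two checks a practitioner would want on the DC before attempting a join: it runs `testparm -s` so that an unknown parameter such as "max.protocol" (the parameter is spelled "server max protocol") is caught before Samba is restarted, and it queries the full set of SRV records that Samba registers for a DC and that the Windows DC locator (the `_msdcs` names, in particular `_ldap._tcp.dc._msdcs.<domain>`) and the Kerberos client look up, not only the two tested above. The domain adsam.pce23.net and the DC name vmsam.adsam.pce23.net are taken from the post; the `DIG` and `TESTPARM` variables exist only so that the functions can be exercised with canned answers.

```shell
#!/bin/sh
# Pre-join checks for a Samba AD DC, meant to be run on the DC itself.
# Added example for this thread; not from the original post or the Samba project.
# Hypothetical values taken from the thread: domain adsam.pce23.net, DC vmsam.
# DIG and TESTPARM are overridable only so the functions can be fed canned output.

DIG="${DIG:-dig}"
TESTPARM="${TESTPARM:-testparm}"

# testparm flags misspelled parameters ("max.protocol"; the real name is
# "server max protocol"). Diagnostics go to stderr, the parsed config to stdout.
# Returns 0 when no unknown parameter is reported, 1 otherwise.
check_config() {
    unknown=$("$TESTPARM" -s 2>&1 >/dev/null | grep -c 'Unknown parameter' || true)
    if [ "$unknown" -gt 0 ]; then
        echo "CONFIG   $unknown unknown parameter(s) in smb.conf (see testparm -s)"
        return 1
    fi
    echo "CONFIG   ok"
    return 0
}

# SRV records Samba registers for a DC (its dns_update_list) and that the Windows
# DC locator (_msdcs names) and the Kerberos client query. Printed as name:port.
dc_locator_records() {
    d=$1
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$d:389" \
        "_kerberos._tcp.dc._msdcs.$d:88" \
        "_ldap._tcp.$d:389" \
        "_kerberos._tcp.$d:88" \
        "_kerberos._udp.$d:88" \
        "_kpasswd._tcp.$d:464" \
        "_kpasswd._udp.$d:464"
}

# check_srv NAME PORT DC: 0 when NAME has an SRV answer pointing at DC:PORT.
# "dig +short -t SRV" prints one "priority weight port target." line per record.
check_srv() {
    name=$1; port=$2; dc=$3
    answer=$("$DIG" +short -t SRV "$name" 2>/dev/null || true)
    if [ -z "$answer" ]; then
        echo "MISSING  $name"
        return 1
    fi
    dc_re=$(printf '%s' "$dc" | sed 's/\./\\./g')
    if printf '%s\n' "$answer" | grep -Eiq "^[0-9]+ [0-9]+ $port $dc_re"'\.?$'; then
        echo "OK       $name -> $dc:$port"
        return 0
    fi
    echo "WRONG    $name -> $(printf '%s' "$answer" | head -n 1) (expected $dc:$port)"
    return 1
}

# check_dns DOMAIN DC: verifies the DC's A record plus every locator SRV record.
# Returns the number of failed checks, so 0 means a client should find the DC.
check_dns() {
    domain=$1; dc=$2; failed=0
    if [ -z "$("$DIG" +short -t A "$dc" 2>/dev/null || true)" ]; then
        echo "MISSING  A record for $dc"
        failed=$((failed + 1))
    fi
    for rec in $(dc_locator_records "$domain"); do
        check_srv "${rec%:*}" "${rec##*:}" "$dc" || failed=$((failed + 1))
    done
    return "$failed"
}

# Usage on the DC: sh adjoin_precheck.sh adsam.pce23.net vmsam.adsam.pce23.net
if [ "$#" -ge 2 ]; then
    rc=0
    check_config || rc=1
    check_dns "$1" "$2" || rc=1
    exit "$rc"
fi
```

With only the two records from the post present, the script reports the five missing ones, the `_msdcs` entries among them, which is what the Windows side needs to locate a DC before any credentials are even sent.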

Probably the first thing you should do is provide the reference (preferably a link, if available online) to the guide you’re using to set it up. I see there is a SAMBA Wiki for setting up an Active Directory Domain Controller, provisioning a brand new Domain from scratch:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

I see you’re violating one of my personal “Best Practices” whenever you set up any kind of Network Authentication security…
You’re provisioning a network User account with the same name as an existing Local Machine User Account. The two can never be the same, similar, or in any way connected, and by naming the two User accounts the same you are setting yourself up for eternally confusing the two.

If you do what you have done, you should always refer to the network version as “User@domain” and “Domain\User” and never as simply “User” as you seem to be doing which should by default be the Local Machine User account.

Best is to use a different naming convention for network and machine User accounts so you can differentiate the two at a glance.

Don’t know if that addresses your issue or not…

HTH,
TSU

Hello,

Yes, I followed the Samba wiki and also the following ones (sorry, some are in French):
https://doc.ubuntu-fr.org/samba-active-directory
https://reload.eez.fr/blog:2017:05:24:samba4_en_active_directory
https://wiki.archlinux.org/index.php/Samba/Active_Directory_domain_controller
https://2stech.ca/index.php/linux/linuxtutotials/tutorials/234-samba-active-directory-with-bind-dns-backend-on-ubuntu-1404

> I see you’re violating one of my personal “Best Practices” whenever you set up any kind of Network Authentication security…
> You’re provisioning a network User account with the same name as an existing Local Machine User Account. The two can never be the same, similar, or in any way connected, and by naming the two User accounts the same you are setting yourself up for eternally confusing the two.
>
> If you do what you have done, you should always refer to the network version as “User@domain” and “Domain\User” and never as simply “User” as you seem to be doing which should by default be the Local Machine User account.
>
> Best is to use a different naming convention for network and machine User accounts so you can differentiate the two at a glance.
>
> Don’t know if that addresses your issue or not…
> HTH,
> TSU

No, I only created the domain user via

samba-tool user create wphil

and I did not create the user wphil as a Unix user.

I don’t think there is a problem with the user.
I searched for a “samba4” auth method but didn’t find anything related.

Thanks for your answer
Philippe

I didn’t mean that there is a “wphil” Unix system User and network user…
I meant that you are making a mistake on your <client> machine (MS Windows in this case) by having a local system user named the same as your network user… These are your words:

> First I added a user “wphil” in Samba.
>
> In Windows 10 I have the same user “wphil” with the same password.

Don’t do that.
When you provide a User name for authentication, your system will typically query your local system’s authentication by default.
When you provide a User name for network authentication (see my previous post for the typical formats for doing so), your query will be directed across the network to your SAMBA authentication server.

If you don’t use a different naming convention for system User names vs network Domain User names, it’s easy to confuse the two and make mistakes.

TSU