So I've got the dreaded 'samba keeps asking for password' issue in Debian Stretch.
My environment:
2x AD DCs running WS2012R2
A few physical computers and several VMs running on ESXi 6.7
All machines can log into domain and access domain shares
All machines can authenticate using the domain users
Samba changed the syntax for smb.conf in version 4.6, so I thought it might have been a problem related to the Stretch standard repo packages being 4.5.12, so I added a Samba repo for Ubuntu called 'Samba Latest':
https://launchpad.net/~linux-schools/+archive/ubuntu/samba-latest
I'm currently using the one for Xenial, which is 4.7.8
I derived my AD join configuration straight from the Samba official wiki. It's been trivial in the past for me to get machines ranging from FreeBSD 11.1-RELEASE to OpenSUSE Leap 15 for the Raspberry Pi 3B+ working with Samba using my configuration. It doesn't make any sense that it wouldn't work with Debian Stretch with either the 4.5.12 standard repo packages or the 4.7.8 packages from Samba-latest.
I also just set up Ubuntu 18.04 Bionic Beaver on a laptop and was able to authenticate as domain users for the desktop and via SSH and su. I am surprised that Debian would be giving me issues if Ubuntu is working fine because they are so similar.
So the only one that isn't working is Debian Stretch. Shame, since usually I like Debian very much, but it seems to really suck for Samba out of the box.
Please note that I tried all the variables I am about to detail on both the standard repo Samba version 4.5.12 and the Samba-latest repo 4.7.8.
Here's my config:
[global]
netbios name = DEBIAN
security = ADS
workgroup = WEBTOOL
realm = WEBTOOL.SPACE
client use spnego = no
client signing = auto
;server signing = auto
;client ntlmv2 auth = yes
;encrypt passwords = yes
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config WEBTOOL : backend = ad
idmap config WEBTOOL : schema_mode = rfc2307
idmap config WEBTOOL : range = 10000-999999
idmap config WEBTOOL : unix_nss_info = yes
idmap config WEBTOOL : unix_primary_group = yes
;winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes
;winbind nested groups = yes
winbind refresh tickets = yes
winbind nss info = rfc2307
;winbind nss info = template
;template shell = /bin/bash
;template homedir = /home/%D/%U
My hostname and /etc/hosts settings are correct, and my DNS pointers point to the two DCs.
My NTP is synced, as checked with ntpq -p and:
$ date
Sat Jun 30 16:52:23 PDT 2018
This matches all other computers on my domain.
I have krb5-user installed and got keytabs from the DCs as administrator as both user and root.
My kinit works but my net ads join -k or net ads join -U [email protected] shows:
$ sudo net ads join -U [email protected]
Enter [email protected]'s password:
Using short domain name -- WEBTOOL
Joined 'DEBIAN' to dns domain 'webtool.space'
DNS Update for debian.webtool.space failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
I don't have this message on any of my other VMs, but I should note that if I did in the past the VM would still join the domain and act properly, and then it was just a matter of figuring out the issue from there.
Here's what I've tried:
- Commenting out anything to do with authentication in the first paragraph of [global]
- Changing client use spnego = yes to = no
- Changing client signing = yes to = auto
- Commenting out server signing = yes and trying = auto
- Commenting out client ntlmv2 auth = yes
- Commenting out encrypt passwords = yes and changing it to = no
Does anyone have any ideas?
0 Answers
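An added check over the idmap part of the [global] section posted above, not code from the question or from Samba itself: it parses the idmap config lines, verifies that a default * backend exists and that per-domain ID ranges are disjoint, and flags the mix of the old global winbind nss info setting with the per-domain unix_nss_info option. That unix_nss_info is the Samba 4.6+ replacement for winbind nss info = rfc2307 is an assumption taken from the Samba wiki, and the sample config is constructed from the question.

```python
import re
from collections import defaultdict
# Constructed sample: the idmap lines from the poster's [global] section, embedded
# inline so the checker runs offline (not read from /etc/samba/smb.conf).
SAMPLE_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config WEBTOOL : backend = ad
idmap config WEBTOOL : range = 10000-999999
idmap config WEBTOOL : unix_nss_info = yes
winbind nss info = rfc2307
"""
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)$", re.I)

def parse_conf(text):
    """Split smb.conf text into per-domain idmap options and the remaining key = value lines."""
    idmap, other = defaultdict(dict), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":  # skip blanks, comments and [section] headers
            continue
        m = IDMAP_RE.match(line)
        if m:
            idmap[m.group(1)][m.group(2).lower()] = m.group(3).strip()
        elif "=" in line:
            key, _, val = line.partition("=")
            other[key.strip().lower()] = val.strip()
    return dict(idmap), other

def check_idmap(idmap, other):
    """Return findings a winbind admin should resolve before trusting ID mapping."""
    findings, ranges = [], {}
    if "*" not in idmap:
        findings.append("no 'idmap config *' default backend for BUILTIN and well-known SIDs")
    for dom, opts in idmap.items():
        if "range" not in opts:
            findings.append(f"{dom}: no range configured")
            continue
        lo, hi = (int(x) for x in opts["range"].split("-"))
        ranges[dom] = (lo, hi)
    doms = sorted(ranges)
    for i, a in enumerate(doms):  # every pair of domain ranges must be disjoint
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges for {a} and {b} overlap: Samba requires disjoint ranges per domain")
    # Assumption (Samba wiki): per-domain unix_nss_info is the 4.6+ form of the global 'winbind nss info = rfc2307'.
    if "winbind nss info" in other and any("unix_nss_info" in o for o in idmap.values()):
        findings.append("both 'winbind nss info' and 'unix_nss_info' set: old and new syntax mixed")
    return findings
```

Run it against the real file with parse_conf(open("/etc/samba/smb.conf").read()) and every finding is something to fix before the next net ads join.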