
I've gotten a Samba 4 AD DC setup running on Ubuntu 18.04 LTS. I used this tutorial to make it work:

https://www.tecmint.com/install-samba4-active-directory-ubuntu/

The problem is I can't get my Windows 7 or 10 clients to connect to the domain.

Here is my krb5.conf file:

[logging]
default = FILE:/var/log/krb-def.log
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/lrb-adm.log

[libdefaults]
default_realm = MVPOSERVER.LAN

[realms]
MVPOSERVER.LAN = {
   default_domain = mvposerver.lan
   kdc = adc1.mvposerver.lan:88
}

My hosts file:

127.0.0.1   localhost
192.168.9.50    mvposerver
192.168.9.50    mvposerver.lan adc1 _kerberos._udp _ldap._tcp _ldap._tcp.dc._msdcs
192.168.9.50    adc1.mvposerver.lan
192.168.9.50    _kerberos._udp.mvposerver.lan
192.168.9.50    _ldap._tcp.mvposerver.lan
192.168.9.50    _ldap._tcp.dc._msdcs.mvposerver.lan

My netplan IP config is:

network:
  version: 2
  renderer: NetworkManager
  ethernets:
    enp1s0:
      dhcp4: no
      dhcp6: no
      addresses: [192.168.9.50/24]
      gateway4:  192.168.9.250
      nameservers:
              search: [mvposerver.lan]
              addresses: [127.0.0.1, 192.168.9.250]

Samba config:

[screenshot]

Host returns the IP:

# host -t A mvposerver.lan
mvposerver.lan has address 192.168.9.50

Hostname of the server is adc1. klist returns the created Admin, so it's connecting:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MVPOSERVER.LAN

Valid starting       Expires              Service principal
06/18/2019 15:34:17  06/19/2019 01:34:17  krbtgt/MVPOSERVER.LAN@MVPOSERVER.LAN
    renew until 06/19/2019 15:34:14

And samba-tool works for user listing:

# samba-tool user list
Administrator
krbtgt
Guest

Yet connecting Windows 7 Pro won't return ping on the hostname, nor will it connect to the controller. If I ping the hostname mvposerver.lan, which does return the IP on the server itself, it won't resolve it:

[screenshots]

If I ping the Samba NETBIOS name it does return an IP:

[screenshot]

Also, I know Kerberos is working, because in Windows 7 if I make my domain mvposerver instead of mvposerver.lan it does ask me to connect using credentials, but then errors out after:

[screenshots]

I also can't ping google.com or any other domain name from the Windows client once it is on DNS through the DC. I can ping google.com from the DC server in the terminal just fine, and I can also ping 8.8.8.8 from the client; it just doesn't resolve domain names.

EDIT

I installed Bind9 and set up DNS records; now the server won't ping its own hostname, nor does the client still. But the client does have internet now.

DNS Setup:

[screenshot]

EDIT2

I have updated my DNS records and got DNS working, now the client has internet and detects the hostnames correctly:

[screenshots]

So now the client finds the DC by hostname just fine, and it even finds the hostname and IP, but it can't find the DC software running, even though Samba says it's there.

jfreak53

2 Answers


This sounds like a DNS problem. I'm assuming the hosts file you showed is on the server? That's for the server's DNS client component, not for the server's DNS Server component. That's also not going to help other clients resolve DNS for AD.

Do you have a DNS server hosting the DNS zone for AD? If not, you need one and you need to configure the clients that you want to join to the domain to use it.

joeqwerty
  • Thanks. As I put above, on the client computer I changed its primary DNS server to the host: https://i.stack.imgur.com/50lyE.png – jfreak53 Jun 19 '19 at 16:19
  • Right. So the server is running DNS and has a DNS zone for AD and has all of the correct A and SRV records? – joeqwerty Jun 19 '19 at 16:31
  • No, the server is not running NameD or anything like that; the only thing on the server doing DNS is the `/etc/hosts` file that points those domains to its IP. Does the server need NameD running then as well? – jfreak53 Jun 19 '19 at 18:00
  • I installed Bind9 and set up DNS records; now the server doesn't ping itself from the hostname, nor does the client still. But the client does have internet now. – jfreak53 Jun 19 '19 at 18:26
  • AD requires a DNS server to host the AD DNS zones and the accompanying A, SRV, etc. records. You'll need to make sure that Bind is setup correctly and that you have a DNS zone and DNS records for AD. Maybe this will help - https://www.serverlab.ca/tutorials/linux/network-services/using-linux-bind-dns-servers-for-active-directory-domains/ – joeqwerty Jun 19 '19 at 20:48
  • DNS records are set up correctly now; the client can now find the IP address and host, but it now says it cannot find the domain controller running. Please see the updated info above. – jfreak53 Jun 20 '19 at 20:19
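The point of this answer is that a Windows client locates a DC by asking its DNS server for SRV records, which an /etc/hosts file can never answer even when its entries are named like SRV labels. The following check is an added example written for this thread, not code from either poster: it models two constructed resolvers for the question's domain, one backed only by the hosts entries shown above and one backed by a proper AD zone with adc1 as the DC, and reports which locator records are missing. The function names and the sample zone data are assumptions made for the example.

```python
from typing import Callable, Dict, List, Tuple
# Locator SRV records a Windows client queries to find a DC (service prefix,
# port). Standard AD names; constructed for this example, not from the question.
SRV_SERVICES: List[Tuple[str, int]] = [
    ("_ldap._tcp", 389), ("_kerberos._tcp", 88), ("_kerberos._udp", 88),
    ("_kpasswd._tcp", 464), ("_ldap._tcp.dc._msdcs", 389),
    ("_kerberos._tcp.dc._msdcs", 88),
]

def required_ad_records(domain: str) -> List[Tuple[str, str]]:
    d = domain.lower().rstrip(".")
    return [(d, "A")] + [(f"{svc}.{d}", "SRV") for svc, _ in SRV_SERVICES]

def check_dc_locator(domain: str,
                     resolve: Callable[[str, str], List[str]]) -> Dict[str, List[str]]:
    """Query each locator record; also verify every SRV target has an A record."""
    ok, missing = [], []
    for name, rtype in required_ad_records(domain):
        answers = resolve(name, rtype)
        if not answers:
            missing.append(f"{rtype} {name}")
            continue
        ok.append(f"{rtype} {name}")
        for ans in answers if rtype == "SRV" else []:
            target = ans.split()[-1]  # SRV rdata: "priority weight port target"
            if not resolve(target, "A"):
                missing.append(f"A {target} (SRV target of {name})")
    return {"ok": ok, "missing": missing}

# Constructed resolver 1: what the question's /etc/hosts can answer. A hosts
# file yields only A records, even for names that look like SRV labels.
HOSTS_FILE = {n: "192.168.9.50" for n in (
    "mvposerver.lan", "adc1.mvposerver.lan", "_kerberos._udp.mvposerver.lan",
    "_ldap._tcp.mvposerver.lan", "_ldap._tcp.dc._msdcs.mvposerver.lan")}

def hosts_resolver(name: str, rtype: str) -> List[str]:
    return [HOSTS_FILE[name]] if rtype == "A" and name in HOSTS_FILE else []

# Constructed resolver 2: the AD zone as a real DNS server (Samba internal DNS
# or Bind9 with the Samba back end) serves it, with adc1 as every SRV target.
def zone_resolver(name: str, rtype: str) -> List[str]:
    zone = {("mvposerver.lan", "A"): ["192.168.9.50"],
            ("adc1.mvposerver.lan", "A"): ["192.168.9.50"]}
    for svc, port in SRV_SERVICES:
        zone[(f"{svc}.mvposerver.lan", "SRV")] = [f"0 100 {port} adc1.mvposerver.lan"]
    return zone.get((name, rtype), [])

if __name__ == "__main__":
    print(check_dc_locator("mvposerver.lan", hosts_resolver)["missing"])
```

Against the hosts-file resolver every SRV lookup comes back empty, which is exactly the state in which a client resolves the DC's address yet reports that no domain controller can be found; against the zone resolver nothing is missing.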

I'd add this to SAMBA configuration:

Under [Global] add:

min protocol = SMB2

Then restart it.

(SMB1 is deprecated)

Allan Wallace