I'm currently setting up a Samba 4 AD server (on Ubuntu Server 16.04) with about 10 linux/windows members in planning. After successfully provisioning the domain controller I joined the first Xubuntu 16.04 client to the domain.
At first I was able to login at the client with a samba user account. So wbinfo -u and getent passwd both listed all samba accounts. A few minutes later I tried to log in again, but the logon screen only displayed the kerberos warning, that my password is about to expire in 41 days.
getent passwd now only lists the local users. wbinfo -u is inconsistently switching between an empty list and the samba users.
net ads info -d 3 returns the following:
ads_connect: No logon servers
ads_connect: No logon servers
Didn't find the ldap server!
Deleting /var/cache/samba/gencache.tdb and /var/run/samba/gencache_notrans.tdb often changes the output to:
LDAP server: 10.230.44.1
LDAP server name: dc1.samdom.com # not the original domain
Realm: SAMDOM.COM
Bind Path: dc=SAMDOM,dc=COM
LDAP port: 389
Server time: Sa, 15 Okt 2016 18:01:33 CEST
KDC server: 10.230.44.1
Server time offset: 0
But after some time it is falling back to the output above. Sometimes simply waiting also does the trick.
I've got the same problem on a second client but not at the same time.
The server is inside a university network and also serves as a NAT router for the samba clients. However, it is possible for the clients to get internet access, if they use a non-private IP address.
smb.conf of the server:
[global]
workgroup = SAMDOM
realm = SAMDOM.COM
netbios name = DC1
server role = active directory domain controller
dns forwarder = xxx.yyy.xxx.yyy
idmap_ldb:use rfc2307 = Yes
# Only listen to the internal network
interfaces = eno2
bind interfaces only = Yes
[netlogon]
path = /var/lib/samba/sysvol/samdom.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
smb.conf on client:
[global]
netbios name = M1
security = ADS
workgroup = SAMDOM
realm = SAMDOM
log file = /var/log/samba/%m.log
log level = 1
# Default idmap config used for BUILTIN and local windows accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# idmap config for domain SAMDOM
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-99999
# Use template settings for login shell and home directory
winbind nss info = template
template shell = /sbin/bash
template homedir = /home/%U
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
encrypt passwords = Yes
The same setup without the server as NAT router but with normal IP addresses returns the same behaviour.
Best Answer
The client realm is
SAMDOMinstead ofSAMDOM.COM.It looks like typo in the question. Also the DC interfaces ought to include the localhost interface
lo.The
net ads infooutput is not debug enabled with-d 3as told.The client and server realms have to match (and should resolve to a DNS domain).
net ads infoattempts to resolve DNS various domain names, including:otherwise it falls back to netbios name resolution on
<your workgroup>#1c.If I delete the caches, the
<your workgroup>#1centry is resolved with the ip of the DC valid for 660 seconds.Else the
<your workgroup>#1cvalue is discarded as its timeout is negative ( equal to0 - <seconds since epoch>).The 660 seconds timeout is the
NAMECACHETIMEOUTvalue.All in all this should get you a step further but not out of the
No logon servererror. Even if the server is resolved, the client will issue a CLDAP netlogon request which will fail.You could check with:
There debug are missing to sort this out.
If it is intermittent, likely another DNS server has stale entries and at times the DC is queried for domain names , while at times the other DNS server is.
NB:
<your realm>,<your workgroup>and<your server ip>are placeholders.