Hi all,
I've been attempting to connect my Arch-based server as a member of an existing AD domain. I've been following the guide at https://wiki.archlinux.org/index.php/Ac … ntegration
I'm able to interface with the Domain Controller through Kerberos, and I can authenticate successfully through
kinit -u ADMIN
Unfortunately, after changing my config to what the wiki suggested, the samba daemon will no longer start. I've attached the logs below. The main error seems to be that Samba cannot set up the guest account, but I'm unsure whether that means locally or on the Domain. Any help / info would be greatly appreciated.
journalctl -xe output:
-- Unit smb.service has begun starting up.
Aug 16 14:35:31 REDACTEDHOST smbd[2126]: [2018/08/16 14:35:31.023028, 0] ../source3/auth/auth_util.c:1372(make_new_session_info_guest)
Aug 16 14:35:31 REDACTEDHOST smbd[2126]: create_local_token failed: NT_STATUS_NO_MEMORY
Aug 16 14:35:31 REDACTEDHOST smbd[2126]: [2018/08/16 14:35:31.023070, 0] ../source3/smbd/server.c:1993(main)
Aug 16 14:35:31 REDACTEDHOST smbd[2126]: ERROR: failed to setup guest info.
Aug 16 14:35:31 REDACTEDHOST systemd[1]: smb.service: Main process exited, code=exited, status=255/n/a
Aug 16 14:35:31 REDACTEDHOST systemd[1]: smb.service: Failed with result 'exit-code'.
Aug 16 14:35:31 REDACTEDHOST systemd[1]: Failed to start Samba SMB Daemon.
-- Subject: Unit smb.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit smb.service has failed.
smb.conf:
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
# - When such options are commented with ";", the proposed setting
# differs from the default Samba behaviour
# - When commented with "#", the proposed setting is the default
# behaviour of Samba but the option is considered important
# enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#======================= Global Settings =======================
[global]
netbios name = REDACTEDHOST
workgroup = REDACTEDDOMAIN
realm = REDACTEDDOMAIN.COM
server string = %h ArchLinux Host
security = ads
encrypt passwords = yes
password server = ad.redacteddomain.com
client signing = auto
server signing = auto
idmap config * : backend = tdb
idmap config * : range = 10000-20000
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind separator = +
winbind refresh tickets = yes
winbind offline logon = yes
winbind cache time = 300
template shell = /bin/bash
template homedir = /home/%D/%U
preferred master = no
dns proxy = no
wins server = ad.REDACTEDDOMAIN.com
wins proxy = no
inherit acls = Yes
map acl inherit = Yes
acl group control = yes
load printers = no
debug level = 3
use sendfile = no
client max protocol = SMB3
client min protocol = SMB2
[demoEngie]
path = /mnt/demoEng
read only = no
valid users = demoEngie bill
[demoAcc]
path = /mnt/demoAcc
read only = no
valid users = demoAcc bill
[bill]
path = /mnt/bill
read only = no
guest ok = no
valid users = bill
[sharefolder]
path = /mnt/sharefolder
read only = no
Hi ! I have exactly the same issue. I'm following the Arch Wiki https://wiki.archlinux.org/index.php/Ac … ting_Samba but can't start the smb service. The error message is the same "create_local_token failed: NT_STATUS_NO_MEMORY".
My smb.conf (available 1 month from now) : http://paste.alacon.org/45939
" The only real car radio is the one who adjusts with the right foot. "
I don't know if this is the issue, but comparing my currently connected smb.conf to yours, I notice 3 differences. I have the winbind separator commented out, and I have 2 additional config options.
...
dedicated keytab file = /etc/krb5/keytab
kerberos method = secrets and keytab
...
# winbind separator = +
...
Are you able to start winbind?
Also, doing a little more digging into the guest issue specifically brought up a thread from 2018: https://bugzilla.redhat.com/show_bug.cgi?id=1648399
If you think you'd be ok testing a command from there, they were recommending mapping the guest user to the nobody unix group. I can't say if this would work or not as I've never run the command myself, but it might be worth trying.
net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
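A way to check the current state before changing the group map, as an added example that is not part of the thread: the script looks for the two smbd messages quoted in the first post and then for an existing mapping of the Guests SID named in the last post. The function names, the sample inputs and the assumed `net groupmap list` line format (`Name (SID) -> unixgroup`) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs below are constructed.
GUESTS_SID="S-1-5-32-546"   # BUILTIN\Guests, the SID in the groupmap command above

# Exit 0 if journal text on stdin contains both smbd messages quoted in the thread.
has_guest_token_failure() {
    awk '/create_local_token failed/   { a = 1 }
         /failed to setup guest info/  { b = 1 }
         END { exit !(a && b) }'
}

# Read `net groupmap list` output on stdin (assumed "Name (SID) -> unixgroup");
# print the unix group mapped to the Guests SID, or exit 1 if there is none.
guest_unix_group() {
    awk -v sid="($GUESTS_SID)" '
        index($0, sid) && match($0, /-> .*$/) { print substr($0, RSTART + 3); found = 1 }
        END { exit !found }'
}

# $1 = journal text, $2 = groupmap listing. Prints no-match, unmapped or mapped:<group>.
triage() {
    if ! printf '%s\n' "$1" | has_guest_token_failure; then
        echo "no-match"
    elif group=$(printf '%s\n' "$2" | guest_unix_group); then
        echo "mapped:$group"
    else
        echo "unmapped"
    fi
}

SAMPLE_JOURNAL='smbd[2126]: create_local_token failed: NT_STATUS_NO_MEMORY
smbd[2126]: ERROR: failed to setup guest info.'
SAMPLE_UNMAPPED='Users (S-1-5-32-545) -> users'
SAMPLE_MAPPED='Users (S-1-5-32-545) -> users
Guests (S-1-5-32-546) -> nobody'

triage "$SAMPLE_JOURNAL" "$SAMPLE_UNMAPPED"   # unmapped
triage "$SAMPLE_JOURNAL" "$SAMPLE_MAPPED"     # mapped:nobody

# Live use, as root:
#   triage "$(journalctl -u smb.service -b --no-pager)" "$(net groupmap list)"
```

A result of `unmapped` is the state the `net ... groupmap add` command in the post above is meant to change; `mapped:<group>` shows which unix group the Guests SID already points at.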