https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh Collected config --- 2022-01-04-21:33 ----------- Hostname: ad-corp3 DNS Domain: ad.corp-web.com FQDN: ad-corp3.ad.corp-web.com ipaddress: 10.2.0.35 10.1.0.35 fd00:1:2:3:ff:ff:fec9:32b3 2603:1:2:3:ff:ff:fec9:32b3 fd00:1:2:3::23 ----------- Kerberos SRV _kerberos._tcp.ad.corp-web.com record verified ok, sample output: Server: 127.0.0.1 Address: 127.0.0.1#53 _kerberos._tcp.ad.corp-web.com service = 0 100 88 ad-corp3.nc.corp-web.com. Samba is running as an AD DC ----------- Checking file: /etc/os-release PRETTY_NAME="Debian GNU/Linux 11 (bullseye)" NAME="Debian GNU/Linux" VERSION_ID="11" VERSION="11 (bullseye)" VERSION_CODENAME=bullseye ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/" ----------- This computer is running Debian 11.2 x86_64 ----------- running command : ip a 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host 2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether aa:00:00:c9:32:b3 brd ff:ff:ff:ff:ff:ff altname enp0s13 altname ens13 inet 10.2.0.35/16 brd 10.2.255.255 scope global eth0 inet6 fd00:1:2:3:ff:ff:fec9:32b3/64 scope global dynamic mngtmpaddr inet6 2603:1:2:3:ff:ff:fec9:32b3/64 scope global dynamic mngtmpaddr inet6 fd00:1:2:3::23/64 scope global inet6 fe80::ff:ff:fec9:32b3/64 scope link 3: eth1: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether aa:00:00:59:16:67 brd ff:ff:ff:ff:ff:ff altname enp0s14 altname ens14 inet 10.1.0.35/16 brd 10.202.255.255 scope global eth1 inet6 fe80::ff:ff:fe59:1667/64 scope link ----------- Checking file: /etc/hosts 127.0.0.1 localhost 10.2.0.16 h-2.corp-web.com h-2 # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters 10.2.0.17 h-3.corp-web.com h-3 10.2.0.18 h-4.corp-web.com h-4 10.2.0.35 ad-corp3.ad.corp-web.com ad-mo3 fd00:1:2:3::23 ad-corp3.ad.corp-web.com ad-mo3 ----------- Checking file: /etc/resolv.conf search ad.corp-web.com CORPOLDWINDOM.local. corp-web.com. nameserver 127.0.0.1 ----------- Checking file: /etc/krb5.conf [libdefaults] default_realm = AD.corp-web.COM dns_lookup_realm = false dns_lookup_kdc = true [realms] AD.corp-web.COM = { default_domain = ad.corp-web.com } [domain_realm] ad-corp3 = AD.corp-web.COM ----------- Checking file: /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: files group: files shadow: files gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis ----------- Checking file: /etc/samba/smb.conf # Global parameters [global] bind interfaces only = Yes dns forwarder = 10.2.0.10 interfaces = lo 10.2.0.35 fd00:1:2:3::23 server role = active directory domain controller netbios name = ad-corp3 realm = AD.corp-web.COM workgroup = AD idmap_ldb:use rfc2307 = yes ### WARNING ### DO NOT config __ idmap __ on a domain controller! [sysvol] path = /var/lib/samba/sysvol read only = No [netlogon] path = /var/lib/samba/sysvol/ad.corp-web.com/scripts read only = No ----------- BIND_DLZ not detected in smb.conf ----------- Installed packages: ii acl 2.2.53-10 amd64 access control list - utilities ii attr 1:2.4.48-6 amd64 utilities for manipulating filesystem extended attributes ii krb5-config 2.6+nmu1 all Configuration files for Kerberos Version 5 ii krb5-user 1.18.3-6+deb11u1 amd64 basic programs to authenticate using MIT Kerberos ii libacl1:amd64 2.2.53-10 amd64 access control list - shared library ii libattr1:amd64 1:2.4.48-6 amd64 extended attribute handling - shared library ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism ii libkrb5-26-heimdal:amd64 7.7.0+dfsg-2 amd64 Heimdal Kerberos - libraries ii libkrb5-3:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries ii libkrb5support0:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - Support library ii libnss-winbind:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Samba nameservice integration plugins ii libpam-krb5:amd64 4.9-2 amd64 PAM module for MIT Kerberos ii libpam-winbind:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Windows domain authentication integration plugin ii libwbclient0:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Samba winbind client library ii python3-samba 2:4.13.13+dfsg-1~deb11u2 amd64 Python 3 bindings for Samba ii samba 2:4.13.13+dfsg-1~deb11u2 amd64 SMB/CIFS file, print, and login server for Unix ii samba-common 2:4.13.13+dfsg-1~deb11u2 all common files used by both the Samba server and client ii samba-common-bin 2:4.13.13+dfsg-1~deb11u2 amd64 Samba common files used by both the server and the client ii samba-dsdb-modules:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Samba Directory Services Database ii samba-libs:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Samba core libraries ii samba-vfs-modules:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Samba Virtual FileSystem plugins ii winbind 2:4.13.13+dfsg-1~deb11u2 amd64 service to resolve user and group information from Windows NT servers -----------