https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

Collected config --- 2022-01-04-21:34 -----------

Hostname: v-fs5
DNS Domain: ad.corp-web.com
FQDN: v-fs5.ad.corp-web.com
ipaddress: 10.2.0.45 10.1.0.45 fd00:1:2:3:ff:ff:feab:dc9b 2603:1:2:3:ff:ff:feab:dc9b

-----------

Kerberos SRV _kerberos._tcp.ad.corp-web.com record verified ok, sample output:
Server: 10.2.0.35
Address: 10.2.0.35#53
_kerberos._tcp.ad.corp-web.com service = 0 100 88 ad-corp3.nc.corp-web.com.
Samba is running as a Unix domain member

-----------
Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------

This computer is running Debian 11.2 x86_64

-----------
running command : ip a

1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:00:ab:dc:9b brd ff:ff:ff:ff:ff:ff
    altname enp0s13
    altname ens13
    inet 10.2.0.45/16 brd 10.2.255.255 scope global eth0
    inet6 fd00:1:2:3:ff:ff:feab:dc9b/64 scope global dynamic mngtmpaddr
    inet6 2603:1:2:3:ff:ff:feab:dc9b/64 scope global dynamic mngtmpaddr
    inet6 fe80::ff:ff:feab:dc9b/64 scope link
3: eth1: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:00:00:6c:16 brd ff:ff:ff:ff:ff:ff
    altname enp0s14
    altname ens14
    inet 10.1.0.45/16 brd 10.202.255.255 scope global eth1
    inet6 fe80::ff:ff:fe00:6c16/64 scope link

-----------
Checking file: /etc/hosts

127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.2.0.35 ad-corp3.ad.corp-web.com ad-mo3
fd00:1:2:3::23 ad-corp3.ad.corp-web.com ad-mo3
10.2.0.45 v-fs5.ad.corp-web.com v-fs5
fd00:1:2:3::2d v-fs5.ad.corp-web.com v-fs5

-----------
Checking file: /etc/resolv.conf

search ad.corp-web.com CORPOLDWINDOM.local corp-web.com
nameserver 10.2.0.35
#nameserver 10.2.0.33
#nameserver 10.2.0.4
#nameserver 10.2.0.5

-----------
Checking file: /etc/krb5.conf

[libdefaults]
    default_realm = AD.corp-web.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    AD.corp-web.COM = {
        default_domain = ad.corp-web.com
    }

[domain_realm]
    ad-corp3 = AD.corp-web.COM

-----------
Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files winbind
group: files winbind
shadow: files
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

-----------
Checking file: /etc/samba/smb.conf

[global]
    security = ads
    realm = AD.corp-web.COM
    workgroup = AD

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    winbind use default domain = yes
    winbind expand groups = 2
    winbind refresh tickets = Yes
    winbind normalize names = No
    disable netbios = yes

    # I like using unix admin tools
    winbind enum users = yes
    winbind enum groups = yes

    # Just copied this from the recommended configuration, modify to reflect your needs.
    idmap config * : backend = tdb
    idmap config * : range = 4000-7999
    idmap config AD : backend = ad
    idmap config AD : schema_mode = rfc2307
    idmap config AD : range = 10000-19999
    idmap config AD : unix_nss_info = yes

    # disable printing completely
    load printers = yes
    printing = cups
    #printcap name = cups
    disable spoolss = no

    rpc_server:spoolss = external
    rpc_server:spoolssd = fork
    spoolssd:prefork_min_children = 5
    spoolssd:prefork_max_children = 25
    spoolssd:prefork_spawn_rate = 5
    spoolssd:prefork_max_allowed_clients = 100
    spoolssd:prefork_child_min_life = 60

    client ldap sasl wrapping = sign
    #no?#ldap client require strong auth = no
    ldap server require strong auth = no

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes

    # turn off usershares
    usershare max shares = 0

[printers]
    comment = All Printers
    browseable = yes
    ##path = /var/spool/samba
    path = /samba/network/spool
    printable = yes
    #guest ok = no
    #read only = no
    #writable = yes
    #create mask = 0700
    #valid users = root @lpadmin "AD\michael_evans" "CORPOLDWINDOM\michael.evans" "@AD\domain admins" "@CORPOLDWINDOM\domain admins" "@domain admins@CORPOLDWINDOM.LOCAL"

[print$]
    comment = Printer Drivers
    #path = /var/lib/samba/printers
    path = /samba/network/printerdrivers
    browseable = yes
    read only = no
    guest ok = no
    write list = root @lpadmin "AD\michael_evans" "CORPOLDWINDOM\michael.evans" "@AD\domain admins" "@CORPOLDWINDOM\domain admins" "@domain admins@CORPOLDWINDOM.LOCAL"

    # https://support.google.com/a/answer/9193374?hl=en
    # new username convetion first_last

-----------

Running as Unix domain member and user.map detected.
Contents of /etc/samba/user.map

!root = AD\Administrator

Server Role is set to : auto

-----------

Installed packages:
ii acl 2.2.53-10 amd64 access control list - utilities
ii attr 1:2.4.48-6 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6+nmu1 all Configuration files for Kerberos Version 5
ii krb5-user 1.18.3-6+deb11u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-10 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-6 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.7.0+dfsg-2 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.9-2 amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Samba winbind client library
ii python3-samba 2:4.13.13+dfsg-1~deb11u2 amd64 Python 3 bindings for Samba
ii samba 2:4.13.13+dfsg-1~deb11u2 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.13.13+dfsg-1~deb11u2 all common files used by both the Samba server and client
ii samba-common-bin 2:4.13.13+dfsg-1~deb11u2 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.13.13+dfsg-1~deb11u2 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.13.13+dfsg-1~deb11u2 amd64 service to resolve user and group information from Windows NT servers

-----------