# Collected output of samba-collect-debug-info.sh for a Debian 11 Samba domain member.
# Lines beginning "# NOTE(review):" are reviewer annotations, not part of the collected files.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
Collected config --- 2022-01-04-19:28 -----------

Hostname: v-ps4
DNS Domain: CORPOLDWINDOM.local
FQDN: V-PS4.CORPOLDWINDOM.local
ipaddress: 10.2.0.43 10.1.0.43 fd00:1:2:3:ff:ff:fee3:4f3b 2603:1:2:3:ff:ff:fee3:4f3b

-----------
Kerberos SRV _kerberos._tcp.CORPOLDWINDOM.local record verified ok, sample output:
Server: 10.2.0.10
Address: 10.2.0.10#53

_kerberos._tcp.CORPOLDWINDOM.local service = 0 100 88 old-win-dc2.CORPOLDWINDOM.local.
_kerberos._tcp.CORPOLDWINDOM.local service = 0 100 88 old-win-dc1.CORPOLDWINDOM.local.
Samba is running as a Unix domain member

-----------
Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------
This computer is running Debian 11.2 x86_64

-----------
running command : ip a

1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:00:e3:4f:3b brd ff:ff:ff:ff:ff:ff
    altname enp0s13
    altname ens13
    inet 10.2.0.43/16 brd 10.2.255.255 scope global eth0
    inet6 fd00:1:2:3:ff:ff:fee3:4f3b/64 scope global dynamic mngtmpaddr
    inet6 2603:1:2:3:ff:ff:fee3:4f3b/64 scope global dynamic mngtmpaddr
    inet6 fe80::ff:ff:fee3:4f3b/64 scope link
3: eth1: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:00:ac:bb:72 brd ff:ff:ff:ff:ff:ff
    altname enp0s14
    altname ens14
    inet 10.1.0.43/16 brd 10.202.255.255 scope global eth1
    inet6 fe80::ff:ff:feac:bb72/64 scope link

-----------
Checking file: /etc/hosts

127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.2.0.43 V-PS4.CORPOLDWINDOM.local V-PS4

-----------
Checking file: /etc/resolv.conf

search CORPOLDWINDOM.local ad.corp-web.com corp-web.com
nameserver 10.2.0.10
#nameserver 10.2.0.33
#nameserver 10.2.0.4
#nameserver 10.2.0.5

-----------
Checking file: /etc/krb5.conf

[libdefaults]
default_realm = CORPOLDWINDOM.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
# NOTE(review): the three enctype lists below put AES first but still permit
# RC4 (rc4-hmac / arcfour-hmac-md5), single DES and 3DES. Keep the weak types
# only while a KDC or service in this domain still requires them, then reduce
# the lists to the AES types. The stock comment further down in this file also
# advises against overriding the library's enctype defaults.
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
permitted_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
# NOTE(review): allow_weak_crypto = true is what lets MIT Kerberos use the
# single-DES types listed above at all; it is off by default. allow_weak_keys
# is not a key I recognise from the MIT krb5.conf documentation - confirm the
# library in use actually reads it.
allow_weak_keys = true
allow_weak_crypto = true
# The following krb5.conf variables are only for MIT Kerberos.
# kdc_timesync = 1
# ccache_type = 4
# forwardable = true
# proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# The following libdefaults parameters are only for Heimdal Kerberos.
# fcc-mit-ticketflags = true
#https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

-----------
Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files winbind
group: files winbind
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

-----------
Checking file: /etc/samba/smb.conf

[global]
#log level = 0
#log level = 1 printdrivers:10 rpc_parse:10 rpc_srv:10 rpc_cli:10
# NOTE(review): log level 10 is full debug output. The log files grow quickly
# and carry protocol-level detail, so restrict read access to the log
# directory and return to a low level once troubleshooting is finished.
log level = 10
security = ads
realm = CORPOLDWINDOM.LOCAL
workgroup = CORPOLDWINDOM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# NOTE(review): NT1 as the minimum enables SMB1 on both the client and the
# server side. SMB1 is deprecated and lacks the signing and encryption
# improvements of SMB2/3; Samba 4.11 and later default both minimums to
# SMB2_02. Raise these as soon as no SMB1-only peer remains.
client min protocol = NT1
server min protocol = NT1
client max protocol = SMB3
server role = member server
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
winbind normalize names = No
disable netbios = yes
winbind enum users = yes
winbind enum groups = yes
# Just copied this from the recommended configuration, modify to reflect your needs.
idmap config * : backend = tdb
idmap config * : range = 10000-15999
idmap config CORPOLDWINDOM : backend = ad
idmap config CORPOLDWINDOM : schema_mode = rfc2307
idmap config CORPOLDWINDOM : range = 4000-9999
idmap config CORPOLDWINDOM : unix_nss_info = yes
load printers = yes
printing = cups
printcap name = cups
disable spoolss = no
rpc_server:spoolss = external
rpc_server:spoolssd = fork
spoolssd:prefork_min_children = 5
spoolssd:prefork_max_children = 25
spoolssd:prefork_spawn_rate = 5
spoolssd:prefork_max_allowed_clients = 100
spoolssd:prefork_child_min_life = 60
# NOTE(review): sign protects LDAP traffic to the DCs against tampering but
# leaves it readable on the wire; seal additionally encrypts it.
client ldap sasl wrapping = sign
#no?#ldap client require strong auth = no
# NOTE(review): line breaks were lost in this capture; the next line reads as
# an active setting following the commented-out line above - confirm against
# the real file. The parameter governs Samba's own LDAP server, so on a member
# server it presumably has no effect and could be removed.
ldap server require strong auth = no
#ntlm auth = yes
#kerberos method = secrets and keytab
#winbind refresh tickets = true
#create krb5 conf = yes
#dedicated keytab file = /etc/krb5.keytab
#machine password timeout = 0
#client signing = auto
#server signing = auto
#client use spnego = yes
#client ntlmv2 auth = yes
#winbind use default domain = yes
# user Administrator workaround, without it you are unable to set privileges
# NOTE(review): with the user.map shown further down
# (!root = CORPOLDWINDOM\Administrator) smbd treats the domain Administrator
# account as root on this host. Keep /etc/samba/user.map owned by root and not
# writable by anyone else, and protect that domain account accordingly.
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
# turn off usershares
usershare max shares = 0

[testshare]
comment = testshare
path = /samba/network/testshare
valid users = "@CORPOLDWINDOM\domain users" "@domain users" "@domain users@CORPOLDWINDOM.LOCAL" scanned
read only = No
# NOTE(review): wide links = no keeps symlink targets inside the share path
# even though follow symlinks is on.
follow symlinks = yes
wide links = no

[printers]
comment = All Printers
browseable = yes
##path = /var/spool/samba
path = /samba/network/spool
printable = yes
#guest ok = no
#read only = no
#writable = yes
#create mask = 0700
#valid users = root @lpadmin michael.evans "@domain admins" "@domain admins@CORPOLDWINDOM.LOCAL" "@employees" "@employees@CORPOLDWINDOM.LOCAL"

[print$]
comment = Printer Drivers
#path = /var/lib/samba/printers
path = /samba/network/printerdrivers
browseable = yes
read only = no
guest ok = no
# NOTE(review): Windows clients download and install the driver files stored
# in this share, so every entry on the write list can place code that other
# machines will run. Keep the list as short as possible; it currently includes
# a named user account besides root, @lpadmin and the domain admins.
write list = root @lpadmin michael.evans "@domain admins" "@domain admins@CORPOLDWINDOM.LOCAL"

-----------
Running as Unix domain member and user.map detected.

Contents of /etc/samba/user.map

!root = CORPOLDWINDOM\Administrator

Server Role is set to : member server

-----------
Installed packages:
ii acl 2.2.53-10 amd64 access control list - utilities
ii attr 1:2.4.48-6 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6+nmu1 all Configuration files for Kerberos Version 5
ii krb5-user 1.18.3-6+deb11u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-10 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-6 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.7.0+dfsg-2 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.9-2 amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Samba winbind client library
ii python3-samba 2:4.13.13+dfsg-1~deb11u2 amd64 Python 3 bindings for Samba
ii samba 2:4.13.13+dfsg-1~deb11u2 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.13.13+dfsg-1~deb11u2 all common files used by both the Samba server and client
ii samba-common-bin 2:4.13.13+dfsg-1~deb11u2 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.13.13+dfsg-1~deb11u2 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.13.13+dfsg-1~deb11u2 amd64 service to resolve user and group information from Windows NT servers

-----------