[Samba] Problems after PC is joined to the domain - Samba 4

Theodotos Andreou theo at ubuntucy.org
Mon Jun 2 23:38:23 MDT 2014


On 06/02/2014 03:06 PM, steve wrote:
> On Mon, 2014-06-02 at 08:24 +0300, Theodotos Andreou wrote:
>> On 05/30/2014 02:40 PM, steve wrote:
>>> On Fri, 2014-05-30 at 14:08 +0300, Theodotos Andreou wrote:
>>>> On 05/30/2014 01:53 PM, steve wrote:
>>>>> On Fri, 2014-05-30 at 13:13 +0300, Theodotos Andreou wrote:
>>>>>> Hello SAMBA community,
>>>>>>
>>>>>> I used this guide to join a PC to the domain as member using samba 4:
>>>>>> https://wiki.samba.org/index.php/Samba4/Domain_Member
>>>>>>
>>>>>> I am using Ubuntu 14.04 64 bit and I installed samba from the repos. The
>>>>>> stock samba version is:
>>>>>>
>>>>>> # samba --version
>>>>>> Version 4.1.6-Ubuntu
>>>>>>
>>>>>> When I tried to join the PC to the domain I got:
>>>>>>
>>>>>> # net ads join -U admin
>>>>>> kerberos_kinit_password DOM\admin at DOM.FOREST.INT failed: Client not found in Kerberos database
>>>>>> Failed to join domain: failed to connect to AD: Client not found in Kerberos database
>>>>>>
>>>>>> Nevertheless the PC was joined to the domain despite the above error and
>>>>>> I proceeded with the following steps. But when I try to list the users
>>>>>> using 'wbinfo -u' I get some strange behavior. The command takes too
>>>>>> long to complete and it then gives:
>>>>>>
>>>>>> # wbinfo -u --verbose
>>>>>> FOREST\usbms_somepcname
>>>>>>
>>>>>> The second time I run the command it takes again too long but it gives
>>>>>> out the complete list of AD users. But when I try to login as a
>>>>>> particular user though I get:
>>>>>>
>>>>>> # su - myusername
>>>>>> No passwd entry for user 'myusername'
>>>>>> # id myusername
>>>>>> id: myusername: no such user
>>>>>>
>>>>>> This is my smb.conf:
>>>>>>
>>>>>> # cat /etc/samba/smb.conf
>>>>>>      [global]
>>>>>>
>>>>>>        netbios name = MYPCNAME
>>>>>>        workgroup = DOM
>>>>>>        security = ADS
>>>>>>        realm = DOM.FOREST.INT
>>>>>>        encrypt passwords = yes
>>>>> Hi
>>>>> try:
>>>>> add
>>>>> kerberos method = system keytab
>>>>> to [global]
>>>>> and issue:
>>>>> net ads keytab create -Uadmin
>>>>> (Are you sure admin has sufficient privs to add machines?)
>>>>>
>>>>>
>>>> I added that line and it gives:
>>>>
>>>> # net ads keytab create -U 'DOM\admin'
>>>> Enter DOM\admin's password:
>>>> kerberos_kinit_password DOM\admin at DOM..INT failed: Client not found in Kerberos database
>>>> kerberos_kinit_password DOM\admin at LIM.TEPAK.INT failed: Client not found in Kerberos database
>>>>
>>>> After omitting 'DOM\' from the username it gives:
>>>>
>>>> # net ads keytab create -U 'admin'
>>>> Enter admin's password:
>>>> ads_get_dnshostname: No dNSHostName attribute!
>>>> ../source3/libads/kerberos_keytab.c:328: unable to determine machine account's dns name in AD!
>>>>
>>>> I have changed the true username and domain name for reason of paranoia
>>>> :) but I am certain that the user I use is a domain admin.
>>> DNS on Ubuntu:
>>> http://linuxcostablanca.blogspot.com.es/2014/05/dns-good-enough-for-kerberos.html
>>>
>>>
>> Ok now I have this configuration:
>>
>> # grep 127 /etc//hosts
>> 127.0.0.1       localhost
>> 127.0.1.1       MYPCNAME.dom.forest.int MYPCNAME
>>
>> and this:
>>
>> # cat /etc/hostname
>> MYPCNAME
>>
>> Testing:
>>
>> # hostname -d
>> dom.forest.int
>>
>> # domainname
>> (none)
>>
>> I have no idea why domainname gives different results than hostname -d
> It is because you have ignored the information in the link which you
> quote.
>   
>> The PC name resolves correctly on DNS:
>>
>> # host MYPCNAME.dom.forest.int
>> MYPCNAME.dom.forest.int has address 10.10.10.156
>>
>> The problem persists:
>>
>> # net ads keytab create -U admin
>> Enter admin's password:
>> ads_get_dnshostname: No dNSHostName attribute!
>> ../source3/libads/kerberos_keytab.c:328: unable to determine machine account's dns name in AD!
> Of course it can't. Try again. Same link as before, but this time follow
> it correctly.
> HTH
> Steve
>
>
OK I followed the guide blindly:

# grep 127 /etc/hosts
127.0.1.1	MYPCNAME.dom.forest.int MYPCNAME localhost

# cat /etc/hostname
MYPCNAME.dom.forest.int

# grep hosts /etc/nsswitch.conf
hosts:          files dns

# cat /etc/krb5.conf
[libdefaults]
         default_realm = DOM.FOREST.INT
         dns_lookup_realm = false
         dns_lookup_kdc = true


The network interface is configured for DHCP

I don't think /etc/krb5.conf does anything useful because (correct me if 
I am wrong) samba 4 has its own kerberos implementation?

I still get the same behavior:

# hostname -d
dom.forest.int

# domainname
(none)

Now what?
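
The difference between `hostname -d` and `domainname` seen in this thread, as an added example that is not part of the original message: with `hosts: files dns`, the FQDN and DNS domain come from the first name on the matching /etc/hosts line, while `domainname` prints the NIS domain, which is unrelated to DNS. The function names are hypothetical and the hosts content is constructed from the entries quoted above.

```shell
#!/bin/sh
# Added example; sample hosts content is constructed from the entries in the thread.

# canonical_name HOSTS_FILE NAME
# Mimics the "files" NSS lookup: on the first line listing NAME, the first
# name after the address is the canonical (fully qualified) name.
canonical_name() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                      # drop trailing comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(want)) { print $2; exit }
        }' "$1"
}

# dns_domain FQDN: everything after the first dot, empty for a short name.
dns_domain() {
    case "$1" in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   printf '\n' ;;
    esac
}

# realm_matches FQDN REALM: succeeds if REALM equals the DNS domain, ignoring case.
realm_matches() {
    d=$(dns_domain "$1" | tr '[:upper:]' '[:lower:]')
    r=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$d" ] && [ "$d" = "$r" ]
}

# report HOSTS_FILE NAME REALM: one-line summary of the derived values.
report() {
    fqdn=$(canonical_name "$1" "$2")
    if realm_matches "$fqdn" "$3"; then m=yes; else m=no; fi
    printf 'fqdn=%s domain=%s realm_match=%s\n' "$fqdn" "$(dns_domain "$fqdn")" "$m"
}

sample=$(mktemp)
# FQDN listed first: the DNS domain is derived from it.
printf '127.0.0.1\tlocalhost\n127.0.1.1\tMYPCNAME.dom.forest.int MYPCNAME\n' > "$sample"
report "$sample" MYPCNAME DOM.FOREST.INT
# Short name listed first: it becomes canonical and no DNS domain is derived.
printf '127.0.1.1\tMYPCNAME MYPCNAME.dom.forest.int\n' > "$sample"
report "$sample" MYPCNAME DOM.FOREST.INT
rm -f "$sample"
```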

