[Samba] I can't join the new AD server with Samba4

Daniel Carrasco Marín danielmadrid19 at gmail.com
Sat Apr 25 09:24:06 MDT 2015


2015-04-25 16:57 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:

> On 25/04/15 15:44, Daniel Carrasco Marín wrote:
>
>>
>>
>> On the AD server I've linked the Kerberos file in the Samba folder:
>> lrwxrwxrwx 1 root root 32 Apr 25 16:23 krb5.conf ->
>> /var/lib/samba/private/krb5.conf
>>
>> On the client I have the default:
>> [libdefaults]
>>         default_realm = TTU.RED
>>
>> # The following krb5.conf variables are only for MIT Kerberos.
>>         krb4_config = /etc/krb.conf
>>         krb4_realms = /etc/krb.realms
>>         kdc_timesync = 1
>>         ccache_type = 4
>>         forwardable = true
>>         proxiable = true
>> ........
>>
>> [realms]
>>         TTU.RED = {
>>                 kdc = pdc
>>                 admin_server = pdc
>>         }
>> ........
>>
>>
>>
> Use the same krb5.conf as on the DC
>

OK, copied.


>
>      Does /etc/krb5.keytab exist? If it does, remove it.
>>
>>
>> Deleted, but nothing changed.
>>
>
> You will need to try and rejoin the domain.
>
>      Does /etc/resolv.conf point to the DC ?
>>
>>
>> Yes:
>> cat /etc/resolv.conf
>> domain TTU
>> nameserver 192.168.2.251
>>
>
> Please change /etc/resolv.conf to this:
>
> search ttu.red
>
> nameserver 192.168.2.251
>

Changed.


>
>
>>     Are you sure that you are using the correct password for
>>     Administrator ?
>>
>>
>> Yes, I've even tried changing the password to another one, and other commands
>> work fine, for example "kinit administrator@TTU.RED" and "klist -c":
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administrator@TTU.RED
>>
>> Valid starting     Expires            Service principal
>> 25/04/15 16:36:10  26/04/15 02:36:10 krbtgt/TTU.RED@TTU.RED
>>         renew until 26/04/15 16:36:06
>>
>>
>> I've linked the file shown in the log to krb5.conf:
>> ln -s /var/run/samba/smb_krb5/krb5.conf.TTU /etc/krb5.conf
>>
>> I got the same error:
>> .......
>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> ads_sasl_spnego_bind: got server principal name =
>> not_defined_in_RFC4178@please_ignore
>> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
>> directory)
>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
>> Sun, 26 Apr 2015 02:37:30 CEST
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
>> libnet_Join:
>>     libnet_JoinCtx: struct libnet_JoinCtx
>>         out: struct libnet_JoinCtx
>>             account_name             : NULL
>>             netbios_domain_name      : 'TTU'
>>             dns_domain_name          : 'ttu.red'
>>             forest_name              : 'ttu.red'
>>             dn                       : NULL
>>             domain_sid               : *
>>                 domain_sid               : S-1-5-21-127850397-371183867-
>> 665961664
>>             modified_config          : 0x00 (0)
>>             error_string             : 'failed to connect to AD: Invalid
>> credentials'
>>             domain_is_ad             : 0x01 (1)
>>             result                   : WERR_GENERAL_FAILURE
>> Failed to join domain: failed to connect to AD: Invalid credentials
>> return code = -1
>>
>> I can run commands like "net ads rpc -U Administrator" and they work fine; I
>> can even get some AD info:
>> # net rpc info -U Administrator
>> Enter Administrator's password:
>> Domain Name: TTU
>> Domain SID: S-1-5-21-127850397-371183867-665961664
>> Sequence number: 1
>> Num users: 144
>> Num domain groups: 42
>> Num local groups: 26
>>
>>
>> It's strange because, as I said, if I create a new domain without upgrading
>> then I can join that domain even without krb5-client installed.
>>
>>
>>
> What OS are you using?
>

Debian 7u2


> What version of Samba on the member server?
>

Same as AD:
Version 4.1.17-Debian


> What packages have you installed to try and get Samba working?
>

Same packages, latest from wheezy-backports. The only difference is that
I've created a new domain instead of upgrading the old 3.6 domain.


>
> Anything else relevant: AppArmor, SELinux, firewall, etc.?


The AD server doesn't have any kind of firewall or AppArmor. I don't have AppArmor, and
the firewall has the basic configuration on the client. I don't know about
SELinux, but the default configuration has not changed.

I'm starting to think it's better to create a new domain and move the
machines and users to it.

Greetings!!


>
> Rowland
>
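As an added example that is not part of this thread and not Samba's own code: a small POSIX shell pre-flight check that applies Rowland's three suggestions from the exchange above (use the same krb5.conf as the DC, remove a pre-existing /etc/krb5.keytab, and give resolv.conf a "search" line for the AD domain) before running "net ads join". It runs offline on constructed copies of the files quoted in the thread. The realm TTU.RED, the DNS domain ttu.red and the nameserver 192.168.2.251 come from the thread; the contents of the DC's /var/lib/samba/private/krb5.conf are not shown in the thread and are assumed here to be the three lines that samba-tool provision writes (default_realm, dns_lookup_realm = false, dns_lookup_kdc = true). All file and function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread and not part of Samba: pre-flight checks
# that apply Rowland's three suggestions to a member server before
# "net ads join". It runs offline on constructed copies of the files quoted
# in the thread.

REALM="TTU.RED"        # realm from the thread
DNS_DOMAIN="ttu.red"   # DNS domain from the thread
DC_IP="192.168.2.251"  # DC address from the thread

# Escape regex metacharacters in a value (only '.' occurs in ours).
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Create constructed sample files in a temp dir and print the dir's path.
make_samples() {
    dir=$(mktemp -d) || return 1
    # The client's krb5.conf as quoted in the thread: KDC given as a bare name.
    cat > "$dir/krb5.conf.client" <<'EOF'
[libdefaults]
        default_realm = TTU.RED
        kdc_timesync = 1
        forwardable = true
[realms]
        TTU.RED = {
                kdc = pdc
                admin_server = pdc
        }
EOF
    # The DC's krb5.conf is not shown in the thread; assumed here to be the
    # three lines that "samba-tool domain provision" writes.
    cat > "$dir/krb5.conf.dc" <<'EOF'
[libdefaults]
        default_realm = TTU.RED
        dns_lookup_realm = false
        dns_lookup_kdc = true
EOF
    # resolv.conf as posted, and as Rowland asked for it.
    printf 'domain TTU\nnameserver 192.168.2.251\n' > "$dir/resolv.conf.before"
    printf 'search ttu.red\nnameserver 192.168.2.251\n' > "$dir/resolv.conf.after"
    # A leftover keytab standing in for /etc/krb5.keytab.
    : > "$dir/krb5.keytab"
    printf '%s\n' "$dir"
}

# Each check prints one finding per line and returns 1 if it found anything.
check_krb5() {
    f=$1; rc=0
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
    [ "$realm" = "$REALM" ] || { echo "default_realm is '$realm', expected '$REALM'"; rc=1; }
    # "kdc = pdc" is a bare short name that only resolves via the resolver's
    # search list; the DC's file locates KDCs through DNS SRV records instead.
    if grep -Eq '^[[:space:]]*kdc[[:space:]]*=[[:space:]]*[^.[:space:]]+[[:space:]]*$' "$f"; then
        echo "kdc is a bare short name; use the same krb5.conf as the DC"; rc=1
    fi
    grep -Eq '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*true' "$f" \
        || { echo "dns_lookup_kdc = true is missing"; rc=1; }
    return $rc
}

check_resolv() {
    f=$1; rc=0
    grep -Eq '^search[[:space:]]+'"$(re_escape "$DNS_DOMAIN")"'([[:space:]]|$)' "$f" \
        || { echo "missing 'search $DNS_DOMAIN' (a 'domain TTU' line is not enough)"; rc=1; }
    grep -Eq '^nameserver[[:space:]]+'"$(re_escape "$DC_IP")"'([[:space:]]|$)' "$f" \
        || { echo "nameserver is not the DC ($DC_IP)"; rc=1; }
    return $rc
}

# A pre-existing keytab should be removed before rejoining.
check_keytab() {
    [ -e "$1" ] || return 0
    echo "keytab already present: $1 (remove it, then rejoin)"
    return 1
}

# Run all three; the return value is the number of failed checks.
preflight() {
    n=0
    check_krb5 "$1" || n=$((n + 1))
    check_resolv "$2" || n=$((n + 1))
    check_keytab "$3" || n=$((n + 1))
    return $n
}

# Demonstration: the files as posted, then after applying the suggestions.
samples=$(make_samples) || exit 1
echo "== files as posted =="
preflight "$samples/krb5.conf.client" "$samples/resolv.conf.before" "$samples/krb5.keytab" \
    || echo "-> $? check(s) failed; fix them before 'net ads join -U Administrator'"
rm -f "$samples/krb5.keytab"
echo "== after the fixes =="
preflight "$samples/krb5.conf.dc" "$samples/resolv.conf.after" "$samples/krb5.keytab" \
    && echo "-> clean; run 'net ads join -U Administrator'"
rm -rf "$samples"
```

On a real member server you would point check_krb5 at /etc/krb5.conf, check_resolv at /etc/resolv.conf and check_keytab at /etc/krb5.keytab instead of the constructed copies. The checks only look at the static configuration; they do not replace "kinit administrator@TTU.RED" as a test that the KDC actually answers, which in the thread already succeeded while the join itself still failed.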

