[Samba] I can't join the new AD server with Samba4

Daniel Carrasco Marín danielmadrid19 at gmail.com
Sat Apr 25 11:07:52 MDT 2015


2015-04-25 18:56 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:

> On 25/04/15 17:24, Daniel Carrasco Marín wrote:
>
>> Hi,
>>
>> The smb.conf is the default after the upgrade:
>> cat /etc/samba/smb.conf
>> # Global parameters
>> [global]
>>         workgroup = TTU
>>         realm = ttu.red
>>         netbios name = PDC
>>         interfaces = lo, eth0
>>         bind interfaces only = Yes
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>> winbind, ntp_signd, kcc, dnsupdate
>>         idmap_ldb:use rfc2307 = yes
>>
>> [netlogon]
>>         path = /server/samba/sysvol/ttu.red/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /server/samba/sysvol
>>         read only = No
>>
>>
> hmm, don't know if it means anything, but you say you are using debian, so
> why is the path to sysvol '/server/samba' and not '/var/lib/samba' ?
>

I've moved the sysvol folder to another path. I like to use that path
because it helps in future upgrades. If I need some extra space I only have
to attach a disk, copy all data to the new disk and mount that disk on /server.
The samba folder with all the other stuff is still in /var/lib/samba.

# samba -b
Samba version: 4.1.17-Debian
Build environment:
   Build host:  Linux pontus 3.14-1-amd64 #1 SMP Debian 3.14.12-1
(2014-07-11) x86_64 GNU/Linux
Paths:
   BINDIR: /usr/bin
   SBINDIR: /usr/sbin
   CONFIGFILE: /etc/samba/smb.conf
   NCALRPCDIR: /var/run/samba/ncalrpc
   LOGFILEBASE: /var/log/samba
   LMHOSTSFILE: /etc/samba/lmhosts
   DATADIR: /usr/share
   MODULESDIR: /usr/lib/x86_64-linux-gnu/samba
   LOCKDIR: /var/run/samba
   STATEDIR: /var/lib/samba
   CACHEDIR: /var/cache/samba
   PIDDIR: /var/run/samba
   PRIVATE_DIR: /var/lib/samba/private
   CODEPAGEDIR: /usr/share/samba/codepages
   SETUPDIR: /usr/share/samba/setup
   WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
   WINBINDD_PRIVILEGED_SOCKET_DIR: /var/lib/samba/winbindd_privileged
   NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd

Greetings!!


> can you post the output of 'samba -b'
>
> Rowland
>
>> and yes, it has a fixed IP.
>>
>> I don't know if it is important, but the DNS backend is Bind 9.9. I've
>> tested the DNS with "samba_dnsupdate --verbose" and it looks fine:
>> IPs: ['192.168.2.251']
>> Looking for DNS entry A pdc.ttu.red 192.168.2.251 as pdc.ttu.red.
>> Looking for DNS entry A ttu.red 192.168.2.251 as ttu.red.
>> Looking for DNS entry SRV _ldap._tcp.ttu.red pdc.ttu.red 389 as
>> _ldap._tcp.ttu.red.
>> Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.ttu.red
>> pdc.ttu.red 389
>> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.ttu.red pdc.ttu.red 389 as
>> _ldap._tcp.dc._msdcs.ttu.red.
>> Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.dc._msdcs.ttu.red
>> pdc.ttu.red 389
>> Looking for DNS entry SRV
>> _ldap._tcp.981b82ce-75a3-453f-a1b1-140194960bac.domains._msdcs.ttu.red
>> pdc.ttu.red 389 as
>> _ldap._tcp.981b82ce-75a3-453f-a1b1-140194960bac.domains._msdcs.ttu.red.
>> Checking 0 100 389 pdc.ttu.red. against SRV
>> _ldap._tcp.981b82ce-75a3-453f-a1b1-140194960bac.domains._msdcs.ttu.red
>> pdc.ttu.red 389
>> Looking for DNS entry SRV _kerberos._tcp.ttu.red pdc.ttu.red 88 as
>> _kerberos._tcp.ttu.red.
>> Checking 0 100 88 pdc.ttu.red. against SRV _kerberos._tcp.ttu.red
>> pdc.ttu.red 88
>> Looking for DNS entry SRV _kerberos._udp.ttu.red pdc.ttu.red 88 as
>> _kerberos._udp.ttu.red.
>> Checking 0 100 88 pdc.ttu.red. against SRV _kerberos._udp.ttu.red
>> pdc.ttu.red 88
>> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.ttu.red pdc.ttu.red 88
>> as _kerberos._tcp.dc._msdcs.ttu.red.
>> Checking 0 100 88 pdc.ttu.red. against SRV
>> _kerberos._tcp.dc._msdcs.ttu.red pdc.ttu.red 88
>> Looking for DNS entry SRV _kpasswd._tcp.ttu.red pdc.ttu.red 464 as
>> _kpasswd._tcp.ttu.red.
>> Checking 0 100 464 pdc.ttu.red. against SRV _kpasswd._tcp.ttu.red
>> pdc.ttu.red 464
>> Looking for DNS entry SRV _kpasswd._udp.ttu.red pdc.ttu.red 464 as
>> _kpasswd._udp.ttu.red.
>> Checking 0 100 464 pdc.ttu.red. against SRV _kpasswd._udp.ttu.red
>> pdc.ttu.red 464
>> Looking for DNS entry CNAME
>> 00b7f230-fa13-4e51-9e36-0c95360029a5._msdcs.ttu.red pdc.ttu.red as
>> 00b7f230-fa13-4e51-9e36-0c95360029a5._msdcs.ttu.red.
>> Looking for DNS entry SRV
>> _ldap._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 389 as
>> _ldap._tcp.Default-First-Site-Name._sites.ttu.red.
>> Checking 0 100 389 pdc.ttu.red. against SRV
>> _ldap._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 389
>> Looking for DNS entry SRV
>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red pdc.ttu.red 389
>> as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red.
>> Checking 0 100 389 pdc.ttu.red. against SRV
>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red pdc.ttu.red 389
>> Looking for DNS entry SRV
>> _kerberos._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 88 as
>> _kerberos._tcp.Default-First-Site-Name._sites.ttu.red.
>> Checking 0 100 88 pdc.ttu.red. against SRV
>> _kerberos._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 88
>> Looking for DNS entry SRV
>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red pdc.ttu.red
>> 88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red.
>> Checking 0 100 88 pdc.ttu.red. against SRV
>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red pdc.ttu.red
>> 88
>> Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.ttu.red pdc.ttu.red 389
>> as _ldap._tcp.pdc._msdcs.ttu.red.
>> Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.pdc._msdcs.ttu.red
>> pdc.ttu.red 389
>> Looking for DNS entry A gc._msdcs.ttu.red 192.168.2.251 as
>> gc._msdcs.ttu.red.
>> Looking for DNS entry SRV _gc._tcp.ttu.red pdc.ttu.red 3268 as
>> _gc._tcp.ttu.red.
>> Checking 0 100 3268 pdc.ttu.red. against SRV _gc._tcp.ttu.red pdc.ttu.red
>> 3268
>> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.ttu.red pdc.ttu.red 3268
>> as _ldap._tcp.gc._msdcs.ttu.red.
>> Checking 0 100 3268 pdc.ttu.red. against SRV _ldap._tcp.gc._msdcs.ttu.red
>> pdc.ttu.red 3268
>> Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.ttu.red
>> pdc.ttu.red 3268 as _gc._tcp.Default-First-Site-Name._sites.ttu.red.
>> Checking 0 100 3268 pdc.ttu.red. against SRV
>> _gc._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 3268
>> Looking for DNS entry SRV
>> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ttu.red pdc.ttu.red
>> 3268 as _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ttu.red.
>> Checking 0 100 3268 pdc.ttu.red. against SRV
>> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ttu.red pdc.ttu.red 3268
>> Looking for DNS entry A DomainDnsZones.ttu.red 192.168.2.251 as
>> DomainDnsZones.ttu.red.
>> Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.ttu.red pdc.ttu.red
>> 389 as _ldap._tcp.DomainDnsZones.ttu.red.
>> Checking 0 100 389 pdc.ttu.red. against SRV
>> _ldap._tcp.DomainDnsZones.ttu.red pdc.ttu.red 389
>> Looking for DNS entry SRV
>> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ttu.red
>> pdc.ttu.red 389 as
>> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ttu.red.
>> Checking 0 100 389 pdc.ttu.red. against SRV
>> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ttu.red
>> pdc.ttu.red 389
>> Looking for DNS entry A ForestDnsZones.ttu.red 192.168.2.251 as
>> ForestDnsZones.ttu.red.
>> Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.ttu.red pdc.ttu.red
>> 389 as _ldap._tcp.ForestDnsZones.ttu.red.
>> Checking 0 100 389 pdc.ttu.red. against SRV
>> _ldap._tcp.ForestDnsZones.ttu.red pdc.ttu.red 389
>> Looking for DNS entry SRV
>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ttu.red
>> pdc.ttu.red 389 as
>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ttu.red.
>> Checking 0 100 389 pdc.ttu.red. against SRV
>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ttu.red
>> pdc.ttu.red 389
>> No DNS updates needed
>>
>> The krb5.conf is the linked version:
>> [libdefaults]
>>         default_realm = TTU.RED
>>         dns_lookup_realm = false
>>         dns_lookup_kdc = true
>>
>>
>> and I can join the AD and use the RSAT tools from a Windows machine.
>>
>> Greetings!!
>>
>> 2015-04-25 18:11 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>
>>     On 25/04/15 17:07, Daniel Carrasco Marín wrote:
>>
>>         Thanks for all your help.
>>
>>         I've got the same error, so I think maybe it is a problem
>>         related to the upgrade. Maybe some wrong permissions or info on
>>         the old samba server.
>>         I'll try to create a new domain with the right data and migrate
>>         all machines (fortunately there are few computers). I think that is best.
>>
>>         Greetings!!
>>
>>         2015-04-25 17:44 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>
>>             On 25/04/15 16:24, Daniel Carrasco Marín wrote:
>>
>>
>>
>>                 2015-04-25 16:57 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>
>>
>>                     On 25/04/15 15:44, Daniel Carrasco Marín wrote:
>>
>>
>>
>>                         On the AD server I've linked the kerberos file in
>>                 the samba folder:
>>                         lrwxrwxrwx 1 root root 32 abr 25 16:23
>>         krb5.conf ->
>>                         /var/lib/samba/private/krb5.conf
>>
>>                         On the client I have the default:
>>                         [libdefaults]
>>                                 default_realm = TTU.RED
>>
>>                         # The following krb5.conf variables are only
>>         for MIT
>>                 Kerberos.
>>                                 krb4_config = /etc/krb.conf
>>                                 krb4_realms = /etc/krb.realms
>>                                 kdc_timesync = 1
>>                                 ccache_type = 4
>>                                 forwardable = true
>>                                 proxiable = true
>>                         ........
>>
>>                         [realms]
>>                                 TTU.RED = {
>>                                         kdc = pdc
>>                                         admin_server = pdc
>>                                 }
>>                         ........
>>
>>
>>
>>                     Use the same krb5.conf as on the DC
>>
>>
>>                 Ok copied.
>>
>>
>>                             Does /etc/krb5.keytab exist, if it does,
>>         remove it.
>>
>>
>>                         Deleted, but nothing changed.
>>
>>
>>                     You will need to try and rejoin the domain
>>
>>                             Does /etc/resolv.conf point to the DC ?
>>
>>
>>                         Yes:
>>                         cat /etc/resolv.conf
>>                         domain TTU
>>                         nameserver 192.168.2.251
>>
>>
>>                     Please change /etc/resolv.conf to this:
>>
>>                     search ttu.red
>>
>>                     nameserver 192.168.2.251
>>
>>
>>                 Changed.
>>
>>
>>
>>                             Are you sure that you are using the correct
>>                 password for
>>                             Administrator ?
>>
>>
>>                         Yes, I've even tried changing the password to
>>         another one, and other
>>                         commands work fine, for example "kinit
>>                         administrator at TTU.RED" and "klist -c":
>>                         Ticket cache: FILE:/tmp/krb5cc_0
>>                         Default principal: administrator at TTU.RED
>>
>>                         Valid starting     Expires Service principal
>>                         25/04/15 16:36:10  26/04/15 02:36:10
>>                 krbtgt/TTU.RED at TTU.RED
>>                                 renew until 26/04/15 16:36:06
>>
>>
>>                         I've linked the file shown in the log to krb5.conf:
>>                         ln -s /var/run/samba/smb_krb5/krb5.conf.TTU
>>         /etc/krb5.conf
>>
>>                         I got the same error:
>>                         .......
>>                         ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>>                         ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>>                         ads_sasl_spnego_bind: got
>>         OID=1.3.6.1.4.1.311.2.2.10
>>                         ads_sasl_spnego_bind: got server principal name =
>>                         not_defined_in_RFC4178 at please_ignore
>>                         ads_krb5_mk_req: krb5_cc_get_principal failed (No
>>                         such file or directory)
>>                         ads_cleanup_expired_creds: Ticket in
>>                 ccache[MEMORY:net_ads]
>>                         expiration Sun, 26 Apr 2015 02:37:30 CEST
>>                         kinit succeeded but ads_sasl_spnego_krb5_bind
>>         failed:
>>                 Invalid
>>                         credentials
>>                         libnet_Join:
>>                             libnet_JoinCtx: struct libnet_JoinCtx
>>                                 out: struct libnet_JoinCtx
>>                                     account_name             : NULL
>>                                     netbios_domain_name      : 'TTU'
>>                                     dns_domain_name          : 'ttu.red'
>>                                     forest_name              : 'ttu.red'
>>                                     dn                       : NULL
>>                                     domain_sid               : *
>>                                         domain_sid    : S-1-5-21-127850397-371183867-665961664
>>                                     modified_config          : 0x00 (0)
>>                                     error_string             : 'failed to
>>                 connect to
>>                         AD: Invalid credentials'
>>                                     domain_is_ad             : 0x01 (1)
>>                                     result                   :
>>                 WERR_GENERAL_FAILURE
>>                         Failed to join domain: failed to connect to
>>         AD: Invalid
>>                         credentials
>>                         return code = -1
>>
>>                         I can run commands like "net ads rpc -U Administrator"
>>                         and they work fine; I can even get some AD info:
>>                         # net rpc info -U Administrator
>>                         Enter Administrator's password:
>>                         Domain Name: TTU
>>                         Domain SID: S-1-5-21-127850397-371183867-665961664
>>
>>                         Sequence number: 1
>>                         Num users: 144
>>                         Num domain groups: 42
>>                         Num local groups: 26
>>
>>
>>                         It is strange because, as I said, if I create a new domain
>>                         without upgrading then I can join that domain even without
>>                         krb5-client installed.
>>
>>
>>
>>                     what OS are you using ?
>>
>>
>>                 Debian 7u2
>>
>>                     what version of samba on the member server ?
>>
>>
>>                 Same as AD:
>>                 Version 4.1.17-Debian
>>
>>                     What packages have you installed to try and get
>>         samba working
>>
>>
>>                 Same packages, latest from wheezy-backports. The only
>>                 difference is that I've created a new domain instead of
>>                 upgrading the old 3.6 domain.
>>
>>
>>                     anything else relevant, apparmor, selinux,
>>         firewall etc  ?
>>
>>
>>                 The AD doesn't have any kind of firewall or apparmor. I don't have
>>                 Apparmor, and the firewall has the basic configuration on the
>>                 client. I don't know about selinux, but the default
>>                 configuration has not changed.
>>
>>                 I'm starting to think it is better to create a new domain and
>>                 move the machines and users to the new domain.
>>
>>                 Greetings!!
>>
>>
>>
>>                     Rowland
>>
>>                     --     To unsubscribe from this list go to the
>>         following
>>                 URL and read the
>>                     instructions:
>>         https://lists.samba.org/mailman/options/samba
>>
>>
>>
>>             OK, I use debian wheezy with samba from backports and this
>>         is how
>>             I set things up on a member server:
>>
>>             Install these packages from backports:
>>
>>             samba samba-common-bin samba-common samba-libs
>>         samba-vfs-modules \
>>             samba-dsdb-modules tdb-tools libwbclient0 libsmbclient
>>         winbind \
>>             ldb-tools zip arj mktemp acl attr quota krb5-config
>>         libnss-winbind \
>>             libpam-winbind libpam-krb5 krb5-user
>>
>>             Create a smb.conf:
>>
>>             [global]
>>                 workgroup = TTU
>>                 security = ADS
>>                 realm = TTU.RED
>>
>>                 dedicated keytab file = /etc/krb5.keytab
>>                 kerberos method = secrets and keytab
>>                 server string = Samba 4 Client %h
>>
>>                 winbind enum users = no
>>                 winbind enum groups = no
>>                 winbind use default domain = yes
>>                 winbind expand groups = 4
>>                 winbind nss info = rfc2307
>>                 winbind refresh tickets = Yes
>>                 winbind offline logon = yes
>>                 winbind normalize names = Yes
>>
>>                 ## map ids outside of domain to tdb files.
>>                 idmap config *:backend = tdb
>>                 idmap config *:range = 2000-9999
>>                 ## map ids from the domain  the ranges may not overlap !
>>                 idmap config TTU : backend = ad
>>                 idmap config TTU : schema_mode = rfc2307
>>                 idmap config TTU : range = 10000-999999
>>
>>                 domain master = no
>>                 local master = no
>>                 preferred master = no
>>                 os level = 20
>>                 map to guest = bad user
>>                 host msdfs = no
>>
>>                 # For ACL support on member server
>>                 vfs objects = acl_xattr
>>                 map acl inherit = Yes
>>                 store dos attributes = Yes
>>
>>                 # Share Setting Globally
>>                 unix extensions = no
>>                 reset on zero vc = yes
>>                 veto files =
>>         /.bash_logout/.bash_profile/.bash_history/.bashrc/
>>                 hide unreadable = yes
>>
>>             alter /etc/krb5.conf
>>
>>             [libdefaults]
>>                 default_realm = TTU.RED
>>                 dns_lookup_realm = false
>>                 dns_lookup_kdc = true
>>
>>             Make sure that the kerberos config file /etc/krb5.conf is
>>         correct
>>
>>             [libdefaults]
>>                 default_realm = TTU.RED
>>                 dns_lookup_realm = false
>>                 dns_lookup_kdc = true
>>
>>             Make sure that /etc/resolv.conf is pointing to the domain
>>         and the
>>             AD DC:
>>
>>             search ttu.red
>>             nameserver <IP_OF_SAMBA4_AD_DC>
>>
>>             You should now be able to join the domain:
>>
>>             net ads join -U Administrator
>>
>>             If this does not work, then it is more likely that the problem
>>             lies on the AD DC, unless it is something simple like blocked
>>             ports on the firewall; the easiest way to rule this out is to
>>             turn off the firewall temporarily.
>>
>>
>>             Rowland
>>
>>
>>
>>     OK, but before you do, you could check the AD DC, could you post
>>     the smb.conf from the DC ?
>>     Does the DC have a fixed ip ?
>>
>>
>>     Rowland
>>
>>
>>
>>
>
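The thread converges on three files on the member server (smb.conf, krb5.conf and resolv.conf) and on one concrete mistake: a resolv.conf carrying the NetBIOS name ("domain TTU") instead of the DNS domain ("search ttu.red"), which leaves the short "pdc" KDC name and the SRV lookups in the wrong place while kinit against the FQDN still works. The script below is an added example, not part of the original thread and not Samba's own code: a pre-join lint that extracts realm, security and default_realm from the two configs, extracts search/domain and nameserver from resolv.conf, and reports every inconsistency that would otherwise surface later as an unhelpful "Invalid credentials" from net ads join. The function names, the lint rules and the sample files (constructed from the configs quoted in the thread) are the example's own assumptions.

```shell
#!/usr/bin/env bash
# Pre-join consistency check for a Samba AD member server (added example).
# Lints smb.conf, krb5.conf and resolv.conf against each other; the sample
# file contents written by write_samples are constructed from this thread.
set -u

# conf_get FILE KEY: value of a "key = value" line (case-insensitive key,
# any indentation, '#' and ';' comments ignored). Works for smb.conf and
# the [libdefaults] part of krb5.conf.
conf_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^[#;]/) next
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }' "$1"
}

# resolv_get FILE KEYWORD: first argument of the first "keyword value" line.
resolv_get() { awk -v kw="$2" '$1 == kw { print $2; exit }' "$1"; }

upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# lint_member_config SMB_CONF KRB5_CONF RESOLV_CONF
# Prints one line per problem; returns the number of problems (0 = clean).
lint_member_config() {
    local smb=$1 krb=$2 res=$3 problems=0
    local realm security default_realm search nameserver
    realm=$(conf_get "$smb" realm)
    security=$(conf_get "$smb" security)
    default_realm=$(conf_get "$krb" default_realm)
    search=$(resolv_get "$res" search)
    [ -z "$search" ] && search=$(resolv_get "$res" domain)
    nameserver=$(resolv_get "$res" nameserver)

    if [ -z "$realm" ]; then
        echo "smb.conf: no realm set"; problems=$((problems + 1))
    fi
    if [ "$(lower "$security")" != "ads" ]; then
        echo "smb.conf: security must be ADS on a domain member (got '${security:-unset}')"
        problems=$((problems + 1))
    fi
    # Kerberos realm names are case-sensitive; the realm is used upper-cased.
    if [ -n "$realm" ] && [ "$default_realm" != "$(upper "$realm")" ]; then
        echo "krb5.conf: default_realm '${default_realm:-unset}' != realm '$(upper "$realm")'"
        problems=$((problems + 1))
    fi
    # The search list must be the DNS domain (lower-cased realm), not the
    # NetBIOS workgroup: otherwise "kdc = pdc" and SRV lookups miss.
    if [ -n "$realm" ] && [ "$(lower "$search")" != "$(lower "$realm")" ]; then
        echo "resolv.conf: search/domain '${search:-unset}' != DNS domain '$(lower "$realm")'"
        problems=$((problems + 1))
    fi
    if [ -z "$nameserver" ]; then
        echo "resolv.conf: no nameserver (must point at the AD DC)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# write_samples DIR: constructed copies of the member configs from the thread.
write_samples() {
    cat > "$1/smb.conf" <<'EOF'
[global]
    workgroup = TTU
    security = ADS
    realm = TTU.RED
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = TTU.RED
    dns_lookup_realm = false
    dns_lookup_kdc = true
EOF
    # The member's original resolv.conf (NetBIOS name) and the corrected one.
    printf 'domain TTU\nnameserver 192.168.2.251\n' > "$1/resolv.conf.bad"
    printf 'search ttu.red\nnameserver 192.168.2.251\n' > "$1/resolv.conf.good"
}

demo() {
    local d r
    d=$(mktemp -d)
    write_samples "$d"
    for r in bad good; do
        echo "== resolv.conf.$r =="
        if lint_member_config "$d/smb.conf" "$d/krb5.conf" "$d/resolv.conf.$r"; then
            echo "OK: configs are consistent; next step: net ads join -U Administrator"
        fi
    done
    rm -rf "$d"
}

demo
```

Run it on a real member by pointing lint_member_config at /etc/samba/smb.conf, /etc/krb5.conf and /etc/resolv.conf; a clean result only rules out the config mismatches seen in this thread, so a join that still fails afterwards points at the DC, the firewall or the clock, as Rowland suggests.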

