[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
L.P.H. van Belle
belle at bazuin.nl
Mon Jun 8 06:08:00 MDT 2015
Hai,
After reading all below I can only conclude this must be firewalling, as Rowland is saying also.
Check if all of these ports are accessible for the server you're trying to join.
tcp 0 0 192.168.X.1:1024 0.0.0.0:* LISTEN 2146/samba
tcp 0 0 192.168.X.1:135 0.0.0.0:* LISTEN 2146/samba
tcp 0 0 192.168.X.1:139 0.0.0.0:* LISTEN 2147/smbd
tcp 0 0 192.168.X.1:3268 0.0.0.0:* LISTEN 2162/samba
tcp 0 0 192.168.X.1:3269 0.0.0.0:* LISTEN 2162/samba
tcp 0 0 192.168.X.1:389 0.0.0.0:* LISTEN 2162/samba
tcp 0 0 192.168.X.1:42 0.0.0.0:* LISTEN 2157/samba
tcp 0 0 192.168.X.1:445 0.0.0.0:* LISTEN 2147/smbd
tcp 0 0 192.168.X.1:464 0.0.0.0:* LISTEN 2170/samba
tcp 0 0 192.168.X.1:636 0.0.0.0:* LISTEN 2162/samba
tcp 0 0 192.168.X.1:88 0.0.0.0:* LISTEN 2170/samba
Greetz,
Louis
>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Monday 8 June 2015 13:21
>To: samba at lists.samba.org
>Subject: Re: [Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
>
>On 08/06/15 10:42, ivenhov wrote:
>> Thanks all for helping with this and for script
>> Still no luck though.
>>
>> I've modified scripts as they had some bugs, my output and modified version
>> at the end.
>> As I mentioned, I don't have any issues with joining samba 4.1 or 4.2 in the
>> lab, only on that site.
>>
>>>> if so, try the following.
>>>> in resolv.conf, add
>>>> search mynat.myco.bcu myco.bcu
>> I haven't tried that yet. Will do next.
>>
>> There is myco.bcu domain along with mynat.myco.bcu, I'm not sure if that
>> makes it more tricky.
>> In the meantime there were some firewall issues discovered and fixed
>> (filtering of the IPs connecting to LDAP ports). Issue persists though.
>>
>> I don't have full access unfortunately to see exactly what's happening on AD
>> but I can make necessary changes on samba box.
>>
>> At this point I'm thinking error:
>> Failed to join domain: failed to connect to AD: Cannot contact any KDC for requested realm
>>
>> is bogus and real problem lies somewhere else (shown by result
>> WERR_DEFAULT_JOIN_REQUIRED and WERR_GENERAL_FAILURE)
>>
>>>> Could it be that allowing a normal user to join computers has been
>>>> turned off ?
>> Yes it is possible. But apparently my user should have enough permission (I'm
>> sceptical)
>> Does the user doing the join have to be Domain Admin, or is only permission to
>> create objects in OU necessary?
>> How can I check via command line if the user has enough permissions?
>>
>> In my lab I get WERR_DEFAULT_JOIN_REQUIRED when user is not DomainAdmin.
>>
>> Here are my results and modified scripts.
>>
>>
>> m at serv1602:~$ ./script1.sh
>> Content of /etc/resolv.conf
>> ------------------------
>> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
>> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
>> nameserver 10.80.8.88
>> nameserver 10.80.96.13
>> nameserver 10.80.96.17
>> ------------------------------------------------
>>
>> Content of /etc/hosts
>> ------------------------
>> 127.0.0.1 localhost
>> 10.80.100.74 serv1602.mynat.myco.bcu serv1602
>> 10.80.8.88 dc1001.mynat.myco.bcu
>> 10.80.137.41 dc1003.mynat.myco.bcu
>> ------------------------------------------------
>>
>> Content of /etc/hostname
>> ------------------------
>> serv1602.mynat.myco.bcu
>> ------------------------------------------------
>>
>> Local names
>> ------------------------
>> domain: mynat.myco.bcu
>> host long: serv1602.mynat.myco.bcu
>> host short: serv1602
>> ------------------------------------------------
>> test 1
>> testing of : host -t SRV _ldap._tcp.mynat.myco.bcu. : ok
>> test 2
>> testing of : host -t SRV _kerberos._udp.mynat.myco.bcu. : ok
>> test3
>> testing of : host -t A serv1602.mynat.myco.bcu. : ok
>> ------------------------------------------------
>>
>>
>> domain: mynat.myco.bcu
>> host: serv1602.mynat.myco.bcu
>> host short: serv1602
>> m at serv1602:~$
>> m at serv1602:~$
>> m at serv1602:~$ ./script2.sh
>> myco.bcu
>> testing of : host -t SRV _ldap._tcp.myco.bcu. : ok
>> testing of : host -t SRV _kerberos._udp.myco.bcu. : ok
>> testing of : host -t A serv1602.mynat.myco.bcu. : ok
>> m at serv1602:~$
>> m at serv1602:~$
>> m at serv1602:~$
>> m at serv1602:~$
>> m at serv1602:~$
>> m at serv1602:~$ cat ./script1.sh
>> #!/bin/bash
>>
>> echo "Content of /etc/resolv.conf"
>> echo -e "------------------------"
>> cat /etc/resolv.conf
>> echo -e "------------------------------------------------"
>>
>> echo -e "\nContent of /etc/hosts"
>> echo -e "------------------------"
>> cat /etc/hosts
>> echo -e "------------------------------------------------"
>>
>> echo -e "\nContent of /etc/hostname"
>> echo -e "------------------------"
>> cat /etc/hostname
>> echo -e "------------------------------------------------"
>>
>> SETDNSDOMAIN=`hostname -d`
>> SETHOSTNAME=`hostname -f`
>> SETSHORTHOSTNAME=`hostname -s`
>>
>> echo -e "\nLocal names"
>> echo -e "------------------------"
>> echo "domain: " $SETDNSDOMAIN
>> echo "host long:" $SETHOSTNAME
>> echo "host short:" $SETSHORTHOSTNAME
>> echo -e "------------------------------------------------"
>>
>> echo "test 1"
>> if [ -z "`host -t SRV _ldap._tcp.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
>>     echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : ok"
>> else
>>     echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : FAILED"
>> fi
>>
>> echo "test 2"
>> if [ -z "`host -t SRV _kerberos._udp.${SETDNSDOMAIN}. | grep "not found"`" ]; then
>>     echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : ok";
>> else
>>     echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : FAILED";
>> fi
>>
>> echo "test3"
>> if [ -z "`host -t A ${SETSHORTHOSTNAME}.${SETDNSDOMAIN}. | grep "not found"`" ]; then
>>     echo "testing of : host -t A ${SETSHORTHOSTNAME}.${SETDNSDOMAIN}. : ok";
>> else
>>     echo "testing of : host -t A ${SETSHORTHOSTNAME}.${SETDNSDOMAIN}. : FAILED";
>> fi
>>
>> echo -e "------------------------------------------------\n\n"
>>
>> echo "domain: " $SETDNSDOMAIN
>> echo "host:" $SETHOSTNAME
>> echo "host short:" $SETSHORTHOSTNAME
>> m at serv1602:~$
>> m at serv1602:~$
>> m at serv1602:~$
>> m at serv1602:~$
>> m at serv1602:~$ cat ./script2.sh
>> #!/bin/bash
>>
>> SETDNSDOMAIN="myco.bcu"
>> SETHOSTNAME=`hostname -f`
>>
>> echo $SETDNSDOMAIN
>> if [ -z "`host -t SRV _ldap._tcp.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
>>     echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : ok"
>> else
>>     echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : FAILED"
>> fi
>> if [ -z "`host -t SRV _kerberos._udp.${SETDNSDOMAIN}. | grep "not found"`" ]; then
>>     echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : ok";
>> else
>>     echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : FAILED";
>> fi
>> if [ -z "`host -t A ${SETHOSTNAME}. | grep "not found"`" ]; then
>>     echo "testing of : host -t A ${SETHOSTNAME}. : ok";
>> else
>>     echo "testing of : host -t A ${SETHOSTNAME}. : FAILED";
>> fi
>> m at serv1602:~$
>>
>
>There was another instance similar to this over the weekend, everything
>seemed to be ok, but a DC join couldn't find the original DC. This
>turned out to be a firewall issue, so could this be your problem?
>
>Rowland
>