[Samba] net ads join fails

Rowland Penny rowlandpenny at googlemail.com
Wed Mar 11 03:08:31 MDT 2015 

On 11/03/15 04:49, Roman Dilken wrote:
> smb.conf and krb5.conf on dc2:
>
> # Global parameters
> [global]        workgroup = AD
>          realm = ad.dilken.eu
>          netbios name = DC2
>          server role = active directory domain controller
>          idmap_ldb:use rfc2307 = yes
>          log level = 5
>
> [netlogon]
>          path = /var/lib/samba/sysvol/ad.dilken.eu/scripts
>          read only = No
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
>
> [libdefaults]
>      dns_lookup_realm = true
>      dns_lookup_kdc = true
>      default_realm = AD.DILKEN.EU
>
> smb.conf and krb5.conf on raspberry-pi:
>
> [libdefaults]
>          default_realm = AD.DILKEN.EU
>          dns_lookup_realm = true
>          dns_lookup_kdc = true
>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
> # Global parameters
> [global]
>          workgroup = AD
>          realm = AD.DILKEN.EU
>          netbios name = RASPBERRY-PI
>          server role = active directory domain controller
>          dns forwarder = 192.71.247.247
>          idmap_ldb:use rfc2307 = yes
>          log level = 5
>
> [netlogon]
>          path = /var/lib/samba/sysvol/ad.dilken.eu/scripts
>          read only = No
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
>
> I'll check the DNS entries later again.
>
> Greetings
>
>
> Am 10.03.2015 um 22:55 schrieb Rowland Penny:
>
>> Hmm, it should actually be _kerberos._udp.ad.dilken.eu, what is in /etc/krb5.conf on the two DCs, also what is smb.conf on the two DCs
>>
>> Rowland
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

I would expect the smb.conf on both DCs to identical (apart from netbios 
name), but DC2 doesn't have a forwarder, are you using bind9 on this DC ?

If you are using bind, you are missing the 'server services' line, I use 
bind9 and have this in smb.conf:

[global]
         workgroup = EXAMPLE
         realm = example.com
         netbios name = DC01
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
drepl, winbind, ntp_signd, kcc, dnsupdate
         idmap_ldb:use rfc2307 = yes
         template shell = /bin/bash
;        log level = 3

[netlogon]
         path = /var/lib/samba/sysvol/example.com/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No


/etc/krb5.conf on both my DCs is this:

[libdefaults]
     dns_lookup_realm = false
     dns_lookup_kdc = true
     default_realm = EXAMPLE.COM

/etc/resolv.conf on both my DCs is this:

search example.com
nameserver 127.0.0.1


Rowland

More information about the samba mailing list