[Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...

Schuyler Bishop schuyler.bishop at gmail.com
Tue Nov 17 16:11:11 UTC 2015


Greetings,

Long-time but very occasional Samba user here with a new challenge (well,
for me at least).

The basics are that on the domain join, the computer account gets created
but throws the DNS error, which based on my searching seems non-fatal.
wbinfo -t gives me a succeeded, wbinfo -a klm.com\\me --ntlmv2 works fine,
but yet the net ads testjoin fails. Logs on the domain controller show "A
Kerberos authentication ticket (TGT) was requested." with an Audit Success
after I run the testjoin that fails.

The AD guys tell me that hij.klm.com is the subdomain that the computer
account exists in (hence the createcomputer string in the join), and user
accounts exist in klm.com, including my account that I was using to do the
join (me@klm.com).

I did a tcpdump on the testjoin and pulled it into Wireshark, and I see it
contacting (amongst other things) all of the AD servers in both domains on
88/UDP and getting replies, so it doesn't smell like a firewall issue.

Thanks in advance for any help.

Here's the edited and redacted output from the join (the computer account
already existed, as you can see):

# net ads join createcomputer="OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com" -U me@klm.com -d 1
Enter me@KLM.COM's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'this'
            domain_name              : *
                domain_name              : 'HIJ.KLM.COM'
            account_ou               : 'OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
            admin_account            : 'me@KLM.COM'
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                        something = something-else
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
The machine account already exists in the specified OU.
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'HIJ'
            dns_domain_name          : 'hij.klm.com'
            forest_name              : 'klm.com'
            dn                       : 'CN=THIS,OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
            domain_sid               : *
                domain_sid               : *REDACTED*
            modified_config          : 0x00 (0)
            error_string             : NULL
            domain_is_ad             : 0x01 (1)
            result                   : WERR_OK
Using short domain name -- HIJ
Joined 'THIS' to dns domain 'hij.klm.com'
kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC for requested realm
DNS update failed: kinit failed: Cannot contact any KDC for requested realm

And here's the output from my testjoin:

# net ads testjoin -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=x.x.x.x bcast=x.x.x.y netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server a.b.c.d
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server a.b.c.d
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name AD1.HIJ.KLM.COM<0x20>
Successfully contacted LDAP server a.b.c.d
Connected to LDAP server ad1.hij.klm.com
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC for requested realm
ads_connect: Cannot contact any KDC for requested realm
Join to domain is not valid: No logon servers
return code = -1

My krb5.conf:

[libdefaults]
ticket_lifetime = 24h
default_realm = HIJ.KLM.COM
dns_lookup_realm = false
dns_lookup_kdc = false

krb4_config = /etc/krb.conf
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]
HIJ.KLM.COM = {
kdc = ad1.hij.klm.com
kdc = ad2.hij.klm.com
admin_server = ad.hij.klm.com
default_domain = hij.klm.com
}

[domain_realm]
.xyz.hij.klm.com = HIJ.KLM.COM
.hij.klm.com = HIJ.KLM.COM

[login]
krb4_convert = true
krb4_get_tickets = false
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

My smb.conf:

[global]

   workgroup = hij
   netbios name = this
   security = ADS
   realm = HIJ.KLM.COM
   server string = XYZ server (Samba, Ubuntu)
   dns proxy = no
   printcap name = /etc/printcap
   load printers = no
   log file = /var/log/samba/log.%m
   log level = 1
   max log size = 1000
   dedicated keytab file = /etc/krb5.keytab
   encrypt passwords = yes
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = no
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = no
   map to guest = bad user
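
As an added example, not part of the original post and not Samba code, the following Python script parses a krb5.conf and reports, for each principal the join and testjoin above use (the machine account THIS$@HIJ.KLM.COM and the admin account me@KLM.COM), whether the file by itself tells libkrb5 where that realm's KDCs are. The embedded configuration is a constructed, trimmed copy of the krb5.conf posted above, using the post's own redacted realm and host names. With dns_lookup_kdc = false, libkrb5 cannot fall back to DNS SRV records, so a realm is locatable only through an explicit [realms] stanza with kdc entries (or a locator plugin, which the script does not model); the script also resolves DC hostnames through [domain_realm] with the longest-suffix rule.

```python
"""Report which Kerberos realms a krb5.conf can locate KDCs for without DNS.

Added example, not from the original post or from Samba.  SAMPLE_KRB5_CONF
is a constructed copy of the poster's krb5.conf trimmed to the parts that
matter for KDC location; the names are the post's redacted placeholders.
"""
import re

SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = HIJ.KLM.COM
dns_lookup_realm = false
dns_lookup_kdc = false
v4_name_convert = {
    host = {
        rcmd = host
    }
}

[realms]
HIJ.KLM.COM = {
    kdc = ad1.hij.klm.com
    kdc = ad2.hij.klm.com
    admin_server = ad.hij.klm.com
}

[domain_realm]
.xyz.hij.klm.com = HIJ.KLM.COM
.hij.klm.com = HIJ.KLM.COM
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [value, ...]}}.

    'key = {' opens a nested block stored as a dict in the same value list,
    so a realm stanza is reached as conf['realms'][REALM][0].
    """
    sections, stack = {}, []
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue                                  # text before any section
        if line == '}':
            if len(stack) > 1:
                stack.pop()
            continue
        key, sep, value = line.partition('=')
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value == '{':
            child = {}
            stack[-1].setdefault(key, []).append(child)
            stack.append(child)
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def dns_lookup_kdc_enabled(conf):
    """MIT and Heimdal default dns_lookup_kdc to true when it is unset."""
    values = conf.get('libdefaults', {}).get('dns_lookup_kdc', [])
    return not values or values[-1].lower() in ('true', 'yes', '1')


def realm_kdcs(conf, realm):
    """KDC hostnames listed for REALM in [realms]; empty if no stanza."""
    kdcs = []
    for block in conf.get('realms', {}).get(realm, []):
        if isinstance(block, dict):
            kdcs.extend(block.get('kdc', []))
    return kdcs


def unlocatable_realms(conf, principals):
    """Realms of PRINCIPALS that this file alone gives no KDC for.

    Only meaningful when dns_lookup_kdc is off; locator plugins such as
    Samba's winbind krb5 locator are not modelled here.
    """
    if dns_lookup_kdc_enabled(conf):
        return []                                     # SRV lookup may still work
    missing = []
    for principal in principals:
        realm = principal.rsplit('@', 1)[-1]
        if not realm_kdcs(conf, realm) and realm not in missing:
            missing.append(realm)
    return missing


def host_realm(conf, hostname):
    """Realm for HOSTNAME from [domain_realm]; longest matching suffix wins.

    None means no explicit mapping (libkrb5 then applies its own fallback
    heuristics, which are out of scope here).
    """
    host, best = hostname.lower(), None
    for pattern, realms in conf.get('domain_realm', {}).items():
        pat = pattern.lower()
        if host == pat or (pat.startswith('.') and host.endswith(pat)):
            if best is None or len(pat) > len(best[0]):
                best = (pat, realms[-1])
    return best[1] if best else None


if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    principals = ['THIS$@HIJ.KLM.COM', 'me@KLM.COM']  # the two used in the post
    for p in principals:
        realm = p.rsplit('@', 1)[-1]
        print(p, '->', realm_kdcs(conf, realm) or 'no kdc entries')
    print('unlocatable realms:', unlocatable_realms(conf, principals))
    print('ad1.hij.klm.com is in realm', host_realm(conf, 'ad1.hij.klm.com'))
```

Run against the posted configuration, the script lists ad1 and ad2 as KDCs for HIJ.KLM.COM and flags KLM.COM, the realm of the account used for the join, as having no kdc entry while DNS KDC lookup is disabled. Whether that is the cause of the kinit failure for THIS$@HIJ.KLM.COM is a separate question the post leaves open; the check only says what the file can and cannot resolve.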

