[Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...

Schuyler Bishop schuyler.bishop at gmail.com
Tue Nov 17 19:32:45 UTC 2015


Hi Rowland,

Thanks for the response.  I stripped my smb.conf down to the bare
suggestions and still have a no-go on the testjoin.  This really smells to
me like a Kerberos configuration issue due to the computer existing in one
and users authenticating from the forest root.  Unfortunately I don't know
where to begin to look for answers as the Kerberos configurations I've
found referenced don't have that concept.

On Tue, Nov 17, 2015 at 12:05 PM Rowland Penny <rowlandpenny241155 at gmail.com>
wrote:

> On 17/11/15 16:38, Schuyler Bishop wrote:
> > Hi Louis,
> >
> > Thanks for the reply.  Upon checking the URL you sent, I'm not finding
> > which stanzas you're referring to as being samba3 - my smb.conf looks
> > remarkably similar to the sample I see there.  Could you perhaps be more
> > specific?
> >
> > Thanks,
> >
> > --Schuyler
> >
> > On Tue, Nov 17, 2015 at 11:23 AM L.P.H. van Belle <belle at bazuin.nl>
> wrote:
> >
> >> You're using a samba3 config on a samba 4.
> >>
> >> Change your config based on :
> >> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> >>
> >>
> >> Gr,
> >>
> >> Louis
> >>
> >>
> >>
> >>> -----Original message-----
> >>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Schuyler
> Bishop
> >>> Sent: Tuesday, 17 November 2015 17:11
> >>> To: samba at lists.samba.org
> >>> Subject: [Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems
> >>> successful with caveats, testjoin reports no logon servers...
> >>>
> >>> Greetings,
> >>>
> >>> Long-time but very occasional samba user here with a new challenge
> (well
> >>> for me at least).
> >>>
> >>> The basics are that on the domain join, the computer account gets
> created
> >>> but throws the dns error which based on my searching seems non-fatal.
> >>>   wbinfo -t gives me a succeeded, wbinfo -a klm.com\\me --ntlmv2 works
> >> fine
> >>> but yet the net ads testjoin fails.  Logs on the domain controller show
> >> "A
> >>> Kerberos authentication ticket (TGT) was requested." with an Audit
> >> Success
> >>> after I run the testjoin that fails.
> >>>
> >>> The AD guys tell me that hij.klm.com is the subdomain that the
> computer
> >>> account exists in (hence the createcomputer string in the join) and
> user
> >>> accounts exist in klm.com including my account that I was using to do
> >> the
> >>> join (me at klm.com).
> >>>
> >>> I did a tcpdump on the testjoin and pulled it into wireshark and I see
> it
> >>> contacting (amongst other things) all of the AD servers in both domains
> >> on
> >>> 88/UDP and getting replies so it doesn't smell like a firewall issue.
> >>>
> >>> Thanks in advance for any help.
> >>>
> >>> Here's the edited and redacted output from the join (the computer
> account
> >>> already existed as you can see):
> >>>
> >>> # net ads join createcomputer="OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com" -U me at klm.com -d 1
> >>> Enter me at KLM.COM's password:
> >>> libnet_Join:
> >>>      libnet_JoinCtx: struct libnet_JoinCtx
> >>>          in: struct libnet_JoinCtx
> >>>              dc_name                  : NULL
> >>>              machine_name             : 'this'
> >>>              domain_name              : *
> >>>                  domain_name              : 'HIJ.KLM.COM'
> >>>              account_ou               :
> >>> 'OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
> >>>              admin_account            : 'me at KLM.COM'
> >>>              machine_password         : NULL
> >>>              join_flags               : 0x00000023 (35)
> >>>                     0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
> >>>                     0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> >>>                     0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> >>>                     0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> >>>                     0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> >>>                     0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> >>>                          something = something-else
> >>>                     1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> >>>                     0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> >>>                     0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> >>>                     1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> >>>                     1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> >>>              os_version               : NULL
> >>>              os_name                  : NULL
> >>>              create_upn               : 0x00 (0)
> >>>              upn                      : NULL
> >>>              modify_config            : 0x00 (0)
> >>>              ads                      : NULL
> >>>              debug                    : 0x01 (1)
> >>>              use_kerberos             : 0x00 (0)
> >>>              secure_channel_type      : SEC_CHAN_WKSTA (2)
> >>> The machine account already exists in the specified OU.
> >>> libnet_Join:
> >>>      libnet_JoinCtx: struct libnet_JoinCtx
> >>>          out: struct libnet_JoinCtx
> >>>              account_name             : NULL
> >>>              netbios_domain_name      : 'HIJ'
> >>>              dns_domain_name          : 'hij.klm.com'
> >>>              forest_name              : 'klm.com'
> >>>              dn                       :
> >>> 'CN=THIS,OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
> >>>              domain_sid               : *
> >>>                  domain_sid               : *REDACTED*
> >>>              modified_config          : 0x00 (0)
> >>>              error_string             : NULL
> >>>              domain_is_ad             : 0x01 (1)
> >>>              result                   : WERR_OK
> >>> Using short domain name -- HIJ
> >>> Joined 'THIS' to dns domain 'hij.klm.com'
> >>> kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any
> KDC
> >>> for requested realm
> >>> DNS update failed: kinit failed: Cannot contact any KDC for requested
> >>> realm
> >>>
> >>> And here's the output from my testjoin:
> >>>
> >>> # net ads testjoin -d 3
> >>> lp_load_ex: refreshing parameters
> >>> Initialising global parameters
> >>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> >>> params.c:pm_process() - Processing configuration file
> >>> "/etc/samba/smb.conf"
> >>> Processing section "[global]"
> >>> added interface eth0 ip=x.x.x.x bcast=x.x.x.y netmask=255.255.255.0
> >>> Registered MSG_REQ_POOL_USAGE
> >>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> >>> get_dc_list: preferred server list: ", *"
> >>> Successfully contacted LDAP server a.b.c.d
> >>> get_dc_list: preferred server list: ", *"
> >>> get_dc_list: preferred server list: ", *"
> >>> get_dc_list: preferred server list: ", *"
> >>> Successfully contacted LDAP server a.b.c.d
> >>> get_dc_list: preferred server list: ", *"
> >>> get_dc_list: preferred server list: ", *"
> >>> resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM
> >> <0x20>
> >>> resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM
> >> <0x20>
> >>> resolve_wins: WINS server resolution selected and no WINS servers
> listed.
> >>> resolve_hosts: Attempting host lookup for name AD1.HIJ.KLM.COM<0x20>
> >>> Successfully contacted LDAP server a.b.c.d
> >>> Connected to LDAP server ad1.hij.klm.com
> >>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
> >>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> >>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> >>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> >>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> >>> ads_sasl_spnego_bind: got server principal name =
> >>> not_defined_in_RFC4178 at please_ignore
> >>> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
> directory)
> >>> kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any
> KDC
> >>> for requested realm
> >>> ads_connect: Cannot contact any KDC for requested realm
> >>> Join to domain is not valid: No logon servers
> >>> return code = -1
> >>>
> >>> My krb5.conf:
> >>>
> >>> [libdefaults]
> >>> ticket_lifetime = 24h
> >>> default_realm = HIJ.KLM.COM
> >>> dns_lookup_realm = false
> >>> dns_lookup_kdc = false
> >>>
> >>> krb4_config = /etc/krb.conf
> >>> kdc_timesync = 1
> >>> ccache_type = 4
> >>> forwardable = true
> >>> proxiable = true
> >>> v4_instance_resolve = false
> >>> v4_name_convert = {
> >>> host = {
> >>> rcmd = host
> >>> ftp = ftp
> >>> }
> >>> plain = {
> >>> something = something-else
> >>> }
> >>> }
> >>> fcc-mit-ticketflags = true
> >>>
> >>> [realms]
> >>> HIJ.KLM.COM = {
> >>> kdc = ad1.hij.klm.com
> >>> kdc = ad2.hij.klm.com
> >>> admin_server = ad.hij.klm.com
> >>> default_domain = hij.klm.com
> >>> }
> >>>
> >>> [domain_realm]
> >>> .xyz.hij.klm.com = HIJ.KLM.COM
> >>> .hij.klm.com = HIJ.KLM.COM
> >>>
> >>> [login]
> >>> krb4_convert = true
> >>> krb4_get_tickets = false
> >>> [logging]
> >>> kdc = FILE:/var/log/krb5kdc.log
> >>> admin_server = FILE:/var/log/kadmin.log
> >>> default = FILE:/var/log/krb5lib.log
> >>>
> >>> My smb.conf:
> >>>
> >>> [global]
> >>>
> >>>     workgroup = hij
> >>>     netbios name = this
> >>>     security = ADS
> >>>     realm = HIJ.KLM.COM
> >>>     server string = XYZ server (Samba, Ubuntu)
> >>>     dns proxy = no
> >>>     printcap name = /etc/printcap
> >>>     load printers = no
> >>>     log file = /var/log/samba/log.%m
> >>>     log level = 1
> >>>     max log size = 1000
> >>>     dedicated keytab file = /etc/krb5.keytab
> >>>     encrypt passwords = yes
> >>>     syslog = 0
> >>>     panic action = /usr/share/samba/panic-action %d
> >>>     server role = standalone server
> >>>     passdb backend = tdbsam
> >>>     obey pam restrictions = yes
> >>>     unix password sync = no
> >>>     passwd program = /usr/bin/passwd %u
> >>>     passwd chat = *Enter\snew\s*\spassword:* %n\n
> >>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >>>     pam password change = no
> >>>     map to guest = bad user
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >>
>
> Two things jump out from your smb.conf:
>
> security = ADS
>
> server role = standalone server
>
> Well, which is it?
> Is it a domain member getting its authentication and users & groups from
> AD, or is it a standalone server that stores its users & groups in a
> file on the server?
>
> If it is a domain member, then follow the link Louis provided and remove
> all the un-required lines from your smb.conf.
>
> Rowland
>
>
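As an added example (not code from this thread or from Samba itself), a small Python check that parses an smb.conf like the one posted above and flags the contradiction Rowland points out between security = ADS and server role = standalone server; the parser, the set of member-server role spellings and the function names are my own assumptions, not Samba's API.

```python
import re

# Constructed sample: the [global] section from the thread, trimmed to the
# lines relevant to the domain-member question.
SMB_CONF_FROM_THREAD = """
[global]
    workgroup = hij
    netbios name = this
    security = ADS
    realm = HIJ.KLM.COM
    dedicated keytab file = /etc/krb5.keytab
    server role = standalone server
    passdb backend = tdbsam
"""

# server role values that describe an AD domain member ("auto" lets Samba
# derive the role from "security"); assumption based on smb.conf(5).
AD_MEMBER_ROLES = {"member server", "member", "domain member", "auto"}


def parse_smb_conf(text):
    """Parse smb.conf-style text into {section: {parameter: value}}.
    Parameter names are lower-cased and whitespace-normalised, since
    Samba ignores case and spacing in them; '#' and ';' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections


def check_domain_member(global_section):
    """Return findings where [global] contradicts an AD domain member setup."""
    findings = []
    security = global_section.get("security", "").lower()
    role = global_section.get("server role", "").lower()
    if security == "ads" and role and role not in AD_MEMBER_ROLES:
        findings.append(f"security = ads conflicts with server role = {role}")
    if security == "ads" and not global_section.get("realm"):
        findings.append("security = ads requires realm to be set")
    return findings


if __name__ == "__main__":
    for finding in check_domain_member(parse_smb_conf(SMB_CONF_FROM_THREAD)["global"]):
        print(finding)
```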

