[Samba] security = ads parameter not working in samba 4.9.5
Sac Isilia
udaypratap.singh65 at gmail.com
Wed Dec 11 12:54:20 UTC 2019
Hi Belle,
Below is the output after I performed the suggested steps.
root@esmad1apl01:~# net ads join -U media\\svc_domjoin02 -d6
INFO: Current debug levels:
all: 6
tdb: 6
printdrivers: 6
lanman: 6
smb: 6
rpc_parse: 6
rpc_srv: 6
rpc_cli: 6
passdb: 6
sam: 6
auth: 6
winbind: 6
vfs: 6
idmap: 6
quota: 6
acls: 6
locking: 6
msdfs: 6
dmapi: 6
registry: 6
scavenger: 6
dns: 6
ldb: 6
tevent: 6
auth_audit: 6
auth_json_audit: 6
kerberos: 6
drs_repl: 6
smb2: 6
smb2_credits: 6
dsdb_audit: 6
dsdb_json_audit: 6
dsdb_password_audit: 6
dsdb_password_json_audit: 6
dsdb_transaction_audit: 6
dsdb_transaction_json_audit: 6
dsdb_group_audit: 6
dsdb_group_json_audit: 6
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
all: 6
tdb: 6
printdrivers: 6
lanman: 6
smb: 6
rpc_parse: 6
rpc_srv: 6
rpc_cli: 6
passdb: 6
sam: 6
auth: 6
winbind: 6
vfs: 6
idmap: 6
quota: 6
acls: 6
locking: 6
msdfs: 6
dmapi: 6
registry: 6
scavenger: 6
dns: 6
ldb: 6
tevent: 6
auth_audit: 6
auth_json_audit: 6
kerberos: 6
drs_repl: 6
smb2: 6
smb2_credits: 6
dsdb_audit: 6
dsdb_json_audit: 6
dsdb_password_audit: 6
dsdb_password_json_audit: 6
dsdb_transaction_audit: 6
dsdb_transaction_json_audit: 6
dsdb_group_audit: 6
dsdb_group_json_audit: 6
Processing section "[global]"
doing parameter workgroup = EMEA-MEDIA
doing parameter realm = EMEA.MEDIA.GLOBAL.LOC
doing parameter security = ADS
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter winbind use default domain = yes
doing parameter winbind expand groups = 2
doing parameter winbind refresh tickets = Yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 3000-7999
doing parameter idmap config EMEA-MEDIA : backend = ad
doing parameter idmap config EMEA-MEDIA : schema_mode = rfc2307
doing parameter idmap config EMEA-MEDIA : unix_nss_info = yes
doing parameter idmap config EMEA-MEDIA : range = 16777216-33554431
doing parameter domain master = no
doing parameter local master = no
doing parameter preferred master = no
doing parameter username map = /etc/samba/user.map
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = yes
doing parameter store dos attributes = yes
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
pm_process() returned Yes
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
Registering messaging pointer for type 51 - private_data=(nil)
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
INFO: Current debug levels:
all: 6
tdb: 6
printdrivers: 6
lanman: 6
smb: 6
rpc_parse: 6
rpc_srv: 6
rpc_cli: 6
passdb: 6
sam: 6
auth: 6
winbind: 6
vfs: 6
idmap: 6
quota: 6
acls: 6
locking: 6
msdfs: 6
dmapi: 6
registry: 6
scavenger: 6
dns: 6
ldb: 6
tevent: 6
auth_audit: 6
auth_json_audit: 6
kerberos: 6
drs_repl: 6
smb2: 6
smb2_credits: 6
dsdb_audit: 6
dsdb_json_audit: 6
dsdb_password_audit: 6
dsdb_password_json_audit: 6
dsdb_transaction_audit: 6
dsdb_transaction_json_audit: 6
dsdb_group_audit: 6
dsdb_group_json_audit: 6
Processing section "[global]"
doing parameter workgroup = EMEA-MEDIA
doing parameter realm = EMEA.MEDIA.GLOBAL.LOC
doing parameter security = ADS
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter winbind use default domain = yes
doing parameter winbind expand groups = 2
doing parameter winbind refresh tickets = Yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 3000-7999
doing parameter idmap config EMEA-MEDIA : backend = ad
doing parameter idmap config EMEA-MEDIA : schema_mode = rfc2307
doing parameter idmap config EMEA-MEDIA : unix_nss_info = yes
doing parameter idmap config EMEA-MEDIA : range = 16777216-33554431
doing parameter domain master = no
doing parameter local master = no
doing parameter preferred master = no
doing parameter username map = /etc/samba/user.map
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = yes
doing parameter store dos attributes = yes
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="ESMAD1APL01"
added interface ens192 ip=10.34.54.152 bcast=10.34.54.255
netmask=255.255.255.0
Enter media\svc_domjoin02's password:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'ESMAD1APL01'
domain_name : *
domain_name : 'EMEA.MEDIA.GLOBAL.LOC'
domain_name_type : JoinDomNameTypeDNS (1)
account_ou : NULL
admin_account : 'media\svc_domjoin02'
admin_domain : NULL
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
os_servicepack : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
desired_encryption_types : 0x0000001f (31)
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'EMEA.MEDIA.GLOBAL.LOC':
"ESMAD2"
ads_dns_lookup_srv: 2 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'EMEA.MEDIA.GLOBAL.LOC':
"ESMAD2"
no entry for ESMAD2DCM03.emea.media.global.loc#20 found.
resolve_hosts: Attempting host lookup for name
ESMAD2DCM03.emea.media.global.loc<0x20>
namecache_store: storing 1 address for
ESMAD2DCM03.emea.media.global.loc#20: 10.34.54.47
Connecting to 10.34.54.47 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
signed SMB2 message
signed SMB2 message
Bind RPC Pipe: host ESMAD2DCM03.emea.media.global.loc auth_type 0,
auth_level 1
rpc_api_pipe: host ESMAD2DCM03.emea.media.global.loc
signed SMB2 message
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host ESMAD2DCM03.emea.media.global.loc
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host ESMAD2DCM03.emea.media.global.loc
signed SMB2 message
rpc_read_send: data_to_read: 212
rpc_api_pipe: host ESMAD2DCM03.emea.media.global.loc
signed SMB2 message
rpc_read_send: data_to_read: 32
signed SMB2 message
saf_fetch: failed to find server for "emea.media.global.loc" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for emea.media.global.loc using DNS
ads_dns_lookup_srv: 2 records returned in the answer section.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.34.54.46:88 10.34.54.47:88
saf_fetch: failed to find server for "emea.media.global.loc" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for emea.media.global.loc using DNS
ads_dns_lookup_srv: 19 records returned in the answer section.
get_dc_list: returning 19 ip addresses in an ordered list
get_dc_list: 10.34.54.47:88 10.57.102.101:88 10.43.2.2:88 10.19.26.136:88
10.48.128.12:88 10.53.75.3:88 10.19.26.137:88 10.10.136.85:88
10.10.136.101:88 10.53.4.3:88 10.34.54.46:88 10.8.32.53:88 10.53.4.2:88
10.19.17.132:88 10.49.67.180:88 10.8.32.54:88 10.10.136.95:88
10.19.17.133:88 10.49.214.7:88
create_local_private_krb5_conf_for_domain: wrote file
/var/run/samba/smb_krb5/krb5.conf.EMEA-MEDIA with realm
EMEA.MEDIA.GLOBAL.LOC KDC list = kdc = 10.34.54.47
kdc = 10.34.54.46
kdc = 10.43.2.2
kdc = 10.19.26.136
sitename_fetch: Returning sitename for realm 'EMEA.MEDIA.GLOBAL.LOC':
"ESMAD2"
name ESMAD2DCM03.emea.media.global.loc#20 found.
ads_try_connect: sending CLDAP request to 10.34.54.47 (realm:
emea.media.global.loc)
Successfully contacted LDAP server 10.34.54.47
Connected to LDAP server ESMAD2DCM03.emea.media.global.loc
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password svc_domjoin02@EMEA.MEDIA.GLOBAL.LOC failed: Client not found in Kerberos database
ads_sasl_spnego_gensec_bind(KRB5) failed for
ldap/esmad2dcm03.emea.media.global.loc with user[svc_domjoin02]
realm=[EMEA.MEDIA.GLOBAL.LOC]: Client not found in Kerberos database
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : 'ESMAD1APL01$'
netbios_domain_name : 'EMEA-MEDIA'
dns_domain_name : 'emea.media.global.loc'
forest_name : 'global.loc'
dn : NULL
domain_guid : 28b8ead4-212a-4eb4-b9ce-b9b2096fab5e
domain_sid : *
domain_sid :
S-1-5-21-1175101033-2187731779-11171261
modified_config : 0x00 (0)
error_string : 'failed to connect to AD: Client not
found in Kerberos database'
domain_is_ad : 0x01 (1)
set_encryption_types : 0x00000000 (0)
krb5_salt : NULL
result : WERR_NERR_DEFAULTJOINREQUIRED
Failed to join domain: failed to connect to AD: Client not found in
Kerberos database
return code = -1
root@esmad1apl01:~# systemctl unmask smbd winbind
Removed /etc/systemd/system/smbd.service.
Removed /etc/systemd/system/winbind.service.
root@esmad1apl01:~# systemctl enable smbd winbind
Synchronizing state of smbd.service with SysV service script with
/lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable smbd
Synchronizing state of winbind.service with SysV service script with
/lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable winbind
Created symlink /etc/systemd/system/multi-user.target.wants/smbd.service ->
/lib/systemd/system/smbd.service.
Created symlink /etc/systemd/system/multi-user.target.wants/winbind.service
-> /lib/systemd/system/winbind.service.
root@esmad1apl01:~# systemctl start smbd winbind
Job for winbind.service failed because the control process exited with
error code.
See "systemctl status winbind.service" and "journalctl -xe" for details.
Regards
Sachin Kumar
On Tue, Dec 10, 2019 at 6:21 PM L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:
> I've re-read this thread but it's a bit confusing due to 2 persons with the
> same problem in one thread.
>
> I'm thinking here, how is samba started, since winbind is not running.
> I'm suspecting samba-addc or samba is starting. Not smbd nmbd winbind.
>
> I suggest to run this:
>
> Disable that all again.
> systemctl disable samba-addc samba smbd nmbd winbind
> systemctl mask samba-addc samba smbd nmbd winbind
> systemctl stop samba-addc samba smbd nmbd winbind
>
> Make sure your config matches up with what we already showed.
> My setup or Rowland's are the same.
>
> Now try to join again with :
> net ads join -UAdministrator -d6
> And post the needed output to see what is still going on.
>
> Enable only the needed for a member server.
> !note, only nmbd if you really need it, else remove it from the below lines.
>
> systemctl unmask smbd winbind nmbd
> systemctl enable smbd winbind nmbd
>
> systemctl start smbd winbind
>
> Greetz,
>
> Louis
> (ps. Expect slow response from me, I'm on vacation)
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Rowland penny via samba
> > Sent: Tuesday 10 December 2019 12:29
> > To: sambalist
> > Subject: Re: [Samba] security = ads parameter not working
> > in samba 4.9.5
> >
> > On 10/12/2019 11:10, Sac Isilia wrote:
> > > Hi Rowland,
> > >
> > > Please let me know what else I can try from my side. We are
> > stuck as
> > > the server can't be joined to the domain.
> > >
> > Sorry, I thought you had fixed this :-(
> >
> > You seem to be doing everything correctly, so it should work, but
> > obviously, it isn't for you.
> >
> > Can I suggest you use Louis's repo: http://apt.van-belle.nl/
> >
> > This will get you a more up to date Samba version and may, by itself,
> > fix your problem.
> >
> > Try this smb.conf:
> >
> > [global]
> > workgroup = SAMDOM
> > security = ADS
> > realm = SAMDOM.EXAMPLE.COM
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> >
> > winbind use default domain = yes
> > winbind expand groups = 2
> > winbind refresh tickets = Yes
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 3000-7999
> > idmap config SAMDOM : backend = rid
> > idmap config SAMDOM : range = 10000-999999
> > template shell = /bin/bash
> > template homedir = /home/%U
> >
> > # user Administrator workaround, without it you are
> > unable to set
> > privileges
> > username map = /etc/samba/user.map
> >
> > # For ACL support on domain member
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> >
> > # disable printing completely
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > # logging
> > log level = 4
> >
> > Create /etc/samba/user.map
> > !root = SAMDOM\Administrator
> >
> > Replace 'SAMDOM' with your workgroup name and the realm name
> > 'SAMDOM.EXAMPLE.COM' with your realm name (which must be the
> > dns domain
> > in uppercase)
> >
> > If this doesn't work, I am running out of ideas, it normally
> > just works.
> >
> > Rowland
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
> >
>
>
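An added triage example, written for this thread and not part of any message in it or of Samba's own tooling. It reads a `net ads join -d6` transcript like the one Sachin posted, recovers the [global] settings Samba actually loaded from the "doing parameter" lines, lints them against the domain-member invariants in Rowland's smb.conf (security = ADS, an upper-case realm equal to the DNS domain, a workgroup with its own idmap range, and idmap ranges that do not overlap), and isolates the step that failed: the kinit for svc_domjoin02@EMEA.MEDIA.GLOBAL.LOC, which the KDC rejected with "Client not found in Kerberos database" even though `-U media\\svc_domjoin02` named the account under a different domain prefix. The sample log is a condensed copy of the transcript lines (not a verbatim capture), the prefix-versus-realm heuristic and the `kinit` follow-up it suggests are mine, and all function names are assumptions.

```python
"""Triage a `net ads join -d6` transcript: effective config, lint, failing step."""
import re

# Constructed sample: condensed from the transcript above, not a verbatim
# capture. The list archive spells '@' as ' at '; kept so the parser copes.
SAMPLE_LOG = r"""
doing parameter workgroup = EMEA-MEDIA
doing parameter realm = EMEA.MEDIA.GLOBAL.LOC
doing parameter security = ADS
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 3000-7999
doing parameter idmap config EMEA-MEDIA : backend = ad
doing parameter idmap config EMEA-MEDIA : range = 16777216-33554431
admin_account : 'media\svc_domjoin02'
kerberos_kinit_password svc_domjoin02 at EMEA.MEDIA.GLOBAL.LOC failed: Client not found in Kerberos database
netbios_domain_name : 'EMEA-MEDIA'
dns_domain_name : 'emea.media.global.loc'
result : WERR_NERR_DEFAULTJOINREQUIRED
"""

PARAM_RE = re.compile(r"^\s*doing parameter (.+?) = (.*)$", re.M)
IDMAP_RE = re.compile(r"^idmap config\s*([^\s:]+)\s*:\s*(\w+)$")
KINIT_RE = re.compile(r"kerberos_kinit_password (\S+)(?:@| at )(\S+) failed: (.+)")


def parse_effective_config(log):
    """Map parameter -> value; a later reload of [global] overwrites an earlier one."""
    return {k.strip().lower(): v.strip() for k, v in PARAM_RE.findall(log)}


def idmap_ranges(cfg):
    """Return {DOMAIN: (low, high)} from every 'idmap config X : range' entry."""
    ranges = {}
    for key, val in cfg.items():
        m = IDMAP_RE.match(key)
        if m and m.group(2) == "range":
            lo, hi = (int(x) for x in val.split("-"))
            ranges[m.group(1).upper()] = (lo, hi)
    return ranges


def check_member_config(cfg, dns_domain=None):
    """Lint the settings a 'security = ADS' member depends on (heuristics from the thread)."""
    findings = []
    if cfg.get("security", "").upper() != "ADS":
        findings.append("security must be ADS for an AD domain member")
    realm = cfg.get("realm", "")
    if not realm or realm != realm.upper():
        findings.append("realm must be set and written in upper case")
    if dns_domain and realm.upper() != dns_domain.upper():
        findings.append(f"realm {realm!r} is not the DNS domain {dns_domain!r} upper-cased")
    ranges = idmap_ranges(cfg)
    wg = cfg.get("workgroup", "").upper()
    if wg not in ranges:
        findings.append(f"no idmap range for workgroup {wg!r}: it falls back to the '*' backend")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # intervals intersect: UID/GID collisions
                findings.append(f"idmap ranges overlap: {a} {alo}-{ahi} vs {b} {blo}-{bhi}")
    return findings


def parse_join_outcome(log):
    """Pull identity facts and the failing step out of the libnet_JoinCtx dump."""
    def quoted(field):
        m = re.search(rf"^\s*{field}\s*:\s*'([^']*)'", log, re.M)
        return m.group(1) if m else None
    out = {f: quoted(f) for f in ("admin_account", "netbios_domain_name", "dns_domain_name")}
    out.update(kinit_principal=None, kinit_error=None, result=None)
    m = KINIT_RE.search(log)
    if m:
        out["kinit_principal"] = f"{m.group(1)}@{m.group(2)}"
        out["kinit_error"] = m.group(3).strip()
    m = re.search(r"^\s*result\s*:\s*(\S+)", log, re.M)
    out["result"] = m.group(1) if m else None
    return out


def diagnose(log):
    """Combine the config lint with the join outcome into actionable findings."""
    cfg, out = parse_effective_config(log), parse_join_outcome(log)
    findings = check_member_config(cfg, out["dns_domain_name"])
    acct = out["admin_account"] or ""
    if "\\" in acct:  # DOMAIN\user form: the DOMAIN part should name the target domain
        prefix, user = acct.split("\\", 1)
        targets = {s.upper() for s in (out["netbios_domain_name"],
                                       out["dns_domain_name"], cfg.get("realm")) if s}
        if prefix.upper() not in targets:
            findings.append(f"-U prefix {prefix!r} is not the target domain {sorted(targets)}; "
                            f"kinit was attempted as {out['kinit_principal']}. Verify where the "
                            f"account lives first: kinit {user}@<REALM-THAT-HOLDS-THE-ACCOUNT>")
    if out["kinit_error"] and "Client not found" in out["kinit_error"]:
        findings.append(f"KDC has no principal {out['kinit_principal']}; the KDC returns this "
                        "before checking the password, so fix the principal/realm, not the credential")
    if out["result"]:
        findings.append(f"join result: {out['result']}")
    return findings
```

Feed a real transcript with `diagnose(open("join.log").read())`. The point of the last two findings is the order of operations on the Kerberos side: "Client not found in Kerberos database" is the KDC saying it has no such principal in that realm, and it says so before any pre-authentication, so retyping the password or rotating the service account changes nothing until the principal name and realm are right.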