[Samba] Failed to join domain: failed to find DC for domain...

Rowland Penny rpenny at samba.org
Sat Sep 9 07:18:49 UTC 2023


On Fri, 8 Sep 2023 16:46:54 -0400
Rob Campbell via samba <samba at lists.samba.org> wrote:

> Getting this error when trying to join computer to the domain.  I just
> built a new debian computer for gaming and photo and video editing. I
> went through the same process as I did before (I created a script to
> do all of the things I did in the past)
> 
> net ads join -U administrator
> Password for [HOME\administrator]:
> Failed to join domain: failed to find DC for domain HOME - The object
> was not found.
> 
> net ads join -U administrator
> Password for [HOME\administrator]:
> Failed to join domain: failed to find DC for domain HOME - The object
> was not found.
> root at D01:~/.bin# samba-tool domain join home.rob-campbell.lan MEMBER
> -U administrator
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'ncalrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384) Processing section "[global]"
> Password for [HOME\administrator]:
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> ads_cldap_netlogon: did not get a reply
> ads_cldap_netlogon: did not get a reply
> resolve_lmhosts: Attempting lmhosts lookup for name HOME<0x1c>
> resolve_wins: WINS server resolution selected and no WINS servers
> listed. name_resolve_bcast: Attempting broadcast lookup for name
> HOME<0x1c> ERROR(runtime): uncaught exception - (2453, 'failed to
> find DC for domain HOME - The address handle that was given to the
> transport was invalid.') File
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185,
> in _run return self.run(*args, **kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line
> 695, in run
>     (sid, domain_name) = s3_net.join_member(netbios_name,
>                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> From member
> /etc/krb5.conf
> [libdefaults]
> default_realm = HOME.ROB-CAMPBELL.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> 
> /etc/samba/smb.conf
> # Global parameters
> [global]
> bind interfaces only = Yes
> dedicated keytab file = /etc/krb5.keytab
> interfaces = lo eno1
> kerberos method = secrets and keytab
> log file = /var/log/samba/%m.log
> log level = 3
> realm = HOME.ROB-CAMPBELL.LAN
> security = ADS
> server role = member server
> template homedir = /home/%U
> template shell = /bin/bash
> username map = /etc/samba/user.map
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = HOME
> idmap config home : range = 10000-999999
> idmap config home : backend = rid
> idmap config home : unix_nss_info = yes
> idmap config * : rangesize = 200000
> idmap config * : backend = autorid
> idmap config * : range = 3000-7999

There is a problem: you are using both 'autorid' and the 'rid' idmap
backends. You are also using a line from the 'ad' setup with the 'rid'
idmap backend. You either use the 'rid' idmap backend with 'tdb' for
the default '*' domain, or you just use the 'autorid' idmap backend by
itself. As you have also set 'winbind use default domain = yes', you
cannot use the 'autorid' idmap backend; it isn't allowed.

Try it set like this:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config home : backend = rid
idmap config home : range = 10000-999999

> map acl inherit = Yes
> vfs objects = acl_xattr
> 
> I read this page
> https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage and set my
> firewall accordingly.
> 
> # samba-tool domain join home.rob-campbell.lan MEMBER -U administrator
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384) Processing section "[global]"
> Password for [HOME\administrator]:
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> ads_cldap_netlogon: did not get a reply
> ads_cldap_netlogon: did not get a reply
> No nmbd found
> Connecting to 10.0.0.10 at port 445
> get_dc_list: preferred server list: ", *"
> get_kdc_ip_string: get_kdc_list (site-less) fail
> NT_STATUS_NO_LOGON_SERVERS get_kdc_ip_string: Failed to get KDC ip
> address ads_cldap_netlogon: did not get a reply
> ads_try_connect: CLDAP request 10.0.0.10 failed.
> get_dc_list: preferred server list: ", *"
> ads_find_dc: falling back to netbios name resolution for domain 'HOME'
> (realm 'home.rob-campbell.lan')
> get_dc_list: preferred server list: ", *"
> ads_find_dc: name resolution for realm 'home.rob-campbell.lan' (domain
> 'HOME') failed: NT_STATUS_NO_LOGON_SERVERS
> get_dc_list: preferred server list: ", *"
> Could not look up dc's for domain HOME
> ERROR(runtime): uncaught exception - (2694, 'failed to connect to AD:
> No logon servers are currently available to service the logon
> request.') File
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185,
> in _run return self.run(*args, **kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line
> 695, in run
>     (sid, domain_name) = s3_net.join_member(netbios_name,
>                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It looks like DNS is failing. Does /etc/resolv.conf look like this:

search home.rob-campbell.lan
nameserver A.DC.IPADDRESS

While you are checking, does /etc/hosts contain a line like this:

computers_ip computers FQDN computers short_hostname

Rowland
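
The idmap conflicts described in the reply above can be checked mechanically before attempting a join. The following is an added example, not part of the original message and not Samba code; `lint_idmap` is a hypothetical helper name, and the sample input is the set of idmap-related lines from the quoted smb.conf.

```shell
#!/usr/bin/env bash
# Added example, not Samba code. lint_idmap is a hypothetical helper name.
# It reports the three smb.conf conflicts named in the reply above.
lint_idmap() {  # usage: lint_idmap /path/to/smb.conf
    awk -F'=' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                 # skip comment lines
    {
        key = tolower(trim($1)); val = tolower(trim($2))
        gsub(/[ \t]+/, " ", key)           # collapse runs of whitespace
        if (key == "winbind use default domain" && val ~ /^(yes|true|1)$/)
            default_domain = 1
        if (key ~ /^idmap config /) {      # idmap config DOMAIN : OPTION
            split(substr(key, 14), part, ":")
            dom = trim(part[1]); opt = trim(part[2])
            if (opt == "backend") backend[dom] = val
            if (opt == "unix_nss_info") nss[dom] = 1
        }
    }
    END {
        for (d in backend) { n++; if (backend[d] == "autorid") has_autorid = 1 }
        if (has_autorid && n > 1)
            print "CONFLICT: autorid combined with another idmap backend"
        if (has_autorid && default_domain)
            print "CONFLICT: autorid with winbind use default domain = yes"
        for (d in nss) if (backend[d] != "ad")
            print "CONFLICT: unix_nss_info on [" d "] but backend is " backend[d]
    }' "$1"
}

# idmap-related lines from the smb.conf quoted in the thread
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
winbind use default domain = Yes
idmap config home : range = 10000-999999
idmap config home : backend = rid
idmap config home : unix_nss_info = yes
idmap config * : rangesize = 200000
idmap config * : backend = autorid
idmap config * : range = 3000-7999
EOF
lint_idmap "$sample"
rm -f "$sample"
```

Run against the corrected layout suggested in the reply ('tdb' for '*', 'rid' for 'home'), the function prints nothing.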


