[Samba] Failed to join domain: failed to find DC for domain...

Rob Campbell robcampbell08105 at gmail.com
Sat Sep 9 15:29:53 UTC 2023


>
> It looks like DNS is failing, does /etc/resolv.conf look like this:
>
> search home.rob-campbell.lan
> nameserver A.DC.IPADDRESS
>

This is what it looks like in this order (if that matters)
nameserver 10.0.0.10
nameserver 10.0.0.1
search HOME.ROB-CAMPBELL.LAN

>
> While you are checking, does /etc/hosts contain a line like this:
>
> computers_ip computers FQDN computers short_hostname
>

Yes

root@D01:~/.bin# realm leave
root@D01:~/.bin# realm list
root@D01:~/.bin# cp /etc/samba/smb.conf.converted /etc/samba/smb.conf
root@D01:~/.bin# realm list
home.rob-campbell.lan
  type: kerberos
  realm-name: HOME.ROB-CAMPBELL.LAN
  domain-name: home.rob-campbell.lan
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: libnss-winbind
  required-package: winbind
  required-package: libpam-winbind
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-any-login
root@D01:~/.bin# net ads join -U administrator
Password for [HOME\administrator]:
Failed to join domain: failed to connect to AD: No logon servers are
currently available to service the logon request.
root@D01:~/.bin# samba-tool domain join home.rob-campbell.lan MEMBER -U administrator
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Password for [HOME\administrator]:
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply
No nmbd found
Connecting to 10.0.0.10 at port 445
get_dc_list: preferred server list: ", *"
get_kdc_ip_string: get_kdc_list (site-less) fail NT_STATUS_NO_LOGON_SERVERS
get_kdc_ip_string: Failed to get KDC ip address
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 10.0.0.10 failed.
get_dc_list: preferred server list: ", *"
ads_find_dc: falling back to netbios name resolution for domain 'HOME'
(realm 'home.rob-campbell.lan')
get_dc_list: preferred server list: ", *"
ads_find_dc: name resolution for realm 'home.rob-campbell.lan' (domain
'HOME') failed: NT_STATUS_NO_LOGON_SERVERS
get_dc_list: preferred server list: ", *"
Could not look up dc's for domain HOME
ERROR(runtime): uncaught exception - (2694, 'failed to connect to AD: No
logon servers are currently available to service the logon request.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185,
in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 695,
in run
    (sid, domain_name) = s3_net.join_member(netbios_name,
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

./check_smb.sh
 144310 ?        Ss     0:00 smbd
 144311 ?        S      0:00 smbd
 144312 ?        S      0:00 smbd
 144320 ?        Ss     0:00 nmbd
 144321 pts/1    S+     0:00 /bin/bash ./check_smb.sh
 144323 pts/1    S+     0:00 grep -E samba|smb|nmb|winbind
root@D01:~/.bin# samba-tool domain join home.rob-campbell.lan MEMBER -U administrator
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Password for [HOME\administrator]:
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply
fcntl_lock: fcntl lock gave errno 11 (Resource temporarily unavailable)
fcntl_lock: lock failed at offset 0 count 1 op 6 type 0 (Resource
temporarily unavailable)
resolve_hosts: Attempting host lookup for name
dc01.home.rob-campbell.lan<0x20>
Connecting to 2600:4040:4661:9a00:aaa1:59ff:fe5f:b823 at port 445
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 10.0.0.10 failed.
get_dc_list: preferred server list: ", *"
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 10.0.0.10 failed.
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 2600:4040:4661:9a00:aaa1:59ff:fe5f:b823
failed.
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 2600:4040:4661:9a00:b037:5676:5a02:cb00
failed.
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 2600:4040:4661:9a00:e2b2:cddc:804a:abed
failed.
ads_find_dc: failed to find a valid DC on our site
(Default-First-Site-Name), Trying to find another DC for realm
'home.rob-campbell.lan' (domain 'HOME')
get_dc_list: preferred server list: ", *"
ads_find_dc: falling back to netbios name resolution for domain 'HOME'
(realm 'home.rob-campbell.lan')
get_dc_list: preferred server list: ", *"
ads_find_dc: name resolution for realm 'home.rob-campbell.lan' (domain
'HOME') failed: NT_STATUS_NO_LOGON_SERVERS
get_dc_list: preferred server list: ", *"
Could not look up dc's for domain HOME
ERROR(runtime): uncaught exception - (2694, 'failed to connect to AD: No
logon servers are currently available to service the logon request.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185,
in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 695,
in run
    (sid, domain_name) = s3_net.join_member(netbios_name,
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.
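
Added example (not part of the original message): a Python check of the two files asked about above, /etc/resolv.conf and /etc/hosts, against the forms given in the quoted reply. It assumes 10.0.0.10 is the DC, because the join output connects to that address; the member address 10.0.0.50, the FQDN d01.home.rob-campbell.lan and the function names are made up for the illustration.

```python
import ipaddress

def check_resolv_conf(text, realm, dc_ips):
    """Compare resolv.conf with the 'search <realm> / nameserver <DC>' form."""
    findings, servers, search = [], [], []
    for line in text.splitlines():  # the position of 'search' is irrelevant
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
        elif parts and parts[0] in ("search", "domain"):
            search = [d.lower().rstrip(".") for d in parts[1:]]
    dcs = {ipaddress.ip_address(ip) for ip in dc_ips}
    if not servers:
        findings.append("no nameserver lines")
    for ip in servers:
        if ipaddress.ip_address(ip) not in dcs:
            findings.append(f"nameserver {ip} is not a listed DC")
    if realm.lower() not in search:
        findings.append(f"search list lacks {realm.lower()}")
    return findings

def check_hosts(text, ip, fqdn, short):
    """Look for the 'ip FQDN short_hostname' line the reply asks about."""
    want, findings, seen = [fqdn.lower(), short.lower()], [], False
    for line in text.splitlines():
        parts = line.split("#", 1)[0].lower().split()
        if len(parts) < 2 or not set(want) & set(parts[1:]):
            continue  # blank, comment, or an entry for some other host
        if ipaddress.ip_address(parts[0]).is_loopback:
            findings.append(f"{parts[0]} maps the hostname to loopback")
        elif parts[0] == ip and parts[1:3] == want:
            seen = True
        else:
            findings.append(f"unexpected entry: {line.strip()}")
    if not seen:
        findings.append(f"no line '{ip} {fqdn} {short}'")
    return findings

# resolv.conf exactly as posted in this message
RESOLV_POSTED = "nameserver 10.0.0.10\nnameserver 10.0.0.1\nsearch HOME.ROB-CAMPBELL.LAN\n"
# Constructed /etc/hosts sample (not from the thread)
HOSTS_SAMPLE = "127.0.0.1 localhost\n127.0.1.1 d01.home.rob-campbell.lan d01\n"

if __name__ == "__main__":
    print(check_resolv_conf(RESOLV_POSTED, "HOME.ROB-CAMPBELL.LAN", ["10.0.0.10"]))
    print(check_hosts(HOSTS_SAMPLE, "10.0.0.50", "d01.home.rob-campbell.lan", "d01"))
```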


On Sat, Sep 9, 2023 at 3:20 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Fri, 8 Sep 2023 16:46:54 -0400
> Rob Campbell via samba <samba at lists.samba.org> wrote:
>
> > Getting this error when trying to join computer to the domain.  I just
> > built a new debian computer for gaming and photo and video editing. I
> > went through the same process as I did before (I created a script to
> > do all of the things I did in the past)
> >
> > net ads join -U administrator
> > Password for [HOME\administrator]:
> > Failed to join domain: failed to find DC for domain HOME - The object
> > was not found.
> >
> > net ads join -U administrator
> > Password for [HOME\administrator]:
> > Failed to join domain: failed to find DC for domain HOME - The object
> > was not found.
> > root@D01:~/.bin# samba-tool domain join home.rob-campbell.lan MEMBER -U administrator
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'ncalrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'http_negotiate' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[global]"
> > Password for [HOME\administrator]:
> > Registered MSG_REQ_POOL_USAGE
> > Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> > ads_cldap_netlogon: did not get a reply
> > ads_cldap_netlogon: did not get a reply
> > resolve_lmhosts: Attempting lmhosts lookup for name HOME<0x1c>
> > resolve_wins: WINS server resolution selected and no WINS servers listed.
> > name_resolve_bcast: Attempting broadcast lookup for name HOME<0x1c>
> > ERROR(runtime): uncaught exception - (2453, 'failed to find DC for domain
> > HOME - The address handle that was given to the transport was invalid.')
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
> >     return self.run(*args, **kwargs)
> >            ^^^^^^^^^^^^^^^^^^^^^^^^^
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 695, in run
> >     (sid, domain_name) = s3_net.join_member(netbios_name,
> >                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > From member
> > /etc/krb5.conf
> > [libdefaults]
> > default_realm = HOME.ROB-CAMPBELL.LAN
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > /etc/samba/smb.conf
> > # Global parameters
> > [global]
> > bind interfaces only = Yes
> > dedicated keytab file = /etc/krb5.keytab
> > interfaces = lo eno1
> > kerberos method = secrets and keytab
> > log file = /var/log/samba/%m.log
> > log level = 3
> > realm = HOME.ROB-CAMPBELL.LAN
> > security = ADS
> > server role = member server
> > template homedir = /home/%U
> > template shell = /bin/bash
> > username map = /etc/samba/user.map
> > winbind refresh tickets = Yes
> > winbind use default domain = Yes
> > workgroup = HOME
> > idmap config home : range = 10000-999999
> > idmap config home : backend = rid
> > idmap config home : unix_nss_info = yes
> > idmap config * : rangesize = 200000
> > idmap config * : backend = autorid
> > idmap config * : range = 3000-7999
>
> There is a problem, you are using both 'autorid' and the 'rid' idmap
> backends. You are also using a line from the 'ad' setup with the 'rid'
> idmap backend. You either use the 'rid' idmap backend with 'tdb' for
> the default '*' domain, or you just use the 'autorid' idmap backend by
> itself. As you have also set 'winbind use default domain = yes', you
> cannot use the 'autorid' idmap backend, it isn't allowed.
>
> Try it set like this:
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config home : backend = rid
> idmap config home : range = 10000-999999
>
> > map acl inherit = Yes
> > vfs objects = acl_xattr
> >
> > I read this page
> > https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage and set my
> > firewall accordingly.
> >
> > # samba-tool domain join home.rob-campbell.lan MEMBER -U administrator
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[global]"
> > Password for [HOME\administrator]:
> > Registered MSG_REQ_POOL_USAGE
> > Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> > ads_cldap_netlogon: did not get a reply
> > ads_cldap_netlogon: did not get a reply
> > No nmbd found
> > Connecting to 10.0.0.10 at port 445
> > get_dc_list: preferred server list: ", *"
> > get_kdc_ip_string: get_kdc_list (site-less) fail NT_STATUS_NO_LOGON_SERVERS
> > get_kdc_ip_string: Failed to get KDC ip address
> > ads_cldap_netlogon: did not get a reply
> > ads_try_connect: CLDAP request 10.0.0.10 failed.
> > get_dc_list: preferred server list: ", *"
> > ads_find_dc: falling back to netbios name resolution for domain 'HOME'
> > (realm 'home.rob-campbell.lan')
> > get_dc_list: preferred server list: ", *"
> > ads_find_dc: name resolution for realm 'home.rob-campbell.lan' (domain
> > 'HOME') failed: NT_STATUS_NO_LOGON_SERVERS
> > get_dc_list: preferred server list: ", *"
> > Could not look up dc's for domain HOME
> > ERROR(runtime): uncaught exception - (2694, 'failed to connect to AD: No
> > logon servers are currently available to service the logon request.')
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
> >     return self.run(*args, **kwargs)
> >            ^^^^^^^^^^^^^^^^^^^^^^^^^
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 695, in run
> >     (sid, domain_name) = s3_net.join_member(netbios_name,
> >                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> It looks like DNS is failing, does /etc/resolv.conf look like this:
>
> search home.rob-campbell.lan
> nameserver A.DC.IPADDRESS
>

>
> While you are checking, does /etc/hosts contain a line like this:
>
> computers_ip computers FQDN computers short_hostname
>

>
> Rowland
>
>
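
Added example (not part of the thread): a Python lint for the idmap conflicts described in the quoted reply, run over the idmap lines from the posted smb.conf and over the suggested replacement. The function names are hypothetical, and only the rules stated in the reply are checked.

```python
import re

def parse_global(text):
    """Split [global] into idmap[domain][option] and the other parameters."""
    idmap, other, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            # lower-case and collapse repeated spaces in both name and value
            key, value = (" ".join(s.lower().split()) for s in line.split("=", 1))
            m = re.fullmatch(r"idmap config (\S+?) ?: ?(.+)", key)
            if m:
                idmap.setdefault(m.group(1), {})[m.group(2)] = value
            else:
                other[key] = value
    return idmap, other

def lint_idmap(text):
    """Return findings for the idmap conflicts named in the reply."""
    idmap, other = parse_global(text)
    backends = {dom: opts.get("backend") for dom, opts in idmap.items()}
    findings, autorid = [], "autorid" in backends.values()
    if autorid and len(backends) > 1:
        findings.append("autorid mixed with another backend; use autorid by itself")
    if autorid and other.get("winbind use default domain") in ("yes", "true", "1"):
        findings.append("autorid with 'winbind use default domain = yes'")
    for dom, opts in idmap.items():
        if opts.get("backend") == "rid" and "unix_nss_info" in opts:
            findings.append(f"{dom}: unix_nss_info is an 'ad' option, backend is rid")
    if "rid" in backends.values() and backends.get("*") != "tdb":
        findings.append("rid needs 'idmap config * : backend = tdb' as the default")
    return findings

# POSTED: lines from the smb.conf in the thread; SUGGESTED: the layout from the reply
POSTED = """[global]
winbind use default domain = Yes
idmap config home : range = 10000-999999
idmap config home : backend = rid
idmap config home : unix_nss_info = yes
idmap config * : rangesize = 200000
idmap config * : backend = autorid
idmap config * : range = 3000-7999
"""
SUGGESTED = """[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config home : backend = rid
idmap config home : range = 10000-999999
"""
```

lint_idmap(POSTED) reports all four conflicts; lint_idmap(SUGGESTED) returns an empty list.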

