[Samba] Joining Domain
Rowland Penny
rowlandpenny at googlemail.com
Sat Aug 30 04:17:11 MDT 2014
On 29/08/14 12:37, Andre Kruger wrote:
> You could install samba from the package repository but it is old 3.5.x.
>
> I compiled samba from source. I downloaded the latest tarball from the samba.org site.
>
> I also struggled a bit with gcc but eventually figured out installing the "developer/gcc-3" package satisfied the samba configure script.
>
> I also installed "system/library/math/header-math" as well as one or two other packages which I can't remember off the top of my head what they were.
>
> Thanks for the support Roland. I was just thinking that if Kerberos was at fault I would expect an error from klist, but it could be certain pieces that are broken I suppose.
>
> "ads_setup_sasl_wrapping()" and "ads_sasl_spnego_krb5_bind" seem to be at the root of my problem.
>
>
> Regards
> André
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: 29 August 2014 11:33
> To: sambalist
> Subject: Re: [Samba] Joining Domain
>
> On 29/08/14 09:53, Andre Kruger wrote:
>> I am still stumped on this one. My enctypes are as follows in this particular order as well. Are they correct?:
>>
>> default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>> RC4-HMAC DES-CBC-CRC DES-CBC-MD5 default_tkt_enctypes =
>> aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC
>> DES-CBC-MD5 preferred_enctypes = aes256-cts-hmac-sha1-96
>> aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>>
>> I am not sure but if my Kerberos was the problem wouldn't kinit fail?
>>
>> Further to the problem the following commands all return valid results:
>>
>> ./wbinfo -p
>> Ping to winbindd succeeded
>>
>> ./wbinfo -P
>> checking the NETLOGON dc connection to "DC1.ad.domain.com" succeeded
>>
>> ./wbinfo --dc-info=ad.domain.com
>> DC1.ad.trw.com (1.1.1.1) <---- just changed for security purposes but the correct IP is returned.
>>
>> ./wbinfo -t
>> checking the trust secret for domain DOMAIN via RPC calls succeeded
>>
>> ./wbinfo --domain-info=ad.domain.com
>> Name : DOMAIN
>> Alt_Name : ad.domain.com
>> SID : S-1-5-21-2387652445-1625808259-2938664994
>> Active Directory : Yes
>> Native : Yes
>> Primary : Yes
>>
>> By looking at the above I'd say that everything is working as it should? Is there something I may have missed?
> Well everything seems OK (aka it matches what I get on an Linux AD client)
>
>> However, I am still unable to list users and groups or assign an AD user or group to my file system. I am sure this stems from the fact that I am unable to use "net ads join" to join my domain but instead I have to use "net rpc join". Even now after joining with "net rpc join" I seem to have problem with the RPC calls, but the ADS calls succeed.
>>
>> ./net rpc info -U krugera
>> Unable to find a suitable server for domain DOMAIN
>>
>> ./net ads info -U krugera
>> Enter krugera's password:
>> LDAP server: 1.1.1.1
>> LDAP server name: DC1.ad.trw.com
>> Realm: AD.DOMAIN.COM
>> Bind Path: dc=AD,dc=DOMAIN,dc=COM
>> LDAP port: 389
>> Server time: Fri, 29 Aug 2014 10:38:24 SAST KDC server: 1.1.1.1 Server
>> time offset: 0
>>
>>
>> I do get the same error messages in my logs now as I do when I try to join my domain with the "net ads join" command. I don't understand the error messages and google doesn't help and I see a long history on the list about this problem. Is there anybody can shed light on these particular failures:
>>
>>
>> When I execute wbinfo -u I get the following showing up in my logs:
>>
>> ==> /var/adm/messages <==
>> Aug 29 10:04:56 sambatest winbindd[546]: [ID 702911 daemon.error] [2014/08/29 10:04:56.014638, 0] ../source3/libads/sasl.c:673(ads_sasl_spnego_gsskrb5_bind)
>> Aug 29 10:04:56 sambatest winbindd[546]: [ID 702911 daemon.error] ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>> Aug 29 10:04:56 sambatest winbindd[546]: [ID 702911 daemon.error] [2014/08/29 10:04:56.187569, 0] ../source3/libads/sasl.c:994(ads_sasl_spnego_bind)
>> Aug 29 10:04:56 sambatest winbindd[546]: [ID 702911 daemon.error] kinit succeeded but ads_sasl_spnego_krb5_bind failed: Can't contact LDAP server
>>
>> ==> /var/samba/log/log.wb-ADTRW <==
>> [2014/08/29 10:04:56.014638, 0] ../source3/libads/sasl.c:673(ads_sasl_spnego_gsskrb5_bind)
>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>> [2014/08/29 10:04:56.187569, 0] ../source3/libads/sasl.c:994(ads_sasl_spnego_bind)
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Can't contact
>> LDAP server
>>
>>
>> ads_sasl_spnego_gsskrb5_bind <---- This error seems to be the source off all my problems.
>>
> Which is why I was suspecting kerberos.
> Just how did you build samba4 ?, what packages did you install and where from ?
> I installed openindiana in a VM, but that was just about as far as I got, probably need to do a bit more investigation, I couldn't get samba configure to find gcc, it is so much easier on Linux.
>
> Rowland
>
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>> Sent: 27 August 2014 17:18
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Joining Domain
>>
>> On 27/08/14 15:52, Andre Kruger wrote:
>>> UPDATE:
>>>
>>> I got the samba server to join my domain using
>>>
>>> net rpc join -U krugersa
>>>
>>> instead of
>>>
>>> net ads join -U krugersa
>>>
>>> The new problem I have now is similar to my previous problem. First things first. I started winbindd interactively, ""winbindd -I". I can then list all of our domains using "wbinfo --all-domains". The command returns results as expected.
>>>
>>> Next I can check the secret between my samba server and AD using "wbindo -t". I get expected results:
>>> "checking the trust secret for domain DOMAIN via RPC calls succeeded".
>>>
>>>
>>> However, when I try and list either AD users or groups using "wbinfo -u" or "wibinfo -g", immediately after issuing the command I get the following on the winbinnd interactive window:
>>>
>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED kinit
>>> succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED <----- This is the same error message as before when I was trying to join my domain using "net ads join..."
>>>
>>>
>>>
>>>
>>> kerberos_kinit_password SAMBATEST$@AD.DOMAIN.COM failed: Clock skew too great <----- I have no idea where this is coming from. The clocks on my samba server and my DC are exactly the same. And SAMBATEST??
>>> ===============================================================
>>> INTERNAL ERROR: Signal 11 in pid 1167 (4.1.11) Please read the
>>> Trouble-Shooting section of the Samba HOWTO
>>> ===============================================================
>>> PANIC (pid 1167): internal error
>>> BACKTRACE: 37 stack frames:
>>> #0 /usr/local/samba/lib/libsmbconf.so.0'log_stack_trace+0x27 [0xfea32d1c]
>>> #1 /usr/local/samba/lib/libsmbconf.so.0'smb_panic_s3+0x63 [0xfea32bc0]
>>> #2 /usr/local/samba/lib/libsamba-util.so.0.0.1'smb_panic+0x2a [0xfedba2fa]
>>> #3 /usr/local/samba/lib/libsamba-util.so.0.0.1'sig_fault+0x0 [0xfedba05a]
>>> #4 /usr/local/samba/lib/libsamba-util.so.0.0.1'sig_fault+0x11 [0xfedba06b]
>>> #5 /lib/libc.so.1'__sighndlr+0x15 [0xfeeefc25]
>>> #6 /lib/libc.so.1'call_user_handler+0x2a2 [0xfeee298e]
>>> #7 /lib/libnsl.so.1'inet_pton4+0x1c [0xfeb03c3c]
>>> #8 /lib/libnsl.so.1'inet_pton+0x29 [0xfeb03bed]
>>> #9 /usr/local/samba/lib/libsamba-util.so.0.0.1'is_ipaddress_v4+0x2b [0xfedb5cf1]
>>> #10 /usr/local/samba/lib/libsamba-util.so.0.0.1'is_ipaddress+0x22 [0xfedb5e27]
>>> #11 /usr/local/samba/lib/private/libgse.so'internal_resolve_name+0x9d [0xfeabb4ed]
>>> #12 /usr/local/samba/lib/private/libgse.so'get_dc_list+0x333 [0xfeabc8c2]
>>> #13 /usr/local/samba/lib/private/libgse.so'get_sorted_dc_list+0xba [0xfeabcffe]
>>> #14 /usr/local/samba/sbin/winbindd'get_dcs+0x1b2 [0x809a4c3]
>>> #15 /usr/local/samba/sbin/winbindd'find_new_dc+0x59 [0x809a809]
>>> #16 /usr/local/samba/sbin/winbindd'cm_open_connection+0x3d5 [0x809b19a]
>>> #17 /usr/local/samba/sbin/winbindd'init_dc_connection_network+0x90 [0x809b799]
>>> #18 /usr/local/samba/sbin/winbindd'init_dc_connection+0x51 [0x809b819]
>>> #19 /usr/local/samba/sbin/winbindd'get_cache+0x99 [0x8084209]
>>> #20 /usr/local/samba/sbin/winbindd'enum_dom_groups+0x20 [0x8087e0c]
>>> #21 /usr/local/samba/sbin/winbindd'_wbint_QueryGroupList+0x67 [0x80ae7c8]
>>> #22 /usr/local/samba/sbin/winbindd'api_wbint_QueryGroupList+0x196 [0x80ce945]
>>> #23 /usr/local/samba/sbin/winbindd'winbindd_dual_ndrcmd+0x15e [0x80ada27]
>>> #24 /usr/local/samba/sbin/winbindd'child_process_request+0xd0 [0x80aa143]
>>> #25 /usr/local/samba/sbin/winbindd'child_handler+0xea [0x80ac590]
>>> #26 /usr/local/samba/lib/private/libtevent.so.0.9.18'poll_event_loop_poll+0x55b [0xfed7789a]
>>> #27 /usr/local/samba/lib/private/libtevent.so.0.9.18'poll_event_loop_once+0x98 [0xfed77ac0]
>>> #28 /usr/local/samba/lib/private/libtevent.so.0.9.18'_tevent_loop_once+0xc9 [0xfed74178]
>>> #29 /usr/local/samba/sbin/winbindd'fork_domain_child+0x8c3 [0x80acfe0]
>>> #30 /usr/local/samba/sbin/winbindd'wb_child_request_trigger+0x55 [0x80a92a0]
>>> #31 /usr/local/samba/lib/private/libtevent.so.0.9.18'tevent_queue_immediate_trigger+0x6b [0xfed75007]
>>> #32 /usr/local/samba/lib/private/libtevent.so.0.9.18'tevent_common_loop_immediate+0x18b [0xfed74cea]
>>> #33 /usr/local/samba/lib/private/libtevent.so.0.9.18'poll_event_loop_once+0x4b [0xfed77a73]
>>> #34 /usr/local/samba/lib/private/libtevent.so.0.9.18'_tevent_loop_once+0xc9 [0xfed74178]
>>> #35 /usr/local/samba/sbin/winbindd'main+0xac5 [0x8080dc1]
>>> #36 /usr/local/samba/sbin/winbindd'_start+0x83 [0x8074053] dumping
>>> core in /var/samba/log/cores/winbindd
>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED kinit
>>> succeeded but ads_sasl_spnego_krb5_bind failed:
>>> NT_STATUS_NOT_SUPPORTED
>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED kinit
>>> succeeded but ads_sasl_spnego_krb5_bind failed:
>>> NT_STATUS_NOT_SUPPORTED
>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED kinit
>>> succeeded but ads_sasl_spnego_krb5_bind failed:
>>> NT_STATUS_NOT_SUPPORTED
>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED kinit
>>> succeeded but ads_sasl_spnego_krb5_bind failed:
>>> NT_STATUS_NOT_SUPPORTED
>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED
>>> tdb_chainlock_with_timeout_internal: alarm (40) timed out for key
>>> DC1.ad.domain.com in tdb /usr/local/samba/var/lock/mutex.tdb
>>> tdb_chainlock_with_timeout_internal: alarm (40) timed out for key
>>> DC1.ad.domain.com in tdb /usr/local/samba/var/lock/mutex.tdb
>>> cm_prepare_connection: mutex grab failed for DC1.ad.domain.com
>>> cm_prepare_connection: mutex grab failed for DC1.ad.domain.com
>>> tdb_chainlock_with_timeout_internal: alarm (40) timed out for key
>>> DC1.ad.domain.com in tdb /usr/local/samba/var/lock/mutex.tdb
>>> cm_prepare_connection: mutex grab failed for DC1.ad.domain.com
>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED kinit
>>> succeeded but ads_sasl_spnego_krb5_bind failed:
>>> NT_STATUS_NOT_SUPPORTED
>>>
>>> When I stop winbindd interactive I get the following output:
>>>
>>> Kinit failed: Clock skew too great
>>> ^CGot sig[2] terminate (is_parent=1)
>>> Got sig[2] terminate (is_parent=0)
>>> Got sig[2] terminate (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0) Got sig[2] terminate (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Got sig[2] terminate
>>> (is_parent=0)
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found
>>> ld.so.1: winbindd: fatal: relocation error: file winbindd: symbol
>>> idmap_close: referenced symbol not found Killed
>>>
>>>
>>> My smb.conf
>>>
>>> [global]
>>> workgroup = DOMAIN
>>> realm = AD.DOMAIN.COM
>>> server string = Samba
>>> security = ADS
>>> log file = /var/samba/log/log.%m
>>> max log size = 50000
>>> client ldap sasl wrapping = sign
>>> load printers = No
>>> local master = No
>>> domain master = No
>>> dns proxy = No
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind use default domain = Yes
>>> winbind nss info = rfc2307
>>> idmap config *:range = 70001-800000
>>> idmap config SAMDOM:backend = ad
>>> idmap config SAMDOM:schema_mode = rfc2307
>>> idmap config SAMDOM:range = 500-40000
>>> idmap config * : backend = tdb
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Andre Kruger
>>> Sent: 27 August 2014 13:18
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Joining Domain
>>>
>>> I made the change that you suggest but I still get the exact same error message. Just to clarify:
>>>
>>> 1. I added " idmap config DOMAIN : schema_mode = rfc2307"
>>> 1. Yes, the krugersa account has the rights required. I join other machines to my domain using this account. Administrator isn't used.
>>> 2. idmap config DOMAIN : backend = ad/rid <- I assume this does not impact joining the domain? It is used after the domain has been joined successfully.
>>>
>>> The is my global section as it is now:
>>>
>>> [global]
>>> workgroup = DOMAIN
>>> realm = AD.DOMAIN.COM
>>> server string = Samba
>>> security = ADS
>>> log file = /var/samba/log/log.%m
>>> max log size = 50000
>>> client ldap sasl wrapping = sign
>>> load printers = No
>>> local master = No
>>> domain master = No
>>> dns proxy = No
>>> winbind separator = +
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind use default domain = Yes
>>> idmap config DOMAIN : range = 20000-800000
>>> idmap config DOMAIN : backend = ad
>>> idmap config DOMAIN : schema_mode = rfc2307
>>> idmap config * : backend = tdb <- I don't get this line, it is not in my smb.conf file but when I parse the file with testparm it is in the output. Why?
>>>
>>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>>> Sent: 27 August 2014 11:31
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Joining Domain
>>>
>>> On 27/08/14 10:21, Andre Kruger wrote:
>>>> I have successfully compiled and installed Samba 4.1.11 from source on OpenIndiana 151a8.
>>>>
>>>> I tested the server by creating a folder and adding a local samba user (smbpasswd -a) and mapping a drive from my Windows machine which successded. I was able to access the test file in the folder as well as edit and save it.
>>>>
>>>> Now I am trying to join my samba server to my domain but it is failing and the error messages are not helping much and google's responses aren't really helping.
>>>>
>>>> Can anybody on the list help? When I try and join the domain I get the following error message:
>>>>
>>>> ./net ads join -U krugersa
>>>> Enter krugersa's password:
>>> Does 'krugersa' have the required permissions to join to the domain ?
>>> have you tried with 'Administrator' ?
>>>
>>>> ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED kinit
>>>> succeeded but ads_sasl_spnego_krb5_bind failed:
>>>> NT_STATUS_NOT_SUPPORTED Failed to join domain: failed to connect to
>>>> AD: NT_STATUS_NOT_SUPPORTED
>>>>
>>>>
>>>> What causes samba to output this particular error message? "NT_STATUS_NOT_SUPPORTED" is very general...
>>>>
>>>> A copy of my smb.conf file:
>>>>
>>>> [global]
>>>> workgroup = DOMAIN
>>>> realm = AD.DOMAIN.COM
>>>> server string = Samba
>>>> security = ADS
>>>> log file = /var/samba/log/log.%m
>>>> max log size = 50000
>>>> client ldap sasl wrapping = sign
>>>> load printers = No
>>>> local master = No
>>>> domain master = No
>>>> dns proxy = No
>>>> winbind separator = +
>>>> winbind enum users = Yes
>>>> winbind enum groups = Yes
>>>> winbind use default domain = Yes
>>>> idmap config * : range = 20000-800000
>>>> idmap config * : backend = tdb
>>> You appear to have a portion missing:
>>>
>>> idmap config DOMAIN : backend = ad
>>> idmap config DOMAIN : range = 10000-999999
>>> idmap config DOMAIN : schema_mode = rfc2307
>>>
>>> Adjust the range to suit your setup, if your AD users do not have uidNumber's change 'ad' to 'rid'
>>>
>>> Rowland
>>>
>>>> [homes]
>>>> comment = Home Directories
>>>> read only = No
>>>> browseable = No
>>>>
>>>> [printers]
>>>> comment = All Printers
>>>> path = /var/spool/samba
>>>> printable = Yes
>>>> print ok = Yes
>>>> browseable = No
>>>>
>>>> [testperm]
>>>> path = /testperm
>>>> valid users = @DOMAIN+Admins
>>>> read only = No
>>>> create mask = 0770
>>>> directory mask = 0770
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>> I 'think' that your problem has something to do with kerberos, can you
>> check that you have the required enctypes in krb5.conf
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
OK, I finally got samba4 to build on openindiana and set it up as a
client (based on how I would do it for Debian) and joined it to the
domain, so far so good. Running the 'wbinfo -u' & 'wbinfo -g' commands
worked as expected, but getent wouldn't.
I then remembered that when I used to compile samba4 myself, that I had
to create the the links to 'libnss_winbind.so' to get winbind to work.
So I went looking for the file, this was problem one, I couldn't find
it, but I did find 'nss_winbind.so.1' so copied it to /usr/lib and setup
symlinks to ~.so & ~.so.2, no good, tried the same in /usr/lib/amd64 but
just the same, no domain users from 'getent' . I am convinced that this
is the problem, but do not know why I got nss_winbind.so.1 instead of
nss_winbind.so and if this is the correct file, then just where do I
need to put it.
Rowland
More information about the samba
mailing list