[Samba] Problems after PC is joined to the domain - Samba 4

Theodotos Andreou theo at ubuntucy.org
Sun Jun 1 23:24:26 MDT 2014


On 05/30/2014 02:40 PM, steve wrote:
> On Fri, 2014-05-30 at 14:08 +0300, Theodotos Andreou wrote:
>> On 05/30/2014 01:53 PM, steve wrote:
>>> On Fri, 2014-05-30 at 13:13 +0300, Theodotos Andreou wrote:
>>>> Hello SAMBA community,
>>>>
>>>> I used this guide to join a PC to the domain as a member using samba 4:
>>>> https://wiki.samba.org/index.php/Samba4/Domain_Member
>>>>
>>>> I am using Ubuntu 14.04 64 bit and I installed samba from the repos. The
>>>> stock samba version is:
>>>>
>>>> # samba --version
>>>> Version 4.1.6-Ubuntu
>>>>
>>>> When I tried to join the PC to the domain I got:
>>>>
>>>> # net ads join -U admin
>>>> kerberos_kinit_password DOM\admin at DOM.FOREST.INT failed: Client not found in Kerberos database
>>>> Failed to join domain: failed to connect to AD: Client not found in Kerberos database
>>>>
>>>> Nevertheless the PC was joined to the domain despite the above error and
>>>> I proceeded with the following steps. But when I try to list the users
>>>> using 'wbinfo -u' I get some strange behavior. The command takes too
>>>> long to complete and it then gives:
>>>>
>>>> # wbinfo -u --verbose
>>>> FOREST\usbms_somepcname
>>>>
>>>> The second time I run the command it again takes too long but it gives
>>>> out the complete list of AD users. But when I try to log in as a
>>>> particular user I get:
>>>>
>>>> # su - myusername
>>>> No passwd entry for user 'myusername'
>>>> # id myusername
>>>> id: myusername: no such user
>>>>
>>>> This is my smb.conf:
>>>>
>>>> # cat /etc/samba/smb.conf
>>>>     [global]
>>>>
>>>>       netbios name = MYPCNAME
>>>>       workgroup = DOM
>>>>       security = ADS
>>>>       realm = DOM.FOREST.INT
>>>>       encrypt passwords = yes
>>> Hi
>>> try:
>>> add
>>> kerberos method = system keytab
>>> to [global]
>>> and issue:
>>> net ads keytab create -Uadmin
>>> (are you sure admin has sufficient privs to add machines?)
>>>
>>>
>> I added that line and it gives:
>>
>> # net ads keytab create -U 'DOM\admin'
>> Enter DOM\admin's password:
>> kerberos_kinit_password DOM\admin at DOM..INT failed: Client not found in Kerberos database
>> kerberos_kinit_password DOM\admin at LIM.TEPAK.INT failed: Client not found in Kerberos database
>>
>> After omitting 'DOM\' from the username it gives:
>>
>> # net ads keytab create -U 'admin'
>> Enter admin's password:
>> ads_get_dnshostname: No dNSHostName attribute!
>> ../source3/libads/kerberos_keytab.c:328: unable to determine machine account's dns name in AD!
>>
>> I have changed the true username and domain name for reasons of paranoia
>> :) but I am certain that the user I use is a domain admin.
> DNS on Ubuntu:
> http://linuxcostablanca.blogspot.com.es/2014/05/dns-good-enough-for-kerberos.html
>
>
Ok now I have this configuration:

# grep 127 /etc//hosts
127.0.0.1       localhost
127.0.1.1       MYPCNAME.dom.forest.int MYPCNAME

and this:

# cat /etc/hostname
MYPCNAME

Testing:

# hostname -d
dom.forest.int

# domainname
(none)

I have no idea why domainname gives different results than hostname -d.

The PC name resolves correctly on DNS:

# host MYPCNAME.dom.forest.int
MYPCNAME.dom.forest.int has address 10.10.10.156

The problem persists:

# net ads keytab create -U admin
Enter admin's password:
ads_get_dnshostname: No dNSHostName attribute!
../source3/libads/kerberos_keytab.c:328: unable to determine machine account's dns name in AD!

Could the problem with the domainname command be related to this? Any 
idea why that happens?

How can I troubleshoot this issue deeper?


