[Samba] I can't join the new AD server with Samba4
Rowland Penny
rowlandpenny at googlemail.com
Sat Apr 25 08:57:53 MDT 2015
On 25/04/15 15:44, Daniel Carrasco Marín wrote:
>
>
> On the AD server I've linked the Kerberos file in the Samba folder:
> lrwxrwxrwx 1 root root 32 Apr 25 16:23 krb5.conf ->
> /var/lib/samba/private/krb5.conf
>
> On the client I have the default:
> [libdefaults]
> default_realm = TTU.RED
>
> # The following krb5.conf variables are only for MIT Kerberos.
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> ........
>
> [realms]
> TTU.RED = {
> kdc = pdc
> admin_server = pdc
> }
> ........
>
>
Use the same krb5.conf as on the DC
> Does /etc/krb5.keytab exist, if it does, remove it.
>
>
> Deleted, but nothing changed.
You will need to try and rejoin the domain
> Does /etc/resolv.conf point to the DC ?
>
>
> Yes:
> cat /etc/resolv.conf
> domain TTU
> nameserver 192.168.2.251
Please change /etc/resolv.conf to this:
search ttu.red
nameserver 192.168.2.251
>
> Are you sure that you are using the correct password for
> Administrator ?
>
>
> Yes, I've even tried changing the PW to another one, and other commands
> work fine, for example "kinit administrator@TTU.RED" and "klist -c":
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@TTU.RED
>
> Valid starting Expires Service principal
> 25/04/15 16:36:10 26/04/15 02:36:10 krbtgt/TTU.RED@TTU.RED
> renew until 26/04/15 16:36:06
>
>
> I've linked the file shown in the log to krb5.conf:
> ln -s /var/run/samba/smb_krb5/krb5.conf.TTU /etc/krb5.conf
>
> I got the same error:
> .......
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> ads_sasl_spnego_bind: got server principal name =
> not_defined_in_RFC4178@please_ignore
> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
> directory)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
> Sun, 26 Apr 2015 02:37:30 CEST
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : NULL
> netbios_domain_name : 'TTU'
> dns_domain_name : 'ttu.red'
> forest_name : 'ttu.red'
> dn : NULL
> domain_sid : *
> domain_sid :
> S-1-5-21-127850397-371183867-665961664
> modified_config : 0x00 (0)
> error_string : 'failed to connect to AD:
> Invalid credentials'
> domain_is_ad : 0x01 (1)
> result : WERR_GENERAL_FAILURE
> Failed to join domain: failed to connect to AD: Invalid credentials
> return code = -1
>
> I can run commands like "net ads rpc -U Administrator" and they work
> fine; I can even get some AD info:
> # net rpc info -U Administrator
> Enter Administrator's password:
> Domain Name: TTU
> Domain SID: S-1-5-21-127850397-371183867-665961664
> Sequence number: 1
> Num users: 144
> Num domain groups: 42
> Num local groups: 26
>
>
> It's strange because, as I said, if I create a new domain without
> upgrading then I can join that domain even without krb5-client installed.
>
>
What OS are you using?
What version of Samba is on the member server?
What packages have you installed to try and get Samba working?
Anything else relevant: AppArmor, SELinux, firewall, etc.?
Rowland
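An added example, not part of this thread and not Samba's own code: an offline sanity check that codifies the two files Rowland asks about before a member retries `net ads join`. It parses a resolv.conf and a krb5.conf, confirms a nameserver is set, and checks that the DNS search domain is the DNS name of the Kerberos `default_realm` (ttu.red for TTU.RED) rather than the NetBIOS name (TTU). The helper names and the temporary file names are this example's own; the two resolv.conf variants are constructed from the thread's posted text.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): offline check of
# a domain member's resolv.conf against its krb5.conf before `net ads join`.
# Helper names and file names below are this example's own assumptions.

# Print the first 'search' or 'domain' value from a resolv.conf-style file.
resolv_search_domain() {
    awk '$1 == "search" || $1 == "domain" { print $2; exit }' "$1"
}

# Print the first nameserver from a resolv.conf-style file.
resolv_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Print default_realm from a krb5.conf-style file ([libdefaults] section).
krb5_default_realm() {
    awk -F= '/^[ \t]*default_realm[ \t]*=/ {
                 gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# Return 0 when resolv.conf and krb5.conf agree on the AD domain and a
# nameserver is configured; return 1 and explain on stderr otherwise.
check_member_dns() {
    resolv="$1"; krb5="$2"; ok=0
    search=$(resolv_search_domain "$resolv" | tr '[:upper:]' '[:lower:]')
    realm=$(krb5_default_realm "$krb5" | tr '[:upper:]' '[:lower:]')
    ns=$(resolv_nameserver "$resolv")
    [ -n "$ns" ] || { echo "no nameserver in $resolv" >&2; ok=1; }
    [ -n "$search" ] || { echo "no search/domain line in $resolv" >&2; ok=1; }
    [ -n "$realm" ] || { echo "no default_realm in $krb5" >&2; ok=1; }
    if [ -n "$search" ] && [ -n "$realm" ] && [ "$search" != "$realm" ]; then
        # 'domain TTU' is the NetBIOS name; the search domain must be the
        # DNS name of the realm so that short names like 'pdc' resolve under it.
        echo "search domain '$search' is not the DNS name of realm '$realm'" >&2
        ok=1
    fi
    return $ok
}

# Constructed inputs reproducing the files quoted in the thread.
tmp=$(mktemp -d)
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = TTU.RED
[realms]
    TTU.RED = {
        kdc = pdc
        admin_server = pdc
    }
EOF
printf 'domain TTU\nnameserver 192.168.2.251\n' > "$tmp/resolv.orig"
printf 'search ttu.red\nnameserver 192.168.2.251\n' > "$tmp/resolv.fixed"

check_member_dns "$tmp/resolv.orig" "$tmp/krb5.conf" && echo "orig: ok" || echo "orig: FAIL"
check_member_dns "$tmp/resolv.fixed" "$tmp/krb5.conf" && echo "fixed: ok" || echo "fixed: FAIL"
```

Run it as-is and the poster's original resolv.conf (`domain TTU`) is reported as a mismatch against `default_realm = TTU.RED`, while Rowland's corrected `search ttu.red` passes. Point the two arguments at the real `/etc/resolv.conf` and `/etc/krb5.conf` to check a live member; it makes no network requests, so it says nothing about whether the nameserver actually serves the realm's SRV records.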