[Samba] I can't join the new AD server with Samba4

Rowland Penny rowlandpenny at googlemail.com
Sat Apr 25 09:44:38 MDT 2015


On 25/04/15 16:24, Daniel Carrasco Marín wrote:
>
>
> 2015-04-25 16:57 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>
>     On 25/04/15 15:44, Daniel Carrasco Marín wrote:
>
>
>
>         On the AD server I've linked the kerberos file in the samba folder:
>         lrwxrwxrwx 1 root root 32 abr 25 16:23 krb5.conf ->
>         /var/lib/samba/private/krb5.conf
>
>         On the client I have the default:
>         [libdefaults]
>                 default_realm = TTU.RED
>
>         # The following krb5.conf variables are only for MIT Kerberos.
>                 krb4_config = /etc/krb.conf
>                 krb4_realms = /etc/krb.realms
>                 kdc_timesync = 1
>                 ccache_type = 4
>                 forwardable = true
>                 proxiable = true
>         ........
>
>         [realms]
>                 TTU.RED = {
>                         kdc = pdc
>                         admin_server = pdc
>                 }
>         ........
>
>
>
>     Use the same krb5.conf as on the DC
>
>
> Ok copied.
>
>
>             Does /etc/krb5.keytab exist, if it does, remove it.
>
>
>         Deleted, but nothing changed.
>
>
>     You will need to try and rejoin the domain
>
>             Does /etc/resolv.conf point to the DC ?
>
>
>         Yes:
>         cat /etc/resolv.conf
>         domain TTU
>         nameserver 192.168.2.251
>
>
>     Please change /etc/resolv.conf to this:
>
>     search ttu.red
>
>     nameserver 192.168.2.251
>
>
> Changed.
>
>
>
>             Are you sure that you are using the correct password for
>             Administrator ?
>
>
>         Yes, I've even tried to change the PW to another one, and other
>         commands work fine, for example with "kinit
>         administrator at TTU.RED" and "klist -c":
>         Ticket cache: FILE:/tmp/krb5cc_0
>         Default principal: administrator at TTU.RED
>
>         Valid starting     Expires            Service principal
>         25/04/15 16:36:10  26/04/15 02:36:10 krbtgt/TTU.RED at TTU.RED
>                 renew until 26/04/15 16:36:06
>
>
>         I've linked the file shown in the log to krb5.conf:
>         ln -s /var/run/samba/smb_krb5/krb5.conf.TTU /etc/krb5.conf
>
>         I got the same error:
>         .......
>         ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>         ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>         ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>         ads_sasl_spnego_bind: got server principal name =
>         not_defined_in_RFC4178 at please_ignore
>         ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el
>         fichero o el directorio)
>         ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads]
>         expiration dom, 26 abr 2015 02:37:30 CEST
>         kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
>         credentials
>         libnet_Join:
>             libnet_JoinCtx: struct libnet_JoinCtx
>                 out: struct libnet_JoinCtx
>                     account_name             : NULL
>                     netbios_domain_name      : 'TTU'
>                     dns_domain_name          : 'ttu.red'
>                     forest_name              : 'ttu.red'
>                     dn                       : NULL
>                     domain_sid               : *
>                         domain_sid               :
>         S-1-5-21-127850397-371183867-665961664
>                     modified_config          : 0x00 (0)
>                     error_string             : 'failed to connect to
>         AD: Invalid credentials'
>                     domain_is_ad             : 0x01 (1)
>                     result                   : WERR_GENERAL_FAILURE
>         Failed to join domain: failed to connect to AD: Invalid
>         credentials
>         return code = -1
>
>         I can run commands like "net ads rpc -U "Administrator" and they
>         work fine; I can even get some AD info:
>         # net rpc info -U Administrator
>         Enter Administrator's password:
>         Domain Name: TTU
>         Domain SID: S-1-5-21-127850397-371183867-665961664
>         Sequence number: 1
>         Num users: 144
>         Num domain groups: 42
>         Num local groups: 26
>
>
>         It's strange because, as I said, if I create a new domain without
>         upgrading then I can join that domain even without krb5-client
>         installed.
>
>
>
>     What OS are you using?
>
>
> Debian 7u2
>
>     What version of samba is on the member server?
>
>
> Same as AD:
> Version 4.1.17-Debian
>
>     What packages have you installed to try and get samba working?
>
>
> Same packages, latest from wheezy-backports. The only difference is 
> that I've created a new domain instead of upgrading the old 3.6 domain.
>
>
>     Anything else relevant: apparmor, selinux, firewall etc.?
>
>
> The AD doesn't have any kind of firewall or AppArmor. I don't have AppArmor, 
> and the firewall has the basic configuration on the client. I don't know 
> about SELinux, but the default configuration has not changed.
>
> I'm starting to think it's better to create a new domain and move the 
> machines and users to the new domain.
>
> Greetings!!
>
>
>
>     Rowland
>
>
>

OK, I use Debian wheezy with samba from backports and this is how I set 
things up on a member server:

Install these packages from backports:

samba samba-common-bin samba-common samba-libs samba-vfs-modules \
samba-dsdb-modules tdb-tools libwbclient0 libsmbclient winbind \
ldb-tools zip arj mktemp acl attr quota krb5-config libnss-winbind \
libpam-winbind libpam-krb5 krb5-user

Create a smb.conf:

[global]
     workgroup = TTU
     security = ADS
     realm = TTU.RED

     dedicated keytab file = /etc/krb5.keytab
     kerberos method = secrets and keytab
     server string = Samba 4 Client %h

     winbind enum users = no
     winbind enum groups = no
     winbind use default domain = yes
     winbind expand groups = 4
     winbind nss info = rfc2307
     winbind refresh tickets = Yes
     winbind offline logon = yes
     winbind normalize names = Yes

     ## map ids outside of domain to tdb files.
     idmap config *:backend = tdb
     idmap config *:range = 2000-9999
     ## map ids from the domain; the ranges may not overlap!
     idmap config TTU : backend = ad
     idmap config TTU : schema_mode = rfc2307
     idmap config TTU : range = 10000-999999

     domain master = no
     local master = no
     preferred master = no
     os level = 20
     map to guest = bad user
     host msdfs = no

     # For ACL support on member server
     vfs objects = acl_xattr
     map acl inherit = Yes
     store dos attributes = Yes

     # Share Setting Globally
     unix extensions = no
     reset on zero vc = yes
     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
     hide unreadable = yes

Alter /etc/krb5.conf:

[libdefaults]
     default_realm = TTU.RED
     dns_lookup_realm = false
     dns_lookup_kdc = true

Make sure that the Kerberos config file /etc/krb5.conf is correct:

[libdefaults]
     default_realm = TTU.RED
     dns_lookup_realm = false
     dns_lookup_kdc = true

Make sure that /etc/resolv.conf is pointing to the domain and the AD DC:

search ttu.red
nameserver <IP_OF_SAMBA4_AD_DC>

You should now be able to join the domain:

net ads join -U Administrator

If this does not work, then it is more likely that the problem lies on 
the AD DC, unless it is something simple like blocked ports on the 
firewall; the easiest way to rule this out is to turn off the firewall 
temporarily.

Rowland
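The checks below are an added example, not part of this thread and not code from the Samba project. They turn the reply's setup steps (matching realm in smb.conf and krb5.conf, dns_lookup_kdc, a resolv.conf with search ttu.red and the DC as nameserver, and the note that the idmap ranges may not overlap) into a POSIX sh script that can be run against copies of the files before attempting net ads join. The sample files it writes are constructed from the values in this thread, including the original "domain TTU" resolv.conf from the first message, which the script flags; the assumptions are that realm, workgroup and default_realm are single-valued and that idmap ranges use Samba's low-high form.

```shell
#!/bin/sh
# Added example (not from the Samba list or project): offline pre-join
# checks for a Samba member server, modelled on the configuration in the
# reply above. Every check takes file paths so it can run on copies.
# Assumptions: "realm", "workgroup" and "default_realm" are single-valued
# and the idmap ranges use Samba's "low-high" form.

# Print the value of KEY from an ini-style FILE (first match, comments
# skipped, whitespace inside the key ignored so "idmap config TTU : range"
# and "idmap config TTU:range" are the same key). Usage: ini_value FILE KEY
ini_value() {
    awk -v want="$2" -F'=' '
        BEGIN { gsub(/[ \t]/, "", want) }
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            k = $1; gsub(/[ \t]/, "", k)
            if (tolower(k) == tolower(want)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Succeed if two "low-high" ranges share no id (the overlap smb.conf warns about).
ranges_disjoint() {
    a_lo=${1%-*}; a_hi=${1#*-}
    b_lo=${2%-*}; b_hi=${2#*-}
    [ "$a_hi" -lt "$b_lo" ] || [ "$b_hi" -lt "$a_lo" ]
}

# Run the checks; prints one FAIL line per problem and returns the count.
# Usage: prejoin_check SMB_CONF KRB5_CONF RESOLV_CONF
prejoin_check() {
    smb=$1; krb=$2; resolv=$3; fails=0
    realm=$(ini_value "$smb" realm)
    workgroup=$(ini_value "$smb" workgroup)
    # The member server must authenticate against the realm it is joining.
    if [ -z "$realm" ] || [ "$realm" != "$(ini_value "$krb" default_realm)" ]; then
        echo "FAIL: smb.conf realm '$realm' does not match krb5.conf default_realm"
        fails=$((fails + 1))
    fi
    # The KDC is found through the AD DNS records, not a static kdc= line.
    if [ "$(ini_value "$krb" dns_lookup_kdc)" != "true" ]; then
        echo "FAIL: krb5.conf needs dns_lookup_kdc = true"
        fails=$((fails + 1))
    fi
    # resolv.conf must search the AD DNS domain and point at the DC.
    realm_lc=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    search=$(awk '$1 == "search" { print $2; exit }' "$resolv")
    if [ "$search" != "$realm_lc" ]; then
        echo "FAIL: resolv.conf search '$search' should be '$realm_lc'"
        fails=$((fails + 1))
    fi
    if ! awk '$1 == "nameserver" { found = 1 } END { exit !found }' "$resolv"; then
        echo "FAIL: resolv.conf has no nameserver line for the AD DC"
        fails=$((fails + 1))
    fi
    # The default (*) and domain idmap ranges must not overlap.
    star_range=$(ini_value "$smb" 'idmap config * : range')
    dom_range=$(ini_value "$smb" "idmap config $workgroup : range")
    if [ -z "$star_range" ] || [ -z "$dom_range" ]; then
        echo "FAIL: both idmap ranges (* and $workgroup) must be set"
        fails=$((fails + 1))
    elif ! ranges_disjoint "$star_range" "$dom_range"; then
        echo "FAIL: idmap ranges $star_range and $dom_range overlap"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample files with the values from this thread, written into DIR.
write_sample_configs() {
    cat > "$1/smb.conf" <<'EOF'
[global]
     workgroup = TTU
     security = ADS
     realm = TTU.RED
     idmap config *:backend = tdb
     idmap config *:range = 2000-9999
     idmap config TTU : backend = ad
     idmap config TTU : range = 10000-999999
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
     default_realm = TTU.RED
     dns_lookup_realm = false
     dns_lookup_kdc = true
EOF
    printf 'search ttu.red\nnameserver 192.168.2.251\n' > "$1/resolv.conf"
    # The resolv.conf from the start of the thread, for comparison.
    printf 'domain TTU\nnameserver 192.168.2.251\n' > "$1/resolv.conf.old"
}

dir=$(mktemp -d)
write_sample_configs "$dir"
echo "== configuration from the reply =="
prejoin_check "$dir/smb.conf" "$dir/krb5.conf" "$dir/resolv.conf" && echo "ready for: net ads join -U Administrator"
echo "== with the original resolv.conf =="
prejoin_check "$dir/smb.conf" "$dir/krb5.conf" "$dir/resolv.conf.old" || echo "$? problem(s) found"
rm -rf "$dir"
```

To use it on a real member server, call prejoin_check with the three live files (or copies) and fix every FAIL line before running net ads join; a non-zero return is the number of problems found.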

