[Samba] I can't join the new AD server with Samba4

Daniel Carrasco Marín danielmadrid19 at gmail.com
Sat Apr 25 10:07:03 MDT 2015


Thanks for all your help.

I've got the same error, so I think maybe it is a problem related to the
upgrade. Maybe some wrong permissions or info on the old Samba server.
I'll try to create a new domain with the right data and migrate all the machines
(fortunately there are few computers). I think that is best.

Greetings!!

2015-04-25 17:44 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:

> On 25/04/15 16:24, Daniel Carrasco Marín wrote:
>
>>
>>
>> 2015-04-25 16:57 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>
>>
>>     On 25/04/15 15:44, Daniel Carrasco Marín wrote:
>>
>>
>>
>>         On the AD server I've linked the Kerberos file in the Samba folder:
>>         lrwxrwxrwx 1 root root 32 Apr 25 16:23 krb5.conf ->
>>         /var/lib/samba/private/krb5.conf
>>
>>         On the client I have the default:
>>         [libdefaults]
>>                 default_realm = TTU.RED
>>
>>         # The following krb5.conf variables are only for MIT Kerberos.
>>                 krb4_config = /etc/krb.conf
>>                 krb4_realms = /etc/krb.realms
>>                 kdc_timesync = 1
>>                 ccache_type = 4
>>                 forwardable = true
>>                 proxiable = true
>>         ........
>>
>>         [realms]
>>                 TTU.RED = {
>>                         kdc = pdc
>>                         admin_server = pdc
>>                 }
>>         ........
>>
>>
>>
>>     Use the same krb5.conf as on the DC
>>
>>
>> OK, copied.
>>
>>
>>             Does /etc/krb5.keytab exist, if it does, remove it.
>>
>>
>>         Deleted, but nothing changed.
>>
>>
>>     You will need to try and rejoin the domain
>>
>>             Does /etc/resolv.conf point to the DC ?
>>
>>
>>         Yes:
>>         cat /etc/resolv.conf
>>         domain TTU
>>         nameserver 192.168.2.251
>>
>>
>>     Please change /etc/resolv.conf to this:
>>
>>     search ttu.red
>>
>>     nameserver 192.168.2.251
>>
>>
>> Changed.
>>
>>
>>
>>             Are you sure that you are using the correct password for
>>             Administrator ?
>>
>>
>>         Yes, I've even tried to change the PW to another one, and other
>>         commands work fine, for example "kinit
>>         administrator at TTU.RED" and "klist -c":
>>         Ticket cache: FILE:/tmp/krb5cc_0
>>         Default principal: administrator at TTU.RED
>>
>>         Valid starting     Expires            Service principal
>>         25/04/15 16:36:10  26/04/15 02:36:10 krbtgt/TTU.RED at TTU.RED
>>                 renew until 26/04/15 16:36:06
>>
>>
>>         I've linked the file shown in the log to krb5.conf:
>>         ln -s /var/run/samba/smb_krb5/krb5.conf.TTU /etc/krb5.conf
>>
>>         I got the same error:
>>         .......
>>         ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>>         ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>>         ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>>         ads_sasl_spnego_bind: got server principal name =
>>         not_defined_in_RFC4178 at please_ignore
>>         ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
>>         directory)
>>         ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads]
>>         expiration Sun, 26 Apr 2015 02:37:30 CEST
>>         kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
>>         credentials
>>         libnet_Join:
>>             libnet_JoinCtx: struct libnet_JoinCtx
>>                 out: struct libnet_JoinCtx
>>                     account_name             : NULL
>>                     netbios_domain_name      : 'TTU'
>>                     dns_domain_name          : 'ttu.red'
>>                     forest_name              : 'ttu.red'
>>                     dn                       : NULL
>>                     domain_sid               : *
>>                         domain_sid               :
>>         S-1-5-21-127850397-371183867-665961664
>>                     modified_config          : 0x00 (0)
>>                     error_string             : 'failed to connect to
>>         AD: Invalid credentials'
>>                     domain_is_ad             : 0x01 (1)
>>                     result                   : WERR_GENERAL_FAILURE
>>         Failed to join domain: failed to connect to AD: Invalid
>>         credentials
>>         return code = -1
>>
>>         I can run commands like "net ads rpc -U Administrator" and they
>>         work fine; I can even get some AD info:
>>         # net rpc info -U Administrator
>>         Enter Administrator's password:
>>         Domain Name: TTU
>>         Domain SID: S-1-5-21-127850397-371183867-665961664
>>         Sequence number: 1
>>         Num users: 144
>>         Num domain groups: 42
>>         Num local groups: 26
>>
>>
>>         It's strange because, as I said, if I create a new domain without
>>         upgrading then I can join that domain even without krb5-client
>>         installed.
>>
>>
>>
>>     what OS are you using ?
>>
>>
>> Debian 7u2
>>
>>     what version of samba on the member server ?
>>
>>
>> Same as AD:
>> Version 4.1.17-Debian
>>
>>     What packages have you installed to try and get samba working
>>
>>
>> Same packages, latest from wheezy-backports. The only difference is that
>> I've created a new domain instead of upgrading the old 3.6 domain.
>>
>>
>>     anything else relevant, apparmor, selinux, firewall etc  ?
>>
>>
>> The AD doesn't have any kind of firewall or AppArmor. I don't have AppArmor,
>> and the firewall has the basic configuration on the client. I don't know about
>> SELinux, but the default configuration has not changed.
>>
>> I'm starting to think it is better to create a new domain and move the
>> machines and users to the new domain.
>>
>> Greetings!!
>>
>>
>>
>>     Rowland
>>
>>     --
>>     To unsubscribe from this list go to the following URL and read the
>>     instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
> OK, I use Debian Wheezy with Samba from backports and this is how I set
> things up on a member server:
>
> Install these packages from backports:
>
> samba samba-common-bin samba-common samba-libs samba-vfs-modules \
> samba-dsdb-modules tdb-tools libwbclient0 libsmbclient winbind \
> ldb-tools zip arj mktemp acl attr quota krb5-config libnss-winbind \
> libpam-winbind libpam-krb5 krb5-user
>
> Create a smb.conf:
>
> [global]
>     workgroup = TTU
>     security = ADS
>     realm = TTU.RED
>
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     server string = Samba 4 Client %h
>
>     winbind enum users = no
>     winbind enum groups = no
>     winbind use default domain = yes
>     winbind expand groups = 4
>     winbind nss info = rfc2307
>     winbind refresh tickets = Yes
>     winbind offline logon = yes
>     winbind normalize names = Yes
>
>     ## map ids outside of domain to tdb files.
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     ## map ids from the domain  the ranges may not overlap !
>     idmap config TTU : backend = ad
>     idmap config TTU : schema_mode = rfc2307
>     idmap config TTU : range = 10000-999999
>
>     domain master = no
>     local master = no
>     preferred master = no
>     os level = 20
>     map to guest = bad user
>     host msdfs = no
>
>     # For ACL support on member server
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
>     # Share Setting Globally
>     unix extensions = no
>     reset on zero vc = yes
>     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>     hide unreadable = yes
>
> Alter /etc/krb5.conf so that the Kerberos config is correct:
>
> [libdefaults]
>     default_realm = TTU.RED
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> Make sure that /etc/resolv.conf is pointing to the domain and the AD DC:
>
> search ttu.red
> nameserver <IP_OF_SAMBA4_AD_DC>
>
> You should now be able to join the domain:
>
> net ads join -U Administrator
>
> If this does not work, then it is more likely that the problem lies on the
> AD DC, unless it is something simple like blocked ports on the firewall;
> the easiest way to rule this out is to turn off the firewall temporarily.
>
>
> Rowland
>
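
The member-server procedure Rowland quotes above hinges on three files agreeing with each other: the realm in smb.conf, the default realm and KDC lookup in krb5.conf, and the search domain and nameserver in resolv.conf. The script below, as an added example that is not part of the thread and not code from the Samba project, checks those files for the mismatches the thread turned up (`domain TTU` instead of `search ttu.red`, a KDC pinned by short name) before anyone runs `net ads join`. The sample files are constructed from what is shown in the thread; the poster never pasted his smb.conf, so a minimal one is assumed, the `dc_ip` parameter is an assumed convenience, and the "missing `dns_lookup_kdc` means true" rule is MIT Kerberos' documented default.

```python
"""Pre-flight consistency check of smb.conf, krb5.conf and resolv.conf on a
Samba AD member before `net ads join`. Added example, not code from the
thread or from Samba; the parsers are minimal (no `include`, no quoting) and
the sample files below are constructed from what the thread shows."""
import re


def parse_ini(text):
    """{section: {key: value}}; keys lower-cased, krb5.conf brace blocks such
    as `TTU.RED = { kdc = pdc }` flattened to `ttu.red.kdc`."""
    conf, section, stack = {}, None, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section, stack = m.group(1).strip().lower(), []
            conf.setdefault(section, {})
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = " ".join(key.split()).lower(), value.strip()
        if value == "{":  # start of a krb5.conf realm block
            stack.append(key)
            continue
        conf[section][".".join(stack + [key])] = value
    return conf


def parse_resolv(text):
    """resolv.conf -> {'domain': str|None, 'search': [...], 'nameserver': [...]}."""
    out = {"domain": None, "search": [], "nameserver": []}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "nameserver":
            out["nameserver"].extend(args)
        elif kw == "search":
            out["search"] = args
        elif kw == "domain" and args:
            out["domain"] = args[0]
    return out


def preflight(smb_conf, krb5_conf, resolv_conf, dc_ip=None):
    """Return findings (empty list == files agree). dc_ip (assumed helper
    argument) is the AD DC that must be among the member's nameservers."""
    smb = parse_ini(smb_conf).get("global", {})
    krb = parse_ini(krb5_conf)
    res = parse_resolv(resolv_conf)
    found = []
    realm = smb.get("realm", "")
    if smb.get("security", "").lower() != "ads":
        found.append("smb.conf: security must be ADS for a domain member")
    if not realm:
        found.append("smb.conf: realm is not set")
    elif realm != realm.upper():
        found.append("smb.conf: realm %r must be the upper-case Kerberos realm" % realm)
    lib = krb.get("libdefaults", {})
    if lib.get("default_realm") != realm:
        found.append("krb5.conf: default_realm %r differs from smb.conf realm %r"
                     % (lib.get("default_realm"), realm))
    # MIT's documented default for dns_lookup_kdc is true; only an explicit
    # "false" with no static kdc entry leaves the client unable to find a KDC.
    dns_kdc = lib.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    if not dns_kdc and not krb.get("realms", {}).get(realm.lower() + ".kdc"):
        found.append("krb5.conf: dns_lookup_kdc is off and [realms] has no kdc for %s" % realm)
    # The member must search the realm's DNS domain (the lower-cased realm)
    # and use the DC as resolver so AD names and SRV records resolve.
    dns_domain = realm.lower()
    search = res["search"] or ([res["domain"]] if res["domain"] else [])
    if dns_domain and dns_domain not in search:
        found.append("resolv.conf: search/domain %r does not include %r" % (search, dns_domain))
    if not res["nameserver"]:
        found.append("resolv.conf: no nameserver; the AD DC must be the resolver")
    elif dc_ip and dc_ip not in res["nameserver"]:
        found.append("resolv.conf: nameservers %r do not include the DC %s" % (res["nameserver"], dc_ip))
    return found


# --- constructed samples; the poster's smb.conf is not in the thread ---------
MEMBER_SMB_CONF = "[global]\n workgroup = TTU\n security = ADS\n realm = TTU.RED\n"
POSTED_KRB5_CONF = ("[libdefaults]\n default_realm = TTU.RED\n forwardable = true\n"
                    "[realms]\n TTU.RED = {\n  kdc = pdc\n  admin_server = pdc\n }\n")
POSTED_RESOLV_CONF = "domain TTU\nnameserver 192.168.2.251\n"
FIXED_KRB5_CONF = ("[libdefaults]\n default_realm = TTU.RED\n"
                   " dns_lookup_realm = false\n dns_lookup_kdc = true\n")
FIXED_RESOLV_CONF = "search ttu.red\nnameserver 192.168.2.251\n"

if __name__ == "__main__":
    for label, k, r in (("posted", POSTED_KRB5_CONF, POSTED_RESOLV_CONF),
                        ("advised", FIXED_KRB5_CONF, FIXED_RESOLV_CONF)):
        print(label, preflight(MEMBER_SMB_CONF, k, r, dc_ip="192.168.2.251") or "ok")
```

Run against the files as posted, the only finding is the resolv.conf one (`domain TTU` names the NetBIOS domain, not the DNS domain `ttu.red`); with Rowland's krb5.conf and resolv.conf it reports nothing. A clean result only says the files agree; it does not prove the DC is reachable, that the clock is within Kerberos skew, or that the firewall passes the join, which is why the thread's last resort is to turn the firewall off temporarily.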

