[Samba] I can't join the new AD server with Samba4

Daniel Carrasco Marín danielmadrid19 at gmail.com
Sat Apr 25 10:24:32 MDT 2015


Hi,

The smb.conf is the default after the upgrade:
cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = TTU
        realm = ttu.red
        netbios name = PDC
        interfaces = lo, eth0
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /server/samba/sysvol/ttu.red/scripts
        read only = No

[sysvol]
        path = /server/samba/sysvol
        read only = No

and yes, it has a fixed IP.

I don't know if it is important, but the DNS backend is Bind 9.9. I've tested
the DNS with "samba_dnsupdate --verbose" and it looks fine:
IPs: ['192.168.2.251']
Looking for DNS entry A pdc.ttu.red 192.168.2.251 as pdc.ttu.red.
Looking for DNS entry A ttu.red 192.168.2.251 as ttu.red.
Looking for DNS entry SRV _ldap._tcp.ttu.red pdc.ttu.red 389 as
_ldap._tcp.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.ttu.red pdc.ttu.red
389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.ttu.red pdc.ttu.red 389 as
_ldap._tcp.dc._msdcs.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.dc._msdcs.ttu.red
pdc.ttu.red 389
Looking for DNS entry SRV
_ldap._tcp.981b82ce-75a3-453f-a1b1-140194960bac.domains._msdcs.ttu.red
pdc.ttu.red 389 as
_ldap._tcp.981b82ce-75a3-453f-a1b1-140194960bac.domains._msdcs.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV
_ldap._tcp.981b82ce-75a3-453f-a1b1-140194960bac.domains._msdcs.ttu.red
pdc.ttu.red 389
Looking for DNS entry SRV _kerberos._tcp.ttu.red pdc.ttu.red 88 as
_kerberos._tcp.ttu.red.
Checking 0 100 88 pdc.ttu.red. against SRV _kerberos._tcp.ttu.red
pdc.ttu.red 88
Looking for DNS entry SRV _kerberos._udp.ttu.red pdc.ttu.red 88 as
_kerberos._udp.ttu.red.
Checking 0 100 88 pdc.ttu.red. against SRV _kerberos._udp.ttu.red
pdc.ttu.red 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.ttu.red pdc.ttu.red 88
as _kerberos._tcp.dc._msdcs.ttu.red.
Checking 0 100 88 pdc.ttu.red. against SRV _kerberos._tcp.dc._msdcs.ttu.red
pdc.ttu.red 88
Looking for DNS entry SRV _kpasswd._tcp.ttu.red pdc.ttu.red 464 as
_kpasswd._tcp.ttu.red.
Checking 0 100 464 pdc.ttu.red. against SRV _kpasswd._tcp.ttu.red
pdc.ttu.red 464
Looking for DNS entry SRV _kpasswd._udp.ttu.red pdc.ttu.red 464 as
_kpasswd._udp.ttu.red.
Checking 0 100 464 pdc.ttu.red. against SRV _kpasswd._udp.ttu.red
pdc.ttu.red 464
Looking for DNS entry CNAME
00b7f230-fa13-4e51-9e36-0c95360029a5._msdcs.ttu.red pdc.ttu.red as
00b7f230-fa13-4e51-9e36-0c95360029a5._msdcs.ttu.red.
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ttu.red
pdc.ttu.red 389 as _ldap._tcp.Default-First-Site-Name._sites.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV
_ldap._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 389
Looking for DNS entry SRV
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red pdc.ttu.red 389
as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red pdc.ttu.red 389
Looking for DNS entry SRV
_kerberos._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 88 as
_kerberos._tcp.Default-First-Site-Name._sites.ttu.red.
Checking 0 100 88 pdc.ttu.red. against SRV
_kerberos._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 88
Looking for DNS entry SRV
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red pdc.ttu.red
88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red.
Checking 0 100 88 pdc.ttu.red. against SRV
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red pdc.ttu.red
88
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.ttu.red pdc.ttu.red 389 as
_ldap._tcp.pdc._msdcs.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.pdc._msdcs.ttu.red
pdc.ttu.red 389
Looking for DNS entry A gc._msdcs.ttu.red 192.168.2.251 as
gc._msdcs.ttu.red.
Looking for DNS entry SRV _gc._tcp.ttu.red pdc.ttu.red 3268 as
_gc._tcp.ttu.red.
Checking 0 100 3268 pdc.ttu.red. against SRV _gc._tcp.ttu.red pdc.ttu.red
3268
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.ttu.red pdc.ttu.red 3268 as
_ldap._tcp.gc._msdcs.ttu.red.
Checking 0 100 3268 pdc.ttu.red. against SRV _ldap._tcp.gc._msdcs.ttu.red
pdc.ttu.red 3268
Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.ttu.red
pdc.ttu.red 3268 as _gc._tcp.Default-First-Site-Name._sites.ttu.red.
Checking 0 100 3268 pdc.ttu.red. against SRV
_gc._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 3268
Looking for DNS entry SRV
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ttu.red pdc.ttu.red
3268 as _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ttu.red.
Checking 0 100 3268 pdc.ttu.red. against SRV
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ttu.red pdc.ttu.red 3268
Looking for DNS entry A DomainDnsZones.ttu.red 192.168.2.251 as
DomainDnsZones.ttu.red.
Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.ttu.red pdc.ttu.red 389
as _ldap._tcp.DomainDnsZones.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV
_ldap._tcp.DomainDnsZones.ttu.red pdc.ttu.red 389
Looking for DNS entry SRV
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ttu.red
pdc.ttu.red 389 as
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ttu.red
pdc.ttu.red 389
Looking for DNS entry A ForestDnsZones.ttu.red 192.168.2.251 as
ForestDnsZones.ttu.red.
Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.ttu.red pdc.ttu.red 389
as _ldap._tcp.ForestDnsZones.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV
_ldap._tcp.ForestDnsZones.ttu.red pdc.ttu.red 389
Looking for DNS entry SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ttu.red
pdc.ttu.red 389 as
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ttu.red
pdc.ttu.red 389
No DNS updates needed

The krb5.conf is the linked version:
[libdefaults]
        default_realm = TTU.RED
        dns_lookup_realm = false
        dns_lookup_kdc = true


and I can join the AD and use the RSAT tools from a Windows machine.

Greetings!!

2015-04-25 18:11 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:

> On 25/04/15 17:07, Daniel Carrasco Marín wrote:
>
>> Thanks for all your help.
>>
>> I've got the same error, so I think maybe it is a problem related to the
>> upgrade. Maybe some wrong permissions or info on the old Samba server.
>> I'll try to create a new domain with the right data and migrate all machines
>> (fortunately there are few computers). I think that is the best.
>>
>> Greetings!!
>>
>> 2015-04-25 17:44 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>
>>     On 25/04/15 16:24, Daniel Carrasco Marín wrote:
>>
>>
>>
>>         2015-04-25 16:57 GMT+02:00 Rowland Penny
>>         <rowlandpenny at googlemail.com>:
>>
>>
>>             On 25/04/15 15:44, Daniel Carrasco Marín wrote:
>>
>>
>>
>>                 On the AD server I've linked the Kerberos file in the Samba
>>         folder:
>>                 lrwxrwxrwx 1 root root 32 Apr 25 16:23 krb5.conf -> /var/lib/samba/private/krb5.conf
>>
>>                 On the client I have the default:
>>                 [libdefaults]
>>                         default_realm = TTU.RED
>>
>>                 # The following krb5.conf variables are only for MIT Kerberos.
>>                         krb4_config = /etc/krb.conf
>>                         krb4_realms = /etc/krb.realms
>>                         kdc_timesync = 1
>>                         ccache_type = 4
>>                         forwardable = true
>>                         proxiable = true
>>                 ........
>>
>>                 [realms]
>>                         TTU.RED = {
>>                                 kdc = pdc
>>                                 admin_server = pdc
>>                         }
>>                 ........
>>
>>
>>
>>             Use the same krb5.conf as on the DC
>>
>>
>>         Ok copied.
>>
>>
>>                     Does /etc/krb5.keytab exist, if it does, remove it.
>>
>>
>>                 Deleted, but nothing changed.
>>
>>
>>             You will need to try and rejoin the domain
>>
>>                     Does /etc/resolv.conf point to the DC ?
>>
>>
>>                 Yes:
>>                 cat /etc/resolv.conf
>>                 domain TTU
>>                 nameserver 192.168.2.251
>>
>>
>>             Please change /etc/resolv.conf to this:
>>
>>             search ttu.red
>>
>>             nameserver 192.168.2.251
>>
>>
>>         Changed.
>>
>>
>>
>>                     Are you sure that you are using the correct password for
>>                     Administrator?
>>
>>
>>                 Yes, I've even tried to change the PW to another one, and other
>>                 commands work fine, for example "kinit
>>                 administrator at TTU.RED" and "klist -c":
>>                 Ticket cache: FILE:/tmp/krb5cc_0
>>                 Default principal: administrator at TTU.RED
>>
>>                 Valid starting     Expires            Service principal
>>                 25/04/15 16:36:10  26/04/15 02:36:10  krbtgt/TTU.RED at TTU.RED
>>                         renew until 26/04/15 16:36:06
>>
>>
>>                 I've linked the file shown in the log to krb5.conf:
>>                 ln -s /var/run/samba/smb_krb5/krb5.conf.TTU /etc/krb5.conf
>>
>>                 I got the same error:
>>                 .......
>>                 ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>>                 ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>>                 ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>>                 ads_sasl_spnego_bind: got server principal name =
>>                 not_defined_in_RFC4178 at please_ignore
>>                 ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
>>                 ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Sun, 26 Apr 2015 02:37:30 CEST
>>                 kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
>>                 libnet_Join:
>>                     libnet_JoinCtx: struct libnet_JoinCtx
>>                         out: struct libnet_JoinCtx
>>                             account_name             : NULL
>>                             netbios_domain_name      : 'TTU'
>>                             dns_domain_name          : 'ttu.red'
>>                             forest_name              : 'ttu.red'
>>                             dn                       : NULL
>>                             domain_sid               : *
>>                                 domain_sid               : S-1-5-21-127850397-371183867-665961664
>>                             modified_config          : 0x00 (0)
>>                             error_string             : 'failed to connect to AD: Invalid credentials'
>>                             domain_is_ad             : 0x01 (1)
>>                             result                   : WERR_GENERAL_FAILURE
>>                 Failed to join domain: failed to connect to AD: Invalid credentials
>>                 return code = -1
>>
>>                 I can run commands like "net ads rpc -U Administrator" and
>>                 they work fine; I can even get some AD info:
>>                 # net rpc info -U Administrator
>>                 Enter Administrator's password:
>>                 Domain Name: TTU
>>                 Domain SID: S-1-5-21-127850397-371183867-665961664
>>
>>                 Sequence number: 1
>>                 Num users: 144
>>                 Num domain groups: 42
>>                 Num local groups: 26
>>
>>
>>                 It is strange because, as I said, if I create a new domain
>>                 without upgrading then I can join that domain even without
>>                 krb5-client installed.
>>
>>
>>
>>             what OS are you using ?
>>
>>
>>         Debian 7u2
>>
>>             what version of samba on the member server ?
>>
>>
>>         Same as AD:
>>         Version 4.1.17-Debian
>>
>>             What packages have you installed to try and get samba working
>>
>>
>>         Same packages, latest from wheezy-backports. The only
>>         difference is that I've created a new domain instead of
>>         upgrading the old 3.6 domain.
>>
>>
>>             anything else relevant, apparmor, selinux, firewall etc  ?
>>
>>
>>         The AD doesn't have any kind of firewall or AppArmor. I don't have
>>         AppArmor, and the firewall has the basic configuration on the
>>         client. I don't know about SELinux, but the default
>>         configuration has not changed.
>>
>>         I'm starting to think it is better to create a new domain and
>>         move the machines and users to the new domain.
>>
>>         Greetings!!
>>
>>
>>
>>             Rowland
>>
>>             --     To unsubscribe from this list go to the following
>>         URL and read the
>>             instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
>>     OK, I use debian wheezy with samba from backports and this is how
>>     I set things up on a member server:
>>
>>     Install these packages from backports:
>>
>>     samba samba-common-bin samba-common samba-libs samba-vfs-modules \
>>     samba-dsdb-modules tdb-tools libwbclient0 libsmbclient winbind \
>>     ldb-tools zip arj mktemp acl attr quota krb5-config libnss-winbind \
>>     libpam-winbind libpam-krb5 krb5-user
>>
>>     Create a smb.conf:
>>
>>     [global]
>>         workgroup = TTU
>>         security = ADS
>>         realm = TTU.RED
>>
>>         dedicated keytab file = /etc/krb5.keytab
>>         kerberos method = secrets and keytab
>>         server string = Samba 4 Client %h
>>
>>         winbind enum users = no
>>         winbind enum groups = no
>>         winbind use default domain = yes
>>         winbind expand groups = 4
>>         winbind nss info = rfc2307
>>         winbind refresh tickets = Yes
>>         winbind offline logon = yes
>>         winbind normalize names = Yes
>>
>>         ## map ids outside of domain to tdb files.
>>         idmap config *:backend = tdb
>>         idmap config *:range = 2000-9999
>>         ## map ids from the domain  the ranges may not overlap !
>>         idmap config TTU : backend = ad
>>         idmap config TTU : schema_mode = rfc2307
>>         idmap config TTU : range = 10000-999999
>>
>>         domain master = no
>>         local master = no
>>         preferred master = no
>>         os level = 20
>>         map to guest = bad user
>>         host msdfs = no
>>
>>         # For ACL support on member server
>>         vfs objects = acl_xattr
>>         map acl inherit = Yes
>>         store dos attributes = Yes
>>
>>         # Share Setting Globally
>>         unix extensions = no
>>         reset on zero vc = yes
>>         veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>>         hide unreadable = yes
>>
>>     alter /etc/krb5.conf
>>
>>     [libdefaults]
>>         default_realm = TTU.RED
>>         dns_lookup_realm = false
>>         dns_lookup_kdc = true
>>
>>     Make sure that the kerberos config file /etc/krb5.conf is correct
>>
>>     [libdefaults]
>>         default_realm = TTU.RED
>>         dns_lookup_realm = false
>>         dns_lookup_kdc = true
>>
>>     Make sure that /etc/resolv.conf is pointing to the domain and the
>>     AD DC:
>>
>>     search ttu.red
>>     nameserver <IP_OF_SAMBA4_AD_DC>
>>
>>     You should now be able to join the domain:
>>
>>     net ads join -U Administrator
>>
>>     If this does not work, then it is more likely that the problem
>>     lies on the AD DC, unless it is something simple like blocked
>>     ports on the firewall; the easiest way to rule this out is to
>>     turn off the firewall temporarily.
>>
>>
>>     Rowland
>>
>>
>>
> OK, but before you do, you could check the AD DC, could you post the
> smb.conf from the DC ?
> Does the DC have a fixed ip ?
>
>
> Rowland
>
>
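As an added example that is not part of the thread or of Samba itself, the following POSIX shell script turns the member-server setup Rowland describes (smb.conf with security = ADS and non-overlapping idmap ranges, a krb5.conf whose default_realm matches, and a resolv.conf whose search entry is the DNS domain rather than the NetBIOS name) into offline checks. The configuration texts embedded in it are constructed copies of the files posted above; the function names are my own, and nothing here reads real files or talks to the network.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: offline sanity checks for
# the member-server configuration Rowland describes. The three inputs are
# constructed copies of the files posted in the thread (smb.conf, krb5.conf and
# the two resolv.conf variants); no file paths or network access are used.

MEMBER_SMBCONF='[global]
    workgroup = TTU
    security = ADS
    realm = TTU.RED
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config TTU : backend = ad
    idmap config TTU : schema_mode = rfc2307
    idmap config TTU : range = 10000-999999
'

KRB5CONF='[libdefaults]
    default_realm = TTU.RED
    dns_lookup_realm = false
    dns_lookup_kdc = true
'

# The resolv.conf Daniel had (NetBIOS name as domain) and the one Rowland asked for.
RESOLV_BAD='domain TTU
nameserver 192.168.2.251
'
RESOLV_GOOD='search ttu.red
nameserver 192.168.2.251
'

# conf_get TEXT KEY: print the value of KEY in smb.conf/krb5.conf syntax.
# Whitespace around '=' and ':' is normalised, so "idmap config TTU : range"
# is looked up as "idmap config TTU:range".
conf_get() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            gsub(/[ \t]*:[ \t]*/, ":", k)
            if (k == key) {
                v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# idmap_ranges_ok TEXT: succeed only if every "idmap config <dom>:range" is
# disjoint from the others (the "ranges may not overlap" note in the thread;
# overlapping ranges make winbind hand out colliding UIDs/GIDs).
idmap_ranges_ok() {
    printf '%s\n' "$1" | awk -F= '
        BEGIN { n = 0 }
        /^[ \t]*idmap config/ {
            k = $1; gsub(/[ \t]/, "", k)
            if (k ~ /:range$/) {
                v = $2; gsub(/[ \t]/, "", v)
                split(v, r, "-"); lo[n] = r[1] + 0; hi[n] = r[2] + 0; n++
            }
        }
        END {
            for (i = 0; i < n; i++)
                for (j = i + 1; j < n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) exit 1
            exit 0
        }'
}

# resolv_search_ok RESOLV DNSDOMAIN: the search/domain entry must contain the
# DNS domain of the realm (ttu.red), not the NetBIOS name (TTU), or short
# names like "pdc" and DNS-based KDC lookup will not resolve.
resolv_search_ok() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$1" | awk -v want="$want" '
        tolower($1) == "search" || tolower($1) == "domain" {
            for (i = 2; i <= NF; i++) if (tolower($i) == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# member_config_ok SMBCONF KRB5CONF RESOLV: run every check, print "ok" or the
# first problem found, and return non-zero on any problem.
member_config_ok() {
    sec=$(conf_get "$1" security | tr '[:lower:]' '[:upper:]')
    realm=$(conf_get "$1" realm | tr '[:lower:]' '[:upper:]')
    krb_realm=$(conf_get "$2" default_realm | tr '[:lower:]' '[:upper:]')
    [ "$sec" = "ADS" ] || { echo "security must be ADS on a member server"; return 1; }
    [ -n "$realm" ] || { echo "realm missing from smb.conf"; return 1; }
    [ "$realm" = "$krb_realm" ] || { echo "smb.conf realm $realm != krb5 default_realm $krb_realm"; return 1; }
    [ "$(conf_get "$2" dns_lookup_kdc)" = "true" ] || { echo "dns_lookup_kdc should be true"; return 1; }
    idmap_ranges_ok "$1" || { echo "idmap ranges overlap"; return 1; }
    resolv_search_ok "$3" "$realm" || { echo "resolv.conf search domain does not match realm"; return 1; }
    echo ok
}

# Usage: Daniel's original resolv.conf fails the last check, the corrected one passes.
member_config_ok "$MEMBER_SMBCONF" "$KRB5CONF" "$RESOLV_BAD" || :
member_config_ok "$MEMBER_SMBCONF" "$KRB5CONF" "$RESOLV_GOOD"
```

The checks are deliberately static: they catch the mistakes that "net ads join" reports only indirectly (a realm mismatch or an unresolvable KDC both surface as a Kerberos or "Invalid credentials" failure), but they say nothing about the DC side, which is where Rowland points when a clean member configuration still cannot join.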

