[Samba] I can't join the new AD server with Samba4
Rowland Penny
rowlandpenny at googlemail.com
Sat Apr 25 10:56:21 MDT 2015
On 25/04/15 17:24, Daniel Carrasco Marín wrote:
> Hi,
>
> The smb.conf is the default after the upgrade:
> cat /etc/samba/smb.conf
> # Global parameters
> [global]
> workgroup = TTU
> realm = ttu.red
> netbios name = PDC
> interfaces = lo, eth0
> bind interfaces only = Yes
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /server/samba/sysvol/ttu.red/scripts
> read only = No
>
> [sysvol]
> path = /server/samba/sysvol
> read only = No
>
Hmm, don't know if it means anything, but you say you are using Debian,
so why is the path to sysvol '/server/samba' and not '/var/lib/samba'?
Can you post the output of 'samba -b'?
Rowland
> and yes, it has a fixed IP.
>
> I don't know if it is important, but the DNS backend is Bind 9.9. I've
> tested the DNS with "samba_dnsupdate --verbose" and it looks fine:
> IPs: ['192.168.2.251']
> Looking for DNS entry A pdc.ttu.red 192.168.2.251 as pdc.ttu.red.
> Looking for DNS entry A ttu.red 192.168.2.251 as ttu.red.
> Looking for DNS entry SRV _ldap._tcp.ttu.red pdc.ttu.red 389 as
> _ldap._tcp.ttu.red.
> Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.ttu.red
> pdc.ttu.red 389
> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.ttu.red pdc.ttu.red 389
> as _ldap._tcp.dc._msdcs.ttu.red.
> Checking 0 100 389 pdc.ttu.red. against SRV
> _ldap._tcp.dc._msdcs.ttu.red pdc.ttu.red 389
> Looking for DNS entry SRV
> _ldap._tcp.981b82ce-75a3-453f-a1b1-140194960bac.domains._msdcs.ttu.red
> pdc.ttu.red 389 as
> _ldap._tcp.981b82ce-75a3-453f-a1b1-140194960bac.domains._msdcs.ttu.red.
> Checking 0 100 389 pdc.ttu.red. against SRV
> _ldap._tcp.981b82ce-75a3-453f-a1b1-140194960bac.domains._msdcs.ttu.red
> pdc.ttu.red 389
> Looking for DNS entry SRV _kerberos._tcp.ttu.red pdc.ttu.red 88 as
> _kerberos._tcp.ttu.red.
> Checking 0 100 88 pdc.ttu.red. against SRV _kerberos._tcp.ttu.red
> pdc.ttu.red 88
> Looking for DNS entry SRV _kerberos._udp.ttu.red pdc.ttu.red 88 as
> _kerberos._udp.ttu.red.
> Checking 0 100 88 pdc.ttu.red. against SRV _kerberos._udp.ttu.red
> pdc.ttu.red 88
> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.ttu.red pdc.ttu.red
> 88 as _kerberos._tcp.dc._msdcs.ttu.red.
> Checking 0 100 88 pdc.ttu.red. against SRV
> _kerberos._tcp.dc._msdcs.ttu.red pdc.ttu.red 88
> Looking for DNS entry SRV _kpasswd._tcp.ttu.red pdc.ttu.red 464 as
> _kpasswd._tcp.ttu.red.
> Checking 0 100 464 pdc.ttu.red. against SRV _kpasswd._tcp.ttu.red
> pdc.ttu.red 464
> Looking for DNS entry SRV _kpasswd._udp.ttu.red pdc.ttu.red 464 as
> _kpasswd._udp.ttu.red.
> Checking 0 100 464 pdc.ttu.red. against SRV _kpasswd._udp.ttu.red
> pdc.ttu.red 464
> Looking for DNS entry CNAME
> 00b7f230-fa13-4e51-9e36-0c95360029a5._msdcs.ttu.red pdc.ttu.red as
> 00b7f230-fa13-4e51-9e36-0c95360029a5._msdcs.ttu.red.
> Looking for DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 389 as
> _ldap._tcp.Default-First-Site-Name._sites.ttu.red.
> Checking 0 100 389 pdc.ttu.red. against SRV
> _ldap._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 389
> Looking for DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red
> pdc.ttu.red 389 as
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red.
> Checking 0 100 389 pdc.ttu.red. against SRV
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red
> pdc.ttu.red 389
> Looking for DNS entry SRV
> _kerberos._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 88
> as _kerberos._tcp.Default-First-Site-Name._sites.ttu.red.
> Checking 0 100 88 pdc.ttu.red. against SRV
> _kerberos._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 88
> Looking for DNS entry SRV
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red
> pdc.ttu.red 88 as
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red.
> Checking 0 100 88 pdc.ttu.red. against SRV
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red
> pdc.ttu.red 88
> Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.ttu.red pdc.ttu.red
> 389 as _ldap._tcp.pdc._msdcs.ttu.red.
> Checking 0 100 389 pdc.ttu.red. against SRV
> _ldap._tcp.pdc._msdcs.ttu.red pdc.ttu.red 389
> Looking for DNS entry A gc._msdcs.ttu.red 192.168.2.251 as
> gc._msdcs.ttu.red.
> Looking for DNS entry SRV _gc._tcp.ttu.red pdc.ttu.red 3268 as
> _gc._tcp.ttu.red.
> Checking 0 100 3268 pdc.ttu.red. against SRV _gc._tcp.ttu.red
> pdc.ttu.red 3268
> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.ttu.red pdc.ttu.red
> 3268 as _ldap._tcp.gc._msdcs.ttu.red.
> Checking 0 100 3268 pdc.ttu.red. against SRV
> _ldap._tcp.gc._msdcs.ttu.red pdc.ttu.red 3268
> Looking for DNS entry SRV
> _gc._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 3268 as
> _gc._tcp.Default-First-Site-Name._sites.ttu.red.
> Checking 0 100 3268 pdc.ttu.red. against SRV
> _gc._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 3268
> Looking for DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ttu.red
> pdc.ttu.red 3268 as
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ttu.red.
> Checking 0 100 3268 pdc.ttu.red. against SRV
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ttu.red
> pdc.ttu.red 3268
> Looking for DNS entry A DomainDnsZones.ttu.red 192.168.2.251 as
> DomainDnsZones.ttu.red.
> Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.ttu.red
> pdc.ttu.red 389 as _ldap._tcp.DomainDnsZones.ttu.red.
> Checking 0 100 389 pdc.ttu.red. against SRV
> _ldap._tcp.DomainDnsZones.ttu.red pdc.ttu.red 389
> Looking for DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ttu.red
> pdc.ttu.red 389 as
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ttu.red.
> Checking 0 100 389 pdc.ttu.red. against SRV
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ttu.red
> pdc.ttu.red 389
> Looking for DNS entry A ForestDnsZones.ttu.red 192.168.2.251 as
> ForestDnsZones.ttu.red.
> Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.ttu.red
> pdc.ttu.red 389 as _ldap._tcp.ForestDnsZones.ttu.red.
> Checking 0 100 389 pdc.ttu.red. against SRV
> _ldap._tcp.ForestDnsZones.ttu.red pdc.ttu.red 389
> Looking for DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ttu.red
> pdc.ttu.red 389 as
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ttu.red.
> Checking 0 100 389 pdc.ttu.red. against SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ttu.red
> pdc.ttu.red 389
> No DNS updates needed
>
> The krb5.conf is the linked version:
> [libdefaults]
> default_realm = TTU.RED
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
>
> and I can join the AD and use the RSAT tools with a Windows machine.
>
> Greetings!!
>
> 2015-04-25 18:11 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>
> On 25/04/15 17:07, Daniel Carrasco Marín wrote:
>
> Thanks for all your help.
>
> I've got the same error, so I think maybe it is a problem
> related to the upgrade. Maybe some wrong permissions or info on the
> old Samba server.
> I'll try to create a new domain with the right data and migrate
> all machines (fortunately there are few computers). I think that is the best.
>
> Greetings!!
>
> 2015-04-25 17:44 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>
> On 25/04/15 16:24, Daniel Carrasco Marín wrote:
>
>
>
> 2015-04-25 16:57 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>
>
> On 25/04/15 15:44, Daniel Carrasco Marín wrote:
>
>
>
> On the AD server I've linked the Kerberos file in the Samba folder:
> lrwxrwxrwx 1 root root 32 Apr 25 16:23 krb5.conf -> /var/lib/samba/private/krb5.conf
>
> On the client I have the default:
> [libdefaults]
> default_realm = TTU.RED
>
> # The following krb5.conf variables are only for MIT Kerberos.
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> ........
>
> [realms]
> TTU.RED = {
> kdc = pdc
> admin_server = pdc
> }
> ........
>
>
>
> Use the same krb5.conf as on the DC
>
>
> Ok copied.
>
>
> Does /etc/krb5.keytab exist? If it does, remove it.
>
>
> Deleted, but nothing changed.
>
>
> You will need to try and rejoin the domain
>
> Does /etc/resolv.conf point to the DC ?
>
>
> Yes:
> cat /etc/resolv.conf
> domain TTU
> nameserver 192.168.2.251
>
>
> Please change /etc/resolv.conf to this:
>
> search ttu.red
>
> nameserver 192.168.2.251
>
>
> Changed.
>
>
>
> Are you sure that you are using the correct
> password for
> Administrator ?
>
>
> Yes, I've even tried to change the PW to another one, and other
> commands work fine, for example "kinit administrator at TTU.RED" and "klist -c":
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at TTU.RED
>
> Valid starting     Expires            Service principal
> 25/04/15 16:36:10  26/04/15 02:36:10  krbtgt/TTU.RED at TTU.RED
> renew until 26/04/15 16:36:06
>
>
> I've linked the file shown in the log to krb5.conf:
> ln -s /var/run/samba/smb_krb5/krb5.conf.TTU /etc/krb5.conf
>
> I got the same error:
> .......
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore
> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Sun, 26 Apr 2015 02:37:30 CEST
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : NULL
> netbios_domain_name : 'TTU'
> dns_domain_name : 'ttu.red'
> forest_name : 'ttu.red'
> dn : NULL
> domain_sid : *
> domain_sid : S-1-5-21-127850397-371183867-665961664
> modified_config : 0x00 (0)
> error_string : 'failed to connect to AD: Invalid credentials'
> domain_is_ad : 0x01 (1)
> result : WERR_GENERAL_FAILURE
> Failed to join domain: failed to connect to AD: Invalid credentials
> return code = -1
>
> I can run commands like 'net ads rpc -U "Administrator"' and they work fine; I can even get some AD info:
> # net rpc info -U Administrator
> Enter Administrator's password:
> Domain Name: TTU
> Domain SID: S-1-5-21-127850397-371183867-665961664
>
> Sequence number: 1
> Num users: 144
> Num domain groups: 42
> Num local groups: 26
>
>
> It's strange because, as I said, if I create a new domain without
> upgrading then I can join that domain even without krb5-client
> installed.
>
>
>
> What OS are you using?
>
>
> Debian 7u2
>
> What version of Samba is on the member server?
>
>
> Same as AD:
> Version 4.1.17-Debian
>
> What packages have you installed to try and get Samba working?
>
>
> Same packages, latest from wheezy-backports. The only
> difference is that I've created a new domain instead of upgrading
> the old 3.6 domain.
>
>
> Anything else relevant: AppArmor, SELinux, firewall, etc.?
>
>
> The AD doesn't have any kind of firewall or AppArmor. I don't have
> AppArmor, and the firewall has the basic configuration on the
> client. I don't know about SELinux, but the default configuration
> has not changed.
>
> I'm starting to think it is better to create a new domain and
> move the machines and users to the new domain.
>
> Greetings!!
>
>
>
> Rowland
>
> -- To unsubscribe from this list go to the
> following
> URL and read the
> instructions:
> https://lists.samba.org/mailman/options/samba
>
>
>
> OK, I use Debian wheezy with Samba from backports and this is how
> I set things up on a member server:
>
> Install these packages from backports:
>
> samba samba-common-bin samba-common samba-libs samba-vfs-modules \
> samba-dsdb-modules tdb-tools libwbclient0 libsmbclient winbind \
> ldb-tools zip arj mktemp acl attr quota krb5-config libnss-winbind \
> libpam-winbind libpam-krb5 krb5-user
>
> Create a smb.conf:
>
> [global]
> workgroup = TTU
> security = ADS
> realm = TTU.RED
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = Samba 4 Client %h
>
> winbind enum users = no
> winbind enum groups = no
> winbind use default domain = yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind offline logon = yes
> winbind normalize names = Yes
>
> ## map ids outside of domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> ## map ids from the domain the ranges may not overlap !
> idmap config TTU : backend = ad
> idmap config TTU : schema_mode = rfc2307
> idmap config TTU : range = 10000-999999
>
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> map to guest = bad user
> host msdfs = no
>
> # For ACL support on member server
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> # Share Setting Globally
> unix extensions = no
> reset on zero vc = yes
> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> hide unreadable = yes
>
> alter /etc/krb5.conf
>
> [libdefaults]
> default_realm = TTU.RED
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> Make sure that the kerberos config file /etc/krb5.conf is
> correct
>
> [libdefaults]
> default_realm = TTU.RED
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> Make sure that /etc/resolv.conf is pointing to the domain and the
> AD DC:
>
> search ttu.red
> nameserver <IP_OF_SAMBA4_AD_DC>
>
> You should now be able to join the domain:
>
> net ads join -U Administrator
>
> If this does not work, then it is more likely that the problem
> lies on the AD DC, unless it is something simple like blocked
> ports on the firewall; the easiest way to rule this out is to
> turn off the firewall temporarily.
>
>
> Rowland
>
>
>
> OK, but before you do, you could check the AD DC; could you post
> the smb.conf from the DC?
> Does the DC have a fixed IP?
>
>
> Rowland
>
>
>
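The member-server procedure Rowland lays out in the quoted reply (resolv.conf, krb5.conf, smb.conf, then 'net ads join') comes down to a handful of file checks that are easy to get wrong, and two of them show up in this very thread: a 'domain TTU' line where 'search ttu.red' belongs, and idmap ranges that must not overlap. The script below is an added example, not code from the thread or from the Samba project. It runs those checks offline against named files, using the thread's own DNS domain (ttu.red), realm (TTU.RED) and DC address (192.168.2.251); the sample files it writes under mktemp are constructed to mirror the thread, not copies of real hosts. It does not replace the live checks (DNS SRV lookups, clock skew, kinit) that still need the DC reachable.

```sh
#!/bin/sh
# Added example (not code from the thread or from Samba): offline sanity checks
# for a Samba member server before "net ads join", covering the config points
# raised in the thread. Nothing here touches the network; each check returns
# 0 (ok) or 1 (problem) and explains the problem on stderr.

# Print the first value of KEY in an ini-style file, minus trailing comments.
# usage: conf_value FILE KEY
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*[#;].*$//; s/[[:space:]]*$//' | head -n 1
}

# /etc/resolv.conf must say "search <dns domain>" (not "domain <NetBIOS name>")
# and its first nameserver must be the AD DC, which serves the SRV records.
# usage: check_resolv_conf FILE DNS_DOMAIN DC_IP
check_resolv_conf() {
    f=$1; dom=$2; dc=$3; rc=0
    if grep -Eq '^[[:space:]]*domain[[:space:]]' "$f"; then
        echo "resolv.conf: replace the 'domain' line with 'search $dom'" >&2; rc=1
    fi
    awk -v d="$dom" '$1 == "search" { for (i = 2; i <= NF; i++) if (tolower($i) == d) ok = 1 }
                     END { if (ok) exit 0; exit 1 }' "$f" \
        || { echo "resolv.conf: missing 'search $dom'" >&2; rc=1; }
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$f")
    [ "$first" = "$dc" ] \
        || { echo "resolv.conf: first nameserver is '$first', expected the DC $dc" >&2; rc=1; }
    return $rc
}

# /etc/krb5.conf: default_realm is the upper-case realm and the KDC is found
# through DNS SRV records rather than a hand-written [realms] entry.
# usage: check_krb5_conf FILE REALM
check_krb5_conf() {
    f=$1; realm=$2; rc=0
    [ "$(conf_value "$f" default_realm)" = "$realm" ] \
        || { echo "krb5.conf: default_realm must be $realm" >&2; rc=1; }
    [ "$(conf_value "$f" dns_lookup_kdc)" = "true" ] \
        || { echo "krb5.conf: set dns_lookup_kdc = true" >&2; rc=1; }
    return $rc
}

# smb.conf: every "idmap config <dom> : range = lo-hi" must be ascending and
# no two ranges may overlap (the "*" tdb range vs the domain's "ad" range).
# usage: check_idmap_ranges SMBCONF
check_idmap_ranges() {
    awk '
    /^[ \t]*idmap[ \t]+config[ \t]+[^:]*:[ \t]*range[ \t]*=/ {
        line = $0
        sub(/^[ \t]*idmap[ \t]+config[ \t]+/, "", line)
        split(line, kv, "=")
        dom = kv[1]; sub(/[ \t]*:.*$/, "", dom); gsub(/[ \t]/, "", dom)
        rng = kv[2]; gsub(/[ \t]/, "", rng)
        if (split(rng, b, "-") != 2 || b[1] + 0 > b[2] + 0) {
            printf "smb.conf: bad idmap range for %s: %s\n", dom, rng | "cat 1>&2"
            bad = 1; next
        }
        n++; name[n] = dom; lo[n] = b[1] + 0; hi[n] = b[2] + 0
    }
    END {
        for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
            if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                printf "smb.conf: idmap ranges overlap: %s (%d-%d) vs %s (%d-%d)\n",
                       name[i], lo[i], hi[i], name[j], lo[j], hi[j] | "cat 1>&2"
                bad = 1
            }
        if (bad) exit 1
        exit 0
    }' "$1"
}

# Run all three checks; file arguments default to the live system files.
# usage: prejoin_check DNS_DOMAIN DC_IP [RESOLV_CONF] [KRB5_CONF] [SMB_CONF]
prejoin_check() {
    dom=$1; dc=$2; status=0
    realm=$(printf '%s' "$dom" | tr '[:lower:]' '[:upper:]')
    check_resolv_conf "${3:-/etc/resolv.conf}" "$dom" "$dc" || status=1
    check_krb5_conf "${4:-/etc/krb5.conf}" "$realm" || status=1
    check_idmap_ranges "${5:-/etc/samba/smb.conf}" || status=1
    [ "$status" -eq 0 ] && echo "config looks sane; check clock skew against the DC, then: net ads join -U Administrator"
    return $status
}

# Constructed sample files mirroring the thread (not real hosts); prints the dir.
make_demo_files() {
    d=$(mktemp -d)
    printf 'domain TTU\nnameserver 192.168.2.251\n' > "$d/resolv.bad"
    printf 'search ttu.red\nnameserver 192.168.2.251\n' > "$d/resolv.good"
    printf '[libdefaults]\n\tdefault_realm = TTU.RED\n\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n' > "$d/krb5.conf"
    printf '[global]\n   idmap config *:backend = tdb\n   idmap config *:range = 2000-9999\n   idmap config TTU : backend = ad\n   idmap config TTU : range = 10000-999999\n' > "$d/smb.conf"
    printf '[global]\n   idmap config *:range = 2000-9999\n   idmap config TTU : range = 9000-999999\n' > "$d/smb.overlap"
    echo "$d"
}

demo=$(make_demo_files)
prejoin_check ttu.red 192.168.2.251 "$demo/resolv.bad" "$demo/krb5.conf" "$demo/smb.conf" \
    || echo "(the thread's original resolv.conf is rejected, as expected)"
prejoin_check ttu.red 192.168.2.251 "$demo/resolv.good" "$demo/krb5.conf" "$demo/smb.conf"
```

Run it as-is to see the thread's original resolv.conf ('domain TTU') rejected and the corrected one accepted; call prejoin_check with only the DNS domain and DC address to check the live /etc files on a member server before attempting the join. The idmap check deliberately treats adjacent but non-overlapping ranges (2000-9999 and 10000-999999, as in Rowland's smb.conf) as fine and only complains when two ranges share an ID.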