[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain

Rowland Penny rowlandpenny at googlemail.com
Mon Jun 8 05:21:28 MDT 2015


On 08/06/15 10:42, ivenhov wrote:
> Thanks all for helping with this and for script
> Still no luck though.
>
> I've modified the scripts as they had some bugs; my output and the modified
> versions are at the end.
> As I mentioned, I don't have any issues with joining samba 4.1 or 4.2 in the
> lab, only on that site.
>
>>> if so, try the following.
>>> in resolv.conf, add
>>> search mynat.myco.bcu myco.bcu
> I haven't tried that yet. Will do next.
>
> There is myco.bcu domain along with mynat.myco.bcu, I'm not sure if that
> makes it more tricky.
> In the meantime there were some firewall issues discovered and fixed
> (filtering of the IPs connecting to LDAP ports). Issue persists though.
>
> I don't have full access unfortunately to see exactly what's happening on AD
> but I can make necessary changes on samba box.
>
> At this point I'm thinking the error:
> Failed to join domain: failed to connect to AD: Cannot contact any KDC for
> requested realm
>
> is bogus and the real problem lies somewhere else (shown by the results
> WERR_DEFAULT_JOIN_REQUIRED and WERR_GENERAL_FAILURE)
>
>>> Could it be that allowing a normal user to join computers has been
>>> turned off ?
> Yes it is possible. But apparently my user should have enough permission (I'm
> sceptical).
> Does the user doing the join have to be a Domain Admin, or is only permission to
> create objects in the OU necessary?
> How can I check via the command line if the user has enough permissions?
>
> In my lab I get WERR_DEFAULT_JOIN_REQUIRED when the user is not a Domain Admin.
>
> Here are my results and modified scripts.
>
>
> m at serv1602:~$ ./script1.sh
> Content of /etc/resolv.conf
> ------------------------
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 10.80.8.88
> nameserver 10.80.96.13
> nameserver 10.80.96.17
> ------------------------------------------------
>
> Content of /etc/hosts
> ------------------------
> 127.0.0.1       localhost
> 10.80.100.74    serv1602.mynat.myco.bcu serv1602
> 10.80.8.88      dc1001.mynat.myco.bcu
> 10.80.137.41    dc1003.mynat.myco.bcu
> ------------------------------------------------
>
> Content of /etc/hostname
> ------------------------
> serv1602.mynat.myco.bcu
> ------------------------------------------------
>
> Local names
> ------------------------
> domain:  mynat.myco.bcu
> host long: serv1602.mynat.myco.bcu
> host short: serv1602
> ------------------------------------------------
> test 1
> testing of : host -t SRV _ldap._tcp.mynat.myco.bcu. : ok
> test 2
> testing of : host -t SRV _kerberos._udp.mynat.myco.bcu. : ok
> test3
> testing of : host -t A serv1602.mynat.myco.bcu. : ok
> ------------------------------------------------
>
>
> domain:  mynat.myco.bcu
> host: serv1602.mynat.myco.bcu
> host short: serv1602
> m at serv1602:~$
> m at serv1602:~$
> m at serv1602:~$ ./script2.sh
> myco.bcu
> testing of : host -t SRV _ldap._tcp.myco.bcu. : ok
> testing of : host -t SRV _kerberos._udp.myco.bcu. : ok
> testing of : host -t A serv1602.mynat.myco.bcu. : ok
> m at serv1602:~$
> m at serv1602:~$ cat ./script1.sh
> #!/bin/bash
> # Show the resolver configuration and check the DNS records a domain join needs.
>
> echo "Content of /etc/resolv.conf"
> echo "------------------------"
> cat /etc/resolv.conf
> echo "------------------------------------------------"
>
> echo -e "\nContent of /etc/hosts"
> echo "------------------------"
> cat /etc/hosts
> echo "------------------------------------------------"
>
> echo -e "\nContent of /etc/hostname"
> echo "------------------------"
> cat /etc/hostname
> echo "------------------------------------------------"
>
> SETDNSDOMAIN=$(hostname -d)
> SETHOSTNAME=$(hostname -f)
> SETSHORTHOSTNAME=$(hostname -s)
>
> echo -e "\nLocal names"
> echo "------------------------"
> echo "domain: $SETDNSDOMAIN"
> echo "host long: $SETHOSTNAME"
> echo "host short: $SETSHORTHOSTNAME"
> echo "------------------------------------------------"
>
> # host(1) only prints "has SRV record" / "has address" when the record exists,
> # so NXDOMAIN, "has no SRV record", SERVFAIL and timeouts all count as FAILED.
> echo "test 1"
> if host -t SRV "_ldap._tcp.${SETDNSDOMAIN}." | grep -q 'has SRV record'; then
>     echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : ok"
> else
>     echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : FAILED"
> fi
>
> echo "test 2"
> if host -t SRV "_kerberos._udp.${SETDNSDOMAIN}." | grep -q 'has SRV record'; then
>     echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : ok"
> else
>     echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : FAILED"
> fi
>
> echo "test3"
> if host -t A "${SETSHORTHOSTNAME}.${SETDNSDOMAIN}." | grep -q 'has address'; then
>     echo "testing of : host -t A ${SETSHORTHOSTNAME}.${SETDNSDOMAIN}. : ok"
> else
>     echo "testing of : host -t A ${SETSHORTHOSTNAME}.${SETDNSDOMAIN}. : FAILED"
> fi
>
> echo -e "------------------------------------------------\n\n"
>
> echo "domain: $SETDNSDOMAIN"
> echo "host: $SETHOSTNAME"
> echo "host short: $SETSHORTHOSTNAME"
> m at serv1602:~$
> m at serv1602:~$ cat ./script2.sh
> #!/bin/bash
> # Same checks, but against the parent domain myco.bcu instead of the host's own DNS domain.
>
> SETDNSDOMAIN="myco.bcu"
> SETHOSTNAME=$(hostname -f)
>
> echo "$SETDNSDOMAIN"
> if host -t SRV "_ldap._tcp.${SETDNSDOMAIN}." | grep -q 'has SRV record'; then
>     echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : ok"
> else
>     echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : FAILED"
> fi
> if host -t SRV "_kerberos._udp.${SETDNSDOMAIN}." | grep -q 'has SRV record'; then
>     echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : ok"
> else
>     echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : FAILED"
> fi
> if host -t A "${SETHOSTNAME}." | grep -q 'has address'; then
>     echo "testing of : host -t A ${SETHOSTNAME}. : ok"
> else
>     echo "testing of : host -t A ${SETHOSTNAME}. : FAILED"
> fi
> m at serv1602:~$
>
> --
> View this message in context: http://samba.2283325.n4.nabble.com/Cannot-join-Ubuntu12-04-Samba-4-1-17-to-domain-tp4684555p4686918.html
> Sent from the Samba - General mailing list archive at Nabble.com.

There was another instance similar to this over the weekend, everything 
seemed to be ok, but a DC join couldn't find the original DC. This 
turned out to be a firewall issue, so could this be your problem ?

Rowland
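As an added example (not from this thread or from the Samba project), a pre-join check that goes one step past the scripts quoted above: after resolving the SRV records it also opens a TCP connection to every DC they advertise, so the firewall case Rowland describes (DNS answers fine, Kerberos or LDAP port blocked) shows up as a failed target instead of a misleading "Cannot contact any KDC". It assumes bash, host(1) and coreutils timeout, and takes the realm (e.g. mynat.myco.bcu) as its first argument.

```shell
#!/bin/bash
# Added example: pre-join check for an AD realm. Confirms the SRV records the
# joiner needs exist AND that each advertised DC answers on the port the record
# names. Assumes bash, host(1) and coreutils timeout. Usage: ./adcheck.sh REALM

# srv_targets: read `host -t SRV` output on stdin, print one "host port" line per
# record. Exits 1 when no record is present (NXDOMAIN, "has no SRV record",
# SERVFAIL and timeouts all produce no matching line).
srv_targets() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF, $(NF-1); found = 1 }
         END { if (!found) exit 1 }'
}

# tcp_open HOST PORT: succeed only if a TCP connect completes within 3 seconds.
# A name that resolves but a connect that fails is the firewall signature.
tcp_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_service REALM SERVICE PROTO: resolve _SERVICE._PROTO.REALM and probe
# every target. Returns the number of targets that could not be reached.
check_service() {
    realm=$1; svc=$2; proto=$3; bad=0
    name="_${svc}._${proto}.${realm}."
    if ! targets=$(host -t SRV "$name" | srv_targets); then
        echo "FAILED: no SRV records for $name" >&2
        return 1
    fi
    while read -r dc port; do
        if tcp_open "$dc" "$port"; then
            echo "ok: $name -> $dc:$port reachable"
        else
            echo "FAILED: $name -> $dc:$port (DNS ok, TCP blocked or DC down)" >&2
            bad=$((bad + 1))
        fi
    done <<EOF
$targets
EOF
    return "$bad"
}

# ad_precheck REALM: the two lookups a join depends on; non-zero means fix DNS
# or the firewall before retrying "net ads join".
ad_precheck() {
    rc=0
    check_service "$1" ldap tcp || rc=1       # LDAP on every DC
    check_service "$1" kerberos tcp || rc=1   # KDC, TCP 88
    return "$rc"
}
if [ $# -gt 0 ]; then ad_precheck "$1"; else echo "usage: $0 REALM" >&2; fi
```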

