[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
Rowland Penny
rowlandpenny at googlemail.com
Mon Jun 8 06:10:58 MDT 2015
On 08/06/15 13:08, L.P.H. van Belle wrote:
> Hai,
>
> After reading all below I can only conclude this must be firewalling, as Rowland is saying also.
>
> Check if all of these ports are accessible for the server you're trying to join.
>
> tcp 0 0 192.168.X.1:1024 0.0.0.0:* LISTEN 2146/samba
> tcp 0 0 192.168.X.1:135 0.0.0.0:* LISTEN 2146/samba
> tcp 0 0 192.168.X.1:139 0.0.0.0:* LISTEN 2147/smbd
> tcp 0 0 192.168.X.1:3268 0.0.0.0:* LISTEN 2162/samba
> tcp 0 0 192.168.X.1:3269 0.0.0.0:* LISTEN 2162/samba
> tcp 0 0 192.168.X.1:389 0.0.0.0:* LISTEN 2162/samba
> tcp 0 0 192.168.X.1:42 0.0.0.0:* LISTEN 2157/samba
> tcp 0 0 192.168.X.1:445 0.0.0.0:* LISTEN 2147/smbd
> tcp 0 0 192.168.X.1:464 0.0.0.0:* LISTEN 2170/samba
> tcp 0 0 192.168.X.1:636 0.0.0.0:* LISTEN 2162/samba
> tcp 0 0 192.168.X.1:88 0.0.0.0:* LISTEN 2170/samba
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: rowlandpenny at googlemail.com
>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Monday 8 June 2015 13:21
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
>>
>> On 08/06/15 10:42, ivenhov wrote:
>>> Thanks all for helping with this and for script
>>> Still no luck though.
>>>
>>> I've modified scripts as they had some bugs, my output and modified version
>>> at the end.
>>> As I mentioned, I don't have any issues with joining samba 4.1 or 4.2 in the
>>> lab, only on that site.
>>>
>>>>> if so, try the following.
>>>>> in resolv.conf, add
>>>>> search mynat.myco.bcu myco.bcu
>>> I haven't tried that yet. Will do next.
>>>
>>> There is myco.bcu domain along with mynat.myco.bcu, I'm not sure if that
>>> makes it more tricky.
>>> In the meantime there were some firewall issues discovered and fixed
>>> (filtering of the IPs connecting to LDAP ports). Issue persists though.
>>> I don't have full access unfortunately to see exactly what's happening on AD
>>> but I can make necessary changes on samba box.
>>>
>>> At this point I'm thinking error:
>>> Failed to join domain: failed to connect to AD: Cannot contact any KDC for requested realm
>>>
>>> is bogus and the real problem lies somewhere else (shown by result
>>> WERR_DEFAULT_JOIN_REQUIRED and WERR_GENERAL_FAILURE)
>>>
>>>>> Could it be that allowing a normal user to join computers has been
>>>>> turned off ?
>>> Yes it is possible. But apparently my user should have enough permission (I'm
>>> sceptical)
>>> Does the user doing the join have to be Domain Admin, or is only permission to
>>> create objects in the OU necessary?
>>> How can I check via command line if the user has enough permissions?
>>>
>>> In my lab I get WERR_DEFAULT_JOIN_REQUIRED when user is not DomainAdmin.
>>> Here are my results and modified scripts.
>>>
>>>
>>> m at serv1602:~$ ./script1.sh
>>> Content of /etc/resolv.conf
>>> ------------------------
>>> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
>>> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
>>> nameserver 10.80.8.88
>>> nameserver 10.80.96.13
>>> nameserver 10.80.96.17
>>> ------------------------------------------------
>>>
>>> Content of /etc/hosts
>>> ------------------------
>>> 127.0.0.1 localhost
>>> 10.80.100.74 serv1602.mynat.myco.bcu serv1602
>>> 10.80.8.88 dc1001.mynat.myco.bcu
>>> 10.80.137.41 dc1003.mynat.myco.bcu
>>> ------------------------------------------------
>>>
>>> Content of /etc/hostname
>>> ------------------------
>>> serv1602.mynat.myco.bcu
>>> ------------------------------------------------
>>>
>>> Local names
>>> ------------------------
>>> domain: mynat.myco.bcu
>>> host long: serv1602.mynat.myco.bcu
>>> host short: serv1602
>>> ------------------------------------------------
>>> test 1
>>> testing of : host -t SRV _ldap._tcp.mynat.myco.bcu. : ok
>>> test 2
>>> testing of : host -t SRV _kerberos._udp.mynat.myco.bcu. : ok
>>> test3
>>> testing of : host -t A serv1602.mynat.myco.bcu. : ok
>>> ------------------------------------------------
>>>
>>>
>>> domain: mynat.myco.bcu
>>> host: serv1602.mynat.myco.bcu
>>> host short: serv1602
>>> m at serv1602:~$
>>> m at serv1602:~$
>>> m at serv1602:~$ ./script2.sh
>>> myco.bcu
>>> testing of : host -t SRV _ldap._tcp.myco.bcu. : ok
>>> testing of : host -t SRV _kerberos._udp.myco.bcu. : ok
>>> testing of : host -t A serv1602.mynat.myco.bcu. : ok
>>> m at serv1602:~$
>>> m at serv1602:~$
>>> m at serv1602:~$
>>> m at serv1602:~$
>>> m at serv1602:~$
>>> m at serv1602:~$ cat ./script1.sh
>>> #!/bin/bash
>>>
>>> echo "Content of /etc/resolv.conf"
>>> echo -e "------------------------"
>>> cat /etc/resolv.conf
>>> echo -e "------------------------------------------------"
>>>
>>> echo -e "\nContent of /etc/hosts"
>>> echo -e "------------------------"
>>> cat /etc/hosts
>>> echo -e "------------------------------------------------"
>>>
>>> echo -e "\nContent of /etc/hostname"
>>> echo -e "------------------------"
>>> cat /etc/hostname
>>> echo -e "------------------------------------------------"
>>>
>>> SETDNSDOMAIN=`hostname -d`
>>> SETHOSTNAME=`hostname -f`
>>> SETSHORTHOSTNAME=`hostname -s`
>>>
>>> echo -e "\nLocal names"
>>> echo -e "------------------------"
>>> echo "domain: " $SETDNSDOMAIN
>>> echo "host long:" $SETHOSTNAME
>>> echo "host short:" $SETSHORTHOSTNAME
>>> echo -e "------------------------------------------------"
>>>
>>> echo "test 1"
>>> if [ -z "`host -t SRV _ldap._tcp.${SETDNSDOMAIN}. | grep 'not found'`" ];
>>> then
>>> echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : ok"
>>> else
>>> echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : FAILED"
>>> fi
>>>
>>> echo "test 2"
>>> if [ -z "`host -t SRV _kerberos._udp.${SETDNSDOMAIN}. | grep "not found" `" ]; then
>>> echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : ok";
>>> else
>>> echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : FAILED";
>>> fi
>>>
>>> echo "test3"
>>> if [ -z "`host -t A ${SETSHORTHOSTNAME}.${SETDNSDOMAIN}. | grep "not found" `" ]; then
>>> echo "testing of : host -t A ${SETSHORTHOSTNAME}.${SETDNSDOMAIN}. : ok";
>>> else
>>> echo "testing of : host -t A ${SETSHORTHOSTNAME}.${SETDNSDOMAIN}. : FAILED";
>>> fi
>>>
>>> echo -e "------------------------------------------------\n\n"
>>>
>>> echo "domain: " $SETDNSDOMAIN
>>> echo "host:" $SETHOSTNAME
>>> echo "host short:" $SETSHORTHOSTNAME
>>> m at serv1602:~$
>>> m at serv1602:~$
>>> m at serv1602:~$
>>> m at serv1602:~$
>>> m at serv1602:~$ cat ./script2.sh
>>> #!/bin/bash
>>>
>>> SETDNSDOMAIN="myco.bcu"
>>> SETHOSTNAME=`hostname -f`
>>>
>>> echo $SETDNSDOMAIN
>>> if [ -z "`host -t SRV _ldap._tcp.${SETDNSDOMAIN}. | grep 'not found'`" ];
>>> then
>>> echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : ok"
>>> else
>>> echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : FAILED"
>>> fi
>>> if [ -z "`host -t SRV _kerberos._udp.${SETDNSDOMAIN}. | grep "not found" `" ]; then
>>> echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : ok";
>>> else
>>> echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : FAILED";
>>> fi
>>> if [ -z "`host -t A ${SETHOSTNAME}. | grep "not found" `" ]; then
>>> echo "testing of : host -t A ${SETHOSTNAME}. : ok";
>>> else
>>> echo "testing of : host -t A ${SETHOSTNAME}. : FAILED";
>>> fi
>>> m at serv1602:~$
>>>
>>>
>>>
>>>
>> There was another instance similar to this over the weekend, everything
>> seemed to be ok, but a DC join couldn't find the original DC. This
>> turned out to be a firewall issue, so could this be your problem?
>>
>> Rowland
Even easier way, turn off the firewall on the DC, if it now works, it is
the firewall :-)
Rowland
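
The port list Louis posted, turned into a reachability check to run from the machine being joined. This is an added example, not part of the original thread; the DC address is passed as an argument, and `listening_ports`, `probe_tcp`, `blocked_ports`, `PROBE` and the script name are names made up here.

```shell
#!/bin/sh
# Added example (not from the thread): from the joining host, test whether
# the TCP ports listed for the DC are reachable through any firewall.

# Listing copied from the thread (netstat -tlnp style, address masked there).
LISTING='tcp 0 0 192.168.X.1:1024 0.0.0.0:* LISTEN 2146/samba
tcp 0 0 192.168.X.1:135 0.0.0.0:* LISTEN 2146/samba
tcp 0 0 192.168.X.1:139 0.0.0.0:* LISTEN 2147/smbd
tcp 0 0 192.168.X.1:3268 0.0.0.0:* LISTEN 2162/samba
tcp 0 0 192.168.X.1:3269 0.0.0.0:* LISTEN 2162/samba
tcp 0 0 192.168.X.1:389 0.0.0.0:* LISTEN 2162/samba
tcp 0 0 192.168.X.1:42 0.0.0.0:* LISTEN 2157/samba
tcp 0 0 192.168.X.1:445 0.0.0.0:* LISTEN 2147/smbd
tcp 0 0 192.168.X.1:464 0.0.0.0:* LISTEN 2170/samba
tcp 0 0 192.168.X.1:636 0.0.0.0:* LISTEN 2162/samba
tcp 0 0 192.168.X.1:88 0.0.0.0:* LISTEN 2170/samba'

# Print the unique listening TCP ports found in netstat output on stdin.
listening_ports() {
    awk '$1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -n | uniq | paste -sd ' ' -
}

# Return 0 if a TCP connect to host $1 port $2 succeeds within 3 seconds.
# Assumes bash (for /dev/tcp) and coreutils timeout are installed.
probe_tcp() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Print the ports (args 2..n) on host $1 that could not be reached.
# PROBE may name a replacement probe function, e.g. for offline testing.
blocked_ports() (
    host=$1; shift
    blocked=""
    for port in "$@"; do
        "${PROBE:-probe_tcp}" "$host" "$port" || blocked="$blocked $port"
    done
    echo "${blocked# }"
)

# Usage: ./dc_ports.sh <dc-address>   (hypothetical script name)
if [ -n "${1:-}" ]; then
    ports=$(printf '%s\n' "$LISTING" | listening_ports)
    blocked=$(blocked_ports "$1" $ports)
    echo "unreachable TCP ports on $1: ${blocked:-none}"
fi
```

Kerberos and kpasswd (88 and 464) are also used over UDP, which this TCP-only check does not cover.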