[Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...
L.P.H. van Belle
belle at bazuin.nl
Tue Nov 17 16:19:50 UTC 2015
You're using a samba3 config on a samba 4.
Change your config based on:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
Gr,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Schuyler Bishop
> Sent: Tuesday 17 November 2015 17:11
> To: samba at lists.samba.org
> Subject: [Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...
>
> Greetings,
>
> Long-time but very occasional samba user here with a new challenge (well
> for me at least).
>
> The basics are that on the domain join, the computer account gets created
> but throws the dns error which based on my searching seems non-fatal.
> wbinfo -t gives me a succeeded, wbinfo -a klm.com\\me --ntlmv2 works fine
> but yet the net ads testjoin fails. Logs on the domain controller show "A
> Kerberos authentication ticket (TGT) was requested." with an Audit Success
> after I run the testjoin that fails.
>
> The AD guys tell me that hij.klm.com is the subdomain that the computer
> account exists in (hence the createcomputer string in the join) and user
> accounts exist in klm.com including my account that I was using to do the
> join (me at klm.com).
>
> I did a tcpdump on the testjoin and pulled it into wireshark and I see it
> contacting (amongst other things) all of the AD servers in both domains on
> 88/UDP and getting replies so it doesn't smell like a firewall issue.
>
> Thanks in advance for any help.
>
> Here's the edited and redacted output from the join (the computer account
> already existed as you can see):
>
> # net ads join createcomputer="OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com" -U me@klm.com -d 1
> Enter me@KLM.COM's password:
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> in: struct libnet_JoinCtx
> dc_name : NULL
> machine_name : 'this'
> domain_name : *
> domain_name : 'HIJ.KLM.COM'
> account_ou : 'OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
> admin_account : 'me@KLM.COM'
> machine_password : NULL
> join_flags : 0x00000023 (35)
> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> something = something-else
> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> os_version : NULL
> os_name : NULL
> create_upn : 0x00 (0)
> upn : NULL
> modify_config : 0x00 (0)
> ads : NULL
> debug : 0x01 (1)
> use_kerberos : 0x00 (0)
> secure_channel_type : SEC_CHAN_WKSTA (2)
> The machine account already exists in the specified OU.
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : NULL
> netbios_domain_name : 'HIJ'
> dns_domain_name : 'hij.klm.com'
> forest_name : 'klm.com'
> dn : 'CN=THIS,OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
> domain_sid : *
> domain_sid : *REDACTED*
> modified_config : 0x00 (0)
> error_string : NULL
> domain_is_ad : 0x01 (1)
> result : WERR_OK
> Using short domain name -- HIJ
> Joined 'THIS' to dns domain 'hij.klm.com'
> kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC for requested realm
> DNS update failed: kinit failed: Cannot contact any KDC for requested realm
>
> And here's the output from my testjoin:
>
> # net ads testjoin -d 3
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> added interface eth0 ip=x.x.x.x bcast=x.x.x.y netmask=255.255.255.0
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> get_dc_list: preferred server list: ", *"
> Successfully contacted LDAP server a.b.c.d
> get_dc_list: preferred server list: ", *"
> get_dc_list: preferred server list: ", *"
> get_dc_list: preferred server list: ", *"
> Successfully contacted LDAP server a.b.c.d
> get_dc_list: preferred server list: ", *"
> get_dc_list: preferred server list: ", *"
> resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM<0x20>
> resolve_wins: WINS server resolution selected and no WINS servers listed.
> resolve_hosts: Attempting host lookup for name AD1.HIJ.KLM.COM<0x20>
> Successfully contacted LDAP server a.b.c.d
> Connected to LDAP server ad1.hij.klm.com
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
> kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC for requested realm
> ads_connect: Cannot contact any KDC for requested realm
> Join to domain is not valid: No logon servers
> return code = -1
>
> My krb5.conf:
>
> [libdefaults]
> ticket_lifetime = 24h
> default_realm = HIJ.KLM.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> krb4_config = /etc/krb.conf
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
>
> [realms]
> HIJ.KLM.COM = {
> kdc = ad1.hij.klm.com
> kdc = ad2.hij.klm.com
> admin_server = ad.hij.klm.com
> default_domain = hij.klm.com
> }
>
> [domain_realm]
> .xyz.hij.klm.com = HIJ.KLM.COM
> .hij.klm.com = HIJ.KLM.COM
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
> My smb.conf:
>
> [global]
>
> workgroup = hij
> netbios name = this
> security = ADS
> realm = HIJ.KLM.COM
> server string = XYZ server (Samba, Ubuntu)
> dns proxy = no
> printcap name = /etc/printcap
> load printers = no
> log file = /var/log/samba/log.%m
> log level = 1
> max log size = 1000
> dedicated keytab file = /etc/krb5.keytab
> encrypt passwords = yes
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> server role = standalone server
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = no
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = no
> map to guest = bad user
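The mismatch Louis points at can be checked mechanically. The script below is an added example, not code from the thread or from the Samba project: it parses an smb.conf (here a constructed sample reduced from the one quoted above) and lists the standalone-server options that have no place in an AD domain member, following the wiki page linked in the reply; it assumes, per the smb.conf manual, that `dedicated keytab file` only takes effect when `kerberos method` is set.

```python
# Added example: checker for samba3-style settings in an AD member smb.conf.
import configparser
import io

# Constructed sample, reduced from the smb.conf quoted in the post.
SAMPLE_SMB_CONF = """
[global]
workgroup = hij
netbios name = this
security = ADS
realm = HIJ.KLM.COM
dedicated keytab file = /etc/krb5.keytab
server role = standalone server
passdb backend = tdbsam
unix password sync = no
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {option: value}} with normalised option names."""
    cp = configparser.RawConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = lambda k: " ".join(k.lower().split())  # 'Server  Role' -> 'server role'
    cp.read_file(io.StringIO(text))
    return {s: dict(cp.items(s)) for s in cp.sections()}

def check_ad_member(conf):
    """Return findings for a config meant to be an AD domain member (security = ADS)."""
    g = conf.get("global", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        return ["security is not ADS; this is not an AD member configuration"]
    role = g.get("server role", "").lower()
    if role and role != "member server":
        findings.append(f"server role = {role} conflicts with security = ADS")
    if g.get("passdb backend", "").lower().startswith("tdbsam"):
        findings.append("passdb backend = tdbsam is a standalone setting; an AD member gets accounts from the DC")
    for key in ("unix password sync", "passwd program", "passwd chat", "pam password change"):
        if key in g:
            findings.append(f"{key} is a local password-sync setting with no role on an AD member")
    realm = g.get("realm", "")
    if not realm:
        findings.append("realm is missing")
    elif realm != realm.upper():
        findings.append("realm must be the upper-case Kerberos realm")
    if not any(k.startswith("idmap config") for k in g):
        findings.append("no idmap config entries; AD SIDs cannot be mapped to Unix IDs")
    if "dedicated keytab file" in g and "kerberos method" not in g:
        findings.append("dedicated keytab file set but kerberos method left at default, so the keytab is not used")
    return findings
```

Run it against `/etc/samba/smb.conf` before `net ads join`; an empty list means none of the standalone leftovers from the post are present.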