[Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...

L.P.H. van Belle belle at bazuin.nl
Tue Nov 17 16:19:50 UTC 2015


You're using a Samba 3 config on Samba 4.

Change your config based on:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member


Regards,

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Schuyler Bishop
> Sent: Tuesday 17 November 2015 17:11
> To: samba at lists.samba.org
> Subject: [Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems
> successful with caveats, testjoin reports no logon servers...
> 
> Greetings,
> 
> Long-time but very occasional samba user here with a new challenge (well
> for me at least).
> 
> The basics are that on the domain join, the computer account gets created
> but throws the dns error which based on my searching seems non-fatal.
>  wbinfo -t gives me a succeeded, wbinfo -a klm.com\\me --ntlmv2 works fine
> but yet the net ads testjoin fails.  Logs on the domain controller show "A
> Kerberos authentication ticket (TGT) was requested." with an Audit Success
> after I run the testjoin that fails.
> 
> The AD guys tell me that hij.klm.com is the subdomain that the computer
> account exists in (hence the createcomputer string in the join) and user
> accounts exist in klm.com including my account that I was using to do the
> join (me at klm.com).
> 
> I did a tcpdump on the testjoin and pulled it into wireshark and I see it
> contacting (amongst other things) all of the AD servers in both domains on
> 88/UDP and getting replies so it doesn't smell like a firewall issue.
> 
> Thanks in advance for any help.
> 
> Here's the edited and redacted output from the join (the computer account
> already existed as you can see):
> 
> # net ads join createcomputer="OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com" -U me at klm.com -d 1
> Enter me at KLM.COM's password:
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         in: struct libnet_JoinCtx
>             dc_name                  : NULL
>             machine_name             : 'this'
>             domain_name              : *
>                 domain_name              : 'HIJ.KLM.COM'
>             account_ou               :
> 'OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
>             admin_account            : 'me at KLM.COM'
>             machine_password         : NULL
>             join_flags               : 0x00000023 (35)
>                    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>                    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>                    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>                    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>                    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>                    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>                         something = something-else
>                    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>                    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>                    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>                    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>                    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>             os_version               : NULL
>             os_name                  : NULL
>             create_upn               : 0x00 (0)
>             upn                      : NULL
>             modify_config            : 0x00 (0)
>             ads                      : NULL
>             debug                    : 0x01 (1)
>             use_kerberos             : 0x00 (0)
>             secure_channel_type      : SEC_CHAN_WKSTA (2)
> The machine account already exists in the specified OU.
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'HIJ'
>             dns_domain_name          : 'hij.klm.com'
>             forest_name              : 'klm.com'
>             dn                       :
> 'CN=THIS,OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
>             domain_sid               : *
>                 domain_sid               : *REDACTED*
>             modified_config          : 0x00 (0)
>             error_string             : NULL
>             domain_is_ad             : 0x01 (1)
>             result                   : WERR_OK
> Using short domain name -- HIJ
> Joined 'THIS' to dns domain 'hij.klm.com'
> kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC
> for requested realm
> DNS update failed: kinit failed: Cannot contact any KDC for requested
> realm
> 
> And here's the output from my testjoin:
> 
> # net ads testjoin -d 3
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> Processing section "[global]"
> added interface eth0 ip=x.x.x.x bcast=x.x.x.y netmask=255.255.255.0
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> get_dc_list: preferred server list: ", *"
> Successfully contacted LDAP server a.b.c.d
> get_dc_list: preferred server list: ", *"
> get_dc_list: preferred server list: ", *"
> get_dc_list: preferred server list: ", *"
> Successfully contacted LDAP server a.b.c.d
> get_dc_list: preferred server list: ", *"
> get_dc_list: preferred server list: ", *"
> resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM<0x20>
> resolve_wins: WINS server resolution selected and no WINS servers listed.
> resolve_hosts: Attempting host lookup for name AD1.HIJ.KLM.COM<0x20>
> Successfully contacted LDAP server a.b.c.d
> Connected to LDAP server ad1.hij.klm.com
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> ads_sasl_spnego_bind: got server principal name =
> not_defined_in_RFC4178 at please_ignore
> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
> kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC
> for requested realm
> ads_connect: Cannot contact any KDC for requested realm
> Join to domain is not valid: No logon servers
> return code = -1
> 
> My krb5.conf:
> 
> [libdefaults]
> ticket_lifetime = 24h
> default_realm = HIJ.KLM.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> 
> krb4_config = /etc/krb.conf
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
> 
> [realms]
> HIJ.KLM.COM = {
> kdc = ad1.hij.klm.com
> kdc = ad2.hij.klm.com
> admin_server = ad.hij.klm.com
> default_domain = hij.klm.com
> }
> 
> [domain_realm]
> .xyz.hij.klm.com = HIJ.KLM.COM
> .hij.klm.com = HIJ.KLM.COM
> 
> [login]
> krb4_convert = true
> krb4_get_tickets = false
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
> 
> My smb.conf:
> 
> [global]
> 
>    workgroup = hij
>    netbios name = this
>    security = ADS
>    realm = HIJ.KLM.COM
>    server string = XYZ server (Samba, Ubuntu)
>    dns proxy = no
>    printcap name = /etc/printcap
>    load printers = no
>    log file = /var/log/samba/log.%m
>    log level = 1
>    max log size = 1000
>    dedicated keytab file = /etc/krb5.keytab
>    encrypt passwords = yes
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>    server role = standalone server
>    passdb backend = tdbsam
>    obey pam restrictions = yes
>    unix password sync = no
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>    pam password change = no
>    map to guest = bad user
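As an added illustration (not code from this thread or from the Samba project), a short Python check that reads a [global] section like the one quoted above, flags the Samba 3-era settings that contradict an AD domain member (a standalone server role next to security = ADS, and no idmap config), and builds a minimal member-server [global] of my own. The parameter names are standard smb.conf parameters; the sample config and the idmap ranges are constructed placeholders.

```python
# Added example, not code from this thread or from Samba: lint the quoted
# [global] for Samba 3-style settings that contradict an AD member role.

SAMPLE_SMB_CONF = """\
[global]
   workgroup = hij
   security = ADS
   realm = HIJ.KLM.COM
   server role = standalone server
   passdb backend = tdbsam
"""  # constructed from the smb.conf quoted in the question

def parse_global(text):
    """Return the [global] section as {lowercased key: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params

def lint_ad_member(params):
    """Findings for a config that is meant to be an AD domain member."""
    findings = []
    if params.get("security", "").lower() != "ads":
        findings.append("security must be ADS for an AD domain member")
    role = params.get("server role", "").lower()
    if role and role != "member server":
        findings.append(f"server role = {role} contradicts security = ADS")
    if not any(k.startswith("idmap config") for k in params):
        findings.append("no idmap config ranges set for winbind")
    return findings

def member_global(realm, workgroup):
    """Minimal AD-member [global] (my layout; idmap ranges are placeholders)."""
    wg = workgroup.upper()
    settings = [
        f"workgroup = {wg}", f"realm = {realm.upper()}", "security = ADS",
        "server role = member server", "kerberos method = secrets and keytab",
        "winbind use default domain = yes", "idmap config * : backend = tdb",
        "idmap config * : range = 3000-7999", f"idmap config {wg} : backend = rid",
        f"idmap config {wg} : range = 10000-999999",
    ]
    return "[global]\n" + "".join(f"   {s}\n" for s in settings)
```

Running the lint over the generated block returns no findings, which is the quick sanity check to repeat against the real /etc/samba/smb.conf after editing it.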