[Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...

Schuyler Bishop schuyler.bishop at gmail.com
Tue Nov 17 16:38:52 UTC 2015


Hi Louis,

Thanks for the reply.  Upon checking the URL you sent, I'm not finding
which stanzas you're referring to as being samba3 - my smb.conf looks
remarkably similar to the sample I see there.  Could you perhaps be more
specific?

Thanks,

--Schuyler

On Tue, Nov 17, 2015 at 11:23 AM L.P.H. van Belle <belle at bazuin.nl> wrote:

> You're using a samba3 config on a samba 4.
>
> Change your config based on:
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
>
> Regards,
>
> Louis
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Schuyler Bishop
> > Sent: Tuesday 17 November 2015 17:11
> > To: samba at lists.samba.org
> > Subject: [Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems
> > successful with caveats, testjoin reports no logon servers...
> >
> > Greetings,
> >
> > Long-time but very occasional samba user here with a new challenge (well
> > for me at least).
> >
> > The basics are that on the domain join, the computer account gets created
> > but throws the dns error which based on my searching seems non-fatal.
> > wbinfo -t gives me a succeeded, wbinfo -a klm.com\\me --ntlmv2 works fine
> > but yet the net ads testjoin fails.  Logs on the domain controller show "A
> > Kerberos authentication ticket (TGT) was requested." with an Audit Success
> > after I run the testjoin that fails.
> >
> > The AD guys tell me that hij.klm.com is the subdomain that the computer
> > account exists in (hence the createcomputer string in the join) and user
> > accounts exist in klm.com including my account that I was using to do the
> > join (me at klm.com).
> >
> > I did a tcpdump on the testjoin and pulled it into wireshark and I see it
> > contacting (amongst other things) all of the AD servers in both domains on
> > 88/UDP and getting replies so it doesn't smell like a firewall issue.
> >
> > Thanks in advance for any help.
> >
> > Here's the edited and redacted output from the join (the computer account
> > already existed as you can see):
> >
> > # net ads join createcomputer="OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com" -U me at klm.com -d 1
> > Enter me at KLM.COM's password:
> > libnet_Join:
> >     libnet_JoinCtx: struct libnet_JoinCtx
> >         in: struct libnet_JoinCtx
> >             dc_name                  : NULL
> >             machine_name             : 'this'
> >             domain_name              : *
> >                 domain_name              : 'HIJ.KLM.COM'
> >             account_ou               :
> > 'OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
> >             admin_account            : 'me at KLM.COM'
> >             machine_password         : NULL
> >             join_flags               : 0x00000023 (35)
> >                    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
> >                    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> >                    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> >                    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> >                    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> >                    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> >                         something = something-else
> >                    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> >                    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> >                    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> >                    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> >                    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> >             os_version               : NULL
> >             os_name                  : NULL
> >             create_upn               : 0x00 (0)
> >             upn                      : NULL
> >             modify_config            : 0x00 (0)
> >             ads                      : NULL
> >             debug                    : 0x01 (1)
> >             use_kerberos             : 0x00 (0)
> >             secure_channel_type      : SEC_CHAN_WKSTA (2)
> > The machine account already exists in the specified OU.
> > libnet_Join:
> >     libnet_JoinCtx: struct libnet_JoinCtx
> >         out: struct libnet_JoinCtx
> >             account_name             : NULL
> >             netbios_domain_name      : 'HIJ'
> >             dns_domain_name          : 'hij.klm.com'
> >             forest_name              : 'klm.com'
> >             dn                       :
> > 'CN=THIS,OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
> >             domain_sid               : *
> >                 domain_sid               : *REDACTED*
> >             modified_config          : 0x00 (0)
> >             error_string             : NULL
> >             domain_is_ad             : 0x01 (1)
> >             result                   : WERR_OK
> > Using short domain name -- HIJ
> > Joined 'THIS' to dns domain 'hij.klm.com'
> > kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC
> > for requested realm
> > DNS update failed: kinit failed: Cannot contact any KDC for requested
> > realm
> >
> > And here's the output from my testjoin:
> >
> > # net ads testjoin -d 3
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > params.c:pm_process() - Processing configuration file
> > "/etc/samba/smb.conf"
> > Processing section "[global]"
> > added interface eth0 ip=x.x.x.x bcast=x.x.x.y netmask=255.255.255.0
> > Registered MSG_REQ_POOL_USAGE
> > Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> > get_dc_list: preferred server list: ", *"
> > Successfully contacted LDAP server a.b.c.d
> > get_dc_list: preferred server list: ", *"
> > get_dc_list: preferred server list: ", *"
> > get_dc_list: preferred server list: ", *"
> > Successfully contacted LDAP server a.b.c.d
> > get_dc_list: preferred server list: ", *"
> > get_dc_list: preferred server list: ", *"
> > resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM<0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM<0x20>
> > resolve_wins: WINS server resolution selected and no WINS servers listed.
> > resolve_hosts: Attempting host lookup for name AD1.HIJ.KLM.COM<0x20>
> > Successfully contacted LDAP server a.b.c.d
> > Connected to LDAP server ad1.hij.klm.com
> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> > ads_sasl_spnego_bind: got server principal name =
> > not_defined_in_RFC4178 at please_ignore
> > ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
> > kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC
> > for requested realm
> > ads_connect: Cannot contact any KDC for requested realm
> > Join to domain is not valid: No logon servers
> > return code = -1
> >
> > My krb5.conf:
> >
> > [libdefaults]
> > ticket_lifetime = 24h
> > default_realm = HIJ.KLM.COM
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> >
> > krb4_config = /etc/krb.conf
> > kdc_timesync = 1
> > ccache_type = 4
> > forwardable = true
> > proxiable = true
> > v4_instance_resolve = false
> > v4_name_convert = {
> > host = {
> > rcmd = host
> > ftp = ftp
> > }
> > plain = {
> > something = something-else
> > }
> > }
> > fcc-mit-ticketflags = true
> >
> > [realms]
> > HIJ.KLM.COM = {
> > kdc = ad1.hij.klm.com
> > kdc = ad2.hij.klm.com
> > admin_server = ad.hij.klm.com
> > default_domain = hij.klm.com
> > }
> >
> > [domain_realm]
> > .xyz.hij.klm.com = HIJ.KLM.COM
> > .hij.klm.com = HIJ.KLM.COM
> >
> > [login]
> > krb4_convert = true
> > krb4_get_tickets = false
> > [logging]
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmin.log
> > default = FILE:/var/log/krb5lib.log
> >
> > My smb.conf:
> >
> > [global]
> >
> >    workgroup = hij
> >    netbios name = this
> >    security = ADS
> >    realm = HIJ.KLM.COM
> >    server string = XYZ server (Samba, Ubuntu)
> >    dns proxy = no
> >    printcap name = /etc/printcap
> >    load printers = no
> >    log file = /var/log/samba/log.%m
> >    log level = 1
> >    max log size = 1000
> >    dedicated keytab file = /etc/krb5.keytab
> >    encrypt passwords = yes
> >    syslog = 0
> >    panic action = /usr/share/samba/panic-action %d
> >    server role = standalone server
> >    passdb backend = tdbsam
> >    obey pam restrictions = yes
> >    unix password sync = no
> >    passwd program = /usr/bin/passwd %u
> >    passwd chat = *Enter\snew\s*\spassword:* %n\n
> > *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >    pam password change = no
> >    map to guest = bad user
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
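As an added example (not code from the thread or from the Samba project), here is a small consistency check that reads the smb.conf and krb5.conf posted above and flags the combinations that stop an AD member join or testjoin before any KDC is reached: an explicit `server role = standalone server` next to `security = ADS`, a `realm` that differs from krb5's `default_realm`, and `dns_lookup_kdc = false` with no `kdc` entry for the realm. The parsers and function names are my own; the two samples are constructed excerpts of the files in the post.

```python
SMB_CONF = """[global]
   security = ADS
   realm = HIJ.KLM.COM
   server role = standalone server
"""  # constructed excerpt of the smb.conf posted in the thread
KRB5_CONF = """[libdefaults]
default_realm = HIJ.KLM.COM
dns_lookup_kdc = false
[realms]
HIJ.KLM.COM = {
kdc = ad1.hij.klm.com
}
"""  # constructed excerpt of the krb5.conf posted in the thread
def parse_smb_global(text):
    """smb.conf [global] as a dict; a repeated key keeps its last value, as Samba does."""
    params, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line and line[0] not in ";#":
            key, val = line.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return params

def parse_krb5(text):
    """krb5.conf reader; nested blocks flatten to dotted keys, e.g. realms['HIJ.KLM.COM.kdc']."""
    conf, section, stack = {}, None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            section, stack = conf.setdefault(line.strip("[]"), {}), []
        elif line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(line.split("=")[0].strip())
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            section.setdefault(".".join(stack + [key]), []).append(val)
    return conf
def check_member_config(smb_text, krb5_text):
    """Findings that break an AD member join or testjoin before any KDC is reached."""
    smb, krb = parse_smb_global(smb_text), parse_krb5(krb5_text)
    lib, realms, findings = krb.get("libdefaults", {}), krb.get("realms", {}), []
    realm, role = smb.get("realm", "").upper(), smb.get("server role", "auto").lower()
    if smb.get("security", "").upper() == "ADS" and role not in ("auto", "member server"):
        findings.append("server role '%s' conflicts with security = ADS" % role)
    if realm != lib.get("default_realm", [""])[-1].upper():
        findings.append("smb.conf realm %s differs from krb5.conf default_realm" % realm)
    if lib.get("dns_lookup_kdc", ["true"])[-1].lower() == "false" and not realms.get(realm + ".kdc"):
        findings.append("dns_lookup_kdc = false but no kdc listed for realm %s" % realm)
    return findings
```

Run against the posted files it reports only the role conflict; swapping in `server role = member server` clears it, which is the direction the wiki page Louis linked takes.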

