[Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...
Rowland Penny
rowlandpenny241155 at gmail.com
Tue Nov 17 17:00:31 UTC 2015
On 17/11/15 16:38, Schuyler Bishop wrote:
> Hi Louis,
>
> Thanks for the reply. Upon checking the URL you sent, I'm not finding
> which stanzas you're referring to as being samba3 - my smb.conf looks
> remarkably similar to the sample I see there. Could you perhaps be more
> specific?
>
> Thanks,
>
> --Schuyler
>
> On Tue, Nov 17, 2015 at 11:23 AM L.P.H. van Belle <belle at bazuin.nl> wrote:
>
>> Your using a samba3 config on a samba 4.
>>
>> Change your config base on :
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>
>>
>> Gr,
>>
>> Louis
>>
>>
>>
>>> -----Oorspronkelijk bericht-----
>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Schuyler Bishop
>>> Verzonden: dinsdag 17 november 2015 17:11
>>> Aan: samba at lists.samba.org
>>> Onderwerp: [Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems
>>> successful with caveats, testjoin reports no logon servers...
>>>
>>> Greetings,
>>>
>>> Long-time but very occasional samba user here with a new challenge (well
>>> for me at least).
>>>
>>> The basics are that on the domain join, the computer account gets created
>>> but throws the dns error which based on my searching seems non-fatal.
>>> wbinfo -t gives me a succeeded, wbinfo -a klm.com\\me --ntlmv2 works
>> fine
>>> but yet the net ads testjoin fails. Logs on the domain controller show
>> "A
>>> Kerberos authentication ticket (TGT) was requested." with an Audit
>> Success
>>> after I run the testjoin that fails.
>>>
>>> The AD guys tell me that hij.klm.com is the subdomain that the computer
>>> account exists in (hence the createcomputer string in the join) and user
>>> accounts exist in klm.com including my account that I was using to do
>> the
>>> join (me at klm.com).
>>>
>>> I did a tcpdump on the testjoin and pulled it into wireshark and I see it
>>> contacting (amongst other things) all of the AD servers in both domains
>> on
>>> 88/UDP and getting replies so it doesn't smell like a firewall issue.
>>>
>>> Thanks in advance for any help.
>>>
>>> Here's the edited and redacted output from the join (the computer account
>>> already existed as you can see):
>>>
>>> # net ads join
>>> createcomputer="OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com"
>> -
>>> U
>>> me at klm.com -d 1
>>> Enter me at KLM.COM's password:
>>> libnet_Join:
>>> libnet_JoinCtx: struct libnet_JoinCtx
>>> in: struct libnet_JoinCtx
>>> dc_name : NULL
>>> machine_name : 'this'
>>> domain_name : *
>>> domain_name : 'HIJ.KLM.COM'
>>> account_ou :
>>> 'OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
>>> admin_account : 'me at KLM.COM'
>>> machine_password : NULL
>>> join_flags : 0x00000023 (35)
>>> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>>> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>>> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>>> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>>> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>>> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>>> something = something-else
>>> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>>> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>>> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>>> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>>> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>>> os_version : NULL
>>> os_name : NULL
>>> create_upn : 0x00 (0)
>>> upn : NULL
>>> modify_config : 0x00 (0)
>>> ads : NULL
>>> debug : 0x01 (1)
>>> use_kerberos : 0x00 (0)
>>> secure_channel_type : SEC_CHAN_WKSTA (2)
>>> The machine account already exists in the specified OU.
>>> libnet_Join:
>>> libnet_JoinCtx: struct libnet_JoinCtx
>>> out: struct libnet_JoinCtx
>>> account_name : NULL
>>> netbios_domain_name : 'HIJ'
>>> dns_domain_name : 'hij.klm.com'
>>> forest_name : 'klm.com'
>>> dn :
>>> 'CN=THIS,OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
>>> domain_sid : *
>>> domain_sid : *REDACTED*
>>> modified_config : 0x00 (0)
>>> error_string : NULL
>>> domain_is_ad : 0x01 (1)
>>> result : WERR_OK
>>> Using short domain name -- HIJ
>>> Joined 'THIS' to dns domain 'hij.klm.com'
>>> kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC
>>> for requested realm
>>> DNS update failed: kinit failed: Cannot contact any KDC for requested
>>> realm
>>>
>>> And here's the output from my testjoin:
>>>
>>> # net ads testjoin -d 3
>>> lp_load_ex: refreshing parameters
>>> Initialising global parameters
>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>> params.c:pm_process() - Processing configuration file
>>> "/etc/samba/smb.conf"
>>> Processing section "[global]"
>>> added interface eth0 ip=x.x.x.x bcast=x.x.x.y netmask=255.255.255.0
>>> Registered MSG_REQ_POOL_USAGE
>>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>>> get_dc_list: preferred server list: ", *"
>>> Successfully contacted LDAP server a.b.c.d
>>> get_dc_list: preferred server list: ", *"
>>> get_dc_list: preferred server list: ", *"
>>> get_dc_list: preferred server list: ", *"
>>> Successfully contacted LDAP server a.b.c.d
>>> get_dc_list: preferred server list: ", *"
>>> get_dc_list: preferred server list: ", *"
>>> resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM
>> <0x20>
>>> resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM
>> <0x20>
>>> resolve_wins: WINS server resolution selected and no WINS servers listed.
>>> resolve_hosts: Attempting host lookup for name AD1.HIJ.KLM.COM<0x20>
>>> Successfully contacted LDAP server a.b.c.d
>>> Connected to LDAP server ad1.hij.klm.com
>>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
>>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
>>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>>> ads_sasl_spnego_bind: got server principal name =
>>> not_defined_in_RFC4178 at please_ignore
>>> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
>>> kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC
>>> for requested realm
>>> ads_connect: Cannot contact any KDC for requested realm
>>> Join to domain is not valid: No logon servers
>>> return code = -1
>>>
>>> My krb5.conf:
>>>
>>> [libdefaults]
>>> ticket_lifetime = 24h
>>> default_realm = HIJ.KLM.COM
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = false
>>>
>>> krb4_config = /etc/krb.conf
>>> kdc_timesync = 1
>>> ccache_type = 4
>>> forwardable = true
>>> proxiable = true
>>> v4_instance_resolve = false
>>> v4_name_convert = {
>>> host = {
>>> rcmd = host
>>> ftp = ftp
>>> }
>>> plain = {
>>> something = something-else
>>> }
>>> }
>>> fcc-mit-ticketflags = true
>>>
>>> [realms]
>>> HIJ.KLM.COM = {
>>> kdc = ad1.hij.klm.com
>>> kdc = ad2.hij.klm.com
>>> admin_server = ad.hij.klm.com
>>> default_domain = hij.klm.com
>>> }
>>>
>>> [domain_realm]
>>> .xyz.hij.klm.com = HIJ.KLM.COM
>>> .hij.klm.com = HIJ.KLM.COM
>>>
>>> [login]
>>> krb4_convert = true
>>> krb4_get_tickets = false
>>> [logging]
>>> kdc = FILE:/var/log/krb5kdc.log
>>> admin_server = FILE:/var/log/kadmin.log
>>> default = FILE:/var/log/krb5lib.log
>>>
>>> My smb.conf:
>>>
>>> [global]
>>>
>>> workgroup = hij
>>> netbios name = this
>>> security = ADS
>>> realm = HIJ.KLM.COM
>>> server string = XYZ server (Samba, Ubuntu)
>>> dns proxy = no
>>> printcap name = /etc/printcap
>>> load printers = no
>>> log file = /var/log/samba/log.%m
>>> log level = 1
>>> max log size = 1000
>>> dedicated keytab file = /etc/krb5.keytab
>>> encrypt passwords = yes
>>> syslog = 0
>>> panic action = /usr/share/samba/panic-action %d
>>> server role = standalone server
>>> passdb backend = tdbsam
>>> obey pam restrictions = yes
>>> unix password sync = no
>>> passwd program = /usr/bin/passwd %u
>>> passwd chat = *Enter\snew\s*\spassword:* %n\n
>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>> pam password change = no
>>> map to guest = bad user
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
Two things jump out from your smb.conf:
security = ADS
server role = standalone server
Well, which is it?
Is it a domain member getting its authentication and users & groups from
AD, or is it a standalone server that stores its users & groups in a
file on the server?
If it is a domain member, then follow the link Louis provided and remove
all the un-required lines from your smb.conf.
Rowland
More information about the samba
mailing list