[Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...

Rowland Penny rowlandpenny241155 at gmail.com
Tue Nov 17 17:00:31 UTC 2015


On 17/11/15 16:38, Schuyler Bishop wrote:
> Hi Louis,
>
> Thanks for the reply.  Upon checking the URL you sent, I'm not finding
> which stanzas you're referring to as being samba3 - my smb.conf looks
> remarkably similar to the sample I see there.  Could you perhaps be more
> specific?
>
> Thanks,
>
> --Schuyler
>
> On Tue, Nov 17, 2015 at 11:23 AM L.P.H. van Belle <belle at bazuin.nl> wrote:
>
>> You're using a samba3 config on a samba 4.
>>
>> Change your config based on:
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>
>>
>> Gr,
>>
>> Louis
>>
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Schuyler Bishop
>>> Sent: Tuesday 17 November 2015 17:11
>>> To: samba at lists.samba.org
>>> Subject: [Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems
>>> successful with caveats, testjoin reports no logon servers...
>>>
>>> Greetings,
>>>
>>> Long-time but very occasional samba user here with a new challenge (well
>>> for me at least).
>>>
>>> The basics are that on the domain join, the computer account gets created
>>> but throws the dns error which based on my searching seems non-fatal.
>>> wbinfo -t gives me a succeeded, wbinfo -a klm.com\\me --ntlmv2 works fine
>>> but yet the net ads testjoin fails.  Logs on the domain controller show "A
>>> Kerberos authentication ticket (TGT) was requested." with an Audit Success
>>> after I run the testjoin that fails.
>>>
>>> The AD guys tell me that hij.klm.com is the subdomain that the computer
>>> account exists in (hence the createcomputer string in the join) and user
>>> accounts exist in klm.com including my account that I was using to do the
>>> join (me at klm.com).
>>>
>>> I did a tcpdump on the testjoin and pulled it into wireshark and I see it
>>> contacting (amongst other things) all of the AD servers in both domains on
>>> 88/UDP and getting replies so it doesn't smell like a firewall issue.
>>>
>>> Thanks in advance for any help.
>>>
>>> Here's the edited and redacted output from the join (the computer account
>>> already existed as you can see):
>>>
>>> # net ads join createcomputer="OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com" -U me at klm.com -d 1
>>> Enter me at KLM.COM's password:
>>> libnet_Join:
>>>      libnet_JoinCtx: struct libnet_JoinCtx
>>>          in: struct libnet_JoinCtx
>>>              dc_name                  : NULL
>>>              machine_name             : 'this'
>>>              domain_name              : *
>>>                  domain_name              : 'HIJ.KLM.COM'
>>>              account_ou               :
>>> 'OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
>>>              admin_account            : 'me at KLM.COM'
>>>              machine_password         : NULL
>>>              join_flags               : 0x00000023 (35)
>>>                     0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>>>                     0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>>>                     0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>>>                     0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>>>                     0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>>>                     0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>>>                          something = something-else
>>>                     1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>>>                     0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>>>                     0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>>>                     1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>>>                     1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>>>              os_version               : NULL
>>>              os_name                  : NULL
>>>              create_upn               : 0x00 (0)
>>>              upn                      : NULL
>>>              modify_config            : 0x00 (0)
>>>              ads                      : NULL
>>>              debug                    : 0x01 (1)
>>>              use_kerberos             : 0x00 (0)
>>>              secure_channel_type      : SEC_CHAN_WKSTA (2)
>>> The machine account already exists in the specified OU.
>>> libnet_Join:
>>>      libnet_JoinCtx: struct libnet_JoinCtx
>>>          out: struct libnet_JoinCtx
>>>              account_name             : NULL
>>>              netbios_domain_name      : 'HIJ'
>>>              dns_domain_name          : 'hij.klm.com'
>>>              forest_name              : 'klm.com'
>>>              dn                       :
>>> 'CN=THIS,OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
>>>              domain_sid               : *
>>>                  domain_sid               : *REDACTED*
>>>              modified_config          : 0x00 (0)
>>>              error_string             : NULL
>>>              domain_is_ad             : 0x01 (1)
>>>              result                   : WERR_OK
>>> Using short domain name -- HIJ
>>> Joined 'THIS' to dns domain 'hij.klm.com'
>>> kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC
>>> for requested realm
>>> DNS update failed: kinit failed: Cannot contact any KDC for requested
>>> realm
>>>
>>> And here's the output from my testjoin:
>>>
>>> # net ads testjoin -d 3
>>> lp_load_ex: refreshing parameters
>>> Initialising global parameters
>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>> params.c:pm_process() - Processing configuration file
>>> "/etc/samba/smb.conf"
>>> Processing section "[global]"
>>> added interface eth0 ip=x.x.x.x bcast=x.x.x.y netmask=255.255.255.0
>>> Registered MSG_REQ_POOL_USAGE
>>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>>> get_dc_list: preferred server list: ", *"
>>> Successfully contacted LDAP server a.b.c.d
>>> get_dc_list: preferred server list: ", *"
>>> get_dc_list: preferred server list: ", *"
>>> get_dc_list: preferred server list: ", *"
>>> Successfully contacted LDAP server a.b.c.d
>>> get_dc_list: preferred server list: ", *"
>>> get_dc_list: preferred server list: ", *"
>>> resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM<0x20>
>>> resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM<0x20>
>>> resolve_wins: WINS server resolution selected and no WINS servers listed.
>>> resolve_hosts: Attempting host lookup for name AD1.HIJ.KLM.COM<0x20>
>>> Successfully contacted LDAP server a.b.c.d
>>> Connected to LDAP server ad1.hij.klm.com
>>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
>>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
>>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>>> ads_sasl_spnego_bind: got server principal name =
>>> not_defined_in_RFC4178 at please_ignore
>>> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
>>> kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC
>>> for requested realm
>>> ads_connect: Cannot contact any KDC for requested realm
>>> Join to domain is not valid: No logon servers
>>> return code = -1
>>>
>>> My krb5.conf:
>>>
>>> [libdefaults]
>>> ticket_lifetime = 24h
>>> default_realm = HIJ.KLM.COM
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = false
>>>
>>> krb4_config = /etc/krb.conf
>>> kdc_timesync = 1
>>> ccache_type = 4
>>> forwardable = true
>>> proxiable = true
>>> v4_instance_resolve = false
>>> v4_name_convert = {
>>> host = {
>>> rcmd = host
>>> ftp = ftp
>>> }
>>> plain = {
>>> something = something-else
>>> }
>>> }
>>> fcc-mit-ticketflags = true
>>>
>>> [realms]
>>> HIJ.KLM.COM = {
>>> kdc = ad1.hij.klm.com
>>> kdc = ad2.hij.klm.com
>>> admin_server = ad.hij.klm.com
>>> default_domain = hij.klm.com
>>> }
>>>
>>> [domain_realm]
>>> .xyz.hij.klm.com = HIJ.KLM.COM
>>> .hij.klm.com = HIJ.KLM.COM
>>>
>>> [login]
>>> krb4_convert = true
>>> krb4_get_tickets = false
>>> [logging]
>>> kdc = FILE:/var/log/krb5kdc.log
>>> admin_server = FILE:/var/log/kadmin.log
>>> default = FILE:/var/log/krb5lib.log
>>>
>>> My smb.conf:
>>>
>>> [global]
>>>
>>>     workgroup = hij
>>>     netbios name = this
>>>     security = ADS
>>>     realm = HIJ.KLM.COM
>>>     server string = XYZ server (Samba, Ubuntu)
>>>     dns proxy = no
>>>     printcap name = /etc/printcap
>>>     load printers = no
>>>     log file = /var/log/samba/log.%m
>>>     log level = 1
>>>     max log size = 1000
>>>     dedicated keytab file = /etc/krb5.keytab
>>>     encrypt passwords = yes
>>>     syslog = 0
>>>     panic action = /usr/share/samba/panic-action %d
>>>     server role = standalone server
>>>     passdb backend = tdbsam
>>>     obey pam restrictions = yes
>>>     unix password sync = no
>>>     passwd program = /usr/bin/passwd %u
>>>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>     pam password change = no
>>>     map to guest = bad user
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>

Two things jump out from your smb.conf:

security = ADS

server role = standalone server

Well, which is it?
Is it a domain member getting its authentication and users & groups from 
AD, or is it a standalone server that stores its users & groups in a 
file on the server?

If it is a domain member, then follow the link Louis provided and remove 
all the un-required lines from your smb.conf.

Rowland
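Rowland's point (two lines that describe two different kinds of server) can be turned into a mechanical check. What follows is an added example, not code from this thread or from the Samba project: a small Python audit of an smb.conf [global] section that flags `security = ads` paired with a `server role` other than a member server, and lists standalone/NT4-era settings (passdb backend, passwd program, passwd chat, unix password sync, pam password change, encrypt passwords) that an AD member does not need. The sample configuration is constructed from the lines quoted above and is not the poster's complete file; the finding codes are this example's own. On a real host, `testparm -s` shows the values Samba actually settles on, which is the authoritative answer to "which is it?".

```python
import configparser

# Constructed sample built from the lines quoted in the thread; it is not the
# poster's complete smb.conf.
SAMPLE_SMB_CONF = """
[global]
    workgroup = hij
    netbios name = this
    security = ADS
    realm = HIJ.KLM.COM
    dedicated keytab file = /etc/krb5.keytab
    encrypt passwords = yes
    server role = standalone server
    passdb backend = tdbsam
    unix password sync = no
    passwd program = /usr/bin/passwd %u
    map to guest = bad user
"""

# server role values that are consistent with security = ads
AD_MEMBER_ROLES = {"auto", "member", "member server"}

# Settings that only matter for a standalone / NT4-style server (or are
# defaults); on an AD member they are leftovers to review, not errors.
STANDALONE_LEFTOVERS = (
    "passdb backend",
    "passwd program",
    "passwd chat",
    "unix password sync",
    "pam password change",
    "encrypt passwords",
)


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Lines are stripped first so configparser never treats an indented option
    as a continuation line. Keys are normalised the way Samba compares them
    (case-insensitive, single spaces). With strict=False a key given twice
    keeps its last value, which is also what Samba does.
    """
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(flat)
    return {
        section: {key: (value or "").strip() for key, value in cp.items(section)}
        for section in cp.sections()
    }


def audit_global(global_section):
    """Return a list of (code, message) findings for one [global] section."""
    findings = []
    security = global_section.get("security", "").lower()
    role = " ".join(global_section.get("server role", "").lower().split())

    if security != "ads":
        # Only the AD-member case is audited here; a deliberate standalone
        # server with security = user is left alone.
        return findings

    if role and role not in AD_MEMBER_ROLES:
        findings.append((
            "ROLE_CONFLICT",
            f"security = ads asks for an AD member, but server role = {role!r} "
            "describes a different kind of server; keep only one of them",
        ))
    if not global_section.get("realm"):
        findings.append(("NO_REALM", "security = ads needs realm = <KERBEROS.REALM>"))
    for key in STANDALONE_LEFTOVERS:
        if key in global_section:
            findings.append((
                f"LEFTOVER:{key}",
                f"{key} = {global_section[key]} is a standalone/NT4-style or "
                "default setting that an AD member does not need",
            ))
    return findings


def audit_smb_conf(text):
    """Parse smb.conf text and audit its [global] section."""
    sections = parse_smb_conf(text)
    return audit_global(sections.get("global", {}))


if __name__ == "__main__":
    for code, message in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"{code}: {message}")
```

The audit deliberately says nothing when `security = user` is paired with `server role = standalone server`, because that combination is a consistent (if different) answer to Rowland's question; the finding is the mixture, not either setting on its own.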
