[Samba] Joining Samba4 to existing AD

Erick Ocrospoma zipper1790 at gmail.com
Wed Apr 12 15:17:38 UTC 2017


Hi Rowland, thanks for your reply.

I tried the command as suggested, and this is what I get:


[root at dc-02 ~]# samba-tool domain join EXAMPLE.COM DC -UAdministrator
 --realm=EXAMPLE.COM --dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'EXAMPLE.COM'
Found DC dc-01.example.com
Password for [WORKGROUP\Administrator]:
workgroup is EXAMPLE
realm is example.com
Adding CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
Adding
CN=LIM-INF1-DNS-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Join failed - cleaning up
Deleted CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
CN=Sites,CN=Configuration,DC=example,DC=com <0000208D: NameErr:
DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
        'CN=Sites,CN=Configuration,DC=example,DC=com'
> <>
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 652, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
1253, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
1151, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
593, in join_add_objects
    ctx.samdb.add(rec)



This is the content of /etc/hosts


[root at dc-02 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4
localhost4.localdomain4 dc-02.example.com dc-02
::1         localhost localhost.localdomain localhost6
localhost6.localdomain6
10.3.251.19     dc-01.example.com  dc-01


Also, I tried by enabling debug level 3


[root at dc-02 ~]# samba-tool domain join EXAMPLE.COM DC -UAdministrator
 --realm=EXAMPLE.COM --dns-backend=SAMBA_INTERNAL --debug 3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'EXAMPLE.COM'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.EXAMPLE.COM
<0x0>
Found DC dc-01.example.com
resolve_lmhosts: Attempting lmhosts lookup for name dc-01.example.com<0x20>
Password for [WORKGROUP\Administrator]:
Aquiring initiator credentials failed: kinit for Administrator at EXAMPLE.COM
failed (Wrong realm)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_UNSUCCESSFUL
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
workgroup is EXAMPLE
realm is example.com
Adding CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
Adding
CN=LIM-INF1-DNS-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine
account password for EXAMPLE from both secrets.ldb (Could not find entry to
match filter: '(&(flatname=EXAMPLE)(objectclass=primaryDomain))' base:
'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4575) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
CN=Sites,CN=Configuration,DC=example,DC=com <0000208D: NameErr:
DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
        'CN=Sites,CN=Configuration,DC=example,DC=com'
> <>
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 652, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
1253, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
1151, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
593, in join_add_objects
    ctx.samdb.add(rec)


I see some lines mentioning kinit auth, but I tried to get a new ticket and
it worked:


[root at dc-02 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at EXAMPLE.COM

Valid starting       Expires              Service principal
04/12/2017 11:39:06  04/12/2017 21:39:06  krbtgt/EXAMPLE.COM at EXAMPLE.COM
        renew until 04/13/2017 11:38:59



This machine does not get its IP from DHCP. Yes, it is managed by
NetworkManager, but the IP and DNS config are static values.


On 11 April 2017 at 12:38, Rowland Penny via samba <samba at lists.samba.org>
wrote:

> On Tue, 11 Apr 2017 12:15:43 -0500
> Erick Ocrospoma via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > I tried with the latest stable 4.5.x, but with no success.
> >
> > Do you think you could share your smb.conf ? and also how you built
> > from source?
> > I suspect there's something missing in the KRB5 for Samba (due to KDC
> > error messages).
> >
>
> Try it like this:
>
> samba-tool domain join EXAMPLE.COM DC -UAdministrator
> --realm=EXAMPLE.COM --dns-backend=SAMBA_INTERNAL
>
> If that doesn't work, can you post /etc/hosts, can you also explain why
> you are allowing Network-Manager to set /etc/resolv.conf, does the soon
> to be a DC get its IP from DHCP ??
>
> Does smb.conf already exist ? it shouldn't
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



-- 


Erick.


-------------------------------------------
IRC     :   zerick
Blog    : http://zerick.me
About :  http://about.me/zerick
Linux User ID :  549567
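Added example, not code from this thread or from Samba: a pre-join check script for a prospective DC covering two conditions the exchange above turns on, the new DC's own FQDN sitting on a loopback line in /etc/hosts (as in the file posted) and a krb5.conf default_realm that differs from the realm passed to samba-tool, which is worth ruling out when kinit reports "Wrong realm". The 10.3.251.20 address and both krb5.conf fragments are constructed; on a real host the inputs would be /etc/hosts and /etc/krb5.conf.

```shell
#!/bin/sh
# Added example (not code from the thread or from Samba): two pre-join checks
# for a prospective DC, covering conditions the thread touches on: the new
# DC's FQDN sitting on a loopback line in /etc/hosts, and a krb5.conf
# default_realm that does not match the realm passed to samba-tool (worth
# ruling out when kinit reports "Wrong realm", as in the debug output above).

# check_hosts FILE FQDN: 0 = FQDN maps only to routable addresses,
# 1 = FQDN maps to 127.x or ::1, 2 = FQDN is not listed at all.
check_hosts() {
    addrs=$(awk -v h="$2" '/^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == h) print $1 }' "$1")
    [ -n "$addrs" ] || return 2
    echo "$addrs" | grep -Eq '^(127\.|::1$)' && return 1
    return 0
}

# check_realm FILE REALM: 0 if default_realm equals REALM byte-for-byte
# (Kerberos realm names are case-sensitive), 1 otherwise.
check_realm() {
    got=$(awk -F= '$1 ~ /^[[:space:]]*default_realm[[:space:]]*$/ {
        gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1")
    [ "$got" = "$2" ]
}

# precheck HOSTS FQDN KRB5 REALM: prints a verdict per check, returns 0 only
# if both pass.
precheck() {
    rc=0
    check_hosts "$1" "$2" && echo "hosts: ok" || { rc=$?; echo "hosts: $2 on loopback or not listed (code $rc)"; }
    check_realm "$3" "$4" && echo "krb5: ok" || { rc=1; echo "krb5: default_realm is not $4"; }
    return $rc
}

# Constructed inputs: HOSTS_BAD mirrors the /etc/hosts posted above; HOSTS_OK is
# a corrected version (10.3.251.20 is an assumed address for dc-02); the krb5.conf
# fragments are assumed, not from the thread. Real paths: /etc/hosts, /etc/krb5.conf.
HOSTS_BAD=$(mktemp); HOSTS_OK=$(mktemp); KRB5_BAD=$(mktemp); KRB5_OK=$(mktemp)
trap 'rm -f "$HOSTS_BAD" "$HOSTS_OK" "$KRB5_BAD" "$KRB5_OK"' EXIT
cat >"$HOSTS_BAD" <<'EOF'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 dc-02.example.com dc-02
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.3.251.19     dc-01.example.com  dc-01
EOF
printf '127.0.0.1 localhost\n10.3.251.19 dc-01.example.com dc-01\n10.3.251.20 dc-02.example.com dc-02\n' >"$HOSTS_OK"
printf '[libdefaults]\n  default_realm = example.com\n' >"$KRB5_BAD"
printf '[libdefaults]\n  default_realm = EXAMPLE.COM\n' >"$KRB5_OK"
precheck "$HOSTS_BAD" dc-02.example.com "$KRB5_BAD" EXAMPLE.COM   # both checks fail
precheck "$HOSTS_OK" dc-02.example.com "$KRB5_OK" EXAMPLE.COM     # both pass
```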

