[Samba] Joining Samba4 to existing AD

Erick Ocrospoma zipper1790 at gmail.com
Wed Apr 12 15:23:37 UTC 2017


Oh, also, I was asking about the smb.conf because, while googling, I saw some
smb.conf files with entries for Kerberos which supposedly fixed/helped other
people.

Currently my /etc/samba/ is empty, so I think that is normal for a Samba
built from source.



On 12 April 2017 at 10:17, Erick Ocrospoma <zipper1790 at gmail.com> wrote:

> Hi Rowland, thanks for your reply.
>
> I tried the command as suggested, and this is what I get:
>
>
> [root@dc-02 ~]# samba-tool domain join EXAMPLE.COM DC -UAdministrator --realm=EXAMPLE.COM --dns-backend=SAMBA_INTERNAL
> Finding a writeable DC for domain 'EXAMPLE.COM'
> Found DC dc-01.example.com
> Password for [WORKGROUP\Administrator]:
> workgroup is EXAMPLE
> realm is example.com
> Adding CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
> Adding CN=LIM-INF1-DNS-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> Join failed - cleaning up
> Deleted CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
> ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
> CN=Sites,CN=Configuration,DC=example,DC=com <0000208D: NameErr:
> DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
>         'CN=Sites,CN=Configuration,DC=example,DC=com'
> > <>
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 652, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1253, in join_DC
>     ctx.do_join()
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1151, in do_join
>     ctx.join_add_objects()
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 593, in join_add_objects
>     ctx.samdb.add(rec)
>
>
>
> This is the content of /etc/hosts
>
>
> [root@dc-02 ~]# cat /etc/hosts
> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 dc-02.example.com dc-02
> ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
> 10.3.251.19     dc-01.example.com  dc-01
>
>
> Also, I tried with debug level 3 enabled:
>
>
> [root@dc-02 ~]# samba-tool domain join EXAMPLE.COM DC -UAdministrator --realm=EXAMPLE.COM --dns-backend=SAMBA_INTERNAL --debug 3
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Finding a writeable DC for domain 'EXAMPLE.COM'
> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.EXAMPLE.COM<0x0>
> Found DC dc-01.example.com
> resolve_lmhosts: Attempting lmhosts lookup for name dc-01.example.com<0x20>
> Password for [WORKGROUP\Administrator]:
> Aquiring initiator credentials failed: kinit for Administrator@EXAMPLE.COM failed (Wrong realm)
>
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_UNSUCCESSFUL
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> workgroup is EXAMPLE
> realm is example.com
> Adding CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
> Adding CN=LIM-INF1-DNS-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> Join failed - cleaning up
> ldb_wrap open of secrets.ldb
> Could not find machine account in secrets database: Failed to fetch
> machine account password for EXAMPLE from both secrets.ldb (Could not find
> entry to match filter: '(&(flatname=EXAMPLE)(objectclass=primaryDomain))'
> base: 'cn=Primary Domains': No such object: dsdb_search at
> ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb:
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> Deleted CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
> ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
> CN=Sites,CN=Configuration,DC=example,DC=com <0000208D: NameErr:
> DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
>         'CN=Sites,CN=Configuration,DC=example,DC=com'
> > <>
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 652, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1253, in join_DC
>     ctx.do_join()
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1151, in do_join
>     ctx.join_add_objects()
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 593, in join_add_objects
>     ctx.samdb.add(rec)
>
>
> I see some lines mentioning kinit auth, but I tried to get a new ticket
> and it worked:
>
>
> [root@dc-02 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator@EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 04/12/2017 11:39:06  04/12/2017 21:39:06  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>         renew until 04/13/2017 11:38:59
>
>
>
> This machine does not get its IP from DHCP, but yes, it is managed by
> Network Manager; the IP and DNS config are static values, though.
>
>
> On 11 April 2017 at 12:38, Rowland Penny via samba <samba at lists.samba.org>
> wrote:
>
>> On Tue, 11 Apr 2017 12:15:43 -0500
>> Erick Ocrospoma via samba <samba at lists.samba.org> wrote:
>>
>> > Hi,
>> >
>> > I tried with the latest stable 4.5.x, but with no success.
>> >
>> > Do you think you could share your smb.conf ? and also how you built
>> > from source?
>> > I suspect there's something missing in the KRB5 for Samba (due to KDC
>> > error messages).
>> >
>>
>> Try it like this:
>>
>> samba-tool domain join EXAMPLE.COM DC -UAdministrator
>> --realm=EXAMPLE.COM --dns-backend=SAMBA_INTERNAL
>>
>> If that doesn't work, can you post /etc/hosts? Can you also explain why
>> you are allowing Network-Manager to set /etc/resolv.conf? Does the
>> soon-to-be DC get its IP from DHCP?
>>
>> Does smb.conf already exist? It shouldn't.
>>
>> Rowland
>>
>>
>
>



-- 


Erick.


-------------------------------------------
IRC     :   zerick
Blog    : http://zerick.me
About :  http://about.me/zerick
Linux User ID :  549567
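Added example (not code from this thread or from the Samba project): a small POSIX sh script that performs, offline, the two checks Rowland asked about above (whether the host's own FQDN sits on a loopback line in /etc/hosts, as in the pasted file, and whether smb.conf already exists), adds a check that krb5.conf's default_realm matches the target realm, and greps a saved copy of the --debug output for the "kinit ... failed" line followed by NTLMSSP negotiation seen above, which means the join carried on authenticating with NTLM rather than Kerberos. File paths are arguments; the sample files it writes are constructed from the data pasted in the thread, except the krb5.conf, which is invented with a deliberately mismatched realm so that check fires.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project: offline
# sanity checks for a host about to run "samba-tool domain join ... DC", plus a
# triage helper for a saved copy of the --debug output.
# Assumptions: file paths are whatever you pass in; write_samples() creates
# constructed input modelled on the /etc/hosts and log lines in the thread
# (the krb5.conf content is invented, with a deliberately mismatched realm).

# hosts_fqdn_on_loopback HOSTS_FILE FQDN
# Exit 0 when FQDN sits on a 127.0.0.1 or ::1 line. A DC should resolve its own
# name to the address it serves on, not to loopback.
hosts_fqdn_on_loopback() {
    awk -v fqdn="$2" '
        /^[[:space:]]*#/ { next }
        $1 == "127.0.0.1" || $1 == "::1" {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(fqdn)) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# krb5_default_realm KRB5_CONF
# Print default_realm from [libdefaults] (empty when unset).
krb5_default_realm() {
    awk -F= '
        /^[[:space:]]*\[/ {
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s); section = s; next
        }
        section == "libdefaults" && $1 ~ /^[[:space:]]*default_realm[[:space:]]*$/ {
            v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit
        }
    ' "$1"
}

# auth_fell_back_to_ntlm DEBUG_LOG
# Exit 0 when the log shows kinit failing and the tool carrying on with NTLMSSP,
# i.e. the join authenticated over NTLM rather than Kerberos.
auth_fell_back_to_ntlm() {
    grep -q 'failed: kinit for .* failed' "$1" && grep -q 'NTLMSSP neg_flags' "$1"
}

# prejoin_check REALM FQDN HOSTS_FILE KRB5_CONF SMB_CONF
# Print one line per finding; exit 0 only when nothing was found.
prejoin_check() {
    realm="$1"; fqdn="$2"; hosts="$3"; krb5="$4"; smb="$5"; problems=0
    if hosts_fqdn_on_loopback "$hosts" "$fqdn"; then
        echo "FAIL: $fqdn is on a loopback line in $hosts"
        problems=$((problems + 1))
    fi
    dr=$(krb5_default_realm "$krb5")
    if [ "$dr" != "$realm" ]; then
        echo "FAIL: default_realm in $krb5 is '$dr', expected '$realm'"
        problems=$((problems + 1))
    fi
    if [ -e "$smb" ]; then
        echo "FAIL: $smb already exists; it should not exist before the join"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# write_samples DIR: constructed input, modelled on the thread's pasted data.
write_samples() {
    cat > "$1/hosts" <<'EOF'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 dc-02.example.com dc-02
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.3.251.19     dc-01.example.com  dc-01
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = example.com
    dns_lookup_kdc = true
EOF
    cat > "$1/debug.log" <<'EOF'
Password for [WORKGROUP\Administrator]:
Aquiring initiator credentials failed: kinit for Administrator@EXAMPLE.COM failed (Wrong realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_UNSUCCESSFUL
Got NTLMSSP neg_flags=0x62898235
EOF
}

# Stand-alone run: exercise the checks against the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
prejoin_check EXAMPLE.COM dc-02.example.com "$tmp/hosts" "$tmp/krb5.conf" "$tmp/smb.conf" || true
if auth_fell_back_to_ntlm "$tmp/debug.log"; then
    echo "WARN: Kerberos failed and the join continued over NTLMSSP"
fi
rm -rf "$tmp"
```

On a real host, call prejoin_check with the realm, the DC's FQDN and /etc/hosts, /etc/krb5.conf and /etc/samba/smb.conf, and auth_fell_back_to_ntlm with the saved --debug output. The debug log above shows samba-tool doing its own kinit with the prompted password, so a ticket already in the cache from a manual kinit does not tell you that this kinit will succeed; treat the "kinit ... failed" line as a finding in its own right, because the tool carries on over NTLMSSP and the Kerberos path is never exercised.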

