[Samba] Joining Samba4 to existing AD

L.P.H. van Belle belle at bazuin.nl
Wed Apr 12 15:28:39 UTC 2017


Correct, you need an smb.conf.

https://wiki.samba.org/index.php/User_Documentation

And please do correct your hosts file before you join.

>>  127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 dc-02.example.com dc-02 << NOT GOOD
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.3.251.19                    dc-01.example.com  dc-01  << CORRECT

Greetz,

Louis

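A small pre-join check for the /etc/hosts mistake Louis points out above (the future DC's own FQDN sitting on a loopback line). This is an added example, not code from the mail or from Samba; check_hosts() is this example's own name, the sample files are constructed from the lines quoted in the thread, and 10.3.251.20 is a placeholder for dc-02's real address, which the thread does not give.

```python
# Added example (not from the mail or from Samba): flag a hosts file in which
# the DC's own FQDN resolves to loopback, so Kerberos/LDAP lookups for the
# DC during the join would reach 127.0.0.1 instead of its real address.
import ipaddress
import socket
import sys

def parse_hosts(text):
    """Yield (ip_address, [names]) for each usable line of a hosts file."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            yield ipaddress.ip_address(fields[0]), fields[1:]
        except ValueError:
            continue  # first field is not an address; skip the malformed line

def check_hosts(text, fqdn):
    """Return findings for the host `fqdn`; an empty list means it looks sane."""
    short = fqdn.split(".", 1)[0]
    findings, real = [], False
    for ip, names in parse_hosts(text):
        mine = {fqdn, short} & set(names)
        if not mine:
            continue
        if ip.is_loopback:
            findings.append("%s maps %s to loopback" % (ip, ", ".join(sorted(mine))))
            continue
        real = True
        if names[0] != fqdn:  # the FQDN must be the canonical (first) name
            findings.append("%s: %s should be the first name" % (ip, fqdn))
    if not real:
        findings.append("no non-loopback entry for %s" % fqdn)
    return findings

# Constructed from the thread: dc-02's hosts file as posted (bad) and fixed (good).
BAD_HOSTS = """\
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 dc-02.example.com dc-02
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.3.251.19     dc-01.example.com  dc-01
"""
# 10.3.251.20 is a placeholder for dc-02's real address (not given in the thread).
GOOD_HOSTS = BAD_HOSTS.replace(" dc-02.example.com dc-02", "") + "10.3.251.20     dc-02.example.com  dc-02\n"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    with open("/etc/hosts") as fh:
        problems = check_hosts(fh.read(), host)
    print("\n".join(problems) or "%s: /etc/hosts looks fine" % host)
```

Run it on the machine about to be joined, passing the DC's FQDN if socket.getfqdn() does not return it.
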

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Erick Ocrospoma via samba
> Sent: Wednesday 12 April 2017 17:24
> To: Rowland Penny
> CC: Samba mailing list
> Subject: Re: [Samba] Joining Samba4 to existing AD
> 
> Oh, also, I was asking about the smb.conf because googling I saw some
> smb.conf with some entries for Kerberos which supposedly fixed/helped other
> people.
> 
> Currently my /etc/samba/ is empty, so I think it is normal from a Samba
> built from source.
> 
> On 12 April 2017 at 10:17, Erick Ocrospoma <zipper1790 at gmail.com> wrote:

> 
> > Hi Rowland, thanks for your reply.
> >
> > I tried the command as suggested, and this is what I get:
> >
> > [root at dc-02 ~]# samba-tool domain join EXAMPLE.COM DC -UAdministrator --realm=EXAMPLE.COM --dns-backend=SAMBA_INTERNAL
> > Finding a writeable DC for domain 'EXAMPLE.COM'
> > Found DC dc-01.example.com
> > Password for [WORKGROUP\Administrator]:
> > workgroup is EXAMPLE
> > realm is example.com
> > Adding CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
> > Adding CN=LIM-INF1-DNS-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> > Join failed - cleaning up
> > Deleted CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
> > ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - CN=Sites,CN=Configuration,DC=example,DC=com <0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
> >         'CN=Sites,CN=Configuration,DC=example,DC=com'
> > > <>
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 652, in run
> >     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1253, in join_DC
> >     ctx.do_join()
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1151, in do_join
> >     ctx.join_add_objects()
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 593, in join_add_objects
> >     ctx.samdb.add(rec)
> >

> > This is the content of /etc/hosts
> >
> > [root at dc-02 ~]# cat /etc/hosts
> > 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 dc-02.example.com dc-02
> > ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
> > 10.3.251.19     dc-01.example.com  dc-01
> >

> > Also, I tried by enabling debug level 3
> >
> > [root at dc-02 ~]# samba-tool domain join EXAMPLE.COM DC -UAdministrator --realm=EXAMPLE.COM --dns-backend=SAMBA_INTERNAL --debug 3
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Finding a writeable DC for domain 'EXAMPLE.COM'
> > resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.EXAMPLE.COM <0x0>
> > Found DC dc-01.example.com
> > resolve_lmhosts: Attempting lmhosts lookup for name dc-01.example.com <0x20>
> > Password for [WORKGROUP\Administrator]:
> > Aquiring initiator credentials failed: kinit for Administrator at EXAMPLE.COM failed (Wrong realm)
> >
> > SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_UNSUCCESSFUL
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x62898235
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > workgroup is EXAMPLE
> > realm is example.com
> > Adding CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
> > Adding CN=LIM-INF1-DNS-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> > Join failed - cleaning up
> > ldb_wrap open of secrets.ldb
> > Could not find machine account in secrets database: Failed to fetch machine account password for EXAMPLE from both secrets.ldb (Could not find entry to match filter: '(&(flatname=EXAMPLE)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> > Deleted CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
> > ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT - CN=Sites,CN=Configuration,DC=example,DC=com <0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
> >         'CN=Sites,CN=Configuration,DC=example,DC=com'
> > > <>
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 652, in run
> >     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1253, in join_DC
> >     ctx.do_join()
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1151, in do_join
> >     ctx.join_add_objects()
> >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 593, in join_add_objects
> >     ctx.samdb.add(rec)
> >

> > I see some lines mentioning kinit auth, but I tried to get a new ticket
> > and it worked
> >
> > [root at dc-02 ~]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: Administrator at EXAMPLE.COM
> >
> > Valid starting       Expires              Service principal
> > 04/12/2017 11:39:06  04/12/2017 21:39:06  krbtgt/EXAMPLE.COM at EXAMPLE.COM
> >         renew until 04/13/2017 11:38:59
> >
> > This machine does not get its IP from DHCP, but yes, it is managed by
> > Network Manager, but IP and DNS config are static values.
> >
> > On 11 April 2017 at 12:38, Rowland Penny via samba <samba at lists.samba.org> wrote:
> >

> >> On Tue, 11 Apr 2017 12:15:43 -0500
> >> Erick Ocrospoma via samba <samba at lists.samba.org> wrote:
> >>
> >> > Hi,
> >> >
> >> > I tried with the latest stable 4.5.x, but with no success.
> >> >
> >> > Do you think you could share your smb.conf? And also how you built
> >> > from source?
> >> > I suspect there's something missing in the KRB5 for Samba (due to KDC
> >> > error messages).
> >> >
> >>
> >> Try it like this:
> >>
> >> samba-tool domain join EXAMPLE.COM DC -UAdministrator --realm=EXAMPLE.COM --dns-backend=SAMBA_INTERNAL
> >>
> >> If that doesn't work, can you post /etc/hosts? Can you also explain why
> >> you are allowing Network-Manager to set /etc/resolv.conf? Does the
> >> soon-to-be DC get its IP from DHCP?
> >>
> >> Does smb.conf already exist? It shouldn't.
> >>
> >> Rowland
> >>
> >
> > --
> > Erick.
> >
> 
> --
> Erick.
> 
> -------------------------------------------
> IRC     :   zerick
> Blog    : http://zerick.me
> About :  http://about.me/zerick
> Linux User ID :  549567
