[Samba] Joining Samba4 to existing AD
L.P.H. van Belle
belle at bazuin.nl
Wed Apr 12 15:28:39 UTC 2017
Correct, you need a smb.conf.
https://wiki.samba.org/index.php/User_Documentation
And please do correct your hosts file before you join.
>> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 dc-02.example.com dc-02 << NOT GOOD
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.3.251.19 dc-01.example.com dc-01 << CORRECT
Greetz,
Louis
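The hosts-file mistake Louis points out above (the new DC's FQDN and short name listed on the 127.0.0.1 line instead of on the host's real address) is easy to check for mechanically before running the join. The following script is an added example and is not part of the mailing-list thread or of Samba itself: it parses an /etc/hosts text and reports any name that is mapped to a loopback address or missing from the expected interface address. The function names are hypothetical, the sample hosts contents are constructed from the layout posted in the thread, and the address 10.3.251.20 assumed for dc-02 is a placeholder, since the thread never gives dc-02's real IP.

```python
"""Sanity check for /etc/hosts before `samba-tool domain join ... DC`.

Added example, not code from the thread or from Samba. Function names are
hypothetical; the sample hosts contents below are constructed, and the
address 10.3.251.20 for dc-02 is an assumed placeholder.
"""
import ipaddress
from typing import Dict, List


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname in an /etc/hosts text to the addresses listed for it.

    Comments (# ...) and blank lines are ignored; names are lowercased,
    matching the resolver's case-insensitive lookup.
    """
    names: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *hostnames = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # skip malformed lines instead of mis-attributing them
        for name in hostnames:
            names.setdefault(name.lower(), []).append(addr)
    return names


def check_dc_hosts(text: str, fqdn: str, expected_ip: str) -> List[str]:
    """Return a list of problems; an empty list means the file looks right.

    `fqdn` is the prospective DC's fully qualified name and `expected_ip`
    the static address of the interface Samba will listen on. Both the
    FQDN and its short name must resolve to that address and never to a
    loopback address, otherwise the DC advertises itself as 127.0.0.1.
    """
    problems: List[str] = []
    names = parse_hosts(text)
    short = fqdn.split(".", 1)[0].lower()
    for name in (fqdn.lower(), short):
        addrs = names.get(name, [])
        if not addrs:
            problems.append(f"{name}: not present in /etc/hosts")
            continue
        loopbacks = [a for a in addrs if ipaddress.ip_address(a).is_loopback]
        if loopbacks:
            problems.append(f"{name}: mapped to loopback {', '.join(loopbacks)}")
        if expected_ip not in addrs:
            problems.append(f"{name}: not mapped to {expected_ip}")
    return problems


# Constructed sample: the layout posted in the thread (DC names on 127.0.0.1).
BAD_HOSTS = """\
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 dc-02.example.com dc-02
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.3.251.19 dc-01.example.com dc-01
"""

# Constructed sample: corrected layout, DC names on the host's own address
# (10.3.251.20 is an assumed placeholder for dc-02).
GOOD_HOSTS = """\
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.3.251.20 dc-02.example.com dc-02
10.3.251.19 dc-01.example.com dc-01
"""

if __name__ == "__main__":
    for label, content in (("bad", BAD_HOSTS), ("good", GOOD_HOSTS)):
        findings = check_dc_hosts(content, "dc-02.example.com", "10.3.251.20")
        print(label, findings or "OK")
```

Run it against the real file with `check_dc_hosts(open("/etc/hosts").read(), fqdn, ip)`; the bad layout yields four findings (loopback mapping and missing interface address, for both the FQDN and the short name), the corrected one yields none.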
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Erick Ocrospoma
> via samba
> Sent: Wednesday 12 April 2017 17:24
> To: Rowland Penny
> CC: Samba mailing list
> Subject: Re: [Samba] Joining Samba4 to existing AD
>
> Oh, also, I was asking about the smb.conf because googling I saw some
> smb.conf with some entries for Kerberos which supposely fixed/helped other
> people.
>
> Currently my /etc/samba/ is empty, so I think it is normal from a Samba
> built from source.
>
>
>
> On 12 April 2017 at 10:17, Erick Ocrospoma <zipper1790 at gmail.com> wrote:
>
> > Hi Rowland, thanks for your reply.
> >
> > I tried the command as suggested, and this is what I get:
> >
> >
> > [root at dc-02 ~]# samba-tool domain join EXAMPLE.COM DC -UAdministrator
> > --realm=EXAMPLE.COM --dns-backend=SAMBA_INTERNAL
> > Finding a writeable DC for domain 'EXAMPLE.COM'
> > Found DC dc-01.example.com
> > Password for [WORKGROUP\Administrator]:
> > workgroup is EXAMPLE
> > realm is example.com
> > Adding CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
> > Adding CN=LIM-INF1-DNS-02,CN=Servers,CN=Default-First-Site-Name,CN=
> > Sites,CN=Configuration,DC=example,DC=com
> > Join failed - cleaning up
> > Deleted CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
> > ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
> > CN=Sites,CN=Configuration,DC=example,DC=com <0000208D: NameErr:
> > DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
> > 'CN=Sites,CN=Configuration,DC=example,DC=com'
> > > <>
> > File "/usr/local/samba/lib64/python2.7/site-
> packages/samba/netcmd/__init__.py",
> > line 176, in _run
> > return self.run(*args, **kwargs)
> > File "/usr/local/samba/lib64/python2.7/site-
> packages/samba/netcmd/domain.py",
> > line 652, in run
> > machinepass=machinepass, use_ntvfs=use_ntvfs,
> dns_backend=dns_backend)
> > File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
> > line 1253, in join_DC
> > ctx.do_join()
> > File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
> > line 1151, in do_join
> > ctx.join_add_objects()
> > File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
> > line 593, in join_add_objects
> > ctx.samdb.add(rec)
> >
> >
> >
> > This is the content of /etc/hosts
> >
> >
> > [root at dc-02 ~]# cat /etc/hosts
> > 127.0.0.1 localhost localhost.localdomain localhost4
> > localhost4.localdomain4 dc-02.example.com dc-02
> > ::1 localhost localhost.localdomain localhost6
> > localhost6.localdomain6
> > 10.3.251.19 dc-01.example.com dc-01
> >
> >
> > Also, I tried by enabling debug level 3
> >
> >
> > [root at dc-02 ~]# samba-tool domain join EXAMPLE.COM DC -UAdministrator
> > --realm=EXAMPLE.COM --dns-backend=SAMBA_INTERNAL --debug 3
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Finding a writeable DC for domain 'EXAMPLE.COM'
> > resolve_lmhosts: Attempting lmhosts lookup for name
> _ldap._tcp.EXAMPLE.COM
> > <0x0>
> > Found DC dc-01.example.com
> > resolve_lmhosts: Attempting lmhosts lookup for name dc-01.example.com
> > <0x20>
> > Password for [WORKGROUP\Administrator]:
> > Aquiring initiator credentials failed: kinit for
> Administrator at EXAMPLE.COM
> > failed (Wrong realm)
> >
> > SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
> NT_STATUS_UNSUCCESSFUL
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x62898235
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > workgroup is EXAMPLE
> > realm is example.com
> > Adding CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
> > Adding CN=LIM-INF1-DNS-02,CN=Servers,CN=Default-First-Site-Name,CN=
> > Sites,CN=Configuration,DC=example,DC=com
> > Join failed - cleaning up
> > ldb_wrap open of secrets.ldb
> > Could not find machine account in secrets database: Failed to fetch
> > machine account password for EXAMPLE from both secrets.ldb (Could not
> find
> > entry to match filter:
> '(&(flatname=EXAMPLE)(objectclass=primaryDomain))'
> > base: 'cn=Primary Domains': No such object: dsdb_search at
> > ../source4/dsdb/common/util.c:4575) and from
> /var/lib/samba/private/secrets.tdb:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> > Deleted CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
> > ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
> > CN=Sites,CN=Configuration,DC=example,DC=com <0000208D: NameErr:
> > DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
> > 'CN=Sites,CN=Configuration,DC=example,DC=com'
> > > <>
> > File "/usr/local/samba/lib64/python2.7/site-
> packages/samba/netcmd/__init__.py",
> > line 176, in _run
> > return self.run(*args, **kwargs)
> > File "/usr/local/samba/lib64/python2.7/site-
> packages/samba/netcmd/domain.py",
> > line 652, in run
> > machinepass=machinepass, use_ntvfs=use_ntvfs,
> dns_backend=dns_backend)
> > File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
> > line 1253, in join_DC
> > ctx.do_join()
> > File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
> > line 1151, in do_join
> > ctx.join_add_objects()
> > File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
> > line 593, in join_add_objects
> > ctx.samdb.add(rec)
> >
> >
> > I see some lines mentioning kinit auth, but I tried to get a new ticket
> > and it worked
> >
> >
> > [root at dc-02 ~]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: Administrator at EXAMPLE.COM
> >
> > Valid starting Expires Service principal
> > 04/12/2017 11:39:06 04/12/2017 21:39:06 krbtgt/EXAMPLE.COM at EXAMPLE.COM
> > renew until 04/13/2017 11:38:59
> >
> >
> >
> > This machine does not get its IP from DHCP, but yes, it is managed by
> > Network Manager, but IP and DNS config are static values.
> >
> >
> > On 11 April 2017 at 12:38, Rowland Penny via samba
> <samba at lists.samba.org>
> > wrote:
> >
> >> On Tue, 11 Apr 2017 12:15:43 -0500
> >> Erick Ocrospoma via samba <samba at lists.samba.org> wrote:
> >>
> >> > Hi,
> >> >
> >> > I tried with the latest stable 4.5.x, but with no success.
> >> >
> >> > Do you think you could share your smb.conf ? and also how you built
> >> > from source?
> >> > I suspect there's something missing in the KRB5 for Samba (due to KDC
> >> > error messages).
> >> >
> >>
> >> Try it like this:
> >>
> >> samba-tool domain join EXAMPLE.COM DC -UAdministrator
> >> --realm=EXAMPLE.COM --dns-backend=SAMBA_INTERNAL
> >>
> >> If that doesn't work, can you post /etc/hosts, can you also explain why
> >> you are allowing Network-Manager to set /etc/resolv.conf, does the soon
> >> to be a DC get its IP from DHCP ??
> >>
> >> Does smb.conf already exist ? it shouldn't
> >>
> >> Rowland
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >
> >
> >
> > --
> >
> >
> > Erick.
> >
> >
> > -------------------------------------------
> > IRC : zerick
> > Blog : http://zerick.me
> > About : http://about.me/zerick
> > Linux User ID : 549567
> >
>
>
>
> --
>
>
> Erick.
>
>
> -------------------------------------------
> IRC : zerick
> Blog : http://zerick.me
> About : http://about.me/zerick
> Linux User ID : 549567