[Samba] Problem with adding an Samba Member Server to a Samba AD Domain
Stefan Schäfer
ml at fsproductions.de
Sat Mar 18 06:48:27 UTC 2017
Hi List,
I found some threads here in the list with similar problems, but nothing
helped to solve my problem.
We have a much too old Samba DC (version 4.1.x) and a new Samba
4.5.6 which should act as a member server.
The first problem we had during joining the domain:
"net ads join -k" didn't work.
The Error Message said: Failed to join domain: failed to lookup DC info
for domain 'BAETTENHAUSEN.LOCAL' over rpc: An internal error occurred.
Joining with "net ads join -S s4ad.baettenhausen.local -U
Administrator@baettenhausen.local" worked.
After this it wasn't possible to connect to any share of this server. I
found the following message in the logs:
[2017/03/18 01:48:18.760431, 1]
../source3/librpc/crypto/gse.c:498(gse_get_server_auth_token)
gss_accept_sec_context failed with [ Miscellaneous failure (see
text): Failed to find
cifs/fileserver.baettenhausen.local@BAETTENHAUSEN.LOCAL(kvno 2) in
keytab MEMORY:cifs_srv_keytab
(arcfour-hmac-md5)]
Trying to search the keytab for "arcfour-hmac-md5" with "klist -e -k
/etc/krb5.keytab | grep arcfour-hmac-md5" delivers no matches.
Trying to connect with the Domain admins Account with smbclient didn't work:
smbclient -L 127.0.0.1 -U administrator@baettenhausen.local
Enter administrator@baettenhausen.local's password:
session setup failed: NT_STATUS_LOGON_FAILURE
The log shows:
[2017/03/18 07:35:01.529313, 3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[BAETTENHAUSEN]\[administrator]@[FILESERVER] with the new password interface
[2017/03/18 07:35:01.529339, 3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is:
[BAETTENHAUSEN]\[administrator]@[FILESERVER]
[2017/03/18 07:35:01.552411, 3]
../source3/auth/auth_util.c:1233(check_account)
Failed to find authenticated user BAETTENHAUSEN\administrator via
getpwnam(), denying access.
[2017/03/18 07:35:01.552450, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [administrator] ->
[administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/03/18 07:35:01.552482, 2]
../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2017/03/18 07:35:01.552546, 3]
../source3/smbd/error.c:82(error_packet_set)
NT error packet at ../source3/smbd/sesssetup.c(277) cmd=115
(SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2017/03/18 07:35:01.552988, 3]
../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (failed to receive smb request)
[2017/03/18 07:35:01.577737, 3]
../source3/lib/util_procid.c:54(pid_to_procid)
pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
kinit instead works fine, and wbinfo -u is able to show all domain users.
My smb.conf:
[global]
workgroup = BAETTENHAUSEN
interfaces = 127.0.0.1 eth0
bind interfaces only = true
printing = cups
printcap name = cups
load printers = yes
user share allow guests = no
log level = 3
## no offline files
# csc policy = disable
## Domain Settings
security = ADS
realm = BAETTENHAUSEN.LOCAL
# server signing = auto
kerberos method = secrets and keytab
client signing = yes
client use spnego = yes
ntlm auth = yes
winbind trusted domains only = no
winbind use default domain = yes
## Winbind Settings
#winbind separator = +
# ID mapping with RFC2307 extension
# Builtin and local users/groups
idmap config *:backend = tdb
idmap config *:range = 40000-49999
# BAETTENHAUSEN
idmap config BAETTENHAUSEN:backend = ad
#idmap config BAETTENHAUSEN:schema_mode = rfc2307
idmap config BAETTENHAUSEN:range = 500-30000
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
## Charset Settings
unix charset = UTF8
# display charset = UTF8
dos charset = ASCII
....
Here is the krb5.conf:
[libdefaults]
default_realm = BAETTENHAUSEN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
BAETTENHAUSEN.LOCAL = {
kdc = s4ad.baettenhausen.local
admin_server = s4ad.baettenhausen.local
}
Resolving the DNS service records for LDAP and Kerberos works:
fileserver:~ # dig SRV _ldap._tcp.baettenhausen.local
; <<>> DiG 9.9.9-P1 <<>> SRV _ldap._tcp.baettenhausen.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46492
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.baettenhausen.local. IN SRV
;; ANSWER SECTION:
_ldap._tcp.baettenhausen.local. 900 IN SRV 0 100 389 s4ad.baettenhausen.local.
;; AUTHORITY SECTION:
baettenhausen.local. 900 IN NS s4ad.baettenhausen.local.
;; ADDITIONAL SECTION:
s4ad.baettenhausen.local. 900 IN A 192.168.1.10
;; Query time: 8 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sat Mar 18 07:45:39 CET 2017
;; MSG SIZE rcvd: 133
fileserver:~ # dig SRV _kerberos._tcp.baettenhausen.local
; <<>> DiG 9.9.9-P1 <<>> SRV _kerberos._tcp.baettenhausen.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33727
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_kerberos._tcp.baettenhausen.local. IN SRV
;; ANSWER SECTION:
_kerberos._tcp.baettenhausen.local. 900 IN SRV 0 100 88 s4ad.baettenhausen.local.
;; AUTHORITY SECTION:
baettenhausen.local. 900 IN NS s4ad.baettenhausen.local.
;; ADDITIONAL SECTION:
s4ad.baettenhausen.local. 900 IN A 192.168.1.10
;; Query time: 7 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sat Mar 18 07:46:58 CET 2017
;; MSG SIZE rcvd: 137
Resolving the hostnames of the AD DC and the new member server works in
both directions.
Any ideas?
Stefan
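As an added diagnostic example, not part of Stefan's post or of Samba itself: a small Python script that takes the gse.c "Failed to find ... in keytab" line quoted above and a "klist -e -k" listing (the listing here is constructed, not the poster's keytab) and reports whether the principal, its kvno, or the requested enctype is what the keytab lacks.

```python
import re

# The gse.c failure from the post, joined onto one line.
GSE_LINE = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
            "Failed to find cifs/fileserver.baettenhausen.local@BAETTENHAUSEN.LOCAL(kvno 2) "
            "in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]")

# Constructed "klist -e -k /etc/krb5.keytab" output: cifs/ entries exist, but only AES.
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fileserver.baettenhausen.local@BAETTENHAUSEN.LOCAL (aes256-cts-hmac-sha1-96)
   2 host/fileserver.baettenhausen.local@BAETTENHAUSEN.LOCAL (aes128-cts-hmac-sha1-96)
   2 cifs/fileserver.baettenhausen.local@BAETTENHAUSEN.LOCAL (aes256-cts-hmac-sha1-96)
   2 cifs/fileserver.baettenhausen.local@BAETTENHAUSEN.LOCAL (aes128-cts-hmac-sha1-96)
"""

# Principal, kvno and enctype that the server-side GSSAPI accept step asked for.
GSE_RE = re.compile(r"Failed to find (?P<princ>\S+?)\(kvno (?P<kvno>\d+)\) in keytab "
                    r".*?\((?P<enctype>[\w-]+)\)")
# One keytab entry per line: "<kvno> <principal> (<enctype>)".
KLIST_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<princ>\S+)\s+\((?P<enctype>[\w-]+)\)\s*$", re.M)


def parse_gse_failure(line):
    """Return (principal, kvno, enctype) named in the gse.c error, or None."""
    m = GSE_RE.search(line)
    return (m["princ"], int(m["kvno"]), m["enctype"]) if m else None


def parse_keytab_listing(text):
    """Return the set of (principal, kvno, enctype) triples present in the keytab."""
    return {(m["princ"], int(m["kvno"]), m["enctype"]) for m in KLIST_RE.finditer(text)}


def diagnose(gse_line, klist_text):
    """Say which part of the requested keytab entry is absent, most specific first."""
    want = parse_gse_failure(gse_line)
    if want is None:
        return "no keytab failure found"
    have = parse_keytab_listing(klist_text)
    if want in have:
        return "present"
    princ, kvno, _ = want
    same_princ = {(k, e) for p, k, e in have if p == princ}
    if not same_princ:
        return "missing principal"
    if not any(k == kvno for k, _ in same_princ):
        return "kvno mismatch"
    return "missing enctype"


if __name__ == "__main__":
    print(diagnose(GSE_LINE, KLIST_OUTPUT))
```

For the constructed listing the verdict is "missing enctype", which matches what the grep for arcfour-hmac-md5 in the post found.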