[Samba] samba on solaris 11 can not longer join Windows AD domain
Gaiseric Vandal
gaiseric.vandal at gmail.com
Tue Sep 19 12:26:02 UTC 2017
On 09/19/17 05:30, Rowland Penny via samba wrote:
> On Mon, 18 Sep 2017 22:45:04 -0400
> Gaeseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> I would like to move my Samba file server (Samba 4.4.14 on Solaris
>> 11) from a classic domain into an Active Directory domain. The
>> active directory domain has one Win 2008 directory server / domain
>> controller, and one Win 2012 R2 DS. E-mail, among other things,
>> depends on a Microsoft AD backend.
>>
>>
>> A few months ago I was able to join a test server to the AD
>> domain. Today I tried joining a 2nd one, but without success.
>>
>>
>>
>> testmachine1# net ads join -U Administrator at mydomain.com
>> Enter Administrator at mydomain.com's password:
>> Failed to join domain: Failed to set machine spn: Time limit exceeded
>> Do you have sufficient permissions to create machine accounts?
>>
>> I thought that I may have not properly replicated the configuration,
>> so I tried it on the first test server, with the same error.
>>
>>
>>
>> The event log on the AD DS shows:
>>
>> Log Name: System
>> Source: Microsoft-Windows-Security-Kerberos
>> Date: 9/18/2017 10:01:27 PM
>> Event ID: 3
>> Task Category: None
>> Level: Error
>> Keywords: Classic
>> User: N/A
>> Computer: DS1.mydomain.com
>> Description:
>> A Kerberos Error Message was received:
>> on logon session
>> Client Time:
>> Server Time: 2:1:27.0000 9/19/2017 Z
>> Error Code: 0xd KDC_ERR_BADOPTION
>> Extended Error: 0xc00000bb KLIN(0)
>> Client Realm:
>> Client Name:
>> Server Realm: MYDOMAIN.COM
>> Server Name: DS1.mydomain.com
>> Target Name: DS1.mydomain.com at MYDOMAIN.COM
>>
>> I have applied patches over the last few months to the Windows
>> servers. Can't think of any significant changes on the Windows side.
>>
>>
>>
>> I have copied and pasted the partial output of testparm -v.
>>
>>
>>
>> root at testmachine1:~# testparm -v
>>
> Please don't ever do that again, never send the verbose output from
> testparm, just send the output of 'cat'
>
>
> Before going any further, can I ask how (once you have joined
> the domain) you propose to make your Windows users known to the Unix
> system? There is a distinct lack of 'idmap config' lines.
>
> Does the /etc/resolv.conf point to a DC as a nameserver ?
> Does the proposed Unix domain member get its IP via DHCP ?
> What is in /etc/hosts ?
> What is in /etc/krb5.conf ?
>
> Rowland
>
Sorry, meant to copy and paste only the relevant stuff. I think I hit paste twice.
The problem with showing just the config file is that options not explicitly set may have different defaults depending on version. I have attached part of cat smb.conf below.
/etc/hosts does not include the AD Domain controllers.
/etc/resolv.conf shows secondary DNS servers, which in turn sync data from the AD Domain controllers. I don't think this is a DNS issue since "net join" and "net ads join" are locating the AD domain controllers.
/etc/krb5/krb5.conf is set up for the MYDOMAIN realm. I can use ldapclient and kinit to join the machine to the MYDOMAIN AD realm for "Unix" level user and group lookups (via LDAP) and Kerberos authentication. I did find that Solaris "native" Kerberos and Samba expect krb5.keytab files in different locations, which I resolved with a symlink between /etc/krb5.keytab and /etc/krb5/krb5.keytab.
All member servers use static IP.
Thanks
________________________________________________________________________________________________________________
#cat /etc/samba/smb.conf
...
#======================= Global Settings =====================================
[global]
private dir = /etc/samba/private
smb passwd file = /etc/samba/private/smbpasswd
syslog = 3
log level = 10
client ldap sasl wrapping = plain
ldap server require strong auth = no
create krb5 conf = no
...
# max protocol = used to define the supported protocol. The default is NT1. You
# can set it to SMB2 if you want experimental SMB2 support.
#
workgroup = MYDOMAIN
server string = Samba Server Version %v
netbios name = MYSERVER
; max protocol = SMB2
passdb backend = tdbsam
security = ads
realm = MYDOMAIN.COM
idmap config *:backend = tdb
idmap config *:range = 2000-2999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 100-1999
# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
domain master = no
domain logons = no
_______________________________________________________________________________________________________________
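As an added example (not code from the list post or from the Samba project), the script below applies the sanity checks that Rowland's questions point at to a constructed smb.conf/krb5.conf pair modelled on the config above: `security = ads`, an upper-case `realm` that matches the krb5.conf `default_realm`, and complete, non-overlapping `idmap config` ranges for `*` and the joined domain. The function names, the embedded sample files and the `kdc = ds1.mydomain.com` line in the krb5 sample are assumptions of the example.

```python
"""Pre-join sanity checks for a Samba AD domain member (constructed example).

Parses the flat 'key = value' lines of smb.conf and krb5.conf and reports
mismatches that commonly break or follow an 'net ads join'.
"""
import re


def _norm_key(key):
    # Samba matches parameter names case-insensitively and ignores whitespace
    # differences, so normalise to lower case with single spaces.
    return " ".join(key.lower().split())


def parse_ini(text):
    """Return {section: {key: value}} for flat 'key = value' lines.

    '#' and ';' start comments. Lines with braces (krb5.conf [realms]
    blocks) are skipped; only flat keys are needed here.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "{" in line or "}" in line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][_norm_key(key)] = value.strip()
    return sections


def parse_range(value):
    """'100-1999' -> (100, 1999); ValueError on malformed or inverted ranges."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value or "")
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError("bad idmap range: %r" % value)
    return int(m.group(1)), int(m.group(2))


def check_member_config(smb_text, krb5_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    g = parse_ini(smb_text).get("global", {})
    libdefaults = parse_ini(krb5_text).get("libdefaults", {})

    if g.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' for an AD domain member")

    realm = g.get("realm", "")
    krb_realm = libdefaults.get("default_realm", "")
    if not realm:
        findings.append("realm is not set in smb.conf")
    elif realm != realm.upper():
        findings.append("realm should be upper case: %s" % realm)
    if realm and not krb_realm:
        findings.append("krb5.conf has no default_realm")
    elif realm and realm.upper() != krb_realm.upper():
        findings.append("smb.conf realm %s != krb5.conf default_realm %s"
                        % (realm, krb_realm))

    workgroup = g.get("workgroup", "")
    if not workgroup:
        findings.append("workgroup is not set")

    # The '*' default domain and the joined domain each need a backend and
    # a range, and the two ranges must not overlap.
    ranges = {}
    for dom in [d for d in ("*", workgroup) if d]:
        backend = g.get(_norm_key("idmap config %s:backend" % dom))
        rng = g.get(_norm_key("idmap config %s:range" % dom))
        if not backend or not rng:
            findings.append("idmap config for domain '%s' is incomplete" % dom)
            continue
        try:
            ranges[dom] = parse_range(rng)
        except ValueError as exc:
            findings.append(str(exc))
    if len(ranges) == 2:
        (a_lo, a_hi), (b_lo, b_hi) = ranges["*"], ranges[workgroup]
        if a_lo <= b_hi and b_lo <= a_hi:
            findings.append("idmap ranges for '*' and '%s' overlap" % workgroup)
    return findings


# Constructed samples modelled on the smb.conf in the post (not the real files).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = MYDOMAIN
    security = ads
    realm = MYDOMAIN.COM
    idmap config *:backend = tdb
    idmap config *:range = 2000-2999
    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:range = 100-1999
    winbind nss info = rfc2307
"""

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MYDOMAIN.COM
[realms]
    MYDOMAIN.COM = {
        kdc = ds1.mydomain.com
    }
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python3 check_member.py /etc/samba/smb.conf /etc/krb5/krb5.conf
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            smb_text, krb5_text = f1.read(), f2.read()
    else:
        smb_text, krb5_text = SAMPLE_SMB_CONF, SAMPLE_KRB5_CONF
    problems = check_member_config(smb_text, krb5_text)
    print("\n".join(problems) if problems else "no problems found")
```

Run it without arguments to check the embedded samples, or pass the two real paths (on this Solaris box, /etc/samba/smb.conf and /etc/krb5/krb5.conf). It only reads configuration, so it is safe to run on a member before retrying the join; the DNS, /etc/hosts and keytab-location questions from the thread still have to be checked on the host itself.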