[Samba] [samba] joining a Centos7 to MS AD

mathias dufresne infractory at gmail.com
Thu Nov 8 10:22:08 UTC 2018

Hi all,

AD version is MS 2008R2.

smb.conf is:
workgroup = AD
security = ADS

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h

winbind use default domain = yes
winbind expand groups = 40
winbind refresh tickets = Yes
winbind normalize names = Yes

## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config AD : backend = rid
idmap config AD : unix_nss_info = no
idmap config AD : range = 1000000-1999999
template shell = /bin/bash
template homedir = /home/%U

# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map

# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

This very same smb.conf is working on other servers.

Joining command is:
net ads join -k

with a valid Domain Admins account in that Kerberos ticket.

Using -d 9 with that join command I get:

Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'AD.DOMAIN.TLD'
ads_dns_lookup_srv: 4 records returned in the answer section.
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply

The "Default-First-Site-Name" was renamed and is now equal to domain short

As said, other servers are able to join that domain, but they are on
other networks.
I've tested ports using nmap -p88,135,445,88,389,636,3268 IP and they were
open from the buggy server. Note that by buggy I don't mean that it is
Samba which is buggy ;)
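Added example (editor's note, not part of the list post and not Samba code): the join above fails at ads_cldap_netlogon, which is the LDAP ping Samba sends to each DC over UDP port 389 after the SRV lookup succeeded. nmap's -p list scans TCP by default, so a TCP-open result for 389 says nothing about that UDP path. The probe below hand-encodes the same CLDAP search Samba issues, filter (&(DnsDomain=<realm>)(NtVer=<flags>)) for attribute Netlogon, sends it to a DC and reports whether a SearchResultEntry came back before the timeout. The realm ad.domain.tld, the DC address and the NtVer flag value 0x06 (NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX, which is what Samba is understood to request) are assumptions for illustration; the reply bytes used by the self-check at the bottom are constructed.

```python
#!/usr/bin/env python3
"""Minimal CLDAP netlogon probe over UDP/389 (added example, not from the post)."""
import socket
import struct
import sys


def ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """Wrap payload in a single-byte BER tag plus length."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v: int) -> bytes:
    """Non-negative INTEGER; extra zero byte keeps the sign bit clear."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def build_cldap_netlogon_request(realm: str, message_id: int = 1,
                                 nt_version: int = 0x06) -> bytes:
    """LDAPMessage { messageID, SearchRequest } for the netlogon ping.

    nt_version 0x06 (NT_VERSION_5 | NT_VERSION_5EX) is an assumed value;
    it is sent as a 4-byte little-endian OCTET STRING like Samba does.
    """
    eq_dns = tlv(0xA3, tlv(0x04, b"DnsDomain") + tlv(0x04, realm.encode()))
    eq_ver = tlv(0xA3, tlv(0x04, b"NtVer") + tlv(0x04, struct.pack("<I", nt_version)))
    filt = tlv(0xA0, eq_dns + eq_ver)              # and(...)
    attrs = tlv(0x30, tlv(0x04, b"Netlogon"))      # requested attribute list
    search = tlv(
        0x63,                                      # [APPLICATION 3] SearchRequest
        tlv(0x04, b"")                             # baseObject: rootDSE
        + tlv(0x0A, b"\x00")                       # scope: baseObject
        + tlv(0x0A, b"\x00")                       # derefAliases: never
        + ber_int(0) + ber_int(0)                  # sizeLimit, timeLimit
        + tlv(0x01, b"\x00")                       # typesOnly: FALSE
        + filt + attrs,
    )
    return tlv(0x30, ber_int(message_id) + search)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def is_netlogon_reply(data: bytes, message_id: int = 1) -> bool:
    """True if data is an LDAPMessage with our messageID and a SearchResultEntry."""
    if not data:
        return False
    tag, body, _ = read_tlv(data, 0)
    if tag != 0x30:
        return False
    t, mid, pos = read_tlv(body, 0)
    if t != 0x02 or int.from_bytes(mid, "big") != message_id:
        return False
    op, _, _ = read_tlv(body, pos)
    return op == 0x64                              # [APPLICATION 4] SearchResultEntry


def probe(dc_host: str, realm: str, timeout: float = 2.0) -> bool:
    """Send the CLDAP ping over UDP/389 and report whether a DC answered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_cldap_netlogon_request(realm), (dc_host, 389))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False                           # same symptom as "did not get a reply"
    return is_netlogon_reply(data)


if __name__ == "__main__":
    # Assumed invocation: probe.py <dc-ip-or-name> <realm>
    dc, realm = sys.argv[1], sys.argv[2]
    print("CLDAP reply" if probe(dc, realm) else "no CLDAP reply (UDP/389 blocked or DC silent)")
```

Run it once per address returned by the _ldap._tcp SRV lookup; a "no CLDAP reply" for all of them while TCP 389 is open points at UDP filtering between the new network and the DCs rather than at the smb.conf.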
