[Samba] [samba] joining a Centos7 to MS AD

mathias dufresne infractory at gmail.com
Thu Nov 8 10:22:08 UTC 2018

Hi all,

AD version is MS 2008R2.

smb.conf is:
workgroup = AD
security = ADS

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h

winbind use default domain = yes
winbind expand groups = 40
winbind refresh tickets = Yes
winbind normalize names = Yes

## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config AD : backend = rid
idmap config AD : unix_nss_info = no
idmap config AD : range = 1000000-1999999
template shell = /bin/bash
template homedir = /home/%U

# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map

# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

This very same smb.conf is working on other servers.

The joining command is:
net ads join -k

with a valid Domain Admins account in that Kerberos ticket.

Using -d 9 with that join command I get:

Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'AD.DOMAIN.TLD'
ads_dns_lookup_srv: 4 records returned in the answer section.
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply

The "Default-First-Site-Name" was renamed and is now equal to domain short

As said, other servers are able to join that domain, but they are on
other networks.
I've tested ports using nmap -p88,135,445,88,389,636,3268 IP and they were
open from the buggy server. Note that by buggy I don't mean that it is
Samba which is buggy ;)



On Tue, 6 Nov 2018 at 13:12, mathias dufresne <infractory at gmail.com>
wrote:

> Hi Rowland,
> Thank you for your reply. I'll provide this information but for now I'm
> suspecting Samba and other things could be installed in a strange manner.
> I have to check that first...
> Best regards,
> mathias
> On Tue, 6 Nov 2018 at 10:36, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>> On Tue, 6 Nov 2018 10:16:26 +0100
>> mathias dufresne via samba <samba at lists.samba.org> wrote:
>> > Hi all,
>> >
>> > I'm facing an issue I can't understand, so here I am...
>> >
>> > I'm trying to join a CentOS 7 to MS AD and it fails
>> What is in smb.conf ?
>> How are you trying to join ?
>> What is the DC you are trying to join ?
>> Rowland
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
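
Added example, not part of the original thread and not Samba code: the debug output above stops at ads_cldap_netlogon, which is a connectionless LDAP (CLDAP) query sent over UDP port 389, while nmap -p without -sU scans TCP only. The sketch below sends the same kind of Netlogon query over UDP and reports whether a datagram comes back; the NtVer flag value and all function names are assumptions made for this example.

```python
import socket
import struct

NTVER = 0x00000006  # assumed request flags: NETLOGON_NT_VERSION_5 | _5EX

def tlv(tag, body=b""):
    """BER tag-length-value, short or long length form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def build_cldap_ping(dns_domain, msg_id=1):
    """searchRequest on the rootDSE for the Netlogon attribute (msg_id 1..127)."""
    eq = lambda attr, val: tlv(0xA3, tlv(0x04, attr) + tlv(0x04, val))
    flt = tlv(0xA0, eq(b"DnsDomain", dns_domain.encode())
                    + eq(b"NtVer", struct.pack("<I", NTVER)))  # (&(..)(..))
    req = (tlv(0x04)                                        # baseObject ""
           + tlv(0x0A, b"\x00") * 2 + tlv(0x02, b"\x00") * 2  # scope, deref, limits
           + tlv(0x01, b"\x00") + flt                       # typesOnly, filter
           + tlv(0x30, tlv(0x04, b"Netlogon")))             # requested attribute
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, req))

def cldap_ping(host, dns_domain, port=389, timeout=3.0):
    """Send the request over UDP; return the reply datagram or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_cldap_ping(dns_domain), (host, port))
            return s.recvfrom(4096)[0]
        except OSError:  # timeout, ICMP unreachable, no route
            return None

def ber_hdr(buf, i):  # -> (tag, length, offset of value) for element at buf[i]
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, n, i

def reply_op(data):
    """protocolOp tag of a reply: 0x64 searchResEntry, 0x65 searchResDone."""
    try:
        tag, _, i = ber_hdr(data, 0)   # outer LDAPMessage SEQUENCE
        _, n, i = ber_hdr(data, i)     # messageID
        return data[i + n] if tag == 0x30 else None
    except (IndexError, TypeError):
        return None
```

Run `reply_op(cldap_ping("<DC address>", "<DNS domain>"))` from the host that fails to join: `None` means no datagram came back on UDP 389, which matches the "did not get a reply" lines, and `0x64` means the DC returned a Netlogon entry.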
