[Samba] [samba] joining a Centos7 to MS AD

mathias dufresne infractory at gmail.com
Thu Nov 8 10:22:08 UTC 2018


Hi all,

AD version is MS 2008R2.

smb.conf is:
[global]
workgroup = AD
security = ADS
realm = AD.DOMAIN.TLD

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h

winbind use default domain = yes
winbind expand groups = 40
winbind refresh tickets = Yes
winbind normalize names = Yes

## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config AD : backend = rid
idmap config AD : unix_nss_info = no
idmap config AD : range = 1000000-1999999
template shell = /bin/bash
template homedir = /home/%U

# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map

# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

This very same smb.conf is working on other servers.

Joining command is:
net ads join -k

with a valid Domain Admins account in that Kerberos ticket.

Using -d 9 with that join command I get:

Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'AD.DOMAIN.TLD'
ads_dns_lookup_srv: 4 records returned in the answer section.
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply

The "Default-First-Site-Name" was renamed and is now equal to the domain short
name.

As said, other servers are able to join that domain, but they are on
other networks.
I've tested ports using nmap -p88,135,445,88,389,636,3268 IP and they were
open from the buggy server. Note that by buggy I don't mean that it is
Samba which is buggy ;)

Cheers,

mathias


On Tue, Nov 6, 2018 at 13:12, mathias dufresne <infractory at gmail.com>
wrote:

> Hi Rowland,
>
> Thank you for your reply. I'll provide this information, but for now I'm
> suspecting Samba and other things could be installed in a strange manner.
> I have to check that first...
>
> Best regards,
>
> mathias
>
> On Tue, Nov 6, 2018 at 10:36, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Tue, 6 Nov 2018 10:16:26 +0100
>> mathias dufresne via samba <samba at lists.samba.org> wrote:
>>
>> > Hi all,
>> >
>> > I'm facing an issue I can't understand, so here I am...
>> >
>> > I'm trying to join a CentOS 7 to MS AD and it fails
>>
>> What is in smb.conf ?
>> How are you trying to join ?
>> What is the DC you are trying to join ?
>>
>> Rowland
>>
>>
>
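The debug output above shows ads_cldap_netlogon getting no reply even though the nmap port scan reported the ports open; that scan only tests TCP, while the CLDAP "LDAP ping" behind that message goes over UDP/389. The script below is an added example, not code from this thread or from Samba: it hand-encodes the same CLDAP SearchRequest (filter on DnsDomain and NtVer, attribute Netlogon), sends it over UDP to a DC and reports whether a Netlogon blob comes back. The DC address and the domain name passed to ldap_ping are assumed placeholders.

```python
import socket

def ber(tag, payload):
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def tlv(buf, pos=0):
    """Decode one BER TLV at pos; returns (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def children(value):
    """Yield (tag, value) for each TLV inside a constructed BER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def build_ldap_ping(domain, msg_id=1, ntver=0x06):
    """LDAP ping: SearchRequest, base "", scope base, attr Netlogon, filter (&(DnsDomain=..)(NtVer=..))."""
    filt = ber(0xA0, ber(0xA3, ber(0x04, b"DnsDomain") + ber(0x04, domain.encode()))   # and of equalityMatch
                   + ber(0xA3, ber(0x04, b"NtVer") + ber(0x04, ntver.to_bytes(4, "little"))))  # 0x06 = V5EX
    search = ber(0x63, ber(0x04, b"") + ber(0x0A, b"\x00") + ber(0x0A, b"\x00")      # base, scope, deref
                 + ber(0x02, b"\x00") + ber(0x02, b"\x00") + ber(0x01, b"\x00")       # size, time, typesOnly
                 + filt + ber(0x30, ber(0x04, b"Netlogon")))
    return ber(0x30, ber(0x02, bytes([msg_id])) + search)

def netlogon_from_reply(data):
    """Return the raw Netlogon attribute blob from a CLDAP reply, or None if there is none."""
    parts = list(children(tlv(data)[1]))            # [messageID, protocolOp]
    if len(parts) < 2 or parts[1][0] != 0x64:       # 0x64 = SearchResultEntry
        return None
    attrs = list(children(parts[1][1]))[1][1]       # skip objectName, take attributes
    for _, attr in children(attrs):
        (_, name), (_, vals) = children(attr)       # PartialAttribute: type, vals
        if name == b"Netlogon":
            return next(children(vals))[1]

def ldap_ping(dc, domain, timeout=2.0):
    """Send the ping over UDP/389 (a TCP port scan never exercises this); None means no reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ldap_ping(domain), (dc, 389))   # dc is a placeholder DC address
        try:
            return netlogon_from_reply(s.recvfrom(4096)[0])
        except socket.timeout:
            return None
```

From a Python shell on the affected host, `ldap_ping("DC_IP_PLACEHOLDER", "ad.domain.tld")` returning None reproduces the silence the join reported, which points at UDP/389 being filtered between that network and the DCs rather than at the configuration.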

