[Samba] [samba] joining a Centos7 to MS AD

mathias dufresne infractory at gmail.com
Thu Nov 8 11:33:35 UTC 2018


Hi,

After more investigation I now believe that we have some issue with our
AD site declaration. I'll be back once I have more information.

Best regards,

M.

On Thu, 8 Nov 2018 at 11:22, mathias dufresne <infractory at gmail.com>
wrote:

> Hi all,
>
> AD version is MS 2008R2.
>
> smb.conf is :
> [global]
> workgroup = AD
> security = ADS
> realm = AD.DOMAIN.TLD
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = Samba 4 Client %h
>
> winbind use default domain = yes
> winbind expand groups = 40
> winbind refresh tickets = Yes
> winbind normalize names = Yes
>
> ## map ids outside of domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> ## map ids from the domain the ranges may not overlap !
> idmap config AD : backend = rid
> idmap config AD : unix_nss_info = no
> idmap config AD : range = 1000000-1999999
> template shell = /bin/bash
> template homedir = /home/%U
>
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/user.map
>
> # disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> This very same smb.conf is working on other servers.
>
> Joining command is :
> net ads join -k
>
> with a valid Domain Admins account in that Kerberos ticket.
>
> Using -d 9 with that join command I get :
>
> Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
> sitename_fetch: No stored sitename for realm 'AD.DOMAIN.TLD'
> ads_dns_lookup_srv: 4 records returned in the answer section.
> ads_cldap_netlogon: did not get a reply
> ads_cldap_netlogon: did not get a reply
> ads_cldap_netlogon: did not get a reply
> ads_cldap_netlogon: did not get a reply
>
> The "Default-First-Site-Name" was renamed and is now equal to domain short
> name.
>
> As said, other servers are able to join that domain, but they are on
> other networks.
> I've tested ports using nmap -p88,135,445,88,389,636,3268 IP and they were
> open from the buggy server. Note that by buggy I don't mean that it is
> Samba which is buggy ;)
>
> Cheers,
>
> mathias
>
>
> On Tue, 6 Nov 2018 at 13:12, mathias dufresne <infractory at gmail.com>
> wrote:
>
>> Hi Rowland,
>>
>> Thank you for your reply. I'll provide this information, but for now I
>> suspect Samba and other things could be installed in a strange manner.
>> I have to check that first...
>>
>> Best regards,
>>
>> mathias
>>
>> On Tue, 6 Nov 2018 at 10:36, Rowland Penny via samba <
>> samba at lists.samba.org> wrote:
>>
>>> On Tue, 6 Nov 2018 10:16:26 +0100
>>> mathias dufresne via samba <samba at lists.samba.org> wrote:
>>>
>>> > Hi all,
>>> >
>>> > I'm facing an issue I can't understand, so here I am...
>>> >
>>> > I'm trying to join a CentOS 7 to MS AD and it fails
>>>
>>> What is in smb.conf ?
>>> How are you trying to join ?
>>> What is the DC you are trying to join ?
>>>
>>> Rowland
>>>
>>
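
An added check, not part of the original thread and not Samba's own code: the `ads_cldap_netlogon` lines in the debug output refer to the CLDAP ping, which travels over UDP port 389, whereas `nmap -p` without `-sU` scans TCP. This sketch sends a CLDAP ping to each DC and reports whether any reply arrives; the `NtVer` value, the script name and the host names in the usage comment are assumptions.

```python
import socket
import sys

def tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def build_cldap_ping(dns_domain: str) -> bytes:
    """LDAP searchRequest on the rootDSE asking for the NetLogon attribute."""
    def equals(attr: bytes, value: bytes) -> bytes:  # equalityMatch [3]
        return tlv(0xA3, tlv(0x04, attr) + tlv(0x04, value))
    # NtVer 0x00000006 (little-endian) is an assumed, commonly used value.
    flt = tlv(0xA0, equals(b"DnsDomain", dns_domain.encode())
              + equals(b"NtVer", b"\x06\x00\x00\x00"))  # and [0]
    search = tlv(0x63,                  # [APPLICATION 3] SearchRequest
                 tlv(0x04, b"")         # baseObject: rootDSE
                 + tlv(0x0A, b"\x00")   # scope: baseObject
                 + tlv(0x0A, b"\x00")   # derefAliases: never
                 + tlv(0x02, b"\x00")   # sizeLimit: none
                 + tlv(0x02, b"\x00")   # timeLimit: none
                 + tlv(0x01, b"\x00")   # typesOnly: FALSE
                 + flt
                 + tlv(0x30, tlv(0x04, b"NetLogon")))
    return tlv(0x30, tlv(0x02, b"\x01") + search)  # messageID 1

def cldap_replies(host: str, dns_domain: str, timeout: float = 3.0,
                  port: int = 389) -> bool:
    """True if host answers the ping over UDP; False on timeout or error."""
    info = socket.getaddrinfo(host, port, type=socket.SOCK_DGRAM)[0]
    with socket.socket(info[0], socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_cldap_ping(dns_domain), info[4])
            data, _ = s.recvfrom(4096)
        except OSError:  # includes socket.timeout
            return False
    return data[:1] == b"\x30"  # any LDAPMessage SEQUENCE counts as a reply

if __name__ == "__main__":
    # usage: cldap_ping.py ad.domain.tld dc1 [dc2 ...]  (names are placeholders)
    domain, *dcs = sys.argv[1:]
    for dc in dcs:
        state = "reply" if cldap_replies(dc, domain) else "no reply"
        print(f"{dc}: CLDAP over UDP/389 -> {state}")
```

A DC that accepts TCP connections on 389 but shows "no reply" here points at UDP filtering between that network and the DC rather than at smb.conf.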

