[Samba] [samba] joining a Centos7 to MS AD

mathias dufresne infractory at gmail.com
Thu Nov 8 16:05:43 UTC 2018


After a lot of searching, a lot of stupid ideas from me and help from my colleagues,
the problem was LDAP/UDP, which was not allowed. At least that's what we think
after this day of research.

On Thu, Nov 8, 2018 at 12:33, mathias dufresne <infractory at gmail.com>
wrote:

> Hi,
>
> After more investigation I now believe that we have some issue with our
> AD site declaration. I'll be back once I have more information.
>
> Best regards,
>
> M.
>
> On Thu, Nov 8, 2018 at 11:22, mathias dufresne <infractory at gmail.com>
> wrote:
>
>> Hi all,
>>
>> AD version is MS 2008R2.
>>
>> smb.conf is:
>> [global]
>> workgroup = AD
>> security = ADS
>> realm = AD.DOMAIN.TLD
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> server string = Samba 4 Client %h
>>
>> winbind use default domain = yes
>> winbind expand groups = 40
>> winbind refresh tickets = Yes
>> winbind normalize names = Yes
>>
>> ## map ids outside of domain to tdb files.
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> ## map ids from the domain the ranges may not overlap !
>> idmap config AD : backend = rid
>> idmap config AD : unix_nss_info = no
>> idmap config AD : range = 1000000-1999999
>> template shell = /bin/bash
>> template homedir = /home/%U
>>
>> # user Administrator workaround, without it you are unable to set
>> privileges
>> username map = /etc/samba/user.map
>>
>> # disable printing completely
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> This very same smb.conf is working on other servers.
>>
>> The join command is:
>> net ads join -k
>>
>> with a valid Domain Admins account in that Kerberos ticket.
>>
>> Using -d 9 with that join command I get:
>>
>> Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
>> sitename_fetch: No stored sitename for realm 'AD.DOMAIN.TLD'
>> ads_dns_lookup_srv: 4 records returned in the answer section.
>> ads_cldap_netlogon: did not get a reply
>> ads_cldap_netlogon: did not get a reply
>> ads_cldap_netlogon: did not get a reply
>> ads_cldap_netlogon: did not get a reply
>>
>> The "Default-First-Site-Name" was renamed and is now equal to domain
>> short name.
>>
>> As said, other servers are able to join that domain, but they are on
>> other networks.
>> I've tested ports using nmap -p88,135,445,88,389,636,3268 IP and they
>> were open from the buggy server. Note that by buggy I don't mean that it
>> is Samba which is buggy ;)
>>
>> Cheers,
>>
>> mathias
>>
>>
>> On Tue, Nov 6, 2018 at 13:12, mathias dufresne <infractory at gmail.com>
>> wrote:
>>
>>> Hi Rowland,
>>>
>>> Thank you for your reply. I'll provide this information, but for now I'm
>>> suspecting Samba and other things could be installed in a strange manner.
>>> I have to check that first...
>>>
>>> Best regards,
>>>
>>> mathias
>>>
>>> On Tue, Nov 6, 2018 at 10:36, Rowland Penny via samba <
>>> samba at lists.samba.org> wrote:
>>>
>>>> On Tue, 6 Nov 2018 10:16:26 +0100
>>>> mathias dufresne via samba <samba at lists.samba.org> wrote:
>>>>
>>>> > Hi all,
>>>> >
>>>> > I'm facing an issue I can't understand, so here I am...
>>>> >
>>>> > I'm trying to join a CentOS 7 to MS AD and it fails
>>>>
>>>> What is in smb.conf ?
>>>> How are you trying to join ?
>>>> What is the DC you are trying to join ?
>>>>
>>>> Rowland
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>
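The thread's conclusion is that the join failed because LDAP over UDP was blocked: the nmap command quoted above only probes TCP ports, while the `ads_cldap_netlogon: did not get a reply` lines come from Samba's CLDAP netlogon ping, which is an LDAP SearchRequest sent over UDP to port 389 of the DC. The script below is an added example, not part of the original thread and not Samba's own code. It builds that ping with the filter Samba uses (`(&(DnsDomain=<realm>)(NtVer=\06\00\00\00))`, attribute `Netlogon`), sends it over UDP, and reports whether a reply arrived, so a filtered UDP path shows up directly instead of as a silent join failure. The DC host and domain name on the command line are placeholders; `build_fake_reply` exists only so the parser can be exercised offline.

```python
"""CLDAP netlogon ping over UDP 389, the step behind Samba's ads_cldap_netlogon.
Added example (not from the thread or from Samba). DC and domain are placeholders."""
import socket
import struct
from typing import Optional


def ber_wrap(tag: int, payload: bytes) -> bytes:
    """Wrap payload in a BER TLV, using long-form length above 127 bytes."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + payload


def ber_read(data: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, ln = data[pos], data[pos + 1]
    pos += 2
    if ln & 0x80:                      # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + ln], pos + ln


def build_netlogon_ping(dns_domain: str, message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, SearchRequest } asking the rootDSE for the
    Netlogon attribute. NtVer 0x06 (VERSION_5 | VERSION_5EX, little-endian)
    requests a NETLOGON_SAM_LOGON_RESPONSE_EX reply."""
    def eq(attr: bytes, val: bytes) -> bytes:      # equalityMatch [3]
        return ber_wrap(0xA3, ber_wrap(0x04, attr) + ber_wrap(0x04, val))

    filt = ber_wrap(0xA0, eq(b"DnsDomain", dns_domain.encode())  # and [0]
                    + eq(b"NtVer", struct.pack("<I", 6)))
    search = ber_wrap(0x63,                          # [APPLICATION 3] SearchRequest
                      ber_wrap(0x04, b"")            # baseObject: "" (rootDSE)
                      + ber_wrap(0x0A, b"\x00")      # scope: baseObject
                      + ber_wrap(0x0A, b"\x00")      # derefAliases: never
                      + ber_wrap(0x02, b"\x00")      # sizeLimit: 0
                      + ber_wrap(0x02, b"\x00")      # timeLimit: 0
                      + ber_wrap(0x01, b"\x00")      # typesOnly: false
                      + filt
                      + ber_wrap(0x30, ber_wrap(0x04, b"Netlogon")))
    return ber_wrap(0x30, ber_wrap(0x02, bytes([message_id])) + search)


def parse_netlogon_reply(packet: bytes) -> dict:
    """Extract the Netlogon blob from a CLDAP SearchResultEntry.
    Returns {'message_id', 'opcode', 'blob'}; opcode/blob are None when the
    DC answered with something other than an entry (e.g. SearchResultDone)."""
    tag, msg, _ = ber_read(packet)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, p = ber_read(msg)
    tag, op, _ = ber_read(msg, p)
    result = {"message_id": int.from_bytes(mid, "big"), "opcode": None, "blob": None}
    if tag != 0x64:                    # [APPLICATION 4] SearchResultEntry
        return result
    _, _object_name, p = ber_read(op)
    _, attrs, _ = ber_read(op, p)
    p = 0
    while p < len(attrs):              # PartialAttributeList
        _, attr, p = ber_read(attrs, p)
        _, atype, q = ber_read(attr)
        _, vals, _ = ber_read(attr, q)
        if atype == b"Netlogon" and vals:
            _, blob, _ = ber_read(vals)
            result["blob"] = blob
            # NETLOGON_SAM_LOGON_RESPONSE_EX starts with a 2-byte OpCode;
            # 0x0017 is LOGON_SAM_LOGON_RESPONSE_EX.
            result["opcode"] = struct.unpack_from("<H", blob)[0]
    return result


def build_fake_reply(message_id: int, blob: bytes) -> bytes:
    """Constructed SearchResultEntry carrying a Netlogon value. Only used to
    exercise parse_netlogon_reply offline; a real DC builds the real one."""
    attr = ber_wrap(0x30, ber_wrap(0x04, b"Netlogon") + ber_wrap(0x31, ber_wrap(0x04, blob)))
    entry = ber_wrap(0x64, ber_wrap(0x04, b"") + ber_wrap(0x30, attr))
    return ber_wrap(0x30, ber_wrap(0x02, bytes([message_id])) + entry)


def cldap_ping(dc: str, dns_domain: str, timeout: float = 2.0) -> Optional[dict]:
    """Send the ping to UDP 389 on dc. None means no reply within timeout,
    which is what the join log reports as 'did not get a reply'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_netlogon_ping(dns_domain), (dc, 389))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_netlogon_reply(data)


if __name__ == "__main__":
    import sys
    dc, domain = sys.argv[1], sys.argv[2]      # placeholders: dc1.ad.domain.tld ad.domain.tld
    reply = cldap_ping(dc, domain)
    if reply is None:
        print("no CLDAP reply: UDP 389 to the DC is blocked or filtered")
    else:
        print(f"CLDAP reply opcode 0x{reply['opcode']:04x}, {len(reply['blob'])} bytes")
```

Run it from the server that fails to join, against the DC that `ads_dns_lookup_srv` returned; a timeout here with TCP 389 open points at UDP filtering on the path, which is the situation the thread ends on. Running it from a server on a network that joins successfully gives the comparison.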