[Samba] Problems joining Samba 4 in the domain

Marcio Demetrio Bacci marciobacci at gmail.com
Thu Aug 8 14:25:40 UTC 2019


Hi,

I have 2 DCs in my network.

The master DC is a Samba 4 and the secondary is a Windows Server 2008.

I want to put another Samba 4 as DC to replace the Windows Server, however the
following errors are appearing:

root at samba4-dc2:~# samba-tool domain join empresa.com.br DC -k yes -d 3
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'empresa.com.br'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.empresa.com.br<0x0>
Found DC win-dc2.empresa.com.br
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
workgroup is EMPRESA
realm is empresa.com.br
Adding CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Adding
CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Adding CN=NTDS
Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
Join failed - cleaning up
ldb_wrap open of secrets.ldb
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
Failed to get kerberos credentials (kerberos required): kinit for SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have been revoked)

Account locked out: kinit for SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have been revoked)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/win-dc2.empresa.com.br
failed (next[(null)]): NT_STATUS_ACCOUNT_LOCKED_OUT
Failed to bind - LDAP client internal error: NT_STATUS_ACCOUNT_LOCKED_OUT
Failed to connect to 'ldap://win-dc2.empresa.com.br' with backend 'ldap':
LDAP client internal error: NT_STATUS_ACCOUNT_LOCKED_OUT
Deleted CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Deleted CN=NTDS
Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Deleted
CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL -  <0000202B:
RefErr: DSID-030A0AEB, data 0, 1 access points
ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'
> <ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661,
in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in
join_add_objects
    ctx.samdb.modify(m)

#############################################################################################################


root at samba4-dc2:~# samba-tool domain join empresa.com.br DC
-U"EMPRESA\administrator" -d 3
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'empresa.com.br'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.empresa.com.br<0x0>
Found DC win-dc2.empresa.com.br
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
Password for [EMPRESA\administrador]:
Cannot reach a KDC we require to contact (null) : kinit for administrador at EMPRESA failed (Cannot contact any KDC for requested realm)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/win-dc2.empresa.com.br
failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
workgroup is EMPRESA
realm is empresa.com.br
Adding CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Adding
CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Adding CN=NTDS
Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
Cannot reach a KDC we require to contact (null) : kinit for administrador at EMPRESA failed (Cannot contact any KDC for requested realm)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/WIN-DC2.EMPRESA.COM.BR
failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Join failed - cleaning up
ldb_wrap open of secrets.ldb
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
Account locked out: kinit for SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have been revoked)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/win-dc2.empresa.com.br
failed (next[ntlmssp]): NT_STATUS_ACCOUNT_LOCKED_OUT
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C:
LdapErr: DSID-0C09052B, comment: AcceptSecurityContext error, data 52e,
v1773> <>
Failed to connect to 'ldap://win-dc2.empresa.com.br' with backend 'ldap':
LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr:
DSID-0C09052B, comment: AcceptSecurityContext error, data 52e, v1773> <>
Deleted CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Deleted CN=NTDS
Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Deleted
CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL -  <0000202B:
RefErr: DSID-030A0AEB, data 0, 1 access points
ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'
> <ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661,
in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in
join_add_objects
    ctx.samdb.modify(m)

#############################################################################################

I did some tests in the new Samba4 DC and it seems OK, as below:

root at samba4-dc2:~# kinit Administrator
Password for marcio at EMPRESA.COM.BR:


root at samba4-dc2:~# klist -l
Principal name                 Cache name
--------------                 ----------
Administrator at EMPRESA.COM.BR      FILE:/tmp/krb5cc_0

root at samba4-dc2:~# host -t SRV _kerberos._udp.EMPRESA.COM.BR
_kerberos._udp.EMPRESA.COM.BR has SRV record 0 100 88 samba4-dc1.empresa.com.br.
_kerberos._udp.EMPRESA.COM.BR has SRV record 0 100 88 win-dc2.empresa.com.br.
root at samba4-dc2:~#
root at samba4-dc2:~#
root at samba4-dc2:~# host -t SRV _ldap._tcp.EMPRESA.COM.BR
_ldap._tcp.EMPRESA.COM.BR has SRV record 0 100 389 win-dc2.empresa.com.br.
_ldap._tcp.EMPRESA.COM.BR has SRV record 0 100 389 samba4-dc1.empresa.com.br.
root at samba4-dc2:~#
root at samba4-dc2:~# cat /etc/krb5.conf
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = EMPRESA.COM.BR
root at samba4-dc2:~# host -t EMPRESA.COM.BR
host: invalid type: EMPRESA.COM.BR

root at samba4-dc2:~# host -t A EMPRESA.COM.BR
EMPRESA.COM.BR has address 10.133.84.135 # Wind-DC2
EMPRESA.COM.BR has address 192.168.1.20 # Samba4-DC1
EMPRESA.COM.BR has address 192.168.1.19 #  Samba4-DC2 . I did not
understand why. It hasn't joined the domain yet.


My kerberos configurations:

cat /etc/krb5.conf

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = EMPRESA.COM.BR


Other configurations:

cat /etc/hosts
192.168.1.19   samba4-dc2.empresa.com.br  samba4-dc2
192.168.1.20   samba4-dc1.empresa.com.br. samba4-dc1
10.133.84.135  win-dc2.empresa.com.br.    wind-dc2


cat /etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.1.20
nameserver 10.133.84.135

Could anybody help me?

Regards,

Márcio Bacci
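The two join attempts above fail for different reasons, and the `-d 3` output mixes them together: the machine account SAMBA4-DC2$ is reported locked out on the existing DC, the `EMPRESA\administrator` attempt makes kinit look for KDCs of the realm `EMPRESA` (the workgroup name, not `EMPRESA.COM.BR`), and the LDAP bind then fails with AD sub-code 52e. The script below is an added example, not Samba project code and not part of the original post: it parses samba-tool's failure lines, lists the principals whose kinit failed, the NT_STATUS / LDAP codes seen and the AD bind sub-code, and maps each to the next check an administrator would make. It also inspects an /etc/hosts fragment for names with a trailing dot, which glibc matches literally and so never match a lookup for the undotted FQDN. The sample log and hosts text are reconstructed from the lines in this post (mail wrapping removed and the archive's " at " restored to "@"); the realm and hostnames are the post's own.

```python
"""Triage a failed `samba-tool domain join` debug log (added example, not Samba code)."""
import re

# What each status that samba-tool surfaces usually means during a DC join.
STATUS_HINTS = {
    "NT_STATUS_ACCOUNT_LOCKED_OUT": (
        "the account used for the bind is locked out on the existing DC; unlock it "
        "(or remove a stale computer object left by an earlier join) before retrying"),
    "NT_STATUS_NO_LOGON_SERVERS": (
        "no KDC for the realm could be contacted; check the _kerberos._udp SRV "
        "records and that /etc/resolv.conf points at a working DC"),
    "LDAP_INVALID_CREDENTIALS": "the LDAP bind was rejected; the AD 'data' sub-code says why",
    "LDAP_REFERRAL": (
        "the DC answered with a referral instead of performing the write; "
        "this usually follows an earlier authentication failure"),
}

# AD AcceptSecurityContext sub-codes carried in LDAP error 49 diagnostics.
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (wrong username or password)",
    "530": "not permitted to log on at this time",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

KINIT_RE = re.compile(r"kinit for (?P<principal>\S+) failed \((?P<reason>[^)]*)\)")
STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z_]+|LDAP_[A-Z_]+)\b")
BIND_DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-f]{3})\b")


def triage(log_text, expected_realm):
    """Summarise why a join failed: failing principals, status codes, hints."""
    kinit_failures, statuses, bind_codes = {}, [], []
    for line in log_text.splitlines():
        m = KINIT_RE.search(line)
        if m:
            kinit_failures.setdefault(m.group("principal"), m.group("reason"))
        for status in STATUS_RE.findall(line):
            if status not in statuses:
                statuses.append(status)
        m = BIND_DATA_RE.search(line)
        if m and m.group("code") not in bind_codes:
            bind_codes.append(m.group("code"))
    hints = [STATUS_HINTS[s] for s in statuses if s in STATUS_HINTS]
    hints += [AD_BIND_DATA.get(c, "unknown AD sub-code " + c) for c in bind_codes]
    # A principal whose realm is the NetBIOS workgroup rather than the Kerberos
    # realm makes kinit search SRV records for a realm that has none.
    for principal in kinit_failures:
        realm = principal.rpartition("@")[2]
        if realm.upper() != expected_realm.upper():
            hints.append("kinit used realm %r for %s, not %s; the KDC lookup was for the "
                         "wrong realm (pass the user as user@%s instead of DOMAIN\\user)"
                         % (realm, principal, expected_realm, expected_realm))
    return {"kinit_failures": kinit_failures, "statuses": statuses,
            "bind_codes": bind_codes, "hints": hints}


def check_hosts(hosts_text, local_fqdn):
    """Flag /etc/hosts names that will not match what Kerberos and LDAP look up."""
    problems, seen_local = [], False
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            if name.endswith("."):  # glibc compares literally; 'host.' != 'host'
                problems.append("%s: '%s' has a trailing dot and will not match lookups" % (addr, name))
            if name == local_fqdn:
                seen_local = True
    if not seen_local:
        problems.append("no entry maps the local FQDN %s" % local_fqdn)
    return problems


# Constructed sample input, reconstructed from the lines quoted in the post.
SAMPLE_JOIN_LOG = """\
Failed to get kerberos credentials (kerberos required): kinit for SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have been revoked)
Account locked out: kinit for SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have been revoked)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/win-dc2.empresa.com.br failed (next[ntlmssp]): NT_STATUS_ACCOUNT_LOCKED_OUT
Cannot reach a KDC we require to contact (null) : kinit for administrador@EMPRESA failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/win-dc2.empresa.com.br failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C09052B, comment: AcceptSecurityContext error, data 52e, v1773> <>
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL -  <0000202B: RefErr: DSID-030A0AEB, data 0, 1 access points
"""
SAMPLE_HOSTS = """\
192.168.1.19   samba4-dc2.empresa.com.br  samba4-dc2
192.168.1.20   samba4-dc1.empresa.com.br. samba4-dc1
10.133.84.135  win-dc2.empresa.com.br.    wind-dc2
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_JOIN_LOG, "EMPRESA.COM.BR").items():
        print(key, value)
    for problem in check_hosts(SAMPLE_HOSTS, "samba4-dc2.empresa.com.br"):
        print("hosts:", problem)
```

Run it against the saved output of `samba-tool domain join ... -d 3` and against the new DC's /etc/hosts; the hints are starting points for the checks, not a verdict, and the lockout on SAMBA4-DC2$ in particular should be confirmed on the Windows DC before any cleanup of that computer object.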

