[Samba] Problems joining Samba 4 in the domain
Marcio Demetrio Bacci
marciobacci at gmail.com
Thu Aug 8 14:25:40 UTC 2019
Hi,
I have 2 DC in my network.
DC master is a Samba 4 and the secondary is Windows Server 2008.
I want to put another Samba 4 as DC to replace Windows Server, however the
following errors are emerging:
root at samba4-dc2:~# samba-tool domain join empresa.com.br DC -k yes -d 3
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'empresa.com.br'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._
tcp.empresa.com.br<0x0>
Found DC win-dc2.empresa.com.br
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
workgroup is EMPRESA
realm is empresa.com.br
Adding CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Adding
CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Adding CN=NTDS
Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
Join failed - cleaning up
ldb_wrap open of secrets.ldb
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
Failed to get kerberos credentials (kerberos required): kinit for
SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients credentials have been revoked)
Account locked out: kinit for SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients
credentials have been revoked)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/win-dc2.empresa.com.br
failed (next[(null)]): NT_STATUS_ACCOUNT_LOCKED_OUT
Failed to bind - LDAP client internal error: NT_STATUS_ACCOUNT_LOCKED_OUT
Failed to connect to 'ldap://win-dc2.empresa.com.br' with backend 'ldap':
LDAP client internal error: NT_STATUS_ACCOUNT_LOCKED_OUT
Deleted CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Deleted CN=NTDS
Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Deleted
CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B:
RefErr: DSID-030A0AEB, data 0, 1 access points
ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'
> <ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661,
in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
join_DC
ctx.do_join()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
do_join
ctx.join_add_objects()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in
join_add_objects
ctx.samdb.modify(m)
#############################################################################################################
root at samba4-dc2:~# samba-tool domain join empresa.com.br DC
-U"EMPRESA\administrator" -d 3
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'empresa.com.br'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._
tcp.empresa.com.br<0x0>
Found DC win-dc2.empresa.com.br
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
Password for [EMPRESA\administrador]:
Cannot reach a KDC we require to contact (null) : kinit for
administrador at EMPRESA failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/win-dc2.empresa.com.br
failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
workgroup is EMPRESA
realm is empresa.com.br
Adding CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Adding
CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Adding CN=NTDS
Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Using binding ncacn_ip_tcp:win-dc2.empresa.com.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
Cannot reach a KDC we require to contact (null) : kinit for
administrador at EMPRESA failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/WIN-DC2.EMPRESA.COM.BR
failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Join failed - cleaning up
ldb_wrap open of secrets.ldb
resolve_lmhosts: Attempting lmhosts lookup for name win-dc2.empresa.com.br
<0x20>
Account locked out: kinit for SAMBA4-DC2$@EMPRESA.COM.BR failed (Clients
credentials have been revoked)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/win-dc2.empresa.com.br
failed (next[ntlmssp]): NT_STATUS_ACCOUNT_LOCKED_OUT
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C:
LdapErr: DSID-0C09052B, comment: AcceptSecurityContext error, data 52e,
v1773> <>
Failed to connect to 'ldap://win-dc2.empresa.com.br' with backend 'ldap':
LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr:
DSID-0C09052B, comment: AcceptSecurityContext error, data 52e, v1773> <>
Deleted CN=SAMBA4-DC2,OU=Domain Controllers,DC=empresa,DC=com,DC=br
Deleted CN=NTDS
Settings,CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
Deleted
CN=SAMBA4-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
ERROR(ldb): uncaught exception - LDAP error 10 LDAP_REFERRAL - <0000202B:
RefErr: DSID-030A0AEB, data 0, 1 access points
ref 1: 'a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br'
> <ldap://a1ab021c-0ef7-4fd3-a69d-28afc7c1260a._msdcs.empresa.com.br>
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661,
in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
join_DC
ctx.do_join()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
do_join
ctx.join_add_objects()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 668, in
join_add_objects
ctx.samdb.modify(m)
#############################################################################################
I did some tests in the new Samaba4 DC and it seems OK as below:
root at samba4-dc2:~# kinit Administrator
Password for marcio at EMPRESA.COM.BR:
root at samba4-dc2:~# klist -l
Principal name Cache name
-------------- ----------
Administrator at EMPRESA.COM.BR FILE:/tmp/krb5cc_0
root at samba4-dc2:~# host -t SRV _kerberos._udp.EMPRESA.COM.BR
_kerberos._udp.EMPRESA.COM.BR has SRV record 0 100 88
samba4-dc1.empresa.com.br.
_kerberos._udp.EMPRESA.COM.BR has SRV record 0 100 88 win-dc2.empresa.com.br
.
root at samba4-dc2:~#
root at samba4-dc2:~#
root at samba4-dc2:~# host -t SRV _ldap._tcp.EMPRESA.COM.BR
_ldap._tcp.EMPRESA.COM.BR has SRV record 0 100 389 win-dc2.empresa.com.br.
_ldap._tcp.EMPRESA.COM.BR has SRV record 0 100 389 samba4-dc1.empresa.com.br
.
root at samba4-dc2:~#
root at samba4-dc2:~# cat /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = EMPRESA.COM.BR
root at samba4-dc2:~# host -t EMPRESA.COM.BR
host: invalid type: EMPRESA.COM.BR
root at samba4-dc2:~# host -t A EMPRESA.COM.BR
EMPRESA.COM.BR has address 10.133.84.135 # Wind-DC2
EMPRESA.COM.BR has address 192.168.1.20 # Samba4-DC1
EMPRESA.COM.BR has address 192.168.1.19 # Samba4-DC2 . I did not
understand why. He hasn't joined in the domain yet.
My kerberos configurations:
cat /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = EMPRESA.COM.BR
Another configurations:
cat /etc/hosts
192.168.1.19 samba4-dc2.empresa.com.br samba4-dc2
192.168.1.20 samba4-dc1.empresa.com.br. samba4-dc1
10.133.84.135 win-dc2.empresa.com.br. wind-dc2
cat /etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.1.20
nameserver 10.133.84.135
Could anybody help me?
Regards,
Márcio Bacci
More information about the samba
mailing list