[Samba] Failing to join existing AD as DC

L.P.H. van Belle belle at bazuin.nl
Thu Aug 15 13:08:03 UTC 2019


Hai, 

From what I see below: 

kinit, that should work; otherwise there is an error in krb5.conf or resolv.conf. 
What is the first resolver in resolv.conf, and is Samba configured with the internal DNS or BIND9_DLZ? 

This is in /etc/ldap/ldap.conf: 
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow

cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
Not really needed, but it does not hurt. 

Well, can you run this for me and post the output? 
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
If needed, anonymize it. 

That will tell me enough about what is wrong. 

Greetz, 

Louis

From: Alexander Harm [mailto:contact at aharm.de] 
Sent: Thursday, 15 August 2019 15:00
To: L.P.H. van Belle
Subject: Re: [Samba] Failing to join existing AD as DC

kinit fails for me:

kinit Administrator
kinit: Client 'Administrator@SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials 

#/etc/ldap/ldap.conf
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

I added the Windows DC certs like this:

cp wdc.crt /usr/local/share/ca-certificates/wdc.crt
update-ca-certificates

I installed Samba like this:

# Cleanup (the two -name tests must be OR-ed; two bare -name tests match nothing)
find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private \( -name '*.tdb' -o -name '*.ldb' \) -delete
rm /etc/samba/smb.conf

# Provision domain
samba-tool domain provision --use-rfc2307 --interactive

# Configure Kerberos
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

# Start Samba
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc

On 15 August 2019 at 14:25:48, L.P.H. van Belle via samba (samba at lists.samba.org) wrote:

Can you try this: 

kinit Administrator 
samba-tool domain join samdom.example.com DC --site="KA-H9" -k yes 

If that isn't working, post the output of: 
cat /etc/ldap/ldap.conf 

And tell me how you set up your SSL certificates on this server. 

Greetz, 

Louis 

> -----Original message----- 
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Alexander Harm via samba 
> Sent: Thursday, 15 August 2019 13:25 
> To: samba at lists.samba.org 
> Subject: [Samba] Failing to join existing AD as DC 
> 
> I tried joining the same AD before and succeeded; however, 
> after upgrading to Debian Buster and installing AD 
> Certificate Services on the Windows DC, my join does not work anymore: 
> 
> samba-tool domain join samdom.example.com DC -U"SAMDOM\adadmin" --site="KA-H9" 
> 
> fails during the LDAP part with: 
> 
> Join failed - cleaning up 
> 
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563> <> 
> Failed to connect to 'ldap://dc01.samdom.example.com' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563> <> 
> 
> ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <000021A2: SvcErr: DSID-030A08C1, problem 5012 (DIR_ERROR), data 8610> <> 
> 
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run 
>     return self.run(*args, **kwargs) 
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 716, in run 
>     backend_store=backend_store) 
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1501, in join_DC 
>     ctx.do_join() 
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1397, in do_join 
>     ctx.join_add_objects() 
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 683, in join_add_objects 
>     ctx.samdb.modify(m) 
> 
> I verified password etc. but I believe this boils down to 
> certificate issues. I added the root cert of the AD to the 
> local certificates and OpenSSL verifies everything as being OK. 
> 
> Does anyone have an idea on what I could try next? 
> 
> Thanks 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the 
> instructions: https://lists.samba.org/mailman/options/samba 
> 
> 
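
As an added example (not part of the thread and not a Samba project script), a POSIX shell script that checks the two files Louis points at before a join is retried: the first resolver in resolv.conf, the default_realm in krb5.conf (the realm kinit appends to an unqualified "Administrator", as seen in the failing kinit above), and whether smb.conf keeps Samba's internal DNS or removes it with "server services = -dns" for BIND9_DLZ. The file contents and addresses are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Pre-join checks for the files named in the thread: first resolver in
# resolv.conf, default_realm in krb5.conf, and the DNS backend smb.conf
# selects. All file contents below are constructed samples.
set -eu

# First "nameserver" in a resolv.conf: the resolver kinit and the join try first.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# default_realm from the [libdefaults] section of a krb5.conf.
krb5_default_realm() {
    awk '/^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/) }
         in_lib && /^[ \t]*default_realm[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
         }' "$1"
}

# The principal kinit builds from an unqualified name such as "Administrator".
kinit_principal() {   # $1 = user, $2 = krb5.conf
    printf '%s@%s\n' "$1" "$(krb5_default_realm "$2")"
}

# Succeeds only when default_realm is the upper-cased name of the domain joined.
realm_matches() {   # $1 = krb5.conf, $2 = domain
    [ "$(krb5_default_realm "$1")" = "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" ]
}

# Samba runs its internal DNS unless smb.conf removes it with
# "server services = -dns", which is how the BIND9_DLZ setup is selected.
samba_dns_backend() {
    if grep -Eiq '^[[:space:]]*server services[[:space:]]*=.*-dns' "$1"; then
        echo BIND9_DLZ
    else
        echo internal
    fi
}

tmp=$(mktemp -d)   # constructed sample files
printf 'search samdom.example.com\nnameserver 10.0.0.10\nnameserver 10.0.0.11\n' > "$tmp/resolv.conf"
printf '[libdefaults]\n    default_realm = SAMDOM.EXAMPLE.COM\n    dns_lookup_kdc = true\n' > "$tmp/krb5.conf"
printf '[global]\n    realm = SAMDOM.EXAMPLE.COM\n    server services = -dns\n' > "$tmp/smb.conf"

echo "first resolver:  $(first_nameserver "$tmp/resolv.conf")"
echo "kinit principal: $(kinit_principal Administrator "$tmp/krb5.conf")"
echo "DNS backend:     $(samba_dns_backend "$tmp/smb.conf")"
realm_matches "$tmp/krb5.conf" samdom.example.com || echo "default_realm does not match the domain"
```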

