[Samba] Failing to join existing AD as DC
L.P.H. van Belle
belle at bazuin.nl
Thu Aug 15 13:08:03 UTC 2019
Hai,
From what I see below: kinit, that should work, or there is an error in krb5.conf or resolv.conf.
What is the first resolver in resolv.conf and is samba configured with internal DNS or Bind9_DLZ?
This is in /etc/ldap/ldap.conf
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
not really needed, but it does not hurt.
Well, can you run this for me and post the output?
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
If needed, anonymize it.
That will tell me enough about what is wrong.
Greetz,
Louis
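The items Louis asks about (first resolver in resolv.conf, the TLS_* lines in /etc/ldap/ldap.conf, the realm in krb5.conf) can be checked before touching kinit or samba-tool. The script below is an added example and not Louis's debug script; it works on file contents passed as strings so the constructed samples run anywhere, and the addresses and realm in the samples are placeholders. Read the real files on the joining host to use it for real.

```python
"""Offline pre-join checks for resolv.conf, ldap.conf and krb5.conf.
Added example, not part of the thread or of Samba. Functions take file
contents as strings; the samples below are constructed, not from a host."""
import re

# Constructed sample files; addresses are documentation-range placeholders.
SAMPLE_RESOLV_CONF = """\
search samdom.example.com
nameserver 192.0.2.10
nameserver 192.0.2.11
"""

SAMPLE_LDAP_CONF = """\
# /etc/ldap/ldap.conf
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow
"""

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
"""


def first_resolver(resolv_conf):
    """First 'nameserver' line: the resolver glibc asks first, which for a
    DC join must be able to answer the domain's SRV records."""
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            return parts[1]
    return None


def ldap_tls_settings(ldap_conf):
    """Return the TLS_* directives of an OpenLDAP client ldap.conf as a dict."""
    settings = {}
    for line in ldap_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper().startswith("TLS_"):
            settings[parts[0].upper()] = parts[1].strip()
    return settings


def krb5_default_realm(krb5_conf):
    """default_realm from [libdefaults]; None if absent."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_conf, re.MULTILINE)
    return m.group(1) if m else None


def check_join_prereqs(resolv_conf, ldap_conf, krb5_conf, dns_domain, dc_addresses):
    """Return human-readable findings; an empty list means every check passed.
    dc_addresses: addresses that legitimately serve the domain's DNS (the
    existing DCs, or 127.0.0.1 when the host runs Samba's internal DNS)."""
    findings = []

    resolver = first_resolver(resolv_conf)
    if resolver is None:
        findings.append("resolv.conf: no nameserver line at all")
    elif resolver not in dc_addresses:
        findings.append("resolv.conf: first resolver %s is not a DC of the domain" % resolver)

    realm = krb5_default_realm(krb5_conf)
    if realm != dns_domain.upper():
        findings.append("krb5.conf: default_realm %r does not match realm %s"
                        % (realm, dns_domain.upper()))

    tls = ldap_tls_settings(ldap_conf)
    if "TLS_CACERT" not in tls:
        findings.append("ldap.conf: no TLS_CACERT, so the DC certificate chain cannot be verified")
    # OpenLDAP's default is 'demand'; 'allow' and 'never' both tolerate a bad
    # or missing server certificate, so a bind succeeds even if the chain is wrong.
    reqcert = tls.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("allow", "never"):
        findings.append("ldap.conf: TLS_REQCERT %s tolerates an unverifiable server certificate" % reqcert)

    return findings


if __name__ == "__main__":
    for finding in check_join_prereqs(SAMPLE_RESOLV_CONF, SAMPLE_LDAP_CONF, SAMPLE_KRB5_CONF,
                                      "samdom.example.com", {"192.0.2.10", "192.0.2.11"}):
        print("WARN", finding)
```

On the sample files the only finding is the TLS_REQCERT one: `allow` makes a join succeed even when the CA bundle does not contain the DC's issuer, which is convenient while debugging but hides exactly the certificate problem this thread is trying to find.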
From: Alexander Harm [mailto:contact at aharm.de]
Sent: Thursday 15 August 2019 15:00
To: L.P.H. van Belle
Subject: Re: [Samba] Failing to join existing AD as DC
kinit fails for me:
kinit Administrator
kinit: Client 'Administrator@SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials
#/etc/ldap/ldap.conf
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
I added the Windows DC certs like this:
cp wdc.crt /usr/local/share/ca-certificates/wdc.crt
update-ca-certificates
I installed Samba like this
# Cleanup
# -o: match either pattern (two -name tests in a row are ANDed and match nothing)
find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private \( -name '*.tdb' -o -name '*.ldb' \) -delete
rm /etc/samba/smb.conf
# Provision domain
samba-tool domain provision --use-rfc2307 --interactive
# configure kerberos
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
# start samba
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc
On 15. August 2019 at 14:25:48, L.P.H. van Belle via samba (samba at lists.samba.org) wrote:
Can you try this:
kinit Administrator
samba-tool domain join samdom.example.com DC --site="KA-H9" -k yes
If that isn't working..
Post the output of:
cat /etc/ldap/ldap.conf
And tell me how you set up your SSL certificates on this server.
Greetz,
Louis
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Alexander Harm via samba
> Sent: Thursday 15 August 2019 13:25
> To: samba at lists.samba.org
> Subject: [Samba] Failing to join existing AD as DC
>
> I tried joining the same AD before and succeeded, however
> after upgrading to Debian Buster and installing AD
> Certificate Services on the Windows DC my join does not work anymore:
>
> samba-tool domain join samdom.example.com DC
> -U"SAMDOM\adadmin" --site="KA-H9"
>
> fails during the ldap part with:
>
> Join failed - cleaning up
>
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -
> <8009030C: LdapErr: DSID-0C090569, comment:
> AcceptSecurityContext error, data 52e, v4563> <> Failed to
> connect to 'ldap://dc01.samdom.example.com' with backend
> 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C:
> LdapErr: DSID-0C090569, comment: AcceptSecurityContext error,
> data 52e, v4563> <>
>
> ERROR(ldb): uncaught exception - LDAP error 1
> LDAP_OPERATIONS_ERROR - <000021A2: SvcErr: DSID-030A08C1,
> problem 5012 (DIR_ERROR), data 8610> <>
>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 716, in run
>     backend_store=backend_store)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1501, in join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1397, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 683, in join_add_objects
>     ctx.samdb.modify(m)
>
> I verified password etc. but I believe this boils down to
> certificate issues. I added the root cert of the AD to the
> local certificates and OpenSSL verifies everything as being OK.
>
> Does anyone have an idea on what I could try next?
>
> Thanks
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
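The most informative line in the quoted join output is the bind diagnostic: the hex "data" value after "AcceptSecurityContext error" is the DC's reason for refusing the bind, and 52e is AD's documented sub-code for invalid credentials on an account that exists (the DC has to reach the bind stage to return it at all). Below is a small decoder for that string; it is an added example and not Samba's code. The sample string is the one from the message above collapsed onto one line, and the sub-code table holds the documented AD values.

```python
"""Decoder for the AD LDAP bind diagnostic seen in the join failure.
Added example, not Samba code. Parses '<NTSTATUS: LdapErr: DSID-..., comment: ...,
data NNN, vNNNN>' and maps the hex 'data' sub-code to its documented meaning."""
import re

# Documented sub-codes AD places in the "data" field of an AcceptSecurityContext
# error; anything else is reported as unknown rather than guessed.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (account exists, password or credential rejected)",
    "52f": "account restrictions prevent this logon",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

DIAG_RE = re.compile(
    r"<(?P<ntstatus>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*comment:\s*(?P<comment>[^,]+),\s*data\s+(?P<data>[0-9A-Fa-f]+),\s*v(?P<version>[0-9A-Fa-f]+)>"
)
RESULT_RE = re.compile(r"LDAP error (?P<code>\d+) (?P<name>LDAP_[A-Z_]+)")

# The diagnostic quoted in the thread, collapsed onto one line.
SAMPLE_BIND_ERROR = (
    "Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - "
    "<8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563> <>"
)


def ldap_result_code(text):
    """(numeric result code, symbolic name) of the first 'LDAP error N NAME', or None."""
    m = RESULT_RE.search(text)
    return (int(m.group("code")), m.group("name")) if m else None


def parse_ad_bind_error(text):
    """Split the AD diagnostic into its fields and attach the sub-code meaning.
    Returns None when the text carries no such diagnostic."""
    m = DIAG_RE.search(text)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "ntstatus": m.group("ntstatus").upper(),
        "dsid": m.group("dsid").upper(),
        "comment": m.group("comment").strip(),
        "data": data,
        "meaning": AD_BIND_DATA_CODES.get(data, "unknown sub-code %s" % data),
    }


def explain(text):
    """One-line summary for a log reader: LDAP result code plus decoded sub-code."""
    result = ldap_result_code(text)
    diag = parse_ad_bind_error(text)
    if result is None and diag is None:
        return "no LDAP diagnostic found"
    parts = []
    if result:
        parts.append("LDAP result %d (%s)" % result)
    if diag:
        parts.append("AD sub-code %s: %s" % (diag["data"], diag["meaning"]))
    return "; ".join(parts)


if __name__ == "__main__":
    print(explain(SAMPLE_BIND_ERROR))
```

The same decoder is worth running over DC and application logs in general: LDAP result 49 alone lumps together a wrong password (52e), a nonexistent user (525), an expired password (532) and a locked account (775), and only the sub-code tells an administrator which of those to act on.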