[Samba] Failing to join existing AD as DC

Rowland penny rpenny at samba.org
Thu Aug 15 13:19:08 UTC 2019


On 15/08/2019 14:08, L.P.H. van Belle via samba wrote:
> Hai,
>   
> From what I see below.
>   
> kinit, that should work, or there is an error in krb5.conf or resolv.conf.
> What is the first resolver in resolv.conf and is samba configured with internal DNS or Bind9_DLZ?
>   
> This is in /etc/ldap/ldap.conf
> TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
> TLS_REQCERT allow
>
> cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
> not really needed, but it does not hurt.
>   
> Well, can you run this for me and post the output.
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> if needed, anonymize it.
>   
> That will tell me enough about what is wrong.
>   
>   
> Greetz,
>   
> Louis
>
> From: Alexander Harm [mailto:contact at aharm.de]
> Sent: Thursday 15 August 2019 15:00
> To: L.P.H. van Belle
> Subject: Re: [Samba] Failing to join existing AD as DC
>
> kinit fails for me:
>
> kinit Administrator
> kinit: Client 'Administrator@SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials
>
> #/etc/ldap/ldap.conf
> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>
> I added the Windows DC certs like this:
>
> cp wdc.crt /usr/local/share/ca-certificates/wdc.crt
> update-ca-certificates
>
> I installed Samba like this:
>
> # Cleanup
> # (find ANDs its -name tests by default; the -o group makes it match both .tdb and .ldb files)
> find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private \( -name '*.tdb' -o -name '*.ldb' \) -delete
> rm /etc/samba/smb.conf
>
> # Provision domain
> samba-tool domain provision --use-rfc2307 --interactive
>
> # configure kerberos
> cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
>
> # start samba
> systemctl stop smbd nmbd winbind
> systemctl disable smbd nmbd winbind
> systemctl unmask samba-ad-dc
> systemctl enable samba-ad-dc
> systemctl start samba-ad-dc
>
> On 15. August 2019 at 14:25:48, L.P.H. van Belle via samba (samba at lists.samba.org) wrote:
>
> Can you try this:
>
> kinit Administrator
> samba-tool domain join samdom.example.com DC --site='KA-H9' -k yes
>
> If that isn't working,
> post the output of:
> cat /etc/ldap/ldap.conf
>
> And tell me how you set up your SSL certificates on this server.
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Alexander Harm via samba
>> Sent: Thursday 15 August 2019 13:25
>> To: samba at lists.samba.org
>> Subject: [Samba] Failing to join existing AD as DC
>>
>> I tried joining the same AD before and succeeded, however
>> after upgrading to Debian Buster and installing AD
>> Certificate Services on the Windows DC my join does not work anymore:
>>
>> samba-tool domain join samdom.example.com DC -U'SAMDOM\adadmin' --site='KA-H9'
>>
>> fails during the ldap part with:
>>
>> Join failed - cleaning up
>>
>> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563> <> Failed to connect to 'ldap://dc01.samdom.example.com' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563> <>
>>
>> ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <000021A2: SvcErr: DSID-030A08C1, problem 5012 (DIR_ERROR), data 8610> <>
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 716, in run
>>     backend_store=backend_store)
>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1501, in join_DC
>>     ctx.do_join()
>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1397, in do_join
>>     ctx.join_add_objects()
>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 683, in join_add_objects
>>     ctx.samdb.modify(m)
>>
>> I verified password etc. but I believe this boils down to
>> certificate issues. I added the root cert of the AD to the
>> local certificates and OpenSSL verifies everything as being OK.
>>
>> Does anyone have an idea on what I could try next?
>>
>> Thanks
>>
>>
>
Everything Louis said, plus:

Please reply to the list, do not send replies directly to anyone, it 
BREAKS the thread.

Rowland
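Louis's questions above (which realm kinit is using, what the first resolver in resolv.conf is, and what the LDAP bind error actually reports) can be turned into a small pre-join check that runs before `samba-tool domain join` is attempted. The script below is an added example written for this page, not code from the thread, from Louis's debug script or from the Samba project. The krb5.conf and resolv.conf contents, the addresses and the list of known DCs are constructed; the table of AcceptSecurityContext data codes goes beyond the single `52e` value seen in the thread to the other sub-codes AD returns on a failed simple bind.

```python
import re

# Constructed sample inputs (not taken from the thread): a krb5.conf left over from a
# local provision, a resolv.conf whose first resolver is the host itself, and a bind error.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = NEWDOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    NEWDOMAIN.LOCAL = {
        default_domain = newdomain.local
    }
"""

SAMPLE_RESOLV_CONF = """\
search samdom.example.com
nameserver 127.0.0.1
nameserver 192.0.2.10
"""

SAMPLE_JOIN_ERROR = (
    "Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - "
    "<8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, "
    "data 52e, v4563> <>"
)

# Sub-codes AD places in the "data" field of an AcceptSecurityContext bind failure.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or the account is unknown to the DC that answered)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def parse_default_realm(krb5_conf_text):
    """Return default_realm from [libdefaults], upper-cased, or None if it is absent."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value.upper()
    return None


def parse_nameservers(resolv_conf_text):
    """Return nameserver addresses in resolv.conf order; the resolver tries the first one first."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        fields = raw.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def decode_ldap_bind_error(text):
    """Pull the AcceptSecurityContext data code out of samba-tool output and explain it."""
    m = re.search(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)", text)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unrecognised data code")


def check_join_prereqs(krb5_conf_text, resolv_conf_text, target_domain, known_dc_addresses):
    """List the findings that would make kinit or the join fail.

    known_dc_addresses is supplied by the caller (an assumption of this example);
    the script does not query DNS itself.
    """
    findings = []
    target_realm = target_domain.upper()
    realm = parse_default_realm(krb5_conf_text)
    if realm != target_realm:
        findings.append(f"krb5.conf default_realm is {realm!r}, join target is {target_realm!r}: "
                        "kinit will ask the wrong realm for a ticket")
    servers = parse_nameservers(resolv_conf_text)
    if not servers:
        findings.append("resolv.conf lists no nameserver; SRV lookups for the target domain cannot work")
    elif servers[0] not in known_dc_addresses:
        findings.append(f"first resolver {servers[0]} is not an existing DC of {target_domain}; "
                        "point it at a current DC until the join has completed")
    return findings


if __name__ == "__main__":
    for finding in check_join_prereqs(SAMPLE_KRB5_CONF, SAMPLE_RESOLV_CONF,
                                      "samdom.example.com", {"192.0.2.10"}):
        print("FINDING:", finding)
    print("bind error:", decode_ldap_bind_error(SAMPLE_JOIN_ERROR))
```

On the constructed input the script reports both a realm mismatch and a first resolver that is not a DC of the target domain, and decodes the thread's `data 52e` as an invalid-credentials result, which is what the `-U` bind in the original join reported before the Kerberos path was tried.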
