[Samba] Failing to join existing AD as DC
Alexander Harm
contact at aharm.de
Thu Aug 15 15:57:42 UTC 2019
Sorry, I am not used to a list that has real sender addresses…
Samba is configured with internal DNS.
# /etc/krb5.conf
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
# /etc/ldap/ldap.conf
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow
# /etc/resolv.conf
domain samdom.example.com
search samdom.example.com
nameserver 10.88.80.88 # windows dc
./samba-collect-debug-info.sh
kinit: Client 'Administrator@SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials
Wrong password, exiting now.
Never asks me for a password though...
On 15. August 2019 at 15:19:44, Rowland penny via samba (samba at lists.samba.org) wrote:
On 15/08/2019 14:08, L.P.H. van Belle via samba wrote:
> Hai,
>
> From what I see below.
>
> kinit, that should work, or there is an error in krb5.conf or resolv.conf.
> What is the first resolver in resolv.conf and is samba configured with internal DNS or Bind9_DLZ?
>
> This is in /etc/ldap/ldap.conf
> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
> TLS_REQCERT allow
>
> cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
> not really needed, but it does not hurt.
>
> Well, can you run this for me and post the output.
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> if needed anonymize it.
>
> That will tell me enough about what is wrong.
>
> Greetz,
>
> Louis
>
> From: Alexander Harm [mailto:contact at aharm.de]
> Sent: Thursday 15 August 2019 15:00
> To: L.P.H. van Belle
> Subject: Re: [Samba] Failing to join existing AD as DC
>
> kinit fails for me:
>
> kinit Administrator
>
> kinit: Client 'Administrator@SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials
>
> #/etc/ldap/ldap.conf
>
> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>
> I added the Windows DC certs like this:
>
> cp wdc.crt /usr/local/share/ca-certificates/wdc.crt
>
> update-ca-certificates
>
> I installed Samba like this
>
> # Cleanup
> find /var/run/samba /var/lib/samba /var/cache/samba \( -name '*.tdb' -o -name '*.ldb' \) -delete
> rm /etc/samba/smb.conf
>
> # Provision domain
> samba-tool domain provision --use-rfc2307 --interactive
>
> # configure kerberos
> cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
>
> # start samba
> systemctl stop smbd nmbd winbind
> systemctl disable smbd nmbd winbind
> systemctl unmask samba-ad-dc
> systemctl enable samba-ad-dc
> systemctl start samba-ad-dc
>
> On 15. August 2019 at 14:25:48, L.P.H. van Belle via samba (samba at lists.samba.org) wrote:
>
> Can you try this:
>
> kinit Administrator
> samba-tool domain join samdom.example.com DC --site="KA-H9" -k yes
>
> If that isn't working...
> Post the output of:
> cat /etc/ldap/ldap.conf
>
> And tell me how did you setup your ssl certificates on this server.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Alexander Harm via samba
>> Sent: Thursday 15 August 2019 13:25
>> To: samba at lists.samba.org
>> Subject: [Samba] Failing to join existing AD as DC
>>
>> I tried joining the same AD before and succeeded, however
>> after upgrading to Debian Buster and installing AD
>> Certificate Services on the Windows DC my join does not work anymore:
>>
>> samba-tool domain join samdom.example.com DC
>> -U"SAMDOM\adadmin" --site="KA-H9"
>>
>> fails during the ldap part with:
>>
>> Join failed - cleaning up
>>
>> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -
>> <8009030C: LdapErr: DSID-0C090569, comment:
>> AcceptSecurityContext error, data 52e, v4563> <> Failed to
>> connect to 'ldap://dc01.samdom.example.com' with backend
>> 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C:
>> LdapErr: DSID-0C090569, comment: AcceptSecurityContext error,
>> data 52e, v4563> <>
>>
>> ERROR(ldb): uncaught exception - LDAP error 1
>> LDAP_OPERATIONS_ERROR - <000021A2: SvcErr: DSID-030A08C1,
>> problem 5012 (DIR_ERROR), data 8610
>>
>> <>
>> File
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 177, in _run
>>
>> return self.run(*args, **kwargs)
>>
>> File
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
>> line 716, in run
>>
>> backend_store=backend_store)
>>
>> File "/usr/lib/python2.7/dist-packages/samba/join.py", line
>> 1501, in join_DC
>>
>> ctx.do_join()
>>
>> File "/usr/lib/python2.7/dist-packages/samba/join.py", line
>> 1397, in do_join
>>
>> ctx.join_add_objects()
>>
>> File "/usr/lib/python2.7/dist-packages/samba/join.py", line
>> 683, in join_add_objects
>>
>> ctx.samdb.modify(m)
>>
>> I verified password etc. but I believe this boils down to
>> certificate issues. I added the root cert of the AD to the
>> local certificates and OpenSSL verifies everything as being OK.
>>
>> Does anyone have an idea on what I could try next?
>>
>> Thanks
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
Everything Louis said, plus:
Please reply to the list, do not send replies directly to anyone, it
BREAKS the thread.
Rowland
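The bind failure quoted in this thread ends in "AcceptSecurityContext error, data 52e"; the hex "data" value is the AD sub-code that says why the bind was refused, and it is easy to miss inside the wrapped error text. The helper below is an added example, not code from the thread or from Samba: it pulls the LDAP result code and the AD sub-code out of a samba-tool join error and maps the sub-code to its documented meaning (the table is the standard Windows AD set, not something taken from this thread). The sample text is the thread's own first error, re-typed as a constructed string.

```python
import re

# Windows AD sub-codes reported after "AcceptSecurityContext error, data"
# in an LDAP bind failure (LDAP result 49). Standard documented values.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or wrong user/realm)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches across the line wrapping a mail client adds to the error text.
_BIND_ERROR = re.compile(
    r"LDAP error (?P<rc>\d+) (?P<name>LDAP_[A-Z_]+).*?"
    r"AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)",
    re.DOTALL,
)


def classify_bind_error(text):
    """Return (ldap_rc, ldap_name, ad_subcode, meaning) for an AD bind
    failure found in text, or None when text carries no such error."""
    m = _BIND_ERROR.search(text)
    if m is None:
        return None
    data = m.group("data").lower()
    meaning = AD_BIND_SUBCODES.get(data, "unknown sub-code")
    return int(m.group("rc")), m.group("name"), data, meaning


# Constructed sample: the first error from the thread, wrapped as the
# mailer wrapped it.
SAMPLE = """Join failed - cleaning up
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -
<8009030C: LdapErr: DSID-0C090569, comment:
AcceptSecurityContext error, data 52e, v4563> <>"""

if __name__ == "__main__":
    print(classify_bind_error(SAMPLE))
```

The "data 8610" in the later ERROR(ldb) line belongs to a SvcErr, not to AcceptSecurityContext, so the helper deliberately returns None for it.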