[Samba] Failing to join existing AD as DC

Alexander Harm contact at aharm.de
Thu Aug 15 15:57:42 UTC 2019


Sorry, I am not used to a list that has real sender addresses…



Samba is configured with internal DNS.



# /etc/krb5.conf

[libdefaults]

	default_realm = SAMDOM.EXAMPLE.COM

	dns_lookup_realm = false

	dns_lookup_kdc = true


# /etc/ldap/ldap.conf 
TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow

# /etc/resolv.conf
domain samdom.example.com
search samdom.example.com
nameserver 10.88.80.88 # windows dc


./samba-collect-debug-info.sh
kinit: Client 'Administrator@SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials
Wrong password, exiting now.

Never asks me for a password though...

On 15. August 2019 at 15:19:44, Rowland penny via samba (samba at lists.samba.org) wrote:

On 15/08/2019 14:08, L.P.H. van Belle via samba wrote:  
> Hi,  
>  
> From what I see below:  
>  
> kinit should work, or there is an error in krb5.conf or resolv.conf.  
> What is the first resolver in resolv.conf, and is Samba configured with internal DNS or Bind9_DLZ?  
>  
> This is in /etc/ldap/ldap.conf  
> TLS_CACERT      /etc/ssl/certs/ca-certificates.crt  
> TLS_REQCERT allow  
>  
>  
>  
> cp /var/lib/samba/private/krb5.conf /etc/krb5.conf  
> not really needed, but it does not hurt.  
>  
> Well, can you run this for me and post the output.  
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh  
> If needed, anonymize it.  
>  
> That will tell me enough, what is wrong.  
>  
>  
> Greetz,  
>  
> Louis  
>  
>  
>  
>  
>  
> From: Alexander Harm [mailto:contact at aharm.de]  
> Sent: Thursday 15 August 2019 15:00  
> To: L.P.H. van Belle  
> Subject: Re: [Samba] Failing to join existing AD as DC  
>  
>  
>  
>  
> kinit fails for me:  
>  
>  
>  
>  
> kinit Administrator  
>  
> kinit: Client 'Administrator@SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials  
>  
>  
>  
>  
>  
>  
> #/etc/ldap/ldap.conf  
>  
> TLS_CACERT /etc/ssl/certs/ca-certificates.crt  
>  
>  
>  
>  
> I added the Windows DC certs like this:  
>  
>  
>  
>  
> cp wdc.crt /usr/local/share/ca-certificates/wdc.crt  
>  
> update-ca-certificates  
>  
>  
>  
>  
>  
> I installed Samba like this  
>  
>  
> # Cleanup  
> # the two -name tests must be OR'ed; written one after the other they are AND'ed and match nothing  
> find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private \( -name '*.tdb' -o -name '*.ldb' \) -delete  
> rm /etc/samba/smb.conf  
>  
>  
> # Provision domain  
> samba-tool domain provision --use-rfc2307 --interactive  
>  
>  
> # configure kerberos  
> cp /var/lib/samba/private/krb5.conf /etc/krb5.conf  
>  
>  
> # start samba  
> systemctl stop smbd nmbd winbind  
> systemctl disable smbd nmbd winbind  
> systemctl unmask samba-ad-dc  
> systemctl enable samba-ad-dc  
> systemctl start samba-ad-dc  
>  
>  
>  
>  
>  
>  
> On 15. August 2019 at 14:25:48, L.P.H. van Belle via samba (samba at lists.samba.org) wrote:  
>  
> Can you try this:  
>  
> kinit Administrator  
> samba-tool domain join samdom.example.com DC --site='KA-H9' -k yes  
>  
> If that isn't working,  
> post the output of:  
> cat /etc/ldap/ldap.conf  
>  
> And tell me how you set up your SSL certificates on this server.  
>  
> Greetz,  
>  
> Louis  
>  
>  
>> -----Original message-----  
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of  
>> Alexander Harm via samba  
>> Sent: Thursday 15 August 2019 13:25  
>> To: samba at lists.samba.org  
>> Subject: [Samba] Failing to join existing AD as DC  
>>  
>> I tried joining the same AD before and succeeded, however  
>> after upgrading to Debian Buster and installing AD  
>> Certificate Services on the Windows DC my join does not work anymore:  
>>  
>> samba-tool domain join samdom.example.com DC \  
>>   -U'SAMDOM\adadmin' --site='KA-H9'  
>>  
>> fails during the ldap part with:  
>>  
>> Join failed - cleaning up  
>>  
>> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  
>> <8009030C: LdapErr: DSID-0C090569, comment:  
>> AcceptSecurityContext error, data 52e, v4563> <> Failed to  
>> connect to 'ldap://dc01.samdom.example.com' with backend  
>> 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C:  
>> LdapErr: DSID-0C090569, comment: AcceptSecurityContext error,  
>> data 52e, v4563> <>  
>>  
>> ERROR(ldb): uncaught exception - LDAP error 1  
>> LDAP_OPERATIONS_ERROR -  <000021A2: SvcErr: DSID-030A08C1,  
>> problem 5012 (DIR_ERROR), data 8610  
>>  
>> > <>  
>>   File  
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",  
>> line 177, in _run  
>>  
>>     return self.run(*args, **kwargs)  
>>  
>>   File  
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",  
>> line 716, in run  
>>  
>>     backend_store=backend_store)  
>>  
>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line  
>> 1501, in join_DC  
>>  
>>     ctx.do_join()  
>>  
>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line  
>> 1397, in do_join  
>>  
>>     ctx.join_add_objects()  
>>  
>>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line  
>> 683, in join_add_objects  
>>  
>>     ctx.samdb.modify(m)  
>>  
>> I verified password etc. but I believe this boils down to  
>> certificate issues. I added the root cert of the AD to the  
>> local certificates and OpenSSL verifies everything as being OK.  
>>  
>> Does anyone have an idea on what I could try next?  
>>  
>> Thanks  
>>  
>> --  
>> To unsubscribe from this list go to the following URL and read the  
>> instructions: https://lists.samba.org/mailman/options/samba  
>>  
>>  
>  
Everything Louis said, plus:  

Please reply to the list, do not send replies directly to anyone, it  
BREAKS the thread.  

Rowland  



--  
To unsubscribe from this list go to the following URL and read the  
instructions: https://lists.samba.org/mailman/options/samba  
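The thread's diagnosis turns on four things: whether krb5.conf names the right realm and lets the KDC be found through DNS, which resolver resolv.conf consults first, whether the earlier provision left databases behind (the posted cleanup AND's its two `-name` tests, so it deletes nothing), and the `TLS_REQCERT allow` line in ldap.conf, which tells the LDAP client to proceed even when the server certificate is bad or missing. The script below is an added example written for this page, not code from the thread or from the Samba project; every function name in it is a hypothetical helper, and the demo at the bottom feeds it constructed copies of the files posted above. It runs the checks offline against plain files and returns the number of problems found.

```shell
#!/bin/sh
# Added example (not from the thread): pre-join sanity checks for a Samba DC.
# Usage: check_join_prereqs KRB5_CONF RESOLV_CONF SAMBA_STATE_DIR [LDAP_CONF]
# Prints one line per problem; the return code is the number of problems (0 = clean).
# All helper names below are hypothetical and written for this example.

conf_value() {
    # $1 = file, $2 = key; prints the first "key = value" match, tolerating tabs/spaces.
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

resolv_domain() {
    # First "domain" or "search" entry of resolv.conf.
    awk '$1 == "domain" || $1 == "search" { print $2; exit }' "$1"
}

resolv_first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

leftover_databases() {
    # Both -name tests OR'ed: AND'ing them (as in the posted cleanup) matches nothing.
    find "$1" \( -name '*.tdb' -o -name '*.ldb' \) -type f 2>/dev/null
}

ldap_reqcert() {
    # ldap.conf uses "KEY value" without an '='.
    awk 'toupper($1) == "TLS_REQCERT" { print tolower($2); exit }' "$1"
}

check_join_prereqs() {
    krb5=$1; resolv=$2; state=$3; ldapconf=${4:-}
    problems=0

    realm=$(conf_value "$krb5" default_realm)
    domain=$(resolv_domain "$resolv")
    expected=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    if [ -z "$realm" ]; then
        echo "krb5.conf: no default_realm set"; problems=$((problems + 1))
    elif [ "$realm" != "$expected" ]; then
        echo "krb5.conf: default_realm $realm does not match resolv.conf domain $domain"
        problems=$((problems + 1))
    fi
    if [ "$(conf_value "$krb5" dns_lookup_kdc)" != "true" ]; then
        echo "krb5.conf: dns_lookup_kdc is not true, so the KDC will not be found via SRV records"
        problems=$((problems + 1))
    fi

    # During the join the box must resolve through an existing DC, not through itself.
    ns=$(resolv_first_nameserver "$resolv")
    case "$ns" in
        ""|127.*|::1)
            echo "resolv.conf: first nameserver is '${ns:-none}'; point it at an existing DC of $domain"
            problems=$((problems + 1)) ;;
    esac

    if [ -n "$(leftover_databases "$state")" ]; then
        echo "$state: leftover *.tdb/*.ldb from a previous provision or join; remove them before joining"
        problems=$((problems + 1))
    fi

    if [ -n "$ldapconf" ]; then
        case "$(ldap_reqcert "$ldapconf")" in
            allow|never)
                echo "ldap.conf: TLS_REQCERT $(ldap_reqcert "$ldapconf") skips server certificate verification; use 'demand' once the CA is trusted"
                problems=$((problems + 1)) ;;
        esac
    fi
    return "$problems"
}

# Stand-alone demo with constructed copies of the files posted in the thread,
# plus a simulated leftover sam.ldb from the earlier provision.
demo_dir=$(mktemp -d)
printf '[libdefaults]\n\tdefault_realm = SAMDOM.EXAMPLE.COM\n\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n' > "$demo_dir/krb5.conf"
printf 'domain samdom.example.com\nsearch samdom.example.com\nnameserver 10.88.80.88\n' > "$demo_dir/resolv.conf"
printf 'TLS_CACERT\t/etc/ssl/certs/ca-certificates.crt\nTLS_REQCERT allow\n' > "$demo_dir/ldap.conf"
mkdir -p "$demo_dir/private"
: > "$demo_dir/private/sam.ldb"
check_join_prereqs "$demo_dir/krb5.conf" "$demo_dir/resolv.conf" "$demo_dir/private" "$demo_dir/ldap.conf"
echo "problems found: $?"
rm -rf "$demo_dir"
```

On the thread's own files the demo reports two problems, the leftover database and `TLS_REQCERT allow`; the realm and the resolver pointing at the Windows DC pass. Run it before `samba-tool domain join`, and once the Windows CA certificate is in the trust store the ldap.conf line can go to `demand` so a wrong or self-signed certificate fails the bind instead of being silently accepted.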