[Samba] Failing to join existing AD as DC

Alexander Harm contact at aharm.de
Thu Aug 15 16:42:06 UTC 2019

Here you go:

Collected config  --- 2019-08-15-18:38 -----------

Hostname: ka-h9-dc01
DNS Domain: samdom.example.com
FQDN: ka-h9-dc01.samdom.example.com


Samba is running as an AD DC

       Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION="10 (buster)"


This computer is running Debian 10.0 x86_64

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
    inet6 ::1/128 scope host
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:35:9c:84 brd ff:ff:ff:ff:ff:ff
    inet brd scope global ens192
    inet6 fe80::20c:29ff:fe35:9c84/64 scope link

       Checking file: /etc/hosts

	localhost
	ka-h9-dc01.samdom.example.com ka-h9-dc01.example.com ka-h9-dc01
	ka-h9-dc01.samdom.example.com ka-h9-dc01.example.com ka-h9-dc01

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


       Checking file: /etc/resolv.conf

domain samdom.example.com
search samdom.example.com


       Checking file: /etc/krb5.conf

	default_realm = SAMDOM.EXAMPLE.COM
	dns_lookup_realm = false
	dns_lookup_kdc = true


       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd
group:          files systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


       Checking file: /etc/samba/smb.conf

# Global parameters
	dns forwarder =
	netbios name = KA-H9-DC01
	server role = active directory domain controller
	workgroup = XYZ
	idmap_ldb:use rfc2307 = yes

	path = /var/lib/samba/sysvol/samdom.example.com/scripts
	read only = No

	path = /var/lib/samba/sysvol
	read only = No


BIND_DLZ not detected in smb.conf


Installed packages:
ii  attr                           1:2.4.48-4                  amd64        utilities for manipulating filesystem extended attributes
ii  krb5-config                    2.6                         all          Configuration files for Kerberos Version 5
ii  krb5-locales                   1.17-3                      all          internationalization support for MIT Kerberos
ii  krb5-user                      1.17-3                      amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                  2.2.53-4                    amd64        access control list - shared library
ii  libattr1:amd64                 1:2.4.48-4                  amd64        extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64         1.17-3                      amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                1.17-3                      amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64          1.17-3                      amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64           2:4.9.5+dfsg-5              amd64        Samba nameservice integration plugins
ii  libpam-krb5:amd64              4.8-2                       amd64        PAM module for MIT Kerberos
ii  libpam-winbind:amd64           2:4.9.5+dfsg-5              amd64        Windows domain authentication integration plugin
ii  libsmbclient:amd64             2:4.9.5+dfsg-5              amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64             2:4.9.5+dfsg-5              amd64        Samba winbind client library
ii  python-samba                   2:4.9.5+dfsg-5              amd64        Python bindings for Samba
ii  samba                          2:4.9.5+dfsg-5              amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.9.5+dfsg-5              all          common files used by both the Samba server and client
ii  samba-common-bin               2:4.9.5+dfsg-5              amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64       2:4.9.5+dfsg-5              amd64        Samba Directory Services Database
ii  samba-libs:amd64               2:4.9.5+dfsg-5              amd64        Samba core libraries
ii  samba-vfs-modules:amd64        2:4.9.5+dfsg-5              amd64        Samba Virtual FileSystem plugins
ii  smbclient                      2:4.9.5+dfsg-5              amd64        command-line SMB/CIFS clients for Unix
ii  winbind                        2:4.9.5+dfsg-5              amd64        service to resolve user and group information from Windows NT servers


On 15. August 2019 at 18:25:58, Rowland penny via samba (samba at lists.samba.org) wrote:

On 15/08/2019 17:10, Alexander Harm via samba wrote:  
> That is what I did:  
>> ./samba-collect-debug-info.sh  
>> kinit: Client 'Administrator at SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials  
>> Wrong password, exiting now.  

Congratulations, you have found a bug in the test script ;-)  

OK, can you open the script in your favourite editor, go to line 26 and  
comment it out, i.e. make it look like this:  

     #exit 1  

save and close the file and then run the script again.  

