[Samba] Failing to join existing AD as DC
Alexander Harm
contact at aharm.de
Fri Aug 16 13:14:05 UTC 2019
First of all, thanks to you all for bearing with me. To answer the questions:
- Subnets: yes, different subnets; routing is fine, I can connect to the Windows DC via telnet (DNS) and OpenSSL on 389 and 636
- Naming: I could not find any object in the existing AD with the same name as the Samba DC that I want to add
- Join existing: I try to join an existing Windows AD, not Samba AD
I wiped the installation (again) and here are the exact steps I did to set everything up.
1. Install from Debian 10 netinstall ISO with only SSH-server and system utils
2. apt update && apt install curl ntp sudo vim dnsutils open-vm-tools
3. add buster-backports
4. apt update && apt -t buster-backports install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user smbclient
5. find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private -name '*.tdb' -name '*.ldb' -delete
6. rm /etc/samba/smb.conf
7. samba-tool domain provision --use-rfc2307 --interactive (with internal dns)
8. cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
9. unmask samba-ad-dc service
10. reboot
11. loads of DNS errors in the log like
[2019/08/16 15:02:45.925528, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
[2019/08/16 15:02:45.925557, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: return self.run(*args, **kwargs)
[2019/08/16 15:02:45.925575, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
[2019/08/16 15:02:45.925594, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: raise e
[2019/08/16 15:02:45.958441, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
[2019/08/16 15:02:45.958512, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
[2019/08/16 15:02:45.958531, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: return self.run(*args, **kwargs)
[2019/08/16 15:02:45.958548, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
[2019/08/16 15:02:45.958567, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: raise e
[2019/08/16 15:02:45.987725, 0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 29
[2019/08/16 15:02:46.489326, 0] ../source4/lib/tls/tlscert.c:170(tls_cert_generate)
TLS self-signed keys generated OK
12. changed /etc/resolv.conf to point to itself, restarted samba-ad-dc -> log fine
13. output of your debug script
Collected config --- 2019-08-16-15:07 -----------
Hostname: ka-h9-dc01
DNS Domain: samdom.example.com
FQDN: ka-h9-dc01.samdom.example.com
ipaddress: 10.0.1.250
-----------
Kerberos SRV _kerberos._tcp.samdom.example.com record verified ok, sample output:
Server: 10.0.1.250
Address: 10.0.1.250#53
_kerberos._tcp.samdom.example.com service = 0 100 88 ka-h9-dc01.samdom.example.com.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.0 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:35:9c:84 brd ff:ff:ff:ff:ff:ff
inet 10.0.1.250/24 brd 10.0.1.255 scope global ens192
inet6 fe80::20c:29ff:fe35:9c84/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
10.0.1.250 ka-h9-dc01.samdom.example.com ka-h9-dc01
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
search samdom.example.com
nameserver 10.0.1.250
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd
group: files systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
dns forwarder = 10.0.1.100
netbios name = KA-H9-DC01
realm = SAMDOM.EXAMPLE.COM
server role = active directory domain controller
workgroup = COMPANYNAME
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/samdom.example.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:
ii attr 1:2.4.48-4 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3 all internationalization support for MIT Kerberos
ii krb5-user 1.17-3 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-3 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.9.5+dfsg-5 amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.8-2 amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.9.5+dfsg-5 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.9.5+dfsg-5 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.9.5+dfsg-5 amd64 Samba winbind client library
ii python-samba 2:4.9.5+dfsg-5 amd64 Python bindings for Samba
ii samba 2:4.9.5+dfsg-5 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.5+dfsg-5 all common files used by both the Samba server and client
ii samba-common-bin 2:4.9.5+dfsg-5 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.9.5+dfsg-5 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.9.5+dfsg-5 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.9.5+dfsg-5 amd64 service to resolve user and group information from Windows NT servers
-----------
14. samba-tool fsmo show -H ldap://$(hostname -d)
SchemaMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
15. samba-tool fsmo show -H ldap://10.88.80.88 -U dcadmin
SchemaMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
16. Note that I don't have an "Administrator" user in my Windows domain, if that is an issue
So far everything looks fine to me, should I now point resolv.conf to Windows DC and attempt the join again?
On 16. August 2019 at 14:34:55, Rowland penny via samba (samba at lists.samba.org) wrote:
On 16/08/2019 12:52, Rowland penny via samba wrote:
> On 16/08/2019 12:05, L.P.H. van Belle via samba wrote:
>> It's windows that is not allowing samba to join.
>>
>> This should make thing more clear in my opinion.
>>
>> samba-tool fsmo show -H ldap://$(hostname -d)
>> And
>> samba-tool fsmo show -H ldap://10.88.80.88 -U Administrator
>>
>> These both work agains my Samba AD-DC's (ldap://$(hostname -d))
>> And my windows DC -H ldap://10.88.80.88 -U "NTDOM\Administrator"
>>
>>
> It may be windows that is not allowing the join, but he is going
> nowhere until 'kinit Administrator' works ;-)
>
> Rowland
>
>
>
Andrew may have a point here, we have only been supplied with the 'join'
command and a portion of the resulting join output and anything after
'join failed' is an artefact of the failure and is meaningless. We need
to see everything between the 'join' command and 'join failed'.
Rowland
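The checks this thread keeps circling (resolv.conf pointing at a DC that already serves the domain, an SRV lookup against that DC, kinit, `samba-tool fsmo show` against both the local box and the existing domain), collected as an added POSIX shell example. This is not code from the thread or from the Samba project. The domain name, the addresses 10.88.80.88 and 10.0.1.250 and the dcadmin account are assumptions taken from the messages above and can be overridden through the environment; the `host`, `kinit` and `samba-tool` calls run only when RUN_LIVE=1, everything else works on text you pass in, so the functions can be exercised offline against constructed resolv.conf files and pasted command output.

```shell
#!/bin/sh
# Pre-join checks for promoting a Samba host into an existing AD domain.
# Added example for this thread, not code from the thread or from Samba.
# Domain, addresses and join account below are assumptions taken from the
# thread (samdom.example.com, existing DC 10.88.80.88, candidate 10.0.1.250,
# account dcadmin); override them through the environment.

# resolver_ok FILE EXPECTED_DC SELF_IP
# True when FILE (an /etc/resolv.conf) lists EXPECTED_DC as the first
# nameserver and never lists SELF_IP. During a join the candidate must
# resolve the domain through a DC that already serves it, not through a
# zone it provisioned locally.
resolver_ok() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "$2" ] || return 1
    ! awk '$1 == "nameserver" { print $2 }' "$1" | grep -qxF "$3"
}

# srv_targets TEXT
# Host names from `host -t SRV` output lines such as
#   _ldap._tcp.dc._msdcs.samdom.example.com has SRV record 0 100 389 vmdc-azure-01.samdom.example.com.
srv_targets() {
    printf '%s\n' "$1" | awk '/ has SRV record /{ sub(/\.$/, "", $NF); print $NF }'
}

# zone_served_by TEXT HOST: true when HOST is one of the advertised SRV targets.
zone_served_by() {
    srv_targets "$1" | grep -qixF "$2"
}

# fsmo_owners TEXT
# Reduce `samba-tool fsmo show` output to "<Role> <ServerCN>" lines.
fsmo_owners() {
    printf '%s\n' "$1" |
        sed -n 's/^\([A-Za-z]*\) owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1 \2/p'
}

# fsmo_single_owner TEXT: print the one server holding every role, fail otherwise.
fsmo_single_owner() {
    owners=$(fsmo_owners "$1" | awk '{ print $2 }' | sort -u)
    [ -n "$owners" ] || return 1
    [ "$(printf '%s\n' "$owners" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    printf '%s\n' "$owners"
}

# separate_forests LOCAL_TEXT REMOTE_TEXT
# True when the local fsmo view and the existing domain's view name different
# role owners. `samba-tool domain provision` creates a brand-new forest, so a
# provisioned host reports itself as owner of every role even when it uses the
# same DN as the domain being joined; a DC join has to start from a host that
# does not carry such a local forest.
separate_forests() {
    a=$(fsmo_owners "$1" | sort); b=$(fsmo_owners "$2" | sort)
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# Live run (RUN_LIVE=1): performs the checks; the join command is printed, not executed.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    DOMAIN=${DOMAIN:-samdom.example.com}
    REALM=$(printf '%s' "$DOMAIN" | tr '[:lower:]' '[:upper:]')
    EXISTING_DC=${EXISTING_DC:-10.88.80.88}
    SELF_IP=${SELF_IP:-10.0.1.250}
    JOIN_USER=${JOIN_USER:-dcadmin}
    resolver_ok /etc/resolv.conf "$EXISTING_DC" "$SELF_IP" ||
        { echo "resolv.conf must list $EXISTING_DC first and must not list $SELF_IP" >&2; exit 1; }
    srv=$(host -t SRV "_ldap._tcp.dc._msdcs.$DOMAIN" "$EXISTING_DC")
    echo "DCs advertised by $EXISTING_DC:"; srv_targets "$srv"
    kinit "$JOIN_USER@$REALM" || { echo "kinit failed; fix Kerberos before joining" >&2; exit 1; }
    remote=$(samba-tool fsmo show -H "ldap://$EXISTING_DC" -U "$JOIN_USER")
    echo "FSMO holder in $DOMAIN: $(fsmo_single_owner "$remote")"
    if [ -e /var/lib/samba/private/sam.ldb ]; then
        mine=$(samba-tool fsmo show -H ldap://localhost 2>/dev/null || true)
        separate_forests "$mine" "$remote" &&
            echo "WARNING: this host already holds its own forest; remove it before joining" >&2
    fi
    # Internal DNS backend assumed, as used in the thread.
    echo "samba-tool domain join $DOMAIN DC -U \"$JOIN_USER\" --dns-backend=SAMBA_INTERNAL"
fi
```

Run it with `RUN_LIVE=1 sh prejoin.sh` on the candidate host, or source it and call the functions on pasted output. Fed the two `samba-tool fsmo show` outputs from points 14 and 15 above, `separate_forests` returns true, because the local server answers with KA-H9-DC01 as owner of every role while the existing domain answers with VMDC-AZURE-01; that is the signature of a locally provisioned forest rather than a replica of the existing one.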