[Samba] "samba-tool domain join" doesn't work with -U and -k

Jonathon Reinhart jonathon.reinhart at gmail.com
Thu Jun 13 09:33:15 UTC 2019


Hello,

Summary: "samba-tool domain join" doesn't seem to work if you pass
both "-k yes" and -U.

Samba version: 4.9.5-Debian

I have a newly-provisioned AD domain with a single DC (dc1). I'm
attempting to join a second DC (dc2), per the wiki.

On dc2:
- I have /etc/resolv.conf pointing at dc1  (confirmed all AD DNS
resolution works)
- I've copied the basic /etc/krb5.conf that was spit out during provisioning
- I've got a valid kerberos ticket ("kinit Administrator" worked)
- I can query info about the domain via dc1:

# samba-tool domain info dc1
Forest           : ad-test.vx
Domain           : ad-test.vx
Netbios domain   : ADTEST
DC name          : dc1.ad-test.vx
DC netbios name  : DC1
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name

I am unable to join dc2. All of the following fail:

# samba-tool domain join ad-test.vx DC -U 'Administrator' --no-pass -k yes --option 'idmap_ldb:use rfc2307 = yes'
# samba-tool domain join ad-test.vx DC -U 'ADTEST\Administrator' --no-pass -k yes --option 'idmap_ldb:use rfc2307 = yes'
# samba-tool domain join ad-test.vx DC -U 'Administrator@ad-test.vx' --no-pass -k yes --option 'idmap_ldb:use rfc2307 = yes'
# samba-tool domain join ad-test.vx DC -k yes -U Administrator@AD-TEST.VX --no-pass --option 'idmap_ldb:use rfc2307 = yes'

They fail with the same error output:

Finding a writeable DC for domain 'ad-test.vx'
Found DC dc1.ad-test.vx
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://dc1.ad-test.vx' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER


However (I just discovered while writing this email), leaving off
-U altogether worked!

# samba-tool domain join ad-test.vx DC --no-pass -k yes --option 'idmap_ldb:use rfc2307 = yes'

So it appears, at least for "domain join", that "-U" and "-k" are incompatible.

In the Wiki,
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Kerberos
It tells the user to use 'kinit' to confirm that Kerberos is working.
Perhaps it should say to use '-k yes' instead of '-U'?

Jonathon
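An added example, not part of Jonathon's post and not Samba project code: a small POSIX shell wrapper for the join procedure described above. It runs the pre-flight checks the post lists (AD SRV lookup through the existing DC's DNS, a valid ticket via "klist -s", "samba-tool domain info"), refuses the -U plus "-k yes" combination the post reports as failing, and then runs the join with "-k yes" only. The domain name, DC hostname and realm are the post's illustrative values; the "klist -s" flag assumes MIT Kerberos (Heimdal's klist uses -t), and the script assumes resolv.conf, krb5.conf and "kinit Administrator" have already been done as in the post.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba project).
# Assumes: /etc/resolv.conf points at the existing DC, /etc/krb5.conf
# describes the realm, and "kinit Administrator" has already succeeded.
set -eu

DOMAIN="ad-test.vx"          # illustrative value from the post
EXISTING_DC="dc1.ad-test.vx" # illustrative value from the post

# Return 0 if the samba-tool argument list does not mix -U/--username with
# "-k yes"/--kerberos=yes; return 1 if it does. The post reports that this
# combination fails the LDAP bind with NT_STATUS_INVALID_PARAMETER, while
# "-k yes" without -U works.
args_ok() {
    has_u=0; has_k=0; prev=""
    for a in "$@"; do
        case "$a" in
            -U*|--username|--username=*) has_u=1 ;;
            --kerberos=yes)              has_k=1 ;;
            yes) if [ "$prev" = "-k" ] || [ "$prev" = "--kerberos" ]; then
                     has_k=1
                 fi ;;
        esac
        prev="$a"
    done
    [ "$has_u" -eq 0 ] || [ "$has_k" -eq 0 ]
}

# Pre-flight checks mirroring the post: AD DNS works through the existing
# DC, a ticket is present, and the domain can be queried.
preflight() {
    # The LDAP SRV record for the domain's DCs must resolve.
    host -t SRV "_ldap._tcp.dc._msdcs.$DOMAIN" >/dev/null
    # MIT klist -s exits non-zero when the cache has no valid ticket.
    if ! klist -s; then
        echo "no valid Kerberos ticket; run: kinit Administrator" >&2
        return 1
    fi
    samba-tool domain info "$EXISTING_DC" >/dev/null
}

# Join as a DC using only the Kerberos ticket cache: "-k yes", no -U.
join_dc() {
    set -- "$DOMAIN" DC --no-pass -k yes --option 'idmap_ldb:use rfc2307 = yes'
    if ! args_ok "$@"; then
        echo "refusing: -U combined with -k yes is reported to fail" >&2
        return 1
    fi
    echo "running: samba-tool domain join $*"
    samba-tool domain join "$@"
}

main() {
    case "${1:-}" in
        --join) preflight && join_dc ;;
        *)      echo "usage: $0 --join" >&2 ;;
    esac
}

main "$@"
```

Nothing is joined unless the script is invoked with --join, so it can be sourced or run bare to inspect the checks first; the argument guard is deliberately a separate function so it can be reused in front of any other samba-tool invocation that takes credentials.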


