[Samba] "samba-tool domain join" doesn't work with -U and -k

Rowland penny rpenny at samba.org
Thu Jun 13 09:46:27 UTC 2019


On 13/06/2019 10:33, Jonathon Reinhart via samba wrote:
> Hello,
>
> Summary: "samba-tool domain join" doesn't seem to work if you pass
> both "-k yes" and -U.
>
> Samba version: 4.9.5-Debian
>
> I have a newly-provisioned AD domain with a single DC (dc1). I'm
> attempting to join a second DC (dc2), per the wiki.
>
> On dc2:
> - I have /etc/resolv.conf pointing at dc1 (confirmed all AD DNS resolution works)
> - I've copied the basic /etc/krb5.conf that was spit out during provisioning
> - I've got a valid Kerberos ticket ("kinit Administrator" worked)
> - I can query info about the domain via dc1:
>
> # samba-tool domain info dc1
> Forest           : ad-test.vx
> Domain           : ad-test.vx
> Netbios domain   : ADTEST
> DC name          : dc1.ad-test.vx
> DC netbios name  : DC1
> Server site      : Default-First-Site-Name
> Client site      : Default-First-Site-Name
>
> I am unable to join dc2. All of the following fail:
>
> # samba-tool domain join ad-test.vx DC -U 'Administrator' --no-pass -k yes --option 'idmap_ldb:use rfc2307 = yes'
> # samba-tool domain join ad-test.vx DC -U 'ADTEST\Administrator' --no-pass -k yes --option 'idmap_ldb:use rfc2307 = yes'
> # samba-tool domain join ad-test.vx DC -U 'Administrator@ad-test.vx' --no-pass -k yes --option 'idmap_ldb:use rfc2307 = yes'
> # samba-tool domain join ad-test.vx DC -k yes -U Administrator@AD-TEST.VX --no-pass --option 'idmap_ldb:use rfc2307 = yes'
>
> They fail with the same error output:
>
> Finding a writeable DC for domain 'ad-test.vx'
> Found DC dc1.ad-test.vx
> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://dc1.ad-test.vx' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>
>
> However (I just discovered this while writing this email), leaving off
> -U altogether worked!
>
> # samba-tool domain join ad-test.vx DC --no-pass -k yes --option 'idmap_ldb:use rfc2307 = yes'
>
> So it appears, at least for "domain join", that "-U" and "-k" are incompatible.
>
> In the wiki,
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Kerberos
> it tells the user to use 'kinit' to confirm that Kerberos is working.
> Perhaps it should say to use '-k yes' instead of '-U'?
>
> Jonathon
>
Good point, the page tells you how to set up Kerberos and test it, then
never uses it.

You actually missed one of the Kerberos auth methods: instead of '-k
yes' you can use '--krb5-ccache=KRB5CCNAME', where KRB5CCNAME is the
full path to a valid Kerberos ticket, e.g. '/tmp/krb5cc_0'.

Rowland