[Samba] (no subject)

Jonathon Reinhart jonathon.reinhart at gmail.com
Fri Mar 1 13:21:54 UTC 2019


Hello,

I'm running a Samba DC on Debian 9 (version 4.5.12-Debian) in a lab
environment, set up like this:
https://jonathonreinhart.com/posts/blog/2019/02/11/setting-up-a-samba-4-domain-controller-on-debian-9/

I would now like to configure this server to enable login via domain
credentials. I'm aware that the Samba wiki recommends the following:

- https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
- https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM

However, I'm familiar with using Realmd (using its default SSSD) to
join Linux servers to a MS AD domain, to enable SSH and sudo using
domain credentials. So I'm trying to use Realmd on my Samba DC, using
winbind instead of sssd (because Samba already uses winbind).

I first installed libpam-winbind, and then attempted the following:
# realm join --client-software=winbind --automatic-id-mapping=no ad.example.com

After entering my domain Administrator password, I received this error message:
realm: Couldn't join realm: Failed to enroll machine in realm. See diagnostics.

Upon a second attempt, I got this error message:
realm: Couldn't join realm: Joining the domain ad.example.com failed

Looking in the realmd logs, I see the following:

    * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.3D2AXZ -U Administrator ads join ad.example.com
    gss_init_sec_context failed with [ Miscellaneous failure (see text): Server (ldap/samba-dc.ad.example.com@AD.EXAMPLE.COM) unknown]
    kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: for ldap/samba-dc.ad.example.com user[Administrator] realm[AD.EXAMPLE.COM]: An internal error occurred.

At this point, I'm stumped. This is on a very fresh install, so it
should be very easy to reproduce.

Is what I'm attempting to do a valid operation? Or is it weird that
realmd is trying to "join" the DC to the domain?

Thank you,

Jonathon Reinhart
