[Samba] Joining a DC, was (no subject)

Rowland Penny rpenny at samba.org
Fri Mar 1 13:56:42 UTC 2019

On Fri, 1 Mar 2019 08:21:54 -0500
Jonathon Reinhart via samba <samba at lists.samba.org> wrote:

> Hello,
> I'm running a Samba DC on Debian 9 (version 4.5.12-Debian) in a lab
> environment, set up like this:
> https://jonathonreinhart.com/posts/blog/2019/02/11/setting-up-a-samba-4-domain-controller-on-debian-9/

There are a few 'not quite right' things there and at least one
'Nooooo, don't do that' ;-)

The 'Nooooo, don't do that' is:
Don't change the UPN

> I would now like to configure this server to enable login via domain
> credentials. I'm aware that the Samba wiki recommends the following:
> -
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> -
> https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM
> However, I'm familiar with using Realmd (using its default SSSD) to
> join Linux servers to a MS AD domain, to enable SSH and sudo using
> domain credentials.  So I'm trying to use Realmd on my Samba DC, using
> winbind instead of sssd (because Samba already uses winbind).
> I first installed libpam-winbind, and then attempted the following:
> # realm join --client-software=winbind --automatic-id-mapping=no
> ad.example.com

What about libnss-winbind ?

> After entering my domain Administrator password, I received this
> error message: realm: Couldn't join realm: Failed to enroll machine
> in realm. See diagnostics.

Well, you would.

> Upon a second attempt, I got this error message:
> realm: Couldn't join realm: Joining the domain ad.example.com failed

Again, you would.

> Looking in the realmd logs, I see the following:
>     * LANG=C LOGNAME=root /usr/bin/net -s
> /var/cache/realmd/realmd-smb-conf.3D2AXZ -U Administrator ads join
> ad.example.com
>     gss_init_sec_context failed with [ Miscellaneous failure (see
> text): Server (ldap/samba-dc.ad.example.com@AD.EXAMPLE.COM)
> unknown]
>     kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: for
> ldap/samba-dc.ad.example.com user[Administrator]
> realm[AD.EXAMPLE.COM]: An internal error occurred.

Yes, you would get an error message.

> At this point, I'm stumped. This is on a very fresh install, so it
> should be very easy to reproduce.
> Is what I'm attempting to do a valid operation?
> Or is it weird that realmd is trying to "join" the DC to the domain?

Oh yes, very weird, trying to join something that is already joined to
the domain by the provision command.
Oh and just in passing, you probably do not have a forwarder set in

> Thank you,
> Jonathon Reinhart
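Rowland's point is that a DC is already a member of the domain (the provision put it there), so realmd's underlying "net ads join" has nothing valid to do and fails as the quoted log shows; the supported path on the DC is the winbind NSS/PAM setup from the two wiki pages Jonathon linked. As an added example, not code from the thread, from Samba or from realmd, the POSIX shell script below does a preflight before any "realm join": it reads "server role" from an smb.conf path and refuses on an AD DC, and it shows the nsswitch.conf change libnss-winbind needs (appending "winbind" to the passwd and group lines). The function names, the sample smb.conf and nsswitch.conf contents and the temp-directory demo are all constructed for illustration; the PAM side of the wiki procedure is not shown.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba/realmd.
# realmd runs "net ads join" under the hood.  On a Samba AD DC the host is
# already in the domain, so that join fails; the correct step there is to
# let the DC's built-in winbind serve NSS/PAM instead.  Paths are passed in
# as arguments; the demo at the bottom writes constructed sample files.

# is_samba_dc SMB_CONF -> 0 if "server role" names an AD DC, 1 otherwise.
# Samba parameter names and values are case-insensitive, so compare lowercased.
is_samba_dc() {
    role=$(awk -F= '
        tolower($0) ~ /^[[:space:]]*server[[:space:]]*role[[:space:]]*=/ {
            v = tolower($2)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)   # trim both ends
            print v
            exit
        }' "$1")
    case "$role" in
        "active directory domain controller"|"dc") return 0 ;;
        *) return 1 ;;
    esac
}

# add_winbind_nss NSSWITCH_CONF -> prints the file with "winbind" appended to
# the passwd: and group: lines when it is not already present (idempotent).
add_winbind_nss() {
    awk '
        /^(passwd|group):/ && $0 !~ /[[:space:]]winbind([[:space:]]|$)/ { $0 = $0 " winbind" }
        { print }
    ' "$1"
}

# preflight_realm_join SMB_CONF -> 0 when a realm join makes sense, 1 on a DC.
preflight_realm_join() {
    if is_samba_dc "$1"; then
        echo "refusing: $1 declares an AD DC, which is already joined to its domain" >&2
        echo "configure winbind NSS/PAM on the DC instead (libnss-winbind, libpam-winbind)" >&2
        return 1
    fi
    echo "not a DC: realm join --client-software=winbind may proceed"
    return 0
}

# Demo on constructed sample configs (not real files from the thread).
demo() {
    tmp=$(mktemp -d)
    printf '[global]\n\tserver role = active directory domain controller\n' > "$tmp/dc.conf"
    printf '[global]\n\tserver role = member server\n' > "$tmp/member.conf"
    printf 'passwd:  files\ngroup:   files\nhosts:   files dns\n' > "$tmp/nsswitch.conf"
    preflight_realm_join "$tmp/member.conf" || true
    preflight_realm_join "$tmp/dc.conf" || true
    echo "--- nsswitch.conf with winbind added:"
    add_winbind_nss "$tmp/nsswitch.conf"
    rm -rf "$tmp"
}

demo
```

Run it as-is to see both decisions and the edited nsswitch.conf; to use it for real, point the functions at /etc/samba/smb.conf and /etc/nsswitch.conf (the script never writes to either, it only prints the proposed nsswitch.conf).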
