[Samba] (no subject)

Christian Naumer cn at brain-biotech.de
Fri Mar 1 14:05:39 UTC 2019


In one word:
DON'T!

Tried it once and realmd moved the DC to the Computer OU in AD. There it
is no longer a DC and nothing worked for us...

As it is already joined you don't need realmd at all. Just configure
sssd.conf and start sssd.

However, I would not recommend that. We have since switched to winbind
as this is already running and with the sernet packages cannot be
installed alongside sssd anyway.


Regards

Christian


On 01.03.19 at 14:21, Jonathon Reinhart via samba wrote:
> Hello,
> 
> I'm running a Samba DC on Debian 9 (version 4.5.12-Debian) in a lab
> environment, set up like this:
> https://jonathonreinhart.com/posts/blog/2019/02/11/setting-up-a-samba-4-domain-controller-on-debian-9/
> 
> I would now like to configure this server to enable login via domain
> credentials. I'm aware that the Samba wiki recommends the following:
> 
> - https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> - https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM
> 
> However, I'm familiar with using Realmd (using its default SSSD) to
> join Linux servers to a MS AD domain, to enable SSH and sudo using
> domain credentials.  So I'm trying to use Realmd on my Samba DC, using
> winbind instead of sssd (because Samba already uses winbind).
> 
> I first installed libpam-winbind, and then attempted the following:
> # realm join --client-software=winbind --automatic-id-mapping=no ad.example.com
> 
> After entering my domain Administrator password, I received this error message:
> realm: Couldn't join realm: Failed to enroll machine in realm. See diagnostics.
> 
> Upon a second attempt, I got this error message:
> realm: Couldn't join realm: Joining the domain ad.example.com failed
> 
> Looking in the realmd logs, I see the following:
> 
>     * LANG=C LOGNAME=root /usr/bin/net -s
> /var/cache/realmd/realmd-smb-conf.3D2AXZ -U Administrator ads join
> ad.example.com
>     gss_init_sec_context failed with [ Miscellaneous failure (see
> text): Server (ldap/samba-dc.ad.example.com at AD.EXAMPLE.COM)
> unknown]
>     kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: for
> ldap/samba-dc.ad.example.com user[Administrator]
> realm[AD.EXAMPLE.COM]: An internal error occurred.
> 
> At this point, I'm stumped. This is on a very fresh install, so it
> should be very easy to reproduce.
> 
> Is what I'm attempting to do a valid operation? Or is it weird that
> realmd is trying to "join" the DC to the domain?
> 
> Thank you,
> 
> Jonathon Reinhart
> 

-- 
Dr. Christian Naumer
Research Scientist
Platform Coordinator, Bioprocess Technology

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30  /   fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Register court: Darmstadt Local Court (AG Darmstadt), HRB 24758
Management Board: Dr. Juergen Eck (Chairman), Manfred Bender,
Ludger Roedder
Chairman of the Supervisory Board: Dr. Ludger Mueller



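A sanity check for the failure mode Christian describes (a realmd "join" relocating the DC's own computer object into the Computers container, after which it is no longer treated as a DC). This is an added example, not code from the thread or from Samba: it parses an LDIF record of the shape a directory search on the DC returns and reports whether the account still looks like a domain controller. The two sample records, their DNs and account names are constructed; the userAccountControl bit values are the standard AD ones.

```python
import re

# userAccountControl bits as defined for AD (standard values, not from the thread)
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000   # set on member servers/workstations
UF_SERVER_TRUST_ACCOUNT = 0x2000        # set on domain controllers


def parse_ldif(text):
    """Parse one LDIF record into {attribute: [values]}.
    Unfolds the single-space continuation lines LDIF uses for long values;
    base64 ('::') values are not decoded, which is fine for DN and UAC."""
    record = {}
    unfolded = re.sub(r"\n ", "", text.strip())
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def dn_components(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas."""
    return [c.strip() for c in re.split(r"(?<!\\),", dn)]


def check_dc_account(ldif_text):
    """Return a list of findings; an empty list means the object still looks like a DC."""
    obj = parse_ldif(ldif_text)
    findings = []
    dn = obj.get("dn", [""])[0]
    parents = [c.lower() for c in dn_components(dn)[1:]]   # everything above the leaf RDN
    if "ou=domain controllers" not in parents:
        findings.append(f"not under OU=Domain Controllers: {dn}")
    if "cn=computers" in parents:
        findings.append("object sits in the default Computers container")
    uac = int(obj.get("userAccountControl", ["0"])[0])
    if not uac & UF_SERVER_TRUST_ACCOUNT:
        findings.append("userAccountControl lacks UF_SERVER_TRUST_ACCOUNT (0x2000)")
    if uac & UF_WORKSTATION_TRUST_ACCOUNT:
        findings.append("userAccountControl has UF_WORKSTATION_TRUST_ACCOUNT: member, not DC")
    return findings


# Constructed sample records (hypothetical DC named SAMBA-DC, not real directory output)
HEALTHY_DC = """dn: CN=SAMBA-DC,OU=Domain Controllers,DC=ad,DC=example,DC=com
sAMAccountName: SAMBA-DC$
userAccountControl: 532480
"""
MOVED_DC = """dn: CN=SAMBA-DC,CN=Computers,DC=ad,DC=example,DC=com
sAMAccountName: SAMBA-DC$
userAccountControl: 4096
"""
```

Feed it the record for the DC's own machine account; any finding means the join tooling has altered an object that must stay under OU=Domain Controllers with the server trust flag set.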