[Samba] net ads join explication ?

nathalie ramat nathalie.ramat at univ-littoral.fr
Thu Nov 7 13:00:31 UTC 2019

My DC is under Linux - my version of Linux is 5.2.0-3-amd64

My client OS is also under Linux and the version is 5.2.0-2-amd64. I also 
have a Windows 10 client.

Here is the result of the test:

Collected config  --- 2019-11-07-13:14 -----------

Hostname: clientblues2
DNS Domain: sambadom.calais.fr
FQDN: clientblues2.sambadom.calais.fr
ipaddress: 192.168.xx.233


Kerberos SRV _kerberos._tcp.sambadom.calais.fr record verified ok, sample output:
Server:        192.168.xx.230
Address:    192.168.xx.230#53

_kerberos._tcp.sambadom.calais.fr    service = 0 100 88 
Samba is running as an Unix domain member but 'winbindd' is NOT running.
Check that the winbind package is installed.
Detected, Samba is running winbind only. Auth-only server, Unix domain 
        Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux bullseye/sid"
NAME="Debian GNU/Linux"


This computer is running Debian bullseye/sid x86_64

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet scope host lo
     inet6 ::1/128 scope host
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
     link/ether a2:75:42:40:54:6b brd ff:ff:ff:ff:ff:ff
     inet 192.168.xx.233/24 brd scope global noprefixroute ens18
     inet6 fe80::a075:42ff:fe40:546b/64 scope link noprefixroute

        Checking file: /etc/hosts    localhost
192.168.xx.233    clientblues2.sambadom.calais.fr clientblues2
192.168.xx.230    blueyestest.sambadom.calais.fr    blueyestest

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


        Checking file: /etc/resolv.conf

# Generated by NetworkManager
nameserver 192.168.xx.230
nameserver 193.49.xx.10
nameserver 195.220.xx.10


        Checking file: /etc/krb5.conf

     default_realm = SAMBADOM.CALAIS.FR
     kdc_timesync =1
     ccache_type = 4
     forwardable = true
     proxiable = true
     dns_lookup_realm = false
     dns_lookup_kdc = true

#fcc-mit-ticketflags = true

#allow_weak_crypto = true
#default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
#default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes= as256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

         kdc = blueyestest.sambadom.calais.fr
         admin_server = blueyestest.sambadom.calais.fr
         default_domain =sambadom.calais.fr

     sambadom.calais.fr = SAMBADOM.CALAIS.FR
     .sambadom.calais.fr = SAMBADOM.CALAIS.FR



        Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files winbind systemd
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


        Checking file: /etc/samba/smb.conf

     security =ADS
     workgroup =SAMBADOM
     netbios name = clientblues2
     winbind separator = /
     winbind enum users = yes
     winbind enum groups = yes

     idmap config * : backend=tdb
     idmap config * : range=1000-2000

     idmap config SAMBADOM : backend = ad
     idmap config SAMBADOM : schema_mode =rfc2307
     idmap config SAMBADOM : range = 10000-600000
     idmap config SAMBADOM : unix_nss_info = yes
     idmap config SAMBADOM : unix_primary_group = yes

     winbind nss info = template
     template homedir =/etudiants/%U

     template shell =/bin/bash
     kerberos method =  secrets and keytab
     dedicated keytab file =/etc/krb5.keytab
     winbind refresh tickets =yes
     username map = /etc/samba/user.map
     winbind use default domain = yes
     log file =/var/log/samba/log.%m
     log level = 5
# for acl support on members servers with shares
     vfs object = acl_xattr
     map acl inherit = yes
     store dos attributes = yes
#    winbind nss info = rfc2307


Running as Unix domain member and user.map detected.

Contents of /etc/samba/user.map

!root = SAMBADOM\administrator

Server Role is set to :  auto


Installed packages:
ii  acl  2.2.53-5  amd64  access control list - utilities
ii  fonts-quicksand  0.2016-2  all  sans-serif font with round attributes
ii  krb5-config  2.6  all  Configuration files for Kerberos Version 5
ii  krb5-locales  1.17-6  all  internationalization support for MIT Kerberos
ii  krb5-user  1.17-6  amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64  2.2.53-5  amd64  access control list - shared library
ii  libattr1:amd64  1:2.4.48-5  amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64  1.17-6  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64  1.17-6  amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64  1.17-6  amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64  2:4.9.13+dfsg-1  amd64  Samba nameservice integration plugins
ii  libpam-winbind:amd64  2:4.9.13+dfsg-1  amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64  2:4.9.13+dfsg-1  amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64  2:4.9.13+dfsg-1  amd64  Samba winbind client library
ii  python-samba  2:4.9.13+dfsg-1  amd64  Python bindings for Samba
ii  samba-common  2:4.9.13+dfsg-1  all  common files used by both the Samba server and client
ii  samba-common-bin  2:4.9.13+dfsg-1  amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64  2:4.9.13+dfsg-1  amd64  Samba Directory Services Database
ii  samba-libs:amd64  2:4.9.13+dfsg-1  amd64  Samba core libraries
ii  winbind  2:4.9.13+dfsg-1  amd64  service to resolve user and group information from Windows NT servers


On 07/11/2019 at 12:37, Rowland penny via samba wrote:
> On 07/11/2019 11:08, nathalie ramat via samba wrote:
>> Hello ,
>> I want to add my linux client in my ad .
>> I use net ads join -U administrator
>> passwd : xxxx
>> and I wait and I have no response but if I put 8 times the key 
>> enter,  my machine is added to my ad but I have  this error message : 
>> error reading from file descriptor 0 : empty password  which comes 
>> from the server
>> I don't understand why .
>> My server is samba 4.11 and  my client use winbind .
> There doesn't seem to be anything wrong with your smb.conf, were 
> 'smbd', 'nmbd' and 'winbind' running before the join ?
> Can you download this: 
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
> Run it on the Unix domain member and post the output into a reply to 
> this post, do not attach it, this list strips attachments.
> Also, what is the DC ? OS and version.
> Rowland


Service Informatique

Universite du Littoral-Côte d'Opale
SCoSI - Service Commun du Système d'Information
Pôle Systèmes et réseaux

Centre de Gestion Universitaire de Calais
50 rue ferdinand Buisson
C.S 80699
