[Samba] net ads join explication ?

L.P.H. van Belle belle at bazuin.nl
Thu Nov 7 13:40:00 UTC 2019


In addition to Rowland's comment.

What I don't get here:
You're running Debian Bullseye (I hope not in production).
You didn't update it (Samba 4.9.13 is installed, not the current one for Bullseye, samba 4.11.1-2).
Bullseye = testing, and believe me, testing has more problems than unstable.

So I would start with running:
apt-get dist-upgrade

Then your configs. These don't look bad, but you need to make some adjustments.
/etc/hosts
127.0.0.1    localhost
192.168.xx.233    clientblues2.sambadom.calais.fr clientblues2
Remove > 192.168.xx.230    blueyestest.sambadom.calais.fr    blueyestest
Not needed.

In /etc/resolv.conf:
Remove the IPs to the internet (or disable them for now); the AD-DC DNS should forward it.
And your primary search domain is not set.
Add: search your.domain.tld

Now, you're using NetworkManager; in its config, add:
dns-search=sambadom.calais.fr;

Reboot and try again.

Personally, I would remove NetworkManager and set up with systemd.
If that's also an option for you, then I suggest:
wget https://raw.githubusercontent.com/thctlo/debian-scripts/master/setup-systemd-networkd.sh
It will generate an IPv4-only setup (files are generated where you run the script).
If used like this, especially on a member, you can remove some packages, because it's handled by systemd now.
I use this in all my Debian Buster servers.

One of my configs looks like this
(and I don't need any ntp, iproute or resolv.conf packages or adjustments anymore):

[Match]
Name=eth0

[Network]
DHCP=no
DNSSEC=allow-downgrade
IPv6PrivacyExtensions=no
IPv6AcceptRouterAdvertisements=no
LinkLocalAddressing=no

# NTP and DNS point to AD-DC.
NTP=192.168.x.1 192.168.x.2
DNS=192.168.x.1 192.168.x.2
Domains=primary.dnssearchdomain.tld other.domains.tld
Address=192.168.x.10/24
# if you need a gateway.
#Gateway=192.168.x.1

# if you need extra routes (Destination must be a full prefix, e.g. 172.20.0.0/16, not 172.20.0/16).
#[Route]
#Destination=172.20.0.0/16
#Gateway=192.168.x.1

Greetz, 

Louis


> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> nathalie ramat via samba
> Sent: Thursday 7 November 2019 14:01
> To: rpenny at samba.org
> CC: samba at lists.samba.org
> Subject: Re: [Samba] net ads join explication ?
> 
> 
> My DC is under Linux - my version of Linux is 5.2.0-3-amd64
> 
> My client OS is also under Linux and the version is 5.2.0-2-amd64. I also
> have Windows 10 clients.
> 
> I put the result of the test
> 
> Collected config  --- 2019-11-07-13:14 -----------
> 
> Hostname: clientblues2
> DNS Domain: sambadom.calais.fr
> FQDN: clientblues2.sambadom.calais.fr
> ipaddress: 192.168.xx.233
> 
> -----------
> 
> Kerberos SRV _kerberos._tcp.sambadom.calais.fr record verified ok, 
> sample output:
> Server:        192.168.xx.230
> Address:    192.168.xx.230#53
> 
> _kerberos._tcp.sambadom.calais.fr    service = 0 100 88 
> blueyestest.sambadom.calais.fr.
> Samba is running as an Unix domain member but 'winbindd' is NOT running.
> Check that the winbind package is installed.
> Detected, Samba is running winbind only. Auth-only server, Unix domain member
>         Checking file: /etc/os-release
> 
> PRETTY_NAME="Debian GNU/Linux bullseye/sid"
> NAME="Debian GNU/Linux"
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
> 
> -----------
> 
> 
> This computer is running Debian bullseye/sid x86_64
> 
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
>      inet6 ::1/128 scope host
> 2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>      link/ether a2:75:42:40:54:6b brd ff:ff:ff:ff:ff:ff
>      inet 192.168.xx.233/24 brd 192.168.22.255 scope global noprefixroute ens18
>      inet6 fe80::a075:42ff:fe40:546b/64 scope link noprefixroute
> 
> -----------
>         Checking file: /etc/hosts
> 
> 127.0.0.1    localhost
> 192.168.xx.233    clientblues2.sambadom.calais.fr clientblues2
> 192.168.xx.230    blueyestest.sambadom.calais.fr    blueyestest
> 
> 
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> -----------
> 
>         Checking file: /etc/resolv.conf
> 
> # Generated by NetworkManager
> nameserver 192.168.xx.230
> nameserver 193.49.xx.10
> nameserver 195.220.xx.10
> 
> -----------
> 
>         Checking file: /etc/krb5.conf
> 
> [libdefaults]
>      default_realm = SAMBADOM.CALAIS.FR
>      kdc_timesync =1
>      ccache_type = 4
>      forwardable = true
>      proxiable = true
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
> 
> 
> 
> #fcc-mit-ticketflags = true
> 
> #allow_weak_crypto = true
> #default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> #default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> 
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 
> aes128-cts-hmac-sha1-96 
> rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 
> aes128-cts-hmac-sha1-96 
> rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes= as256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 
> rc4-hmac des-cbc-crc des-cbc-md5
> 
> 
> 
> [realms]
>      SAMBADOM.CALAIS.FR = {
>          kdc = blueyestest.sambadom.calais.fr
>          admin_server = blueyestest.sambadom.calais.fr
>          default_domain =sambadom.calais.fr
>      }
> 
> [domain_realm]
>      sambadom.calais.fr = SAMBADOM.CALAIS.FR
>      .sambadom.calais.fr = SAMBADOM.CALAIS.FR
> 
> [logging]
>      default=file:/var/log/krb5.log
> 
> -----------
> 
>         Checking file: /etc/nsswitch.conf
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages 
> installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         files winbind systemd
> group:          files winbind systemd
> shadow:         files winbind systemd
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> -----------
> 
>         Checking file: /etc/samba/smb.conf
> 
> [global]
>      security =ADS
>      realm = SAMBADOM.CALAIS.FR
>      workgroup =SAMBADOM
>      netbios name = clientblues2
>      winbind separator = /
>      winbind enum users = yes
>      winbind enum groups = yes
> 
> 
>      idmap config * : backend=tdb
>      idmap config * : range=1000-2000
> 
>      idmap config SAMBADOM : backend = ad
>      idmap config SAMBADOM : schema_mode =rfc2307
>      idmap config SAMBADOM : range = 10000-600000
>      idmap config SAMBADOM : unix_nss_info = yes
>      idmap config SAMBADOM : unix_primary_group = yes
> 
>      winbind nss info = template
>      template homedir =/etudiants/%U
> 
> 
>      template shell =/bin/bash
>      kerberos method =  secrets and keytab
>      dedicated keytab file =/etc/krb5.keytab
>      winbind refresh tickets =yes
> #
>      username map = /etc/samba/user.map
>      winbind use default domain = yes
>      log file =/var/log/samba/log.%m
>      log level = 5
> # for acl support on members servers with shares
>      vfs object = acl_xattr
>      map acl inherit = yes
>      store dos attributes = yes
> #    winbind nss info = rfc2307
> 
> -----------
> 
> Running as Unix domain member and user.map detected.
> 
> Contents of /etc/samba/user.map
> 
> !root = SAMBADOM\administrator
> 
> Server Role is set to :  auto
> 
> -----------
> 
> Installed packages:
> ii  acl                       2.2.53-5          amd64  access control list - utilities
> ii  fonts-quicksand           0.2016-2          all    sans-serif font with round attributes
> ii  krb5-config               2.6               all    Configuration files for Kerberos Version 5
> ii  krb5-locales              1.17-6            all    internationalization support for MIT Kerberos
> ii  krb5-user                 1.17-6            amd64  basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64             2.2.53-5          amd64  access control list - shared library
> ii  libattr1:amd64            1:2.4.48-5        amd64  extended attribute handling - shared library
> ii  libgssapi-krb5-2:amd64    1.17-6            amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64           1.17-6            amd64  MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64     1.17-6            amd64  MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64      2:4.9.13+dfsg-1   amd64  Samba nameservice integration plugins
> ii  libpam-winbind:amd64      2:4.9.13+dfsg-1   amd64  Windows domain authentication integration plugin
> ii  libsmbclient:amd64        2:4.9.13+dfsg-1   amd64  shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64        2:4.9.13+dfsg-1   amd64  Samba winbind client library
> ii  python-samba              2:4.9.13+dfsg-1   amd64  Python bindings for Samba
> ii  samba-common              2:4.9.13+dfsg-1   all    common files used by both the Samba server and client
> ii  samba-common-bin          2:4.9.13+dfsg-1   amd64  Samba common files used by both the server and the client
> ii  samba-dsdb-modules:amd64  2:4.9.13+dfsg-1   amd64  Samba Directory Services Database
> ii  samba-libs:amd64          2:4.9.13+dfsg-1   amd64  Samba core libraries
> ii  winbind                   2:4.9.13+dfsg-1   amd64  service to resolve user and group information from Windows NT servers
> 
> -----------
> 
> 
> On 07/11/2019 at 12:37, Rowland penny via samba wrote:
> > On 07/11/2019 11:08, nathalie ramat via samba wrote:
> >> Hello ,
> >>
> >> I want to add my linux client in my ad .
> >>
> >> I use net ads join -U administrator
> >> passwd : xxxx
> >>
> >> and I wait and I have no response, but if I press the Enter key 8 times,
> >> my machine is added to my AD but I have this error message:
> >> error reading from file descriptor 0 : empty password, which comes
> >> from the server
> >>
> >> I don't understand why .
> >>
> >>
> >> My server is samba 4.11 and  my client use winbind .
> >
> > There doesn't seem to be anything wrong with your smb.conf, were 
> > 'smbd', 'nmbd' and 'winbind' running before the join ?
> >
> > Can you download this: 
> > https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
> >
> > Run it on the Unix domain member and post the output into a reply to 
> > this post, do not attach it, this list strips attachments.
> >
> > Also, what is the DC ? OS and version.
> >
> > Rowland
> >
> >
> >
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
> 
> -- 
> Nathalie RAMAT-LECLERCQ
> 
> Service Informatique
> 
> Universite du Littoral-Côte d'Opale
> SCoSI - Service Commun du Système d'Information
> Pôle Systèmes et réseaux
> 
> Centre de Gestion Universitaire de Calais
> 50 rue ferdinand Buisson
> C.S 80699
> 62228 CALAIS CEDEX
> 
> 
> 
> 
> 
> 
> 
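The resolv.conf and /etc/hosts adjustments Louis asks for above, turned into a pre-join check a member can run before `net ads join`. This is an added example, not code from the thread, from Louis, or from the Samba project. The sample files are constructed from the debug output posted in the thread (the masked `xx` octets are kept as-is, since the check only compares strings); the AD DNS domain, the DC address list and the member's own FQDN are assumed arguments.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): a pre-join sanity check
# that applies the two DNS rules from the reply above to a Unix domain member.
#   1. every nameserver in resolv.conf must be an AD DC (the DC forwards to
#      the internet), and
#   2. a 'search' (or 'domain') line naming the AD DNS domain must be present.
# It also flags /etc/hosts lines that pin other hosts (such as the DC) to an
# address, which should be left to AD DNS.

# check_resolv FILE DOMAIN DC_IP...
# Prints one finding per line; returns 0 when the file follows both rules.
check_resolv() {
    file=$1; want=$2; shift 2
    rc=0; have_search=0
    while read -r key val rest; do
        case $key in
            nameserver)
                ok=0
                for dc in "$@"; do
                    if [ "$val" = "$dc" ]; then ok=1; fi
                done
                if [ "$ok" -eq 0 ]; then
                    echo "$file: nameserver $val is not an AD DC; remove it"
                    rc=1
                fi ;;
            search|domain)
                for d in $val $rest; do
                    if [ "$d" = "$want" ]; then have_search=1; fi
                done ;;
        esac
    done < "$file"
    if [ "$have_search" -eq 0 ]; then
        echo "$file: no 'search $want' line"
        rc=1
    fi
    return $rc
}

# check_hosts FILE OWN_FQDN
# Flags every non-loopback entry whose name is not this host's own FQDN.
check_hosts() {
    file=$1; fqdn=$2
    rc=0
    while read -r ip name rest; do
        case $ip in ''|'#'*|127.*|::1|ff02::*) continue ;; esac
        if [ "$name" != "$fqdn" ]; then
            echo "$file: $name ($ip) is not this host; remove it and let AD DNS resolve it"
            rc=1
        fi
    done < "$file"
    return $rc
}

# write_samples DIR: constructed inputs copied from the debug output in the
# thread (masked 'xx' octets kept), plus the corrected versions.
write_samples() {
    dir=$1
    printf '%s\n' '# Generated by NetworkManager' \
        'nameserver 192.168.xx.230' 'nameserver 193.49.xx.10' \
        'nameserver 195.220.xx.10' > "$dir/resolv.conf.bad"
    printf '%s\n' 'search sambadom.calais.fr' \
        'nameserver 192.168.xx.230' > "$dir/resolv.conf.good"
    printf '%s\n' '127.0.0.1    localhost' \
        '192.168.xx.233    clientblues2.sambadom.calais.fr clientblues2' \
        '192.168.xx.230    blueyestest.sambadom.calais.fr    blueyestest' \
        '::1     localhost ip6-localhost ip6-loopback' \
        'ff02::1 ip6-allnodes' > "$dir/hosts.bad"
    printf '%s\n' '127.0.0.1    localhost' \
        '192.168.xx.233    clientblues2.sambadom.calais.fr clientblues2' \
        '::1     localhost ip6-localhost ip6-loopback' > "$dir/hosts.good"
}

# Stand-alone run over the constructed files: the .bad ones reproduce the
# findings from the thread, the .good ones pass silently.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp/resolv.conf.bad" "$tmp/resolv.conf.good"; do
    check_resolv "$f" sambadom.calais.fr 192.168.xx.230 || true
done
for f in "$tmp/hosts.bad" "$tmp/hosts.good"; do
    check_hosts "$f" clientblues2.sambadom.calais.fr || true
done
rm -rf "$tmp"
```

On a real member you would point `check_resolv` at `/etc/resolv.conf` with the DC addresses from the SRV lookup (the `_kerberos._tcp` record in the debug output) and `check_hosts` at `/etc/hosts` with the member's FQDN; a non-zero exit means there is still something to change before retrying the join.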



