[Samba] help for join AD domain failure troubleshooting

rong zhao zhaorbox at gmail.com
Wed Jul 1 12:26:49 UTC 2020


Hi Rowland,

  Thank you so much for your comment. I don't know why I didn't
receive your email; I just saw it in the "Digest" mail.

   Answering your questions:

Has your user hit the limit for joining computers ?
[R] I followed this article to set the limit:
https://www.petenetlive.com/KB/Article/0001536, but it did not work. Can you
please guide me on checking it further?

Is your smb.conf set up correctly ?
[R] I think my smb.conf should work, because the same configuration worked
before and it works for another domain. Here is a sample (with the
company name replaced):
"""
[global]
        client use spnego = no
        workgroup = PROD-USA
        realm = PROD-USA.MYCOMPANY.COM
        preferred master = no
        server string = Samba Server Version %v
        security = ADS
        encrypt passwords = yes
        log level = 3
        log file = /var/log/samba/%m
        max log size = 50
        printcap name = cups
        printing = cups
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nested groups = Yes
        winbind separator = +
        template shell = /bin/bash
        idmap domains = PROD-USA
        idmap config PROD-USA:range = 10000 - 49999
        idmap config PROD-USA:base_rid = 0
        idmap config PROD-USA:backend = rid
        ################################################
        # Required for Samba/Winbind 3.4+
        # Note that local tdb idmap backend
        # required now for Samba/Winbind 3.4+
        idmap backend = tdb
        idmap uid = 10000 - 49999
        idmap gid = 10000 - 49999
        #################################################

[homes]
        comment = Home Directories
        valid users = %S
        browseable = no
        writable = yes

[printers]
        comment = All Printers
        path = /var/spool/cups
        browseable = no
        guest ok = no
        writable = no
        printable = yes
"""

What OS is this ?
[R] CentOS 7, 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC
2017 x86_64 x86_64 x86_64 GNU/Linux

Do you have the correct packages installed ?
[R] I think so; the Samba-related packages are the latest:
samba-common-4.10.4-11.el7_8.noarch
samba-client-libs-4.10.4-11.el7_8.x86_64
samba-winbind-4.10.4-11.el7_8.x86_64
samba-4.10.4-11.el7_8.x86_64
samba-common-libs-4.10.4-11.el7_8.x86_64
samba-winbind-modules-4.10.4-11.el7_8.x86_64
samba-winbind-clients-4.10.4-11.el7_8.x86_64
samba-libs-4.10.4-11.el7_8.x86_64
samba-common-tools-4.10.4-11.el7_8.x86_64
samba-client-4.10.4-11.el7_8.x86_64


Appreciate your help.

Thanks.

Rong

rong zhao <zhaorbox at gmail.com> wrote on Wed, Jul 1, 2020 at 3:43 PM:

>
> Hi team,
>    I ran into a problem where joining an AD domain with Samba failed. I want to get
> some help from the community, so please let me provide the details.
>
> 1. Problem
>    When running "net ads join -U username" on the Linux client to join the AD domain,
> it failed with the error message:
>
> """
> Failed to join domain: Failed to set machine spn: Operations error
> Do you have sufficient permissions to create machine accounts?
> """
>
> It worked before; it just started failing one day.
>
> 2. What my environment is
>
> My AD domain cluster is made up of Windows Server 2012.
> I use winbind on the Linux client to authenticate through AD accounts.
>
> 3. What I did for troubleshooting
> 3.1 debug log
>    The debug level 5 log shows some detailed information:
>
> """
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
> Failed while searching for:
> <WKGUID=AA312825768811D1ADED00C04FD8D5CD,dc=PROD
> USA,dc=mycompany,dc=COM>
>
> libnet_DomainJoin: Failed to pre-create account in OU
> cn=Computers,dc=PROD-USA,dc=mycompany,dc=COM: Operations error
>
> signed SMB2 message
> """
>
> It showed a failure while searching for a well-known object, and the Samba source code shows:
>
> if (asprintf(&base, "<WKGUID=%s,%s>", wknguid, ads->config.bind_path) == -1) {
>         DEBUG(1, ("asprintf failed!\n"));
>         return NULL;
> }
>
> status = ads_search_dn(ads, &res, base, attrs);
> if (!ADS_ERR_OK(status)) {
>         DEBUG(1, ("Failed while searching for: %s\n", base));
>         goto out;
> }
>
> It should be failing at the line: status = ads_search_dn(ads, &res, base, attrs);
>
> However, if I search by ldapsearch command, it works well:
>
> """
> [root at monitor-test-12 ~]# ldapsearch -H ldap://pd11scl-ads-02 -x -W -D
> "username at prod-usa.mycompany.com" -b
> "<WKGUID=AA312825768811D1ADED00C04FD8D5CD
> ,dc=PROD-USA,dc=mycompany,dc=COM>" distinguishedName  -z 2
>
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <<WKGUID=AA312825768811D1ADED00C04FD8D5CD,dc=PROD-USA,dc=mycompany,dc=COM>>
> with scope subtree
>
> # filter: (objectclass=*)
> # requesting: distinguishedName
>
> #
> .....  save some lines of computers information .....
> """
>
> 3.2 If I use "net rpc join -U username", it works
>      This means joining as an NT4 domain succeeds, but this is not what I want.
>
>
> I have requested support from Microsoft to check if there was anything
> wrong on Windows server, but no luck.
>
> I am wondering how to get more details from Samba on why ads_search_dn
> failed. If it could print the root cause, that would help a lot.
>
> Thanks.



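An added example, not part of the thread and not Samba's own code: a small lint for the idmap part of an smb.conf [global] section like the one posted above. It assumes that Samba 4.x ignores the old `idmap uid`, `idmap gid`, `idmap backend` and `idmap domains` parameters (their role moved to `idmap config <DOMAIN> : ...`) and that winbind wants an `idmap config * : range` for the default domain; the sample config is constructed from the poster's settings, not their actual file.

```python
import re

# [global] parameters that Samba 4.x no longer understands (assumption: per the
# 4.x smb.conf man page); their job moved to "idmap config <DOMAIN> : backend/range".
OBSOLETE = {"idmap uid", "idmap gid", "idmap backend", "idmap domains"}

# Constructed sample modelled on the thread's [global] section, not the poster's file.
SAMPLE = """
[global]
        workgroup = PROD-USA
        realm = PROD-USA.MYCOMPANY.COM
        security = ADS
        idmap domains = PROD-USA
        idmap config PROD-USA:range = 10000 - 49999
        idmap config PROD-USA:backend = rid
        idmap backend = tdb
        idmap uid = 10000 - 49999
        idmap gid = 10000 - 49999
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, spaces around ':' removed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][re.sub(r"\s*:\s*", ":", key.lower())] = value
    return conf

def lint_idmap(conf):
    """Return human-readable findings about the idmap setup in [global]."""
    g = conf.get("global", {})
    findings = [f"obsolete parameter '{k}' is ignored" for k in sorted(OBSOLETE & set(g))]
    if g.get("security", "").lower() == "ads" and "realm" not in g:
        findings.append("security = ADS but no realm set")
    ranges = {}  # domain -> (low, high), used to detect overlapping uid/gid ranges
    for key, value in g.items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if not m:
            continue
        lo, hi = (int(x) for x in re.split(r"\s*-\s*", value.strip()))
        if lo >= hi:
            findings.append(f"idmap range for {m.group(1)} is empty ({value})")
        for dom, (plo, phi) in ranges.items():
            if lo <= phi and plo <= hi:  # the two intervals intersect
                findings.append(f"idmap range for {m.group(1)} overlaps {dom}")
        ranges[m.group(1)] = (lo, hi)
    if "*" not in ranges:
        findings.append("no 'idmap config * : range' for the default domain")
    return findings
```

Run `lint_idmap(parse_smb_conf(SAMPLE))` to list the findings; an empty list means the idmap section passed every check here.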