[Samba] Can't join domain (LDAP error)

O'Connor, Daniel darius at dons.net.au
Sun Nov 8 05:36:11 UTC 2020


Hi,
I'm trying to set up an AD DC in an iocage jail on FreeBSD (to avoid the issues of having the DC be a file server), but I'm running into some trouble.

I've set up Kerberos and can kinit OK:
root@samba-addc:/ # kinit administrator
administrator@BEGER.COM.AU's Password:
root@samba-addc:/ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@BEGER.COM.AU

  Issued                Expires               Principal
Nov  8 15:51:22 2020  Nov  9 01:51:22 2020  krbtgt/BEGER.COM.AU@BEGER.COM.AU

However, when I try to join the domain, it complains about connecting to the LDAP server:
root@samba-addc:/ # samba-tool domain join beger.com.au DC -k yes
INFO 2020-11-08 15:51:30,554 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #107: Finding a writeable DC for domain 'beger.com.au'
INFO 2020-11-08 15:51:30,576 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #109: Found DC gateway2.beger.com.au
Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line 668, in run
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/join.py", line 1539, in join_DC
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/join.py", line 112, in __init__
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 67, in __init__
    options=options)
  File "/usr/local/lib/python3.7/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 82, in connect
    options=options)
root@samba-addc:/ #

'gateway2' is correct (that is what the current DC is called).

ldbsearch does not work either:
root@samba-addc:/ # samba-ldbsearch -H ldap://gateway2.beger.com.au -U beger/darius '(objectclass=person)'
Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldap://gateway2.beger.com.au - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
root@samba-addc:/ #
root@samba-addc:/ # samba-ldbsearch -H ldap://gateway2.beger.com.au -k yes '(objectclass=person)'
Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldap://gateway2.beger.com.au - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

ldbsearch *does* work on the host (i.e. gateway2), though.

Both ldap and ldaps behave the same.

I ran ktrace on ldbsearch and it did not even open a socket, let alone try a connection and fail.

I also tried running it with debugging, but there wasn't anything of interest:
root@samba-addc:/ # samba-ldbsearch -d 10 --debug-stderr -H ldaps://gateway2.beger.com.au -U beger/darius '(objectclass=person)'
INFO: Current debug levels:
  all: 10
...
  Privilege[ 22]: SeImpersonatePrivilege
  Privilege[ 23]: SeCreateGlobalPrivilege
  Privilege[ 24]: SeEnableDelegationPrivilege
 Rights (0x               0):
Failed to connect to ldap URL 'ldaps://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldaps://gateway2.beger.com.au' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldaps://gateway2.beger.com.au - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

--
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
 -- Andrew Tanenbaum
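Before `samba-tool domain join` can talk LDAP to a DC, the jail needs a Kerberos ticket, working DNS SRV lookups for the realm, and TCP reachability to the LDAP/Kerberos ports; a failure that never opens a socket (as the ktrace above shows) is worth separating from a plain network failure. The following preflight script is an added example written for this page, not code from the poster or from the Samba project. It assumes `dig` (dns/bind-tools) and `nc` are installed in the jail; the realm and the DC name come from the post, while the constructed SRV lines in the test and all function names are hypothetical.

```shell
#!/bin/sh
# Preflight checks to run inside the jail before "samba-tool domain join".
# Assumptions (hypothetical, not from the original post): dig and nc are
# installed; the realm below matches the one used in the post.
REALM="beger.com.au"

# Order SRV targets the way a client is expected to try them: lowest
# priority first, then highest weight. Reads "dig +short SRV" output
# ("priority weight port target.") and prints "host:port" lines.
srv_order() {
    sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Look up the SRV record for a service (ldap, kerberos) in the realm.
srv_targets() {
    dig +short SRV "_$1._tcp.$REALM" | srv_order
}

# Return 0 if a TCP connect to host:port succeeds within 3 seconds.
tcp_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

preflight() {
    rc=0
    # 1. "-k yes" needs a TGT in the credential cache; klist exits non-zero
    #    on both Heimdal and MIT when there is none.
    if klist >/dev/null 2>&1; then
        echo "ok    Kerberos ticket cache has tickets"
    else
        echo "FAIL  no Kerberos tickets (run kinit first)"; rc=1
    fi
    # 2. Each service needs SRV records that resolve from inside the jail
    #    and at least one target that accepts a TCP connection.
    for svc in ldap kerberos; do
        targets=$(srv_targets "$svc")
        if [ -z "$targets" ]; then
            echo "FAIL  no SRV record for _$svc._tcp.$REALM (check the jail's resolv.conf)"; rc=1
            continue
        fi
        for hp in $targets; do
            host=${hp%:*}; port=${hp#*:}
            if tcp_open "$host" "$port"; then
                echo "ok    $svc reachable at $host:$port"
            else
                echo "FAIL  $svc not reachable at $host:$port"; rc=1
            fi
            # LDAPS is not advertised via SRV; probe 636 on the LDAP DCs too.
            if [ "$svc" = ldap ] && ! tcp_open "$host" 636; then
                echo "warn  ldaps (636) not reachable at $host"
            fi
        done
    done
    return $rc
}

# Run the checks only when invoked as "sh preflight.sh run".
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

If every line reports `ok` and the join still fails with `NT_STATUS_INVALID_PARAMETER` before any socket is opened, the problem is in the client's local configuration rather than the network path, which narrows where to look next.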
