[Samba] Can't join domain (LDAP error)
O'Connor, Daniel
darius at dons.net.au
Sun Nov 8 05:36:11 UTC 2020
Hi,
I'm trying to set up an AD DC in an iocage jail on FreeBSD (to avoid the issues of having the DC be a file server) but I'm running into some trouble.
I've set up Kerberos and can kinit OK:
root at samba-addc:/ # kinit administrator
administrator at BEGER.COM.AU's Password:
root at samba-addc:/ # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrator at BEGER.COM.AU
Issued Expires Principal
Nov 8 15:51:22 2020 Nov 9 01:51:22 2020 krbtgt/BEGER.COM.AU at BEGER.COM.AU
However, when I try to join the domain it complains about connecting to the LDAP server:
root at samba-addc:/ # samba-tool domain join beger.com.au DC -k yes
INFO 2020-11-08 15:51:30,554 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #107: Finding a writeable DC for domain 'beger.com.au'
INFO 2020-11-08 15:51:30,576 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #109: Found DC gateway2.beger.com.au
Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
return self.run(*args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line 668, in run
backend_store_size=backend_store_size)
File "/usr/local/lib/python3.7/site-packages/samba/join.py", line 1539, in join_DC
backend_store_size=backend_store_size)
File "/usr/local/lib/python3.7/site-packages/samba/join.py", line 112, in __init__
credentials=ctx.creds, lp=ctx.lp)
File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 67, in __init__
options=options)
File "/usr/local/lib/python3.7/site-packages/samba/__init__.py", line 115, in __init__
self.connect(url, flags, options)
File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 82, in connect
options=options)
root at samba-addc:/ #
'gateway2' is correct (that is what the current DC is called).
ldbsearch does not work either:
root at samba-addc:/ # samba-ldbsearch -H ldap://gateway2.beger.com.au -U beger/darius '(objectclass=person)'
Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldap://gateway2.beger.com.au - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
root at samba-addc:/ #
root at samba-addc:/ # samba-ldbsearch -H ldap://gateway2.beger.com.au -k yes '(objectclass=person)'
Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldap://gateway2.beger.com.au - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
ldbsearch *does* work on the host (i.e. gateway2) though.
Both ldap and ldaps behave the same.
I ran ktrace on ldbsearch and it did not even open a socket, let alone try a connection and fail.
I also tried tuning it with debugging but there wasn't anything of interest:
root at samba-addc:/ # samba-ldbsearch -d 10 --debug-stderr -H ldaps://gateway2.beger.com.au -U beger/darius '(objectclass=person)'
INFO: Current debug levels:
all: 10
...
Privilege[ 22]: SeImpersonatePrivilege
Privilege[ 23]: SeCreateGlobalPrivilege
Privilege[ 24]: SeEnableDelegationPrivilege
Rights (0x 0):
Failed to connect to ldap URL 'ldaps://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldaps://gateway2.beger.com.au' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldaps://gateway2.beger.com.au - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
--
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
-- Andrew Tanenbaum