[Samba] Can't join domain (LDAP error)

Andrew Bartlett abartlet at samba.org
Sun Nov 8 05:57:39 UTC 2020

On Sun, 2020-11-08 at 16:06 +1030, O'Connor, Daniel via samba wrote:
> Hi,
> I'm trying to set up an AD DC in an iocage jail on FreeBSD (to avoid the issues of having the DC a file server) but I'm running into some trouble.
> I've setup Kerberos and can kinit OK:
> root at samba-addc:/ # kinit administrator
> administrator at BEGER.COM.AU's Password:
> root at samba-addc:/ # klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: administrator at BEGER.COM.AU
>   Issued                Expires               Principal
> Nov  8 15:51:22 2020  Nov  9 01:51:22 2020  krbtgt/BEGER.COM.AU at BEGER.COM.AU
> However when I try and join the domain it complains about connecting to the LDAP server:
> root at samba-addc:/ # samba-tool domain join beger.com.au DC -k yes
> INFO 2020-11-08 15:51:30,554 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #107: Finding a writeable DC for domain 'beger.com.au'
> INFO 2020-11-08 15:51:30,576 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #109: Found DC gateway2.beger.com.au
> Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

Sorry about the horrible error message.  If you didn't set '-k yes' it
would just fall back to NTLM.

You need to set up enough of a krb5.conf for it to find the KDC,
otherwise it doesn't know where to send the packet to. 

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT
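A minimal krb5.conf of the kind the reply asks for, added here as an illustration and not taken from the original thread or from Samba's own documentation. It uses the realm and DC name that appear in the post (BEGER.COM.AU, gateway2.beger.com.au); the file path, the DNS-based lookup and the explicit fallback KDC entry are assumptions, not something the poster confirmed:

```ini
; /etc/krb5.conf on the joining host (assumed path; Samba's bundled
; Kerberos library reads this file, or whatever KRB5_CONFIG points at).
; Realm and DC hostname are taken from the original post.

[libdefaults]
    ; Realm used when a principal is given without one, e.g. "kinit administrator".
    default_realm = BEGER.COM.AU
    ; Do not try to derive the realm from DNS TXT records.
    dns_lookup_realm = false
    ; Find KDCs via the _kerberos._udp/_tcp SRV records that an AD DC publishes.
    ; This is what lets samba-tool know where to send the Kerberos request.
    dns_lookup_kdc = true

[realms]
    ; Optional explicit KDC entry (assumed). Only needed if the SRV records are
    ; not resolvable from this host; with dns_lookup_kdc = true it is a fallback.
    BEGER.COM.AU = {
        kdc = gateway2.beger.com.au
        admin_server = gateway2.beger.com.au
    }

[domain_realm]
    ; Map hostnames under the DNS domain to the Kerberos realm.
    .beger.com.au = BEGER.COM.AU
    beger.com.au = BEGER.COM.AU
```

Before retrying the join with -k yes, check that the SRV records the DNS-based lookup relies on actually resolve from inside the jail, for example with host -t SRV _kerberos._udp.beger.com.au; if they do not, the explicit kdc line is what keeps the lookup working.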
