[Samba] Can't join domain (LDAP error)
Andrew Bartlett
abartlet at samba.org
Sun Nov 8 05:57:39 UTC 2020
On Sun, 2020-11-08 at 16:06 +1030, O'Connor, Daniel via samba wrote:
> Hi,
> I'm trying to set up an AD DC in an iocage jail on FreeBSD (to avoid the issues of having the DC a file server) but I'm running into some trouble.
>
> I've setup Kerberos and can kinit OK:
> root at samba-addc:/ # kinit administrator
> administrator at BEGER.COM.AU's Password:
> root at samba-addc:/ # klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: administrator at BEGER.COM.AU
>
> Issued Expires Principal
> Nov 8 15:51:22 2020 Nov 9 01:51:22 2020 krbtgt/BEGER.COM.AU at BEGER.COM.AU
>
> However when I try and join the domain it complains about connecting to the LDAP server:
> root at samba-addc:/ # samba-tool domain join beger.com.au DC -k yes
> INFO 2020-11-08 15:51:30,554 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #107: Finding a writeable DC for domain 'beger.com.au'
> INFO 2020-11-08 15:51:30,576 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #109: Found DC gateway2.beger.com.au
> Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Sorry about the horrible error message. If you didn't set '-k yes' it
would just fall back to NTLM.
You need to set up enough of a krb5.conf for it to find the KDC,
otherwise it doesn't know where to send the packet to.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT
http://catalyst.net.nz/services/samba
More information about the samba
mailing list