[Samba] Can't join domain (LDAP error)

O'Connor, Daniel darius at dons.net.au
Sun Nov 8 06:41:21 UTC 2020

> On 8 Nov 2020, at 16:27, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sun, 2020-11-08 at 16:06 +1030, O'Connor, Daniel via samba wrote:
>> Hi,
>> I'm trying to set up an AD DC in an iocage jail on FreeBSD (to avoid the issues of having the DC a file server) but I'm running into some trouble.
>> I've setup Kerberos and can kinit OK:
>> root at samba-addc:/ # kinit administrator
>> administrator at BEGER.COM.AU's Password:
>> root at samba-addc:/ # klist
>> Credentials cache: FILE:/tmp/krb5cc_0
>>         Principal: administrator at BEGER.COM.AU
>>   Issued                Expires               Principal
>> Nov  8 15:51:22 2020  Nov  9 01:51:22 2020  krbtgt/BEGER.COM.AU at BEGER.COM.AU
>> However when I try and join the domain it complains about connecting to the LDAP server:
>> root at samba-addc:/ # samba-tool domain join beger.com.au DC -k yes
>> INFO 2020-11-08 15:51:30,554 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #107: Finding a writeable DC for domain 'beger.com.au'
>> INFO 2020-11-08 15:51:30,576 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #109: Found DC gateway2.beger.com.au
>> Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>> Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>> ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Sorry about the horrible error message.  If you didn't set '-k yes' it
> would just fall back to NTLM.
> You need to set up enough of a krb5.conf for it to find the KDC,
> otherwise it doesn't know where to send the packet to. 

I did specify '-k yes', and I think I have enough krb5.conf for it to work - e.g. kinit works as I would expect (although I barely know anything about Kerberos so..)
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
 -- Andrew Tanenbaum
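As an added illustration of the krb5.conf the reply above refers to (example configuration, not from the thread): the realm and DC hostname are taken from the posted output; that the DC gateway2.beger.com.au is also the KDC is an assumption (true in an AD domain, where every DC runs the KDC).

```ini
# Example krb5.conf for the realm in the thread (added illustration, not from the post).
# Assumes the AD DC gateway2.beger.com.au is the KDC, as every AD DC is.
[libdefaults]
    default_realm = BEGER.COM.AU
    # Also let the library find KDCs through _kerberos._tcp SRV records
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    BEGER.COM.AU = {
        kdc = gateway2.beger.com.au
        admin_server = gateway2.beger.com.au
    }

# Maps the LDAP server's hostname to its realm when a service ticket
# for ldap/gateway2.beger.com.au is requested
[domain_realm]
    .beger.com.au = BEGER.COM.AU
    beger.com.au = BEGER.COM.AU
```

A kinit of a user principal exercises only [libdefaults] and [realms], so it succeeding does not show that the [domain_realm] mapping used for the LDAP service ticket is in place.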
