[Samba] Can't join domain (LDAP error)
rpenny at samba.org
Sun Nov 8 09:54:53 UTC 2020
On 08/11/2020 05:36, O'Connor, Daniel via samba wrote:
> I'm trying to set up an AD DC in an iocage jail on FreeBSD (to avoid the issues of having the DC a file server) but I'm running into some trouble.
> I've set up Kerberos and can kinit OK:
> root at samba-addc:/ # kinit administrator
> administrator at BEGER.COM.AU's Password:
> root at samba-addc:/ # klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: administrator at BEGER.COM.AU
> Issued Expires Principal
> Nov 8 15:51:22 2020 Nov 9 01:51:22 2020 krbtgt/BEGER.COM.AU at BEGER.COM.AU
> However when I try and join the domain it complains about connecting to the LDAP server:
> ldbsearch does not work either:
> root at samba-addc:/ # samba-ldbsearch -H ldap://gateway2.beger.com.au -U beger/darius '(objectclass=person)'
> Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
I always shudder when I read FreeBSD, jails and AD in the same sentence;
it never seems to work 😭
You do have what appears to be a mistake in your ldbsearch command: you
have 'beger/darius', it should be 'BEGER\\darius'. Note the forward
slash replaced by two backslashes, one to escape the other.
On Linux, provided you have (at least) this in /etc/krb5.conf:
default_realm = BEGER.COM.AU
and dns is set up correctly, then it should work.
I know little about FreeBSD jails, but if I understand them correctly,
they are very similar to using a chroot on Linux, and I wouldn't want to
try and run a second DC in a chroot.
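A pre-flight script for the points raised in this reply (default_realm in krb5.conf, the DOMAIN\user form of the -U argument, and the DNS SRV records a client uses to find a DC), added here as an example and not part of the thread or of Samba. The realm BEGER.COM.AU is taken from the thread; the krb5.conf it writes is a constructed sample, and the preflight function assumes host(1) is available.

```sh
#!/bin/sh
# Added example, not from the thread: pre-flight checks before a Samba domain join.
# Realm BEGER.COM.AU is the one from the thread; file paths are parameters so the
# functions can be exercised against a constructed krb5.conf.

# Print the default_realm set in a krb5.conf (first match, spaces/tabs tolerated).
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Rewrite a -U argument given as DOMAIN/user or DOMAIN\user into the DOMAIN\user
# form the reply recommends, upper-casing the domain part. Bare usernames pass through.
normalise_user_arg() {
    arg=$1
    case $arg in
        */*)  dom=${arg%%/*};  user=${arg#*/} ;;
        *\\*) dom=${arg%%\\*}; user=${arg#*\\} ;;
        *)    printf '%s\n' "$arg"; return 0 ;;
    esac
    dom=$(printf '%s' "$dom" | tr '[:lower:]' '[:upper:]')
    printf '%s\\%s\n' "$dom" "$user"
}

# The SRV records a client resolves to locate a DC for LDAP and Kerberos in a realm.
srv_names() {
    realm=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '_ldap._tcp.dc._msdcs.%s\n_kerberos._tcp.%s\n_ldap._tcp.%s\n' "$realm" "$realm" "$realm"
}

# Constructed sample krb5.conf, written to the path given, for offline testing.
write_sample_krb5conf() {
    printf '[libdefaults]\n\tdefault_realm = BEGER.COM.AU\n' > "$1"
}

# Live check (needs a resolver and host(1)): report whether each SRV name resolves.
# Usage: preflight 'beger/darius' [/path/to/krb5.conf]
preflight() {
    command -v host >/dev/null 2>&1 || { echo "host(1) not found"; return 1; }
    realm=$(krb5_default_realm "${2:-/etc/krb5.conf}")
    [ -n "$realm" ] || { echo "no default_realm in krb5.conf"; return 1; }
    echo "realm: $realm   -U argument: $(normalise_user_arg "$1")"
    for n in $(srv_names "$realm"); do
        if host -t SRV "$n" >/dev/null 2>&1; then echo "ok      $n"; else echo "MISSING $n"; return 1; fi
    done
}
```

If a SRV name is reported MISSING while kinit still works, the client is finding the KDC by some other route (for example a hard-coded kdc entry) and the LDAP locator step is the one that will fail at join time.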