[Samba] Can't join domain (LDAP error)

Rowland penny rpenny at samba.org
Sun Nov 8 09:54:53 UTC 2020

On 08/11/2020 05:36, O'Connor, Daniel via samba wrote:
> Hi,
> I'm trying to set up an AD DC in an iocage jail on FreeBSD (to avoid the issues of having the DC a file server) but I'm running into some trouble.
> I've setup Kerberos and can kinit OK:
> root at samba-addc:/ # kinit administrator
> administrator at BEGER.COM.AU's Password:
> root at samba-addc:/ # klist
> Credentials cache: FILE:/tmp/krb5cc_0
>          Principal: administrator at BEGER.COM.AU
>    Issued                Expires               Principal
> Nov  8 15:51:22 2020  Nov  9 01:51:22 2020  krbtgt/BEGER.COM.AU at BEGER.COM.AU
> However when I try and join the domain it complains about connecting to the LDAP server:
> ldbsearch does not work either:
> root at samba-addc:/ # samba-ldbsearch -H ldap://gateway2.beger.com.au -U beger/darius '(objectclass=person)'
> Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER

I always shudder when I read Freebsd, jails and AD in the same sentence, 
it never seems to work 😭

You do have what appears to be a mistake in your ldbsearch command, you 
have 'beger/darius', it should be 'BEGER\\darius', note the forward 
slash replaced by two backslashes, one to escape the other.

On Linux, provided you have (at least) this in /etc/krb5.conf:

     default_realm = BEGER.COM.AU

and dns is set up correctly, then it should work.

I know little about Freebsd jails, but if I understand them correctly, 
they are very similar to using a chroot on Linux and I wouldn't want to 
try and run a second DC in a chroot.


More information about the samba mailing list