[Samba] Have I managed to join Kali Linux to Windows Active Directory Domain Successfully?

Nico Kadel-Garcia nkadel at gmail.com
Sat Jun 19 23:28:22 UTC 2021


On Fri, Jun 18, 2021 at 10:45 AM Turritopsis Dohrnii Teo En Ming via samba <
samba at lists.samba.org> wrote:

> Dear Rowland Penny,
>
> Thank you for your prompt reply. I will try it out.
>
> > As per normal, there are errors 🙁
>
The article is as bad as going down a stackoverflow page and putting in
*everything* people recommend. Perhaps a letter to the editor is in order?

> > Do not put the DC's host info in /etc/hosts
>

Aaagghh. Yeah, whatever you have in /etc/resolv.conf or configured in your
local DHCP settings should be pointed to the domain controllers, unless
your site is deliberately running multiple sets of DNS controllers for
peculiar reasons and your DNS is quite untrustworthy.

> > The server line it tells you to put in /etc/ntp.conf isn't quite
> > right, it should be:
> >
> > server dc.supermario.corp.net iburst prefer
>
And this should be configured by your local DHCP setups, unless you're
configuring servers that are very deliberately not using DHCP. Note that in
most setups, whatever is in your DHCP for NTP is *aggregated* to the
settings in ntp.conf to generate a quorum for NTP.  And unfortunately, a
lot of NTP or chrony settings have hardcoded locations pointed to, for
example, Red Hat's or CentOS NTP servers, and these should be commented out
if you actually want to rely on complete consistency with your local domain
controllers.

Sadly, merely adding a line to ntp.conf leaves your system's DHCP likely to
be outvoted by NTP quorum generation unless you're quite careful with it.
ntp.conf and ntpd are being phased out by many operating systems which use
chronyd instead: hand editing ntp.conf when your system uses chronyd can
lead to startling behavior.


> > you also need this line:
> >
> > restrict dc.supermario.corp.net mask 255.255.255.255 nomodify notrap
> > nopeer noquery
> >
> > You haven't installed all the required packages, you need:
> >
> > acl xattr krb5-user libpam-krb5 libpam-ccreds auth-client-config samba
> > winbind libpam-winbind libnss-winbind ntp
> >
> > You also need to remove sssd and realmd if they are installed.
>
And beware the command line tool "authconfig", which on Red Hat systems
*keeps re-enabling sssd* when certain RPMs are installed or updated and run
a '%post' RPM operation. authconfig drives me *nuts*, because it makes a
lot of default assumptions and overrides local configurations with no
notification, and it provides no options to set those PAM and related
settings from the command line.

sssd... is also nasty. It relies on Samba libraries, but tries to
"optimize" a whole stack of LDAP behavior with its own
underdocumented ideas about how LDAP should work. I've especially been
bitten by its insistence on pre-caching *ALL* of the LDAP server's data,
which comes up at first but tries to pre-cache *all* of the LDAP
server's content, times out, and fails silently. So LDAP works for about 30
seconds and then fails on the client. It also suffers from the "authconfig
resets things on update, moo-ha-ha" problem.


> > /etc/krb5.conf needs only to have these lines:
>

See notes about authconfig, which can only aggregate entries in
/etc/krb5.conf and has no way to excise out-of-date or accidental entries.
It's a very poor quality command-line tool.

> > You will need to remove every 'sss' from /nsswitch.conf and add
> > 'winbind' to the 'passwd and 'group' lines.
> >
> > Rowland
>
>
Yeah, authconfig and the accumulation of sssd nonsense is *nasty*. I've
been dealing with it with Red Hat based servers for a few years and they're
some of Red Hat's worst tools.
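The checklist Rowland and Nico go through above (no DC entry in /etc/hosts, winbind instead of sss in nsswitch.conf, the DC as an iburst/prefer NTP server with its restrict line, distribution pool servers commented out) can be audited with a short script. This is an added example, not code from the thread or from Samba: it reads copies of the three files given on the command line, the DC name dc.supermario.corp.net is the one used in the thread, and the pool.ntp.org pattern used to spot distribution default servers is an assumption.

```shell
#!/bin/sh
# Added audit helper (not from the thread): checks copies of the client files
# discussed above. DC name and the vendor-pool pattern are assumptions.
DC_HOST="${DC_HOST:-dc.supermario.corp.net}"
DC_RE=$(printf '%s' "$DC_HOST" | sed 's/\./\\./g')   # literal dots for grep -E

# nsswitch.conf: 'passwd' and 'group' must carry winbind and no leftover 'sss'.
check_nsswitch() {
    f="$1"
    if grep -Eq '^(passwd|group):.*[[:space:]]sss([[:space:]]|$)' "$f"; then
        echo "FAIL: sss still present on passwd/group in $f"; return 1
    fi
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|$)" "$f" \
            || { echo "FAIL: $db line lacks winbind in $f"; return 1; }
    done
    echo "OK: nsswitch.conf"
}

# /etc/hosts: the DC must come from DNS, never from a static hosts entry.
check_hosts() {
    if grep -Eq "^[^#]*[[:space:]]$DC_RE([[:space:]]|$)" "$1"; then
        echo "FAIL: $DC_HOST is pinned in $1"; return 1
    fi
    echo "OK: hosts"
}

# ntp.conf: DC is 'server ... iburst prefer', has its restrict line, and the
# distribution's pool entries are commented out so the DC is not outvoted.
check_ntp() {
    f="$1"
    line=$(grep -E "^server[[:space:]]+$DC_RE([[:space:]]|$)" "$f" || true)
    case "$line" in
        *iburst*prefer*|*prefer*iburst*) ;;
        *) echo "FAIL: no 'server $DC_HOST iburst prefer' in $f"; return 1 ;;
    esac
    grep -Eq "^restrict[[:space:]]+$DC_RE[[:space:]].*nomodify" "$f" \
        || { echo "FAIL: restrict line for $DC_HOST missing in $f"; return 1; }
    if grep -Eq '^(server|pool)[[:space:]]+[^[:space:]]*pool\.ntp\.org' "$f"; then
        echo "FAIL: vendor pool servers still active in $f (comment them out)"; return 1
    fi
    echo "OK: ntp.conf"
}

# Usage: sh audit_ad_client.sh /etc/nsswitch.conf /etc/hosts /etc/ntp.conf
[ $# -eq 3 ] && { check_nsswitch "$1"; check_hosts "$2"; check_ntp "$3"; }
```

Run it against copies of the files before rebooting into the new configuration; each function returns non-zero on the first problem it finds, so it is easy to wire into a provisioning check. Note that it only inspects ntp.conf; on a chronyd host the equivalent settings live in chrony.conf, as Nico warns.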

