[Samba] Can't join domain (LDAP error)

Rowland penny rpenny at samba.org
Thu May 6 16:29:53 UTC 2021


On 03/05/2021 02:54, Timur I. Bakeyev via samba wrote:
> Hi from the future!
>
> On Mon, 9 Nov 2020 at 08:13, O'Connor, Daniel via samba <
> samba at lists.samba.org> wrote:
>
>>> On 9 Nov 2020, at 14:51, Andrew Bartlett <abartlet at samba.org> wrote:
>>> On Mon, 2020-11-09 at 14:43 +1030, O'Connor, Daniel wrote:
>>>> Good idea.
>>>> First step is building Samba from source which is not a fun
>>>> experience on FreeBSD :(
>>> We do honestly want to make this easier.  Now of course that doesn't
>>> help for a historical bisect, but we are open to and encourage up-
>>> streaming of patches from ports.  (We also ask that patches we reject -
>>> this has happened - be removed from the port, but can't force that).
>> I managed to get the build done with the patches from the FreeBSD port
>> (plus a few mods where they did not apply).
>>
>> However the problem is when I go to bisect all those patches need to be
>> manually re-applied (eg stash push/pop) and then hand fixed which is quite
>> tedious..
>>
>> I did a bit more digging and 4.12.7 works, 4.13.0 is broken (and HEAD).
>>
> The (quite rude, TBH)
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252385 suggests, that the
> problem, possibly,
> was introduced by this Volker's commit:
> https://gitlab.com/samba-team/devel/samba/-/commit/011a2a82953fa910e1e7dee9862fbb5deaae8651
> where sscanf() is invoked with unsupported by FreeBSD `%m` modifier. That,
> obviously, would kill all the URL parsing.
>

I don't know about the code, but don't bother with ldaps for searches;
use Kerberos instead. Believe it or not, it is more secure. Also use the
ldb-tools, it is a lot easier.

As for the 'domain join', I would expect it to fail; you do not use
'-k yes' with -U. I would (after root has run 'kinit Administrator')
expect this to work:

samba-tool domain join smallcatbrain.com DC -k yes \
    --option='dns forwarder=192.168.2.1' \
    --option='idmap_ldb:use rfc2307=yes' \
    --option="vfs objects=zfsacl dfs_samba4 acl_xattr"

Rowland
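
Added example, not part of the original message and not Samba's code: the quoted report blames an sscanf() call that uses the `%m` modifier, which it says FreeBSD does not support. The code below parses an LDAP URL with bounded standard conversions only; the function name parse_ldap_url, the accepted URL shape and the sample URLs are assumptions, since the commit's code is not shown in this thread.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 255  /* longest DNS name, without the terminating NUL */

/* Hypothetical helper (not Samba's code): parse "ldap[s]://host[:port][/]"
 * using only bounded C99 conversions, no "%m". Returns 0 on success, -1 on
 * any malformed or over-long input. */
int parse_ldap_url(const char *url, char host[HOST_MAX + 1], int *port, int *tls)
{
    char scheme[6];                 /* "ldap" or "ldaps" plus NUL */
    int consumed = 0, used = 0, p;
    const char *rest;

    /* Field widths cap each write; %n records where parsing stopped. */
    if (sscanf(url, "%5[^:]://%255[^:/]%n", scheme, host, &consumed) != 2)
        return -1;
    if (strcmp(scheme, "ldap") == 0) { *tls = 0; *port = 389; }
    else if (strcmp(scheme, "ldaps") == 0) { *tls = 1; *port = 636; }
    else return -1;

    rest = url + consumed;
    if (*rest == ':') {
        /* Require a digit so "%d" cannot skip whitespace or take a sign. */
        if (rest[1] < '0' || rest[1] > '9') return -1;
        if (sscanf(rest, ":%5d%n", &p, &used) != 1) return -1;
        if (p < 1 || p > 65535) return -1;
        *port = p;
        rest += used;
    }
    if (*rest == '/') rest++;       /* allow one trailing slash */
    return *rest == '\0' ? 0 : -1;  /* reject anything left over */
}

int main(void)
{
    /* Constructed sample URLs, not taken from the thread. */
    const char *urls[] = { "ldap://dc1.example.com", "ldaps://dc1.example.com:636/",
                           "ldap://dc1.example.com:99999", "http://dc1.example.com" };
    char host[HOST_MAX + 1];
    int port, tls;
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        int rc = parse_ldap_url(urls[i], host, &port, &tls);
        printf("%-32s -> %s\n", urls[i], rc == 0 ? host : "rejected");
    }
    return 0;
}
```

Because every conversion carries a width and the remainder of the string is checked, an over-long host or trailing garbage is rejected rather than truncated silently.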