[Samba] Not able to join Debian 10 to AD using winbind
Rowland Penny
rpenny at samba.org
Tue Nov 2 10:02:02 UTC 2021
On Tue, 2021-11-02 at 15:14 +0530, Sac Isilia wrote:
> Hi Rowland,
>
> Below is the output.
>
> --------------------------------------------------
> Config collected --- 2021-11-02-09:40 -----------
>
>
> Hostname: AZEUW1PAPL44
> DNS Domain: emea.media.global.loc
> Realm: EMEA.MEDIA.GLOBAL.LOC
> FQDN: AZEUW1PAPL44.emea.media.global.loc
> ipaddress: 10.19.60.25
>
> -----------
>
> This computer is running Debian 10.11 x86_64
>
> -----------
>
> Samba is running as a Unix domain member
>
> -----------
>
> The first nameserver in /etc/resolv.conf is not an AD DC.
> It should be one of these IP's: 10.49.67.180 10.34.54.47 10.190.0.7
> 10.19.17.133 10.8.32.53 10.19.28.101 10.53.4.3 10.53.75.3 10.8.32.54
> 10.190.0.6 10.19.17.132 10.19.77.158 10.19.46.196 10.19.209.4
> 10.19.28.100 10.53.4.2 10.19.209.5 10.19.26.137 10.49.214.7 10.43.2.2
> 10.19.26.136 10.48.128.12 10.34.54.46
Quite a list; choose one and set it as the first nameserver (preferably
the one with the PDC_Emulator FSMO role).
>
> -----------
>
> /etc/hosts
>
> 127.0.0.1 localhost
> 10.19.60.25 AZEUW1PAPL44.emea.media.global.loc AZEUW1PAPL44
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Kerberos SRV _kerberos._tcp.emea.media.global.loc record(s) verified
> ok, sample output:
> ;; Truncated, retrying in TCP mode.
> Server: 10.190.0.4
> Address: 10.190.0.4#53
>
>
> -----------
>
> 'kinit Administrator' password checked failed.
> Wrong password or kerberos REALM problems.
Check /etc/krb5.conf
>
> -----------
>
> /etc/samba/smb.conf
>
> # Global parameters
> [global]
> dedicated keytab file = /etc/krb5.keytab
> dns proxy = No
> domain master = No
> kerberos method = secrets and keytab
> local master = No
> log file = /var/log/samba/log.%m
> max log size = 1000
> obey pam restrictions = Yes
> panic action = /usr/share/samba/panic-action %d
> preferred master = No
> realm = EMEA.MEDIA.GLOBAL.LOC
> restrict anonymous = 2
> security = ADS
> syslog = 0
> template shell = /bin/bash
> username map = /etc/samba/user.map
> usershare allow guests = Yes
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = EMEA-MEDIA
> idmap config * : range = 10000-9999999
> idmap config * : backend = autorid
> map acl inherit = Yes
> vfs objects = acl_xattr
>
>
> [homes]
> browseable = No
> comment = Home Directories
> create mask = 0700
> directory mask = 0700
> read only = No
> valid users = %S
>
>
> [printers]
> browseable = No
> comment = All Printers
> create mask = 0700
> path = /var/spool/samba
> printable = Yes
>
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
>
> Running as Unix domain member and user.map detected.
>
> Contents of /etc/samba/user.map
>
> !root = EMEA-MEDIA\\Test_Sachin
Unless you have changed 'Administrator' with 'TEST_Sachin', set it to
'!root = EMEA-MEDIA\Administrator' (you also only use one '\')
>
> Server Role is set to : MEMBER SERVER
>
> -----------
>
> There are too many occurences of 'winbind' in /etc/nsswitch.conf.
> They should only be set on the 'passwd' & 'group' lines.
As it says.
>
>
> Time on the DC with PDC Emulator role is: 2021-11-02T09:40:39
>
>
> Time on this computer is: 2021-11-02T09:40:39
>
>
> Time verified ok, within the allowed 300sec margin.
> Time offset is currently : 0 seconds.
>
>
> -----------
>
>
>
> These required packages are not installed: libpam-winbind libpam-
> krb5 libnss-winbind acl
You MUST install those packages.
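
Added example, not part of the original message and not the code of the script that produced the report: three of the checks discussed above (first nameserver is an AD DC, 'winbind' only on the passwd and group lines of nsswitch.conf, single backslash in the username map) written as small shell functions. The function names and the sample nsswitch.conf content are assumptions made for illustration; the addresses and the user.map line are the ones shown in the report.

```shell
#!/bin/sh
# Added example (not from the thread): three of the report's checks as functions.
# Each takes a file path, so it can be run on copies as well as on /etc.

# Print the first "nameserver" address in a resolv.conf-style file.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Succeed only if the first nameserver in file $1 is one of the DC
# addresses passed as the remaining arguments.
first_nameserver_is_dc() {
    ns=$(first_nameserver "$1"); shift
    for dc in "$@"; do
        [ "$ns" = "$dc" ] && return 0
    done
    return 1
}

# Print nsswitch databases other than passwd/group that list winbind.
stray_winbind() {
    awk -F: '/^[ \t]*#/ { next }
        NF >= 2 {
            db = $1; gsub(/[ \t]/, "", db)
            if (db != "passwd" && db != "group" &&
                $2 ~ /(^|[ \t])winbind([ \t]|$)/) print db
        }' "$1"
}

# Print username-map lines that contain a doubled backslash.
doubled_backslash() {
    grep -F '\\' "$1"
}

# Constructed sample files: the addresses and the map line are the ones in
# the report, the nsswitch.conf content is made up for the demonstration.
tmp=$(mktemp -d)
printf 'nameserver 10.190.0.4\nnameserver 10.19.26.136\n' > "$tmp/resolv.conf"
printf 'passwd: files winbind\ngroup: files winbind\nshadow: files winbind\n' \
    > "$tmp/nsswitch.conf"
printf '%s\n' '!root = EMEA-MEDIA\\Test_Sachin' > "$tmp/user.map"

first_nameserver_is_dc "$tmp/resolv.conf" 10.19.26.136 10.190.0.6 10.190.0.7 ||
    echo "first nameserver $(first_nameserver "$tmp/resolv.conf") is not an AD DC"
echo "winbind on unexpected lines: $(stray_winbind "$tmp/nsswitch.conf")"
doubled_backslash "$tmp/user.map" > /dev/null &&
    echo "user.map: use a single backslash between domain and user"
rm -rf "$tmp"
```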