[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
Michael Evans
michael.evans at nor-consult.com
Wed Nov 17 00:37:28 UTC 2021
-----Original Message-----
From: Michael Evans [mailto:michael.evans at nor-consult.com]
Sent: Tuesday, November 16, 2021 3:11 PM
To: 'Rowland Penny'
Subject: RE: [Samba] Unable to net ads join samba to an active directory
domain Failed to join domain: failed to connect to AD: Can't contact LDAP
server
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland
Penny via samba
Sent: Tuesday, November 16, 2021 2:54 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Unable to net ads join samba to an active directory
domain Failed to join domain: failed to connect to AD: Can't contact LDAP
server
On Tue, 2021-11-16 at 14:12 -0800, Michael Evans via samba wrote:
>
> [global]
> workgroup = NC
> security = ADS
> realm = NC.NOR-CONSULT.COM
> #server role = member server
>
> idmap config ad
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> winbind refresh tickets = Yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind use default domain = yes
>
> # Only for testing
> winbind enum users = yes
> winbind enum groups = yes
>
> -----------
Try reading the documentation again, your smb.conf is missing huge
chunks, you will also need to specify which network interface Samba has
to use. My advice would be to only use IPv4 and turn IPv6 off.
Is Samba running during the join attempts ? If it is, turn it off, it
shouldn't be.
Rowland
--
What sections do you believe are missing, and how would those impact joining
the active directory domain?
Shares are missing, but none have been setup yet, that's a future me
problem.
ID mapping is based on RFC2307 and stored within the active directory; is "
idmap config ad" sufficient for that task? That is my understanding from
the Samba AD Domain Member documentation.
I did not "optionally map the domain Administrator account to the local root
account on a Unix domain member.", as I don't need that account
authenticating to operate as root on each server. I have ssh and keybased
auth already.
All of the samba services are presently turned off, though I did try
starting up winbind at one point to see if that's why the join had failed.
++
I did add the bind interfaces to smb.conf [global]
bind interfaces only = yes
interfaces = 127.0.0.1 10.2.0.45 ::1 fd00:6959:d45d:200::2d
As the error happened while communicating with the LDAP server I wanted to
troubleshoot that in specific.
apt install ldap-utils libsasl2-modules-gssapi-heimdal
kinit r2
... the earlier net ads join
ldapsearch -H ldap://ad-mo3.nc.nor-consult.com -Y GSSAPI -b
'DC=nc,DC=nor-consult,DC=com'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (see text) (Matching credential
(ldap/fd00:6959:d45d:200::23 at NC.NOR-CONSULT.COM) not found)
root at v-fs5:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: r2 at NC.NOR-CONSULT.COM
Valid starting Expires Service principal
11/16/2021 23:20:11 11/17/2021 09:20:11
krbtgt/NC.NOR-CONSULT.COM at NC.NOR-CONSULT.COM
renew until 11/17/2021 23:20:08
11/16/2021 23:20:28 11/17/2021 09:20:11
cifs/ad-mo3.nc.nor-consult.com at NC.NOR-CONSULT.COM
11/16/2021 23:20:34 11/17/2021 09:20:11
ldap/ad-mo3.nc.nor-consult.com at NC.NOR-CONSULT.COM
kdestroy ; kinit r2 doesn't create the ldap ticket.
I find it interesting that the credential failure wants a ticket against the
IPv6 address in specific, rather than the hostname. Is that an issue
related to running samba 4.13.x on the AD DC and/or member server?
Even Debian unstable is only shipping 4.13 though.
More information about the samba
mailing list