[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
Michael Evans
michael.evans at nor-consult.com
Wed Nov 17 02:28:30 UTC 2021
-----Original Message-----
From: Michael Evans [mailto:michael.evans at nor-consult.com]
Sent: Tuesday, November 16, 2021 4:37 PM
To: 'Rowland Penny'
Cc: 'samba at lists.samba.org'
Subject: RE: [Samba] Unable to net ads join samba to an active directory
domain Failed to join domain: failed to connect to AD: Can't contact LDAP
server
-----Original Message-----
From: Michael Evans [mailto:michael.evans at nor-consult.com]
Sent: Tuesday, November 16, 2021 3:11 PM
To: 'Rowland Penny'
Subject: RE: [Samba] Unable to net ads join samba to an active directory
domain Failed to join domain: failed to connect to AD: Can't contact LDAP
server
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland
Penny via samba
Sent: Tuesday, November 16, 2021 2:54 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Unable to net ads join samba to an active directory
domain Failed to join domain: failed to connect to AD: Can't contact LDAP
server
On Tue, 2021-11-16 at 14:12 -0800, Michael Evans via samba wrote:
>
> -----------
Changes since the initial email:
As the error happened while communicating with the LDAP server, I wanted to
troubleshoot that specifically.
apt install ldap-utils libsasl2-modules-gssapi-heimdal
kinit r2
... the earlier net ads join
ldapsearch -H ldap://ad-mo3.nc.nor-consult.com -Y GSSAPI -b 'DC=nc,DC=nor-consult,DC=com'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (see text) (Matching credential
(ldap/fd00:6959:d45d:200::23 at NC.NOR-CONSULT.COM) not found)
The ldapsearch test, BUT NOT MY ISSUE, was _resolved_ by these steps on the
DC.
# Add in-addr.arpa and ip6.arpa reverse lookup zones (I would have
appreciated -k also working for Kerberos auth here)
# static IPv4 /16 netmask
samba-tool dns zonecreate ::1 2.10.in-addr.arpa -U Administrator
samba-tool dns add ::1 2.10.in-addr.arpa 35.0 PTR ad-mo3.nc.nor-consult.com -U Administrator
# static IPv6 /60 netmask
samba-tool dns zonecreate ::1 0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa -U Administrator
samba-tool dns add ::1 0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa 3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR ad-mo3.nc.nor-consult.com -U Administrator
Test method:
host 10.2.0.35
35.0.2.10.in-addr.arpa domain name pointer ad-mo3.nc.nor-consult.com.
host fd00:6959:d45d:200::23
3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa
domain name pointer ad-mo3.nc.nor-consult.com.
Note: the output of host is particularly useful as it reverses and divides
the uncompressed IPv6 notation exactly as necessary on error:
3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa has no PTR record
Simple cut and paste string operations are sufficient.
Unfortunately, while the above should probably be added to the Setup
Instructions and Tests for the Samba AD DC wiki page, and would probably save
future headaches...
my /etc/samba/smb.conf file, as far as I can tell from the documentation,
matches what the Samba Wiki suggests I should begin with.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
[global]
workgroup = NC
security = ADS
realm = NC.NOR-CONSULT.COM
#server role = member server
bind interfaces only = yes
interfaces = 127.0.0.1 10.2.0.45 ::1 fd00:6959:d45d:200::2d
idmap config ad
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
# Only for testing
winbind enum users = yes
winbind enum groups = yes
Joining a Samba (non DC) server to the domain with an Administrator / admin
equivalent user still fails, be it with -k OR -U someaccount.
net ads join -U r2 -d 10
...
sitename_store: realm = [nc.nor-consult.com], sitename =
[Default-First-Site-Name], expire = [2085923199]
gencache_set_data_blob: Adding cache entry with
key=[AD_SITENAME/DOMAIN/NC.NOR-CONSULT.COM] and timeout=[Wed Dec 31 11:59:59
PM -2147481749 UTC] (67768034554563044 seconds ahead)
Successfully contacted LDAP server 10.2.0.35
Opening connection to LDAP server 'ad-mo3.nc.nor-consult.com:389', timeout
15 seconds
Connecting to 10.2.0.35 at port 389
Initialized connection for LDAP server
'ldap://ad-mo3.nc.nor-consult.com:389'
Connected to LDAP server ad-mo3.nc.nor-consult.com
ads_closest_dc: NBT_SERVER_CLOSEST flag set
saf_store: domain = [NC], server = [ad-mo3.nc.nor-consult.com], expire =
[1637114655]
gencache_set_data_blob: Adding cache entry with key=[SAF/DOMAIN/NC] and
timeout=[Wed Nov 17 02:04:15 AM 2021 UTC] (900 seconds ahead)
saf_store: domain = [nc.nor-consult.com], server =
[ad-mo3.nc.nor-consult.com], expire = [1637114655]
gencache_set_data_blob: Adding cache entry with
key=[SAF/DOMAIN/NC.NOR-CONSULT.COM] and timeout=[Wed Nov 17 02:04:15 AM 2021
UTC] (900 seconds ahead)
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password_ext: as r2 at NC.NOR-CONSULT.COM using
[MEMORY:libnet_join_user_creds] as ccache and config
[/run/samba/smb_krb5/krb5.conf.NC]
kerberos_kinit_password_ext: r2 at NC.NOR-CONSULT.COM mapped to
r2 at NC.NOR-CONSULT.COM
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x5593ee54dba0]: subreq: 0x5593ee549270
gensec_update_send: spnego[0x5593ee568460]: subreq: 0x5593ee579b20
gensec_update_done: gse_krb5[0x5593ee54dba0]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x5593ee549270/../../source3/librpc/crypto/gse.c:848]: state[2]
error[0 (0x0)] state[struct gensec_gse_update_state (0x5593ee549420)]
timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
gensec_update_done: spnego[0x5593ee568460]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x5593ee579b20/../../auth/gensec/spnego.c:1631]: state[2] error[0
(0x0)] state[struct gensec_spnego_update_state (0x5593ee579cd0)]
timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
ldap/ad-mo3.nc.nor-consult.com with user[r2] realm[NC.NOR-CONSULT.COM]:
Can't contact LDAP server
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com
with user[r2] realm[NC.NOR-CONSULT.COM]: Can't contact LDAP server, fallback
to NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x62088235 (1644724789)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
1: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ''
WorkstationLen : 0x0000 (0)
WorkstationMaxLen : 0x0000 (0)
Workstation : *
Workstation : ''
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
gensec_update_send: ntlmssp[0x5593ee54dba0]: subreq: 0x5593ee549270
gensec_update_send: spnego[0x5593ee568460]: subreq: 0x5593ee57dc80
gensec_update_done: ntlmssp[0x5593ee54dba0]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x5593ee549270/../../auth/ntlmssp/ntlmssp.c:180]: state[2]
error[0 (0x0)] state[struct gensec_ntlmssp_update_state (0x5593ee549420)]
timer[(nil)] finish[../../auth/ntlmssp/ntlmssp.c:215]
gensec_update_done: spnego[0x5593ee568460]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x5593ee57dc80/../../auth/gensec/spnego.c:1631]: state[2] error[0
(0x0)] state[struct gensec_spnego_update_state (0x5593ee57de30)]
timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
ads_sasl_spnego_gensec_bind(NTLMSSP) failed for
ldap/ad-mo3.nc.nor-consult.com with user[r2] realm=[NC.NOR-CONSULT.COM]:
Can't contact LDAP server
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : 'V-FS5$'
netbios_domain_name : 'NC'
dns_domain_name : 'nc.nor-consult.com'
forest_name : 'nc.nor-consult.com'
dn : NULL
domain_guid : 250143d6-aebe-440e-94c5-f27c7af7857b
domain_sid : *
domain_sid :
S-1-5-21-3458735564-2487305582-1134572456
modified_config : 0x00 (0)
error_string : 'failed to connect to AD: Can't
contact LDAP server'
domain_is_ad : 0x01 (1)
set_encryption_types : 0x00000000 (0)
krb5_salt : NULL
result : WERR_NERR_DEFAULTJOINREQUIRED
return code = -1
Failed to join domain: failed to connect to AD: Can't contact LDAP server
Which, reminder, did work with Kerberos / GSSAPI auth in tests on the same
machine.
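The reverse-zone steps in the message above (the /16 in-addr.arpa and /60 ip6.arpa zones and the PTR labels passed to samba-tool dns) can be derived mechanically instead of by cut and paste. The following is an added example, not code from the original post or from Samba: it splits an address into the zone name and the relative record name for a given prefix length and prints the equivalent samba-tool commands. The helper names, the server address ::1 and the user Administrator are assumptions taken from the commands in the post.

```python
import ipaddress


def reverse_zone_parts(address: str, prefix_len: int) -> tuple[str, str]:
    """Return (zone, relative_name) for a reverse-lookup PTR record.

    IPv4 zones are cut on whole octets (prefix a multiple of 8), IPv6 zones
    on whole nibbles (prefix a multiple of 4), matching the /16 and /60
    cases used on the DC above.
    """
    ip = ipaddress.ip_address(address)
    if not 0 <= prefix_len <= ip.max_prefixlen:
        raise ValueError(f"prefix /{prefix_len} is out of range for {address}")
    bits_per_label = 8 if ip.version == 4 else 4
    if prefix_len % bits_per_label:
        raise ValueError(
            f"IPv{ip.version} reverse zones need a prefix that is a "
            f"multiple of {bits_per_label}"
        )
    # reverse_pointer gives the fully reversed name, e.g.
    # '35.0.2.10.in-addr.arpa' or the 32-nibble '3.2.0. ... .d.f.ip6.arpa'
    # form that `host` prints when no PTR record exists.
    labels = ip.reverse_pointer.split(".")
    suffix = labels[-2:]          # ['in-addr', 'arpa'] or ['ip6', 'arpa']
    addr_labels = labels[:-2]     # reversed octets or nibbles
    zone_labels = prefix_len // bits_per_label
    cut = len(addr_labels) - zone_labels
    zone = ".".join(addr_labels[cut:] + suffix)
    # A host whose prefix covers the whole address lives at the zone apex.
    relative = ".".join(addr_labels[:cut]) or "@"
    return zone, relative


def samba_tool_dns_commands(address: str, prefix_len: int, fqdn: str,
                            server: str = "::1",
                            user: str = "Administrator") -> list[str]:
    """Build the zonecreate/add pair shown in the post for one PTR record."""
    zone, relative = reverse_zone_parts(address, prefix_len)
    return [
        f"samba-tool dns zonecreate {server} {zone} -U {user}",
        f"samba-tool dns add {server} {zone} {relative} PTR {fqdn} -U {user}",
    ]


if __name__ == "__main__":
    # Constructed input: the DC addresses quoted in the message above.
    for addr, plen in (("10.2.0.35", 16), ("fd00:6959:d45d:200::23", 60)):
        print("\n".join(samba_tool_dns_commands(addr, plen,
                                                "ad-mo3.nc.nor-consult.com")))
```

Run the file to print the four commands; compare them against the ones typed on the DC before relying on the output for another subnet.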