[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
Michael Evans
michael.evans at nor-consult.com
Wed Nov 17 21:11:29 UTC 2021
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland
Penny via samba
Sent: Wednesday, November 17, 2021 1:57 AM
To: sambalist
Subject: Re: [Samba] Unable to net ads join samba to an active directory
domain Failed to join domain: failed to connect to AD: Can't contact LDAP
server
On Tue, 2021-11-16 at 15:10 -0800, Michael Evans wrote:
> What sections do you believe are missing, and how would those impact
> joining
> the active directory domain?
>
> Shares are missing, but none have been setup yet, that's a future me
> problem.
That wasn't your problem.
>
> ID mapping is based on RFC2307 and stored within the active
> directory; is "
> idmap config ad" sufficient for that task? That is my understanding
> from
> the Samba AD Domain Member documentation.
Then read it again, this time follow the hyperlinks
>
> I did not "optionally map the domain Administrator account to the
> local root
> account on a Unix domain member.", as I don't need that account
> authenticating to operate as root on each server. I have ssh and
> key-based
> auth already.
That isn't what it is added for, it allows you to set permissions from
Windows, you need it.
>
> All of the samba services are presently turned off, though I did try
> starting up winbind at one point to see if that's why the join had
> failed.
>
What OS is this? Is something like a firewall getting in the way?
Rowland
Your third point: If I DO need it then it isn't _optional_ and the
documentation is incorrect / confusing.
Still, which sections, what keywords should I be looking for, and more to
the point, why aren't those in the Member Server documentation to begin
with, without external references?
Any inconsistencies at all.
nslookup 10.2.0.35
35.0.2.10.in-addr.arpa name = ad-mo3.nc.nor-consult.com.
I added the reverse DNS entries manually; they weren't even needed for the
Win10 join to the domain. Does Samba perform a case-sensitive compare? The
guide's example is DC1.realm (lowercase), and I only ever think of DNS
entries as lowercased because that's the normal convention.
Time synchronization; VM, sntp run daily by schedule.
"If you need your users to have different login shells and/or Unix home
directory paths, or you want them to have the same ID everywhere, you will
need to use the winbind 'ad' backend and add RFC2307 attributes to AD."
Yes, I need that, and have done that on the DC.
Documentation error: Hyperlink is NOT default hyperlink colors and NOT
underlined.
idmap config ad <<< That looks like just text with emphasis, NOT a
hyperlink.
This table of 3 options should instead be broken out to small sections, each
with a single (current version) template example and a link to the full set
of directions. Ideally all three examples would fit on a typical PC screen
when viewing the wiki.
https://wiki.samba.org/index.php/Idmap_config_ad
The Config AD Backend and NSS info sections should be in that order, not the
NSS then AD order.
This still fails (r2 is in every group Administrator is in; I expect the
same output)
net ads join -U r2 -d 5 2>&1
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for nc.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
saf_fetch: failed to find server for "nc.nor-consult.com" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for nc.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
create_local_private_krb5_conf_for_domain: wrote file
/run/samba/smb_krb5/krb5.conf.NC with realm NC.NOR-CONSULT.COM KDC list =
kdc = [fd00:6959:d45d:200::23]:88
kdc = 10.2.0.35
sitename_fetch: Returning sitename for realm 'NC.NOR-CONSULT.COM':
"Default-First-Site-Name"
name ad-mo3.nc.nor-consult.com#20 found.
ads_try_connect: sending CLDAP request to 10.2.0.35 (realm:
nc.nor-consult.com)
Successfully contacted LDAP server 10.2.0.35
Connecting to 10.2.0.35 at port 389
Connected to LDAP server ad-mo3.nc.nor-consult.com
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
----- It HANGS here for subjectively forever, probably 15+ min.
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
ldap/ad-mo3.nc.nor-consult.com with user[r2] realm[NC.NOR-CONSULT.COM]:
Can't contact LDAP server
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com
with user[r2] realm[NC.NOR-CONSULT.COM]: Can't contact LDAP server, fallback
to NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
ads_sasl_spnego_gensec_bind(NTLMSSP) failed for
ldap/ad-mo3.nc.nor-consult.com with user[r2] realm=[NC.NOR-CONSULT.COM]:
Can't contact LDAP server
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : 'V-FS5$'
netbios_domain_name : 'NC'
dns_domain_name : 'nc.nor-consult.com'
forest_name : 'nc.nor-consult.com'
dn : NULL
domain_guid : 250143d6-aebe-440e-94c5-f27c7af7857b
domain_sid : *
domain_sid :
S-1-5-21-3458735564-2487305582-1134572456
modified_config : 0x00 (0)
error_string : 'failed to connect to AD: Can't
contact LDAP server'
domain_is_ad : 0x01 (1)
set_encryption_types : 0x00000000 (0)
krb5_salt : NULL
result : WERR_NERR_DEFAULTJOINREQUIRED
return code = -1
Failed to join domain: failed to connect to AD: Can't contact LDAP server
I'll run and redact public IP network data from this again...
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
bash samba-collect-debug-info.sh
Please wait, collecting debug info.
Password for Administrator at NC.NOR-CONSULT.COM:
Warning: Your password will expire in 40 days on Tue 28 Dec 2021 02:07:05 AM
UTC
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER
The debug info about your system can be found in this file:
/tmp/samba-debug-info.txt
Please check this and if required, sanitise it.
Then copy & paste it into an email to the samba list
Do not attach it to the email, the Samba mailing list strips attachments.
Collected config --- 2021-11-17-21:03 -----------
Hostname: v-fs5
DNS Domain: nc.nor-consult.com
FQDN: v-fs5.nc.nor-consult.com
ipaddress: 10.2.0.45 10.202.0.45 fd00:6959:d45d:200:a800:ff:fe48:dc6f
REDACTED:a800:ff:fe48:dc6f fd00:6959:d45d:200::2d
-----------
Kerberos SRV _kerberos._tcp.nc.nor-consult.com record verified ok, sample
output:
Server: 10.2.0.35
Address: 10.2.0.35#53
_kerberos._tcp.nc.nor-consult.com service = 0 100 88
ad-mo3.nc.nor-consult.com.
Samba is running as an Unix domain member but 'winbindd' is NOT running.
Check that the winbind package is installed.
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 11.1 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state
UP group default qlen 1000
link/ether REDACTED brd ff:ff:ff:ff:ff:ff
altname enp0s13
altname ens13
inet 10.2.0.45/16 brd 10.2.255.255 scope global eth0
inet6 fd00:6959:d45d:200:a800:ff:fe48:dc6f/64 scope global dynamic
mngtmpaddr
inet6 REDACTED:a800:ff:fe48:dc6f/64 scope global dynamic mngtmpaddr
inet6 fd00:6959:d45d:200::2d/56 scope global
inet6 fe80::a800:ff:fe48:dc6f/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state
UP group default qlen 1000
link/ether REDACTED brd ff:ff:ff:ff:ff:ff
altname enp0s14
altname ens14
inet REDACTED
inet6 fe80::a800:ff:fe89:ed9e/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
10.2.0.45 v-fs5.nc.nor-consult.com v-fs5
fd00:6959:d45d:0200::2d v-fs5.nc.nor-consult.com v-fs5
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
domain nc.nor-consult.com
search nc.nor-consult.com norconsult.local nor-consult.com
nameserver 10.2.0.35
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = NC.NOR-CONSULT.COM
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files
group: files
shadow: files
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
[global]
workgroup = NC
security = ADS
realm = NC.NOR-CONSULT.COM
#server role = member server
bind interfaces only = yes
interfaces = 127.0.0.1 10.2.0.45 ::1 fd00:6959:d45d:200::2d
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
# idmap config ad
# https://wiki.samba.org/index.php/Idmap_config_ad
# local server
idmap config * : backend = tdb
idmap config * : range = 3000-3499
# domain
# is DOMAIN $DOMAIN or literal DOMAIN ? -- Ah there's an example
later, that helps
idmap config NC:backend = ad
idmap config NC:schema_mode = rfc2307
idmap config NC:range = 3500-999999
idmap config NC:unix_nss_info = no
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
template shell = /bin/bash
template homedir = /home/%D/%U
username map = /etc/samba/user.map
# Only for testing
winbind enum users = yes
winbind enum groups = yes
-----------
Running as Unix domain member and user.map detected.
Contents of /etc/samba/user.map
!root = NC\Administrator
Server Role is set to : auto
Server Role is set to : auto
-----------
Installed packages:
ii acl 2.2.53-10
amd64 access control list - utilities
ii attr 1:2.4.48-6
amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6+nmu1 all
Configuration files for Kerberos Version 5
ii krb5-user 1.18.3-6+deb11u1
amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-10
amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-6
amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u1
amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.7.0+dfsg-2
amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.18.3-6+deb11u1
amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.18.3-6+deb11u1
amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.13.13+dfsg-1~deb11u2
amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.9-2
amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.13.13+dfsg-1~deb11u2
amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.13.13+dfsg-1~deb11u2
amd64 Samba winbind client library
ii python3-samba 2:4.13.13+dfsg-1~deb11u2
amd64 Python 3 bindings for Samba
ii samba 2:4.13.13+dfsg-1~deb11u2
amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.13.13+dfsg-1~deb11u2 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.13.13+dfsg-1~deb11u2
amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.13.13+dfsg-1~deb11u2
amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.13.13+dfsg-1~deb11u2
amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.13.13+dfsg-1~deb11u2
amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.13.13+dfsg-1~deb11u2
amd64 service to resolve user and group information from Windows NT
servers
-----------
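Added example (not part of the thread, and not Samba's own code): a small checker for the idmap layout in the [global] section of smb.conf, covering the points raised above about "idmap config ad": whether the domain label is the literal workgroup name, whether the default '*' domain has a backend and a range, whether an 'ad' backend has a valid schema_mode, and whether any two idmap ranges overlap. The first sample is the poster's own [global] trimmed to the relevant lines; the second is a constructed variant with the two mistakes the check is meant to catch. Parameter names are normalised the way Samba treats them (case- and whitespace-insensitive); the single-domain assumption behind the label check is stated in the finding text.

```python
"""Sanity-check idmap settings in a Samba smb.conf [global] section (added example)."""
import re

# Constructed sample: the [global] section posted in the thread, trimmed.
SAMPLE_SMB_CONF = """
[global]
workgroup = NC
security = ADS
realm = NC.NOR-CONSULT.COM
# idmap config ad
idmap config * : backend = tdb
idmap config * : range = 3000-3499
idmap config NC:backend = ad
idmap config NC:schema_mode = rfc2307
idmap config NC:range = 3500-999999
idmap config NC:unix_nss_info = no
"""

# Constructed sample with two common mistakes: the label "DOMAIN" was copied
# literally instead of the workgroup, and the '*' range overlaps the domain range.
BAD_SMB_CONF = """
[global]
workgroup = NC
security = ADS
realm = NC.NOR-CONSULT.COM
idmap config * : backend = tdb
idmap config * : range = 3000-99999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 10000-999999
"""

_IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<label>[^:]+?)\s*:\s*(?P<option>\w+)\s*=\s*(?P<value>.*?)$",
    re.IGNORECASE,
)


def parse_smb_conf(text):
    """Parse [global] only. Returns (params, idmap): params maps normalised
    parameter names ("workgroup") to values; idmap maps a domain label
    ("*", "NC") to {option: value}. Comments and other sections are skipped."""
    params, idmap, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        m = _IDMAP_RE.match(line)
        if m:
            opts = idmap.setdefault(m.group("label").strip(), {})
            opts[m.group("option").lower()] = m.group("value").strip()
            continue
        key, value = line.split("=", 1)
        params[key.strip().lower().replace(" ", "")] = value.strip()
    return params, idmap


def parse_range(value):
    """'3500-999999' -> (3500, 999999); ValueError when malformed or inverted."""
    low, high = (int(part.strip()) for part in value.split("-", 1))
    if low >= high:
        raise ValueError(f"range {value!r} is empty or inverted")
    return low, high


def check_idmap(text):
    """Return a list of findings; an empty list means the layout is consistent."""
    params, idmap = parse_smb_conf(text)
    findings = []
    workgroup = params.get("workgroup", "").upper()

    default = idmap.get("*", {})
    if "backend" not in default or "range" not in default:
        findings.append("default domain '*' needs both a backend and a range")

    ranges = {}
    for label, opts in idmap.items():
        # A member of a single domain names its domain block after the workgroup.
        if label != "*" and label.upper() != workgroup:
            findings.append(f"idmap label {label!r} does not match workgroup "
                            f"{workgroup!r} (check assumes a single-domain member)")
        if opts.get("backend", "").lower() == "ad":
            mode = opts.get("schema_mode", "rfc2307").lower()  # rfc2307 is the default
            if mode not in ("rfc2307", "sfu"):
                findings.append(f"{label}: schema_mode {mode!r} is not rfc2307 or sfu")
        if "range" in opts:
            try:
                ranges[label] = parse_range(opts["range"])
            except ValueError as exc:
                findings.append(f"{label}: {exc}")

    # Every idmap range must be disjoint, or IDs become ambiguous between backends.
    labels = sorted(ranges)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                findings.append(f"ranges for {a!r} ({lo_a}-{hi_a}) and "
                                f"{b!r} ({lo_b}-{hi_b}) overlap")
    return findings


if __name__ == "__main__":
    for name, conf in (("posted config", SAMPLE_SMB_CONF), ("bad config", BAD_SMB_CONF)):
        print(name, "->", check_idmap(conf) or "no findings")
```

Run it against a real file with `check_idmap(open("/etc/samba/smb.conf").read())`; the posted configuration produces no findings, which is consistent with the join failing for a reason outside the idmap block.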
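Added example (not part of the thread, and not Samba's own code): a parser for `net ads join -d 5` output that records which milestones of the join were reached and where it stopped. The sample is the poster's debug output above with the mail-wrapped lines re-joined; the stage names and the `diagnose` wording are my own. On that sample it shows that KDC lookup, the CLDAP ping, the TCP connection to port 389 and the clock check all succeeded, and that the failure is in the SASL bind (Kerberos, then the NTLMSSP fallback), which narrows where to look next.

```python
"""Summarise the milestones in 'net ads join -d 5' output (added example)."""
import re

# Constructed sample: the thread's debug output with wrapped lines re-joined.
SAMPLE_JOIN_LOG = """\
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for nc.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
ads_try_connect: sending CLDAP request to 10.2.0.35 (realm: nc.nor-consult.com)
Successfully contacted LDAP server 10.2.0.35
Connecting to 10.2.0.35 at port 389
Connected to LDAP server ad-mo3.nc.nor-consult.com
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com with user[r2] realm[NC.NOR-CONSULT.COM]: Can't contact LDAP server
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com with user[r2] realm[NC.NOR-CONSULT.COM]: Can't contact LDAP server, fallback to NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
ads_sasl_spnego_gensec_bind(NTLMSSP) failed for ldap/ad-mo3.nc.nor-consult.com with user[r2] realm=[NC.NOR-CONSULT.COM]: Can't contact LDAP server
Failed to join domain: failed to connect to AD: Can't contact LDAP server
"""

# Ordered join milestones (names are mine), each with the line that proves it was reached.
STAGES = [
    ("dns_kdc_lookup",   re.compile(r"^get_dc_list: returning (\d+) ip address")),
    ("cldap_ping",       re.compile(r"^Successfully contacted LDAP server (\S+)")),
    ("ldap_tcp_connect", re.compile(r"^Connected to LDAP server (\S+)")),
    ("clock_check",      re.compile(r"^KDC time offset is (-?\d+) seconds")),
    ("sasl_mech",        re.compile(r"^Found SASL mechanism (\S+)")),
    ("kerberos_bind",    re.compile(r"^Starting GENSEC submechanism gse_krb5")),
    ("ntlmssp_bind",     re.compile(r"^Starting GENSEC submechanism ntlmssp")),
]
_BIND_FAIL_RE = re.compile(
    r"^(?:kinit succeeded but )?ads_sasl_spnego_gensec_bind\((\w+)\) failed .*?: "
    r"(.+?)(?:, fallback to \w+)?$"
)
_RESULT_RE = re.compile(r"^Failed to join domain: (.+)$")


def summarise_join(log):
    """Return which stages were reached (with the captured detail), every SASL
    bind failure as (mechanism, error), and the final result line."""
    reached, bind_failures, result = {}, [], "joined"
    for line in log.splitlines():
        line = line.strip()
        for name, pattern in STAGES:
            m = pattern.match(line)
            if m and name not in reached:
                reached[name] = m.group(1) if m.groups() else True
        m = _BIND_FAIL_RE.match(line)
        if m:
            bind_failures.append((m.group(1), m.group(2)))
        m = _RESULT_RE.match(line)
        if m:
            result = m.group(1)
    last = None
    for name, _ in STAGES:
        if name in reached:
            last = name
    return {"reached": reached, "last_stage": last,
            "bind_failures": bind_failures, "result": result}


def diagnose(summary):
    """One-line reading of the summary: which phase the join got stuck in."""
    reached = summary["reached"]
    if summary["result"] == "joined":
        return "join completed"
    if "cldap_ping" not in reached:
        return "no DC answered CLDAP: check DNS SRV records and UDP/389 reachability"
    if "ldap_tcp_connect" not in reached:
        return f"CLDAP reached {reached['cldap_ping']} but TCP/389 did not connect"
    if summary["bind_failures"]:
        mechs = ", ".join(sorted({m for m, _ in summary["bind_failures"]}))
        return (f"transport to {reached['ldap_tcp_connect']} works; the SASL bind "
                f"failed ({mechs}): {summary['bind_failures'][-1][1]}")
    return f"stopped after stage {summary['last_stage']}: {summary['result']}"


if __name__ == "__main__":
    s = summarise_join(SAMPLE_JOIN_LOG)
    print("last stage:", s["last_stage"])
    print(diagnose(s))
```

Feed it a captured run with `summarise_join(open("join.log").read())`; `reached` keeps the first value seen for each stage (the DC address, the KDC time offset, the SASL mechanism), which are the values worth comparing against `samba-collect-debug-info.sh` output.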