[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
Rowland Penny
rpenny at samba.org
Wed Nov 17 22:37:01 UTC 2021
On Wed, 2021-11-17 at 13:11 -0800, Michael Evans wrote:
>
>
>
> >
>
> >
>
> Your Third point: If I DO need it then it isn't _optional_ and the
> documentation is incorrect / confusing.
Granted, I will fix.
>
> Still, which sections, what keywords should I be looking for, and
> more to
> the point, why aren't those in the Member Server documentation to
> begin
> with, without external references?
'external references' ? they are links to separate Samba wiki pages
>
>
> "If you need your users to have different login shells and/or Unix
> home
> directory paths, or you want them to have the same ID everywhere, you
> will
> need to use the winbind 'ad' backend and add RFC2307 attributes to
> AD."
>
> Yes, I need that, and have done that on the DC.
>
> Documentation error: Hyperlink is NOT default hyperlink colors and
> NOT
> underlined.
You may have a point there, but it does say above the box:
Select one of the following hyperlinks to find information about the
relevant Samba domain back end and what idmap config lines to add:
>
> idmap config ad <<< That looks like just text with emphasis, NOT a
> hyperlink.
Well yes, but normal hyperlinks can look just like text until you hover
your mouse pointer over them.
>
> This table of 3 options should instead be broken out to small
> sections, each
> with a single (current version) template example and a link to the
> full set
> of directions. Ideally all three examples would fit on a typical PC
> screen
> when viewing the wiki.
Sorry, but the three pages that are linked to, will each not fit on one
page.
>
>
> https://wiki.samba.org/index.php/Idmap_config_ad
>
> The Config AD Backend and NSS info sections should be in that order,
> not the
> NSS then AD order.
I must be missing something, for as far as I can see, the wiki does
show how to set up the winbind backend before how to set up NSS. If you
can show where this is different, I will try to fix it.
>
>
> This still fails (r2 is in every group Administrator is in; I expect
> the
> same output)
>
> net ads join -U r2 -d 5 2>&1
> get_dc_list: preferred server list: ", *"
> resolve_ads: Attempting to resolve KDCs for nc.nor-consult.com using
> DNS
> get_dc_list: returning 2 ip addresses in an ordered list
> get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
> saf_fetch: failed to find server for "nc.nor-consult.com" domain
> get_dc_list: preferred server list: ", *"
> resolve_ads: Attempting to resolve KDCs for nc.nor-consult.com using
> DNS
> get_dc_list: returning 2 ip addresses in an ordered list
> get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
> create_local_private_krb5_conf_for_domain: wrote file
> /run/samba/smb_krb5/krb5.conf.NC with realm NC.NOR-CONSULT.COM KDC
> list =
> kdc = [fd00:6959:d45d:200::23]:88
> kdc = 10.2.0.35
>
> sitename_fetch: Returning sitename for realm 'NC.NOR-CONSULT.COM':
> "Default-First-Site-Name"
> name ad-mo3.nc.nor-consult.com#20 found.
> ads_try_connect: sending CLDAP request to 10.2.0.35 (realm:
> nc.nor-consult.com)
> Successfully contacted LDAP server 10.2.0.35
> Connecting to 10.2.0.35 at port 389
> Connected to LDAP server ad-mo3.nc.nor-consult.com
> KDC time offset is 0 seconds
> Found SASL mechanism GSS-SPNEGO
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
> ----- It HANGS here for subjectively forever, probably 15+ min.
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
> ldap/ad-mo3.nc.nor-consult.com with user[r2] realm[NC.NOR-
> CONSULT.COM]:
> Can't contact LDAP server
> ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-
> consult.com
> with user[r2] realm[NC.NOR-CONSULT.COM]: Can't contact LDAP server,
> fallback
> to NTLMSSP
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism ntlmssp
> ads_sasl_spnego_gensec_bind(NTLMSSP) failed for
> ldap/ad-mo3.nc.nor-consult.com with user[r2] realm=[NC.NOR-
> CONSULT.COM]:
> Can't contact LDAP server
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : 'V-FS5$'
> netbios_domain_name : 'NC'
> dns_domain_name : 'nc.nor-consult.com'
> forest_name : 'nc.nor-consult.com'
> dn : NULL
> domain_guid : 250143d6-aebe-440e-94c5-
> f27c7af7857b
> domain_sid : *
> domain_sid :
> S-1-5-21-3458735564-2487305582-1134572456
> modified_config : 0x00 (0)
> error_string : 'failed to connect to AD:
> Can't
> contact LDAP server'
> domain_is_ad : 0x01 (1)
> set_encryption_types : 0x00000000 (0)
> krb5_salt : NULL
> result : WERR_NERR_DEFAULTJOINREQUIRED
> return code = -1
>
> Failed to join domain: failed to connect to AD: Can't contact LDAP
> server
>
>
>
>
> I'll run and redact public IP network data from this again...
>
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-i
> nfo.sh
>
> bash samba-collect-debug-info.sh
> Please wait, collecting debug info.
>
> Password for Administrator at NC.NOR-CONSULT.COM:
> Warning: Your password will expire in 40 days on Tue 28 Dec 2021
> 02:07:05 AM
> UTC
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
> Server role: ROLE_DOMAIN_MEMBER
>
> The debug info about your system can be found in this file:
> /tmp/samba-debug-info.txt
> Please check this and if required, sanitise it.
> Then copy & paste it into an email to the samba list
> Do not attach it to the email, the Samba mailing list strips
> attachments.
>
> Collected config --- 2021-11-17-21:03 -----------
>
> Hostname: v-fs5
> DNS Domain: nc.nor-consult.com
> FQDN: v-fs5.nc.nor-consult.com
> ipaddress: 10.2.0.45 10.202.0.45 fd00:6959:d45d:200:a800:ff:fe48:dc6f
> REDACTED:a800:ff:fe48:dc6f fd00:6959:d45d:200::2d
>
> -----------
>
> Kerberos SRV _kerberos._tcp.nc.nor-consult.com record verified ok,
> sample
> output:
> Server: 10.2.0.35
> Address: 10.2.0.35#53
>
> _kerberos._tcp.nc.nor-consult.com service = 0 100 88
> ad-mo3.nc.nor-consult.com.
> Samba is running as an Unix domain member but 'winbindd' is NOT
> running.
> Check that the winbind package is installed.
This shows that at least one Samba daemon is running (but not winbind),
so find which are and stop them.
> Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
> NAME="Debian GNU/Linux"
> VERSION_ID="11"
> VERSION="11 (bullseye)"
> VERSION_CODENAME=bullseye
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
>
> This computer is running Debian 11.1 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group
> default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast
> state
> UP group default qlen 1000
> link/ether REDACTED brd ff:ff:ff:ff:ff:ff
> altname enp0s13
> altname ens13
> inet 10.2.0.45/16 brd 10.2.255.255 scope global eth0
> inet6 fd00:6959:d45d:200:a800:ff:fe48:dc6f/64 scope global
> dynamic
> mngtmpaddr
> inet6 REDACTED:a800:ff:fe48:dc6f/64 scope global dynamic
> mngtmpaddr
> inet6 fd00:6959:d45d:200::2d/56 scope global
> inet6 fe80::a800:ff:fe48:dc6f/64 scope link
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast
> state
> UP group default qlen 1000
> link/ether REDACTED brd ff:ff:ff:ff:ff:ff
> altname enp0s14
> altname ens14
> inet REDACTED
> inet6 fe80::a800:ff:fe89:ed9e/64 scope link
>
Do you really need all those ethernet devices ?
Do you really need IPv6 ?
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 10.2.0.45 v-fs5.nc.nor-consult.com v-fs5
> fd00:6959:d45d:0200::2d v-fs5.nc.nor-consult.com v-fs5
Does this computer have a fixed IP ?
>
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> domain nc.nor-consult.com
> search nc.nor-consult.com norconsult.local nor-consult.com
'domain' and search are mutually exclusive, the last one wins, so you
might as well remove the 'domain' line.
Your 'search' line should only search the AD dns domain, nothing else.
> nameserver 10.2.0.35
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = NC.NOR-CONSULT.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
> installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files
> group: files
> shadow: files
> gshadow: files
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
Not that it matters at this point, but you need to add winbind to the
passwd and group lines, also the hosts line should be:
hosts: files dns
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> [global]
> workgroup = NC
> security = ADS
> realm = NC.NOR-CONSULT.COM
> #server role = member server
> bind interfaces only = yes
> interfaces = 127.0.0.1 10.2.0.45 ::1 fd00:6959:d45d:200::2d
>
> winbind refresh tickets = Yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind use default domain = yes
>
> # idmap config ad
> # https://wiki.samba.org/index.php/Idmap_config_ad
>
> # local server
> idmap config * : backend = tdb
> idmap config * : range = 3000-3499
>
> # domain
> # is DOMAIN $DOMAIN or literal DOMAIN ? -- Ah there's an
> example
> later, that helps
> idmap config NC:backend = ad
> idmap config NC:schema_mode = rfc2307
> idmap config NC:range = 3500-999999
Why start the 'DOMAIN' range at '3500' ?
Rowland
More information about the samba
mailing list