[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server

Michael Evans michael.evans at nor-consult.com
Wed Nov 17 23:37:05 UTC 2021

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland
Penny via samba
Sent: Wednesday, November 17, 2021 2:37 PM
To: sambalist
Subject: Re: [Samba] Unable to net ads join samba to an active directory
domain Failed to join domain: failed to connect to AD: Can't contact LDAP

On Wed, 2021-11-17 at 13:11 -0800, Michael Evans wrote:
> Your Third point: If I DO need it then it isn't _optional_ and the
> documentation is incorrect / confusing.

Granted, I will fix.


Thank you.

> Documentation error: Hyperlink is NOT default hyperlink colors and
> underlined.

You may have a point there, but it does say above the box:

Select one of the following hyperlinks to find information about the
relevant Samba domain back end and what idmap config lines to add:


It's in the middle of a BIG blob of text that someone expecting to just
set the configuration value to "idmap config ad" since it's all
stored in the AD and not need to set anything else, will skim past.

Also, for readability, hyperlinks should always present as hyperlinks.
It would also help to hyperlink to the details page each time the topic
is mentioned.

> idmap config ad <<< That looks like just text with emphasis, NOT a
> hyperlink.

Well yes, but normal hyperlinks can look just like text until you hover
your mouse pointer over them.

> https://wiki.samba.org/index.php/Idmap_config_ad
> The Config AD Backend and NSS info sections should be in that order,
> not the
> NSS then AD order.

I must be missing something, for as far as I can see, the wiki does
show how to set up the winbind backend before how to set up NSS. If you
can show where this is different, I will try to fix it.

I'm saying the sections should be re-arranged in this order:

Configuring the ad Back End
The RFC2307 and template Mode Options

This would present the config outline first, then explain variations and
what the different value options mean.

I would have found it much clearer as a first time / long time ago returning

The example also clarifies given the difference that SAMDOM and DOMAIN
are placeholder variables for the workgroup/domain.

> This still fails (r2 is in every group Administrator is in; I expect
> the
> same output)
> net ads join -U r2 -d 5 2>&1
> _kerberos._tcp.nc.nor-consult.com       service = 0 100 88
> ad-mo3.nc.nor-consult.com.
> Samba is running as an Unix domain member but 'winbindd' is NOT
> running.
> Check that the winbind package is installed.

This shows that at least one Samba daemon is running (but not winbind),
so find which are and stop them.


I must have forgotten to stop them again at some point after restarting the
VM during troubleshooting.

systemctl disable smbd nmbd winbind ; systemctl stop smbd nmbd winbind

As I write this reply I am trying again with them stopped.

HOWEVER I'm 99% sure it's going to fail again since it stalled at that place
it hangs for 15+min.  Do I need to purge the local samba databases again?

rm -r /run/samba/*.?db


Do you really need all those ethernet devices ? 
Do you really need IPv6 ?

> -----------

The altnames are junk systemd adds... /etc/network/interfaces
only calls them lo eth0 and eth1 as is proper for a VM.

IPv6 yes, if I have to migrate to a new domain it's far past time that I
should enable IPv6 internally as well.  It might not be required today, but
it's well past time to be IPv4 only.

>        Checking file: /etc/hosts
>       localhost
>       v-fs5.nc.nor-consult.com v-fs5
> fd00:6959:d45d:0200::2d v-fs5.nc.nor-consult.com v-fs5

Does this computer have a fixed IP ?

Those are its static IPs yes.

>        Checking file: /etc/resolv.conf
> domain nc.nor-consult.com
> search nc.nor-consult.com norconsult.local nor-consult.com

'domain' and search are mutually exclusive, the last one wins, so you
might as well remove the 'domain' line.
Your 'search' line should only search the AD dns domain, nothing else.

> nameserver

There are legacy resources that live in other places and shortnames for
servers that live outside of the domain.  That's the search order I want to
look for hosts in.


Not that it matters at this point, but you need to add winbind to the
passwd and group lines, also the hosts line should be:
hosts:		files dns

> -----------

Good, I hate how Apple took over .local and no one told them that was a bad

>         idmap config NC:range = 3500-999999

Why start the 'DOMAIN' range at '3500' ?


Reasons of annoyances for migration plans, and I also read that 'machine
accounts' need UIDs as well, which wasn't in the initial plans.  It makes
sense as each machine must have an agent ID to pair with the machine keytab.
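
Added example, not part of the original thread: a small shell pre-check that applies the resolv.conf and nsswitch.conf advice quoted in the message above (the last of 'domain'/'search' wins, search only the AD DNS domain, winbind on the passwd and group lines, hosts as "files dns"). The function names and the nsswitch.conf sample are constructed for illustration; the resolv.conf sample repeats the lines quoted in the message.

```sh
#!/bin/sh
# Constructed sample inputs (resolv.conf lines as quoted in the thread;
# the nsswitch.conf content is invented for illustration).
SAMPLE_RESOLV='domain nc.nor-consult.com
search nc.nor-consult.com norconsult.local nor-consult.com'
SAMPLE_NSS='passwd: files systemd
group:  files systemd
hosts:  files mdns4_minimal [NOTFOUND=return] dns'

# Print the suffix list the resolver will use. 'domain' and 'search' are
# mutually exclusive; the last instance in the file wins (resolv.conf(5)).
effective_search() {
    awk '$1 == "domain" || $1 == "search" { $1 = ""; sub(/^ +/, ""); last = $0 }
         END { print last }'
}

# Print every effective search suffix other than the AD DNS domain ($1).
extra_suffixes() {
    effective_search | tr ' ' '\n' | awk -v ad="$1" 'NF && tolower($0) != tolower(ad)'
}

# Print one finding per nsswitch.conf problem: passwd and group must list
# winbind, and hosts is expected to read exactly "files dns".
nsswitch_findings() {
    awk '
      /^[ \t]*#/ { next }
      $1 == "passwd:" || $1 == "group:" {
          ok = 0
          for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1
          if (!ok) print $1 " winbind not listed"
      }
      $1 == "hosts:" && !(NF == 3 && $2 == "files" && $3 == "dns") {
          print "hosts: expected \"files dns\""
      }'
}

# Run the checks over the constructed samples.
echo "effective search: $(printf '%s\n' "$SAMPLE_RESOLV" | effective_search)"
printf '%s\n' "$SAMPLE_RESOLV" | extra_suffixes nc.nor-consult.com | sed 's/^/extra suffix: /'
printf '%s\n' "$SAMPLE_NSS" | nsswitch_findings
```

On a real member server, feed the functions /etc/resolv.conf and /etc/nsswitch.conf on stdin instead of the sample variables.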
