[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server

Rowland Penny rpenny at samba.org
Thu Nov 18 09:06:17 UTC 2021


On Thu, 2021-11-18 at 00:15 -0800, Michael Evans wrote:
> First, sorry, it isn't as obvious when Outlook is mostly used in an
> office and everyone's using the defaults, but it becomes really obvious
> when interacting with a mailing list: those defaults are super confusing
> for conversations with many replies.  I had to google where the
> configuration to conform with non-Redmond email clients was.  Mostly.
> It keeps inserting [] even when I don't give it a name to put in the
> middle, which is aggravating to the point that I see why I must have
> never kept that change.
> 
> > 
> > 
> > 
> > On Wed, 2021-11-17 at 13:11 -0800, Michael Evans wrote:
> > > Your Third point: If I DO need it then it isn't _optional_ and the
> > > documentation is incorrect / confusing.
> > 
> > Granted, I will fix.
> 
> [Michael Evans] 
> Thank you.

Now fixed.

> 
> > > Documentation error: Hyperlink is NOT default hyperlink colors and
> > > NOT underlined.
> > 
> > You may have a point there, but it does say above the box:
> > 
> > Select one of the following hyperlinks to find information about the
> > relevant Samba domain back end and what idmap config lines to add:
> > 
> 
> [Michael Evans]
> It's in the middle of a BIG blob of text that someone expecting to just
> set the configuration value to "idmap config ad", since it's all
> stored in the AD, and not need to set anything else, will skim past.

We cannot stop anyone 'skimming' the wiki documentation, we can only
advise that it is read fully.

> 
> Also, for readability, hyperlinks should always present as hyperlinks.
> It would also help to hyperlink to the details page each time the
> topic is mentioned.
> > > idmap config ad <<< That looks like just text with emphasis, NOT a
> > > hyperlink.
> > 
> > Well yes, but normal hyperlinks can look just like text until you
> > hover your mouse pointer over them.
> 
> [Michael Evans] 
> (added since the previous reply)
> Who's going to do that if it doesn't look like a hyperlink?

Sorry, but you are the first person (that I can remember) to complain
about hyperlinks on the wiki.

> 
> It seems to be a deliberate style anti-pattern on the whole wiki.
> The AD page _also_ has disguised hyperlinks that are thus skipped,
> because unless you know they /might/ be hyperlinks it would never
> occur to you that it isn't a single line configuration flag that is
> required.

What would you like? Something along the lines of 'Hey, this is a
hyperlink'?

> 
> > > https://wiki.samba.org/index.php/Idmap_config_ad
> > > 
> > > The Config AD Backend and NSS info sections should be in that
> > > order, not the NSS then AD order.
> > 
> > I must be missing something, for as far as I can see, the wiki does
> > show how to set up the winbind backend before how to set up NSS. If
> > you can show where this is different, I will try to fix it.
> > 
> 
> [Michael Evans]
> I'm saying the sections should be re-arranged in this order:
> 
> Configuring the ad Back End
> then
> The RFC2307 and template Mode Options
> 
> This would present the config outline first, then explain variations
> and what the different value options mean.

At one time, setting up a Unix domain member was all on one page,
basically as you are suggesting and it confused everyone. After it was
split up into separate pages, the confusion level went down
significantly. It isn't perfect and will probably get tweaked over
time.

> 
> I would have found it much clearer as a first time / long time ago
> returning reader.
> 
> The example also clarifies, given the difference, that SAMDOM and
> DOMAIN are placeholder variables for the workgroup/domain.

The wiki tends to use 'DOMAIN' as a placeholder for the netbios domain
name (aka workgroup) in descriptions and 'SAMDOM' in examples.

> 
> > > 
> > > This still fails (r2 is in every group Administrator is in; I
> > > expect the same output)
> > > 
> > > net ads join -U r2 -d 5 2>&1
> > ...
> > > _kerberos._tcp.nc.nor-consult.com       service = 0 100 88
> > > ad-mo3.nc.nor-consult.com.
> > > Samba is running as an Unix domain member but 'winbindd' is NOT
> > > running.
> > > Check that the winbind package is installed.
> > 
> > This shows that at least one Samba daemon is running (but not
> > winbind), so find which are and stop them.
> > 
> 
> [Michael Evans]
> I must have forgotten to stop them again at some point after
> restarting the VM during troubleshooting.
> 
> 
> systemctl disable smbd nmbd winbind ; systemctl stop smbd nmbd winbind
> 
> As I write this reply I am trying again with them stopped.
> 
> HOWEVER I'm 99% sure it's going to fail again since it stalled at
> that place it hangs for 15+min.  Do I need to purge the local samba
> databases again?
> 
> rm -r /run/samba/*.?db\
>  /var/cache/samba/*.?db\
>  /var/lib/samba/*.?db\
>  /var/lib/samba/private/*.?db
> 
> Additional: it failed again as expected, also after purging the above
> on v-fs5.
> 
> > 
> > Do you really need all those ethernet devices ?
> > Do you really need IPv6 ?
> > 
> > > -----------
> The altnames are junk systemd adds... /etc/network/interfaces
> only calls them lo eth0 and eth1 as is proper for a VM.
> 
> IPv6 yes, if I have to migrate to a new domain it's far past time
> that I should enable IPv6 internally as well.  It might not be
> required today, but it's well past time to be IPv4 only.

If you use 192.168.0.0/16 it would give you 65,534 possible hosts, do
you have or expect to have that number of hosts?

> > >        Checking file: /etc/hosts
> > > 
> > > 127.0.0.1       localhost
> > > 10.2.0.45       v-fs5.nc.nor-consult.com v-fs5
> > > fd00:6959:d45d:0200::2d v-fs5.nc.nor-consult.com v-fs5
> > 
> > Does this computer have a fixed IP ?
> > 
> > > 
> 
> Those are its static IPs yes.
> 
> > >        Checking file: /etc/resolv.conf
> > > 
> > > domain nc.nor-consult.com
> > > search nc.nor-consult.com norconsult.local nor-consult.com
> > 
> > 'domain' and 'search' are mutually exclusive, the last one wins, so
> > you might as well remove the 'domain' line.
> > Your 'search' line should only search the AD dns domain, nothing
> > else.
> > 
> > > nameserver 10.2.0.35
> > 
> > There are legacy resources that live in other places and shortnames
> > for servers that live outside of the domain.  That's the search
> > order I want to look for hosts in.

You might want to, but you shouldn't set them in your /etc/resolv.conf

> > 
> > 
> > Not that it matters at this point, but you need to add winbind to
> > the passwd and group lines, also the hosts line should be:
> > hosts:		files dns
> > 
> > > -----------
> 
> [Michael Evans] 
> Good, I hate how Apple took over .local and no one told them that was
> a bad idea.

> 
> > >         idmap config NC:range = 3500-999999
> > 
> > Why start the 'DOMAIN' range at '3500' ?
> > 
> > Rowland
> > 
> 
> [Michael Evans] 
> Reasons of annoyances for migration plans, and I also read that
> 'machine accounts' need UIDs as well, which wasn't in the initial
> plans.  It makes sense as each machine must have an agent ID to pair
> with the machine keytab.

Your computers do not require Unix IDs.

> 
> The question about the member server's IP addresses being static made
> me wonder: should I add records for those services too?  Which
> records?

Yes, if your computer is using a fixed IP, you should add A and PTR
records to AD.

> 
> 
> Revisiting the records that helped the LDAP tool (external to samba)
> work for those tests:
> 
> 
> # Add in-addr.arpa and ip6.arpa reverse lookup zones (I would have
> # appreciated -k also working for Kerberos auth here)
> 
> # static IPv4 /16 netmask
> 
> samba-tool dns zonecreate ::1 2.10.in-addr.arpa -U Administrator
> 
> samba-tool dns add ::1 2.10.in-addr.arpa 35.0 PTR ad-mo3.nc.nor-consult.com -U Administrator
> 
> # static IPv6 /60 netmask
> 
> samba-tool dns zonecreate ::1 0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa -U Administrator
> 
> samba-tool dns add ::1 0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa
> 3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR ad-mo3.nc.nor-consult.com
> 
> Test method:
> 
> host 10.2.0.35
> 
> 35.0.2.10.in-addr.arpa domain name pointer ad-mo3.nc.nor-consult.com.
> 
> host fd00:6959:d45d:200::23
> 
> 3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa domain name pointer ad-mo3.nc.nor-consult.com.
> 
> Note: the output of host is particularly useful as it reverses and
> divides the uncompressed IPv6 notation exactly as necessary on error:
> 3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa has
> no PTR record.  Simple cut and paste string operations are sufficient.
> 
> 
> +++
> 
> samba-tool dns add ::1 2.10.in-addr.arpa 45.0 PTR v-fs5.nc.nor-consult.com -U r2
> 
> samba-tool dns add ::1 0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa
> d.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR v-fs5.nc.nor-consult.com -U r2
> 
> samba-tool dns add ::1 nc.nor-consult.com  v-fs5 A 10.2.0.45 -U r2
> 
> samba-tool dns add ::1 nc.nor-consult.com  v-fs5 AAAA fd00:6959:d45d:200::2d -U r2
> 
> samba-tool dns query ::1 nc.nor-consult.com '@' ALL
> 
>   Name=, Records=4, Children=0
>     AAAA: fd00:6959:d45d:0200:0000:0000:0000:0023 (flags=600000f0, serial=110, ttl=900)
>     SOA: serial=4, refresh=900, retry=600, expire=86400, minttl=3600, ns=ad-mo3.nc.nor-consult.com., email=hostmaster.nc.nor-consult.com. (flags=600000f0, serial=4, ttl=3600)
>     NS: ad-mo3.nc.nor-consult.com. (flags=600000f0, serial=110, ttl=900)
>     A: 10.2.0.35 (flags=600000f0, serial=110, ttl=900)
>   Name=_msdcs, Records=0, Children=0
>   Name=_sites, Records=0, Children=1
>   Name=_tcp, Records=0, Children=4
>   Name=_udp, Records=0, Children=2
>   Name=ad-mo3, Records=2, Children=0
>     AAAA: fd00:6959:d45d:0200:0000:0000:0000:0023 (flags=f0, serial=2, ttl=900)
>     A: 10.2.0.35 (flags=f0, serial=110, ttl=900)
>   Name=DomainDnsZones, Records=0, Children=2
>   Name=ForestDnsZones, Records=0, Children=2
>   Name=v-fs5, Records=2, Children=0
>     A: 10.2.0.45 (flags=f0, serial=3, ttl=900)
>     AAAA: fd00:6959:d45d:0200:0000:0000:0000:002d (flags=f0, serial=4, ttl=900)
> 
> Retested: Failed.
> 
> Re-thought about hyperlinks missing _ and the wrong color.  ad-mo3,
> the DC, is also missing idmap config.
> 
> Retested Windows PC join, still works anyway.
> 
> v-fs5 passed
> kinit u2
> ldapsearch -H ldap://ad-mo3.nc.nor-consult.com -Y GSSAPI -b
> 'DC=nc,DC=nor-consult,DC=com'
> 
> # on the AD DC
> getfacl  /var/lib/samba/sysvol/nc.nor-consult.com/
> 
> Q: winbind doesn't seem to show the User or Group names, even with
> the enum users / groups config lines in smb.conf... How to fix nss?
> A: Debian doesn't install libnss-winbind nor libpam-winbind by
> default.
> 
> apt install libnss-winbind libpam-winbind
> Update /etc/nsswitch.conf if the packages don't add winbind to the
> end of the passwd and group lines.

I would suggest you also install libpam-krb5

> 
> 
> 
> This is a long email by necessity, I'm out of ideas so I'm collecting
> data on both the AD DC and the member server that fails to join as a
> member server.

I can confirm that running Samba as Unix domain member on Debian 11
works, you just need to set it up correctly.

Rowland
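Added example, not from the thread or from the Samba project: a small Python helper that derives the reverse zone (what `samba-tool dns zonecreate` takes) and the relative PTR name (what `samba-tool dns add` takes) from an address and a prefix length, covering both the /16 in-addr.arpa case and the /60 ip6.arpa nibble case shown in the thread. The DC address `::1`, host names and user names are the thread's; the function names are assumed, and the commands are only built as strings, not executed.

```python
import ipaddress

# Assumed helper names (not samba-tool API). Splits an address into the
# reverse zone and the relative PTR owner name for a given prefix length.

def reverse_zone_and_name(address, prefixlen):
    """Return (reverse_zone, relative_name) for address under prefixlen.

    IPv4 zones are cut on octet boundaries (prefixlen % 8 == 0), IPv6 zones
    on nibble boundaries (prefixlen % 4 == 0). Classless delegations such
    as an IPv4 /28 are not handled here and raise ValueError.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        unit, suffix = 8, "in-addr.arpa"
        labels = ip.exploded.split(".")               # ['10', '2', '0', '35']
    else:
        unit, suffix = 4, "ip6.arpa"
        labels = list(ip.exploded.replace(":", ""))   # 32 uncompressed hex nibbles
    if prefixlen % unit:
        raise ValueError(f"prefix length must be a multiple of {unit} for IPv{ip.version}")
    n = prefixlen // unit
    if not 0 < n < len(labels):
        raise ValueError("prefix must leave at least one label for both zone and name")
    zone = ".".join(reversed(labels[:n])) + "." + suffix
    name = ".".join(reversed(labels[n:]))
    # Cross-check against the stdlib's full reverse pointer for the address.
    assert f"{name}.{zone}" == ip.reverse_pointer
    return zone, name


def samba_tool_ptr_commands(dc, fqdn, address, prefixlen, user):
    """Build the zonecreate and PTR add command lines as strings."""
    zone, name = reverse_zone_and_name(address, prefixlen)
    return [
        f"samba-tool dns zonecreate {dc} {zone} -U {user}",
        f"samba-tool dns add {dc} {zone} {name} PTR {fqdn} -U {user}",
    ]


if __name__ == "__main__":
    # Values from the thread: the DC in a /16, the member server in a /60.
    for cmd in samba_tool_ptr_commands("::1", "ad-mo3.nc.nor-consult.com", "10.2.0.35", 16, "Administrator"):
        print(cmd)
    for cmd in samba_tool_ptr_commands("::1", "v-fs5.nc.nor-consult.com", "fd00:6959:d45d:200::2d", 60, "r2"):
        print(cmd)
```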




