[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server

Michael Evans michael.evans at nor-consult.com
Mon Nov 22 05:58:47 UTC 2021


I was mistaken; I noticed that the result was really a failure. However, it
failed far faster than when it was trying to talk over IPv6, so I'd assumed
it had worked and the result message looked like a success; wishful
thinking.

Trying the full IPv6 disable test.

editor /etc/sysctl.d/98-noipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Edit the Linux command line provided by the VM environment: ipv6.disable=1

Reboot the VM to have it take effect.


host -t SRV _ldap._tcp.test.nor-consult.com ; host -t SRV _kerberos._udp.test.nor-consult.com ; host -a dtdc.test.nor-consult.com
_ldap._tcp.test.nor-consult.com has SRV record 0 100 389 dtdc.test.nor-consult.com.
_kerberos._udp.test.nor-consult.com has SRV record 0 100 88 dtdc.test.nor-consult.com.
Trying "dtdc.test.nor-consult.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2836
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;dtdc.test.nor-consult.com.     IN      ANY

;; ANSWER SECTION:
dtdc.test.nor-consult.com. 900  IN      A       10.2.0.46

;; AUTHORITY SECTION:
test.nor-consult.com.   3600    IN      SOA     dtdc.test.nor-consult.com. hostmaster.test.nor-consult.com. 1 900 600 86400 3600

Received 106 bytes from 10.2.0.46#53 in 0 ms

net ads join -d5 -U Administrator 2>&1 | tee join-21.txt


...
resolve_ads: Attempting to resolve KDCs for test.nor-consult.com using DNS
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 10.2.0.46:88 
create_local_private_krb5_conf_for_domain: wrote file /run/samba/smb_krb5/krb5.conf.TEST with realm TEST.NOR-CONSULT.COM KDC list =
        kdc = 10.2.0.46

sitename_fetch: Returning sitename for realm 'TEST.NOR-CONSULT.COM': "Default-First-Site-Name"
name dtdc.test.nor-consult.com#20 found.
ads_try_connect: sending CLDAP request to 10.2.0.46 (realm: test.nor-consult.com)
Successfully contacted LDAP server 10.2.0.46
Connecting to 10.2.0.46 at port 389
Connected to LDAP server dtdc.test.nor-consult.com
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password Administrator@TEST.NOR-CONSULT.COM failed: Cannot contact any KDC for requested realm
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dtdc.test.nor-consult.com with user[Administrator] realm[TEST.NOR-CONSULT.COM]: Cannot contact any KDC for requested realm, fallback to NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:

Got NTLMSSP neg_flags=0x62898235
... x4 + some console spam
ads_gen_add: AD LDAP: Adding cn=DTDM,CN=Computers,dc=TEST,dc=NOR-CONSULT,dc=COM

... It has hung here for OVER an HOUR.

I did copy the krb5.conf file it was using though.

root@dtdm:~# cp /run/samba/smb_krb5/krb5.conf.TEST /etc/krb5.conf.brokenTEST
root@dtdm:~# cat /etc/krb5.conf.brokenTEST
[libdefaults]
        default_realm = TEST.NOR-CONSULT.COM
        default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        TEST.NOR-CONSULT.COM = {
                kdc = 10.2.0.46
        }
        TEST = {
                kdc = 10.2.0.46
        }

bad_Test.pass
KRB5_CONFIG=/etc/krb5.conf.brokenTEST kinit Administrator@TEST.NOR-CONSULT.COM
Password for Administrator@TEST.NOR-CONSULT.COM: 
kinit: Cannot contact any KDC for realm 'TEST.NOR-CONSULT.COM' while getting initial credentials

KRB5_TRACE=/dev/stderr KRB5_CONFIG=/etc/krb5.conf.brokenTEST kinit Administrator@TEST.NOR-CONSULT.COM
[621] 1637559631.591668: Getting initial credentials for Administrator@TEST.NOR-CONSULT.COM
[621] 1637559631.591670: Sending unauthenticated request
[621] 1637559631.591671: Sending request (209 bytes) to TEST.NOR-CONSULT.COM
[621] 1637559631.591672: Resolving hostname 10.2.0.46
[621] 1637559631.591673: Sending initial UDP request to dgram 10.2.0.46:88
[621] 1637559631.591674: Received answer (317 bytes) from dgram 10.2.0.46:88
[621] 1637559631.591675: Sending DNS URI query for _kerberos.TEST.NOR-CONSULT.COM.
[621] 1637559631.591676: No URI records found
[621] 1637559631.591677: Sending DNS SRV query for _kerberos-master._udp.TEST.NOR-CONSULT.COM.
[621] 1637559631.591678: Sending DNS SRV query for _kerberos-master._tcp.TEST.NOR-CONSULT.COM.
[621] 1637559631.591679: No SRV records found
[621] 1637559631.591680: Response was not from master KDC
[621] 1637559631.591681: Received error from KDC: -1765328359/Additional pre-authentication required
[621] 1637559631.591684: Preauthenticating using KDC method data
[621] 1637559631.591685: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[621] 1637559631.591686: Selected etype info: etype aes256-cts, salt "TEST.NOR-CONSULT.COMAdministrator", params "\x00\x00\x10\x00"
Password for Administrator@TEST.NOR-CONSULT.COM: 
[621] 1637559637.181263: AS key obtained for encrypted timestamp: aes256-cts/4A17
[621] 1637559637.181265: Encrypted timestamp (for 1637559636.710429): plain 301AA011180F32303231313132323035343033365AA10502030AD71D, encrypted ED6D444B0743B50F77C07302B9678692821D35A8AF259046F5C631B1FEF69C1C52CDD7AC751C41540E7A7C83B01CE63CC06B1BA3ACCC8611
[621] 1637559637.181266: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[621] 1637559637.181267: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[621] 1637559637.181268: Sending request (289 bytes) to TEST.NOR-CONSULT.COM
[621] 1637559637.181269: Resolving hostname 10.2.0.46
[621] 1637559637.181270: Sending initial UDP request to dgram 10.2.0.46:88
[621] 1637559637.181271: Received answer (192 bytes) from dgram 10.2.0.46:88
[621] 1637559637.181272: Sending DNS URI query for _kerberos.TEST.NOR-CONSULT.COM.
[621] 1637559637.181273: No URI records found
[621] 1637559637.181274: Sending DNS SRV query for _kerberos-master._udp.TEST.NOR-CONSULT.COM.
[621] 1637559637.181275: Sending DNS SRV query for _kerberos-master._tcp.TEST.NOR-CONSULT.COM.
[621] 1637559637.181276: No SRV records found
[621] 1637559637.181277: Response was not from master KDC
[621] 1637559637.181278: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[621] 1637559637.181279: Request or response is too big for UDP; retrying with TCP
[621] 1637559637.181280: Sending request (289 bytes) to TEST.NOR-CONSULT.COM (tcp only)
[621] 1637559637.181281: Resolving hostname 10.2.0.46
[621] 1637559637.181282: Initiating TCP connection to stream 10.2.0.46:88
[621] 1637559637.181283: Sending TCP request to stream 10.2.0.46:88
[621] 1637559661.265737: Terminating TCP connection to stream 10.2.0.46:88
kinit: Cannot contact any KDC for realm 'TEST.NOR-CONSULT.COM' while getting initial credentials


root@dtdc:~# ss -nl | grep :88
udp   UNCONN 0      0      10.2.0.46:88      0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:88      0.0.0.0:*
tcp   LISTEN 0      0      10.2.0.46:88      0.0.0.0:*
tcp   LISTEN 0      0      127.0.0.1:88      0.0.0.0:*


DNS strikes me as maybe an issue:
[621] 1637559631.591675: Sending DNS URI query for _kerberos.TEST.NOR-CONSULT.COM.
[621] 1637559631.591676: No URI records found
[621] 1637559631.591677: Sending DNS SRV query for _kerberos-master._udp.TEST.NOR-CONSULT.COM.
[621] 1637559631.591678: Sending DNS SRV query for _kerberos-master._tcp.TEST.NOR-CONSULT.COM.
[621] 1637559631.591679: No SRV records found
[621] 1637559631.591680: Response was not from master KDC

However it ends up trying to connect anyway.
[621] 1637559637.181283: Sending TCP request to stream 10.2.0.46:88
[621] 1637559661.265737: Terminating TCP connection to stream 10.2.0.46:88
kinit: Cannot contact any KDC for realm 'TEST.NOR-CONSULT.COM' while getting initial credentials


What log entries need to be set to see the other side of this on the Samba
AD DC?  Maybe that will illuminate what's going wrong?
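As an added example (not part of the post above, and not code from Samba or MIT Kerberos), the script below reads KRB5_TRACE output of the kind quoted in the message and pairs each "Sending ... request" with the matching "Received answer" or "Terminating TCP connection" for that KDC endpoint. That makes the pattern in the trace mechanical to spot: two UDP requests to 10.2.0.46:88 were answered, the KDC then returned RESPONSE_TOO_BIG (-1765328332) so the client switched to TCP, and the single TCP request was torn down after roughly 24 seconds with no reply. The sample trace is constructed from the lines quoted in the post; the status tags and wording of the diagnosis are the example's own.

```python
"""Classify KDC transport outcomes from an MIT Kerberos KRB5_TRACE dump.

Trace lines look like '[pid] seconds.micros: message'. Only the lines that
describe a request, a reply, a TCP teardown, or a KDC error code are used.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^\[(?P<pid>\d+)\]\s+(?P<ts>\d+\.\d+):\s+(?P<msg>.*)$")
SEND_RE = re.compile(r"Sending (?:initial UDP|TCP) request to (?P<proto>dgram|stream) (?P<ep>\S+)")
RECV_RE = re.compile(r"Received answer \((?P<n>\d+) bytes\) from (?P<proto>dgram|stream) (?P<ep>\S+)")
TERM_RE = re.compile(r"Terminating TCP connection to stream (?P<ep>\S+)")
KDCERR_RE = re.compile(r"Received error from KDC: (?P<code>-?\d+)/(?P<text>.*)")

# krb5 error code that makes the client abandon UDP and retry the same request over TCP.
KRB5KRB_ERR_RESPONSE_TOO_BIG = -1765328332

# Constructed sample, assembled from the lines quoted in the post (not a new capture).
SAMPLE_TRACE = """\
[621] 1637559631.591673: Sending initial UDP request to dgram 10.2.0.46:88
[621] 1637559631.591674: Received answer (317 bytes) from dgram 10.2.0.46:88
[621] 1637559631.591681: Received error from KDC: -1765328359/Additional pre-authentication required
[621] 1637559637.181270: Sending initial UDP request to dgram 10.2.0.46:88
[621] 1637559637.181271: Received answer (192 bytes) from dgram 10.2.0.46:88
[621] 1637559637.181278: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[621] 1637559637.181282: Initiating TCP connection to stream 10.2.0.46:88
[621] 1637559637.181283: Sending TCP request to stream 10.2.0.46:88
[621] 1637559661.265737: Terminating TCP connection to stream 10.2.0.46:88
"""


@dataclass
class Attempt:
    proto: str            # "udp" or "tcp"
    endpoint: str         # "host:port" as printed by krb5
    sent_at: float        # trace timestamp of the send
    answered: bool = False
    reply_bytes: int = 0
    elapsed: float = 0.0  # time until reply, or until teardown when unanswered


def parse_trace(text):
    """Return (attempts, saw_response_too_big) for one KRB5_TRACE dump."""
    attempts = []
    pending = {}   # (proto, endpoint) -> index of the attempt still waiting for a reply
    saw_too_big = False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = float(m.group("ts")), m.group("msg")
        if (s := SEND_RE.search(msg)):
            proto = "udp" if s.group("proto") == "dgram" else "tcp"
            attempts.append(Attempt(proto, s.group("ep"), ts))
            pending[(proto, s.group("ep"))] = len(attempts) - 1
        elif (r := RECV_RE.search(msg)):
            proto = "udp" if r.group("proto") == "dgram" else "tcp"
            i = pending.pop((proto, r.group("ep")), None)
            if i is not None:
                a = attempts[i]
                a.answered, a.reply_bytes, a.elapsed = True, int(r.group("n")), ts - a.sent_at
        elif (t := TERM_RE.search(msg)):
            # A teardown for a still-pending TCP request means the KDC never replied.
            i = pending.pop(("tcp", t.group("ep")), None)
            if i is not None:
                attempts[i].elapsed = ts - attempts[i].sent_at
        elif (e := KDCERR_RE.search(msg)) and int(e.group("code")) == KRB5KRB_ERR_RESPONSE_TOO_BIG:
            saw_too_big = True
    return attempts, saw_too_big


def diagnose(attempts, saw_too_big):
    """Return (status_tag, explanation); the tags are this example's own names."""
    udp_ok = [a for a in attempts if a.proto == "udp" and a.answered]
    tcp = [a for a in attempts if a.proto == "tcp"]
    tcp_dead = [a for a in tcp if not a.answered]
    if tcp and not tcp_dead:
        return "tcp-ok", "TCP requests to the KDC were answered."
    if udp_ok and tcp and len(tcp_dead) == len(tcp):
        worst = max(a.elapsed for a in tcp_dead)
        why = (" (the KDC returned RESPONSE_TOO_BIG, so this reply can only arrive over TCP)"
               if saw_too_big else "")
        return "udp-ok-tcp-dead", (
            f"UDP to {udp_ok[0].endpoint} was answered, but every TCP request to the same "
            f"endpoint was closed with no reply after {worst:.1f}s{why}: check for a host or "
            f"network firewall, a stateful filter, or an MTU/path problem on tcp/88."
        )
    if attempts and not any(a.answered for a in attempts):
        return "no-answer", "No KDC request on any transport was answered."
    return "inconclusive", "Not enough transport events in the trace to classify."


if __name__ == "__main__":
    found, too_big = parse_trace(SAMPLE_TRACE)
    for a in found:
        print(f"{a.proto} {a.endpoint} answered={a.answered} bytes={a.reply_bytes} after {a.elapsed:.3f}s")
    print(*diagnose(found, too_big))
```

Two things in the trace that the analyzer deliberately ignores: the `_kerberos-master._udp`/`_tcp` SRV lookups and the "Response was not from master KDC" line. MIT krb5 issues those lookups to find a master KDC to retry against after certain failures; when no such record is published, "No SRV records found" is the expected result and is not the cause of the failure. The point the script isolates is that the same KDC answered over UDP and then went silent over TCP, which the `ss` output on the DC (tcp/88 listening on 10.2.0.46) does not explain by itself.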



