[Samba] Unable to join domain

Rob Campbell robcampbell08105 at gmail.com
Tue Oct 5 02:37:07 UTC 2021


I followed these instructions:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

These instructions didn't work exactly as they read.  There was one step where I
didn't get a result because Samba was stopped and it needed to be running
(for DNS) to get the result in the guide, but other than that everything
happens as this guide says.  The problem comes when I try to join the domain
from a VM I created.  I have just one DC at this time.  I've created a Fedora
Server 35 VM to add as another DC after I get it working solo, because that's
how I really want to use it.

$ realm join test-server.lan -U Administrator
Password for Administrator:
See: journalctl REALMD_OPERATION=r1171585.2732805
realm: Couldn't join realm: Failed to join the domain

$ journalctl REALMD_OPERATION=r1171585.2732805
-- Journal begins at Fri 2021-10-01 15:39:25 EDT, ends at Mon 2021-10-04 22:26:45 EDT. --
Oct 04 22:24:21 fedora realmd[2732808]:  * Resolving: _ldap._tcp.test-server.lan
Oct 04 22:24:21 fedora realmd[2732808]:  * Performing LDAP DSE lookup on: 10.0.0.10
Oct 04 22:24:21 fedora realmd[2732808]:  * Successfully discovered: test-server.lan
Oct 04 22:24:30 fedora realmd[2732808]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
Oct 04 22:24:30 fedora realmd[2732808]:  * LANG=C /usr/sbin/adcli join --verbose --domain test-server.lan --domain-realm TEST-SERVER.LAN --domain-controller 10.0.0.10 --login-type user --login-user Administrator --stdin-password
Oct 04 22:24:30 fedora realmd[2732808]:  * Using domain name: test-server.lan
Oct 04 22:24:30 fedora realmd[2732808]:  * Calculated computer account name from fqdn: FEDORA
Oct 04 22:24:30 fedora realmd[2732808]:  * Using domain realm: test-server.lan
Oct 04 22:24:30 fedora realmd[2732808]:  * Sending NetLogon ping to domain controller: 10.0.0.10
Oct 04 22:24:46 fedora realmd[2732808]:  * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-OMYnX1/krb5.d/adcli-krb5-conf-lTV3xU
Oct 04 22:24:46 fedora realmd[2732808]:  ! Couldn't authenticate as: Administrator@TEST-SERVER.LAN: Client 'Administrator@TEST-SERVER.LAN' not found in Kerberos database
Oct 04 22:24:46 fedora realmd[2732808]: adcli: couldn't connect to test-server.lan domain: Couldn't authenticate as: Administrator@TEST-SERVER.LAN: Client 'Administrator@TEST-SERVER.LAN' not found in Kerberos database
Oct 04 22:24:46 fedora realmd[2732808]:  ! Failed to join the domain

/etc/samba/smb.conf:
# Global parameters
[global]
dns forwarder = 10.0.0.1
netbios name = FS34
realm = TEST-SERVER.LAN
server role = active directory domain controller
workgroup = TEST-SERVER
idmap_ldb:use rfc2307 = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/test-server.lan/scripts
read only = No

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
; valid users = MYDOMAIN\%S

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons:
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no

# Un-comment the following to provide a specific roaming profile share.
# The default is to use the user's home directory:
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes

# A publicly accessible directory that is read only, except for users in the
# "staff" group (which have write permissions):
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = no
; printable = no
; write list = +staff

[Photos]
comment = Photos
path = /multimedia/Photos

browseable = Yes
read only = No
inherit acls = Yes

[Videos]
comment = Videos
path = /multimedia/Videos

browseable = Yes
read only = No
inherit acls = Yes

[Movies]
comment = Videos
path = /multimedia/Movies

browseable = Yes
read only = No
inherit acls = Yes

[Music]
comment = Videos
path = /multimedia/Music

browseable = Yes
read only = No
inherit acls = Yes

[seagate]
comment = Videos
path = /media/seagate

browseable = Yes
read only = No
inherit acls = Yes

/etc/krb5.conf:
[libdefaults]
default_realm = TEST-SERVER.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h

[realms]
TEST-SERVER.LAN = {
default_domain = test-server.lan
kdc = test-server.lan
}

[domain_realm]
fs34 = TEST-SERVER.LAN
dc01 = TEST-SERVER.LAN
.test-server = TEST-SERVER.LAN
.test-server.lan = TEST-SERVER.LAN
dc01.test-server.lan = TEST-SERVER.LAN

I am able to access the shares and I have mounted them (as a user I've
added).
//test-server.lan/Photos  2.7T  1.8T  926G  66% /home/user/mnt/Photos
//test-server.lan/Videos  2.8T  1.9T  926G  68% /home/user/mnt/Videos
//test-server.lan/Movies  2.8T  1.9T  926G  68% /home/user/mnt/Movies

# smbclient -L test-server.lan -U user
Enter TEST-SERVER\user's password:

Sharename       Type      Comment
---------       ----      -------
sysvol          Disk
netlogon        Disk
Photos          Disk      Photos
Videos          Disk      Videos
Movies          Disk      Videos
Music           Disk      Videos
seagate         Disk      Videos
IPC$            IPC       IPC Service (Samba 4.14.7)
SMB1 disabled -- no workgroup available

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.
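A cross-check of the three artefacts in the post (the realm in smb.conf, the default realm and KDC in krb5.conf, and the realm of the principal adcli failed to authenticate as in the realmd journal), as an added example that is not part of the original post or of Samba/realmd. The sample config and log text is constructed from the post's excerpts, and the function names are assumptions.

```python
import re
# Constructed samples mirroring the post's artefacts (not the poster's full files).
SMB_CONF = """[global]
realm = TEST-SERVER.LAN
"""
KRB5_CONF = """[libdefaults]
default_realm = TEST-SERVER.LAN
[realms]
TEST-SERVER.LAN = {
kdc = test-server.lan
}
"""
REALMD_LOG = """Oct 04 22:24:21 fedora realmd[2732808]:  * Performing LDAP DSE lookup on: 10.0.0.10
Oct 04 22:24:46 fedora realmd[2732808]:  ! Couldn't authenticate as: Administrator@TEST-SERVER.LAN: Client 'Administrator@TEST-SERVER.LAN' not found in Kerberos database
Oct 04 22:24:46 fedora realmd[2732808]:  ! Failed to join the domain
"""

def ini_section(text, name):
    """Key/value pairs of one [section] of an smb.conf-style file (comments skipped)."""
    out, active = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            active = line == f"[{name}]"
        elif active and "=" in line and not line.startswith((";", "#")):
            key, value = line.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out

def krb5_settings(text):
    """Return (default_realm, {REALM: [kdc, ...]}) parsed from a krb5.conf."""
    default = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    kdcs = {realm: re.findall(r"^\s*kdc\s*=\s*(\S+)", body, re.M)
            for realm, body in re.findall(r"^\s*(\S+)\s*=\s*\{(.*?)\}", text, re.M | re.S)}
    return (default.group(1) if default else None), kdcs

def check_join(smb_conf, krb5_conf, log):
    """Cross-check the realm across smb.conf, krb5.conf and the failed adcli join."""
    smb_realm = ini_section(smb_conf, "global").get("realm")
    default_realm, kdcs = krb5_settings(krb5_conf)
    findings = []
    if smb_realm != default_realm:
        findings.append(f"realm mismatch: smb.conf={smb_realm} krb5.conf={default_realm}")
    if smb_realm not in kdcs:
        findings.append(f"krb5.conf has no [realms] entry for {smb_realm}")
    # realmd marks each adcli step with ' * ' and each failure with ' ! '
    for level, msg in re.findall(r"realmd\[\d+\]:\s+([*!])\s+(.*)$", log, re.M):
        m = re.search(r"authenticate as: [^@\s]+@([^:\s]+):", msg)
        if level == "!" and m and m.group(1) != smb_realm:
            findings.append(f"principal realm {m.group(1)} differs from smb.conf realm {smb_realm}")
        elif level == "!":
            findings.append("adcli failure: " + msg)
    return findings
```

On the post's own values the realms all agree, so the only findings are the two adcli failures; the check reports a mismatch only when one of the files names a different realm.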
