[Samba] Unable to join domain

Rowland Penny rpenny at samba.org
Tue Oct 5 07:54:20 UTC 2021


On Mon, 2021-10-04 at 22:37 -0400, Rob Campbell via samba wrote:
> I followed these instructions:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> 
> These instructions didn't work exactly as they read.  There was one
> step where I didn't get a result because samba was stopped and it
> needed to be running (for DNS) to get the result in the guide, but
> other than that, everything happens as this guide says

No, it all works, you must be misunderstanding something.

>  but when I try to join the domain from a vm I created.  I have just
> one dc at this time.  I've created a Fedora Server 35 vm to add as
> another dc after I get it working solo bc that's how I really want to
> use it.

Are you using the standard Fedora Samba packages? If so, are you aware
that they are experimental when used for a DC, because they use MIT for
Kerberos.

> 
> $ realm join test-server.lan -U Administrator
> Password for Administrator:
> See: journalctl REALMD_OPERATION=r1171585.2732805
> realm: Couldn't join realm: Failed to join the domain
> 
> $ journalctl REALMD_OPERATION=r1171585.2732805
> -- Journal begins at Fri 2021-10-01 15:39:25 EDT, ends at Mon 2021-10-04 22:26:45 EDT. --
> Oct 04 22:24:21 fedora realmd[2732808]:  * Resolving: _ldap._tcp.test-server.lan
> Oct 04 22:24:21 fedora realmd[2732808]:  * Performing LDAP DSE lookup on: 10.0.0.10
> Oct 04 22:24:21 fedora realmd[2732808]:  * Successfully discovered: test-server.lan
> Oct 04 22:24:30 fedora realmd[2732808]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
> Oct 04 22:24:30 fedora realmd[2732808]:  * LANG=C /usr/sbin/adcli join --verbose --domain test-server.lan --domain-realm TEST-SERVER.LAN --domain-controller 10.0.0.10 --login-type user --login-user Administrator --stdin-password
> Oct 04 22:24:30 fedora realmd[2732808]:  * Using domain name: test-server.lan
> Oct 04 22:24:30 fedora realmd[2732808]:  * Calculated computer account name from fqdn: FEDORA
> Oct 04 22:24:30 fedora realmd[2732808]:  * Using domain realm: test-server.lan
> Oct 04 22:24:30 fedora realmd[2732808]:  * Sending NetLogon ping to domain controller: 10.0.0.10
> Oct 04 22:24:46 fedora realmd[2732808]:  * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-OMYnX1/krb5.d/adcli-krb5-conf-lTV3xU
> Oct 04 22:24:46 fedora realmd[2732808]:  ! Couldn't authenticate as: Administrator@TEST-SERVER.LAN: Client 'Administrator@TEST-SERVER.LAN' not found in Kerberos database
> Oct 04 22:24:46 fedora realmd[2732808]: adcli: couldn't connect to test-server.lan domain: Couldn't authenticate as: Administrator@TEST-SERVER.LAN: Client 'Administrator@TEST-SERVER.LAN' not found in Kerberos database
> Oct 04 22:24:46 fedora realmd[2732808]:  ! Failed to join the domain

Sorry, but you cannot use realmd to join a DC

> 
> /etc/samba/smb.conf:
> # Global parameters
> [global]
> dns forwarder = 10.0.0.1
> netbios name = FS34
> realm = TEST-SERVER.LAN
> server role = active directory domain controller
> workgroup = TEST-SERVER
> idmap_ldb:use rfc2307 = yes
> 
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> 
> [netlogon]
> path = /var/lib/samba/sysvol/test-server.lan/scripts
> read only = No
> 
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> valid users = %S
> ; valid users = MYDOMAIN\%S
> 
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> guest ok = no
> writable = no
> printable = yes
> 
> # Un-comment the following and create the netlogon directory for Domain Logons:
> ; [netlogon]
> ; comment = Network Logon Service
> ; path = /var/lib/samba/netlogon
> ; guest ok = yes
> ; writable = no
> ; share modes = no
> 
> # Un-comment the following to provide a specific roaming profile share.
> # The default is to use the user's home directory:
> ; [Profiles]
> ; path = /var/lib/samba/profiles
> ; browseable = no
> ; guest ok = yes
> 
> # A publicly accessible directory that is read only, except for users in the
> # "staff" group (which have write permissions):
> ; [public]
> ; comment = Public Stuff
> ; path = /home/samba
> ; public = yes
> ; writable = no
> ; printable = no
> ; write list = +staff
> 
> [Photos]
> comment = Photos
> path = /multimedia/Photos
> 
> browseable = Yes
> read only = No
> inherit acls = Yes
> 
> [Videos]
> comment = Videos
> path = /multimedia/Videos
> 
> browseable = Yes
> read only = No
> inherit acls = Yes
> 
> [Movies]
> comment = Videos
> path = /multimedia/Movies
> 
> browseable = Yes
> read only = No
> inherit acls = Yes
> 
> [Music]
> comment = Videos
> path = /multimedia/Music
> 
> browseable = Yes
> read only = No
> inherit acls = Yes
> 
> [seagate]
> comment = Videos
> path = /media/seagate
> 
> browseable = Yes
> read only = No
> inherit acls = Yes
> 
> /etc/krb5.conf:
> [libdefaults]
> default_realm = TEST-SERVER.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> 
> [realms]
> TEST-SERVER.LAN = {
> default_domain = test-server.lan
> kdc = test-server.lan
> }
> 
> [domain_realm]
> fs34 = TEST-SERVER.LAN
> dc01 = TEST-SERVER.LAN
> .test-server = TEST-SERVER.LAN
> .test-server.lan = TEST-SERVER.LAN
> dc01.test-server.lan = TEST-SERVER.LAN
> 
> I am able to access the shares and I have mounted them (as a user I've
> added).
> //test-server.lan/Photos  2.7T  1.8T  926G  66% /home/user/mnt/Photos
> //test-server.lan/Videos  2.8T  1.9T  926G  68% /home/user/mnt/Videos
> //test-server.lan/Movies  2.8T  1.9T  926G  68% /home/user/mnt/Movies
> 
> # smbclient -L test-server.lan -U user
> Enter TEST-SERVER\user's password:
> 
> Sharename       Type      Comment
> ---------       ----      -------
> sysvol          Disk
> netlogon        Disk
> Photos          Disk      Photos
> Videos          Disk      Videos
> Movies          Disk      Videos
> Music           Disk      Videos
> seagate         Disk      Videos
> IPC$            IPC       IPC Service (Samba 4.14.7)
> SMB1 disabled -- no workgroup available
> 

Is it possible that you think you can create a DC smb.conf and then
join it as a DC with realmd? If so, then sorry to disillusion you, but
that will never work. Also you should be aware that Samba does not
recommend using a DC as a fileserver.

Rowland