[Samba] Unable to join domain

Rowland Penny rpenny at samba.org
Tue Oct 5 18:04:28 UTC 2021 

On Tue, 2021-10-05 at 13:36 -0400, Rob Campbell wrote:
> Miscommunication.  When I say join a domain, I mean joining a
> workstation to the domain, not another DC.  I want to eventually use
> the graphical login but figured the command line would give me more
> information on failures.  

OK, so you want to run Samba as a Unix domain member, so can you post
the smb.conf that you are using, the one you posted was for a DC being
used as a fileserver.

> 
> 
> 
> The actual login does exist, I created it with 'samba-tool user add
> username'.  I've also tried 'samba-tool user create username --user-
> username-as-cn --surname="Last" --given-name-"First" --initials=FML 
> --mail-address=fml at yahoo.com --profile-path=\\\\test-
> server.lan\\profiles\\username'
> 
> There seems to be intermittent issues.  Sometimes it doesn't even
> prompt for password.  Other times, it doesn't accept the password. 
> And sometimes it works.
> 
> 

There seems to be something wrong, somewhere:

adminuser at dmtest:~$ kinit administrator
Password for administrator at SAMDOM.EXAMPLE.COM: 
adminuser at dmtest:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator at SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
05/10/21 18:53:15  06/10/21 04:53:15  
krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
	renew until 06/10/21 18:53:06
> 
> 
> FYI:
> When I read
> Samba provides experimental support for the MIT Kerberos KDC provided
> by your operating system if you run Samba 4.7 or later and has been
> built using the --with-system-mitkrb5 option. In other cases Samba
> uses the Heimdal KDC included in Samba.

If you use the fedora Samba packages to create a Samba AD DC, then you
will be using MIT for the KDC, but a Unix client can use either the MIT
or Heimdal tools.

> 
> I read that to mean if you don't build Samba AND you didn't build it
> with --with-system-mitkrb5, Samba uses Heimdal KDC (which is my
> scenario).  Maybe there could be an option you could use to determine
> which is being used, similar to 'samba -b' if knowing which you have
> is important.

There is a way of knowing. If the distro is based on Debian, it will
use Heimdal for a Samba DC, if it is Fedora based, it will use MIT, (I
believe Suse is the same), and finally you cannot provision a Samba AD
domain with RHEL packages, this includes all the compatible RHEL
distros.  

Rowland

More information about the samba mailing list