[Samba] Unable to join domain

Rob Campbell robcampbell08105 at gmail.com
Tue Oct 12 17:38:52 UTC 2021


*Debian server first DC: DC01*

hostname: DC01

/etc/hosts:
127.0.0.1 localhost
10.0.0.13 dc01.internal.test-server dc01

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=INTERNAL.TEST-SERVER.LAN --domain=INTERNAL --adminpass="Password"
Server Role:           active directory domain controller
Hostname:              DC01
NetBIOS Domain:        INTERNAL
DNS Domain:            internal.test-server.lan
DOMAIN SID:            S-1-5-21-4291246526-3808389449-2935712140

smb.conf:
# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = DC01
realm = INTERNAL.TEST-SERVER.LAN
server role = active directory domain controller
workgroup = INTERNAL
idmap_ldb:use rfc2307 = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/internal.test-server.lan/scripts
read only = No

resolv.conf:
search internal.test-server.lan
nameserver 10.0.0.13

krb5.conf:
[libdefaults]
default_realm = INTERNAL.TEST-SERVER.LAN
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
INTERNAL.TEST-SERVER.LAN = {
default_domain = internal.test-server.lan
}

[domain_realm]
DC01 = INTERNAL.TEST-SERVER.LAN

========================================
*Fedora first file server: FS01*

smb.conf:
[global]
workgroup = INTERNAL
security = ADS
realm = INTERNAL.TEST-SERVER.LAN

winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
idmap config * : backend = autorid
idmap config * : range = 10000-24999999

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind separator = +

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

username map = /etc/samba/usermap.txt

krb5.conf:
[libdefaults]
default_realm = INTERNAL.TEST-SERVER.LAN
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24hr
renew_lifetime = 7d
forwardable = true
rdns = false

[realms]
TEST-SERVER.LAN = {
default_domain = internal.test-server.lan
kdc = internal.test-server.lan
master_kdc = internal.test-server.lan
admin_server = internal.test-server.lan
}

[domain_realm]
test-server = INTERNAL.TEST-SERVER.LAN
test-server.lan = INTERNAL.TEST-SERVER.LAN

/etc/hosts:
127.0.0.1   localhost
::1         localhost
10.0.0.10 fs01.internal.test-server.lan fs01

hostname: FS01

resolv.conf:
# Generated by NetworkManager
nameserver 10.0.0.13
search dc01.internal.test-server.lan

I'm sure there may be some things not quite right with smb.conf, but I've
been trying things online since the default didn't work.  I get the same
reply when trying to join the domain:
net ads join -U administrator
Enter administrator's password:
Using short domain name -- INTERNAL
Joined 'FS01' to dns domain 'internal.test-server.lan'
DNS Update for fs01.internal.test-server.lan failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

netstat -tulpn | egrep 'samba|nmb|smb|bind'
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      5585/smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      5585/smbd
tcp6       0      0 :::445                  :::*                    LISTEN      5585/smbd
tcp6       0      0 :::139                  :::*                    LISTEN      5585/smbd
udp        0      0 10.0.0.255:137          0.0.0.0:*                           5586/nmbd
udp        0      0 10.0.0.10:137           0.0.0.0:*                           5586/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           5586/nmbd
udp        0      0 10.0.0.255:138          0.0.0.0:*                           5586/nmbd
udp        0      0 10.0.0.10:138           0.0.0.0:*                           5586/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           5586/nmbd

wbinfo --ping-dc
checking the NETLOGON for domain[INTERNAL] dc connection to "dc01.internal.test-server.lan" succeeded

getent passwd INTERNAL\\username (Nothing)
getent group "INTERNAL\\Domain Users" (Nothing)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.


On Tue, Oct 12, 2021 at 11:55 AM Patrick Goetz via samba <
samba at lists.samba.org> wrote:

>
>
> On 10/12/21 10:18, Rowland Penny via samba wrote:
> > On Tue, 2021-10-12 at 09:42 -0500, Patrick Goetz via samba wrote:
> >>
> >> On 10/12/21 04:27, Rowland Penny via samba wrote:
> >>> On Tue, 2021-10-12 at 11:14 +0200, L.P.H. van Belle via samba
> >>> wrote:
> >>>> Ow yes, this can work fine.
> >>>>
> >>>> AD-DC, time is given to the PCs over the AD (not NTP
> >>>> directly).
> >>>> Sure, you can configure that, but I didn't.
> >>>>
> >>>> Members: systemd-timedated uses the AD-DC's NTP to sync.
> >>>> Standalones (I have 1) same.
> >>>>
> >>>> The members don't need SNTP to sync time, only the AD-DC <=>
> >>>> Windows.
> >>>> And you can even overrule that, but I'm not doing that.
> >>>>
> >>>> timedatectl show-timesync
> >>>> SystemNTPServers="192.168.1.1 192.168.1.2"
> >>>>
> >>>
> >>> I repeat, your clients are not using the DCs directly for time, you
> >>> might be okay with this, but I am not, but hey, they are your
> >>> clients :-)
> >>>
> >>
> >> I'm not sure why this matters if the drift is less than the
> >> allowable Kerberos time difference.
> >
> > It is this: People can and will do things their own way. I cannot know
> > or remember how they do things their way, I have a bad enough time
> > remembering the recommended way :-)
> >
>
>
> That's fair. I have a dozen or so Ubuntu workstations at work bound to
> an AD domain, and haven't bothered to configure systemd-timedated on
> them, either:
>
> cnsit at armadillo:~$ timedatectl show-timesync
> FallbackNTPServers=ntp.ubuntu.com
> ServerName=ntp.ubuntu.com
> ServerAddress=91.189.89.198
> RootDistanceMaxUSec=5s
> PollIntervalMinUSec=32s
> PollIntervalMaxUSec=34min 8s
> PollIntervalUSec=34min 8s
> NTPMessage={ Leap=0, Version=4, Mode=4, Stratum=2, Precision=-23,
> RootDelay=1.113ms, RootDispersion=40.023ms, Reference=11FD227B,
> OriginateTimestamp=Tue 2021-10-12 10:08:51 CDT, ReceiveTimestamp=Tue
> 2021-10-12 10:08:51 CDT, TransmitTimestamp=Tue 2021-10-12 10:08:51 CDT,
> DestinationTimestamp=Tue 2021-10-12 10:08:51 CDT, Ignored=no
> PacketCount=541, Jitter=2.738ms }
>
>
> It just hasn't ever been a problem. The time differences are too close
> for Kerberos to care.  Yes, I probably *should* configure this, but I'm
> a member of the old school "If it ain't broke, don't fix it" club. One
> usually ends up there after a number of years of systems engineering
> experience, after one too many times of fixing something that was
> working and consequently breaking it, then wondering what the hell you
> were thinking not leaving well enough alone.
>
>
> > Just because I say don't do it that way, doesn't mean it will
> > definitely not work (it possibly will), but it is just not the Samba
> > recommended way of doing things and I cannot test everything (so I know
> > it does work, or not). If anyone feels that something does work and can
> > prove it, then register for the wiki and edit it to add that
> > information.
> >
>
> Did not know mere mortals could sign up for Wiki editing. Will do so, if
> only to fix some vaguely annoying typos I've run into.
>
>
>
>
> > Rowland
> >
> >
> >
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
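`net ads join` reached the DC but the follow-up DNS update failed, and the files posted above are where an admin would start checking: the host name, the Kerberos realm, the AD DNS domain and the resolver search list all have to agree before the member can register its own A record. The script below is an added example, not code from the thread or from the Samba project. It parses /etc/hosts, resolv.conf, krb5.conf and the `[global]` section of smb.conf, derives the expected FQDN and DNS domain from the smb.conf realm, and reports inconsistencies. The function and constant names (`check_host`, `parse_ini`, `FS01_*`, `DC01_*`) are my own, and the embedded inputs are transcriptions of the relevant lines posted above. It reports inconsistencies only; it does not claim which of them, if any, produced ERROR_DNS_UPDATE_FAILED.

```python
"""Consistency checks for the name/realm settings a Samba AD join depends on (added example)."""
import re


def _strip(line):
    """Drop '#'/';' comments and surrounding whitespace."""
    return re.split(r"[#;]", line, maxsplit=1)[0].strip()


def parse_hosts(text):
    """/etc/hosts -> {name: ip}, names lower-cased, first mapping wins."""
    names = {}
    for line in filter(None, map(_strip, text.splitlines())):
        ip, *aliases = line.split()
        for name in aliases:
            names.setdefault(name.lower(), ip)
    return names


def parse_resolv(text):
    """resolv.conf -> {"nameserver": [...], "search": [...]}."""
    conf = {"nameserver": [], "search": []}
    for line in filter(None, map(_strip, text.splitlines())):
        key, *vals = line.split()
        if key in conf:
            conf[key].extend(v.lower() for v in vals)
    return conf


def parse_ini(text, fold_keys=False):
    """smb.conf / krb5.conf -> {section: {key: value}}. A krb5 'NAME = { ... }' block becomes a
    nested dict (one level). fold_keys lower-cases and space-normalises keys, as smb.conf does."""
    conf, section, block = {}, None, None
    for line in filter(None, map(_strip, text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1].strip().lower(), {}), None
            continue
        if line == "}":
            block = None
            continue
        key, _, val = (part.strip() for part in line.partition("="))
        if fold_keys:
            key = " ".join(key.lower().split())
        target = section if block is None else block
        if val == "{":
            block = target.setdefault(key, {})
        else:
            target[key] = val
    return conf


def check_host(hostname, hosts, resolv, krb5, smb):
    """Return findings (empty list = consistent) for one host's configuration files."""
    findings = []
    realm = smb["global"]["realm"].upper()
    dns_domain = realm.lower()               # the AD DNS domain is the realm in lower case
    fqdn = f"{hostname.lower()}.{dns_domain}"
    if fqdn not in hosts:
        findings.append(f"/etc/hosts: no entry for {fqdn}")
    elif hosts[fqdn].startswith("127."):
        findings.append(f"/etc/hosts: {fqdn} maps to loopback {hosts[fqdn]}")
    if not resolv["nameserver"]:
        findings.append("resolv.conf: no nameserver (should be a DC)")
    if dns_domain not in resolv["search"]:
        findings.append(f"resolv.conf: search list {resolv['search']} lacks {dns_domain}")
    default_realm = krb5.get("libdefaults", {}).get("default_realm")
    if default_realm != realm:
        findings.append(f"krb5.conf: default_realm {default_realm!r} != smb.conf realm {realm!r}")
    realms = krb5.get("realms", {})
    if realms and realm not in realms:
        findings.append(f"krb5.conf: [realms] defines {sorted(realms)} but not {realm}")
    mapping = krb5.get("domain_realm", {})
    if mapping and not {dns_domain, "." + dns_domain} & set(mapping):
        findings.append(f"krb5.conf: [domain_realm] {sorted(mapping)} never maps {dns_domain}")
    return findings


# Constructed inputs: the relevant lines of the files posted in the thread above.
FS01_HOSTS = "127.0.0.1 localhost\n::1 localhost\n10.0.0.10 fs01.internal.test-server.lan fs01\n"
FS01_RESOLV = "# Generated by NetworkManager\nnameserver 10.0.0.13\nsearch dc01.internal.test-server.lan\n"
FS01_KRB5 = ("[libdefaults]\ndefault_realm = INTERNAL.TEST-SERVER.LAN\ndns_lookup_kdc = true\n"
             "[realms]\nTEST-SERVER.LAN = {\nkdc = internal.test-server.lan\n}\n"
             "[domain_realm]\ntest-server = INTERNAL.TEST-SERVER.LAN\n"
             "test-server.lan = INTERNAL.TEST-SERVER.LAN\n")
FS01_SMB = "[global]\nworkgroup = INTERNAL\nsecurity = ADS\nrealm = INTERNAL.TEST-SERVER.LAN\n"
DC01_HOSTS = "127.0.0.1 localhost\n10.0.0.13 dc01.internal.test-server dc01\n"
DC01_RESOLV = "search internal.test-server.lan\nnameserver 10.0.0.13\n"
DC01_KRB5 = ("[libdefaults]\ndefault_realm = INTERNAL.TEST-SERVER.LAN\n"
             "[realms]\nINTERNAL.TEST-SERVER.LAN = {\ndefault_domain = internal.test-server.lan\n}\n"
             "[domain_realm]\nDC01 = INTERNAL.TEST-SERVER.LAN\n")
DC01_SMB = "[global]\nnetbios name = DC01\nrealm = INTERNAL.TEST-SERVER.LAN\nworkgroup = INTERNAL\n"


def audit_fs01():
    return check_host("FS01", parse_hosts(FS01_HOSTS), parse_resolv(FS01_RESOLV),
                      parse_ini(FS01_KRB5), parse_ini(FS01_SMB, fold_keys=True))


def audit_dc01():
    return check_host("DC01", parse_hosts(DC01_HOSTS), parse_resolv(DC01_RESOLV),
                      parse_ini(DC01_KRB5), parse_ini(DC01_SMB, fold_keys=True))


if __name__ == "__main__":
    for name, audit in (("FS01", audit_fs01), ("DC01", audit_dc01)):
        print(f"{name}: {len(audit())} finding(s)")
        for finding in audit():
            print("  -", finding)
```

Run against the posted files it reports three findings for FS01 (the search domain is `dc01.internal.test-server.lan` rather than the AD DNS domain, the `[realms]` block is named `TEST-SERVER.LAN` rather than the realm, and `[domain_realm]` never maps `internal.test-server.lan`) and two for DC01 (the /etc/hosts FQDN is `dc01.internal.test-server`, without the `.lan` suffix, and `[domain_realm]` maps only `DC01`). The checker is intentionally offline; the next step on a live host would be to confirm with `host -t SRV _ldap._tcp.internal.test-server.lan` that the nameserver in resolv.conf actually answers for the domain.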

