[Samba] Unable to join domain
Rowland Penny
rpenny at samba.org
Tue Oct 12 18:17:00 UTC 2021
On Tue, 2021-10-12 at 13:38 -0400, Rob Campbell via samba wrote:
> *Debian server first DC: DC01*
>
> hostname: DC01
>
> /etc/hosts:
> 127.0.0.1 localhost
> 10.0.0.13 dc01.internal.test-server dc01
I hope that is a typo, the fqdn has lost the '.lan' from the end
>
>
>
>
> krb5.conf:
> [libdefaults]
> default_realm = INTERNAL.TEST-SERVER.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> INTERNAL.TEST-SERVER.LAN = {
> default_domain = internal.test-server.lan
> }
>
> [domain_realm]
> DC01 = INTERNAL.TEST-SERVER.LAN
>
You only need the first four lines and the '[domain_realm]' is totally
wrong anyway.
> ========================================
> *Fedora first file server: FS01*
>
> smb.conf:
> [global]
> workgroup = INTERNAL
> security = ADS
> realm = INTERNAL.TEST-SERVER.LAN
>
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> idmap config * : backend = autorid
> idmap config * : range = 10000-24999999
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
I would remove the two lines above, you do not need them and they just
slow things down.
> winbind separator = +
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> username map = /etc/samba/usermap.txt
>
> krb5.conf:
> [libdefaults]
> default_realm = INTERNAL.TEST-SERVER.LAN
> dns_lookup_realm = true
> dns_lookup_kdc = true
As the DC, you only need the lines above
>
> /etc/hosts:
> 127.0.0.1 localhost
> ::1 localhost
> 10.0.0.10 fs01.internal.test-server.lan fs01
>
> hostname: FS01
>
> resolv.conf:
> # Generated by NetworkManager
> nameserver 10.0.0.13
> search dc01.internal.test-server.lan
No, your dns domain is 'internal.test-server.lan' so the line should
be:
search internal.test-server.lan
>
> I'm sure there may be some things not quite right with smb.conf but I've
> been trying things online since the default didn't work. I get the same
> reply when trying to join the domain:
> net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- INTERNAL
> Joined 'FS01' to dns domain 'internal.test-server.lan'
> DNS Update for fs01.internal.test-server.lan failed:
> ERROR_DNS_UPDATE_FAILED
That is because you still have problems in your dns
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> netstat -tulpn | egrep 'samba|nmb|smb|bind'
> tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 5585/smbd
> tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 5585/smbd
> tcp6 0 0 :::445 :::* LISTEN 5585/smbd
> tcp6 0 0 :::139 :::* LISTEN 5585/smbd
> udp 0 0 10.0.0.255:137 0.0.0.0:* 5586/nmbd
> udp 0 0 10.0.0.10:137 0.0.0.0:* 5586/nmbd
> udp 0 0 0.0.0.0:137 0.0.0.0:* 5586/nmbd
> udp 0 0 10.0.0.255:138 0.0.0.0:* 5586/nmbd
> udp 0 0 10.0.0.10:138 0.0.0.0:* 5586/nmbd
> udp 0 0 0.0.0.0:138 0.0.0.0:* 5586/nmbd
>
> wbinfo --ping-dc
> checking the NETLOGON for domain[INTERNAL] dc connection to
> "dc01.internal.test-server.lan" succeeded
How did that succeed if your dns domain is now
'internal.test-server.lan' ?
>
> getent passwd INTERNAL\\username (Nothing)
> getent group "INTERNAL\\Domain Users" (Nothing)
Are the winbind links set up correctly and is 'winbind' set on the
'passwd' & 'group' lines in /etc/nsswitch.conf ?
Rowland
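
The three file-level points raised in the reply above (the FQDN in /etc/hosts, the search line in resolv.conf, and winbind in /etc/nsswitch.conf) written as a small checker. This is an added example, not part of the original message; the function names are hypothetical and the sample files are constructed (the nsswitch.conf content in particular does not appear in the thread).

```shell
#!/bin/sh
# Added example (not from the thread): check the three files the reply flags.
# File paths are arguments so the checks can be run against copies.

# hosts: some non-comment line must carry the full FQDN (short name + DNS
# domain) as its first name, e.g. "10.0.0.10 fs01.internal.test-server.lan fs01".
check_hosts() {   # usage: check_hosts FILE SHORTNAME DNSDOMAIN
    awk -v fqdn="$2.$3" '$1 !~ /^#/ && $2 == fqdn { ok = 1 } END { exit !ok }' "$1"
}

# resolv.conf: the search line must name the DNS domain, not a host inside it.
check_search() {  # usage: check_search FILE DNSDOMAIN
    awk -v d="$2" '$1 == "search" && $2 == d { ok = 1 } END { exit !ok }' "$1"
}

# nsswitch.conf: winbind must appear on both the passwd and the group line.
check_nss() {     # usage: check_nss FILE
    awk '$1 == "passwd:" || $1 == "group:" {
             for (i = 2; i <= NF; i++) if ($i == "winbind") seen[$1] = 1 }
         END { exit !(seen["passwd:"] && seen["group:"]) }' "$1"
}

# Print one OK/FAIL line per file; DIR holds hosts, resolv.conf, nsswitch.conf.
audit() {         # usage: audit DIR SHORTNAME DNSDOMAIN
    check_hosts  "$1/hosts" "$2" "$3"  && echo "hosts: OK"    || echo "hosts: FAIL"
    check_search "$1/resolv.conf" "$3" && echo "resolv: OK"   || echo "resolv: FAIL"
    check_nss    "$1/nsswitch.conf"    && echo "nsswitch: OK" || echo "nsswitch: FAIL"
}

# Constructed sample input: DC01's hosts line and FS01's search line as quoted
# in the thread, plus an invented nsswitch.conf with winbind missing on passwd.
make_sample() {   # usage: make_sample DIR
    printf '%s\n' '127.0.0.1 localhost' \
        '10.0.0.13 dc01.internal.test-server dc01' > "$1/hosts"
    printf '%s\n' 'nameserver 10.0.0.13' \
        'search dc01.internal.test-server.lan' > "$1/resolv.conf"
    printf '%s\n' 'passwd: files systemd' 'group: files winbind' > "$1/nsswitch.conf"
}

tmp=$(mktemp -d) && make_sample "$tmp"
audit "$tmp" dc01 internal.test-server.lan
rm -rf "$tmp"
```

On a real member server the same functions can be pointed at copies of /etc/hosts, /etc/resolv.conf and /etc/nsswitch.conf placed in one directory.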