[Samba] Unable to join domain

Rowland Penny rpenny at samba.org
Tue Oct 12 18:17:00 UTC 2021


On Tue, 2021-10-12 at 13:38 -0400, Rob Campbell via samba wrote:
> *Debian server first DC: DC01*
> 
> hostname: DC01
> 
> /etc/hosts:
> 127.0.0.1 localhost
> 10.0.0.13 dc01.internal.test-server dc01

I hope that is a typo; the FQDN has lost the '.lan' from the end.

>
> krb5.conf:
> [libdefaults]
> default_realm = INTERNAL.TEST-SERVER.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> 
> [realms]
> INTERNAL.TEST-SERVER.LAN = {
> default_domain = internal.test-server.lan
> }
> 
> [domain_realm]
> DC01 = INTERNAL.TEST-SERVER.LAN
> 

You only need the first four lines and the '[domain_realm]' is totally
wrong anyway.
 
> ========================================
> *Fedora first file server: FS01*
> 
> smb.conf:
> [global]
> workgroup = INTERNAL
> security = ADS
> realm = INTERNAL.TEST-SERVER.LAN
> 
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> idmap config * : backend = autorid
> idmap config * : range = 10000-24999999
> 
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes

I would remove the two lines above, you do not need them and they just
slow things down.

> winbind separator = +
> 
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> 
> username map = /etc/samba/usermap.txt
> 
> krb5.conf:
> [libdefaults]
> default_realm = INTERNAL.TEST-SERVER.LAN
> dns_lookup_realm = true
> dns_lookup_kdc = true

As the DC, you only need the lines above

> 
> /etc/hosts:
> 127.0.0.1   localhost
> ::1         localhost
> 10.0.0.10 fs01.internal.test-server.lan fs01
> 
> hostname: FS01
> 
> resolv.conf:
> # Generated by NetworkManager
> nameserver 10.0.0.13
> search dc01.internal.test-server.lan

No, your dns domain is 'internal.test-server.lan' so the line should
be:
search internal.test-server.lan

> 
> I'm sure there may be some things not quite right with smb.conf but
> I've been trying things online since the default didn't work.  I get
> the same reply when trying to join the domain:
> net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- INTERNAL
> Joined 'FS01' to dns domain 'internal.test-server.lan'
> DNS Update for fs01.internal.test-server.lan failed:
> ERROR_DNS_UPDATE_FAILED

That is because you still have problems in your dns

> DNS update failed: NT_STATUS_UNSUCCESSFUL
> 
> netstat -tulpn | egrep 'samba|nmb|smb|bind'
> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      5585/smbd
> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      5585/smbd
> tcp6       0      0 :::445                  :::*                    LISTEN      5585/smbd
> tcp6       0      0 :::139                  :::*                    LISTEN      5585/smbd
> udp        0      0 10.0.0.255:137          0.0.0.0:*                           5586/nmbd
> udp        0      0 10.0.0.10:137           0.0.0.0:*                           5586/nmbd
> udp        0      0 0.0.0.0:137             0.0.0.0:*                           5586/nmbd
> udp        0      0 10.0.0.255:138          0.0.0.0:*                           5586/nmbd
> udp        0      0 10.0.0.10:138           0.0.0.0:*                           5586/nmbd
> udp        0      0 0.0.0.0:138             0.0.0.0:*                           5586/nmbd
> 
> wbinfo --ping-dc
> checking the NETLOGON for domain[INTERNAL] dc connection to
> "dc01.internal.test-server.lan" succeeded

How did that succeed if your dns domain is now
'internal.test-server.lan' ?

> 
> getent passwd INTERNAL\\username (Nothing)
> getent group "INTERNAL\\Domain Users" (Nothing)

Are the winbind links set up correctly and is 'winbind' set on the
'passwd' & 'group' lines in /etc/nsswitch.conf ?
 
Rowland
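
The name-resolution and nsswitch points raised in the reply above can be checked mechanically before running 'net ads join'. The following is an added example, not part of the original message or of Samba itself: the function name check_host and the nsswitch.conf sample are constructed, and it assumes the DNS domain is the realm in lower case, as in this thread.

```python
# Added example (not from the original thread): cross-check the files the reply
# flags. check_host and the nsswitch.conf sample are constructed assumptions.

def _entries(text):
    """Yield the whitespace-split fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields

def check_host(hostname, realm, hosts, resolv, nsswitch):
    """Return a list of findings; an empty list means the files agree."""
    host, domain = hostname.lower(), realm.lower()  # assumes DNS domain == realm
    fqdn = f"{host}.{domain}"
    findings = []

    # /etc/hosts: the host's own entry must read "IP FQDN shortname".
    own = [f for f in _entries(hosts)
           if any(n.lower().split(".")[0] == host for n in f[1:])]
    if not own:
        findings.append(f"hosts: no entry for {host}")
    for f in own:
        if f[1].lower() != fqdn:
            findings.append(f"hosts: {f[1]} should be {fqdn}")

    # resolv.conf: 'search' must name the DNS domain, not a host in it.
    search = [d.lower() for f in _entries(resolv) if f[0] == "search" for d in f[1:]]
    if domain not in search:
        findings.append(
            f"resolv.conf: search {' '.join(search) or '(none)'} should be {domain}")

    # nsswitch.conf: getent only sees domain accounts if winbind is a source.
    for db in ("passwd", "group"):
        sources = [s for f in _entries(nsswitch) if f[0] == db + ":" for s in f[1:]]
        if "winbind" not in sources:
            findings.append(f"nsswitch.conf: '{db}' line lacks winbind")
    return findings

REALM = "INTERNAL.TEST-SERVER.LAN"
DC01_HOSTS = "127.0.0.1 localhost\n10.0.0.13 dc01.internal.test-server dc01\n"
FS01_HOSTS = "127.0.0.1 localhost\n10.0.0.10 fs01.internal.test-server.lan fs01\n"
FS01_RESOLV = "nameserver 10.0.0.13\nsearch dc01.internal.test-server.lan\n"
NSSWITCH = "passwd: files systemd\ngroup: files winbind\n"  # constructed sample

if __name__ == "__main__":
    for finding in check_host("FS01", REALM, FS01_HOSTS, FS01_RESOLV, NSSWITCH):
        print(finding)
```

The hosts and resolv.conf samples reuse the values quoted in the thread; on a real machine, read the three files from /etc and pass their contents in.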




