[Samba] Unable to join domain

Rob Campbell robcampbell08105 at gmail.com
Tue Oct 12 21:25:44 UTC 2021


>> 10.0.0.13 dc01.internal.test-server dc01

> I hope that is a typo, the fqdn has lost the '.lan' from the end

It was. It was just a copy and paste but maybe when I was editing the email
I removed it by accident.  It is correct in the actual file.

>> search dc01.internal.test-server.lan

> No, your dns domain is 'internal.test-server.lan' so the line should be:
> search internal.test-server.lan

I did make this change during my troubleshooting while waiting for a
response.  Previously, DC01 was the subdomain [incorrectly] and I didn't
remove it when I made the changes.

>> winbind enum users = yes
>> winbind enum groups = yes

> I would remove the two lines above, you do not need them and they just
> slow things down.

Yes. It said that in the wiki but I thought it would provide some info if
there were a problem since it said only use for testing purposes.

>> krb5.conf:
>> [libdefaults]
>> default_realm = INTERNAL.TEST-SERVER.LAN
>> dns_lookup_realm = true
>> dns_lookup_kdc = true

> As the DC, you only need the lines above

This is on the FS (file server, the one I'm joining as a member).  Should
it still only be these lines?

>> net ads join -U administrator
>> Enter administrator's password:
>> Using short domain name -- INTERNAL
>> Joined 'FS01' to dns domain 'internal.test-server.lan'
>> DNS Update for fs01.internal.test-server.lan failed:
>> ERROR_DNS_UPDATE_FAILED

> How did that succeed if your dns domain is now 'internal.test-server.lan'?

Not sure, but maybe because fs01.internal.test-server.lan and
internal.test-server.lan resolve to the same IP?

> Are the winbind links set up correctly and is 'winbind' set on the
> 'passwd' & 'group' lines in /etc/nsswitch.conf ?

passwd:     files winbind #systemd
group:      files winbind #systemd

I just commented out systemd and now I get a response:

getent group "INTERNAL\\Domain Users"
domain users:x:110513:

Still something is wrong with dns.  I'm not able to resolve from DC01 to
FS01 but I can the other way.

net ads join -U administrator
Enter administrator's password:
Using short domain name -- INTERNAL
Joined 'FS01' to dns domain 'internal.test-server.lan'
DNS Update for fs01.internal.test-server.lan failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

On DC01 I had to do this to get reverse lookups to work:
samba-tool dns add internal.test-server.lan 0.0.10.in-addr.arpa 13 PTR internal.test-server.lan

If I try something similar on FS01, it complains about port 135 refusing.
Samba isn't running on FS01 as it is on DC01.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.


On Tue, Oct 12, 2021 at 2:18 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Tue, 2021-10-12 at 13:38 -0400, Rob Campbell via samba wrote:
> > *Debian server first DC: DC01*
> >
> > hostname: DC01
> >
> > /etc/hosts:
> > 127.0.0.1 localhost
> > 10.0.0.13 dc01.internal.test-server dc01
>
> I hope that is a typo, the fqdn has lost the '.lan' from the end
>
> >
> > krb5.conf:
> > [libdefaults]
> > default_realm = INTERNAL.TEST-SERVER.LAN
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > [realms]
> > INTERNAL.TEST-SERVER.LAN = {
> > default_domain = internal.test-server.lan
> > }
> >
> > [domain_realm]
> > DC01 = INTERNAL.TEST-SERVER.LAN
> >
>
> You only need the first four lines and the '[domain_realm]' is totally
> wrong anyway.
>
> > ========================================
> > *Fedora first file server: FS01*
> >
> > smb.conf:
> > [global]
> > workgroup = INTERNAL
> > security = ADS
> > realm = INTERNAL.TEST-SERVER.LAN
> >
> > winbind refresh tickets = Yes
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> > idmap config * : backend = autorid
> > idmap config * : range = 10000-24999999
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > winbind use default domain = yes
> > winbind enum users = yes
> > winbind enum groups = yes
>
> I would remove the two lines above, you do not need them and they just
> slow things down.
>
> > winbind separator = +
> >
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > username map = /etc/samba/usermap.txt
> >
> > krb5.conf:
> > [libdefaults]
> > default_realm = INTERNAL.TEST-SERVER.LAN
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
>
> As the DC, you only need the lines above
>
> >
> > /etc/hosts:
> > 127.0.0.1   localhost
> > ::1         localhost
> > 10.0.0.10 fs01.internal.test-server.lan fs01
> >
> > hostname: FS01
> >
> > resolv.conf:
> > # Generated by NetworkManager
> > nameserver 10.0.0.13
> > search dc01.internal.test-server.lan
>
> No, your dns domain is 'internal.test-server.lan' so the line should
> be:
> search internal.test-server.lan
>
> >
> > I'm sure there may be some things not quite right with smb.conf but I've
> > been trying things online since the default didn't work.  I get the same
> > reply when trying to join the domain:
> > net ads join -U administrator
> > Enter administrator's password:
> > Using short domain name -- INTERNAL
> > Joined 'FS01' to dns domain 'internal.test-server.lan'
> > DNS Update for fs01.internal.test-server.lan failed:
> > ERROR_DNS_UPDATE_FAILED
>
> That is because you still have problems in your dns
>
> > DNS update failed: NT_STATUS_UNSUCCESSFUL
> >
> > netstat -tulpn | egrep 'samba|nmb|smb|bind'
> > tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      5585/smbd
> > tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      5585/smbd
> > tcp6       0      0 :::445                  :::*                    LISTEN      5585/smbd
> > tcp6       0      0 :::139                  :::*                    LISTEN      5585/smbd
> > udp        0      0 10.0.0.255:137          0.0.0.0:*                           5586/nmbd
> > udp        0      0 10.0.0.10:137           0.0.0.0:*                           5586/nmbd
> > udp        0      0 0.0.0.0:137             0.0.0.0:*                           5586/nmbd
> > udp        0      0 10.0.0.255:138          0.0.0.0:*                           5586/nmbd
> > udp        0      0 10.0.0.10:138           0.0.0.0:*                           5586/nmbd
> > udp        0      0 0.0.0.0:138             0.0.0.0:*                           5586/nmbd
> >
> > wbinfo --ping-dc
> > checking the NETLOGON for domain[INTERNAL] dc connection to
> > "dc01.internal.test-server.lan" succeeded
>
> How did that succeed if your dns domain is now 'internal.test-server.lan'?
>
> >
> > getent passwd INTERNAL\\username (Nothing)
> > getent group "INTERNAL\\Domain Users" (Nothing)
>
> Are the winbind links set up correctly and is 'winbind' set on the
> 'passwd' & 'group' lines in /etc/nsswitch.conf ?
>
> Rowland
>
>
>
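An offline checker for the member-side mistakes this thread walks through (a host name used as the resolv.conf search suffix, an fqdn missing its domain in /etc/hosts, no winbind on the passwd/group lines of nsswitch.conf), plus the /24 reverse-zone arithmetic behind the samba-tool PTR command. It is an added example, not code from the thread or from the Samba project; the hostnames, IPs and file contents are constructed to mirror the before/after state above, and the file paths are parameters so it never reads the live system.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks for the member
# server configuration discussed above. File paths are passed in, so the
# checks can run against constructed copies instead of the real /etc files.

# ptr_args IPV4 -> "ZONE NAME" as samba-tool dns add expects for a /24 zone,
# e.g. 10.0.0.13 -> "0.0.10.in-addr.arpa 13".
ptr_args() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa %s\n", $3, $2, $1, $4 }'
}

# check_member_config HOST DOMAIN IP HOSTS_FILE RESOLV_FILE NSSWITCH_FILE
# Prints one line per problem found; returns 0 when clean, 1 otherwise.
check_member_config() {
    host=$1 domain=$2 ip=$3 hosts=$4 resolv=$5 nss=$6
    fqdn="$host.$domain"; rc=0
    # resolv.conf: the search suffix must be the DNS domain, not a host name.
    search=$(awk '$1=="search" { print $2 }' "$resolv")
    [ "$search" = "$domain" ] ||
        { echo "resolv.conf: search is '$search', expected '$domain'"; rc=1; }
    # /etc/hosts: the member's IP must map to its full fqdn as the first name.
    hosts_fqdn=$(awk -v ip="$ip" '$1==ip { print $2 }' "$hosts")
    [ "$hosts_fqdn" = "$fqdn" ] ||
        { echo "hosts: $ip maps to '$hosts_fqdn', expected '$fqdn'"; rc=1; }
    # nsswitch.conf: 'winbind' must appear on passwd/group before any comment.
    for db in passwd group; do
        awk -v db="$db:" '$1==db { sub(/#.*/, ""); for (i=2; i<=NF; i++)
            if ($i=="winbind") ok=1 } END { exit (ok ? 0 : 1) }' "$nss" ||
            { echo "nsswitch.conf: '$db' line lacks winbind"; rc=1; }
    done
    return $rc
}

# Constructed sample files: 'bad' mirrors the thread's initial state,
# 'good' the corrected one (hostnames and IPs copied from the thread).
write_samples() {
    d=$1; mkdir -p "$d/bad" "$d/good"
    printf '127.0.0.1 localhost\n10.0.0.10 fs01.internal.test-server fs01\n' > "$d/bad/hosts"
    printf 'nameserver 10.0.0.13\nsearch dc01.internal.test-server.lan\n' > "$d/bad/resolv.conf"
    printf 'passwd: files systemd\ngroup:  files systemd\n' > "$d/bad/nsswitch.conf"
    printf '127.0.0.1 localhost\n10.0.0.10 fs01.internal.test-server.lan fs01\n' > "$d/good/hosts"
    printf 'nameserver 10.0.0.13\nsearch internal.test-server.lan\n' > "$d/good/resolv.conf"
    printf 'passwd: files winbind #systemd\ngroup:  files winbind #systemd\n' > "$d/good/nsswitch.conf"
}
```

Run `write_samples /tmp/x` and then `check_member_config fs01 internal.test-server.lan 10.0.0.10 /tmp/x/bad/hosts /tmp/x/bad/resolv.conf /tmp/x/bad/nsswitch.conf` to see all four findings; the same call against the `good` copies prints nothing and exits 0.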
