[Samba] Unable to join domain

Rob Campbell robcampbell08105 at gmail.com
Wed Oct 13 02:15:16 UTC 2021


> Are the winbind links set up correctly and is 'winbind' set on the
> 'passwd' & 'group' lines in /etc/nsswitch.conf ?

I didn't compile winbind so I didn't think I needed to do any symlinks but
this is what it is:
la /usr/lib64/libnss_winbind.so /usr/lib64/libnss_winbind.so.2
lrwxrwxrwx. 1 root root  19 Aug 25 11:35 /usr/lib64/libnss_winbind.so -> libnss_winbind.so.2
-rwxr-xr-x. 1 root root 16K Aug 25 11:35 /usr/lib64/libnss_winbind.so.2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.


On Tue, Oct 12, 2021 at 5:25 PM Rob Campbell <robcampbell08105 at gmail.com>
wrote:

> >> 10.0.0.13 dc01.internal.test-server dc01
>
> > I hope that is a typo, the fqdn has lost the '.lan' from the end
>
> It was. It was just a copy and paste but maybe when I was editing the
> email I removed it by accident.  It is correct in the actual file.
>
> >> search dc01.internal.test-server.lan
>
> > No, your dns domain is 'internal.test-server.lan' so the line should be:
> > search internal.test-server.lan
>
> I did make this change during my troubleshooting while waiting for a
> response.  Previously, DC01 was the subdomain [incorrectly] and I didn't
> remove it when I made the changes.
>
> >> winbind enum users = yes
> >> winbind enum groups = yes
>
> > I would remove the two lines above, you do not need them and they just
> > slow things down.
>
> Yes. It said that in the wiki but I thought it would provide some info if
> there were a problem since it said only use for testing purposes.
>
> >> krb5.conf:
> >> [libdefaults]
> >> default_realm = INTERNAL.TEST-SERVER.LAN
> >> dns_lookup_realm = true
> >> dns_lookup_kdc = true
>
> > As the DC, you only need the lines above
>
> This is on the FS (file server, the one I'm joining as a member).  Should
> it still only be these lines?
>
> >> net ads join -U administrator
> >> Enter administrator's password:
> >> Using short domain name -- INTERNAL
> >> Joined 'FS01' to dns domain 'internal.test-server.lan'
> >> DNS Update for fs01.internal.test-server.lan failed:
> >> ERROR_DNS_UPDATE_FAILED
>
> > How did that succeed if your dns domain is now
> > 'internal.test-server.lan' ?
>
> Not sure but maybe because fs01.internal.test-server.lan and
> internal.test-server.lan resolve to the same IP?
>
> > Are the winbind links set up correctly and is 'winbind' set on the
> > 'passwd' & 'group' lines in /etc/nsswitch.conf ?
>
> passwd:     files winbind #systemd
> group:      files winbind #systemd
>
> I just commented out systemd and now I get a response
>
> getent group "INTERNAL\\Domain Users"
> domain users:x:110513:
>
> Still something is wrong with dns.  I'm not able to resolve from DC01 to
> FS01 but I can the other way.
>
> net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- INTERNAL
> Joined 'FS01' to dns domain 'internal.test-server.lan'
> DNS Update for fs01.internal.test-server.lan failed:
> ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> On DC01 I had to do this to get reverse lookups to work:
> samba-tool dns add internal.test-server.lan 0.0.10.in-addr.arpa 13 PTR internal.test-server.lan
>
> If I try something similar on FS01, it complains about port 135 refusing.
> Samba isn't running on FS01 as it is on DC01.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In all things, Be Intentional.
>
>
> On Tue, Oct 12, 2021 at 2:18 PM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Tue, 2021-10-12 at 13:38 -0400, Rob Campbell via samba wrote:
>> > *Debian server first DC: DC01*
>> >
>> > hostname: DC01
>> >
>> > /etc/hosts:
>> > 127.0.0.1 localhost
>> > 10.0.0.13 dc01.internal.test-server dc01
>>
>> I hope that is a typo, the fqdn has lost the '.lan' from the end
>>
>> >
>> >
>> >
>> >
>> > krb5.conf:
>> > [libdefaults]
>> > default_realm = INTERNAL.TEST-SERVER.LAN
>> > dns_lookup_realm = false
>> > dns_lookup_kdc = true
>> >
>> > [realms]
>> > INTERNAL.TEST-SERVER.LAN = {
>> > default_domain = internal.test-server.lan
>> > }
>> >
>> > [domain_realm]
>> > DC01 = INTERNAL.TEST-SERVER.LAN
>> >
>>
>> You only need the first four lines and the '[domain_realm]' is totally
>> wrong anyway.
>>
>> > ========================================
>> > *Fedora first file server: FS01*
>> >
>> > smb.conf:
>> > [global]
>> > workgroup = INTERNAL
>> > security = ADS
>> > realm = INTERNAL.TEST-SERVER.LAN
>> >
>> > winbind refresh tickets = Yes
>> > vfs objects = acl_xattr
>> > map acl inherit = Yes
>> > store dos attributes = Yes
>> > idmap config * : backend = autorid
>> > idmap config * : range = 10000-24999999
>> >
>> > dedicated keytab file = /etc/krb5.keytab
>> > kerberos method = secrets and keytab
>> > winbind use default domain = yes
>> > winbind enum users = yes
>> > winbind enum groups = yes
>>
>> I would remove the two lines above, you do not need them and they just
>> slow things down.
>>
>> > winbind separator = +
>> >
>> > load printers = no
>> > printing = bsd
>> > printcap name = /dev/null
>> > disable spoolss = yes
>> >
>> > username map = /etc/samba/usermap.txt
>> >
>> > krb5.conf:
>> > [libdefaults]
>> > default_realm = INTERNAL.TEST-SERVER.LAN
>> > dns_lookup_realm = true
>> > dns_lookup_kdc = true
>>
>> As the DC, you only need the lines above
>>
>> >
>> > /etc/hosts:
>> > 127.0.0.1   localhost
>> > ::1         localhost
>> > 10.0.0.10 fs01.internal.test-server.lan fs01
>> >
>> > hostname: FS01
>> >
>> > resolv.conf:
>> > # Generated by NetworkManager
>> > nameserver 10.0.0.13
>> > search dc01.internal.test-server.lan
>>
>> No, your dns domain is 'internal.test-server.lan' so the line should
>> be:
>> search internal.test-server.lan
>>
>> >
>> > I'm sure there may be some things not quite right with smb.conf but I've
>> > been trying things online since the default didn't work.  I get the same
>> > reply when trying to join the domain:
>> > net ads join -U administrator
>> > Enter administrator's password:
>> > Using short domain name -- INTERNAL
>> > Joined 'FS01' to dns domain 'internal.test-server.lan'
>> > DNS Update for fs01.internal.test-server.lan failed:
>> > ERROR_DNS_UPDATE_FAILED
>>
>> That is because you still have problems in your dns
>>
>> > DNS update failed: NT_STATUS_UNSUCCESSFUL
>> >
>> > netstat -tulpn | egrep 'samba|nmb|smb|bind'
>> > tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      5585/smbd
>> > tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      5585/smbd
>> > tcp6       0      0 :::445                  :::*                    LISTEN      5585/smbd
>> > tcp6       0      0 :::139                  :::*                    LISTEN      5585/smbd
>> > udp        0      0 10.0.0.255:137          0.0.0.0:*                           5586/nmbd
>> > udp        0      0 10.0.0.10:137           0.0.0.0:*                           5586/nmbd
>> > udp        0      0 0.0.0.0:137             0.0.0.0:*                           5586/nmbd
>> > udp        0      0 10.0.0.255:138          0.0.0.0:*                           5586/nmbd
>> > udp        0      0 10.0.0.10:138           0.0.0.0:*                           5586/nmbd
>> > udp        0      0 0.0.0.0:138             0.0.0.0:*                           5586/nmbd
>> >
>> > wbinfo --ping-dc
>> > checking the NETLOGON for domain[INTERNAL] dc connection to "dc01.internal.test-server.lan" succeeded
>>
>> How did that succeed if your dns domain is now
>> 'internal.test-server.lan' ?
>>
>> >
>> > getent passwd INTERNAL\\username (Nothing)
>> > getent group "INTERNAL\\Domain Users" (Nothing)
>>
>> Are the winbind links set up correctly and is 'winbind' set on the
>> 'passwd' & 'group' lines in /etc/nsswitch.conf ?
>>
>> Rowland
>
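
The three file checks raised in this thread (the FQDN in /etc/hosts, the `search` line in resolv.conf, `winbind` in nsswitch.conf), as an added example that is not part of the original messages and is not Samba tooling. `check_member` and `_lines` are hypothetical names; the sample inputs are the FS01 file contents quoted in the thread.

```python
# Added example: consistency check over the files discussed in this thread.
# check_member() and _lines() are hypothetical helpers, not Samba tooling.

def _lines(text):
    """Return non-empty lines with '#' comments stripped."""
    stripped = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [line for line in stripped if line]

def check_member(realm, hostname, hosts, resolv, nsswitch):
    """Return a list of findings; an empty list means the files agree."""
    domain, short = realm.lower(), hostname.lower()
    fqdn = f"{short}.{domain}"
    findings = []

    # /etc/hosts: the host's own entry must read '<ip> <fqdn> <short name>'.
    entries = [line.lower().split() for line in _lines(hosts)]
    if not any(e[1:3] == [fqdn, short] for e in entries):
        findings.append(f"hosts: no '<ip> {fqdn} {short}' entry")

    # resolv.conf: 'search' must name the DNS domain, not a host inside it.
    searched = [w.lower() for line in _lines(resolv)
                if line.split()[0] == "search" for w in line.split()[1:]]
    if domain not in searched:
        findings.append(f"resolv.conf: search should be '{domain}'")

    # nsswitch.conf: winbind must be a source for both passwd and group.
    for db in ("passwd", "group"):
        sources = [w for line in _lines(nsswitch)
                   if line.partition(":")[0].strip() == db
                   for w in line.partition(":")[2].split()]
        if "winbind" not in sources:
            findings.append(f"nsswitch.conf: '{db}' lacks winbind")
    return findings

# Sample inputs copied from the FS01 files quoted in the thread.
REALM = "INTERNAL.TEST-SERVER.LAN"
FS01_HOSTS = ("127.0.0.1   localhost\n::1         localhost\n"
              "10.0.0.10 fs01.internal.test-server.lan fs01\n")
FS01_RESOLV = ("# Generated by NetworkManager\nnameserver 10.0.0.13\n"
               "search dc01.internal.test-server.lan\n")
NSSWITCH = "passwd:     files winbind #systemd\ngroup:      files winbind #systemd\n"

if __name__ == "__main__":
    for finding in check_member(REALM, "FS01", FS01_HOSTS, FS01_RESOLV, NSSWITCH):
        print(finding)
```

On the FS01 files as first posted, the only finding is the `search` line; the DC01 hosts entry without `.lan` is reported by the first check.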

