[Samba] Domain join not happening on Debian/Ubuntu machines

Sac Isilia udaypratap.singh65 at gmail.com
Thu Apr 28 17:31:57 UTC 2022


Hi Team,

Your question is correct. We are using media domain account whereas we wish
to join the server in AP-MEDIA domain. I explained the same thing to my AD
team to give us the service account in AP-MEDIA domain. But their rational
argument is that when we join using media\svc_domjoin02 it is resolving to
AP.MEDIA.GLOBAL.LOC as I posted in the above mail in the "net ads join"
output.

root@cngzh1dnl01:~# net ads join -U media\\svc_domjoin02
Enter media\svc_domjoin02's password:
kerberos_kinit_password *svc_domjoin02@AP.MEDIA.GLOBAL.LOC* failed: Client not found in Kerberos database  --> This line which is resolving to AP.MEDIA.GLOBAL.LOC
Failed to join domain: failed to connect to AD: Client not found in Kerberos database

Can you provide us a technical justification for why the server will not
join with the media domain account? My initial question was the same - the
MEDIA domain account joins the RHEL machines in the other domain, however that
fails with Debian/Ubuntu machines. According to you - creating the service
account in AP-MEDIA domain to join the server will only resolve the issue.
If yes, then what is the technical concept behind this?

Regards
Sachin Kumar


On Thu, Apr 28, 2022 at 6:21 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Thu, 2022-04-28 at 17:52 +0100, Sac Isilia via samba wrote:
> > Hi Team,
> >
> > I have done all the settings as mentioned but still the domain join
> > via
> > winbind fails.
> >
> > root@cngzh1dnl01:~# net ads join -U media\\svc_domjoin02
>
> You posted this:
> workgroup = AP-MEDIA
>
> So why are you using the user 'media\\svc_domjoin02' to join to the
> 'AP-MEDIA' domain? The user 'media\\svc_domjoin02' appears to be
> from another domain.
>
> > Enter media\svc_domjoin02's password:
> > kerberos_kinit_password svc_domjoin02@AP.MEDIA.GLOBAL.LOC failed: Client not found in Kerberos database
> > Failed to join domain: failed to connect to AD: Client not found in Kerberos database
>
> This is probably because the user is unknown to the domain.
>
> >
> > Also as quoted above - "If you are going to use multiple domains, you
> > will
> > need to use
> > 'trusts'." - How to do the same ?
>
> Try reading these:
> https://wiki.samba.org/index.php/Active_Directory_Trusts
> https://wiki.samba.org/index.php/Samba4/Linking_AD_and_unix_directories
>
> However, there isn't really much on the Samba wiki and I don't use
> trusts (I once set up a POC forest, but this was way back at Samba
> 4.9.x). Is there anyone using trusts that could help here?
>
> Rowland