[Samba] Joining a samba ad dc domain from another samba installation
François Legal
devel at thom.fr.eu.org
Fri Apr 29 07:09:34 UTC 2022
On Wednesday, April 27, 2022 22:57 CEST, François Legal via samba <samba at lists.samba.org> wrote:
> On Tuesday, April 26, 2022 11:10 CEST, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Tue, 2022-04-26 at 10:36 +0200, François Legal via samba wrote:
> > > On Monday, April 25, 2022 15:24 CEST, Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
> > >
> > > > On Mon, Apr 25, 2022 at 7:13 AM François Legal via samba <samba at lists.samba.org> wrote:
> > > >
> > > > > samba-tool domain join [my samba domain] DC -k yes --dns-
> > > > > backend=BIND9_DLZ
> > > > > --option='idmap_ldb:use rfc2307 = yes'
> > > > > INFO 2022-04-25 10:41:04,952 pid:374
> > > > > /usr/lib/python3/dist-packages/samba/join.py #107: Finding a
> > > > > writeable DC
> > > > > for domain '[my samba domain]'
> > > > > INFO 2022-04-25 10:41:04,973 pid:374
> > > > > /usr/lib/python3/dist-packages/samba/join.py #109: Found DC [my-
> > > > > dc].[my
> > > > > samba domain]
> > > > > ERROR(<class 'samba.join.DCJoinException'>): uncaught exception -
> > > > > Can't
> > > > > join, error: 00002020: Operation unavailable without
> > > > > authentication
> > > > >
> > > >
> > > > I see you used "-k yes". Did you confirm that you have a valid
> > > > Kerberos TGT
> > > > for a Domain Admin account? (Run "kinit" to get a ticket and
> > > > "klist" to
> > > > check.)
> > >
> > > Yes. I've run kinit administrator@[my realm], and the ticket shows up in
> > > klist afterwards.
> > > But using either -U administrator (for which no password is
> > > requested) or --krb5-ccache=/tmp/krb5cc_0 produces the same
> > > result.
> > >
> > > François
> >
> > Provided that krb5.conf and DNS are set up correctly, you should just
> > run 'kinit administrator' to get a ticket.
> > I take it that you are doing this as root.
> >
> > Rowland
> >
>
> Yes, krb5.conf is set up correctly, DNS resolver too. The KDC is discovered through NS requests successfully; kinit & samba-tool are run as root.
>
> François
>
Just to make sure:
root@[my new dc hostname]:~# more /etc/krb5.conf
[libdefaults]
    default_realm = [my realm]
    dns_lookup_realm = false
    dns_lookup_kdc = false
[realms]
    [my realm] = {
        kdc = [my dc ip]
    }
root@[my new dc hostname]:~# kinit administrator
Password for administrator@[my realm]:
root@[my new dc hostname]:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@[my realm]
Valid starting     Expires            Service principal
04/29/22 06:55:58  04/29/22 16:55:58  krbtgt/[my realm]@[my realm]
        renew until 04/30/22 06:55:52
root@[my new dc hostname]:~# samba-tool domain join [my domain] DC -k yes --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'
INFO 2022-04-29 06:56:14,025 pid:1974 /usr/lib/python3/dist-packages/samba/join.py #107: Finding a writeable DC for domain '[my domain]'
INFO 2022-04-29 06:56:14,044 pid:1974 /usr/lib/python3/dist-packages/samba/join.py #109: Found DC [my dc hostname].[my domain]
ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: 00002020: Operation unavailable without authentication
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 661, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1536, in join_DC
    ctx = DCJoinContext(logger, server, creds, lp, site, netbios_name,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 121, in __init__
    raise DCJoinException(estr)
root@[my new dc hostname]:~# samba-tool domain join [my domain] DC -U administrator --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'
INFO 2022-04-29 06:56:34,351 pid:1976 /usr/lib/python3/dist-packages/samba/join.py #107: Finding a writeable DC for domain '[my domain]'
INFO 2022-04-29 06:56:34,370 pid:1976 /usr/lib/python3/dist-packages/samba/join.py #109: Found DC [my dc hostname].[my domain]
ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: 00002020: Operation unavailable without authentication
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 661, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1536, in join_DC
    ctx = DCJoinContext(logger, server, creds, lp, site, netbios_name,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 121, in __init__
    raise DCJoinException(estr)
root@[my new dc hostname]:~#
François