[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.

Matthew Schumacher matt.s at aptalaska.net
Thu Jun 9 13:48:08 UTC 2022


On 6/8/22 11:19 PM, Rowland Penny via samba wrote:
> On Wed, 2022-06-08 at 16:05 -0700, Matthew Schumacher via samba wrote:
>> I took some time to recompile and test out.  This page
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>> suggests you call kinit before you join the domain but kinit is from
>> my OS now since kerberos is internal.  I think this might have something
>> to do with the next error which is I can't join the domain with
>> "--dns-backend=BIND9_DLZ"
>>
>> I get the following:
>>
>> root at auth:/var/lib/samba/private# samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ --server masterdc
>> Password for [ADMIN\administrator]:
>> INFO 2022-06-08 21:58:18,008 pid:750 /usr/lib64/python3.9/site-packages/samba/join.py #1527: workgroup is ADMIN
>> INFO 2022-06-08 21:58:18,008 pid:750 /usr/lib64/python3.9/site-packages/samba/join.py #1530: realm is admin.domain.net
>> Adding CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
>> Adding CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
>> Adding CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
>> Adding SPNs to CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
>> Setting account password for AUTH$
>> Enabling account
>> Adding DNS account CN=dns-AUTH,CN=Users,DC=admin,DC=domain,DC=net with dns/ SPN
>> Join failed - cleaning up
>> Deleted CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
>> Deleted CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
>> Deleted CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
>> ERROR(ldb): uncaught exception - LDAP error 80 LDAP_OTHER - <00000523: SysErr: DSID-031A1255, problem 22 (Invalid argument), data 0
>>   > <>
>>     File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
>>       return self.run(*args, **kwargs)
>>     File "/usr/lib64/python3.9/site-packages/samba/netcmd/domain.py", line 702, in run
>>       join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
>>     File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1543, in join_DC
>>       ctx.do_join()
>>     File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1431, in do_join
>>       ctx.join_add_objects()
>>     File "/usr/lib64/python3.9/site-packages/samba/join.py", line 780, in join_add_objects
>>       ctx.samdb.add(msg)
>>
>> <snip>
> It sounds like you are running Samba as an AD DC using the dns domain
> 'domain.net' and it also sounds like you are running a MIT kdc using
> the same dns domain.
>
> If this is the case, choose one (preferably the MIT kdc) and turn it
> off.
>
> Rowland
>
>
>
Thanks for the reply Rowland.

I'm not using the MIT kdc (or at least it's not configured). I noticed
that if I put a krb5.conf in the samba/private directory it will join
the domain, but that is moot since it doesn't appear to use the external
DNS server, which is the same result as if I omitted
"--dns-backend=BIND9_DLZ". Basically I can't get samba to join a
domain using the bind9 dns server without getting:

ERROR(ldb): uncaught exception - LDAP error 80 LDAP_OTHER - <00000523: SysErr: DSID-031A1255, problem 22 (Invalid argument), data 0

The DNS server is built against the system's MIT kerberos implementation,
so I'm assuming this is the issue. Can you confirm? If that's the case,
what are my options?

What do most people do?  Just use the internal DNS server too?

Thanks again
Matt


