[Samba] Joining a samba ad dc domain from another samba installatio

Rowland Penny rpenny at samba.org
Mon May 2 10:02:36 UTC 2022


On Mon, 2022-05-02 at 10:47 +0200, François Legal wrote:
> On Friday, April 29, 2022 09:23 CEST, Rowland Penny via samba <samba at lists.samba.org> wrote:
>  
> > On Fri, 2022-04-29 at 09:09 +0200, François Legal via samba wrote:
> > > On Wednesday, April 27, 2022 22:57 CEST, François Legal via samba <samba at lists.samba.org> wrote:
> > >  
> > > > On Tuesday, April 26, 2022 11:10 CEST, Rowland Penny via samba <samba at lists.samba.org> wrote:
> > > >  
> > > > > On Tue, 2022-04-26 at 10:36 +0200, François Legal via samba wrote:
> > > > > > On Monday, April 25, 2022 15:24 CEST, Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
> > > > > >  
> > > > > > > On Mon, Apr 25, 2022 at 7:13 AM François Legal via samba <samba at lists.samba.org> wrote:
> > > > > > > > samba-tool domain join [my samba domain] DC -k yes --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'
> > > > > > > > INFO 2022-04-25 10:41:04,952 pid:374 /usr/lib/python3/dist-packages/samba/join.py #107: Finding a writeable DC for domain '[my samba domain]'
> > > > > > > > INFO 2022-04-25 10:41:04,973 pid:374 /usr/lib/python3/dist-packages/samba/join.py #109: Found DC  [my-dc].[my samba domain]
> > > > > > > > ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: 00002020: Operation unavailable without authentication
> > > > > > > > 
> > > > > > > 
> > > > > > > I see you used "-k yes". Did you confirm that you have a valid Kerberos TGT for a Domain Admin account? (Run "kinit" to get a ticket and "klist" to check.)
> > > > > >  
> > > > > > Yes. I’ve kinit administrator@[my realm], the ticket shows up in klist afterwards.
> > > > > > But using either -U administrator (for which no password is requested) or --krb5-ccache=/tmp/krb5cc_0 produces the same result.
> > > > > > 
> > > > > > François
> > > > > 
> > > > > Provided that krb5.conf and DNS are set up correctly, you should just run 'kinit administrator' to get a ticket.
> > > > > I take it that you are doing this as root.
> > > > > 
> > > > > Rowland
> > > > > 
> > > > 
> > > > Yes, krb5.conf is set up correctly, dns resolver too. KDC is discovered through NS requests successfully, kinit & samba-tool run as root.
> > > > 
> > > > François
> > > > 
> > > 
> > > Just to make sure :
> > > 
> > > root@[my new dc hostname]:~# more /etc/krb5.conf 
> > > [libdefaults]
> > > 	default_realm = [my realm]
> > > 	dns_lookup_realm = false
> > > 	dns_lookup_kdc = false
> > > 
> > > [realms]
> > > 	[my realm] = {
> > > 	kdc = [my dc ip]
> > > 	}
> > 
> > Good job you did, it is wrong :-)
> > 
> > Try it like this:
> > 
> > [libdefaults]
> >     default_realm = [my realm]
> >     dns_lookup_realm = false
> >     dns_lookup_kdc = true
> > 
> > Rowland
> > 
> > 
> 
> Correct. I tried with the same result.
> 
> François

OK, go here:
https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh

Run it on your unix domain member and post the output inline to this
list.

Rowland
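
The two krb5.conf variants exchanged in the quoted messages above can be compared mechanically. The following is an added example, not part of the original thread or of Samba; the realm name, the KDC address and the function names are assumptions made for illustration.

```python
import re
# [libdefaults] values from the file suggested in the thread.
SUGGESTED = {"dns_lookup_realm": "false", "dns_lookup_kdc": "true"}
# Constructed samples: realm name and KDC address are placeholders.
POSTED = """[libdefaults]
\tdefault_realm = SAMDOM.EXAMPLE.COM
\tdns_lookup_realm = false
\tdns_lookup_kdc = false

[realms]
\tSAMDOM.EXAMPLE.COM = {
\tkdc = 192.0.2.10
\t}
"""
SUGGESTED_FILE = """[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}}; a nested { } block is kept as its key only."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            current = sections.setdefault(header.group(1), {})
        elif line.startswith("}"):
            depth = max(depth - 1, 0)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if depth == 0:
                current[key] = "{block}" if value.endswith("{") else value
            depth += value.endswith("{")
    return sections

def check_for_join(text):
    """Return differences from the suggested file; an empty list means none."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    findings = [] if "default_realm" in lib else ["default_realm is not set"]
    for key, want in SUGGESTED.items():
        if lib.get(key, "").lower() != want:
            findings.append(f"{key} = {lib.get(key, '<unset>')}, suggested: {want}")
    findings += [f"[realms] entry for {r}; suggested file has none" for r in conf.get("realms", {})]
    return findings
```

Calling check_for_join on the contents of /etc/krb5.conf lists each line that differs from the suggested file.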




