[Samba] Joining a samba ad dc domain from another samba installatio

François Legal devel at thom.fr.eu.org
Tue May 3 20:00:52 UTC 2022


On Monday, May 02, 2022 12:02 CEST, Rowland Penny via samba <samba at lists.samba.org> wrote:
 
> On Mon, 2022-05-02 at 10:47 +0200, François Legal wrote:
> > On Friday, April 29, 2022 09:23 CEST, Rowland Penny via samba <samba at lists.samba.org> wrote:
> >  
> > > On Fri, 2022-04-29 at 09:09 +0200, François Legal via samba wrote:
> > > > On Wednesday, April 27, 2022 22:57 CEST, François Legal via samba <samba at lists.samba.org> wrote:
> > > >  
> > > > > On Tuesday, April 26, 2022 11:10 CEST, Rowland Penny via samba <samba at lists.samba.org> wrote:
> > > > >  
> > > > > > On Tue, 2022-04-26 at 10:36 +0200, François Legal via samba wrote:
> > > > > > > On Monday, April 25, 2022 15:24 CEST, Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
> > > > > > >  
> > > > > > > > On Mon, Apr 25, 2022 at 7:13 AM François Legal via samba <samba at lists.samba.org> wrote:
> > > > > > > > > samba-tool domain join [my samba domain] DC -k yes --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'
> > > > > > > > > INFO 2022-04-25 10:41:04,952 pid:374 /usr/lib/python3/dist-packages/samba/join.py #107: Finding a writeable DC for domain '[my samba domain]'
> > > > > > > > > INFO 2022-04-25 10:41:04,973 pid:374 /usr/lib/python3/dist-packages/samba/join.py #109: Found DC  [my-dc].[my samba domain]
> > > > > > > > > ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: 00002020: Operation unavailable without authentication
> > > > > > > > > 
> > > > > > > > 
> > > > > > > > I see you used "-k yes". Did you confirm that you have a valid Kerberos TGT
> > > > > > > > for a Domain Admin account? (Run "kinit" to get a ticket and "klist" to check.)
> > > > > > >  
> > > > > > > Yes. I’ve kinit administrator@[my realm], the ticket shows out in klist afterwards.
> > > > > > > But either using -U administrator (for which no password is requested),
> > > > > > > either --krb5-ccache=/tmp/krb5cc_0 produce the same result
> > > > > > > 
> > > > > > > François
> > > > > > 
> > > > > > Provided that krb5.conf and DNS are set up correctly, you should just
> > > > > > run 'kinit administrator' to get a ticket.
> > > > > > I take it that you are doing this as root.
> > > > > > 
> > > > > > Rowland
> > > > > > 
> > > > > 
> > > > > Yes, krb5.conf is setup correctly, dns resolver too. KDC is discovered
> > > > > through NS requests successfully, kinit & samba-tool run as root.
> > > > > 
> > > > > François
> > > > > 
> > > > 
> > > > Just to make sure :
> > > > 
> > > > root@[my new dc hostname]:~# more /etc/krb5.conf 
> > > > [libdefaults]
> > > > 	default_realm = [my realm]
> > > > 	dns_lookup_realm = false
> > > > 	dns_lookup_kdc = false
> > > > 
> > > > [realms]
> > > > 	[my realm] = {
> > > > 	kdc = [my dc ip]
> > > > 	}
> > > 
> > > Good job you did, it is wrong :-)
> > > 
> > > Try it like this:
> > > 
> > > [libdefaults]
> > >     default_realm = [my realm]
> > >     dns_lookup_realm = false
> > >     dns_lookup_kdc = true
> > > 
> > > Rowland
> > > 
> > > 
> > 
> > Correct. I tried with the same result.
> > 
> > François
> 
> OK, go here:
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
> 
> Run it on your unix domain member and post the output inline to this
> list.
> 
> Rowland
> 
> 
Here comes the output :
root@[new dc]:~# ./samba-collect-debug-info.sh 
Please wait, collecting debug info.
 
Password for Administrator@[my realm]: 
grep: : No such file or directory
Load smb config files from /etc/samba/smb.conf
Error loading services.
The debug info about your system can be found in this file: /tmp/samba-debug-info.txt
Please check this and if required, sanitise it.
Then copy & paste it into an  email to the samba list
Do not attach it to the email, the Samba mailing list strips attachments.
root@tls-srv-03:~# more /tmp/samba-debug-info.txt
Collected config  --- 2022-05-03-18:05 -----------

Hostname: [new dc]
DNS Domain: [my domain]
FQDN: [new dc].[my domain]
ipaddress: 192.168.1.210 

-----------

Kerberos SRV _kerberos._tcp.[my domain] record verified ok, sample output: 
Server:		10.211.254.253
Address:	10.211.254.253#53

_kerberos._tcp.[my domain]	service = 0 100 88 [my current dc].[my domain].
Samba is not being run as a DC or a Unix domain member.

-----------
       Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 11.3 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:bd:bb:3a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.210/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::216:3eff:febd:bb3a/64 scope link 

-----------
       Checking file: /etc/hosts

127.0.0.1    localhost
192.168.1.210    [new dc].[my domain] [new dc]
10.211.254.253	[current dc].[my domain]	[current dc]

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

-----------

       Checking file: /etc/resolv.conf

nameserver 10.211.254.253
search [my domain]

-----------

       Checking file: /etc/krb5.conf

[libdefaults]
	default_realm = [my realm]
	dns_lookup_realm = false
	dns_lookup_kdc = true

[realms]
	[my realm] = {
	kdc = 10.211.254.253
	}

-----------

       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files
group:          files
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

    Warning,  does not exist

-----------


Installed packages:
ii  krb5-config                 2.6+nmu1                     all          Configuration files for Kerberos Version 5
ii  krb5-user                   1.18.3-6+deb11u1             amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64               2.2.53-10                    amd64        access control list - shared library
ii  libattr1:amd64              1:2.4.48-6                   amd64        extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64      1.18.3-6+deb11u1             amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64             1.18.3-6+deb11u1             amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64       1.18.3-6+deb11u1             amd64        MIT Kerberos runtime libraries - Support library
ii  libwbclient0:amd64          2:4.13.13+dfsg-1~deb11u3     amd64        Samba winbind client library
ii  python3-samba               2:4.13.13+dfsg-1~deb11u3     amd64        Python 3 bindings for Samba
ii  samba                       2:4.13.13+dfsg-1~deb11u3     amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                2:4.13.13+dfsg-1~deb11u3     all          common files used by both the Samba server and client
ii  samba-common-bin            2:4.13.13+dfsg-1~deb11u3     amd64        Samba common files used by both the server and the client
ii  samba-libs:amd64            2:4.13.13+dfsg-1~deb11u3     amd64        Samba core libraries


I also tried to paste the [global] section of my current DC smb.conf to my new DC smb.conf, changing the netbios name, but that did not help.
I also checked the time synchronisation, which is good.

François
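
Added example, not part of the original thread and not Samba project code: a check of how MIT Kerberos will locate the KDC for a given krb5.conf, covering both variants discussed above. Listed `kdc` entries for the realm take precedence, and DNS SRV lookup is used only when none are listed; the realm SAMDOM.EXAMPLE.COM, the address 192.0.2.10 and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: how will MIT Kerberos locate the KDC for the default realm?
# Realm name and address used below are constructed.

# awk helpers: trim(), kv() splits "key = value" into K and V; skip comments.
AWK_LIB='function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
function kv(line) { n = index(line, "="); if (!n) return 0
  K = trim(substr(line, 1, n - 1)); V = trim(substr(line, n + 1)); return 1 }
/^[ \t]*[#;]/ { next }'

# krb5_libdefault FILE KEY: print KEY from [libdefaults], nothing if unset.
krb5_libdefault() {
    awk -v key="$2" "$AWK_LIB"'
    /^[ \t]*\[[a-z_]+\][ \t]*$/ { on = ($0 ~ /\[libdefaults\]/); next }
    on && kv($0) && K == key { print V; exit }' "$1"
}

# krb5_static_kdcs FILE REALM: print every "kdc =" inside "REALM = { ... }".
krb5_static_kdcs() {
    awk -v realm="$2" "$AWK_LIB"'
    /^[ \t]*\[[a-z_]+\][ \t]*$/ { on = ($0 ~ /\[realms\]/); inr = 0; next }
    on && !inr { if (kv($0) && K == realm && substr(V, 1, 1) == "{") inr = 1; next }
    inr && index($0, "}") { inr = 0; next }
    inr && kv($0) && K == "kdc" { print V }' "$1"
}

# kdc_locator FILE: listed kdc entries win; DNS SRV is used only without them.
kdc_locator() {
    realm=$(krb5_libdefault "$1" default_realm)
    [ -n "$realm" ] || { echo "error: no default_realm"; return 1; }
    kdcs=$(krb5_static_kdcs "$1" "$realm" | tr '\n' ' ')
    dns=$(krb5_libdefault "$1" dns_lookup_kdc | tr 'A-Z' 'a-z')
    if [ -n "$kdcs" ]; then echo "static: ${kdcs% }"; return 0; fi
    case "$dns" in
        false|no|off|0|n|nil) echo "none: no kdc listed, DNS lookup off"; return 1 ;;
        *) echo "dns-srv: _kerberos._udp.$realm _kerberos._tcp.$realm" ;;  # true, or unset (assumed default: on)
    esac
}

# Constructed sample: dns_lookup_kdc = true together with a listed kdc.
demo() {
    f=$(mktemp)
    printf '%s\n' '[libdefaults]' '    default_realm = SAMDOM.EXAMPLE.COM' \
        '    dns_lookup_kdc = true' '[realms]' '    SAMDOM.EXAMPLE.COM = {' \
        '    kdc = 192.0.2.10' '    }' > "$f"
    kdc_locator "$f"; rm -f "$f"
}
demo
```

For a file shaped like the final /etc/krb5.conf in the post, which sets both `dns_lookup_kdc = true` and a `kdc =` entry, this logic reports the static entry.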



