[Samba] Unable to join domain I think.

Rob Campbell robcampbell08105 at gmail.com
Tue Sep 13 21:25:07 UTC 2022


[Tue Sep 13 17:07:54] [root at D01~$] net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- HOME
Joined 'D01' to dns domain 'home.rob-campbell.lan'
DNS Update for d01.home.rob-campbell.lan failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
[Tue Sep 13 17:11:12] [root at D01~$] net ads testjoin
Join is OK

There is an old thread that stopped (because I rebuilt my server and didn't
get back to this until now).

   - *To*: samba at xxxxxxxxxxxxxxx
   - *Subject*: Re: DNS Update Failing
   - *From*: Rowland Penny via samba <samba at xxxxxxxxxxxxxxx>
   - *Date*: Tue, 02 Nov 2021 17:08:09 +0000
   - *In-reply-to*: <CAHej=pX9sjuiDdHt=TUoT+zjSt7JFEB37b5LUK90=
   iZ6A4orWw at mail.gmail.com>
   - *Reply-to*: Rowland Penny <rpenny at xxxxxxxxx>
   - *User-agent*: Evolution 3.30.5-1.1

> Just a thought, have you added the reverse record ?
>
> Rowland

Isn't the PTR the reverse record?  I'm just asking because it appears
I am back to that same problem.  I don't have that email to continue
that chain.

[Tue Sep 13 17:16:55] [root at DC01/var/log/samba$] dig -x 10.0.0.9

; <<>> DiG 9.16.27-Debian <<>> -x 10.0.0.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20611
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;9.0.0.10.in-addr.arpa.		IN	PTR

;; ANSWER SECTION:
9.0.0.10.in-addr.arpa.	900	IN	PTR	dc02.HOME.ROB-CAMPBELL.LAN.

;; AUTHORITY SECTION:
0.0.10.in-addr.arpa.	3600	IN	SOA	DC01.home.rob-campbell.lan. hostmaster.home.rob-campbell.lan. 6 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 10.0.0.10#53(10.0.0.10)
;; WHEN: Tue Sep 13 17:17:00 EDT 2022
;; MSG SIZE  rcvd: 152

[Tue Sep 13 17:17:00] [root at DC01/var/log/samba$] dig -x 10.0.0.18

; <<>> DiG 9.16.27-Debian <<>> -x 10.0.0.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61778
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;18.0.0.10.in-addr.arpa.		IN	PTR

;; ANSWER SECTION:
18.0.0.10.in-addr.arpa.	900	IN	PTR	D01.HOME.ROB-CAMPBELL.LAN.

;; AUTHORITY SECTION:
0.0.10.in-addr.arpa.	3600	IN	SOA	DC01.home.rob-campbell.lan. hostmaster.home.rob-campbell.lan. 6 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 10.0.0.10#53(10.0.0.10)
;; WHEN: Tue Sep 13 17:17:05 EDT 2022
;; MSG SIZE  rcvd: 152


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.


On Tue, Sep 13, 2022 at 5:08 PM Rob Campbell <robcampbell08105 at gmail.com>
wrote:

>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In all things, Be Intentional.
>
>
> On Tue, Sep 13, 2022 at 4:33 PM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>>
>>
>> On 13/09/2022 21:22, Rob Campbell wrote:
>> > [Tue Sep 13 16:15:43] [*root at dc02~$*] net ads testjoin
>> > Join is OK
>>
>> If I remember correctly, DC02 is a Unix domain member, so that (from
>> info provided) appears to be working correctly.
>>
>> >
>> > [Tue Sep 13 16:19:14] [*root at D01~$*] net ads testjoin
>> > ads_connect: No logon servers are currently available to service the
>> > logon request.
>> > Join to domain is not valid: No logon servers are currently available to
>> > service the logon request.
>>
>> Can you go here:
>>
>> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>>
>> Download the script and run it on 'D01'
>> post the output here in a post, do not attach it, this list strips
>> attachments. Sanitise it you must.
>>
>
> [Tue Sep 13 17:04:30] [root at D01~$] samba-collect-debug-info.sh
>
> Please wait, collecting debug info.
>
> Password for Administrator at HOME.ROB-CAMPBELL.LAN:
> Warning: Your password will expire in 41 days on Tue 25 Oct 2022 12:47:59
> AM EDT
> Warning: No smb.conf found
>
>
> The debug info about your system can be found in this file:
> /tmp/samba-debug-info.txt
>
> Please check this and if required, sanitise it.
> Then copy & paste it into an  email to the samba list
> Do not attach it to the email, the Samba mailing list strips attachments.
>
> [Tue Sep 13 17:04:41] [root at D01~$] smbd -b | grep 'CONFIGFILE' | awk '{print $NF}'
> /etc/samba/smb.conf
> [Tue Sep 13 17:04:45] [root at D01~$] cat /etc/samba/smb.conf
> [global]
> security = ADS
> workgroup = HOME
> realm = HOME.ROB-CAMPBELL.LAN
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config * : backend = autorid
> idmap config * : range = 10000-9999999
> idmap config * : rangesize = 200000
>
> username map = /etc/samba/user.map
>
> template shell = /bin/bash
> template homedir = /home/%U
> [Tue Sep 13 17:04:47] [root at D01~$] cat /tmp/samba-debug-info.txt
> Config collected --- 2022-09-13-17:04 -----------
>
> Hostname:   D01
> DNS Domain: home.rob-campbell.lan
> Realm:      HOME.ROB-CAMPBELL.LAN
> FQDN:       d01.home.rob-campbell.lan
> ipaddress:  10.0.0.18 2600:4040:4666:f900::1406
>
> -----------
>
> This computer is running Debian 11.4 x86_64
>
> -----------
>
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
> default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: enp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN
> group default qlen 1000
>     link/ether c8:0a:a9:0e:93:23 brd ff:ff:ff:ff:ff:ff
> 3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UP group default qlen 1000
>     link/ether c4:17:fe:4e:1a:8b brd ff:ff:ff:ff:ff:ff
>     altname wlp2s0
>     inet 10.0.0.18/24 brd 10.0.0.255 scope global dynamic noprefixroute
> wlo1
>        valid_lft 83491sec preferred_lft 83491sec
>     inet6 2600:4040:4666:f900::1406/128 scope global dynamic noprefixroute
>        valid_lft 2359sec preferred_lft 559sec
>     inet6 fe80::7563:2b02:c335:1a7d/64 scope link noprefixroute
>
> -----------
>
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 10.0.0.18 d01.home.rob-campbell.lan d01
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> nameserver 10.0.0.10
> search HOME.ROB-CAMPBELL.LAN
>
> -----------
>
> Kerberos SRV _kerberos._tcp.home.rob-campbell.lan record(s) verified ok,
> sample output:
> Server: 10.0.0.10
> Address: 10.0.0.10#53
>
> _kerberos._tcp.home.rob-campbell.lan service = 0 100 88
> dc01.home.rob-campbell.lan.
>
> -----------
>
> 'kinit Administrator' checked successfully.
>
> -----------
>
> Samba is not being run as a DC or a Unix domain member.
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = HOME.ROB-CAMPBELL.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files winbind systemd sss
> group:          files winbind systemd sss
> shadow:         files sss
> gshadow:        files
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
> networks:       files
>
> protocols:      db files
> services:       db files sss
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis sss
> automount:      sss
>
> -----------
>
>
> Time on the DC with PDC Emulator role is: 2022-09-13T17:04:40
>
>
> Time on this computer is:                 2022-09-13T17:04:41
>
>
> Time verified ok, within the allowed 300sec margin.
> Time offset is currently : 0 seconds
>
> -----------
>
> Installed packages:
> ii  acl                                           2.2.53-10
>          amd64        access control list - utilities
> ii  attr                                          1:2.4.48-6
>         amd64        utilities for manipulating filesystem extended
> attributes
> ii  fonts-quicksand                               0.2016-2.1
>         all          sans-serif font with round attributes
> ii  kde-spectacle                                 20.12.3-1
>          amd64        Screenshot capture utility
> ii  krb5-config                                   2.6+nmu1
>         all          Configuration files for Kerberos Version 5
> ii  krb5-locales                                  1.18.3-6+deb11u1
>         all          internationalization support for MIT Kerberos
> ii  krb5-user                                     1.18.3-6+deb11u1
>         amd64        basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64                                 2.2.53-10
>          amd64        access control list - shared library
> ii  libattr1:amd64                                1:2.4.48-6
>         amd64        extended attribute handling - shared library
> ii  libgssapi-krb5-2:amd64                        1.18.3-6+deb11u1
>         amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64                               1.18.3-6+deb11u1
>         amd64        MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64                         1.18.3-6+deb11u1
>         amd64        MIT Kerberos runtime libraries - Support library
> ii  libmoox-aliases-perl                          0.001006-1.1
>         all          easy aliasing of methods and attributes in Moo
> ii  libnss-winbind:amd64                          2:4.13.13+dfsg-1~deb11u5
>         amd64        Samba nameservice integration plugins
> ii  libpam-krb5:amd64                             4.9-2
>          amd64        PAM module for MIT Kerberos
> ii  libpam-winbind:amd64                          2:4.13.13+dfsg-1~deb11u5
>         amd64        Windows domain authentication integration plugin
> ii  libsmbclient:amd64                            2:4.13.13+dfsg-1~deb11u5
>         amd64        shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64                            2:4.13.13+dfsg-1~deb11u5
>         amd64        Samba winbind client library
> ii  python3-nacl                                  1.4.0-1+b1
>         amd64        Python bindings to libsodium (Python 3)
> ii  python3-pylibacl:amd64                        0.6.0-1+b1
>         amd64        module for manipulating POSIX.1e ACLs (Python3 version)
> ii  python3-pyxattr:amd64                         0.7.2-1+b1
>         amd64        module for manipulating filesystem extended attributes
> (Python3)
> ii  python3-samba                                 2:4.13.13+dfsg-1~deb11u5
>         amd64        Python 3 bindings for Samba
> ii  samba                                         2:4.13.13+dfsg-1~deb11u5
>         amd64        SMB/CIFS file, print, and login server for Unix
> ii  samba-common                                  2:4.13.13+dfsg-1~deb11u5
>         all          common files used by both the Samba server and client
> ii  samba-common-bin                              2:4.13.13+dfsg-1~deb11u5
>         amd64        Samba common files used by both the server and the
> client
> ii  samba-dsdb-modules:amd64                      2:4.13.13+dfsg-1~deb11u5
>         amd64        Samba Directory Services Database
> ii  samba-libs:amd64                              2:4.13.13+dfsg-1~deb11u5
>         amd64        Samba core libraries
> ii  samba-vfs-modules:amd64                       2:4.13.13+dfsg-1~deb11u5
>         amd64        Samba Virtual FileSystem plugins
> ii  smbclient                                     2:4.13.13+dfsg-1~deb11u5
>         amd64        command-line SMB/CIFS clients for Unix
> ii  sssd-krb5                                     2.4.1-2
>          amd64        System Security Services Daemon -- Kerberos back end
> ii  sssd-krb5-common                              2.4.1-2
>          amd64        System Security Services Daemon -- Kerberos helpers
> ii  vlc-plugin-samba:amd64                        3.0.17.4-0+deb11u1
>         amd64        Samba plugin for VLC
> ii  winbind                                       2:4.13.13+dfsg-1~deb11u5
>         amd64        service to resolve user and group information from
> Windows NT servers
>
> -----------
>
> I did fix some things but after fixing I ran it again.  Why does it think
> I have no samba file?  Does it have the wrong permissions?
>
>
>> >
>> > [Tue Sep 13 16:19:25] [*_root at DC01/var/log/samba$_*] net ads testjoin
>> > kerberos_kinit_password HOME at HOME.ROB-CAMPBELL.LAN failed: Client not
>> > found in Kerberos database
>> > Join to domain is not valid: The name provided is not a properly formed
>> > account name.
>> >
>> > DC01 is the DC
>>
>> And 'net ads testjoin' doesn't work on a DC.
>> Rowland
>

