[Samba] Unable to join domain I think.
Rowland Penny
rpenny at samba.org
Wed Sep 14 07:17:24 UTC 2022
On 13/09/2022 22:08, Rob Campbell wrote:
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In all things, Be Intentional.
>
>
> On Tue, Sep 13, 2022 at 4:33 PM Rowland Penny via samba
> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>
>
>
> On 13/09/2022 21:22, Rob Campbell wrote:
> > [Tue Sep 13 16:15:43] [*root at dc02~$*] net ads testjoin
> > Join is OK
>
> If I remember correctly, DC02 is a Unix domain member, so that (from
> info provided) appears to working correctly.
>
> >
> > [Tue Sep 13 16:19:14] [*root at D01~$*] net ads testjoin
> > ads_connect: No logon servers are currently available to service the
> > logon request.
> > Join to domain is not valid: No logon servers are currently
> available to
> > service the logon request.
>
> Can you go here:
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> <https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh>
>
> Download the script and run it on 'D01'
> post the output here in a post, do not attach it, this list strips
> attachments. Sanitise it you must.
>
>
> [Tue Sep 13 17:04:30] [root at D01~$] samba-collect-debug-info.sh
>
> Please wait, collecting debug info.
>
> Password for Administrator at HOME.ROB-CAMPBELL.LAN:
> Warning: Your password will expire in 41 days on Tue 25 Oct 2022
> 12:47:59 AM EDT
> Warning: No smb.conf found
>
>
> The debug info about your system can be found in this file:
> /tmp/samba-debug-info.txt
>
> Please check this and if required, sanitise it.
> Then copy & paste it into an email to the samba list
> Do not attach it to the email, the Samba mailing list strips attachments.
>
> [Tue Sep 13 17:04:41] [root at D01~$] smbd -b | grep 'CONFIGFILE' | awk
> '{print $NF}'
> /etc/samba/smb.conf
> [Tue Sep 13 17:04:45] [root at D01~$] cat /etc/samba/smb.conf
> [global]
> security = ADS
> workgroup = HOME
> realm = HOME.ROB-CAMPBELL.LAN
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config * : backend = autorid
> idmap config * : range = 10000-9999999
> idmap config * : rangesize = 200000
>
> username map = /etc/samba/user.map
>
> template shell = /bin/bash
> template homedir = /home/%U
> [Tue Sep 13 17:04:47] [root at D01~$] cat /tmp/samba-debug-info.txt
> Config collected --- 2022-09-13-17:04 -----------
>
> Hostname: D01
> DNS Domain: home.rob-campbell.lan
> Realm: HOME.ROB-CAMPBELL.LAN
> FQDN: d01.home.rob-campbell.lan
> ipaddress: 10.0.0.18 2600:4040:4666:f900::1406
>
> -----------
>
> This computer is running Debian 11.4 x86_64
>
> -----------
>
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 <http://127.0.0.1/8> scope host lo
> inet6 ::1/128 scope host
> 2: enp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN
> group default qlen 1000
> link/ether c8:0a:a9:0e:93:23 brd ff:ff:ff:ff:ff:ff
> 3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
> link/ether c4:17:fe:4e:1a:8b brd ff:ff:ff:ff:ff:ff
> altname wlp2s0
> inet 10.0.0.18/24 <http://10.0.0.18/24> brd 10.0.0.255 scope global
> dynamic noprefixroute wlo1
> valid_lft 83491sec preferred_lft 83491sec
> inet6 2600:4040:4666:f900::1406/128 scope global dynamic noprefixroute
> valid_lft 2359sec preferred_lft 559sec
> inet6 fe80::7563:2b02:c335:1a7d/64 scope link noprefixroute
>
> -----------
>
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 10.0.0.18 d01.home.rob-campbell.lan d01
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> nameserver 10.0.0.10
> search HOME.ROB-CAMPBELL.LAN
>
> -----------
>
> Kerberos SRV _kerberos._tcp.home.rob-campbell.lan record(s) verified ok,
> sample output:
> Server: 10.0.0.10
> Address: 10.0.0.10#53
>
> _kerberos._tcp.home.rob-campbell.lan service = 0 100 88
> dc01.home.rob-campbell.lan.
>
> -----------
>
> 'kinit Administrator' checked successfully.
>
> -----------
>
> Samba is not being run as a DC or a Unix domain member.
I think that message needs changing, it really means that no Samba
binaries are running.
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = HOME.ROB-CAMPBELL.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files winbind systemd sss
> group: files winbind systemd sss
> shadow: files sss
> gshadow: files
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
> networks: files
>
> protocols: db files
> services: db files sss
> ethers: db files
> rpc: db files
>
> netgroup: nis sss
> automount: sss
>
I would remove all the 'sss'
> -----------
>
>
> Time on the DC with PDC Emulator role is: 2022-09-13T17:04:40
>
>
> Time on this computer is: 2022-09-13T17:04:41
>
>
> Time verified ok, within the allowed 300sec margin.
> Time offset is currently : 0 seconds
>
> -----------
>
> Installed packages:
> ii acl 2.2.53-10
> amd64 access control list - utilities
> ii attr 1:2.4.48-6
> amd64 utilities for manipulating filesystem extended
> attributes
> ii fonts-quicksand 0.2016-2.1
> all sans-serif font with round attributes
> ii kde-spectacle 20.12.3-1
> amd64 Screenshot capture utility
> ii krb5-config 2.6+nmu1
> all Configuration files for Kerberos Version 5
> ii krb5-locales 1.18.3-6+deb11u1
> all internationalization support for MIT Kerberos
> ii krb5-user 1.18.3-6+deb11u1
> amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.53-10
> amd64 access control list - shared library
> ii libattr1:amd64 1:2.4.48-6
> amd64 extended attribute handling - shared library
> ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u1
> amd64 MIT Kerberos runtime libraries - krb5 GSS-API
> Mechanism
> ii libkrb5-3:amd64 1.18.3-6+deb11u1
> amd64 MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.18.3-6+deb11u1
> amd64 MIT Kerberos runtime libraries - Support library
> ii libmoox-aliases-perl 0.001006-1.1
> all easy aliasing of methods and attributes in Moo
> ii libnss-winbind:amd64
> 2:4.13.13+dfsg-1~deb11u5 amd64 Samba nameservice
> integration plugins
> ii libpam-krb5:amd64 4.9-2
> amd64 PAM module for MIT Kerberos
> ii libpam-winbind:amd64
> 2:4.13.13+dfsg-1~deb11u5 amd64 Windows domain
> authentication integration plugin
> ii libsmbclient:amd64
> 2:4.13.13+dfsg-1~deb11u5 amd64 shared library for
> communication with SMB/CIFS servers
> ii libwbclient0:amd64
> 2:4.13.13+dfsg-1~deb11u5 amd64 Samba winbind client library
> ii python3-nacl 1.4.0-1+b1
> amd64 Python bindings to libsodium (Python 3)
> ii python3-pylibacl:amd64 0.6.0-1+b1
> amd64 module for manipulating POSIX.1e ACLs (Python3
> version)
> ii python3-pyxattr:amd64 0.7.2-1+b1
> amd64 module for manipulating filesystem extended
> attributes (Python3)
> ii python3-samba
> 2:4.13.13+dfsg-1~deb11u5 amd64 Python 3 bindings for Samba
> ii samba
> 2:4.13.13+dfsg-1~deb11u5 amd64 SMB/CIFS file, print, and
> login server for Unix
> ii samba-common
> 2:4.13.13+dfsg-1~deb11u5 all common files used by
> both the Samba server and client
> ii samba-common-bin
> 2:4.13.13+dfsg-1~deb11u5 amd64 Samba common files used
> by both the server and the client
> ii samba-dsdb-modules:amd64
> 2:4.13.13+dfsg-1~deb11u5 amd64 Samba Directory Services
> Database
> ii samba-libs:amd64
> 2:4.13.13+dfsg-1~deb11u5 amd64 Samba core libraries
> ii samba-vfs-modules:amd64
> 2:4.13.13+dfsg-1~deb11u5 amd64 Samba Virtual FileSystem
> plugins
> ii smbclient
> 2:4.13.13+dfsg-1~deb11u5 amd64 command-line SMB/CIFS
> clients for Unix
> ii sssd-krb5 2.4.1-2
> amd64 System Security Services Daemon -- Kerberos
> back end
> ii sssd-krb5-common 2.4.1-2
> amd64 System Security Services Daemon -- Kerberos helpers
> ii vlc-plugin-samba:amd64 3.0.17.4-0+deb11u1
> amd64 Samba plugin for VLC
> ii winbind
> 2:4.13.13+dfsg-1~deb11u5 amd64 service to resolve user
> and group information from Windows NT servers
>
> -----------
>
> I did fix some things but after fixing I ran it again. Why does it
> think I have no samba file? Does it have the wrong permissions?
>
>
They are good questions, why can the script not find the smb.conf ?
What does 'testparm -s' produce ?
The permissions on the smb.conf should be '-rw-r--r--' and owned by
'root:root'
Rowland
More information about the samba
mailing list