[Samba] Unable to join domain I think.

Rob Campbell robcampbell08105 at gmail.com
Thu Sep 15 11:29:26 UTC 2022


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.


On Wed, Sep 14, 2022 at 9:08 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

>
>
> On 14/09/2022 13:57, Rob Campbell wrote:
>
>
> >
> >     I would remove all the 'sss'
> >
> >
> > This was supposed to be done on the members, dc or both?  This output
> > was from a member so I did remove it from all the members.  Changing
> > hosts: files dns was supposed to be changed on the DC, right?
>
> My opinion is that if you are running Samba, then you should not run
> sssd. I have no problem with sssd, I just do not see the point to it
> with Samba. If you use sssd, you just get authentication, no NTLM, no
> ACL's, the things you need with Samba.
>
> >
> >
>
>
> >      > -----------
> >      >
> >      > I did fix some things but after fixing I ran it again.  Why does it
> >      > think I have no samba file?  Does it have the wrong permissions?
> >      >
> >      >
> >
> >     They are good questions, why can the script not find the smb.conf ?
> >     What does 'testparm -s' produce ?
> >     The permissions on the smb.conf should be '-rw-r--r--' and owned by
> >     'root:root'
> >
> >     Rowland
> >
> >
> >   [Wed Sep 14 08:50:39] [root at dc02~$] testparm -s
> > Load smb config files from /etc/samba/smb.conf
> > Loaded services file OK.
> > Weak crypto is allowed
> > Server role: ROLE_DOMAIN_MEMBER
> >
> > # Global parameters
> > [global]
> > log file = /var/log/samba/%m.log
> > realm = HOME.ROB-CAMPBELL.LAN
> > security = ADS
> > template homedir = /home/%U
> > template shell = /bin/bash
> > username map = /etc/samba/user.map
> > workgroup = HOME
> > idmap config * : rangesize = 200000
> > idmap config * : range = 10000-9999999
> > idmap config * : backend = autorid
> > [Wed Sep 14 08:51:10] [root at dc02~$] la /etc/samba/smb.conf
> > -rw-r--r-- 1 root root 596 Sep 13 00:49 /etc/samba/smb.conf
>
> Everything looks okay, so why couldn't the script find the smb.conf file ?
>
> Was that rhetorical?  I imagine we're looking up and to the left with our hand on our chin 🤔

> Rowland
>
>
> This is the other workstation.


[Thu Sep 15 07:19:49] [root at D01~$] vim /etc/resolv.conf  (NetworkManager is updating this)
[Thu Sep 15 07:23:46] [root at D01~$] net ads testjoin
Join is OK
[Thu Sep 15 07:23:51] [root at D01~$] samba-collect-debug-info.sh

Please wait, collecting debug info.

Password for Administrator at HOME.ROB-CAMPBELL.LAN:
Warning: Your password will expire in 39 days on Tue 25 Oct 2022 12:47:59 AM EDT
Warning: No smb.conf found


The debug info about your system can be found in this file:
/tmp/samba-debug-info.txt

Please check this and if required, sanitise it.
Then copy & paste it into an  email to the samba list
Do not attach it to the email, the Samba mailing list strips attachments.

[Thu Sep 15 07:24:05] [root at D01~$] smbd -b | grep 'CONFIGFILE' | awk '{print $NF}'
/etc/samba/smb.conf
[Thu Sep 15 07:24:17] [root at D01~$] testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
log file = /var/log/samba/%m.log
realm = HOME.ROB-CAMPBELL.LAN
security = ADS
template homedir = /home/%U
template shell = /bin/bash
username map = /etc/samba/user.map
workgroup = HOME
idmap config * : rangesize = 200000
idmap config * : range = 10000-9999999
idmap config * : backend = autorid

[Thu Sep 15 07:24:39] [root at D01~$] cat /tmp/samba-debug-info.txt
Config collected --- 2022-09-15-07:24 -----------

Hostname:   D01
DNS Domain: home.rob-campbell.lan
Realm:      HOME.ROB-CAMPBELL.LAN
FQDN:       d01.home.rob-campbell.lan
ipaddress:  10.0.0.18 2600:4040:4666:f900::1406

-----------

This computer is running Debian 11.4 x86_64

-----------

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: enp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether c8:0a:a9:0e:93:23 brd ff:ff:ff:ff:ff:ff
3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether c4:17:fe:4e:1a:8b brd ff:ff:ff:ff:ff:ff
    altname wlp2s0
    inet 10.0.0.18/24 brd 10.0.0.255 scope global dynamic noprefixroute wlo1
       valid_lft 85791sec preferred_lft 85791sec
    inet6 2600:4040:4666:f900::1406/128 scope global dynamic noprefixroute
       valid_lft 2993sec preferred_lft 1193sec
    inet6 fe80::7563:2b02:c335:1a7d/64 scope link noprefixroute

-----------

Checking file: /etc/hosts

127.0.0.1 localhost
10.0.0.18 d01.home.rob-campbell.lan d01

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

Checking file: /etc/resolv.conf

# Generated by NetworkManager
search home.rob-campbell.lan
nameserver 10.0.0.10
#nameserver 2600:4040:4666:f900::1

-----------

Kerberos SRV _kerberos._tcp.home.rob-campbell.lan record(s) verified ok, sample output:
Server: 10.0.0.10
Address: 10.0.0.10#53

_kerberos._tcp.home.rob-campbell.lan service = 0 100 88 dc01.home.rob-campbell.lan.

-----------

'kinit Administrator' password checked failed.
Wrong password or kerberos REALM problems.

-----------

Samba is not being run as a DC or a Unix domain member.

-----------

Checking file: /etc/krb5.conf

[libdefaults]
default_realm = HOME.ROB-CAMPBELL.LAN
dns_lookup_realm = false
dns_lookup_kdc = true

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

#passwd:         files winbind systemd sss
#group:          files winbind systemd sss
#shadow:         files sss
passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files

#hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
hosts:          files dns
networks:       files

protocols:      db files
#services:       db files sss
services:       db files
ethers:         db files
rpc:            db files

#netgroup:       nis sss
#automount:      sss
netgroup:       nis

-----------


Time on the DC with PDC Emulator role is: 2022-09-15T07:24:39


Time on this computer is:                 2022-09-15T07:24:39


Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds

-----------

Installed packages:
ii  acl                       2.2.53-10                 amd64  access control list - utilities
ii  attr                      1:2.4.48-6                amd64  utilities for manipulating filesystem extended attributes
ii  fonts-quicksand           0.2016-2.1                all    sans-serif font with round attributes
ii  kde-spectacle             20.12.3-1                 amd64  Screenshot capture utility
ii  krb5-config               2.6+nmu1                  all    Configuration files for Kerberos Version 5
ii  krb5-locales              1.18.3-6+deb11u1          all    internationalization support for MIT Kerberos
ii  krb5-user                 1.18.3-6+deb11u1          amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64             2.2.53-10                 amd64  access control list - shared library
ii  libattr1:amd64            1:2.4.48-6                amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64    1.18.3-6+deb11u1          amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64           1.18.3-6+deb11u1          amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64     1.18.3-6+deb11u1          amd64  MIT Kerberos runtime libraries - Support library
ii  libmoox-aliases-perl      0.001006-1.1              all    easy aliasing of methods and attributes in Moo
ii  libnss-winbind:amd64      2:4.13.13+dfsg-1~deb11u5  amd64  Samba nameservice integration plugins
ii  libpam-krb5:amd64         4.9-2                     amd64  PAM module for MIT Kerberos
ii  libpam-winbind:amd64      2:4.13.13+dfsg-1~deb11u5  amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64        2:4.13.13+dfsg-1~deb11u5  amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64        2:4.13.13+dfsg-1~deb11u5  amd64  Samba winbind client library
ii  python3-nacl              1.4.0-1+b1                amd64  Python bindings to libsodium (Python 3)
ii  python3-pylibacl:amd64    0.6.0-1+b1                amd64  module for manipulating POSIX.1e ACLs (Python3 version)
ii  python3-pyxattr:amd64     0.7.2-1+b1                amd64  module for manipulating filesystem extended attributes (Python3)
ii  python3-samba             2:4.13.13+dfsg-1~deb11u5  amd64  Python 3 bindings for Samba
ii  samba                     2:4.13.13+dfsg-1~deb11u5  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common              2:4.13.13+dfsg-1~deb11u5  all    common files used by both the Samba server and client
ii  samba-common-bin          2:4.13.13+dfsg-1~deb11u5  amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64  2:4.13.13+dfsg-1~deb11u5  amd64  Samba Directory Services Database
ii  samba-libs:amd64          2:4.13.13+dfsg-1~deb11u5  amd64  Samba core libraries
ii  samba-vfs-modules:amd64   2:4.13.13+dfsg-1~deb11u5  amd64  Samba Virtual FileSystem plugins
ii  smbclient                 2:4.13.13+dfsg-1~deb11u5  amd64  command-line SMB/CIFS clients for Unix
ii  sssd-krb5                 2.4.1-2                   amd64  System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common          2.4.1-2                   amd64  System Security Services Daemon -- Kerberos helpers
ii  vlc-plugin-samba:amd64    3.0.17.4-0+deb11u1        amd64  Samba plugin for VLC
ii  winbind                   2:4.13.13+dfsg-1~deb11u5  amd64  service to resolve user and group information from Windows NT servers

-----------

-----------
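
[Added example, not part of the original message and not taken from samba-collect-debug-info.sh.] The two checks discussed in this thread, smb.conf being '-rw-r--r--' and owned by root:root and no active 'sss' sources left in nsswitch.conf, written as a small script. The function names are hypothetical, and it assumes GNU stat as shipped on Debian.

```sh
#!/bin/sh
# Added example (constructed): function names are hypothetical.

# Print active nsswitch.conf lines that still list "sss" as a source.
# Returns 0 when none remain, 1 otherwise. Commented-out lines are ignored.
nss_sss_lines() {
    awk '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/#.*/, "", line)          # drop a trailing comment
            n = split(line, f)            # f[1] is the database, e.g. "passwd:"
            for (i = 2; i <= n; i++)
                if (f[i] == "sss") { print $0; found = 1; break }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Check that smb.conf is mode 644 (-rw-r--r--) and owned by root:root.
# $2 optionally overrides the expected numeric uid:gid (assumption: lets the
# check run against a copy of the file as a non-root user).
smbconf_perms_ok() {
    want=${2:-0:0}
    [ -f "$1" ] || { echo "$1: not found"; return 2; }
    mode=$(stat -c '%a' "$1")             # GNU stat, as on Debian
    owner=$(stat -c '%u:%g' "$1")
    [ "$mode" = 644 ] && [ "$owner" = "$want" ] && return 0
    echo "$1: mode $mode, owner $owner (expected 644, $want)"
    return 1
}

# Run both checks; non-zero if either one fails.
audit_member() {   # $1 = smb.conf, $2 = nsswitch.conf, $3 = expected uid:gid
    rc=0
    smbconf_perms_ok "$1" "${3:-0:0}" || rc=1
    nss_sss_lines "$2" || rc=1
    return "$rc"
}

# Example: sh audit.sh /etc/samba/smb.conf /etc/nsswitch.conf
if [ "$#" -ge 2 ]; then audit_member "$@"; fi
```

Because commented-out entries are skipped, an nsswitch.conf like the one in the debug output above, where the old 'sss' lines are only commented, passes the check.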

