[Samba] Can't join to Domain

basti mailinglist at unix-solution.de
Fri Aug 4 10:50:26 UTC 2023 


On 04.08.23 12:37, Rowland Penny via samba wrote:
> 
> 
> On 04/08/2023 11:21, basti via samba wrote:
>> Hello,
>> yesterday I setup a AD DC.
>> Today I try to add a Fileserver to the AD.
>>
>> https://wiki.samba.org/index.php/Idmap_config_ad
>>
>> smb.conf:
>>
>> [global]
>>
>>      security = ADS
>>      workgroup = NET
>>      realm = NET.EXAMPLE.COM
>>
>>      log file = /var/log/samba/%m.log
>>      log level = 1
>>
>>      # Default ID mapping configuration for local BUILTIN accounts
>>      # and groups on a domain member. The default (*) domain:
>>      # - must not overlap with any domain ID mapping configuration!
>>      # - must use a read-write-enabled back end, such as tdb.
>>      idmap config * : backend = tdb
>>      idmap config * : range = 3000-7999
>>      # - You must set a DOMAIN backend configuration
>>      # idmap config for the NET domain
>>      idmap config NET:backend = ad
>>      idmap config NET:schema_mode = rfc2307
>>      idmap config NET:range = 10000-999999
>>      idmap config NET:unix_nss_info = yes
>>
>>      vfs objects = acl_xattr
>>      map acl inherit = yes
>>      store dos attributes = yes
>>
>> [homes]
>>     comment = Home Directories
>>     browseable = no
>>
>> root at fs:/var/lib/samba# cat /etc/krb5.conf
>> [libdefaults]
>>      default_realm = NET.EXAMPLE.COM
>>      dns_lookup_realm = false
>>      dns_lookup_kdc = true
>> root at fs:/var/lib/samba#
>>
>> root at fs:/var/lib/samba# net ads join -U Administrator
>> Password for [NET\Administrator]:
>> Failed to join domain: failed to lookup DC info for domain 
>> 'NET.EXAMPLE:COM' over rpc: Indicates the SID structure is not valid.
>>
>> DNS also works as expected.
>> All tests done on 
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 
>> are OK
>>
>>
>>
> 
> I take it this is 4.17.9 on bookworm (as your DC was).
> Have you added any rfc2307 attributes to AD ?
> If you temporarily change to the 'rid' idmap backend, does the join then 
> work ?
> 
> Rowland
> 

Yes is is bookworm, sorry.
I setup DC with --use-rfc2307
temporarily change to the 'rid' idmap backend did not help, the error is 
the same.


Somethink seems wrong here:

root at dc1:~# net rpc info -U Administrator
Password for [NET\Administrator]:
Could not connect to server DC1
Connection failed: NT_STATUS_INVALID_SID
root at dc1:~#

More information about the samba mailing list