[Samba] Can't join to Domain

Rowland Penny rpenny at samba.org
Fri Aug 4 10:59:59 UTC 2023



On 04/08/2023 11:50, basti via samba wrote:
> 
> 
> On 04.08.23 12:37, Rowland Penny via samba wrote:
>>
>>
>> On 04/08/2023 11:21, basti via samba wrote:
>>> Hello,
>>> yesterday I set up an AD DC.
>>> Today I tried to add a fileserver to the AD.
>>>
>>> https://wiki.samba.org/index.php/Idmap_config_ad
>>>
>>> smb.conf:
>>>
>>> [global]
>>>
>>>      security = ADS
>>>      workgroup = NET
>>>      realm = NET.EXAMPLE.COM
>>>
>>>      log file = /var/log/samba/%m.log
>>>      log level = 1
>>>
>>>      # Default ID mapping configuration for local BUILTIN accounts
>>>      # and groups on a domain member. The default (*) domain:
>>>      # - must not overlap with any domain ID mapping configuration!
>>>      # - must use a read-write-enabled back end, such as tdb.
>>>      idmap config * : backend = tdb
>>>      idmap config * : range = 3000-7999
>>>      # - You must set a DOMAIN backend configuration
>>>      # idmap config for the NET domain
>>>      idmap config NET:backend = ad
>>>      idmap config NET:schema_mode = rfc2307
>>>      idmap config NET:range = 10000-999999
>>>      idmap config NET:unix_nss_info = yes
>>>
>>>      vfs objects = acl_xattr
>>>      map acl inherit = yes
>>>      store dos attributes = yes
>>>
>>> [homes]
>>>     comment = Home Directories
>>>     browseable = no
>>>
>>> root@fs:/var/lib/samba# cat /etc/krb5.conf
>>> [libdefaults]
>>>      default_realm = NET.EXAMPLE.COM
>>>      dns_lookup_realm = false
>>>      dns_lookup_kdc = true
>>> root@fs:/var/lib/samba#
>>>
>>> root@fs:/var/lib/samba# net ads join -U Administrator
>>> Password for [NET\Administrator]:
>>> Failed to join domain: failed to lookup DC info for domain 
>>> 'NET.EXAMPLE:COM' over rpc: Indicates the SID structure is not valid.
>>>
>>> DNS also works as expected.
>>> All tests done on 
>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 
>>> are OK
>>>
>>>
>>>
>>
>> I take it this is 4.17.9 on bookworm (as your DC was).
>> Have you added any rfc2307 attributes to AD ?
>> If you temporarily change to the 'rid' idmap backend, does the join 
>> then work ?
>>
>> Rowland
>>
> 
> Yes, it is bookworm, sorry.
> I set up the DC with --use-rfc2307.
> Temporarily changing to the 'rid' idmap backend did not help, the error is 
> the same.
> 
> 
> Something seems wrong here:
> 
> root@dc1:~# net rpc info -U Administrator
> Password for [NET\Administrator]:
> Could not connect to server DC1
> Connection failed: NT_STATUS_INVALID_SID
> root@dc1:~#
> 

I cannot remember ever having that problem.
Is Samba running at this point? If it is, stop it and try the join again.
Check that you can ping the DC.
Check that /etc/resolv.conf is using the DC as its first nameserver.
Check that /etc/hosts is set up correctly.

Rowland
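
The resolv.conf and /etc/hosts checks suggested above, as an added example that is not part of the original message. The addresses are constructed placeholders, and the rule that the member's name must not map to a loopback address is an assumption taken from the Samba wiki's domain member guidance, not from this thread.

```shell
#!/bin/sh
# Added example: checks for a Samba domain member before 'net ads join'.
# File paths are arguments so the checks can run against copies of the files.

# Print the first "nameserver" address in a resolv.conf-style file ($1).
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Succeed only if the first nameserver in file $1 is the DC address $2.
dc_is_first_nameserver() {
    [ "$(first_nameserver "$1")" = "$2" ]
}

# Print every address that hosts file $1 maps the name $2 to (case-insensitive).
hosts_addrs_for() {
    awk -v h="$2" '
        { sub(/#.*/, "") }   # drop comments before matching names
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) { print $1; break } }
    ' "$1"
}

# Assumption (Samba wiki guidance, not stated in the thread): "set up correctly"
# means the member's name is present and does not map to a loopback address.
hosts_entry_ok() {
    addrs=$(hosts_addrs_for "$1" "$2")
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case $a in 127.*|::1) return 1 ;; esac
    done
    return 0
}

# Constructed sample files (addresses are placeholders, not from the thread).
demo_dir=$(mktemp -d)
printf 'search net.example.com\nnameserver 192.0.2.10\nnameserver 192.0.2.1\n' > "$demo_dir/resolv.conf"
printf '127.0.0.1 localhost\n127.0.1.1 fs.net.example.com fs\n' > "$demo_dir/hosts"
if dc_is_first_nameserver "$demo_dir/resolv.conf" 192.0.2.10; then
    echo "resolv.conf: DC is the first nameserver"
else
    echo "resolv.conf: DC is NOT the first nameserver"
fi
if hosts_entry_ok "$demo_dir/hosts" fs; then
    echo "hosts: fs entry looks correct"
else
    echo "hosts: fs is missing or maps to a loopback address"
fi
rm -rf "$demo_dir"
```

On a real member, pass /etc/resolv.conf with the DC's address and /etc/hosts with the member's short name.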


