[Samba] Can't join to Domain
Rowland Penny
rpenny at samba.org
Fri Aug 4 14:30:59 UTC 2023
On 04/08/2023 12:21, basti via samba wrote:
>
>
> On 04.08.23 12:59, Rowland Penny via samba wrote:
>>
>>
>> On 04/08/2023 11:50, basti via samba wrote:
>>>
>>>
>>> On 04.08.23 12:37, Rowland Penny via samba wrote:
>>>>
>>>>
>>>> On 04/08/2023 11:21, basti via samba wrote:
>>>>> Hello,
>>>>> yesterday I set up an AD DC.
>>>>> Today I am trying to add a file server to the AD.
>>>>>
>>>>> https://wiki.samba.org/index.php/Idmap_config_ad
>>>>>
>>>>> smb.conf:
>>>>>
>>>>> [global]
>>>>>
>>>>> security = ADS
>>>>> workgroup = NET
>>>>> realm = NET.EXAMPLE.COM
>>>>>
>>>>> log file = /var/log/samba/%m.log
>>>>> log level = 1
>>>>>
>>>>> # Default ID mapping configuration for local BUILTIN accounts
>>>>> # and groups on a domain member. The default (*) domain:
>>>>> # - must not overlap with any domain ID mapping configuration!
>>>>> # - must use a read-write-enabled back end, such as tdb.
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 3000-7999
>>>>> # - You must set a DOMAIN backend configuration
>>>>> # idmap config for the NET domain
>>>>> idmap config NET:backend = ad
>>>>> idmap config NET:schema_mode = rfc2307
>>>>> idmap config NET:range = 10000-999999
>>>>> idmap config NET:unix_nss_info = yes
>>>>>
>>>>> vfs objects = acl_xattr
>>>>> map acl inherit = yes
>>>>> store dos attributes = yes
>>>>>
>>>>> [homes]
>>>>> comment = Home Directories
>>>>> browseable = no
>>>>>
>>>>> root at fs:/var/lib/samba# cat /etc/krb5.conf
>>>>> [libdefaults]
>>>>> default_realm = NET.EXAMPLE.COM
>>>>> dns_lookup_realm = false
>>>>> dns_lookup_kdc = true
>>>>> root at fs:/var/lib/samba#
>>>>>
>>>>> root at fs:/var/lib/samba# net ads join -U Administrator
>>>>> Password for [NET\Administrator]:
>>>>> Failed to join domain: failed to lookup DC info for domain
>>>>> 'NET.EXAMPLE:COM' over rpc: Indicates the SID structure is not valid.
>>>>>
>>>>> DNS also works as expected.
>>>>> All tests done on
>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member are OK
>>>>>
>>>>>
>>>>>
>>>>
>>>> I take it this is 4.17.9 on bookworm (as your DC was).
>>>> Have you added any rfc2307 attributes to AD ?
>>>> If you temporarily change to the 'rid' idmap backend, does the join
>>>> then work ?
>>>>
>>>> Rowland
>>>>
>>>
>>> Yes, it is bookworm, sorry.
>>> I set up the DC with --use-rfc2307.
>>> Temporarily changing to the 'rid' idmap backend did not help, the error
>>> is the same.
>>>
>>>
>>> Something seems wrong here:
>>>
>>> root at dc1:~# net rpc info -U Administrator
>>> Password for [NET\Administrator]:
>>> Could not connect to server DC1
>>> Connection failed: NT_STATUS_INVALID_SID
>>> root at dc1:~#
>>>
>>
>> I cannot remember ever having that problem.
>> Is Samba running at this point? If it is, stop it and try the join
>> again.
>> Check that you can ping the DC.
>> Check that /etc/resolv.conf is using the DC as its first nameserver.
>> Check that /etc/hosts is set up correctly.
>>
>> Rowland
>>
>
> I get this error on both the DC and the other PC I try to join.
>
> I can ping the DC, DNS (dig) works, resolv.conf is OK, /etc/hosts looks good.
> Samba is running on the DC; on the other PC there is no smbd/nmbd/winbindd.
>
> root at dc1:~# wbinfo --name-to-sid Administrator
> S-1-5-21-3817776203-2382255991-3851830574-500 SID_USER (1)
>
> On the DC it works.
>
> It seems to be a problem with RPC; ADS is working:
>
> root at dc1:~# net ads info -U Admininistrator
> Password for [NET\Admininistrator]:
> LDAP server: 192.168.22.23
> LDAP server name: dc1.net.example.com
> Realm: NET.EXAMPLE.COM
> Bind Path: dc=NET,dc=EXAMPLE,dc=COM
> LDAP port: 389
> Server time: Fri, 04 Aug 2023 13:12:56 CEST
> KDC server: 192.168.22.23
> Server time offset: 0
> Last machine account password change: Thu, 03 Aug 2023 13:23:31 CEST
> root at dc1:~#
>
>
> But I can't join via ADS:
>
> root at fs:~# net ads join -U Admininistrator
I looked at this three times before I realised that:
'Admininistrator' isn't 'Administrator'
Rowland
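The thread above ends with a typo in the username, but the smb.conf it quotes also spells out constraints that are easy to get wrong and that surface later as opaque join errors: the default `*` idmap domain must use a read-write backend such as tdb and must not overlap any domain range, and every domain needs an explicit backend. The following Python script is an added example, not Samba's own tooling: it statically checks a member's smb.conf and krb5.conf for those constraints (and for `security = ADS`, an upper-case realm, and matching `default_realm`) before anyone runs `net ads join`. The function names (`check_member_config`, `parse_smb_conf`) and the two embedded configs are constructed for the example; the "good" config mirrors the one quoted in the thread, the "bad" one has an overlapping range and a lower-case realm.

```python
"""Static pre-join checks for a Samba domain member's smb.conf and krb5.conf.

Added example (not Samba's own tooling). Applies the rules stated in the
smb.conf comments quoted in the thread and reports findings as plain text;
an empty list means every check passed.
"""
import re

# Backends that allocate new mappings and are therefore valid for the '*' domain.
READ_WRITE_BACKENDS = {"tdb", "autorid"}

# 'idmap config <DOMAIN> : <key> = <value>', tolerating spaces around the colon
# (the quoted config uses both 'idmap config * : backend' and 'idmap config NET:backend').
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$", re.I)


def parse_smb_conf(text):
    """Return ({section: {key: value}}, {domain: {idmap_key: value}}).

    smb.conf keys are case- and whitespace-insensitive, so they are lower-cased
    and space-collapsed; idmap entries are only honoured inside [global]."""
    sections, idmap, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        m = IDMAP_RE.match(line)
        if m and current == "global":
            dom = m.group("dom").upper()  # NetBIOS domain names are case-insensitive
            idmap.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
            continue
        key, val = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = val.strip()
    return sections, idmap


def parse_range(value):
    """Parse 'LOW-HIGH' into (low, high); None if malformed or inverted."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value or "")
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo < hi else None


def ranges_overlap(a, b):
    """True if the closed intervals a and b share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_member_config(smb_text, krb5_text=""):
    """Return a list of findings for a domain member's smb.conf (+ optional krb5.conf)."""
    findings = []
    sections, idmap = parse_smb_conf(smb_text)
    g = sections.get("global", {})
    if g.get("security", "").lower() != "ads":
        findings.append("security must be 'ADS' on a domain member")
    realm = g.get("realm", "")
    if not realm:
        findings.append("realm is not set")
    elif realm != realm.upper():
        findings.append(f"realm '{realm}' should be upper-case")
    workgroup = g.get("workgroup", "").upper()
    if not workgroup:
        findings.append("workgroup is not set")

    default = idmap.get("*")
    default_range = parse_range(default.get("range")) if default else None
    if default is None:
        findings.append("no 'idmap config * : ...' entries for the default domain")
    else:
        if default.get("backend", "").lower() not in READ_WRITE_BACKENDS:
            findings.append("default '*' idmap backend must be read-write (e.g. tdb)")
        if default_range is None:
            findings.append("default '*' idmap range missing or malformed (expected LOW-HIGH)")
    if workgroup and workgroup not in idmap:
        findings.append(f"no idmap config for domain '{workgroup}' (a DOMAIN backend must be set)")

    seen = {}  # domain -> range, for pairwise overlap checks between domains
    for dom, cfg in idmap.items():
        if dom == "*":
            continue
        if "backend" not in cfg:
            findings.append(f"idmap config {dom} has no backend")
        r = parse_range(cfg.get("range"))
        if r is None:
            findings.append(f"idmap config {dom} range missing or malformed")
            continue
        if default_range and ranges_overlap(default_range, r):
            findings.append(f"idmap range for {dom} {r} overlaps the default '*' range {default_range}")
        for other, orng in seen.items():
            if ranges_overlap(orng, r):
                findings.append(f"idmap range for {dom} {r} overlaps {other} {orng}")
        seen[dom] = r

    if krb5_text:  # krb5.conf must point Kerberos at the same realm
        m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.M)
        if not m:
            findings.append("krb5.conf has no default_realm")
        elif realm and m.group(1).upper() != realm.upper():
            findings.append(f"krb5.conf default_realm '{m.group(1)}' differs from smb.conf realm '{realm}'")
    return findings


# Constructed sample configs: GOOD mirrors the member config quoted in the thread.
SMB_CONF_GOOD = """\
[global]
security = ADS
workgroup = NET
realm = NET.EXAMPLE.COM
# default domain: read-write backend, no overlap with NET
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config NET:backend = ad
idmap config NET:schema_mode = rfc2307
idmap config NET:range = 10000-999999
idmap config NET:unix_nss_info = yes
[homes]
comment = Home Directories
browseable = no
"""
SMB_CONF_BAD = SMB_CONF_GOOD.replace("NET.EXAMPLE.COM", "net.example.com") \
                            .replace("10000-999999", "5000-999999")
KRB5_CONF = "[libdefaults]\ndefault_realm = NET.EXAMPLE.COM\ndns_lookup_kdc = true\n"

if __name__ == "__main__":
    for name, conf in (("good", SMB_CONF_GOOD), ("bad", SMB_CONF_BAD)):
        print(name, check_member_config(conf, KRB5_CONF) or "OK")
```

Run it as-is to see the constructed "bad" config flagged for the overlapping range and the lower-case realm, or feed it the real files with `check_member_config(open("/etc/samba/smb.conf").read(), open("/etc/krb5.conf").read())`. It deliberately does not touch the network: the DNS, ping and /etc/hosts checks Rowland lists still have to be done on the host.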