Hi Rowland

I don't have krb5.conf at hand at the moment but I've checked it multiple times and I think it is OK since I can get a ticket via kinit.
resolv.conf points to my DNS

I can resolve the AD hostname via
host serverDC1001.dan2003.sample.domain.com

and via
host 10.80.8.88

Regarding NetworkManager, my machine is a headless server so dnsmasq does not apply I guess?

Bit of a back story
Initially I had Samba 3.6 on that machine and it was joined to the domain, then removed from the domain.
I've done a disk backup of it, then put Samba Sernet 4.1.17 on it and attempted to join, which fails.
After 2 days of struggle I rolled back to the 3.6 snapshot, issued the join command and it worked.

I haven't changed config files between versions
Thanks for any suggestions.

D.

--
View this message in context: http://samba.2283325.n4.nabble.com/Cannot-join-Ubuntu12-04-Samba-4-1-17-to-domain-tp4684555p4684559.html
Sent from the Samba - General mailing list archive at Nabble.com.
Rowland Penny
2015-Apr-17 15:43 UTC
[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
On 17/04/15 13:49, ivenhov wrote:
> Hi Rowland
>
> I don't have krb5.conf at hand at the moment but I've checked it multiple
> times and I think it is OK since I can get a ticket via kinit.
> resolv.conf points to my DNS
>
> I can resolve the AD hostname via
> host serverDC1001.dan2003.sample.domain.com
>
> and via
> host 10.80.8.88
>
> Regarding NetworkManager, my machine is a headless server so dnsmasq does
> not apply I guess?
>
> Bit of a back story
> Initially I had Samba 3.6 on that machine and it was joined to the domain,
> then removed from the domain.
> I've done a disk backup of it, then put Samba Sernet 4.1.17 on it and
> attempted to join, which fails.
> After 2 days of struggle I rolled back to the 3.6 snapshot, issued the join
> command and it worked.
>
> I haven't changed config files between versions
> Thanks for any suggestions.
>
> D.

OK, Ubuntu 12.04.5 server with 'sernet-samba sernet-samba-winbind krb5-user ntp' installed

Set /etc/ntp.conf to point at the DC for time.

Alter smb.conf to be similar to this:

#---- Start ------
[global]
    workgroup = EXAMPLE
    security = ADS
    realm = EXAMPLE.COM

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Samba 4 Client %h

    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes
    winbind expand groups = 4
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind offline logon = yes
    winbind normalize names = Yes

    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain the ranges may not overlap !
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999

    # change these for YOUR DCs' IP addresses
    wins server = 192.168.0.2 192.168.0.3

    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on member server
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

[home]
    path = /home/%u
    read only = no
#------- End ------------

You may have to change the ranges to match your setup

Create the user map file (it's just one line)

nano /etc/samba/user.map

!root = EXAMPLE\Administrator EXAMPLE\administrator Administrator administrator

Change /etc/krb5.conf to this:

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

You should now be able to join the Domain:

net ads join -U Administrator

Obviously, wherever you see 'EXAMPLE' above, change it for YOUR workgroup name, the same goes for 'EXAMPLE.COM', change this for YOUR Realm name, remember they must be in UPPERCASE.

Rowland
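Added example, not part of the original thread: a pre-join check for the three constraints the message above calls out (UPPERCASE workgroup and realm, the same realm in krb5.conf, non-overlapping idmap ranges). The function names `parse_section` and `check_join_config` and the embedded sample files are constructed for illustration.

```python
import re
# Constructed sample inputs modelled on the configuration in the message above.
SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    idmap config *:range = 2000-9999
    idmap config EXAMPLE : range = 10000-999999
"""
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
"""

def parse_section(text, section):
    """Return {normalized key: value} for one [section]; skips # and ; comment lines."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names, so normalize both.
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def check_join_config(smb_text, krb5_text):
    """Hypothetical helper: list config problems to fix before 'net ads join'."""
    smb = parse_section(smb_text, "global")
    krb = parse_section(krb5_text, "libdefaults")
    problems = []
    realm, workgroup = smb.get("realm", ""), smb.get("workgroup", "")
    for name, value in (("realm", realm), ("workgroup", workgroup)):
        if not value or value != value.upper():
            problems.append(f"{name} must be set and UPPERCASE: {value!r}")
    if krb.get("default_realm") != realm:
        problems.append("krb5.conf default_realm does not match smb.conf realm")
    ranges = []
    for key, value in smb.items():
        if m := re.fullmatch(r"idmapconfig(.+):range", key):
            ranges.append((*map(int, value.split("-")), m.group(1)))
    ranges.sort()  # after sorting by lower bound, any overlap shows up between neighbours
    for (_, hi_a, dom_a), (lo_b, _, dom_b) in zip(ranges, ranges[1:]):
        if lo_b <= hi_a:
            problems.append(f"idmap ranges overlap: {dom_a} and {dom_b}")
    return problems
```

On a real member server, pass in the contents of /etc/samba/smb.conf and /etc/krb5.conf instead of the sample strings.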
Greetings, ivenhov!

> I don't have krb5.conf at hand at the moment but I've checked it multiple
> times and I think it is OK since I can get a ticket via kinit.

Words are cheap.
I've just come back from work, where I'm ironing out the last twists of a recent classic migration.
One of them being that krb5.conf on one of the gateway systems posed itself as an authoritative KDC for a parent domain. A whole segment of client systems went upside down and hung in that pose until I actually began to match every config line by line.

> resolv.conf points to my DNS

Not necessary as long as the domain names can be resolved correctly.

> I can resolve the AD hostname via
> host serverDC1001.dan2003.sample.domain.com

That's enough.

> and via
> host 10.80.8.88

> Regarding NetworkManager, my machine is a headless server so dnsmasq does
> not apply I guess?

NM is a network manager in its own right. What you are thinking about is network-manager-gnome, most likely, and that is only a part of it.
Headless or not, NM can still be used to control networking connections.
So, Rowland's question wasn't all that useless.

> Bit of a back story
> Initially I had Samba 3.6 on that machine and it was joined to the domain,
> then removed from the domain.
> I've done a disk backup of it, then put Samba Sernet 4.1.17 on it and
> attempted to join, which fails.

1. Recheck the realm description in /etc/krb5.conf
2. Double check that date and timezone are set correctly. `date -u` being the most trustworthy source.

> After 2 days of struggle I rolled back to the 3.6 snapshot, issued the join
> command and it worked.

> I haven't changed config files between versions
> Thanks for any suggestions.

You should, like, REALLY clean up your smb.conf. At least half of it is just garbage.
And 'socket options' is literally a shot into your own leg.

--
With best regards,
Andrey Repin
Saturday, April 18, 2015 02:30:23

Sorry for my terrible English...
Thank you both for the answers.
I'll re-check everything again once on customer site and post my findings shortly afterwards.

Regards

--
View this message in context: http://samba.2283325.n4.nabble.com/Cannot-join-Ubuntu12-04-Samba-4-1-17-to-domain-tp4684555p4684827.html
Sent from the Samba - General mailing list archive at Nabble.com.