Jonathan S. Fisher
2015-Nov-30 20:52 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
/etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.127.129
search windows.corp.XXX.com
/etc/hosts
127.0.0.1 localhost
127.0.1.1 freeradius.windows.corp.XXX.com freeradius
192.168.127.131 whiskey.windows.corp.XXX.com whiskey
192.168.112.4 wine..windows.corp.XXX.com wine
/etc/krb5.conf
[libdefaults]
default_realm = WINDOWS.CORP.XXX.COM
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
WINDOWS.CORP.XXX.COM = {
kdc = whiskey.windows.corp.XXX.com:88
kdc = wine.windows.corp.XXX.com:88
admin_server = whiskey.windows.corp.XXX.com:749
}
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
[domain_realm]
.windows.corp.XXX.com = WINDOWS.CORP.XXX.COM
windows.corp.XXX.com = WINDOWS.CORP.XXX.COM
[login]
krb4_convert = true
krb4_get_tickets = false
On Mon, Nov 30, 2015 at 2:43 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> On 30/11/15 20:30, Jonathan S. Fisher wrote:
>
>> Same results with that command. And the same DNS query occurred
>>
>> On Mon, Nov 30, 2015 at 2:20 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>
>> On 30/11/15 20:01, Jonathan S. Fisher wrote:
>>
>> Hey guys,
>>
>> I've successfully joined the domain with "sudo net ads join -k". However,
>> when I try to run this: "sudo net rpc info" I get this error: "Unable to
>> find a suitable server for domain WINDOWS"
>>
>> I dumped the DNS requests and it looks like the problem is that it's asking
>> for ldap entries under the workgroup name, not the FQDN:
>>
>> From Wireshark:
>>
>> Queries
>> _ldap._tcp.pdc._msdcs.WINDOWS: type SRV, class IN
>> Name: _ldap._tcp.pdc._msdcs.WINDOWS
>>
>> Ok great, so if I dig that with the command: "dig _ldap._tcp.pdc._msdcs.WINDOWS"
>> dig times out. If I dig the FQDN: "dig _ldap._tcp.pdc._msdcs.WINDOWS.CORP.XXX.COM"
>> I get a response instantly.
>>
>> Is this a problem with my windows domain controller (how do I make it
>> respond to those queries)? Or is this a problem with my samba setup?
>>
>> Samba version: 4.2.5-SerNet-Ubuntu-8.trusty
>>
>> Here is my smb.conf:
>>
>> [global]
>> security=ads
>> realm=WINDOWS.CORP.XXX.COM
>> workgroup=WINDOWS
>> domain master=no
>> local master=no
>> preferred master=no
>> load printers=no
>> printing=bsd
>> printcap name=/dev/null
>> disable spoolss=yes
>> idmap backend=tdb
>> idmap uid=10000-99999
>> idmap gid=10000-99999
>> winbind enum users=yes
>> winbind enum groups=yes
>> winbind use default domain=yes
>> winbind nested groups=yes
>> winbind refresh tickets=yes
>> winbind offline logon=yes
>> template shell=/bin/false
>> client use spnego=yes
>> client ntlmv2 auth=yes
>> encrypt passwords=yes
>> restrict anonymous=2
>> log file=/var/log/samba/samba.log
>> log level=2
>> dcerpc endpoint servers=remote
>> wins support=no
>>
>>
>> Try it like this: sudo net rpc info -UAdministrator
>>
>> Rowland
>>
>>
> OK, what have you got in /etc/resolv.conf & /etc/krb5.conf
>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
Email Confidentiality Notice: The information contained in this
transmission is confidential, proprietary or privileged and may be subject
to protection under the law, including the Health Insurance Portability and
Accountability Act (HIPAA). The message is intended for the sole use of the
individual or entity to whom it is addressed. If you are not the intended
recipient, you are notified that any use, distribution or copying of the
message is strictly prohibited and may subject you to criminal or civil
penalties. If you received this transmission in error, please contact the
sender immediately by replying to this email and delete the material from
any computer.
Rowland Penny
2015-Nov-30 21:07 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
On 30/11/15 20:52, Jonathan S. Fisher wrote:
> /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.127.129
> search windows.corp.XXX.com

I take it 192.168.127.129 is your AD DC.

> /etc/hosts
>
> 127.0.0.1 localhost
> 127.0.1.1 freeradius.windows.corp.XXX.com freeradius
> 192.168.127.131 whiskey.windows.corp.XXX.com whiskey
> 192.168.112.4 wine..windows.corp.XXX.com wine

Hmm, I think you are using Network Manager, which uses dnsmasq as a cache. I would suggest you stop this (open the network-manager conf and comment out the dnsmasq line, then restart network-manager). If you are using DHCP, I would also suggest you remove the three lines below '127.0.0.1 localhost'; if your machine has a fixed IP, I would remove any of the three lines that doesn't point to your machine.

> /etc/krb5.conf
>
> [libdefaults]
> default_realm = WINDOWS.CORP.XXX.COM

Believe it or not, you do not need any of /etc/krb5.conf from here on, you only need the two lines above.

> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
>
> [realms]
> WINDOWS.CORP.XXX.COM = {
> kdc = whiskey.windows.corp.XXX.com:88
> kdc = wine.windows.corp.XXX.com:88
> admin_server = whiskey.windows.corp.XXX.com:749
> }
>
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> debug = false
> }
>
> [domain_realm]
> .windows.corp.XXX.com = WINDOWS.CORP.XXX.COM
> windows.corp.XXX.com = WINDOWS.CORP.XXX.COM
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false

I would also go here: https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Set up Samba as described there; you will need to follow the hyperlinks.

Rowland
Jonathan S. Fisher
2015-Nov-30 22:38 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
Thank you Rowland for the help so far. I followed the directions on that page very precisely. I was able to join the domain, but the RPC stuff still doesn't work and I'm still having the same problem. The actual root problem is that, up to this point, winbind works for about a day or so and then I start getting NT_STATUS_ACCESS_DENIED. Anyway, after the join, winbind works right now:

sudo wbinfo -a administrator
Enter administrator's password:
plaintext password authentication succeeded

Checking RPC:

sudo net rpc info -Uadministrator
Unable to find a suitable server for domain WINDOWS

Here is my new config:

/etc/hosts
127.0.0.1 localhost

/etc/krb5.conf
[libdefaults]
default_realm = WINDOWS.CORP.XXX.COM

/etc/samba/smb.conf
[global]
netbios name=freeradius
security=ADS
workgroup=WINDOWS
realm=WINDOWS.CORP.XXX.COM
log file=/var/log/samba/%m.log
log level=1
dedicated keytab file=/etc/krb5.keytab
kerberos method=secrets and keytab
winbind refresh tickets=yes
winbind trusted domains only=no
winbind use default domain=yes
winbind enum users=yes
winbind enum groups=yes
load printers=no
template shell=/bin/false
idmap config WINDOWS:backend=rid
idmap config WINDOWS:range=10000-99999
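The checks Rowland walks through in this thread (krb5.conf default_realm against smb.conf realm, a bare NetBIOS workgroup next to an upper-case realm, the resolver search path, and /etc/hosts lines that pin DC names instead of letting AD DNS answer), applied to the files posted before and after the clean-up. This is an added example, not code from the thread or from Samba. It assumes the host name "freeradius" from the posted netbios name, the standard set of AD DC-locator SRV records, and embeds excerpts of the posted configs as constructed sample input; the "info" line records what the Wireshark capture showed, a lookup under the NetBIOS name rather than under the realm.

```python
"""Name-resolution sanity checks for a Samba AD domain member (added example
for this thread, not Samba's code). Parses smb.conf [global], krb5.conf,
resolv.conf and /etc/hosts as posted, reports the mismatches Rowland probes
for, and names the DC-locator SRV records to verify with dig."""
import re
from typing import List


def parse_ini(text: str) -> dict:
    """smb.conf/krb5.conf style: [section], key = value, plus krb5's nested
    'name = { ... }' groups. Keys lower-cased; values kept in a list (krb5 repeats kdc=)."""
    out: dict = {}
    section, stack = "", []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if m := re.fullmatch(r"\[(\S+)\]", line):
            section, stack = m.group(1).lower(), []
        elif line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(line[:-1].split("=", 1)[0].strip())
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            out.setdefault((section, tuple(stack)), {}).setdefault(key.lower(), []).append(val)
    return out


def parse_words(text: str) -> List[List[str]]:
    """Whitespace-split the non-comment lines of resolv.conf or /etc/hosts."""
    rows = (raw.split("#", 1)[0].split() for raw in text.splitlines())
    return [r for r in rows if len(r) >= 2]


def srv_names(dns_domain: str) -> List[str]:
    """DC-locator SRV records AD publishes under the DNS domain name."""
    d = dns_domain.lower().rstrip(".")
    return [f"_ldap._tcp.pdc._msdcs.{d}", f"_ldap._tcp.dc._msdcs.{d}",
            f"_ldap._tcp.{d}", f"_kerberos._tcp.{d}", f"_kpasswd._tcp.{d}"]


def check(smb: str, krb5: str, resolv: str, hosts: str, hostname: str) -> List[str]:
    """Return findings; 'info:' lines are advisory, everything else is a mismatch."""
    f: List[str] = []
    g = parse_ini(smb).get(("global", ()), {})
    realm = g.get("realm", [""])[0]
    workgroup = g.get("workgroup", [""])[0]
    me = g.get("netbios name", [hostname])[0].lower()
    if not realm:
        f.append("smb.conf: security=ads requires realm= (the AD DNS domain)")
    elif realm != realm.upper():
        f.append(f"smb.conf: realm should be upper case, got {realm!r}")
    if "." in workgroup or len(workgroup) > 15:
        f.append(f"smb.conf: workgroup must be the NetBIOS domain name, got {workgroup!r}")
    # The capture in the thread shows Samba 4.2 asking for the SRV name built
    # from the NetBIOS name; AD publishes these records under the DNS domain.
    f.append(f"info: _ldap._tcp.pdc._msdcs.{workgroup} is not a name in the AD zone; "
             f"check {srv_names(realm)[0]} with dig SRV")
    dr = parse_ini(krb5).get(("libdefaults", ()), {}).get("default_realm", [""])[0]
    if dr.upper() != realm.upper():
        f.append(f"krb5.conf: default_realm {dr!r} does not match smb.conf realm {realm!r}")
    words = parse_words(resolv)
    search = [s.lower() for r in words if r[0] == "search" for s in r[1:]]
    if not any(r[0] == "nameserver" for r in words):
        f.append("resolv.conf: no nameserver; DNS-based DC location cannot work")
    if realm.lower() not in search:
        f.append(f"resolv.conf: search {search} does not include {realm.lower()}")
    for ip, *names in parse_words(hosts):
        bad = [n for n in names if "" in n.strip(".").split(".")]  # empty label, e.g. 'a..b'
        if bad:
            f.append(f"hosts: malformed name(s) {bad} on {ip}")
        elif not ip.startswith("127.") and names[0].split(".")[0].lower() != me:
            f.append(f"hosts: {ip} {names[0]} pins another host; let AD DNS resolve it")
    return f


# Constructed sample input: excerpts of the files first posted in the thread ...
SMB_OLD = "[global]\nsecurity=ads\nrealm=WINDOWS.CORP.XXX.COM\nworkgroup=WINDOWS\nidmap backend=tdb\n"
KRB5_OLD = """[libdefaults]
default_realm = WINDOWS.CORP.XXX.COM
[realms]
WINDOWS.CORP.XXX.COM = {
kdc = whiskey.windows.corp.XXX.com:88
kdc = wine.windows.corp.XXX.com:88
admin_server = whiskey.windows.corp.XXX.com:749
}
"""
RESOLV = "nameserver 192.168.127.129\nsearch windows.corp.XXX.com\n"
HOSTS_OLD = """127.0.0.1 localhost
127.0.1.1 freeradius.windows.corp.XXX.com freeradius
192.168.127.131 whiskey.windows.corp.XXX.com whiskey
192.168.112.4 wine..windows.corp.XXX.com wine
"""
# ... and the cleaned-up versions from the last message.
SMB_NEW = "[global]\nnetbios name=freeradius\nsecurity=ADS\nworkgroup=WINDOWS\nrealm=WINDOWS.CORP.XXX.COM\n"
KRB5_NEW = "[libdefaults]\ndefault_realm = WINDOWS.CORP.XXX.COM\n"
HOSTS_NEW = "127.0.0.1 localhost\n"

if __name__ == "__main__":  # before and after the clean-up advised in the thread
    for files in ((SMB_OLD, KRB5_OLD, RESOLV, HOSTS_OLD), (SMB_NEW, KRB5_NEW, RESOLV, HOSTS_NEW)):
        print("\n".join(check(*files, hostname="freeradius")), end="\n\n")
```

On a live member server the four strings would be read from the real files. Passing these checks only shows the client side is consistent; whether the DC actually answers is still verified the way Jonathan did, with dig against the realm-qualified name, not the NetBIOS one.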