Jonathan S. Fisher
2015-Dec-01 15:47 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
Great things to investigate... thank you.

Ok, so everything is pingable. I've checked to make sure I can send TCP and UDP traffic between the hosts with netcat.

> Does your dhcp server deliver the required info?

For DNS? Yes, it tells the client to use 192.168.127.129. I'd be in a world of hurt otherwise!

> Does 'hostname -d' return the fully qualified domain name of the client?

No, it doesn't return anything actually! Maybe this is why it keeps trying to ask for SRV records in WINDOWS instead of WINDOWS.CORP.XXX.COM

> Is there a firewall running on the client? if so, try turning it off.

Yep, it's off. Off on the servers too.

> If you follow the Samba wiki, I can assure you that it does work:

I know :) The documentation is very clear, it's some oddity about my network I'm sure.

I'll look into the hostname -d and see if I can figure out why that's not returning anything

On Tue, Dec 1, 2015 at 4:31 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 30/11/15 22:38, Jonathan S. Fisher wrote:
>
>> Thank you Rowland for the help so far. I followed the directions on that
>> page very precisely. I was able to join the domain, but the RPC stuff still
>> doesn't work and I'm still having the same problem. The actual root problem
>> is that up to this point, winbind works for about a day or so then I start
>> getting NT_STATUS_ACCESS_DENIED.
>>
>> Anyway, after the join, winbind works right now:
>>
>> sudo wbinfo -a administrator
>> Enter administrator's password:
>> plaintext password authentication succeeded
>>
>> Checking RPC:
>>
>> sudo net rpc info -Uadministrator
>> Unable to find a suitable server for domain WINDOWS
>>
>> Here is my new config:
>>
>> /etc/hosts
>> 127.0.0.1 localhost
>>
>> /etc/krb5.conf
>> [libdefaults]
>> default_realm = WINDOWS.CORP.XXX.COM
>>
>> /etc/samba/smb.conf
>> [global]
>> netbios name=freeradius
>> security=ADS
>> workgroup=WINDOWS
>> realm=WINDOWS.CORP.XXX.COM
>>
>> log file=/var/log/samba/%m.log
>> log level=1
>>
>> dedicated keytab file=/etc/krb5.keytab
>> kerberos method=secrets and keytab
>> winbind refresh tickets=yes
>>
>> winbind trusted domains only=no
>> winbind use default domain=yes
>> winbind enum users=yes
>> winbind enum groups=yes
>>
>> load printers=no
>> template shell=/bin/false
>>
>> idmap config WINDOWS:backend=rid
>> idmap config WINDOWS:range=10000-99999
>
> You still need a bit more in your smb.conf:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> You need these lines to get the builtin users & groups mapped.
>
> I think your problem is DNS related, you should be able to ping a DC via
> ipaddress & hostname
>
> ping -c1 192.168.127.131
> ping -c1 whiskey.windows.corp.XXX.com
> ping -c1 whiskey
> ping -c1 192.168.112.4
> ping -c1 wine.windows.corp.XXX.com
> ping -c1 wine
>
> The above commands should all return a reply.
>
> Does your dhcp server deliver the required info?
>
> Does 'hostname -d' return the fully qualified domain name of the client?
>
> Is there a firewall running on the client? if so, try turning it off.
>
> If you follow the Samba wiki, I can assure you that it does work:
>
> rowland at debnet:~/Downloads$ sudo net rpc info -Uadministrator
> [sudo] password for rowland:
> Enter administrator's password:
> Domain Name: SAMDOM
> Domain SID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
> Sequence number: 1
> Num users: XXXXX
> Num domain groups: XXXX
> Num local groups: XXXX
>
> If you are having any problems understanding or following the wiki, please
> tell us, otherwise we will just assume everybody understands it :-)
>
> Rowland
Jonathan S. Fisher
2015-Dec-01 16:02 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
Well I got one step farther...

hostname -d and hostname -f now work correctly if I add this line to /etc/hosts

/etc/hosts
127.0.0.1 localhost
127.0.1.1 freeradius.windows.corp.springventuregroup.com freeradius

But same error on the rpc command. It's still asking DNS for "_ldap._tcp.pdc._msdcs.WINDOWS" not "_ldap._tcp.pdc._msdcs.WINDOWS.CORP.XXX.COM"

Can you do a tcpdump on yours and see what the desired behavior is? I used this command: "sudo tcpdump -vvv -s 0 -l -n port 53 -w dns.pcap". Start the dump, then run "sudo net rpc info -Uadministrator"
Rowland Penny
2015-Dec-01 16:10 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
On 01/12/15 15:47, Jonathan S. Fisher wrote:
> Great things to investigate... thank you.
>
> Ok, so everything is pingable. I've checked to make sure I can send
> TCP and UDP traffic between the hosts with netcat.
>
> > Does your dhcp server deliver the required info?
> For DNS? Yes, it tells the client to use 192.168.127.129. I'd be in a
> world of hurt otherwise!
>
> > Does 'hostname -d' return the fully qualified domain name of the client?
> No, it doesn't return anything actually! Maybe this is why it keeps
> trying to ask for SRV records in WINDOWS instead of
> WINDOWS.CORP.XXX.COM

Then your dhcp server isn't sending all the required info, or your dhcpclient isn't using all it gets :-)

My dhcp server sends:

subnet-mask
broadcast-address
time-offset
routers
domain-name
domain-name-servers
netbios-name-servers
ntp-servers

Rowland
mathias dufresne
2015-Dec-01 16:15 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
Could you please extract there the content of the following files on host named freeradius please:

/etc/resolv.conf
/etc/krb5.conf
/etc/samba/smb.conf
Rowland Penny
2015-Dec-01 16:27 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
On 01/12/15 16:02, Jonathan S. Fisher wrote:
> Well I got one step farther...
>
> hostname -d and hostname -f now work correctly if I add this line to
> /etc/hosts
>
> /etc/hosts
> 127.0.0.1 localhost
> 127.0.1.1 freeradius.windows.corp.springventuregroup.com freeradius
>
> But same error on the rpc command. It's still asking DNS for
> "_ldap._tcp.pdc._msdcs.WINDOWS" not
> "_ldap._tcp.pdc._msdcs.WINDOWS.CORP.XXX.COM"
>
> Can you do a tcpdump on yours and see what the desired behavior is? I
> used this command: "sudo tcpdump -vvv -s 0 -l -n port 53 -w dns.pcap".
> Start the dump, then run "sudo net rpc info -Uadministrator"

If you are using 127.0.1.1 in etc/hosts on Ubuntu, then you are using dnsmasq. If you are using dnsmasq, then it is unlikely your dns setup will find the DC.

Just a thought, is there a DNS server running on the AD DC? There should be and your client should be using this as its DNS server, AD lives and dies on DNS. There shouldn't be a dns server running on your domain member, it should be using the AD dns server.

Rowland
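The checks raised across this thread (the realm-based SRV name, what `hostname -d` derives from /etc/hosts, and which DNS server the member queries) can be run offline against the config files. This is an added example, not part of any poster's message: the function names are hypothetical, the sample files are constructed, and it assumes the member's DNS domain is meant to match the realm.

```shell
#!/bin/sh
# Added example: offline pre-flight checks for an AD member's name resolution.
# All function names are hypothetical; file paths are arguments so the checks
# can run against copies of smb.conf, resolv.conf and hosts.

# Realm from smb.conf ("realm=..." or "realm = ..."), upper-cased.
smb_realm() {
    awk -F= 'tolower($1) ~ /^[ \t]*realm[ \t]*$/ {
        gsub(/[ \t\r]/, "", $2); print toupper($2); exit }' "$1"
}

# SRV record the PDC lookup should ask for, built from the realm rather
# than the short workgroup name.
pdc_srv_name() {
    printf '_ldap._tcp.pdc._msdcs.%s\n' "$(smb_realm "$1")"
}

# Loopback nameservers in resolv.conf (a local dnsmasq or stub resolver).
loopback_resolvers() {
    awk '$1 == "nameserver" && ($2 ~ /^127\./ || $2 == "::1") { print $2 }' "$1"
}

# DNS domain that "hostname -d" derives from a hosts file: the canonical
# (first) name on the first line naming the host, minus its first label.
hosts_dns_domain() {    # $1 = hosts file, $2 = short hostname
    awk -v h="$2" '{ sub(/#.*/, "")
        for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) {
            n = index($2, "."); if (n) print toupper(substr($2, n + 1)); exit } }' "$1"
}

# Run all checks; prints findings, returns the number of problems found.
check_member_dns() {    # $1 smb.conf  $2 resolv.conf  $3 hosts  $4 hostname
    problems=0
    realm=$(smb_realm "$1")
    domain=$(hosts_dns_domain "$3" "$4")
    if [ -z "$realm" ]; then
        echo "FAIL: no realm set in $1"; problems=$((problems + 1))
    fi
    if [ "$domain" != "$realm" ]; then
        echo "WARN: DNS domain '$domain' differs from realm '$realm'"
        problems=$((problems + 1))
    fi
    for ns in $(loopback_resolvers "$2"); do
        echo "WARN: resolver $ns is local; point the member at the AD DNS server"
        problems=$((problems + 1))
    done
    echo "INFO: expected SRV query: $(pdc_srv_name "$1")"
    return "$problems"
}

# Constructed sample files modelled on the configuration quoted in the thread.
demo=$(mktemp -d)
printf '[global]\nworkgroup=WINDOWS\nrealm=WINDOWS.CORP.XXX.COM\n' > "$demo/smb.conf"
printf 'nameserver 127.0.1.1\n' > "$demo/resolv.conf"
printf '127.0.0.1 localhost\n' > "$demo/hosts"
check_member_dns "$demo/smb.conf" "$demo/resolv.conf" "$demo/hosts" freeradius || true
```

On a live member, pass /etc/samba/smb.conf, /etc/resolv.conf, /etc/hosts and the output of `hostname -s` as the four arguments.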