Hi,

We are having an issue, trying to install a domain member server. I'm following the samba wiki:

- samba 4.6.1
- krb5.conf as recommended on wiki
- time synced
- kinit works
- dns works (DCs in resolv.conf)
- setup a basic smb.conf (pasted at the end of this email)
- edit nsswitch.conf to include winbind for passwd/group

and then finally "net ads join -U administrator -d5" fails with:

> ...
> ...(snipped)
> ...
> Host account for PROCESSING does not have service principal names.
> Retrieving the servicePrincipalNames failed.
> getaddrinfo: No address associated with hostname
> ads_domain_func_level: 2
> ads_domain_func_level: 2
> kerberos_secrets_store_des_salt: Storing salt "host/processing.SAMBA.COMPANY.COM@SAMBA.COMPANY.COM"
> check lock order 1 for /var/lib/samba/private/secrets.tdb
> release lock order 1 for /var/lib/samba/private/secrets.tdb
> smb_krb5_kt_open failed (Key table name malformed)
> ads_keytab_add_entry failed while adding 'HOST/PROCESSING' principal.
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'WRKGRP'
>             dns_domain_name          : 'SAMBA.COMPANY.COM'
>             forest_name              : 'SAMBA.COMPANY.COM'
>             dn                       : 'CN=PROCESSING,CN=Computers,DC=samba,DC=company,DC=com'
>             domain_sid               : *
>                 domain_sid           : S-1-5-21-92843450-981953634-869174549
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to create kerberos keytab'
>             domain_is_ad             : 0x01 (1)
>             set_encryption_types     : 0x00000000 (0)
>             result                   : WERR_GEN_FAILURE
> Failed to join domain: failed to create kerberos keytab
> return code = -1

The file /etc/krb5.keytab is NOT created. (I thought it should be created automatically on AD join)

When I ignore that and simply start winbind, the effect is that "wbinfo -u", "wbinfo -g", "id username" all work.
However: "getent passwd" does NOT work correctly:

> user1:*:22185:513::/home/WRKGRP/user1:/bin/false
> user2:*:29969:513::/home/WRKGRP/user2:/bin/false

The uid/gid IS taken from AD, but homedirectory and shell are NOT the ones defined in AD. (making it look like the old samba 4.1 situation, where winbind took uid/gid from AD, but shell / homedirectory were from a template)

I will paste the smb.conf below. For the rest: our AD appears to be working correctly...

The smb.conf of the domain member server:

> root@processing:/etc/samba# cat smb.conf
> [global]
>
> netbios name = processing
> workgroup = WRKGRP
> security = ADS
> realm = SAMBA.COMPANY.COM
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 1000000-1000999
> idmap config WRKGRP:backend = ad
> idmap config WRKGRP:schema_mode = rfc2307
> idmap config WRKGRP:range = 500-999999
>
> winbind nss info = rfc2307

I have NO idea where to look... Suggestions?
Hi all,

On 04/04/2017 04:55 PM, lists via samba wrote:
>
> However: "getent passwd" does NOT work correctly:
>
>> user1:*:22185:513::/home/WRKGRP/user1:/bin/false
>> user2:*:29969:513::/home/WRKGRP/user2:/bin/false
>
> The uid/gid IS taken from AD, but homedirectory and shell are NOT the
> ones defined in AD. (making it look like the old samba 4.1 situation,
> where winbind took uid/gid from AD, but shell / homedirectory were from
> a template)

Reading the release notes for samba 4.6 on the member server, I have solved the "getent passwd" issue.

It seems we need to specify in smb.conf:

idmap config WRKGRP:unix_nss_info = yes

And yes, after adding this, the home directory and shell are correctly imported from AD.

However, the rest of the question remains: why does the domain join not generate a krb5.keytab? The computer account IS created/visible in AD, just the keytab is not generated.

And (probably as a result of that?) I cannot logon (ssh or console) as an AD domain user:

> Apr 4 19:57:01 processing sshd[1159]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=54f.fth.concepts.com user=username
> Apr 4 19:57:01 processing sshd[1159]: pam_winbind(sshd:auth): getting password (0x00000388)
> Apr 4 19:57:01 processing sshd[1159]: pam_winbind(sshd:auth): pam_get_item returned a password
> Apr 4 19:57:02 processing sshd[1159]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: The transport connection is now disconnected.
> Apr 4 19:57:02 processing sshd[1159]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'username')
> Apr 4 19:57:04 processing sshd[1159]: Failed password for username from 84.3.2.25 port 36396 ssh2
> Apr 4 19:57:17 processing sshd[1159]: Connection closed by 84.3.2.25 [preauth]

Any suggestions?
Yes, post the complete smb.conf, and what OS you're running. Then we can have a better look at what's going on.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj via samba
> Sent: Tuesday 4 April 2017 20:17
> To: samba at lists.samba.org
> Subject: Re: [Samba] Key table name malformed
>
> ...(snipped)
Hi Louis,

On 04/05/2017 07:51 AM, L.P.H. van Belle via samba wrote:
> Yes, post the complete smb.conf, and what OS you're running.
> Then we can have a better look at what's going on.
>
> Greetz,
>
> Louis

Here is the smb.conf for the debian 8.7 domain member server running samba 4.6.1:

> root@processing:~# cd /etc/samba/
> root@processing:/etc/samba# cat smb.conf
> [global]
>
> netbios name = processing
> workgroup = WKRGRP
> security = ADS
> realm = SAMBA.COMPANY.COM
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 1000000-1000999
> idmap config INTECH:backend = ad
> idmap config INTECH:schema_mode = rfc2307
> idmap config INTECH:range = 500-999999
> idmap config INTECH:unix_nss_info = yes
>
> winbind nss info = rfc2307
>
> log level = 3

Here is smb.conf for the DC2, running samba 4.5.6 on debian 7.11:

> root@DC2:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> workgroup = WKRGRP
> realm = samba.company.com
> netbios name = DC2
> server role = active directory domain controller
> dns forwarder = 192.65.132.5
> allow dns updates = nonsecure
>
> server signing = mandatory
> ntlm auth = yes
> ldap server require strong auth = no
> printing = bsd
> log level = 3
> idmap_ldb:use rfc2307 = yes
>
>
> [netlogon]
> path = /var/lib/samba/sysvol/samba.company.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> acl_xattr:ignore system acls = yes

This domain seems to be mostly running fine for some years, ever since samba 4.1.16 or so.

I realise that my realm on the DC is written in lower case. However testparm shows it uppercase, and everything has always been running well, that's why I was afraid to change it to capitals. It's lower case ONLY in the smb.conf on the three DCs. Everywhere else in caps.

Ideas?
Hi Mourik-Jan,

This all looks good. Only one thing in the config, you can remove:

winbind nss info = rfc2307

since you already set (for 4.6.x):

idmap config INTECH:unix_nss_info = yes

Can you check the content of the keytab?

klist -ke /etc/krb5.keytab

Post (if needed anonymized) the content you see.

Run:

net ads keytab list -UAdministrator

And did you by accident run "net ads join" multiple times on this server?

About the realm in caps or not, to my belief that's no problem in samba. But to be sure, I would recommend everything in caps.

Looks to me there is something with net ads keytab going on. I'll go test a bit more here also.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj via samba
> Sent: Wednesday 5 April 2017 8:30
> To: samba at lists.samba.org
> Subject: Re: [Samba] Key table name malformed
>
> ...(snipped)
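As an added example (not code from the thread or from Samba), here is a small POSIX shell check for the keytab step Louis asks about: it takes "klist -ke" output on stdin and reports whether the host principals a "net ads join" writes are present for the realm, refusing early when the file was never created (the symptom in the thread). The host name "processing", the realm SAMBA.COMPANY.COM and the path /etc/krb5.keytab are the thread's values; the enctype names follow MIT klist output.

```shell
#!/bin/sh
# Added example, not part of the thread. Parses "klist -ke" output
# (read from stdin) and checks for the short and FQDN host principals.

check_keytab_principals() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')  # e.g. processing
    realm=$2                                               # e.g. SAMBA.COMPANY.COM
    awk -v host="$host" -v realm="$realm" '
        # Principal rows look like: "   2 host/x@REALM (aes256-cts-hmac-sha1-96)"
        /^ *[0-9]+ +[^ ]+@[^ ]+ +\(/ {
            split($2, p, "@")
            if (p[2] != realm) next
            name = tolower(p[1])
            etype = $3; sub(/^\(/, "", etype); sub(/\)$/, "", etype)
            if (name == "host/" host)           short_ok = 1
            if (name ~ ("^host/" host "\\."))   fqdn_ok = 1
            if (etype ~ /^des-/)                 des_seen = 1
            n++
        }
        END {
            rc = 0
            if (n == 0)    { print "no entries for realm " realm " in keytab"; exit 2 }
            if (!short_ok) { print "missing host/" host "@" realm; rc = 1 }
            if (!fqdn_ok)  { print "missing host/" host ".<fqdn>@" realm; rc = 1 }
            if (des_seen)  { print "warning: single-DES keys present"; rc = 1 }
            if (rc == 0)   print "keytab OK: " n " entries for " realm
            exit rc
        }'
}

# Live-system wrapper: fail before calling klist when the join never
# wrote the file, otherwise list it and hand the output to the parser.
check_member_keytab() {
    keytab=${1:-/etc/krb5.keytab}
    if [ ! -r "$keytab" ]; then
        echo "keytab $keytab is missing or unreadable: the join did not create it"
        return 2
    fi
    klist -ke "$keytab" | check_keytab_principals "$2" "$3"
}

# Typical use on the member server from the thread:
#   check_member_keytab /etc/krb5.keytab processing SAMBA.COMPANY.COM
```

A non-zero exit (1 for missing principals or DES keys, 2 for no usable keytab) is what you would expect on the failed join described above, where /etc/krb5.keytab was never written.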