Ian O'Neill
2019-Apr-12 23:30 UTC
[Samba] Joining Ubuntu Server to Domain - "kinit succeeded but ads_sasl_spnego_gensec_bind failed"
I'm currently attempting to join an Ubuntu server to an AD domain, eventually with the intention of allowing Windows-based domain members to access a Samba share using their AD credentials (as specified in the Wiki article "Setting Up Samba as a Domain Member"). The DC is running on Windows (not Samba) and has DHCP/DNS running on a separate Linux server (using BIND). The DC (dc0/dc0.corp.company.internal) has authority within the "CORP" zone, which is also being used as the name of the domain itself.

Kerberos kinit/klist appear to work fine:

<-----------------------
root@samba:~# kinit
Password for administrator@CORP.COMPANY.INTERNAL:
root@samba:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@CORP.COMPANY.INTERNAL

Valid starting       Expires              Service principal
04/11/2019 00:10:39  04/11/2019 00:20:33  krbtgt/CORP.COMPANY.INTERNAL@CORP.COMPANY.INTERNAL
----------------------->

DNS appears to be working properly as well.

My assumption as to why is that the issue is with smb.conf, as I was able to join before. I didn't realize this at the time as there were still some less significant errors, so I continued to change the smb.conf file to get it to "work." Unfortunately, I do not have/did not save the configuration which actually worked. I'm trying to get it back to that stage, but am not sure what's actually wrong in order to diagnose it. Everything in the Wiki guide seems to work until "Configuring Samba" and the steps that follow.

There are several sets of errors I believe to be most important, first from "net ads join":

<-----------------------
root@samba:/etc/samba# net ads join -U administrator
Enter administrator's password:
gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Message stream modified](______)
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dc0 with user[administrator] realm[CORP.COMPANY.INTERNAL]: The attempted logon is invalid. This is either due to a bad username or authentication information.
Failed to join domain: failed to connect to AD: The attempted logon is invalid. This is either due to a bad username or authentication information.
----------------------->

Second, I get an error when I attempt to start Winbind when the line "security = ads" is in the smb.conf file:

<-----------------------
systemd[1]: Starting Samba Winbind Daemon...
winbindd[22323]: [0] ../source3/winbindd/winbindd_cache.c:3170(initialize_winbindd_cache)
winbindd[22323]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
winbindd[22323]: [0] ../source3/winbindd/winbindd_util.c:891(init_domain_list)
winbindd[22323]:   Could not fetch our SID - did we join?
winbindd[22323]: [0] ../source3/winbindd/winbindd.c:1366(winbindd_register_handlers)
winbindd[22323]:   unable to initialize domain list
systemd[1]: winbind.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: winbind.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Samba Winbind Daemon.
----------------------->

Additionally, when I try doing "net ads join -k -S" without winbind running I get the following results:

<-----------------------
root@samba:~# net ads join -k -S 192.168.1.230
Kerberos auth with 'root@CORP.COMPANY.INTERNAL' (CORP.COMPANY.INTERNAL\root) to access '192.168.1.230' not possible
Failed to join domain: failed to lookup DC info for domain 'CORP.COMPANY.INTERNAL' over rpc: {Access Denied} A process has requested access to an object but has not been granted those access rights
----------------------->

Here is my current smb.conf file:

<-----------------------
[global]
    workgroup = CORP
    password server = dc0.corp.company.internal
    realm = CORP.COMPANY.INTERNAL
    security = ads

    idmap config * : range = 16777216-33554431
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false

    dns proxy = No
    log file = /var/log/samba/log.%m
    map to guest = Bad User
    max log size = 1000
    obey pam restrictions = Yes
    pam password change = Yes
    panic action = /usr/share/samba/panic-action %d
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    passwd program = /usr/bin/passwd %u
    server role = standalone server
    server string = %h server (Samba, Ubuntu)
    syslog = 0
    unix password sync = Yes
    usershare allow guests = Yes
    idmap config * : backend = tdb
----------------------->

I am currently assuming (due to prior success) that the problem is not with the DNS/DC configuration but rather with the client/member configuration, most likely smb.conf and potentially krb5.conf.

I'm not sure if it's an issue with Ubuntu 18.04 and Winbind/Samba versions, something about which Winbind backend I use (ad/rid/autorid), or if it would be a better idea to use SSSD or something instead of Winbind. I might be following the steps in the Samba wiki guide incorrectly, but I've attempted them multiple times and unfortunately I haven't been able to figure out exactly what I'm doing wrong.

Thanks in advance and apologies for the long message!
Rowland Penny
2019-Apr-13 08:23 UTC
[Samba] Joining Ubuntu Server to Domain - "kinit succeeded but ads_sasl_spnego_gensec_bind failed"
On Fri, 12 Apr 2019 16:30:00 -0700
Ian O'Neill via samba <samba@lists.samba.org> wrote:

> <-----------------------
> [global]
> workgroup = CORP
> password server = dc0.corp.company.internal
> realm = CORP.COMPANY.INTERNAL
> security = ads
>
> idmap config * : range = 16777216-33554431
> template homedir = /home/%U
> template shell = /bin/bash
> winbind use default domain = true
> winbind offline logon = false
>
> dns proxy = No
> log file = /var/log/samba/log.%m
> map to guest = Bad User
> max log size = 1000
> obey pam restrictions = Yes
> pam password change = Yes
> panic action = /usr/share/samba/panic-action %d
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> passwd program = /usr/bin/passwd %u
> server role = standalone server
> server string = %h server (Samba, Ubuntu)
> syslog = 0
> unix password sync = Yes
> usershare allow guests = Yes
> idmap config * : backend = tdb
> ----------------------->
>
> I am currently assuming (due to prior success) that the problem is
> not with the DNS/DC configuration but rather with the client/member
> configuration, most likely smb.conf and potentially krb5.conf.
>
> I'm not sure if it's an issue with Ubuntu 18.04 and Winbind/Samba
> versions, something about which Winbind backend I use
> (ad/rid/autorid) or if it would be a better idea to use SSSD or
> something instead of Winbind. I might be following the steps in the
> Samba wiki guide incorrectly, but I've attempted them multiple times
> and unfortunately I haven't been able to figure out exactly what I'm
> doing wrong.

No, it wouldn't be better to use sssd, it would be better to set up your smb.conf correctly ;-)

Reread this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

And one of these:

https://wiki.samba.org/index.php/Idmap_config_ad
https://wiki.samba.org/index.php/Idmap_config_rid

As a hint, you cannot have:

security = ads

AND

server role = standalone server

They are totally different things.

You also need more than this:

idmap config * : backend = tdb
idmap config * : range = 16777216-33554431

You need lines for the 'CORP' domain

Rowland
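As an added example (not code from the original thread or from the Samba project), the POSIX shell script below turns the two points in the reply above into a mechanical check: it flags "security = ads" combined with a non-member "server role", flags a missing "idmap config CORP : backend/range" pair, and additionally checks that the '*' range and the CORP range do not overlap, which the linked idmap wiki pages require. It runs the check against a constructed copy of the relevant lines from the posted [global] section and against a corrected section. The domain name CORP and the realm come from the thread; the rid backend and the ranges 3000-7999 and 10000-999999 are assumptions taken from the wiki's domain-member example, and the helper names norm_conf, conf_get and check_smb_conf are invented here.

```shell
#!/bin/sh
# Added example: a consistency check for a Samba domain-member smb.conf.
# Not code from the original thread or from the Samba project.

BROKEN_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
trap 'rm -f "$BROKEN_CONF" "$FIXED_CONF"' EXIT

# Constructed input: the lines from the posted [global] section that matter here.
cat > "$BROKEN_CONF" <<'EOF'
[global]
workgroup = CORP
password server = dc0.corp.company.internal
realm = CORP.COMPANY.INTERNAL
security = ads
idmap config * : range = 16777216-33554431
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
server role = standalone server
idmap config * : backend = tdb
EOF

# Corrected section (assumed values follow the wiki example): security = ads
# already implies the member-server role, so "server role" is left unset, and
# the CORP domain gets its own backend and a range disjoint from the '*' range.
cat > "$FIXED_CONF" <<'EOF'
[global]
   security = ads
   workgroup = CORP
   realm = CORP.COMPANY.INTERNAL
   log file = /var/log/samba/%m.log
   log level = 1
   # '*' domain: local BUILTIN accounts, needs a read-write backend (tdb)
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # the AD domain itself: ids derived from each object's RID
   idmap config CORP : backend = rid
   idmap config CORP : range = 10000-999999
   template shell = /bin/bash
   template homedir = /home/%U
   winbind use default domain = yes
EOF

# Normalise lines the way Samba reads them: drop comments, lower-case names,
# strip whitespace around '=' and the ':' inside "idmap config DOM : param".
norm_conf() {
    sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' -e 's/[[:space:]]*:[[:space:]]*/:/' "$1" \
        | tr '[:upper:]' '[:lower:]' | grep -v '^$'
}

# conf_get NAME NORMALISED_TEXT -> last value of NAME (later lines win), or empty.
conf_get() {
    printf '%s\n' "$2" | awk -F= -v k="$1" \
        '$1 == k { v = substr($0, length(k) + 2) } END { print v }'
}

# check_smb_conf FILE -> one line per problem on stdout; returns 1 if any found.
check_smb_conf() {
    conf=$(norm_conf "$1")
    rc=0
    security=$(conf_get "security" "$conf")
    role=$(conf_get "server role" "$conf")
    wg=$(conf_get "workgroup" "$conf")

    if [ "$security" = "ads" ] && [ -n "$role" ] && [ "$role" != "member server" ]; then
        echo "conflict: security = ads cannot be combined with server role = $role"
        rc=1
    fi
    if [ "$security" = "ads" ] && [ -n "$wg" ]; then
        for p in backend range; do
            if [ -z "$(conf_get "idmap config $wg:$p" "$conf")" ]; then
                echo "missing: idmap config $wg : $p"
                rc=1
            fi
        done
        star=$(conf_get "idmap config *:range" "$conf")
        dom=$(conf_get "idmap config $wg:range" "$conf")
        if [ -n "$star" ] && [ -n "$dom" ]; then
            # ranges are LOW-HIGH; they overlap unless one ends before the other starts
            if [ "${star%-*}" -le "${dom#*-}" ] && [ "${dom%-*}" -le "${star#*-}" ]; then
                echo "overlap: '*' range $star overlaps $wg range $dom"
                rc=1
            fi
        fi
    fi
    return $rc
}

for f in "$BROKEN_CONF" "$FIXED_CONF"; do
    echo "== $f =="
    if check_smb_conf "$f"; then
        echo "ok: consistent domain-member [global] section"
    fi
done
```

Run it with `sh check_smb_conf.sh`; the first report lists the role conflict and the two missing CORP idmap lines, the second reports nothing. On a host with Samba installed, `testparm -s` remains the authoritative parser; this script only mirrors the points made in the reply so they can be caught before attempting another `net ads join`.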