First of all, thanks to you all for bearing with me. To answer the questions:
- Subnets: yes, different subnets, routing is fine, can connect to Windows DC
via telnet (DNS), OpenSSL on 389 and 636
- Naming: I could not find any object in the existing AD with the same name of
the Samba DC that I want to add
- Join existing: I try to join an existing Windows AD, not Samba AD
I wiped the installation (again) and here are the exact steps I did to set
everything up.
1. Install from Debian 10 netinstall ISO with only SSH-server and system utils
2. apt update && apt install curl ntp sudo vim dnsutils open-vm-tools
3. add buster-backports
4. apt update && apt -t buster-backports install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user smbclient
5. find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private \( -name '*.tdb' -o -name '*.ldb' \) -delete
   (the two -name tests must be OR'ed; written one after the other they are AND'ed and match nothing)
6. rm /etc/samba/smb.conf
7. samba-tool domain provision --use-rfc2307 --interactive (with internal dns)
8. cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
9. unmask samba-ad-dc service
10. reboot
11. loads of DNS errors in the log like
[2019/08/16 15:02:45.925528,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
[2019/08/16 15:02:45.925557,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:     return self.run(*args, **kwargs)
[2019/08/16 15:02:45.925575,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
[2019/08/16 15:02:45.925594,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:     raise e
[2019/08/16 15:02:45.958441,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
[2019/08/16 15:02:45.958512,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
[2019/08/16 15:02:45.958531,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:     return self.run(*args, **kwargs)
[2019/08/16 15:02:45.958548,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
[2019/08/16 15:02:45.958567,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:     raise e
[2019/08/16 15:02:45.987725,  0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
  ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 29
[2019/08/16 15:02:46.489326,  0] ../source4/lib/tls/tlscert.c:170(tls_cert_generate)
  TLS self-signed keys generated OK
12. changed /etc/resolv.conf to point to itself, restarted samba-ad-dc -> log
fine
13. output of your debug script
Collected config --- 2019-08-16-15:07 -----------
Hostname: ka-h9-dc01
DNS Domain: samdom.example.com
FQDN: ka-h9-dc01.samdom.example.com
ipaddress: 10.0.1.250
-----------
Kerberos SRV _kerberos._tcp.samdom.example.com record verified ok, sample
output:
Server: 10.0.1.250
Address: 10.0.1.250#53
_kerberos._tcp.samdom.example.com service = 0 100 88
ka-h9-dc01.samdom.example.com.
Samba is running as an AD DC
-----------
       Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.0 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:35:9c:84 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.250/24 brd 10.0.1.255 scope global ens192
    inet6 fe80::20c:29ff:fe35:9c84/64 scope link
-----------
       Checking file: /etc/hosts
127.0.0.1 localhost
10.0.1.250 ka-h9-dc01.samdom.example.com ka-h9-dc01
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
       Checking file: /etc/resolv.conf
search samdom.example.com
nameserver 10.0.1.250
-----------
       Checking file: /etc/krb5.conf
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
       Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         files systemd
group:          files systemd
shadow:         files
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
-----------
       Checking file: /etc/samba/smb.conf
# Global parameters
[global]
dns forwarder = 10.0.1.100
netbios name = KA-H9-DC01
realm = SAMDOM.EXAMPLE.COM
server role = active directory domain controller
workgroup = COMPANYNAME
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/samdom.example.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:
ii  attr                      1:2.4.48-4       amd64  utilities for manipulating filesystem extended attributes
ii  krb5-config               2.6              all    Configuration files for Kerberos Version 5
ii  krb5-locales              1.17-3           all    internationalization support for MIT Kerberos
ii  krb5-user                 1.17-3           amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64             2.2.53-4         amd64  access control list - shared library
ii  libattr1:amd64            1:2.4.48-4       amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64    1.17-3           amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64           1.17-3           amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64     1.17-3           amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64      2:4.9.5+dfsg-5   amd64  Samba nameservice integration plugins
ii  libpam-krb5:amd64         4.8-2            amd64  PAM module for MIT Kerberos
ii  libpam-winbind:amd64      2:4.9.5+dfsg-5   amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64        2:4.9.5+dfsg-5   amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64        2:4.9.5+dfsg-5   amd64  Samba winbind client library
ii  python-samba              2:4.9.5+dfsg-5   amd64  Python bindings for Samba
ii  samba                     2:4.9.5+dfsg-5   amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common              2:4.9.5+dfsg-5   all    common files used by both the Samba server and client
ii  samba-common-bin          2:4.9.5+dfsg-5   amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64  2:4.9.5+dfsg-5   amd64  Samba Directory Services Database
ii  samba-libs:amd64          2:4.9.5+dfsg-5   amd64  Samba core libraries
ii  samba-vfs-modules:amd64   2:4.9.5+dfsg-5   amd64  Samba Virtual FileSystem plugins
ii  smbclient                 2:4.9.5+dfsg-5   amd64  command-line SMB/CIFS clients for Unix
ii  winbind                   2:4.9.5+dfsg-5   amd64  service to resolve user and group information from Windows NT servers
-----------
14. samba-tool fsmo show -H ldap://$(hostname -d)
SchemaMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=KA-H9-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
15. samba-tool fsmo show -H ldap://10.88.80.88 -U dcadmin
SchemaMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=VMDC-AZURE-01,CN=Servers,CN=Azure,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
16. Notice I don't have "Administrator" as user in my Windows
domain if that is an issue
So far everything looks fine to me, should I now point resolv.conf to Windows DC
and attempt the join again?
On 16. August 2019 at 14:34:55, Rowland penny via samba (samba at
lists.samba.org) wrote:
On 16/08/2019 12:52, Rowland penny via samba wrote:
> On 16/08/2019 12:05, L.P.H. van Belle via samba wrote:
>> It's windows that is not allowing samba to join.
>>
>> This should make thing more clear in my opinion.
>>
>> samba-tool fsmo show -H ldap://$(hostname -d)
>> And
>> samba-tool fsmo show -H ldap://10.88.80.88 -U Administrator
>>
>> These both work agains my Samba AD-DC's (ldap://$(hostname -d))
>> And my windows DC -H ldap://10.88.80.88 -U "NTDOM\Administrator"
>>
>>
> It may be windows that is not allowing the join, but he is going
> nowhere until 'kinit Administrator' works ;-)
>
> Rowland
>
>
>
Andrew may have a point here, we have only been supplied with the 'join'
command and a portion of the resulting join output and anything after
'join failed' is an artefact of the failure and is meaningless. We need
to see everything between the 'join' command and 'join failed'.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
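The thread is working towards a "samba-tool domain join ... DC" against the existing Windows domain, and the replies keep coming back to the same prerequisites: the resolver must point at an existing DC, "kinit" against the Windows KDC must work, and "samba-tool fsmo show -H ldap://10.88.80.88 -U dcadmin" must answer. The script below is an added example, not code posted by anyone in this thread, that runs those checks in order before the join. The DC address 10.88.80.88, the account dcadmin and the realm are taken from the messages above; the "ntpdate -q" output format it parses and the 300 second skew limit are assumptions of mine (300 s is the usual Kerberos default, the format is what ntpdate prints on Debian). The three parsing helpers are pure shell so they can be exercised without a network; the "preflight" function is the live part.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight checks before joining this
# host to an existing Windows AD as a DC. Values below are assumptions taken
# from the thread; adjust them to your environment.
REALM="SAMDOM.EXAMPLE.COM"
DNS_DOMAIN="samdom.example.com"
WIN_DC="10.88.80.88"       # an existing Windows DC
JOIN_USER="dcadmin"        # account allowed to add a DC (thread has no "Administrator")
MAX_SKEW=300               # seconds; assumed Kerberos clock-skew tolerance

# srv_targets: take "dig +short SRV" output ($1), one record per line in the
# form "priority weight port target.", and print each target host without the
# trailing dot. No output means the queried zone advertises no DCs.
srv_targets() {
    printf '%s\n' "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# resolver_ok: the first "nameserver" line in resolv.conf content ($1) must be
# an existing DC ($2). If the resolver points at the new host itself, SRV and
# KDC lookups never reach the domain you are trying to join.
resolver_ok() {
    first=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')
    [ "$first" = "$2" ]
}

# offset_ok: take "ntpdate -q" output ($1), pull the number after the word
# "offset" (assumed line: "server X, stratum N, offset -1.5, delay 0.03") and
# require |offset| <= MAX_SKEW; beyond that the KDC rejects the AS request.
offset_ok() {
    off=$(printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++)
              if ($i == "offset") { v = $(i + 1); sub(/,$/, "", v); print v; exit } }')
    [ -n "$off" ] || return 1
    awk -v o="$off" -v max="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit !(o <= max) }'
}

# preflight: the live sequence; needs network access to $WIN_DC on 53/88/389.
# Run as:  sh preflight.sh preflight
preflight() {
    echo "== DCs advertised for $DNS_DOMAIN, answered by $WIN_DC"
    srv=$(dig +short SRV "_ldap._tcp.dc._msdcs.$DNS_DOMAIN" "@$WIN_DC")
    [ -n "$srv" ] || { echo "no SRV records: wrong domain name or DNS blocked"; return 1; }
    srv_targets "$srv"

    echo "== /etc/resolv.conf must point at an existing DC, not at this host"
    resolver_ok "$(cat /etc/resolv.conf)" "$WIN_DC" || { echo "fix /etc/resolv.conf first"; return 1; }

    echo "== clock offset against the Windows DC"
    offset_ok "$(ntpdate -q "$WIN_DC")" || { echo "clock skew too large for Kerberos"; return 1; }

    echo "== a TGT from the Windows KDC proves account, password and realm are right"
    kinit "$JOIN_USER@$REALM" || return 1
    klist

    echo "== FSMO owners as seen on the Windows DC (same command as in the thread)"
    samba-tool fsmo show -H "ldap://$WIN_DC" -U "$JOIN_USER" || return 1

    echo "All checks passed. Next step, not run by this script:"
    echo "  samba-tool domain join $DNS_DOMAIN DC -U $JOIN_USER --dns-backend=SAMBA_INTERNAL"
}

if [ "${1:-}" = "preflight" ]; then preflight; fi
```

Every check stops the script at the first failure, so the last line printed names the prerequisite that is missing instead of leaving you to read a join failure backwards. The SRV query is sent to the Windows DC explicitly so it answers from the existing zone regardless of what the local resolver currently points at; the resolv.conf check then catches the case where the local configuration would still send the join's own lookups elsewhere.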