In addition to Rowland's comment.
What I don't get here.
You're running Debian Bullseye (I hope not in production).
You didn't update it (samba 4.9.13 is set, and not the current one for bullseye, samba 4.11.1-2).
Bullseye = testing, and believe me, testing has more problems than unstable.
So I would start with running:
apt-get dist-upgrade
Then your configs; these don't look bad, but you need to make some adjustments.
/etc/hosts
127.0.0.1 localhost
192.168.xx.233 clientblues2.sambadom.calais.fr clientblues2
Remove: 192.168.xx.230 blueyestest.sambadom.calais.fr blueyestest
Not needed.
In /etc/resolv.conf
Remove the IPs to the internet (or disable them for now); the AD-DC DNS
should forward it.
And your primary search domain is not set.
Add: search your.domain.tld
Now, you're using NetworkManager; in its config, add:
dns-search=sambadom.calais.fr;
Reboot and try again.
Personally, I would remove NetworkManager and set up with systemd.
If that's also an option for you, then I suggest:
wget https://raw.githubusercontent.com/thctlo/debian-scripts/master/setup-systemd-networkd.sh
It will generate an IPv4-only setup (files are generated where you run the
script).
If used like this, especially on a member, you can remove some packages, because
it's handled by systemd now.
I use this in all my Debian Buster servers.
One of my configs looks like this
(and I don't need any ntp, iproute, resolv.conf packages or adjustments anymore):
[Match]
Name=eth0
[Network]
DHCP=no
DNSSEC=allow-downgrade
IPv6PrivacyExtensions=no
IPv6AcceptRouterAdvertisements=no
LinkLocalAddressing=no
# NTP and DNS point to AD-DC.
NTP=192.168.x.1 192.168.x.2
DNS=192.168.x.1 192.168.x.2
Domains=primary.dnssearchdomain.tld other.domains.tld
Address=192.168.x.10/24
# if you need a gateway.
#Gateway=192.168.x.1
# if you need extra routes.
#[Route]
#Destination=172.20.0/16
#Gateway=192.168.x.1
Greetz,
Louis
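
One way to audit a member's resolv.conf and hosts file against the advice in the message above, as an added example that is not part of the original thread. The function names, the documentation-range addresses and samdom.example.com are assumptions made for the sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Names and sample data are constructed.
# check_member_dns RESOLV HOSTS AD_DOMAIN "DC_IP [DC_IP ...]"
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_member_dns() {
    resolv=$1; hosts=$2; domain=$3; dc_ips=$4; findings=""
    nl='
'
    # Every nameserver should be an AD DC; the DC forwards external lookups.
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$resolv"); do
        case " $dc_ips " in
            *" $ns "*) ;;
            *) findings="${findings}non-DC nameserver: ${ns}${nl}" ;;
        esac
    done
    # The AD DNS domain should be the first (primary) search domain.
    first=$(awk '$1 == "search" { print $2; exit }' "$resolv")
    [ "$first" = "$domain" ] || findings="${findings}search domain is not ${domain}${nl}"
    # Per the advice above, a hosts entry for the DC is not needed.
    for ip in $dc_ips; do
        if awk -v ip="$ip" '$1 == ip { hit = 1 } END { exit !hit }' "$hosts"; then
            findings="${findings}DC ${ip} listed in hosts file${nl}"
        fi
    done
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample files: "before" mirrors the reported layout, "after" the fix.
write_samples() {
    dir=$1
    printf '%s\n' '# Generated by NetworkManager' 'nameserver 192.0.2.230' \
        'nameserver 198.51.100.10' > "$dir/resolv.before"
    printf '%s\n' 'search samdom.example.com' 'nameserver 192.0.2.230' \
        > "$dir/resolv.after"
    printf '%s\n' '127.0.0.1 localhost' \
        '192.0.2.233 member1.samdom.example.com member1' \
        '192.0.2.230 dc1.samdom.example.com dc1' > "$dir/hosts.before"
    printf '%s\n' '127.0.0.1 localhost' \
        '192.0.2.233 member1.samdom.example.com member1' > "$dir/hosts.after"
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "before:"
check_member_dns "$tmp/resolv.before" "$tmp/hosts.before" samdom.example.com 192.0.2.230 || true
echo "after:"
check_member_dns "$tmp/resolv.after" "$tmp/hosts.after" samdom.example.com 192.0.2.230 && echo "clean"
rm -rf "$tmp"
```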
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> nathalie ramat via samba
> Sent: Thursday 7 November 2019 14:01
> To: rpenny at samba.org
> CC: samba at lists.samba.org
> Subject: Re: [Samba] net ads join explication ?
>
>
> My Dc is under linux - my version of linux is 5.2.0-3-amd64
>
> My client os is also under linux and the version is 5.2.0-2-amd64. I
> also have a Windows 10 client.
>
> I put the result of the test
>
> Collected config  --- 2019-11-07-13:14 -----------
>
> Hostname: clientblues2
> DNS Domain: sambadom.calais.fr
> FQDN: clientblues2.sambadom.calais.fr
> ipaddress: 192.168.xx.233
>
> -----------
>
> Kerberos SRV _kerberos._tcp.sambadom.calais.fr record verified ok, sample output:
> Server:         192.168.xx.230
> Address:        192.168.xx.230#53
>
> _kerberos._tcp.sambadom.calais.fr       service = 0 100 88 blueyestest.sambadom.calais.fr.
> Samba is running as an Unix domain member but 'winbindd' is NOT running.
> Check that the winbind package is installed.
> Detected, Samba is running winbind only. Auth-only server, Unix domain member
>        Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux bullseye/sid"
> NAME="Debian GNU/Linux"
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
>
> This computer is running Debian bullseye/sid x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether a2:75:42:40:54:6b brd ff:ff:ff:ff:ff:ff
>     inet 192.168.xx.233/24 brd 192.168.22.255 scope global noprefixroute ens18
>     inet6 fe80::a075:42ff:fe40:546b/64 scope link noprefixroute
>
> -----------
>        Checking file: /etc/hosts
>
> 127.0.0.1    localhost
> 192.168.xx.233    clientblues2.sambadom.calais.fr clientblues2
> 192.168.xx.230    blueyestest.sambadom.calais.fr    blueyestest
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
>        Checking file: /etc/resolv.conf
>
> # Generated by NetworkManager
> nameserver 192.168.xx.230
> nameserver 193.49.xx.10
> nameserver 195.220.xx.10
>
> -----------
>
>        Checking file: /etc/krb5.conf
>
> [libdefaults]
>     default_realm = SAMBADOM.CALAIS.FR
>     kdc_timesync =1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> #fcc-mit-ticketflags = true
>
> #allow_weak_crypto = true
> #default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> #default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes= as256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> [realms]
>     SAMBADOM.CALAIS.FR = {
>         kdc = blueyestest.sambadom.calais.fr
>         admin_server = blueyestest.sambadom.calais.fr
>         default_domain =sambadom.calais.fr
>     }
>
> [domain_realm]
>     sambadom.calais.fr = SAMBADOM.CALAIS.FR
>     .sambadom.calais.fr = SAMBADOM.CALAIS.FR
>
> [logging]
>     default=file:/var/log/krb5.log
>
> -----------
>
>        Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files winbind systemd
> group:          files winbind systemd
> shadow:         files winbind systemd
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> -----------
>
>        Checking file: /etc/samba/smb.conf
>
> [global]
>     security =ADS
>     realm = SAMBADOM.CALAIS.FR
>     workgroup =SAMBADOM
>     netbios name = clientblues2
>     winbind separator = /
>     winbind enum users = yes
>     winbind enum groups = yes
>
>     idmap config * : backend=tdb
>     idmap config * : range=1000-2000
>
>     idmap config SAMBADOM : backend = ad
>     idmap config SAMBADOM : schema_mode =rfc2307
>     idmap config SAMBADOM : range = 10000-600000
>     idmap config SAMBADOM : unix_nss_info = yes
>     idmap config SAMBADOM : unix_primary_group = yes
>
>     winbind nss info = template
>     template homedir =/etudiants/%U
>
>     template shell =/bin/bash
>     kerberos method =  secrets and keytab
>     dedicated keytab file =/etc/krb5.keytab
>     winbind refresh tickets =yes
> #
>     username map = /etc/samba/user.map
>     winbind use default domain = yes
>     log file =/var/log/samba/log.%m
>     log level = 5
> # for acl support on members servers with shares
>     vfs object = acl_xattr
>     map acl inherit = yes
>     store dos attributes = yes
> #    winbind nss info = rfc2307
>
> -----------
>
> Running as Unix domain member and user.map detected.
>
> Contents of /etc/samba/user.map
>
> !root = SAMBADOM\administrator
>
> Server Role is set to :  auto
>
> -----------
>
> Installed packages:
> ii  acl                      2.2.53-5         amd64  access control list - utilities
> ii  fonts-quicksand          0.2016-2         all    sans-serif font with round attributes
> ii  krb5-config              2.6              all    Configuration files for Kerberos Version 5
> ii  krb5-locales             1.17-6           all    internationalization support for MIT Kerberos
> ii  krb5-user                1.17-6           amd64  basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64            2.2.53-5         amd64  access control list - shared library
> ii  libattr1:amd64           1:2.4.48-5       amd64  extended attribute handling - shared library
> ii  libgssapi-krb5-2:amd64   1.17-6           amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64          1.17-6           amd64  MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64    1.17-6           amd64  MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64     2:4.9.13+dfsg-1  amd64  Samba nameservice integration plugins
> ii  libpam-winbind:amd64     2:4.9.13+dfsg-1  amd64  Windows domain authentication integration plugin
> ii  libsmbclient:amd64       2:4.9.13+dfsg-1  amd64  shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64       2:4.9.13+dfsg-1  amd64  Samba winbind client library
> ii  python-samba             2:4.9.13+dfsg-1  amd64  Python bindings for Samba
> ii  samba-common             2:4.9.13+dfsg-1  all    common files used by both the Samba server and client
> ii  samba-common-bin         2:4.9.13+dfsg-1  amd64  Samba common files used by both the server and the client
> ii  samba-dsdb-modules:amd64 2:4.9.13+dfsg-1  amd64  Samba Directory Services Database
> ii  samba-libs:amd64         2:4.9.13+dfsg-1  amd64  Samba core libraries
> ii  winbind                  2:4.9.13+dfsg-1  amd64  service to resolve user and group information from Windows NT servers
>
> -----------
>
>
> On 07/11/2019 at 12:37, Rowland penny via samba wrote:
> > On 07/11/2019 11:08, nathalie ramat via samba wrote:
> >> Hello ,
> >>
> >> I want to add my linux client in my ad .
> >>
> >> I use net ads join -U administrator
> >> passwd : xxxx
> >>
> >> and I wait and I have no response but if I put 8 times the key
> >> enter, my machine is added to my ad but I have this message error :
> >> error reading from file descriptor 0 : empty password  which comes
> >> from the server
> >>
> >> I don't understand why .
> >>
> >>
> >> My server is samba 4.11 and my client use winbind .
> >
> > There doesn't seem to be anything wrong with your smb.conf, were
> > 'smbd', 'nmbd' and 'winbind' running before the join ?
> >
> > Can you download this:
> >
> > https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
> >
> > Run it on the Unix domain member and post the output into a reply to
> > this post, do not attach it, this list strips attachments.
> >
> > Also, what is the DC OS and version.
> >
> > Rowland
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
>
> --
> Nathalie RAMAT-LECLERCQ
>
> Service Informatique
>
> Universite du Littoral-Côte d'Opale
> SCoSI - Service Commun du Système d'Information
> Pôle Systèmes et réseaux
>
> Centre de Gestion Universitaire de Calais
> 50 rue ferdinand Buisson
> C.S 80699
> 62228 CALAIS CEDEX