Hi team,
I ran into a problem where joining an AD domain with Samba failed, and I want to get
some help from the community; please let me give the details.
1. Problem
When running "net ads join -U username" on a Linux client to join the AD
domain, it failed with this error message:
"""
Failed to join domain: Failed to set machine spn: Operations error
Do you have sufficient permissions to create machine accounts?
"""
It worked before; it just started failing one day.
2. What my environment is
My AD domain cluster is made up of Windows Server 2012.
I am using winbind on the Linux client to authenticate with AD accounts.
3. What I did for troubleshooting
3.1 debug log
The debug level 5 log shows some detailed information:
"""
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Failed while searching for:
<WKGUID=AA312825768811D1ADED00C04FD8D5CD,dc=PROD-USA,dc=mycompany,dc=COM>
libnet_DomainJoin: Failed to pre-create account in OU
cn=Computers,dc=PROD-USA,dc=mycompany,dc=COM: Operations error
signed SMB2 message
"""
It showed a failure while searching for a well-known object, and the Samba source code shows:
    if (asprintf(&base, "<WKGUID=%s,%s>", wknguid,
                 ads->config.bind_path) == -1) {
        DEBUG(1, ("asprintf failed!\n"));
        return NULL;
    }

    status = ads_search_dn(ads, &res, base, attrs);
    if (!ADS_ERR_OK(status)) {
        DEBUG(1, ("Failed while searching for: %s\n", base));
        goto out;
    }
It should be failing at the line: status = ads_search_dn(ads, &res, base, attrs);
However, if I search with the ldapsearch command, it works well:
"""
[root@monitor-test-12 ~]# ldapsearch -H ldap://pd11scl-ads-02 -x -W -D \
"username@prod-usa.mycompany.com" -b \
"<WKGUID=AA312825768811D1ADED00C04FD8D5CD,dc=PROD-USA,dc=mycompany,dc=COM>" distinguishedName -z 2
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <<WKGUID=AA312825768811D1ADED00C04FD8D5CD,dc=PROD-USA,dc=mycompany,dc=COM>> with scope subtree
# filter: (objectclass=*)
# requesting: distinguishedName
#
..... some lines of computer information omitted .....
"""
3.2 If I use "net rpc join -U username", it works
This means joining as an NT4 domain succeeds, but this is not what I want.
I have requested support from Microsoft to check whether there was anything
wrong on the Windows server, but no luck.
I am wondering how to get more details from Samba about why ads_search_dn
failed. If it could print the root cause, that would help a lot.
Thanks.
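As an added example that is not part of the thread and not Samba code, here is a small Python triage script for the debug excerpt above. It pulls out which GENSEC mechanism the LDAP bind used, which container the WKGUID base DN refers to, and which numeric LDAP result code "Operations error" is. The log text is the excerpt quoted above, constructed inline with the wrapped base DN re-joined; the well-known GUID names are the Active Directory constants; the function and variable names are the script's own.

```python
"""Triage helper for a failed 'net ads join' debug log.
Added example, not Samba code; the log below is the thread's excerpt, constructed inline."""
import re

# Well-known-object GUIDs that Active Directory resolves via the <WKGUID=...,DN> binding form.
# The first one is the GUID in the thread's log.
WELL_KNOWN_GUIDS = {
    "AA312825768811D1ADED00C04FD8D5CD": "Computers container",
    "A9D1CA15768811D1ADED00C04FD8D5CD": "Users container",
    "A361B2FFFFD211D1AA4B00C04FD7D83A": "Domain Controllers OU",
    "AB1D30F3768811D1ADED00C04FD8D5CD": "System container",
    "AB8153B7768811D1ADED00C04FD8D5CD": "Deleted Objects container",
    "22B70C67D56E4EFB91E9300FCA3DC1AA": "ForeignSecurityPrincipals container",
}

# Samba prints the LDAP result code as text (ldap_err2string); numeric codes per RFC 4511.
LDAP_RESULT_TEXT = {
    "Operations error": 1,
    "No such object": 32,
    "Invalid credentials": 49,
    "Insufficient access": 50,
}

# Constructed sample: the level-5 excerpt from the post, with the base DN that the
# mail client wrapped across two lines ("dc=PROD" / "USA") re-joined.
SAMPLE_LOG = """\
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Failed while searching for: <WKGUID=AA312825768811D1ADED00C04FD8D5CD,dc=PROD-USA,dc=mycompany,dc=COM>
libnet_DomainJoin: Failed to pre-create account in OU cn=Computers,dc=PROD-USA,dc=mycompany,dc=COM: Operations error
signed SMB2 message
"""

SUBMECH_RE = re.compile(r"Starting GENSEC submechanism (\S+)")
WKGUID_RE = re.compile(r"<WKGUID=([0-9A-Fa-f]{32}),([^>]+)>")
PRECREATE_RE = re.compile(r"Failed to pre-create account in OU\s+(.+?):\s*([^\n]+)")


def parse_join_log(text):
    """Extract bind mechanism, WKGUID base, target OU and LDAP error from the log text."""
    info = {}
    m = SUBMECH_RE.search(text)
    if m:
        info["bind_mechanism"] = m.group(1)
    m = WKGUID_RE.search(text)
    if m:
        guid = m.group(1).upper()
        info["wkguid"] = guid
        info["wkguid_meaning"] = WELL_KNOWN_GUIDS.get(guid, "unknown well-known object")
        info["base_dn"] = m.group(2).strip()
    m = PRECREATE_RE.search(text)
    if m:
        info["target_ou"] = m.group(1).strip()
        info["ldap_error"] = m.group(2).strip()
        info["ldap_result_code"] = LDAP_RESULT_TEXT.get(info["ldap_error"])
    return info


def triage(info):
    """Turn the extracted facts into the notes a reviewer would write on the log."""
    notes = []
    if "bind_mechanism" in info:
        notes.append(f"LDAP bind ran over GENSEC {info['bind_mechanism']}; a simple-bind test "
                     "(ldapsearch -x) uses a different session type and does not reproduce it")
    if "wkguid" in info:
        notes.append(f"WKGUID {info['wkguid']} = {info['wkguid_meaning']} under {info['base_dn']}")
    code = info.get("ldap_result_code")
    if code == 1:
        notes.append("operationsError (1): the DC would not process the request on this session; "
                     "it is neither noSuchObject (32) nor insufficientAccessRights (50). Samba logs "
                     "only the code text; the DC's diagnosticMessage (packet capture or DC-side "
                     "LDAP logging) carries the reason")
    elif code == 50:
        notes.append("insufficientAccessRights (50): the joining account lacks rights on the target OU")
    elif code == 32:
        notes.append("noSuchObject (32): the base DN does not resolve on this DC")
    return notes


if __name__ == "__main__":
    facts = parse_join_log(SAMPLE_LOG)
    for key, value in facts.items():
        print(f"{key:18} {value}")
    for note in triage(facts):
        print("-", note)
```

The point the script makes explicit is that the working ldapsearch test used -x (a simple bind) while the failing Samba search ran on a gse_krb5 (Kerberos) bind, so the two do not exercise the same session. Repeating the same base-DN query with ldapsearch -Y GSSAPI after kinit, and raising the debug level of the join itself (net ads join -d 10 -U username), are the usual next checks. The quoted Samba code also logs only the base DN at level 1 and not ads_errstr(status), which is why the reason does not appear in that line.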
Rowland Penny
2020-Jul-01 07:45 UTC
[Samba] help for join AD domain failure troubleshooting
On 01/07/2020 08:43, rong zhao via samba wrote:
> [...]

Has your user hit the limit for joining computers ?

Is your smb.conf set up correctly ?

What OS is this ?

Do you have the correct packages installed ?

Rowland
Hi Rowland,
Thank you so much for your comment. I don't know why I didn't
receive your email; I just saw it in the "Digest" mail.
Answering your questions:
Has your user hit the limit for joining computers ?
[R] I followed this article to set the limit:
https://www.petenetlive.com/KB/Article/0001536, but it did not work. Can you
please guide me on how to check this further?
Is your smb.conf set up correctly ?
[R] I think my smb.conf should work, because the same configuration worked
before and it works for another domain. Here is a sample (company
name replaced):
"""
[global]
client use spnego = no
workgroup = PROD-USA
realm = PROD-USA.MYCOMPANY.COM
preferred master = no
server string = Samba Server Version %v
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
template shell = /bin/bash
idmap domains = PROD-USA
idmap config PROD-USA:range = 10000 - 49999
idmap config PROD-USA:base_rid = 0
idmap config PROD-USA:backend = rid
################################################
# Required for Samba/Winbind 3.4+
# Note that local tdb idmap backend
# required now for Samba/Winbind 3.4+
idmap backend = tdb
idmap uid = 10000 - 49999
idmap gid = 10000 - 49999
#################################################
[homes]
comment = Home Directories
valid users = %S
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/cups
browseable = no
guest ok = no
writable = no
printable = yes
"""
What OS is this ?
[R] CentOS 7, 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC
2017 x86_64 x86_64 x86_64 GNU/Linux
Do you have the correct packages installed ?
[R] I think so; the Samba-related packages are the latest:
samba-common-4.10.4-11.el7_8.noarch
samba-client-libs-4.10.4-11.el7_8.x86_64
samba-winbind-4.10.4-11.el7_8.x86_64
samba-4.10.4-11.el7_8.x86_64
samba-common-libs-4.10.4-11.el7_8.x86_64
samba-winbind-modules-4.10.4-11.el7_8.x86_64
samba-winbind-clients-4.10.4-11.el7_8.x86_64
samba-libs-4.10.4-11.el7_8.x86_64
samba-common-tools-4.10.4-11.el7_8.x86_64
samba-client-4.10.4-11.el7_8.x86_64
Appreciate your help.
Thanks.
Rong
rong zhao <zhaorbox@gmail.com> wrote on Wed, 1 Jul 2020 at 3:43 PM:
> [...]
Rowland Penny
2020-Jul-01 12:53 UTC
[Samba] help for join AD domain failure troubleshooting
On 01/07/2020 13:26, rong zhao wrote:
> Hi Rowland,
>
> Thank you so much for your comment. I don't know why I didn't
> receive your email; I just saw it in the "Digest" mail.

Sounds like you signed up for 'digest' mail.

> Answering your questions:
>
> Has your user hit the limit for joining computers ?
> [R] I followed this article to set the limit:
> https://www.petenetlive.com/KB/Article/0001536, but it did not work. Can you
> please guide me on how to check this further?

Not sure if any of those work on Samba.

> Is your smb.conf set up correctly ?
> [R] I think my smb.conf should work, because the same configuration worked
> before and it works for another domain. Here is a sample (company
> name replaced):
>

Yes, it probably did work before, when Adam was a lad :-D

Try it like this:

        workgroup = PROD-USA
        realm = PROD-USA.MYCOMPANY.COM
        server string = Samba Server Version %v
        security = ADS
        winbind use default domain = Yes
        winbind separator = +
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config PROD-USA : backend = rid
        idmap config PROD-USA : range = 10000 - 49999
        template shell = /bin/bash
        preferred master = no
        log level = 3
        log file = /var/log/samba/%m
        max log size = 50
        printcap name = cups
        printing = cups
        vfs objects = acl_xattr
        map acl inherit = Yes
        username map = /etc/samba/user.map

[homes]
        comment = Home Directories
        valid users = %S
        browseable = no
        writable = yes

[printers]
        comment = All Printers
        path = /var/spool/cups
        browseable = no
        printable = yes

Create the user.map:

nano /etc/samba/user.map

!root = PROD-USA+Administrator

Rowland
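As an added example that is not from the thread or from Samba, here is a Python lint that parses an smb.conf [global] section and flags the points the reply changes: "client use spnego = no", the legacy idmap parameters (idmap backend, idmap uid, idmap gid, idmap domains), a missing "idmap config * : range" for the default domain, and overlapping idmap ranges. The two configs embedded in it are constructed excerpts of the original [global] section and of the suggested replacement (with a [global] header added); the parser and check names are the script's own.

```python
"""Lint an smb.conf [global] section for the idmap / SPNEGO points raised in the reply.
Added example, not Samba code; the two configs below are constructed excerpts."""
import re

# Constructed excerpt of the original [global] section posted in the thread.
ORIGINAL_GLOBAL = """\
[global]
client use spnego = no
workgroup = PROD-USA
realm = PROD-USA.MYCOMPANY.COM
security = ADS
encrypt passwords = yes
winbind use default domain = Yes
winbind separator = +
idmap domains = PROD-USA
idmap config PROD-USA:range = 10000 - 49999
idmap config PROD-USA:base_rid = 0
idmap config PROD-USA:backend = rid
idmap backend = tdb
idmap uid = 10000 - 49999
idmap gid = 10000 - 49999
"""

# Constructed excerpt of the suggested replacement (a [global] header added).
SUGGESTED_GLOBAL = """\
[global]
workgroup = PROD-USA
realm = PROD-USA.MYCOMPANY.COM
security = ADS
winbind use default domain = Yes
winbind separator = +
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config PROD-USA : backend = rid
idmap config PROD-USA : range = 10000 - 49999
username map = /etc/samba/user.map
"""

# Parameters superseded by the 'idmap config DOMAIN : option' form.
LEGACY_IDMAP = ("idmap backend", "idmap uid", "idmap gid", "idmap domains")


def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {key: value}}. Keys are lower-cased, blanks
    collapsed and spaces around ':' removed, so 'PROD-USA:range' == 'PROD-USA : range'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
            continue
        if "=" not in line or section is None:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        key = re.sub(r"\s*:\s*", ":", key)
        conf[section][key] = value.strip()
    return conf


def parse_range(value):
    """'10000 - 49999' or '3000-7999' -> (10000, 49999); None if malformed."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
    return (int(m.group(1)), int(m.group(2))) if m else None


def lint_global(conf):
    """Return a list of findings (empty when the [global] section passes every check)."""
    g = conf.get("global", {})
    findings = []
    # 'client use spnego' defaults to yes; 'no' turns off SPNEGO, and with it Kerberos,
    # for Samba's outgoing SMB connections.
    if g.get("client use spnego", "yes").lower() == "no":
        findings.append("client use spnego = no: disables SPNEGO/Kerberos on client SMB connections")
    for key in LEGACY_IDMAP:
        if key in g:
            findings.append(f"{key}: legacy parameter, use 'idmap config <domain> : ...' instead")
    ranges = {}
    for key, value in g.items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if not m:
            continue
        r = parse_range(value)
        if r is None or r[0] > r[1]:
            findings.append(f"{key}: malformed range '{value}'")
        else:
            ranges[m.group(1)] = r
    if "*" not in ranges:
        findings.append("missing 'idmap config * : range': SIDs from the default domain "
                        "(BUILTIN and other well-known SIDs) get no mapping")
    for dom in ranges:
        if dom != "*" and f"idmap config {dom}:backend" not in g:
            findings.append(f"idmap config {dom} : range set but no backend")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:  # the two intervals intersect
                findings.append(f"idmap ranges for {a} and {b} overlap")
    return findings


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_GLOBAL), ("suggested", SUGGESTED_GLOBAL)):
        print(f"== {name} ==")
        for finding in lint_global(parse_smb_conf(text)) or ["no findings"]:
            print(" -", finding)
```

Run as-is, the original excerpt produces six findings and the suggested one produces none. The range-overlap check matters because the rid backend maps every RID in PROD-USA into 10000-49999 deterministically, so the default domain's tdb range must sit outside it, as the suggested 3000-7999 does; testparm reports the same overlap condition on a live system.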