Hi,
I'm trying to set up an AD DC in an iocage jail on FreeBSD (to avoid the issues of having the DC be a file server) but I'm running into some trouble.

I've set up Kerberos and can kinit OK:
root@samba-addc:/ # kinit administrator
administrator@BEGER.COM.AU's Password:
root@samba-addc:/ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@BEGER.COM.AU

  Issued                Expires               Principal
Nov  8 15:51:22 2020  Nov  9 01:51:22 2020  krbtgt/BEGER.COM.AU@BEGER.COM.AU

However when I try and join the domain it complains about connecting to the LDAP server:
root@samba-addc:/ # samba-tool domain join beger.com.au DC -k yes
INFO 2020-11-08 15:51:30,554 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #107: Finding a writeable DC for domain 'beger.com.au'
INFO 2020-11-08 15:51:30,576 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #109: Found DC gateway2.beger.com.au
Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line 668, in run
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/join.py", line 1539, in join_DC
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/join.py", line 112, in __init__
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 67, in __init__
    options=options)
  File "/usr/local/lib/python3.7/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 82, in connect
    options=options)
root@samba-addc:/ #

'gateway2' is correct (that is what the current DC is called).

ldbsearch does not work either:
root@samba-addc:/ # samba-ldbsearch -H ldap://gateway2.beger.com.au -U beger/darius '(objectclass=person)'
Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldap://gateway2.beger.com.au - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
root@samba-addc:/ #
root@samba-addc:/ # samba-ldbsearch -H ldap://gateway2.beger.com.au -k yes '(objectclass=person)'
Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldap://gateway2.beger.com.au - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

ldbsearch *does* work on the host (i.e. gateway2) though.

Both ldap and ldaps behave the same.

I ran ktrace on ldbsearch and it did not even open a socket, let alone try a connection and fail.

I also tried running it with debugging but there wasn't anything of interest:
root@samba-addc:/ # samba-ldbsearch -d 10 --debug-stderr -H ldaps://gateway2.beger.com.au -U beger/darius '(objectclass=person)'
INFO: Current debug levels:
  all: 10
...
 Privilege[ 22]: SeImpersonatePrivilege
 Privilege[ 23]: SeCreateGlobalPrivilege
 Privilege[ 24]: SeEnableDelegationPrivilege
 Rights (0x 0):
Failed to connect to ldap URL 'ldaps://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldaps://gateway2.beger.com.au' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldaps://gateway2.beger.com.au - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

--
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
 -- Andrew Tanenbaum
On Sun, 2020-11-08 at 16:06 +1030, O'Connor, Daniel via samba wrote:
> Hi,
> I'm trying to set up an AD DC in an iocage jail on FreeBSD (to avoid the issues of having the DC be a file server) but I'm running into some trouble.
>
> I've set up Kerberos and can kinit OK:
> root@samba-addc:/ # kinit administrator
> administrator@BEGER.COM.AU's Password:
> root@samba-addc:/ # klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: administrator@BEGER.COM.AU
>
>   Issued                Expires               Principal
> Nov  8 15:51:22 2020  Nov  9 01:51:22 2020  krbtgt/BEGER.COM.AU@BEGER.COM.AU
>
> However when I try and join the domain it complains about connecting to the LDAP server:
> root@samba-addc:/ # samba-tool domain join beger.com.au DC -k yes
> INFO 2020-11-08 15:51:30,554 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #107: Finding a writeable DC for domain 'beger.com.au'
> INFO 2020-11-08 15:51:30,576 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #109: Found DC gateway2.beger.com.au
> Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

Sorry about the horrible error message. If you didn't set '-k yes' it would just fall back to NTLM.

You need to set up enough of a krb5.conf for it to find the KDC, otherwise it doesn't know where to send the packet to.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> On 8 Nov 2020, at 16:27, Andrew Bartlett <abartlet@samba.org> wrote:
> On Sun, 2020-11-08 at 16:06 +1030, O'Connor, Daniel via samba wrote:
>> Hi,
>> I'm trying to set up an AD DC in an iocage jail on FreeBSD (to avoid the issues of having the DC be a file server) but I'm running into some trouble.
>>
>> I've set up Kerberos and can kinit OK:
>> root@samba-addc:/ # kinit administrator
>> administrator@BEGER.COM.AU's Password:
>> root@samba-addc:/ # klist
>> Credentials cache: FILE:/tmp/krb5cc_0
>>         Principal: administrator@BEGER.COM.AU
>>
>>   Issued                Expires               Principal
>> Nov  8 15:51:22 2020  Nov  9 01:51:22 2020  krbtgt/BEGER.COM.AU@BEGER.COM.AU
>>
>> However when I try and join the domain it complains about connecting to the LDAP server:
>> root@samba-addc:/ # samba-tool domain join beger.com.au DC -k yes
>> INFO 2020-11-08 15:51:30,554 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #107: Finding a writeable DC for domain 'beger.com.au'
>> INFO 2020-11-08 15:51:30,576 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #109: Found DC gateway2.beger.com.au
>> Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>> Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>> ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>
> Sorry about the horrible error message. If you didn't set '-k yes' it
> would just fall back to NTLM.
>
> You need to set up enough of a krb5.conf for it to find the KDC,
> otherwise it doesn't know where to send the packet to.

I did specify '-k yes', and I think I have enough krb5.conf for it to work - e.g. kinit works as I would expect (although I barely know anything about Kerberos so..)

--
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
 -- Andrew Tanenbaum
On 08/11/2020 05:36, O'Connor, Daniel via samba wrote:
> Hi,
> I'm trying to set up an AD DC in an iocage jail on FreeBSD (to avoid the issues of having the DC be a file server) but I'm running into some trouble.
>
> I've set up Kerberos and can kinit OK:
> root@samba-addc:/ # kinit administrator
> administrator@BEGER.COM.AU's Password:
> root@samba-addc:/ # klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: administrator@BEGER.COM.AU
>
>   Issued                Expires               Principal
> Nov  8 15:51:22 2020  Nov  9 01:51:22 2020  krbtgt/BEGER.COM.AU@BEGER.COM.AU
>
> However when I try and join the domain it complains about connecting to the LDAP server:
>
> ldbsearch does not work either:
> root@samba-addc:/ # samba-ldbsearch -H ldap://gateway2.beger.com.au -U beger/darius '(objectclass=person)'
> Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER

I always shudder when I read FreeBSD, jails and AD in the same sentence, it never seems to work ?

You do have what appears to be a mistake in your ldbsearch command, you have 'beger/darius', it should be 'BEGER\\darius', note the forward slash replaced by two backslashes, one to escape the other.

On Linux, provided you have (at least) this in /etc/krb5.conf:

[libdefaults]
    default_realm = BEGER.COM.AU

and dns is set up correctly, then it should work.

I know little about FreeBSD jails, but if I understand them correctly, they are very similar to using a chroot on Linux and I wouldn't want to try and run a second DC in a chroot.

Rowland
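The two replies above both come down to the same prerequisite: the Samba client libraries in the jail must be able to locate the KDC and the DC from krb5.conf plus DNS. The file below is an added example of a krb5.conf that covers both routes, DNS SRV discovery and an explicit realm entry as a fallback for a jail whose resolver does not see the AD zone. It is not a file posted in the thread; the realm BEGER.COM.AU, the DNS domain beger.com.au and the DC name gateway2.beger.com.au are taken from the thread, everything else (the option choices, the fallback block) is the editor's suggestion.

```ini
; /etc/krb5.conf for the jail. Added example, not from the thread.
; Realm and DC names come from the thread; the structure is a suggestion.
[libdefaults]
    default_realm = BEGER.COM.AU
    ; Locate the KDC via the _kerberos._tcp.BEGER.COM.AU SRV record the AD DC
    ; publishes. This requires the jail's resolver to point at the DC's DNS
    ; (or a forwarder that serves the AD zone), not a generic upstream resolver.
    dns_lookup_kdc = true
    ; Do not derive the realm from DNS TXT records; the realm is pinned above.
    dns_lookup_realm = false

[realms]
    BEGER.COM.AU = {
        ; Explicit fallback: still works when SRV lookups fail inside the jail.
        ; If this is the only thing that makes kinit succeed, DNS is broken and
        ; the LDAP/SMB side of the join will still fail, so fix DNS rather than
        ; relying on this block alone.
        kdc = gateway2.beger.com.au
        admin_server = gateway2.beger.com.au
        default_domain = beger.com.au
    }

[domain_realm]
    ; Map hostnames under the AD DNS domain to the realm (mixed case matters).
    .beger.com.au = BEGER.COM.AU
    beger.com.au = BEGER.COM.AU
```

A working kinit only proves the KDC was reached, and with the [realms] fallback present it can succeed even when SRV resolution is broken. Before retrying the join, check from inside the jail that the records the join itself depends on resolve, for example `dig +short SRV _kerberos._tcp.BEGER.COM.AU` and `dig +short SRV _ldap._tcp.dc._msdcs.beger.com.au`, both of which should name gateway2; if they return nothing, the jail's resolv.conf is the thing to fix.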
> On 8 Nov 2020, at 20:24, Rowland penny via samba <samba@lists.samba.org> wrote:
>> ldbsearch does not work either:
>> root@samba-addc:/ # samba-ldbsearch -H ldap://gateway2.beger.com.au -U beger/darius '(objectclass=person)'
>> Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>> Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>
> I always shudder when I read FreeBSD, jails and AD in the same sentence, it never seems to work ?

It would be nice if it did though :)

> You do have what appears to be a mistake in your ldbsearch command, you have 'beger/darius', it should be 'BEGER\\darius', note the forward slash replaced by two backslashes, one to escape the other.

I tried that but no difference.

> On Linux, provided you have (at least) this in /etc/krb5.conf:
>
> [libdefaults]
>     default_realm = BEGER.COM.AU
>
> and dns is set up correctly, then it should work.

I have that in my krb5.conf, DNS does work as far as I can see (and kinit, klist etc work)

> I know little about FreeBSD jails, but if I understand them correctly, they are very similar to using a chroot on Linux and I wouldn't want to try and run a second DC in a chroot.

Jails are pretty similar to chroot but more secure - like Linux containers.

--
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
 -- Andrew Tanenbaum