François Legal
2022-Apr-29 07:09 UTC
[Samba] Joining a samba ad dc domain from another samba installation
On Wednesday, April 27, 2022 22:57 CEST, François Legal via samba <samba at lists.samba.org> wrote:
> On Tuesday, April 26, 2022 11:10 CEST, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Tue, 2022-04-26 at 10:36 +0200, François Legal via samba wrote:
> > > On Monday, April 25, 2022 15:24 CEST, Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
> > >
> > > > On Mon, Apr 25, 2022 at 7:13 AM François Legal via samba <samba at lists.samba.org> wrote:
> > > >
> > > > > samba-tool domain join [my samba domain] DC -k yes --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'
> > > > > INFO 2022-04-25 10:41:04,952 pid:374 /usr/lib/python3/dist-packages/samba/join.py #107: Finding a writeable DC for domain '[my samba domain]'
> > > > > INFO 2022-04-25 10:41:04,973 pid:374 /usr/lib/python3/dist-packages/samba/join.py #109: Found DC [my-dc].[my samba domain]
> > > > > ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: 00002020: Operation unavailable without authentication
> > > >
> > > > I see you used "-k yes". Did you confirm that you have a valid Kerberos TGT for a Domain Admin account? (Run "kinit" to get a ticket and "klist" to check.)
> > >
> > > Yes. I've kinit administrator@[my realm], the ticket shows out in klist afterwards.
> > > But either using -U administrator (for which no password is requested), either --krb5-ccache=/tmp/krb5cc_0 produce the same result
> > >
> > > François
> >
> > Provided that krb5.conf and DNS are set up correctly, you should just run 'kinit administrator' to get a ticket.
> > I take it that you are doing this as root.
> >
> > Rowland
>
> Yes, krb5.conf is setup correctly, dns resolver too. KDC is discovered through NS requests successfully, kinit & samba-tool run as root.
>
> François

Just to make sure :

root@[my new dc hostname]:~# more /etc/krb5.conf
[libdefaults]
default_realm = [my realm]
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
[my realm] = {
kdc = [my dc ip]
}
root@[my new dc hostname]:~# kinit administrator
Password for administrator@[my realm]:
root@[my new dc hostname]:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@[my realm]

Valid starting     Expires            Service principal
04/29/22 06:55:58  04/29/22 16:55:58  krbtgt/[my realm]@[my realm]
	renew until 04/30/22 06:55:52
root@[my new dc hostname]:~# samba-tool domain join [my domain] DC -k yes --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'
INFO 2022-04-29 06:56:14,025 pid:1974 /usr/lib/python3/dist-packages/samba/join.py #107: Finding a writeable DC for domain '[my domain]'
INFO 2022-04-29 06:56:14,044 pid:1974 /usr/lib/python3/dist-packages/samba/join.py #109: Found DC [my dc hostname].[my domain]
ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: 00002020: Operation unavailable without authentication
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 661, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1536, in join_DC
    ctx = DCJoinContext(logger, server, creds, lp, site, netbios_name,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 121, in __init__
    raise DCJoinException(estr)
root@[my new dc hostname]:~# samba-tool domain join [my domain] DC -U administrator --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'
INFO 2022-04-29 06:56:34,351 pid:1976 /usr/lib/python3/dist-packages/samba/join.py #107: Finding a writeable DC for domain '[my domain]'
INFO 2022-04-29 06:56:34,370 pid:1976 /usr/lib/python3/dist-packages/samba/join.py #109: Found DC [my dc hostname].[my domain]
ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: 00002020: Operation unavailable without authentication
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 661, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1536, in join_DC
    ctx = DCJoinContext(logger, server, creds, lp, site, netbios_name,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 121, in __init__
    raise DCJoinException(estr)
root@[my new dc hostname]:~#

François
Rowland Penny
2022-Apr-29 07:23 UTC
[Samba] Joining a samba ad dc domain from another samba installation
On Fri, 2022-04-29 at 09:09 +0200, François Legal via samba wrote:
> On Wednesday, April 27, 2022 22:57 CEST, François Legal via samba <samba at lists.samba.org> wrote:
>
> > On Tuesday, April 26, 2022 11:10 CEST, Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Tue, 2022-04-26 at 10:36 +0200, François Legal via samba wrote:
> > > > On Monday, April 25, 2022 15:24 CEST, Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
> > > >
> > > > > On Mon, Apr 25, 2022 at 7:13 AM François Legal via samba <samba at lists.samba.org> wrote:
> > > > >
> > > > > > samba-tool domain join [my samba domain] DC -k yes --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'
> > > > > > INFO 2022-04-25 10:41:04,952 pid:374 /usr/lib/python3/dist-packages/samba/join.py #107: Finding a writeable DC for domain '[my samba domain]'
> > > > > > INFO 2022-04-25 10:41:04,973 pid:374 /usr/lib/python3/dist-packages/samba/join.py #109: Found DC [my-dc].[my samba domain]
> > > > > > ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: 00002020: Operation unavailable without authentication
> > > > >
> > > > > I see you used "-k yes". Did you confirm that you have a valid Kerberos TGT for a Domain Admin account? (Run "kinit" to get a ticket and "klist" to check.)
> > > >
> > > > Yes. I've kinit administrator@[my realm], the ticket shows out in klist afterwards.
> > > > But either using -U administrator (for which no password is requested), either --krb5-ccache=/tmp/krb5cc_0 produce the same result
> > > >
> > > > François
> > >
> > > Provided that krb5.conf and DNS are set up correctly, you should just run 'kinit administrator' to get a ticket.
> > > I take it that you are doing this as root.
> > >
> > > Rowland
> >
> > Yes, krb5.conf is setup correctly, dns resolver too. KDC is discovered through NS requests successfully, kinit & samba-tool run as root.
> >
> > François
>
> Just to make sure :
>
> root@[my new dc hostname]:~# more /etc/krb5.conf
> [libdefaults]
> default_realm = [my realm]
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> [my realm] = {
> kdc = [my dc ip]
> }

Good job you did, it is wrong :-)

Try it like this:

[libdefaults]
default_realm = [my realm]
dns_lookup_realm = false
dns_lookup_kdc = true

Rowland
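The thread turns on one krb5.conf setting: with dns_lookup_kdc = false and a single kdc = line, the client never consults the domain's DNS SRV records and is pinned to one address, which is the configuration Rowland rejects. The following is an added example, not code from this thread or from the Samba project: a small preflight linter that parses a krb5.conf (including the nested REALM = { ... } blocks under [realms]), reports dns_lookup_kdc being off and any pinned kdc entry, and names the SRV records the client would query once DNS lookup is on. The realm EXAMPLE.LAN and address 192.0.2.10 in the embedded samples are constructed placeholders; the function names are this example's own.

```python
"""Preflight check of a client's krb5.conf before a Samba AD domain join.

Added example; not code from the samba mailing-list thread or the Samba
project. Parses krb5.conf and flags settings that stop the client from
locating domain controllers through DNS SRV records.
"""
import re
from typing import Dict, List

# Constructed sample: the shape of the krb5.conf quoted in the thread,
# with the realm and KDC address replaced by documentation values.
KRB5_CONF_PINNED_KDC = """\
[libdefaults]
    default_realm = EXAMPLE.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    EXAMPLE.LAN = {
        kdc = 192.0.2.10
    }
"""

# Constructed sample: the form suggested in the reply, KDCs found via DNS.
KRB5_CONF_DNS_KDC = """\
[libdefaults]
    default_realm = EXAMPLE.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true
"""

TRUE_VALUES = {"true", "yes", "1", "on"}   # spellings MIT krb5 accepts


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal krb5.conf parser: [section] headers, key = value lines and
    key = { ... } blocks nested to any depth. Repeated keys collect into a
    list, so several 'kdc =' lines inside one realm block are all kept."""
    config: Dict[str, dict] = {}
    stack: List[dict] = []            # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                  # blank line or comment
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            stack = [config.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue                  # text before the first section
        if line == "}":
            if len(stack) > 1:
                stack.pop()           # close the innermost { } block
            continue
        block = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if block:                     # e.g. "EXAMPLE.LAN = {"
            stack.append(stack[-1].setdefault(block.group(1), {}))
            continue
        kv = re.fullmatch(r"(\S+)\s*=\s*(.*)", line)
        if kv:
            key, value = kv.group(1), kv.group(2).strip()
            current = stack[-1].get(key)
            if current is None:
                stack[-1][key] = value
            elif isinstance(current, list):
                current.append(value)
            else:
                stack[-1][key] = [current, value]
    return config


def kerberos_srv_names(realm: str) -> List[str]:
    """DNS names queried when dns_lookup_kdc is on. Following the usual AD
    convention, the realm lower-cased is the DNS domain of the records."""
    domain = realm.lower()
    return [f"_kerberos._udp.{domain}", f"_kerberos._tcp.{domain}"]


def lint_for_samba_ad(config: Dict[str, dict]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    libdefaults = config.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["libdefaults: default_realm is not set"]
    # MIT krb5 treats an absent dns_lookup_kdc as true, so only an explicit
    # false-like value is a finding.
    dns_kdc = str(libdefaults.get("dns_lookup_kdc", "true")).lower()
    if dns_kdc not in TRUE_VALUES:
        findings.append(
            f"libdefaults: dns_lookup_kdc = {dns_kdc}; set it to true so the "
            f"client locates DCs via {', '.join(kerberos_srv_names(realm))}")
    realm_block = config.get("realms", {}).get(realm, {})
    if "kdc" in realm_block:
        findings.append(
            f"realms/{realm}: kdc is pinned to {realm_block['kdc']}; with DNS "
            f"lookup enabled this line is unnecessary and ties the client to one DC")
    return findings


if __name__ == "__main__":
    for label, text in (("pinned", KRB5_CONF_PINNED_KDC), ("dns", KRB5_CONF_DNS_KDC)):
        problems = lint_for_samba_ad(parse_krb5_conf(text)) or ["no findings"]
        print(f"{label}:\n  " + "\n  ".join(problems))
```

Run it against a real /etc/krb5.conf by passing the file's contents to parse_krb5_conf; the SRV names it prints are the ones to confirm with a DNS query before retrying the join, since a join that cannot find the records will fail no matter how the ticket was obtained.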