Michael Evans
2021-Nov-16 22:12 UTC
[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
A samba-ad-dc has been set up using
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
(with some Debian specific variations).

Samba is being used as the DNS, Kerberos, and LDAP servers. None of the external server options were set up or added.

The Active Directory domain worked for a Windows 10 client machine joining the domain. It also shows up in the list of computer objects.

Debian 11 (bullseye) samba fails to net ads join to this same domain.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

If I am reading the debug error message correctly, it's trying to join the domain with a machine account it should create by joining the domain?

Also, I reported the bug here, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999797 , but it isn't clear if this is operator error or a Debian specific issue.

### obtain kerberos credentials as an admin in the test domain
# kinit r2

### I've tried variations on the net ads join command, as the configuration seems correct. -d 10 is very spammy. PS it stalls for a _long_ time at
Starting GENSEC submechanism gse_krb5

YES I have also tried -U Administrator and every other variation I could think of, including the r2 (Administrator equivalent) account I kinit-ed above. They all take AT LEAST 15 min to timeout and fail in the same way. If there are specific invocations or pre-requisites you suggest I try, please let me know.
# net ads join -k -d 5
Processing section "[global]"
doing parameter workgroup = NC
doing parameter security = ADS
doing parameter realm = NC.NOR-CONSULT.COM
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter store dos attributes = Yes
doing parameter winbind refresh tickets = Yes
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="V-FS5"
added interface eth0 ip=REDACTED:a800:ff:fe48:dc6f bcast= netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=fd00:6959:d45d:200::2d bcast= netmask=ffff:ffff:ffff:ff00::
added interface eth0 ip=fd00:6959:d45d:200:a800:ff:fe48:dc6f bcast= netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=10.2.0.45 bcast=10.2.255.255 netmask=255.255.0.0
added interface eth1 ip=REDACTED bcast=10.202.255.255 netmask=255.255.0.0
libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    in: struct libnet_JoinCtx
        dc_name                  : NULL
        machine_name             : 'V-FS5'
        domain_name              : *
            domain_name              : 'NC.NOR-CONSULT.COM'
        domain_name_type         : JoinDomNameTypeDNS (1)
        account_ou               : NULL
        admin_account            : 'root'
        admin_domain             : NULL
        machine_password         : NULL
        join_flags               : 0x00000023 (35)
               0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
               0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME   <<<<< Why isn't this flag set as well?
               0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
               0: WKSSVC_JOIN_FLAGS_DEFER_SPN
               0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
               0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
               1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
               0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
               0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
               1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
               1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
        os_version               : NULL
        os_name                  : NULL
        os_servicepack           : NULL
        create_upn               : 0x00 (0)
        upn                      : NULL
        dnshostname              : NULL
        modify_config            : 0x00 (0)
        ads                      : NULL
        debug                    : 0x01 (1)
        use_kerberos             : 0x01 (1)
        secure_channel_type      : SEC_CHAN_WKSTA (2)
        desired_encryption_types : 0x0000001f (31)
Opening cache file at /run/samba/gencache.tdb
sitename_fetch: Returning sitename for realm 'NC.NOR-CONSULT.COM': "Default-First-Site-Name"
saf_fetch: failed to find server for "NC.NOR-CONSULT.COM" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for NC.NOR-CONSULT.COM using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
saf_fetch: failed to find server for "NC.NOR-CONSULT.COM" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for NC.NOR-CONSULT.COM using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
create_local_private_krb5_conf_for_domain: wrote file /run/samba/smb_krb5/krb5.conf._JOIN_ with realm NC.NOR-CONSULT.COM KDC list =
	kdc = 10.2.0.35
	kdc = [fd00:6959:d45d:200::23]:88

sitename_fetch: Returning sitename for realm 'NC.NOR-CONSULT.COM': "Default-First-Site-Name"
name ad-mo3.nc.nor-consult.com#20 found.
Connecting to fd00:6959:d45d:200::23 at port 445
Socket options:
	SO_KEEPALIVE = 0
	SO_REUSEADDR = 0
	SO_BROADCAST = 0
	TCP_NODELAY = 1
	TCP_KEEPCNT = 9
	TCP_KEEPIDLE = 7200
	TCP_KEEPINTVL = 75
	IPTOS_LOWDELAY = 0
	IPTOS_THROUGHPUT = 0
	SO_REUSEPORT = 0
	SO_SNDBUF = 46080
	SO_RCVBUF = 131072
	SO_SNDLOWAT = 1
	SO_RCVLOWAT = 1
	SO_SNDTIMEO = 0
	SO_RCVTIMEO = 0
	TCP_QUICKACK = 1
	TCP_DEFER_ACCEPT = 0
	TCP_USER_TIMEOUT = 0
cli_session_setup_spnego_send: Connect to ad-mo3.nc.nor-consult.com as root at NC.NOR-CONSULT.COM using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
signed SMB2 message
signed SMB2 message
Bind RPC Pipe: host ad-mo3.nc.nor-consult.com auth_type 0, auth_level 1
rpc_api_pipe: host ad-mo3.nc.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host ad-mo3.nc.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host ad-mo3.nc.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 204
rpc_api_pipe: host ad-mo3.nc.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 32
signed SMB2 message
saf_fetch: failed to find server for "nc.nor-consult.com" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for nc.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
saf_fetch: failed to find server for "nc.nor-consult.com" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for nc.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
create_local_private_krb5_conf_for_domain: wrote file /run/samba/smb_krb5/krb5.conf.NC with realm NC.NOR-CONSULT.COM KDC list
	kdc = [fd00:6959:d45d:200::23]:88
	kdc = 10.2.0.35

sitename_fetch: Returning sitename for realm 'NC.NOR-CONSULT.COM': "Default-First-Site-Name"
name ad-mo3.nc.nor-consult.com#20 found.
ads_try_connect: sending CLDAP request to 10.2.0.35 (realm: nc.nor-consult.com)
Successfully contacted LDAP server 10.2.0.35
Connecting to 10.2.0.35 at port 389
Connected to LDAP server ad-mo3.nc.nor-consult.com
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5

##### It stalls on this line for like 15+ min #####
##### debug level 10 zoom-in #####

Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
#
gensec_update_send: gse_krb5[0x557fe640b800]: subreq: 0x557fe64271c0
gensec_update_send: spnego[0x557fe6402310]: subreq: 0x557fe6426860
gensec_update_done: gse_krb5[0x557fe640b800]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x557fe64271c0/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)]  state[struct gensec_gse_update_state (0x557fe6427370)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
gensec_update_done: spnego[0x557fe6402310]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x557fe6426860/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x557fe6426a10)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
ads_sasl_spnego_gensec_bind(KRB5) failed with: Can't contact LDAP server, calling kinit
#
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com with user[root] realm[NC.NOR-CONSULT.COM]: Cannot read password, fallback to NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp

##### back to debug level 5 #####

ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com with user[root] realm[NC.NOR-CONSULT.COM]: Cannot read password, fallback to NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
ads_sasl_spnego_gensec_bind(NTLMSSP) failed for ldap/ad-mo3.nc.nor-consult.com with user[root] realm=[NC.NOR-CONSULT.COM]: Can't contact LDAP server
libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    out: struct libnet_JoinCtx
        account_name             : 'V-FS5$'
        netbios_domain_name      : 'NC'
        dns_domain_name          : 'nc.nor-consult.com'
        forest_name              : 'nc.nor-consult.com'
        dn                       : NULL
        domain_guid              : 250143d6-aebe-440e-94c5-f27c7af7857b
        domain_sid               : *
            domain_sid               : S-1-5-21-3458735564-2487305582-1134572456
        modified_config          : 0x00 (0)
        error_string             : 'failed to connect to AD: Can't contact LDAP server'
        domain_is_ad             : 0x01 (1)
        set_encryption_types     : 0x00000000 (0)
        krb5_salt                : NULL
        result                   : WERR_NERR_DEFAULTJOINREQUIRED
return code = -1
Failed to join domain: failed to connect to AD: Can't contact LDAP server

# klist   ### r2 has been added to all the groups that Administrator is in, and was able to join the Windows 10 PC successfully.
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: r2 at NC.NOR-CONSULT.COM

Valid starting       Expires              Service principal
11/16/2021 18:21:38  11/17/2021 04:21:38  krbtgt/NC.NOR-CONSULT.COM at NC.NOR-CONSULT.COM
	renew until 11/17/2021 18:21:36
11/16/2021 18:21:56  11/17/2021 04:21:38  cifs/ad-mo3.nc.nor-consult.com at NC.NOR-CONSULT.COM
11/16/2021 18:22:03  11/17/2021 04:21:38  ldap/ad-mo3.nc.nor-consult.com at NC.NOR-CONSULT.COM


https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

Collected config --- 2021-11-16-17:56 -----------

Hostname: v-fs5
DNS Domain: nc.nor-consult.com
FQDN: v-fs5.nc.nor-consult.com
ipaddress: 10.2.0.45 REDACTED fd00:6959:d45d:200:a800:ff:fe48:dc6f REDACTED:a800:ff:fe48:dc6f fd00:6959:d45d:200::2d

-----------

Kerberos SRV _kerberos._tcp.nc.nor-consult.com record verified ok, sample output:
Server:		10.2.0.35
Address:	10.2.0.35#53

_kerberos._tcp.nc.nor-consult.com	service = 0 100 88 ad-mo3.nc.nor-consult.com.
Samba is running as an Unix domain member but 'winbindd' is NOT running.
Check that the winbind package is installed.
Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------

This computer is running Debian 11.1 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether REDACTED brd ff:ff:ff:ff:ff:ff
    altname enp0s13
    altname ens13
    inet 10.2.0.45/16 brd 10.2.255.255 scope global eth0
    inet6 fd00:6959:d45d:200:a800:ff:fe48:dc6f/64 scope global dynamic mngtmpaddr
    inet6 REDACTED:a800:ff:fe48:dc6f/64 scope global dynamic mngtmpaddr
    inet6 fd00:6959:d45d:200::2d/56 scope global
    inet6 fe80::a800:ff:fe48:dc6f/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether REDACTED brd ff:ff:ff:ff:ff:ff
    altname enp0s14
    altname ens14
    inet REDACTED/16 brd REDACTED scope global eth1
    inet6 fe80::REDACTED/64 scope link

-----------
Checking file: /etc/hosts

127.0.0.1	localhost
10.2.0.45	v-fs5.nc.nor-consult.com	v-fs5
fd00:6959:d45d:0200::2d	v-fs5.nc.nor-consult.com	v-fs5

# The following lines are desirable for IPv6 capable hosts
::1	localhost ip6-localhost ip6-loopback
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters

-----------

Checking file: /etc/resolv.conf

domain nc.nor-consult.com
search nc.nor-consult.com norconsult.local nor-consult.com
nameserver 10.2.0.35
-----------

Checking file: /etc/krb5.conf

[libdefaults]
	default_realm = NC.NOR-CONSULT.COM
	dns_lookup_realm = false
	dns_lookup_kdc = true

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files
group:          files
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
-----------

Checking file: /etc/samba/smb.conf

[global]
workgroup = NC
security = ADS
realm = NC.NOR-CONSULT.COM
#server role = member server

idmap config ad

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

winbind use default domain = yes

# Only for testing
winbind enum users = yes
winbind enum groups = yes

-----------

Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
Warning, /etc/idmapd.conf does not exist

-----------

Installed packages:
ii  acl                        2.2.53-10                  amd64  access control list - utilities
ii  attr                       1:2.4.48-6                 amd64  utilities for manipulating filesystem extended attributes
ii  krb5-config                2.6+nmu1                   all    Configuration files for Kerberos Version 5
ii  krb5-user                  1.18.3-6+deb11u1           amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64              2.2.53-10                  amd64  access control list - shared library
ii  libattr1:amd64             1:2.4.48-6                 amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64     1.18.3-6+deb11u1           amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64            1.18.3-6+deb11u1           amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64      1.18.3-6+deb11u1           amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64       2:4.13.13+dfsg-1~deb11u2   amd64  Samba nameservice integration plugins
ii  libpam-krb5:amd64          4.9-2                      amd64  PAM module for MIT Kerberos
ii  libpam-winbind:amd64       2:4.13.13+dfsg-1~deb11u2   amd64  Windows domain authentication integration plugin
ii  libwbclient0:amd64         2:4.13.13+dfsg-1~deb11u2   amd64  Samba winbind client library
ii  python3-samba              2:4.13.13+dfsg-1~deb11u2   amd64  Python 3 bindings for Samba
ii  samba                      2:4.13.13+dfsg-1~deb11u2   amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common               2:4.13.13+dfsg-1~deb11u2   all    common files used by both the Samba server and client
ii  samba-common-bin           2:4.13.13+dfsg-1~deb11u2   amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64   2:4.13.13+dfsg-1~deb11u2   amd64  Samba Directory Services Database
ii  samba-libs:amd64           2:4.13.13+dfsg-1~deb11u2   amd64  Samba core libraries
ii  samba-vfs-modules:amd64    2:4.13.13+dfsg-1~deb11u2   amd64  Samba Virtual FileSystem plugins
ii  winbind                    2:4.13.13+dfsg-1~deb11u2   amd64  service to resolve user and group information from Windows NT servers

-----------
Rowland Penny
2021-Nov-16 22:53 UTC
[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
On Tue, 2021-11-16 at 14:12 -0800, Michael Evans via samba wrote:
> A samba-ad-dc has been set up using
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> (with some Debian specific variations).
>
> Samba is being used as the DNS, Kerberos, and LDAP servers. None of
> the external server options were set up or added.
>
> The Active Directory domain worked for a Windows 10 client machine
> joining the domain. It also shows up in the list of computer objects.
>
> Debian 11 (bullseye) samba fails to net ads join to this same domain.
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
[...]
> Failed to join domain: failed to connect to AD: Can't contact LDAP
> server
[...]
> Checking file: /etc/samba/smb.conf
>
> [global]
> workgroup = NC
> security = ADS
> realm = NC.NOR-CONSULT.COM
> #server role = member server
>
> idmap config ad
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> winbind refresh tickets = Yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind use default domain = yes
>
> # Only for testing
> winbind enum users = yes
> winbind enum groups = yes
>
> -----------
[...]

Try reading the documentation again, your smb.conf is missing huge chunks, you will also need to specify which network interface Samba has to use. My advice would be to only use IPv4 and turn IPv6 off.

Is Samba running during the join attempts ? If it is, turn it off, it shouldn't be.

Rowland
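The reply above points at the smb.conf rather than at Kerberos: the posted [global] section has no `idmap config` backend or range for either the default (`*`) domain or the NC domain, the line `idmap config ad` carries no `= value` and so never shows up among the `doing parameter` lines in the join output, and nothing pins this multi-homed host to one interface. The following POSIX shell script is an added example for this thread (not part of the original posts, of Samba, or of the samba-collect-debug-info.sh script): it reads an smb.conf, normalises parameter names the way Samba does (case and whitespace insensitive), and reports what a domain member is missing before anyone runs `net ads join`. The required-parameter list follows the `[global]` example on the "Setting up Samba as a Domain Member" wiki page (`idmap config * : backend/range` and `idmap config <WORKGROUP> : backend/range`); the `interfaces` / `bind interfaces only` checks follow the advice in the reply. Both input files are constructed copies written by the script itself; the "corrected" one uses placeholder idmap ranges and backend that you would pick for your own domain.

```sh
#!/bin/sh
# Pre-join lint for a Samba AD domain-member smb.conf (added example,
# not Samba code).  Parses [global], reports missing parameters, and
# flags lines Samba would not treat as parameters at all.

TAB=$(printf '\t')

# Normalise a parameter name the way Samba compares them: lowercase,
# all whitespace removed ("idmap config NC : backend" -> "idmapconfignc:backend").
norm_key() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d " $TAB"
}

# Print "key=value" for every parameter line in [global] and
# "BADLINE=<text>" for lines inside [global] that contain no '='.
global_params() {
    in_global=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed "s/^[ $TAB]*//;s/[ $TAB]*$//")
        case "$line" in
            ''|'#'*|';'*) continue ;;
            '['*)
                if [ "$(norm_key "$line")" = '[global]' ]; then in_global=1; else in_global=0; fi
                continue ;;
        esac
        [ "$in_global" -eq 1 ] || continue
        case "$line" in
            *=*)
                key=$(norm_key "${line%%=*}")
                val=$(printf '%s' "${line#*=}" | sed "s/^[ $TAB]*//")
                printf '%s=%s\n' "$key" "$val" ;;
            *)  printf 'BADLINE=%s\n' "$line" ;;
        esac
    done < "$1"
}

# Value of one normalised key in the output of global_params (empty if unset).
param_value() {   # $1 = params text, $2 = normalised key
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# One finding per line; prints nothing when the file looks complete.
lint_smb_conf() {
    params=$(global_params "$1")
    wg=$(param_value "$params" workgroup | tr 'A-Z' 'a-z')
    sec=$(param_value "$params" security | tr 'A-Z' 'a-z')

    [ "$sec" = ads ] || echo "security must be ADS for a domain member (got '${sec:-unset}')"
    [ -n "$wg" ] || echo "workgroup is not set"
    [ -n "$(param_value "$params" realm)" ] || echo "realm is not set"

    # The default (*) idmap domain and the named domain each need a backend and a range.
    for k in 'idmapconfig*:backend' 'idmapconfig*:range' \
             "idmapconfig${wg:-<workgroup>}:backend" "idmapconfig${wg:-<workgroup>}:range"; do
        [ -n "$(param_value "$params" "$k")" ] || echo "missing: $k"
    done

    # Multi-homed host: pin Samba to the interface(s) it should actually use.
    [ -n "$(param_value "$params" interfaces)" ] || echo "recommended: interfaces = <iface or address>"
    [ "$(param_value "$params" bindinterfacesonly | tr 'A-Z' 'a-z')" = yes ] \
        || echo "recommended: bind interfaces only = yes"

    # A parameter line needs 'name = value'; anything else is not a parameter.
    printf '%s\n' "$params" | awk -F= '$1 == "BADLINE" { sub(/^BADLINE=/, ""); print "ignored (no \"=\"): " $0 }'
}

# Constructed copy of the [global] section posted in the thread.
write_thread_conf() {
    cat > "$1" <<'EOF'
[global]
workgroup = NC
security = ADS
realm = NC.NOR-CONSULT.COM
#server role = member server
idmap config ad
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
# Only for testing
winbind enum users = yes
winbind enum groups = yes
EOF
}

# Constructed example of a complete member config; backend and ranges are placeholders.
write_fixed_conf() {
    cat > "$1" <<'EOF'
[global]
workgroup = NC
security = ADS
realm = NC.NOR-CONSULT.COM
interfaces = lo eth0
bind interfaces only = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config NC : backend = rid
idmap config NC : range = 10000-999999
winbind use default domain = yes
EOF
}

demo=$(mktemp)
write_thread_conf "$demo"
echo "== findings for the thread's smb.conf =="
lint_smb_conf "$demo"
write_fixed_conf "$demo"
echo "== findings for the corrected smb.conf =="
lint_smb_conf "$demo"
rm -f "$demo"
```

To lint a real file, source the script and call `lint_smb_conf /etc/samba/smb.conf`; an empty result means only that the parameters the wiki example lists are present, not that the values are right for your domain, so `testparm` and the wiki page remain the reference for that. The script deliberately does not call `net`, `kinit` or the DC, so it can run before Samba is started (the reply asks for Samba to be stopped during the join) and without touching the domain.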