Rowland Penny
2021-Nov-17  09:56 UTC
[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
On Tue, 2021-11-16 at 15:10 -0800, Michael Evans wrote:
> What sections do you believe are missing, and how would those impact
> joining the active directory domain?
>
> Shares are missing, but none have been set up yet, that's a future me
> problem.

That wasn't your problem.

> ID mapping is based on RFC2307 and stored within the active
> directory; is "idmap config ad" sufficient for that task? That is my
> understanding from the Samba AD Domain Member documentation.

Then read it again, this time follow the hyperlinks.

> I did not "optionally map the domain Administrator account to the
> local root account on a Unix domain member.", as I don't need that
> account authenticating to operate as root on each server. I have ssh
> and key-based auth already.

That isn't what it is added for, it allows you to set permissions from
Windows, you need it.

> All of the samba services are presently turned off, though I did try
> starting up winbind at one point to see if that's why the join had
> failed.

What OS is this ? Is something like a firewall getting in the way ?

Rowland
Michael Evans
2021-Nov-17  21:11 UTC
[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Wednesday, November 17, 2021 1:57 AM
To: sambalist
Subject: Re: [Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server

> On Tue, 2021-11-16 at 15:10 -0800, Michael Evans wrote:
> > What sections do you believe are missing, and how would those impact
> > joining the active directory domain?
> >
> > Shares are missing, but none have been set up yet, that's a future me
> > problem.
>
> That wasn't your problem.
>
> > ID mapping is based on RFC2307 and stored within the active
> > directory; is "idmap config ad" sufficient for that task? That is my
> > understanding from the Samba AD Domain Member documentation.
>
> Then read it again, this time follow the hyperlinks.
>
> > I did not "optionally map the domain Administrator account to the
> > local root account on a Unix domain member.", as I don't need that
> > account authenticating to operate as root on each server. I have ssh
> > and key-based auth already.
>
> That isn't what it is added for, it allows you to set permissions from
> Windows, you need it.
>
> > All of the samba services are presently turned off, though I did try
> > starting up winbind at one point to see if that's why the join had
> > failed.
>
> What OS is this ? Is something like a firewall getting in the way ?
>
> Rowland

Your third point: If I DO need it then it isn't _optional_ and the documentation is incorrect / confusing. Still, which sections, what keywords should I be looking for, and more to the point, why aren't those in the Member Server documentation to begin with, without external references?

Any inconsistencies at all.

nslookup 10.2.0.35
35.0.2.10.in-addr.arpa   name = ad-mo3.nc.nor-consult.com.

I added the reverse DNS entries manually; they weren't even needed for the Win10 join to the domain. Does Samba perform a case-sensitive compare?
The guide's example is DC1.realm (lowercase), and I only ever think of DNS entries as lowercased because that's the normal convention.

Time synchronization; VM, sntp run daily by schedule.

"If you need your users to have different login shells and/or Unix home directory paths, or you want them to have the same ID everywhere, you will need to use the winbind 'ad' backend and add RFC2307 attributes to AD."

Yes, I need that, and have done that on the DC.

Documentation error: Hyperlink is NOT default hyperlink colors and NOT underlined.

idmap config ad <<< That looks like just text with emphasis, NOT a hyperlink.

This table of 3 options should instead be broken out to small sections, each with a single (current version) template example and a link to the full set of directions. Ideally all three examples would fit on a typical PC screen when viewing the wiki.

https://wiki.samba.org/index.php/Idmap_config_ad

The Config AD Backend and NSS info sections should be in that order, not the NSS then AD order.

This still fails (r2 is in every group Administrator is in; I expect the same output):

net ads join -U r2 -d 5 2>&1
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for nc.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
saf_fetch: failed to find server for "nc.nor-consult.com" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for nc.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
create_local_private_krb5_conf_for_domain: wrote file /run/samba/smb_krb5/krb5.conf.NC with realm NC.NOR-CONSULT.COM KDC list
        kdc = [fd00:6959:d45d:200::23]:88
        kdc = 10.2.0.35

sitename_fetch: Returning sitename for realm 'NC.NOR-CONSULT.COM': "Default-First-Site-Name"
name ad-mo3.nc.nor-consult.com#20 found.
ads_try_connect: sending CLDAP request to 10.2.0.35 (realm: nc.nor-consult.com)
Successfully contacted LDAP server 10.2.0.35
Connecting to 10.2.0.35 at port 389
Connected to LDAP server ad-mo3.nc.nor-consult.com
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5

----- It HANGS here for subjectively forever, probably 15+ min.

kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com with user[r2] realm[NC.NOR-CONSULT.COM]: Can't contact LDAP server
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com with user[r2] realm[NC.NOR-CONSULT.COM]: Can't contact LDAP server, fallback to NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
ads_sasl_spnego_gensec_bind(NTLMSSP) failed for ldap/ad-mo3.nc.nor-consult.com with user[r2] realm=[NC.NOR-CONSULT.COM]: Can't contact LDAP server
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : 'V-FS5$'
            netbios_domain_name      : 'NC'
            dns_domain_name          : 'nc.nor-consult.com'
            forest_name              : 'nc.nor-consult.com'
            dn                       : NULL
            domain_guid              : 250143d6-aebe-440e-94c5-f27c7af7857b
            domain_sid               : *
                domain_sid           : S-1-5-21-3458735564-2487305582-1134572456
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: Can't contact LDAP server'
            domain_is_ad             : 0x01 (1)
            set_encryption_types     : 0x00000000 (0)
            krb5_salt                : NULL
            result                   : WERR_NERR_DEFAULTJOINREQUIRED
return code = -1
Failed to join domain: failed to connect to AD: Can't contact LDAP server

I'll run and redact public IP network data from this again...

https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

bash samba-collect-debug-info.sh
Please wait, collecting debug info.
Password for Administrator at NC.NOR-CONSULT.COM:
Warning: Your password will expire in 40 days on Tue 28 Dec 2021 02:07:05 AM UTC
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER

The debug info about your system can be found in this file: /tmp/samba-debug-info.txt
Please check this and if required, sanitise it.
Then copy & paste it into an email to the samba list
Do not attach it to the email, the Samba mailing list strips attachments.

Collected config --- 2021-11-17-21:03 -----------

Hostname: v-fs5
DNS Domain: nc.nor-consult.com
FQDN: v-fs5.nc.nor-consult.com
ipaddress: 10.2.0.45 10.202.0.45 fd00:6959:d45d:200:a800:ff:fe48:dc6f REDACTED:a800:ff:fe48:dc6f fd00:6959:d45d:200::2d

-----------

Kerberos SRV _kerberos._tcp.nc.nor-consult.com record verified ok, sample output:
Server:         10.2.0.35
Address:        10.2.0.35#53

_kerberos._tcp.nc.nor-consult.com       service = 0 100 88 ad-mo3.nc.nor-consult.com.

Samba is running as an Unix domain member but 'winbindd' is NOT running.
Check that the winbind package is installed.

Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------

This computer is running Debian 11.1 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether REDACTED brd ff:ff:ff:ff:ff:ff
    altname enp0s13
    altname ens13
    inet 10.2.0.45/16 brd 10.2.255.255 scope global eth0
    inet6 fd00:6959:d45d:200:a800:ff:fe48:dc6f/64 scope global dynamic mngtmpaddr
    inet6 REDACTED:a800:ff:fe48:dc6f/64 scope global dynamic mngtmpaddr
    inet6 fd00:6959:d45d:200::2d/56 scope global
    inet6 fe80::a800:ff:fe48:dc6f/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether REDACTED brd ff:ff:ff:ff:ff:ff
    altname enp0s14
    altname ens14
    inet REDACTED
    inet6 fe80::a800:ff:fe89:ed9e/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1       localhost
10.2.0.45       v-fs5.nc.nor-consult.com v-fs5
fd00:6959:d45d:0200::2d v-fs5.nc.nor-consult.com v-fs5

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
domain nc.nor-consult.com
search nc.nor-consult.com norconsult.local nor-consult.com
nameserver 10.2.0.35
-----------
Checking file: /etc/krb5.conf
[libdefaults]
        default_realm = NC.NOR-CONSULT.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files
group:          files
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
-----------
Checking file: /etc/samba/smb.conf
[global]
workgroup = NC
security = ADS
realm = NC.NOR-CONSULT.COM
#server role = member server
bind interfaces only = yes
interfaces = 127.0.0.1 10.2.0.45 ::1 fd00:6959:d45d:200::2d
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes

# idmap config ad
# https://wiki.samba.org/index.php/Idmap_config_ad
# local server
idmap config * : backend = tdb
idmap config * : range = 3000-3499
# domain
# is DOMAIN $DOMAIN or literal DOMAIN ? -- Ah there's an example later, that helps
idmap config NC:backend = ad
idmap config NC:schema_mode = rfc2307
idmap config NC:range = 3500-999999
idmap config NC:unix_nss_info = no

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

template shell = /bin/bash
template homedir = /home/%D/%U

username map = /etc/samba/user.map

# Only for testing
winbind enum users = yes
winbind enum groups = yes
-----------
Running as Unix domain member and user.map detected.
Contents of /etc/samba/user.map
!root = NC\Administrator

Server Role is set to : auto
Server Role is set to : auto
-----------
Installed packages:
ii  acl                            2.2.53-10                   amd64  access control list - utilities
ii  attr                           1:2.4.48-6                  amd64  utilities for manipulating filesystem extended attributes
ii  krb5-config                    2.6+nmu1                    all    Configuration files for Kerberos Version 5
ii  krb5-user                      1.18.3-6+deb11u1            amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                  2.2.53-10                   amd64  access control list - shared library
ii  libattr1:amd64                 1:2.4.48-6                  amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64         1.18.3-6+deb11u1            amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64       7.7.0+dfsg-2                amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                1.18.3-6+deb11u1            amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64          1.18.3-6+deb11u1            amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64           2:4.13.13+dfsg-1~deb11u2    amd64  Samba nameservice integration plugins
ii  libpam-krb5:amd64              4.9-2                       amd64  PAM module for MIT Kerberos
ii  libpam-winbind:amd64           2:4.13.13+dfsg-1~deb11u2    amd64  Windows domain authentication integration plugin
ii  libwbclient0:amd64             2:4.13.13+dfsg-1~deb11u2    amd64  Samba winbind client library
ii  python3-samba                  2:4.13.13+dfsg-1~deb11u2    amd64  Python 3 bindings for Samba
ii  samba                          2:4.13.13+dfsg-1~deb11u2    amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.13.13+dfsg-1~deb11u2    all    common files used by both the Samba server and client
ii  samba-common-bin               2:4.13.13+dfsg-1~deb11u2    amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64       2:4.13.13+dfsg-1~deb11u2    amd64  Samba Directory Services Database
ii  samba-libs:amd64               2:4.13.13+dfsg-1~deb11u2    amd64  Samba core libraries
ii  samba-vfs-modules:amd64        2:4.13.13+dfsg-1~deb11u2    amd64  Samba Virtual FileSystem plugins
ii  winbind                        2:4.13.13+dfsg-1~deb11u2    amd64  service to resolve user and group information from Windows NT servers
-----------
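The thread turns on three things a domain member needs before `net ads join` can succeed: an smb.conf whose idmap ranges are consistent (the `*` default range must not overlap the per-domain `ad` range), an nsswitch.conf that actually consults winbind for passwd and group, and unobstructed TCP paths to the DC, which is what Rowland's firewall question is probing. The script below is an added example written for this editorial pass; it is not code from the thread, from the debug-collection script linked above, or from the Samba project. It parses the `[global]` section of an smb.conf text, reports overlapping or missing idmap ranges, flags passwd/group lines that omit winbind, and offers an optional TCP reachability probe of the DC ports a join uses. The sample smb.conf and nsswitch fragments are constructed to mirror what was posted in the thread; the port list (88, 389, 445) and every function name are this example's own assumptions.

```python
"""Pre-join sanity checks for a Samba AD domain member (added example).

Not part of the mailing-list thread or the Samba project: parses the
[global] section of smb.conf, verifies that idmap ranges do not overlap,
checks that nsswitch.conf consults winbind, and optionally probes DC ports.
"""
import re
import socket

# Constructed sample mirroring the smb.conf posted in the thread (only the
# keys relevant to the checks are reproduced).
SAMPLE_SMB_CONF = """\
[global]
workgroup = NC
security = ADS
realm = NC.NOR-CONSULT.COM
# local server
idmap config * : backend = tdb
idmap config * : range = 3000-3499
# domain
idmap config NC:backend = ad
idmap config NC:schema_mode = rfc2307
idmap config NC:range = 3500-999999
idmap config NC:unix_nss_info = no
"""

# Constructed nsswitch.conf fragment as posted: winbind is absent from passwd/group.
SAMPLE_NSSWITCH = """\
passwd:         files
group:          files
shadow:         files
hosts:          files mdns4_minimal [NOTFOUND=return] dns
"""


def parse_smb_conf_global(text):
    """Return {normalised key: value} for the [global] section.

    Whitespace around ':' and runs of blanks are collapsed so that
    'idmap config NC:range' and 'idmap config NC : range' compare equal.
    Lines starting with '#' or ';' are comments and are skipped.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", key.strip())
        conf[re.sub(r"\s+", " ", key)] = value.strip()
    return conf


def idmap_ranges(conf):
    """Extract {domain: (low, high)} from every 'idmap config <dom>:range' key."""
    ranges = {}
    for key, value in conf.items():
        m = re.fullmatch(r"idmap config (\S+):range", key, re.IGNORECASE)
        if m:
            lo, hi = (int(x) for x in value.split("-", 1))
            ranges[m.group(1)] = (lo, hi)
    return ranges


def check_idmap_ranges(ranges):
    """Return a list of problems; an empty list means the ranges are sane.

    The default domain '*' needs a range, each range must be ordered, and
    no two ranges may overlap (the Samba wiki's idmap requirement).
    """
    problems = []
    if "*" not in ranges:
        problems.append("no 'idmap config * : range' for the default domain")
    for dom, (lo, hi) in ranges.items():
        if lo > hi:
            problems.append(f"range for {dom} is inverted: {lo}-{hi}")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:  # closed intervals intersect
                problems.append(f"ranges for {a} ({a_lo}-{a_hi}) and {b} ({b_lo}-{b_hi}) overlap")
    return problems


def check_nsswitch(text):
    """Return the passwd/group databases whose source list lacks 'winbind'."""
    missing = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = (p.strip() for p in line.split(":", 1))
        if db in ("passwd", "group") and "winbind" not in sources.split():
            missing.append(db)
    return missing


def check_dc_ports(host, ports=(88, 389, 445), timeout=3.0):
    """Return {port: reachable} for the DC ports a join uses (needs network).

    Port list is an assumption: 88 Kerberos, 389 LDAP, 445 SMB. A port that
    accepts the TCP connection but then stalls, as in the thread, still shows
    as reachable here; this only rules out a plain TCP block.
    """
    result = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                result[port] = True
        except OSError:
            result[port] = False
    return result


if __name__ == "__main__":
    conf = parse_smb_conf_global(SAMPLE_SMB_CONF)
    for line in check_idmap_ranges(idmap_ranges(conf)) or ["idmap ranges OK"]:
        print(line)
    for db in check_nsswitch(SAMPLE_NSSWITCH):
        print(f"nsswitch.conf: '{db}' does not consult winbind")
```

Run against the configuration posted in the thread, the idmap ranges come back clean (3000-3499 and 3500-999999 are adjacent, not overlapping) while the nsswitch check reports both passwd and group, which lines up with the collector's own "winbindd is NOT running" warning: until winbind is running and listed in nsswitch, domain users cannot resolve on the member even after a successful join. To probe the DC from the member, call `check_dc_ports("ad-mo3.nc.nor-consult.com")` from a shell on the host itself.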