Rob Campbell
2023-Sep-08 20:46 UTC
[Samba] Failed to join domain: failed to find DC for domain...
Getting this error when trying to join computer to the domain. I just built a new debian computer for gaming and photo and video editing. I went through the same process as I did before (I created a script to do all of the things I did in the past)

net ads join -U administrator
Password for [HOME\administrator]:
Failed to join domain: failed to find DC for domain HOME - The object was not found.

net ads join -U administrator
Password for [HOME\administrator]:
Failed to join domain: failed to find DC for domain HOME - The object was not found.
root at D01:~/.bin# samba-tool domain join home.rob-campbell.lan MEMBER -U administrator
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Password for [HOME\administrator]:
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply
resolve_lmhosts: Attempting lmhosts lookup for name HOME<0x1c>
resolve_wins: WINS server resolution selected and no WINS servers listed.
name_resolve_bcast: Attempting broadcast lookup for name HOME<0x1c>
ERROR(runtime): uncaught exception - (2453, 'failed to find DC for domain HOME - The address handle that was given to the transport was invalid.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 695, in run
    (sid, domain_name) = s3_net.join_member(netbios_name,
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

From member

/etc/krb5.conf
[libdefaults]
default_realm = HOME.ROB-CAMPBELL.LAN
dns_lookup_realm = false
dns_lookup_kdc = true

/etc/samba/smb.conf
# Global parameters
[global]
bind interfaces only = Yes
dedicated keytab file = /etc/krb5.keytab
interfaces = lo eno1
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
log level = 3
realm = HOME.ROB-CAMPBELL.LAN
security = ADS
server role = member server
template homedir = /home/%U
template shell = /bin/bash
username map = /etc/samba/user.map
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = HOME
idmap config home : range = 10000-999999
idmap config home : backend = rid
idmap config home : unix_nss_info = yes
idmap config * : rangesize = 200000
idmap config * : backend = autorid
idmap config * : range = 3000-7999
map acl inherit = Yes
vfs objects = acl_xattr

I read this page https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage and set my firewall accordingly.

# samba-tool domain join home.rob-campbell.lan MEMBER -U administrator
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Password for [HOME\administrator]:
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply
No nmbd found
Connecting to 10.0.0.10 at port 445
get_dc_list: preferred server list: ", *"
get_kdc_ip_string: get_kdc_list (site-less) fail NT_STATUS_NO_LOGON_SERVERS
get_kdc_ip_string: Failed to get KDC ip address
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 10.0.0.10 failed.
get_dc_list: preferred server list: ", *"
ads_find_dc: falling back to netbios name resolution for domain 'HOME' (realm 'home.rob-campbell.lan')
get_dc_list: preferred server list: ", *"
ads_find_dc: name resolution for realm 'home.rob-campbell.lan' (domain 'HOME') failed: NT_STATUS_NO_LOGON_SERVERS
get_dc_list: preferred server list: ", *"
Could not look up dc's for domain HOME
ERROR(runtime): uncaught exception - (2694, 'failed to connect to AD: No logon servers are currently available to service the logon request.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 695, in run
    (sid, domain_name) = s3_net.join_member(netbios_name,
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.
Rowland Penny
2023-Sep-09 07:18 UTC
[Samba] Failed to join domain: failed to find DC for domain...
On Fri, 8 Sep 2023 16:46:54 -0400 Rob Campbell via samba <samba at lists.samba.org> wrote:

> Getting this error when trying to join computer to the domain. I just
> built a new debian computer for gaming and photo and video editing. I
> went through the same process as I did before (I created a script to
> do all of the things I did in the past)
>
> net ads join -U administrator
> Password for [HOME\administrator]:
> Failed to join domain: failed to find DC for domain HOME - The object
> was not found.
>
> net ads join -U administrator
> Password for [HOME\administrator]:
> Failed to join domain: failed to find DC for domain HOME - The object
> was not found.
> root at D01:~/.bin# samba-tool domain join home.rob-campbell.lan MEMBER
> -U administrator
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'ncalrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384) Processing section "[global]"
> Password for [HOME\administrator]:
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> ads_cldap_netlogon: did not get a reply
> ads_cldap_netlogon: did not get a reply
> resolve_lmhosts: Attempting lmhosts lookup for name HOME<0x1c>
> resolve_wins: WINS server resolution selected and no WINS servers
> listed. name_resolve_bcast: Attempting broadcast lookup for name
> HOME<0x1c> ERROR(runtime): uncaught exception - (2453, 'failed to
> find DC for domain HOME - The address handle that was given to the
> transport was invalid.') File
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185,
> in _run return self.run(*args, **kwargs)
> ^^^^^^^^^^^^^^^^^^^^^^^^^
> File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line
> 695, in run
> (sid, domain_name) = s3_net.join_member(netbios_name,
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> From member
> /etc/krb5.conf
> [libdefaults]
> default_realm = HOME.ROB-CAMPBELL.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> /etc/samba/smb.conf
> # Global parameters
> [global]
> bind interfaces only = Yes
> dedicated keytab file = /etc/krb5.keytab
> interfaces = lo eno1
> kerberos method = secrets and keytab
> log file = /var/log/samba/%m.log
> log level = 3
> realm = HOME.ROB-CAMPBELL.LAN
> security = ADS
> server role = member server
> template homedir = /home/%U
> template shell = /bin/bash
> username map = /etc/samba/user.map
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = HOME
> idmap config home : range = 10000-999999
> idmap config home : backend = rid
> idmap config home : unix_nss_info = yes
> idmap config * : rangesize = 200000
> idmap config * : backend = autorid
> idmap config * : range = 3000-7999

There is a problem, you are using both 'autorid' and the 'rid' idmap backends. You are also using a line from the 'ad' setup with the 'rid' idmap backend. You either use the 'rid' idmap backend with 'tdb' for the default '*' domain, or you just use the 'autorid' idmap backend by itself. As you have also set 'winbind use default domain = yes', you cannot use the 'autorid' idmap backend, it isn't allowed.

Try it set like this:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config home : backend = rid
idmap config home : range = 10000-999999

> map acl inherit = Yes
> vfs objects = acl_xattr
>
> I read this page
> https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage and set my
> firewall accordingly.
>
> # samba-tool domain join home.rob-campbell.lan MEMBER -U administrator
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384) Processing section "[global]"
> Password for [HOME\administrator]:
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> ads_cldap_netlogon: did not get a reply
> ads_cldap_netlogon: did not get a reply
> No nmbd found
> Connecting to 10.0.0.10 at port 445
> get_dc_list: preferred server list: ", *"
> get_kdc_ip_string: get_kdc_list (site-less) fail
> NT_STATUS_NO_LOGON_SERVERS get_kdc_ip_string: Failed to get KDC ip
> address ads_cldap_netlogon: did not get a reply
> ads_try_connect: CLDAP request 10.0.0.10 failed.
> get_dc_list: preferred server list: ", *"
> ads_find_dc: falling back to netbios name resolution for domain 'HOME'
> (realm 'home.rob-campbell.lan')
> get_dc_list: preferred server list: ", *"
> ads_find_dc: name resolution for realm 'home.rob-campbell.lan' (domain
> 'HOME') failed: NT_STATUS_NO_LOGON_SERVERS
> get_dc_list: preferred server list: ", *"
> Could not look up dc's for domain HOME
> ERROR(runtime): uncaught exception - (2694, 'failed to connect to AD:
> No logon servers are currently available to service the logon
> request.') File
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185,
> in _run return self.run(*args, **kwargs)
> ^^^^^^^^^^^^^^^^^^^^^^^^^
> File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line
> 695, in run
> (sid, domain_name) = s3_net.join_member(netbios_name,
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It looks like DNS is failing, does /etc/resolv.conf look like this:

search home.rob-campbell.lan
nameserver A.DC.IPADDRESS

While you are checking, does /etc/hosts contain a line like this:

computers_ip computers FQDN computers short_hostname

Rowland
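
Added example (not part of the thread and not Samba project code): a small Python lint that applies the three idmap rules stated in the reply above to the [global] section of an smb.conf. The function names are this example's own, and POSTED and SUGGESTED are constructed from the configuration lines quoted in the thread.

```python
import re
# Constructed sample: idmap-related lines of the member smb.conf quoted in the thread.
POSTED = """[global]
winbind use default domain = Yes
idmap config home : range = 10000-999999
idmap config home : backend = rid
idmap config home : unix_nss_info = yes
idmap config * : rangesize = 200000
idmap config * : backend = autorid
idmap config * : range = 3000-7999
"""
# Constructed sample: the layout suggested in the reply (tdb for '*', rid for the domain).
SUGGESTED = """[global]
winbind use default domain = Yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config home : backend = rid
idmap config home : range = 10000-999999
"""
IDMAP_KEY = re.compile(r"idmap config\s+(\S+?)\s*:\s*(\S+)$")

def parse_global(text):
    """Return ([global] params, {domain: {option: value}}), all lowercased."""
    params, idmap, section = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = (" ".join(p.lower().split()) for p in line.split("=", 1))
            match = IDMAP_KEY.match(key)
            if match:  # "idmap config <domain> : <option>"
                idmap.setdefault(match.group(1), {})[match.group(2)] = value
            else:
                params[key] = value
    return params, idmap

def lint_idmap(text):
    """Apply the three rules from the reply; return a list of findings."""
    params, idmap = parse_global(text)
    backends = {dom: opts.get("backend") for dom, opts in idmap.items()}
    findings = []
    if "autorid" in backends.values():
        if len(set(backends.values())) > 1:
            findings.append("autorid is mixed with another idmap backend")
        if params.get("winbind use default domain") in ("yes", "true", "1"):
            findings.append("autorid with 'winbind use default domain = yes'")
    for dom, opts in idmap.items():
        if "unix_nss_info" in opts and opts.get("backend") != "ad":
            findings.append(f"{dom}: unix_nss_info is an 'ad' option, backend is {opts.get('backend')}")
    return findings
```

Calling lint_idmap(POSTED) reports all three problems named in the reply, while lint_idmap(SUGGESTED) returns an empty list.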