Rowland Penny
2023-Sep-09 07:18 UTC
[Samba] Failed to join domain: failed to find DC for domain...
On Fri, 8 Sep 2023 16:46:54 -0400 Rob Campbell via samba <samba at lists.samba.org> wrote:

> Getting this error when trying to join computer to the domain. I just
> built a new debian computer for gaming and photo and video editing. I
> went through the same process as I did before (I created a script to
> do all of the things I did in the past)
>
> net ads join -U administrator
> Password for [HOME\administrator]:
> Failed to join domain: failed to find DC for domain HOME - The object
> was not found.
>
> net ads join -U administrator
> Password for [HOME\administrator]:
> Failed to join domain: failed to find DC for domain HOME - The object
> was not found.
> root at D01:~/.bin# samba-tool domain join home.rob-campbell.lan MEMBER
> -U administrator
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'ncalrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384) Processing section "[global]"
> Password for [HOME\administrator]:
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> ads_cldap_netlogon: did not get a reply
> ads_cldap_netlogon: did not get a reply
> resolve_lmhosts: Attempting lmhosts lookup for name HOME<0x1c>
> resolve_wins: WINS server resolution selected and no WINS servers
> listed. name_resolve_bcast: Attempting broadcast lookup for name
> HOME<0x1c> ERROR(runtime): uncaught exception - (2453, 'failed to
> find DC for domain HOME - The address handle that was given to the
> transport was invalid.') File
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185,
> in _run return self.run(*args, **kwargs)
> ^^^^^^^^^^^^^^^^^^^^^^^^^
> File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line
> 695, in run
> (sid, domain_name) = s3_net.join_member(netbios_name,
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> From member
> /etc/krb5.conf
> [libdefaults]
> default_realm = HOME.ROB-CAMPBELL.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> /etc/samba/smb.conf
> # Global parameters
> [global]
> bind interfaces only = Yes
> dedicated keytab file = /etc/krb5.keytab
> interfaces = lo eno1
> kerberos method = secrets and keytab
> log file = /var/log/samba/%m.log
> log level = 3
> realm = HOME.ROB-CAMPBELL.LAN
> security = ADS
> server role = member server
> template homedir = /home/%U
> template shell = /bin/bash
> username map = /etc/samba/user.map
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = HOME
> idmap config home : range = 10000-999999
> idmap config home : backend = rid
> idmap config home : unix_nss_info = yes
> idmap config * : rangesize = 200000
> idmap config * : backend = autorid
> idmap config * : range = 3000-7999

There is a problem, you are using both 'autorid' and the 'rid' idmap
backends. You are also using a line from the 'ad' setup with the 'rid'
idmap backend. You either use the 'rid' idmap backend with 'tdb' for
the default '*' domain, or you just use the 'autorid' idmap backend by
itself. As you have also set 'winbind use default domain = yes', you
cannot use the 'autorid' idmap backend, it isn't allowed.

Try it set like this:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config home : backend = rid
idmap config home : range = 10000-999999

> map acl inherit = Yes
> vfs objects = acl_xattr
>
> I read this page
> https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage and set my
> firewall accordingly.
>
> # samba-tool domain join home.rob-campbell.lan MEMBER -U administrator
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384) Processing section "[global]"
> Password for [HOME\administrator]:
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> ads_cldap_netlogon: did not get a reply
> ads_cldap_netlogon: did not get a reply
> No nmbd found
> Connecting to 10.0.0.10 at port 445
> get_dc_list: preferred server list: ", *"
> get_kdc_ip_string: get_kdc_list (site-less) fail
> NT_STATUS_NO_LOGON_SERVERS get_kdc_ip_string: Failed to get KDC ip
> address ads_cldap_netlogon: did not get a reply
> ads_try_connect: CLDAP request 10.0.0.10 failed.
> get_dc_list: preferred server list: ", *"
> ads_find_dc: falling back to netbios name resolution for domain 'HOME'
> (realm 'home.rob-campbell.lan')
> get_dc_list: preferred server list: ", *"
> ads_find_dc: name resolution for realm 'home.rob-campbell.lan' (domain
> 'HOME') failed: NT_STATUS_NO_LOGON_SERVERS
> get_dc_list: preferred server list: ", *"
> Could not look up dc's for domain HOME
> ERROR(runtime): uncaught exception - (2694, 'failed to connect to AD:
> No logon servers are currently available to service the logon
> request.') File
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185,
> in _run return self.run(*args, **kwargs)
> ^^^^^^^^^^^^^^^^^^^^^^^^^
> File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line
> 695, in run
> (sid, domain_name) = s3_net.join_member(netbios_name,
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It looks like DNS is failing, does /etc/resolv.conf look like this:

search home.rob-campbell.lan
nameserver A.DC.IPADDRESS

While you are checking, does /etc/hosts contain a line like this:

computers_ip computers FQDN computers short_hostname

Rowland
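Added example (not part of the original thread, and not Samba project code): a small Python lint that encodes the idmap rules stated in the reply above and runs them over the idmap lines that were posted and over the suggested replacement. The function names and finding labels are hypothetical, and both sample configs are constructed from lines quoted in the thread.

```python
import re

# Constructed sample: the idmap-related lines from the smb.conf posted in the thread.
POSTED = """\
[global]
winbind use default domain = Yes
idmap config home : range = 10000-999999
idmap config home : backend = rid
idmap config home : unix_nss_info = yes
idmap config * : rangesize = 200000
idmap config * : backend = autorid
idmap config * : range = 3000-7999
"""

# Constructed sample: the same section with the replacement lines from the reply.
SUGGESTED = """\
[global]
winbind use default domain = Yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config home : backend = rid
idmap config home : range = 10000-999999
"""

IDMAP_KEY = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\S.*)$")
TRUE_VALUES = {"yes", "true", "1"}

def parse(text):
    """Split smb.conf text into idmap[domain][option] and the other parameters."""
    idmap, other = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip().lower() for part in line.split("=", 1))
        key = " ".join(key.split())  # parameter names ignore case and extra spaces
        match = IDMAP_KEY.match(key)
        if match:
            idmap.setdefault(match.group(1), {})[match.group(2)] = value
        else:
            other[key] = value
    return idmap, other

def lint_idmap(text):
    """Return hypothetical finding labels for the rules stated in the reply."""
    idmap, other = parse(text)
    backends = {domain: opts.get("backend") for domain, opts in idmap.items()}
    default = backends.get("*")
    findings = []
    if default == "autorid" and any(b for d, b in backends.items() if d != "*"):
        findings.append("autorid-not-alone")
    if default == "autorid" and other.get("winbind use default domain") in TRUE_VALUES:
        findings.append("autorid-with-default-domain")
    for domain, opts in idmap.items():
        if opts.get("backend") == "rid" and "unix_nss_info" in opts:
            findings.append("ad-option-on-rid:" + domain)
    if "rid" in backends.values() and default != "tdb":
        findings.append("rid-without-tdb-default")
    return findings
```

The posted lines trip all four rules, while the suggested lines produce no findings.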
Rob Campbell
2023-Sep-09 15:29 UTC
[Samba] Failed to join domain: failed to find DC for domain...
>
> It looks like DNS is failing, does /etc/resolv.conf look like this:
>
> search home.rob-campbell.lan
> nameserver A.DC.IPADDRESS
>

This is what it looks like in this order (if that matters)

nameserver 10.0.0.10
nameserver 10.0.0.1
search HOME.ROB-CAMPBELL.LAN

>
> While you are checking, does /etc/hosts contain a line like this:
>
> computers_ip computers FQDN computers short_hostname
>

Yes

root at D01:~/.bin# realm leave
root at D01:~/.bin# realm list
root at D01:~/.bin# cp /etc/samba/smb.conf.converted /etc/samba/smb.conf
root at D01:~/.bin# realm list
home.rob-campbell.lan
  type: kerberos
  realm-name: HOME.ROB-CAMPBELL.LAN
  domain-name: home.rob-campbell.lan
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: libnss-winbind
  required-package: winbind
  required-package: libpam-winbind
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-any-login
root at D01:~/.bin# net ads join -U administrator
Password for [HOME\administrator]:
Failed to join domain: failed to connect to AD: No logon servers are currently available to service the logon request.
root at D01:~/.bin# samba-tool domain join home.rob-campbell.lan MEMBER -U administrator
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Password for [HOME\administrator]:
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply
No nmbd found
Connecting to 10.0.0.10 at port 445
get_dc_list: preferred server list: ", *"
get_kdc_ip_string: get_kdc_list (site-less) fail NT_STATUS_NO_LOGON_SERVERS
get_kdc_ip_string: Failed to get KDC ip address
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 10.0.0.10 failed.
get_dc_list: preferred server list: ", *"
ads_find_dc: falling back to netbios name resolution for domain 'HOME' (realm 'home.rob-campbell.lan')
get_dc_list: preferred server list: ", *"
ads_find_dc: name resolution for realm 'home.rob-campbell.lan' (domain 'HOME') failed: NT_STATUS_NO_LOGON_SERVERS
get_dc_list: preferred server list: ", *"
Could not look up dc's for domain HOME
ERROR(runtime): uncaught exception - (2694, 'failed to connect to AD: No logon servers are currently available to service the logon request.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 695, in run
    (sid, domain_name) = s3_net.join_member(netbios_name,
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

./check_smb.sh
144310 ? Ss 0:00 smbd
144311 ? S 0:00 smbd
144312 ? S 0:00 smbd
144320 ? Ss 0:00 nmbd
144321 pts/1 S+ 0:00 /bin/bash ./check_smb.sh
144323 pts/1 S+ 0:00 grep -E samba|smb|nmb|winbind

root at D01:~/.bin# samba-tool domain join home.rob-campbell.lan MEMBER -U administrator
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Password for [HOME\administrator]:
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply
fcntl_lock: fcntl lock gave errno 11 (Resource temporarily unavailable)
fcntl_lock: lock failed at offset 0 count 1 op 6 type 0 (Resource temporarily unavailable)
resolve_hosts: Attempting host lookup for name dc01.home.rob-campbell.lan<0x20>
Connecting to 2600:4040:4661:9a00:aaa1:59ff:fe5f:b823 at port 445
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 10.0.0.10 failed.
get_dc_list: preferred server list: ", *"
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 10.0.0.10 failed.
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 2600:4040:4661:9a00:aaa1:59ff:fe5f:b823 failed.
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 2600:4040:4661:9a00:b037:5676:5a02:cb00 failed.
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 2600:4040:4661:9a00:e2b2:cddc:804a:abed failed.
ads_find_dc: failed to find a valid DC on our site (Default-First-Site-Name), Trying to find another DC for realm 'home.rob-campbell.lan' (domain 'HOME')
get_dc_list: preferred server list: ", *"
ads_find_dc: falling back to netbios name resolution for domain 'HOME' (realm 'home.rob-campbell.lan')
get_dc_list: preferred server list: ", *"
ads_find_dc: name resolution for realm 'home.rob-campbell.lan' (domain 'HOME') failed: NT_STATUS_NO_LOGON_SERVERS
get_dc_list: preferred server list: ", *"
Could not look up dc's for domain HOME
ERROR(runtime): uncaught exception - (2694, 'failed to connect to AD: No logon servers are currently available to service the logon request.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 695, in run
    (sid, domain_name) = s3_net.join_member(netbios_name,
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.