On 04-03-2024 21:54, Rowland Penny via samba wrote:
> On Mon, 4 Mar 2024 14:14:18 +0100
> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
>> Hello! Kees van Vloten via samba
>>   On that day it was said...
>>
>>> Interesting, I tried running it with -d 10, it shows a lot of
>>> output.
>> The same. My output is a bit more complex, I think because the joined
>> machine is a firewall that has no info whatsoever about the domain,
>> so I have tons of errors relating to missing DNS records.
>>
>> But, as just stated, join with:
>>
>>     net ads join -I 10.172.1.8 -U gaio
>>
>> worked as expected, a simple 'net ads testjoin' works (with the same
>> DNS errors, of course).
>>
>>
>>> Another thing I tried was "systemctl stop winbind" and then the
>>> "net changetrustpw", but even then the same error occurs.
>> I do not have winbind running on the joined machine.
> If winbind isn't running, then your machine isn't fully joined, with
> 'security = ADS' (a requirement for an AD Unix domain member) you must
> have winbind running, it has been this way since Samba 4.8.0
>
> Rowland

I just figured out something:

All my machines run Debian bookworm, the DCs run with samba 4.19.5.

I have run it on 2 client machines, one with stock Debian winbind 4.17.12, the other one with 4.19.4.

It fails with the mentioned error on stock 4.17.12, but works fine on 4.19.4.

Solution is easy: upgrading winbind from Debian backports solves the issue!

- Kees.
Hello! Kees van Vloten via samba
  On that day it was said...

> Solution is easy: upgrading winbind from Debian backports solves the issue!

I've upgraded to latest buster version 4.18.10+dfsg-1~buster, but it still does not work for me... Now it displays:

 root@vfwacpn1:~# net ads changetrustpw
 get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
 Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
 Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.

If I force the target server:

 root@vfwacpn1:~# net ads changetrustpw -S kdc.ad.ac.concordia-pordenone.it
 ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos failed for ldap/kdc.ad.ac.concordia-pordenone.it - user[VFWACPN1$], realm[AD.AC.CONCORDIA-PORDENONE.IT]: An invalid parameter was passed to a service or function.
 Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
 Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.
In /etc/krb5.conf I've set:

 [libdefaults]
 	default_realm = AD.AC.CONCORDIA-PORDENONE.IT
 	dns_lookup_realm = false
 	dns_lookup_kdc = false
 	kdc_timesync = 1
 	ccache_type = 4
 	forwardable = true
 	proxiable = true

 [realms]
 	AD.AC.CONCORDIA-PORDENONE.IT = {
 		kdc = kdc.ad.ac.concordia-pordenone.it
 		master_kdc = kdc.ad.ac.concordia-pordenone.it
 		admin_server = kdc.ad.ac.concordia-pordenone.it
 		default_domain = ad.ac.concordia-pordenone.it
 	}

Clearly, 'kdc.ad.ac.concordia-pordenone.it' is in /etc/hosts:

 root@vfwacpn1:~# grep kdc /etc/hosts
 10.172.1.8	vdcacpn1.ac.concordia-pordenone.it kdc.ad.ac.concordia-pordenone.it ad.ac.concordia-pordenone.it vdcacpn1

Join still seems valid:

 root@vfwacpn1:~# net ads testjoin
 get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
 get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
 Join is OK

 root@vfwacpn1:~# net ads testjoin -S kdc.ad.ac.concordia-pordenone.it
 get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
 ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos failed for ldap/kdc.ad.ac.concordia-pordenone.it - user[VFWACPN1$], realm[AD.AC.CONCORDIA-PORDENONE.IT]: An invalid parameter was passed to a service or function.
 Join is OK

and I can get the data I need:

 root@vfwacpn1:~# samba-tool group listmembers group1 -H ldap://ad.ac.concordia-pordenone.it -P
 user1
 user2
 user3

-- 
  The ways of the Lord are infinite.
  It is the signposting that leaves something to be desired...