Francois Lafont
2013-Apr-06 01:54 UTC
[Samba] Samba4 member of an another « Samba4 » domain
Hi,

I have a Samba4 domain controller installed on Debian Wheezy (Domain = CHEZMOI.PRIV). I am trying to install another Samba4 server which is just a member of the CHEZMOI.PRIV domain. But I don't succeed.

I have followed this page: https://wiki.samba.org/index.php/Samba4/Domain_Member

But I have:

~# net ads join -U administrator
Enter administrator's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

I don't know what to do... Do you have an idea?

--
François Lafont
François Lafont
2013-Apr-07 01:08 UTC
[Samba] Samba4 member of an another « Samba4 » domain
Hello,

I have progressed but it still doesn't work. I recall:

- Domain controller on Debian Wheezy (domain = chezmoi.priv) with Samba version 4.0.4 (works fine).
- I *try* to install a member of the "chezmoi.priv" domain on another Debian Wheezy with Samba version 4.0.4.

Below, I explain what I have done on the member server. I have made 2 attempts which don't work. Thanks in advance for your help.

Here is my /usr/local/samba/etc/smb.conf file on the member server:

-----------------------------------------------
[global]
    workgroup = CHEZMOI
    security = ADS
    realm = CHEZMOI.PRIV
    encrypt passwords = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config CHEZMOI:backend = ad
    idmap config CHEZMOI:schema_mode = rfc2307
    idmap config CHEZMOI:range = 500-40000
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
-----------------------------------------------

root@member~# ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
root@member~# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

Here is my /etc/nsswitch.conf file:

-----------------------------------------------
passwd: compat winbind
group: compat winbind
...
-----------------------------------------------

1) First attempt to join the domain on the member server

root@member~# samba-tool domain join chezmoi.priv member -U administrator --realm=chezmoi.priv
Password for [CHEZMOI\administrator]:
Joined domain CHEZMOI (S-1-5-21-3370545617-3166960116-3193249687)
root@member~# ldconfig
root@member~# smbd && nmbd

And now it is impossible to run winbindd.
-----------------------------------------------
root@member~# winbindd -i -d 10
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
Maximum core file size limits now 16777216(soft) -1(hard)
winbindd version 4.0.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
doing parameter workgroup = CHEZMOI
doing parameter security = ADS
doing parameter realm = CHEZMOI.PRIV
doing parameter encrypt passwords = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 70001-80000
doing parameter idmap config CHEZMOI:backend = ad
doing parameter idmap config CHEZMOI:schema_mode = rfc2307
doing parameter idmap config CHEZMOI:range = 500-40000
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Maximum core file size limits now 16777216(soft) -1(hard)
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
doing parameter workgroup = CHEZMOI
doing parameter security = ADS
doing parameter realm = CHEZMOI.PRIV
doing parameter encrypt passwords = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 70001-80000
doing parameter idmap config CHEZMOI:backend = ad
doing parameter idmap config CHEZMOI:schema_mode = rfc2307
doing parameter idmap config CHEZMOI:range = 500-40000
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth0 ip=fe80::a00:27ff:fe4b:65d3%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="WHEEZY-2"
added interface eth0 ip=fe80::a00:27ff:fe4b:65d3%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
Process with PID=2689 does not exist.
Deleting /usr/local/samba/var/run/winbindd.pid, since 2689 is not a Samba process.
fcntl_lock 8 6 0 1 1
fcntl_lock: Lock call successful
TimeInit: Serverzone is -7200
initialize_winbindd_cache: clearing cache and re-creating with version number 2
check lock order 2 for /usr/local/samba/var/lock/serverid.tdb
lock order: 1:<none> 2:/usr/local/samba/var/lock/serverid.tdb 3:<none>
Locking key 870A000000000000FFFF
Allocated locked data 0x0x2136700
Unlocking key 870A000000000000FFFF
release lock order 2 for /usr/local/samba/var/lock/serverid.tdb
lock order: 1:<none> 2:<none> 3:<none>
Registering messaging pointer for type 33 - private_data=(nil)
Registering messaging pointer for type 13 - private_data=(nil)
Registering messaging pointer for type 1028 - private_data=(nil)
Registering messaging pointer for type 1027 - private_data=(nil)
Registering messaging pointer for type 1029 - private_data=(nil)
Registering messaging pointer for type 1280 - private_data=(nil)
Registering messaging pointer for type 1032 - private_data=(nil)
Registering messaging pointer for type 1033 - private_data=(nil)
Registering messaging pointer for type 1034 - private_data=(nil)
Registering messaging pointer for type 1 - private_data=(nil)
Overriding messaging pointer for type 1 - private_data=(nil)
wcache_tdc_add_domain: Adding domain BUILTIN (), SID S-1-5-32, flags = 0x0, attributes = 0x0, type = 0x0
pack_tdc_domains: Packing 1 trusted domains
pack_tdc_domains: Packing domain BUILTIN ()
idmap config BUILTIN : range = not defined
Added domain BUILTIN S-1-5-32
wcache_tdc_add_domain: Adding domain WHEEZY-2 (), SID S-1-5-21-210096926-4033722923-1792459932, flags = 0x0, attributes = 0x0, type = 0x0
pack_tdc_domains: Packing 2 trusted domains
pack_tdc_domains: Packing domain BUILTIN ()
pack_tdc_domains: Packing domain WHEEZY-2 ()
idmap config WHEEZY-2 : range = not defined
Added domain WHEEZY-2 S-1-5-21-210096926-4033722923-1792459932
Could not fetch our SID - did we join?
unable to initialize domain list
-----------------------------------------------

Boom!!!
The command is stopped.

2) Second attempt to join the domain on the member server. It's better but it doesn't work either.

root@member:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- CHEZMOI
Joined 'WHEEZY-2' to dns domain 'chezmoi.priv'
DNS Update for wheezy-2.chezmoi.priv failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
root@member:~# ldconfig
root@member:~# smbd && nmbd
root@member:~# winbindd -i -d 10

And winbindd seems to be ok. I have:

root@member:~# wbinfo -u
administrator
krbtgt
test10
test11
guest
test1
test2
test3
test4
test5
test6
...

root@member:~# wbinfo -i test9
test9:*:70004:70001:test9:/home/CHEZMOI/test9:/bin/false

But if I create a user on the domain controller server:

root@dc:~# samba-tool user add test12 --random-password
User 'test12' created successfully

and afterwards, on the member server:

root@member:~# wbinfo -i test12
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test12

Here is the stdout of winbindd during the command:

-----------------------------------------------
info : *
    info: struct wbint_userinfo
        acct_name : *
            acct_name : 'test12'
        full_name : NULL
        homedir : NULL
        shell : NULL
        primary_gid : 0x00000000ffffffff (4294967295)
        user_sid : S-1-5-21-3370545617-3166960116-3193249687-1115
        group_sid : S-1-5-21-3370545617-3166960116-3193249687-513
result : NT_STATUS_NOT_FOUND
Could not convert sid S-1-5-21-3370545617-3166960116-3193249687-1115: NT_STATUS_NOT_FOUND
wb_request_done[2813:GETPWNAM]: NT_STATUS_NOT_FOUND
winbind_client_response_written[2813:GETPWNAM]: delivered response to client
closing socket 23, client exited
-----------------------------------------------

Sorry for this long message.

--
François Lafont