smb.conf and krb5.conf on dc2:

# Global parameters
[global]
    workgroup = AD
    realm = ad.dilken.eu
    netbios name = DC2
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    log level = 5

[netlogon]
    path = /var/lib/samba/sysvol/ad.dilken.eu/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_realm = AD.DILKEN.EU

smb.conf and krb5.conf on raspberry-pi:

[libdefaults]
    default_realm = AD.DILKEN.EU
    dns_lookup_realm = true
    dns_lookup_kdc = true

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

# Global parameters
[global]
    workgroup = AD
    realm = AD.DILKEN.EU
    netbios name = RASPBERRY-PI
    server role = active directory domain controller
    dns forwarder = 192.71.247.247
    idmap_ldb:use rfc2307 = yes
    log level = 5

[netlogon]
    path = /var/lib/samba/sysvol/ad.dilken.eu/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

I'll check the DNS entries later again.

Greetings

On 10.03.2015 at 22:55, Rowland Penny wrote:
> Hmm, it should actually be _kerberos._udp.ad.dilken.eu, what is in /etc/krb5.conf on the two DCs, also what is smb.conf on the two DCs
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 11/03/15 04:49, Roman Dilken wrote:
> smb.conf and krb5.conf on dc2:
>
> # Global parameters
> [global]
>     workgroup = AD
>     realm = ad.dilken.eu
>     netbios name = DC2
>     server role = active directory domain controller
>     idmap_ldb:use rfc2307 = yes
>     log level = 5
>
> [netlogon]
>     path = /var/lib/samba/sysvol/ad.dilken.eu/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> [libdefaults]
>     dns_lookup_realm = true
>     dns_lookup_kdc = true
>     default_realm = AD.DILKEN.EU
>
> smb.conf and krb5.conf on raspberry-pi:
>
> [libdefaults]
>     default_realm = AD.DILKEN.EU
>     dns_lookup_realm = true
>     dns_lookup_kdc = true
>
> [logging]
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmin.log
>     default = FILE:/var/log/krb5lib.log
>
> # Global parameters
> [global]
>     workgroup = AD
>     realm = AD.DILKEN.EU
>     netbios name = RASPBERRY-PI
>     server role = active directory domain controller
>     dns forwarder = 192.71.247.247
>     idmap_ldb:use rfc2307 = yes
>     log level = 5
>
> [netlogon]
>     path = /var/lib/samba/sysvol/ad.dilken.eu/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> I'll check the DNS entries later again.
>
> Greetings
>
> On 10.03.2015 at 22:55, Rowland Penny wrote:
>
>> Hmm, it should actually be _kerberos._udp.ad.dilken.eu, what is in /etc/krb5.conf on the two DCs, also what is smb.conf on the two DCs
>>
>> Rowland

I would expect the smb.conf on both DCs to be identical (apart from netbios name), but DC2 doesn't have a forwarder, are you using bind9 on this DC?

If you are using bind, you are missing the 'server services' line, I use bind9 and have this in smb.conf:

[global]
    workgroup = EXAMPLE
    realm = example.com
    netbios name = DC01
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
;   log level = 3

[netlogon]
    path = /var/lib/samba/sysvol/example.com/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

/etc/krb5.conf on both my DCs is this:

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = EXAMPLE.COM

/etc/resolv.conf on both my DCs is this:

search example.com
nameserver 127.0.0.1

Rowland

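Added example (not part of the thread and not code from either poster): a small Python check for the comparison Rowland describes, diffing the [global] sections of the two DCs while ignoring netbios name and reporting which DNS backend each configuration implies. The sample configs are constructed from the values posted above; the function names are hypothetical, and inferring BIND9 from a 'server services' list that omits 'dns' is an assumption.

```python
# Constructed from the two [global] sections posted in this thread.
DC2 = """[global]
workgroup = AD
realm = ad.dilken.eu
netbios name = DC2
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
"""
RASPBERRY_PI = """[global]
workgroup = AD
realm = AD.DILKEN.EU
netbios name = RASPBERRY-PI
server role = active directory domain controller
dns forwarder = 192.71.247.247
idmap_ldb:use rfc2307 = yes
"""

def parse_global(text):
    """Return the [global] parameters; names are lowercased, spacing collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def compare_dcs(a, b, ignore=("netbios name",)):
    """List (key, value_a, value_b, case_only) for every differing parameter."""
    diffs = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key), b.get(key)
        if key not in ignore and va != vb:
            case_only = None not in (va, vb) and va.lower() == vb.lower()
            diffs.append((key, va, vb, case_only))
    return diffs

def dns_backend(params):
    """Assumption: an explicit 'server services' list without 'dns' means BIND9."""
    services = params.get("server services", "dns")
    return "internal" if "dns" in [s.strip() for s in services.split(",")] else "bind9"

if __name__ == "__main__":
    for diff in compare_dcs(parse_global(DC2), parse_global(RASPBERRY_PI)):
        print(diff)
```

On the configs from this thread it reports the missing dns forwarder on DC2 and the realm written in different case; neither DC sets 'server services', so both are classed as using the internal DNS backend.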
Hi,

I tested again and found out that the ports-version is broken. If I install out of the package-collection, samba and winbindd work correctly and net ads join does its job.

Greetings,
Roman

On 11.03.2015 10:08, Rowland Penny wrote:
> On 11/03/15 04:49, Roman Dilken wrote:
>> smb.conf and krb5.conf on dc2:
>>
>> # Global parameters
>> [global]
>>     workgroup = AD
>>     realm = ad.dilken.eu
>>     netbios name = DC2
>>     server role = active directory domain controller
>>     idmap_ldb:use rfc2307 = yes
>>     log level = 5
>>
>> [netlogon]
>>     path = /var/lib/samba/sysvol/ad.dilken.eu/scripts
>>     read only = No
>>
>> [sysvol]
>>     path = /var/lib/samba/sysvol
>>     read only = No
>>
>> [libdefaults]
>>     dns_lookup_realm = true
>>     dns_lookup_kdc = true
>>     default_realm = AD.DILKEN.EU
>>
>> smb.conf and krb5.conf on raspberry-pi:
>>
>> [libdefaults]
>>     default_realm = AD.DILKEN.EU
>>     dns_lookup_realm = true
>>     dns_lookup_kdc = true
>>
>> [logging]
>>     kdc = FILE:/var/log/krb5kdc.log
>>     admin_server = FILE:/var/log/kadmin.log
>>     default = FILE:/var/log/krb5lib.log
>>
>> # Global parameters
>> [global]
>>     workgroup = AD
>>     realm = AD.DILKEN.EU
>>     netbios name = RASPBERRY-PI
>>     server role = active directory domain controller
>>     dns forwarder = 192.71.247.247
>>     idmap_ldb:use rfc2307 = yes
>>     log level = 5
>>
>> [netlogon]
>>     path = /var/lib/samba/sysvol/ad.dilken.eu/scripts
>>     read only = No
>>
>> [sysvol]
>>     path = /var/lib/samba/sysvol
>>     read only = No
>>
>> I'll check the DNS entries later again.
>>
>> Greetings
>>
>> On 10.03.2015 at 22:55, Rowland Penny wrote:
>>
>>> Hmm, it should actually be _kerberos._udp.ad.dilken.eu, what is in
>>> /etc/krb5.conf on the two DCs, also what is smb.conf on the two DCs
>>>
>>> Rowland
>
> I would expect the smb.conf on both DCs to be identical (apart from netbios
> name), but DC2 doesn't have a forwarder, are you using bind9 on this DC?
>
> If you are using bind, you are missing the 'server services' line, I use
> bind9 and have this in smb.conf:
>
> [global]
>     workgroup = EXAMPLE
>     realm = example.com
>     netbios name = DC01
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>         drepl, winbind, ntp_signd, kcc, dnsupdate
>     idmap_ldb:use rfc2307 = yes
>     template shell = /bin/bash
> ;   log level = 3
>
> [netlogon]
>     path = /var/lib/samba/sysvol/example.com/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> /etc/krb5.conf on both my DCs is this:
>
> [libdefaults]
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>     default_realm = EXAMPLE.COM
>
> /etc/resolv.conf on both my DCs is this:
>
> search example.com
> nameserver 127.0.0.1
>
> Rowland