Daniel Carrasco Marín
2015-Apr-25 15:24 UTC
[Samba] I can't join the new AD server with Samba4
2015-04-25 16:57 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:

> On 25/04/15 15:44, Daniel Carrasco Marín wrote:
>
>> On AD server I've linked the kerberos file on samba folder:
>> lrwxrwxrwx 1 root root 32 abr 25 16:23 krb5.conf -> /var/lib/samba/private/krb5.conf
>>
>> On client I've the default:
>> [libdefaults]
>> default_realm = TTU.RED
>>
>> # The following krb5.conf variables are only for MIT Kerberos.
>> krb4_config = /etc/krb.conf
>> krb4_realms = /etc/krb.realms
>> kdc_timesync = 1
>> ccache_type = 4
>> forwardable = true
>> proxiable = true
>> ........
>>
>> [realms]
>> TTU.RED = {
>> kdc = pdc
>> admin_server = pdc
>> }
>> ........
>
> Use the same krb5.conf as on the DC

Ok, copied.

> Does /etc/krb5.keytab exist, if it does, remove it.
>
>> Deleted, but nothing changed.
>
> You will need to try and rejoin the domain
>
> Does /etc/resolv.conf point to the DC ?
>
>> Yes:
>> cat /etc/resolv.conf
>> domain TTU
>> nameserver 192.168.2.251
>
> Please change /etc/resolv.conf to this:
>
> search ttu.red
> nameserver 192.168.2.251

Changed.

>> Are you sure that you are using the correct password for Administrator ?
>>
>> Yes, even I've tried to change the PW to another, and other commands work
>> fine, for example with "kinit administrator@TTU.RED" and "klist -c":
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administrator@TTU.RED
>>
>> Valid starting     Expires            Service principal
>> 25/04/15 16:36:10  26/04/15 02:36:10  krbtgt/TTU.RED@TTU.RED
>>         renew until 26/04/15 16:36:06
>>
>> I've linked the file shown in the log to krb5.conf:
>> ln -s /var/run/samba/smb_krb5/krb5.conf.TTU /etc/krb5.conf
>>
>> I got the same error:
>> .......
>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> ads_sasl_spnego_bind: got server principal name not_defined_in_RFC4178@please_ignore
>> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el directorio)
>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration dom, 26 abr 2015 02:37:30 CEST
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
>> libnet_Join:
>>     libnet_JoinCtx: struct libnet_JoinCtx
>>         out: struct libnet_JoinCtx
>>             account_name        : NULL
>>             netbios_domain_name : 'TTU'
>>             dns_domain_name     : 'ttu.red'
>>             forest_name         : 'ttu.red'
>>             dn                  : NULL
>>             domain_sid          : *
>>                 domain_sid      : S-1-5-21-127850397-371183867-665961664
>>             modified_config     : 0x00 (0)
>>             error_string        : 'failed to connect to AD: Invalid credentials'
>>             domain_is_ad        : 0x01 (1)
>>             result              : WERR_GENERAL_FAILURE
>> Failed to join domain: failed to connect to AD: Invalid credentials
>> return code = -1
>>
>> I can run commands like "net ads rpc -U Administrator" and they work fine, I
>> can even get some AD info:
>> # net rpc info -U Administrator
>> Enter Administrator's password:
>> Domain Name: TTU
>> Domain SID: S-1-5-21-127850397-371183867-665961664
>> Sequence number: 1
>> Num users: 144
>> Num domain groups: 42
>> Num local groups: 26
>>
>> It's strange because, as I said, if I create a new domain without upgrade
>> then I can join that domain even without krb5-client installed.
>
> what OS are you using ?

Debian 7u2

> what version of samba on the member server ?

Same as AD: Version 4.1.17-Debian

> What packages have you installed to try and get samba working

Same packages, latest from wheezy-backports. The only difference is that I've created a new domain instead of upgrading the old 3.6 domain.

> anything else relevant, apparmor, selinux, firewall etc ?

AD doesn't have any kind of firewall or apparmor. I don't have Apparmor, and the firewall has the basic configuration on the client. I don't know about selinux, but the default configuration has not changed.

I'm starting to think it's better to create a new domain and move the machines and users to the new domain.

Greetings!!

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 25/04/15 16:24, Daniel Carrasco Marín wrote:
> [...]
OK, I use debian wheezy with samba from backports and this is how I set things up on a member server:

Install these packages from backports:

samba samba-common-bin samba-common samba-libs samba-vfs-modules \
samba-dsdb-modules tdb-tools libwbclient0 libsmbclient winbind \
ldb-tools zip arj mktemp acl attr quota krb5-config libnss-winbind \
libpam-winbind libpam-krb5 krb5-user

Create a smb.conf:

[global]
workgroup = TTU
security = ADS
realm = TTU.RED

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h

winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes

## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain, the ranges may not overlap !
idmap config TTU : backend = ad
idmap config TTU : schema_mode = rfc2307
idmap config TTU : range = 10000-999999

domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
host msdfs = no

# For ACL support on member server
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes

alter /etc/krb5.conf

[libdefaults]
default_realm = TTU.RED
dns_lookup_realm = false
dns_lookup_kdc = true

Make sure that the kerberos config file /etc/krb5.conf is correct.

Make sure that /etc/resolv.conf is pointing to the domain and the AD DC:

search ttu.red
nameserver <IP_OF_SAMBA4_AD_DC>

You should now be able to join the domain:

net ads join -U Administrator

If this does not work, then it is more likely that the problem lies on the AD DC, unless it is something simple like blocked ports on the firewall; the easiest way to rule this out is to turn off the firewall temporarily.

Rowland
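Rowland's recipe comes down to three files that must agree with each other. The checker below is an added example, not code from the Samba project or from either poster: it reads a smb.conf, krb5.conf and resolv.conf and reports the mismatches this thread ran into (idmap ranges that overlap, a krb5.conf whose realm differs from smb.conf or that lacks dns_lookup_kdc so the KDC is hard-coded, and a resolv.conf that names the NetBIOS domain instead of searching ttu.red). It assumes a minimal INI-style parse of the [global] and [libdefaults] sections is enough; the sample files are copied from the posts.

```python
# Added example, not Samba's or the posters' code: lint the three files the thread edits.
import re
from itertools import combinations

def parse_ini(text):
    out, cur = {}, None  # {section: {key: value}}, keys lower-cased, ':' spacing unified
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            out.setdefault(cur, {})
        elif "=" in line and cur:
            k, v = line.split("=", 1)
            out[cur][re.sub(r"\s*:\s*", " : ", " ".join(k.lower().split()))] = v.strip()
    return out

def lint_member_config(smb_conf, krb5_conf, resolv_conf):
    """Return a list of problems; an empty list means the three files agree."""
    g = parse_ini(smb_conf).get("global", {})
    realm = g.get("realm", "").upper()
    problems = []
    if g.get("security", "").lower() != "ads" or not realm:
        problems.append("smb.conf: security = ADS and realm are both required")
    # every 'idmap config <dom> : range' must be disjoint from the others
    ranges = {}
    for k, v in g.items():
        m = re.fullmatch(r"idmap config (\S+) : range", k)
        if m:
            ranges[m.group(1)] = tuple(int(x) for x in v.split("-"))
    for a, b in combinations(sorted(ranges), 2):
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            problems.append(f"smb.conf: idmap ranges {a} and {b} overlap")
    # krb5.conf: same realm as smb.conf; KDC found via DNS SRV, not hard-coded
    lib = parse_ini(krb5_conf).get("libdefaults", {})
    if lib.get("default_realm", "").upper() != realm:
        problems.append("krb5.conf: default_realm differs from smb.conf realm")
    if lib.get("dns_lookup_kdc", "").lower() != "true":
        problems.append("krb5.conf: dns_lookup_kdc = true is missing")
    # resolv.conf: 'search' must carry the AD DNS domain (the lower-cased realm)
    search = [w for l in resolv_conf.splitlines() if l.startswith("search") for w in l.split()[1:]]
    if realm.lower() not in search:
        problems.append(f"resolv.conf: 'search {realm.lower()}' is missing")
    return problems

# Sample inputs: smb.conf/krb5.conf as posted; resolv.conf as first shown and as corrected.
SMB_CONF = """[global]
security = ADS
realm = TTU.RED
idmap config *:range = 2000-9999
idmap config TTU : range = 10000-999999
"""
KRB5_CONF = "[libdefaults]\ndefault_realm = TTU.RED\ndns_lookup_realm = false\ndns_lookup_kdc = true\n"
RESOLV_BAD = "domain TTU\nnameserver 192.168.2.251\n"
RESOLV_GOOD = "search ttu.red\nnameserver 192.168.2.251\n"
```

Run it against the real files before `net ads join`; it reports only the mismatches the thread discussed, so an empty list does not prove the DC side is healthy.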
Daniel Carrasco Marín
2015-Apr-25 16:07 UTC
[Samba] I can't join the new AD server with Samba4
Thanks for all your help. I've got the same error, so I think maybe it's a problem related to the upgrade. Maybe some wrong permissions or info on the old samba server. I'll try to create a new domain with the right data and migrate all machines (fortunately there are few computers). I think it's the best.

Greetings!!

2015-04-25 17:44 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> [...]