Daniel Carrasco Marín
2015-Apr-25 16:24 UTC
[Samba] I can't join the new AD server with Samba4
Hi,

The smb.conf is the default after the upgrade:

cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = TTU
        realm = ttu.red
        netbios name = PDC
        interfaces = lo, eth0
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /server/samba/sysvol/ttu.red/scripts
        read only = No

[sysvol]
        path = /server/samba/sysvol
        read only = No

and yes, it has a fixed IP.

I don't know if it is important, but the dns backend is Bind 9.9. I've tested the dns with "samba_dnsupdate --verbose" and it looks fine:

IPs: ['192.168.2.251']
Looking for DNS entry A pdc.ttu.red 192.168.2.251 as pdc.ttu.red.
Looking for DNS entry A ttu.red 192.168.2.251 as ttu.red.
Looking for DNS entry SRV _ldap._tcp.ttu.red pdc.ttu.red 389 as _ldap._tcp.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.ttu.red pdc.ttu.red 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.ttu.red pdc.ttu.red 389 as _ldap._tcp.dc._msdcs.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.dc._msdcs.ttu.red pdc.ttu.red 389
Looking for DNS entry SRV _ldap._tcp.981b82ce-75a3-453f-a1b1-140194960bac.domains._msdcs.ttu.red pdc.ttu.red 389 as _ldap._tcp.981b82ce-75a3-453f-a1b1-140194960bac.domains._msdcs.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.981b82ce-75a3-453f-a1b1-140194960bac.domains._msdcs.ttu.red pdc.ttu.red 389
Looking for DNS entry SRV _kerberos._tcp.ttu.red pdc.ttu.red 88 as _kerberos._tcp.ttu.red.
Checking 0 100 88 pdc.ttu.red. against SRV _kerberos._tcp.ttu.red pdc.ttu.red 88
Looking for DNS entry SRV _kerberos._udp.ttu.red pdc.ttu.red 88 as _kerberos._udp.ttu.red.
Checking 0 100 88 pdc.ttu.red. against SRV _kerberos._udp.ttu.red pdc.ttu.red 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.ttu.red pdc.ttu.red 88 as _kerberos._tcp.dc._msdcs.ttu.red.
Checking 0 100 88 pdc.ttu.red. against SRV _kerberos._tcp.dc._msdcs.ttu.red pdc.ttu.red 88
Looking for DNS entry SRV _kpasswd._tcp.ttu.red pdc.ttu.red 464 as _kpasswd._tcp.ttu.red.
Checking 0 100 464 pdc.ttu.red. against SRV _kpasswd._tcp.ttu.red pdc.ttu.red 464
Looking for DNS entry SRV _kpasswd._udp.ttu.red pdc.ttu.red 464 as _kpasswd._udp.ttu.red.
Checking 0 100 464 pdc.ttu.red. against SRV _kpasswd._udp.ttu.red pdc.ttu.red 464
Looking for DNS entry CNAME 00b7f230-fa13-4e51-9e36-0c95360029a5._msdcs.ttu.red pdc.ttu.red as 00b7f230-fa13-4e51-9e36-0c95360029a5._msdcs.ttu.red.
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 389 as _ldap._tcp.Default-First-Site-Name._sites.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red pdc.ttu.red 389 as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red pdc.ttu.red 389
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 88 as _kerberos._tcp.Default-First-Site-Name._sites.ttu.red.
Checking 0 100 88 pdc.ttu.red. against SRV _kerberos._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 88
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red pdc.ttu.red 88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red.
Checking 0 100 88 pdc.ttu.red. against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ttu.red pdc.ttu.red 88
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.ttu.red pdc.ttu.red 389 as _ldap._tcp.pdc._msdcs.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.pdc._msdcs.ttu.red pdc.ttu.red 389
Looking for DNS entry A gc._msdcs.ttu.red 192.168.2.251 as gc._msdcs.ttu.red.
Looking for DNS entry SRV _gc._tcp.ttu.red pdc.ttu.red 3268 as _gc._tcp.ttu.red.
Checking 0 100 3268 pdc.ttu.red. against SRV _gc._tcp.ttu.red pdc.ttu.red 3268
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.ttu.red pdc.ttu.red 3268 as _ldap._tcp.gc._msdcs.ttu.red.
Checking 0 100 3268 pdc.ttu.red. against SRV _ldap._tcp.gc._msdcs.ttu.red pdc.ttu.red 3268
Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 3268 as _gc._tcp.Default-First-Site-Name._sites.ttu.red.
Checking 0 100 3268 pdc.ttu.red. against SRV _gc._tcp.Default-First-Site-Name._sites.ttu.red pdc.ttu.red 3268
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ttu.red pdc.ttu.red 3268 as _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ttu.red.
Checking 0 100 3268 pdc.ttu.red. against SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ttu.red pdc.ttu.red 3268
Looking for DNS entry A DomainDnsZones.ttu.red 192.168.2.251 as DomainDnsZones.ttu.red.
Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.ttu.red pdc.ttu.red 389 as _ldap._tcp.DomainDnsZones.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.DomainDnsZones.ttu.red pdc.ttu.red 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ttu.red pdc.ttu.red 389 as _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ttu.red pdc.ttu.red 389
Looking for DNS entry A ForestDnsZones.ttu.red 192.168.2.251 as ForestDnsZones.ttu.red.
Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.ttu.red pdc.ttu.red 389 as _ldap._tcp.ForestDnsZones.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.ForestDnsZones.ttu.red pdc.ttu.red 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ttu.red pdc.ttu.red 389 as _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ttu.red.
Checking 0 100 389 pdc.ttu.red. against SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ttu.red pdc.ttu.red 389
No DNS updates needed

The krb5.conf is the linked version:
[libdefaults]
        default_realm = TTU.RED
        dns_lookup_realm = false
        dns_lookup_kdc = true

and I can join the AD and use the RSAT tools with a Windows machine.

Greetings!!

2015-04-25 18:11 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 25/04/15 17:07, Daniel Carrasco Marín wrote:
>
>> Thanks for all your help.
>>
>> I've got the same error, so I think maybe it is a problem related with the
>> upgrade. Maybe some wrong permissions or info on the old samba server.
>> I'll try to create a new domain with the right data and migrate all machines
>> (fortunately there are few computers). I think it is the best.
>>
>> Greetings!!
>>
>> 2015-04-25 17:44 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>
>> On 25/04/15 16:24, Daniel Carrasco Marín wrote:
>>
>> 2015-04-25 16:57 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>
>> On 25/04/15 15:44, Daniel Carrasco Marín wrote:
>>
>> On the AD server I've linked the kerberos file on the samba folder:
>> lrwxrwxrwx 1 root root 32 abr 25 16:23 krb5.conf -> /var/lib/samba/private/krb5.conf
>>
>> On the client I've the default:
>> [libdefaults]
>>         default_realm = TTU.RED
>>
>> # The following krb5.conf variables are only for MIT Kerberos.
>>         krb4_config = /etc/krb.conf
>>         krb4_realms = /etc/krb.realms
>>         kdc_timesync = 1
>>         ccache_type = 4
>>         forwardable = true
>>         proxiable = true
>> ........
>>
>> [realms]
>>         TTU.RED = {
>>                 kdc = pdc
>>                 admin_server = pdc
>>         }
>> ........
>>
>> Use the same krb5.conf as on the DC
>>
>> Ok copied.
>>
>> Does /etc/krb5.keytab exist, if it does, remove it.
>>
>> Deleted, but nothing changed.
>>
>> You will need to try and rejoin the domain
>>
>> Does /etc/resolv.conf point to the DC ?
>>
>> Yes:
>> cat /etc/resolv.conf
>> domain TTU
>> nameserver 192.168.2.251
>>
>> Please change /etc/resolv.conf to this:
>>
>> search ttu.red
>> nameserver 192.168.2.251
>>
>> Changed.
>>
>> Are you sure that you are using the correct password for Administrator ?
>>
>> Yes, I've even tried to change the PW to another, and other commands work
>> fine, for example with "kinit administrator at TTU.RED" and "klist -c":
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administrator at TTU.RED
>>
>> Valid starting       Expires              Service principal
>> 25/04/15 16:36:10    26/04/15 02:36:10    krbtgt/TTU.RED at TTU.RED
>>         renew until 26/04/15 16:36:06
>>
>> I've linked the file shown in the log to krb5.conf:
>> ln -s /var/run/samba/smb_krb5/krb5.conf.TTU /etc/krb5.conf
>>
>> I got the same error:
>> .......
>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> ads_sasl_spnego_bind: got server principal name not_defined_in_RFC4178 at please_ignore
>> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el directorio)
>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration dom, 26 abr 2015 02:37:30 CEST
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
>> libnet_Join:
>>     libnet_JoinCtx: struct libnet_JoinCtx
>>         out: struct libnet_JoinCtx
>>             account_name             : NULL
>>             netbios_domain_name      : 'TTU'
>>             dns_domain_name          : 'ttu.red'
>>             forest_name              : 'ttu.red'
>>             dn                       : NULL
>>             domain_sid               : *
>>                 domain_sid               : S-1-5-21-127850397-371183867-665961664
>>             modified_config          : 0x00 (0)
>>             error_string             : 'failed to connect to AD: Invalid credentials'
>>             domain_is_ad             : 0x01 (1)
>>             result                   : WERR_GENERAL_FAILURE
>> Failed to join domain: failed to connect to AD: Invalid credentials
>> return code = -1
>>
>> I can run commands like "net ads rpc -U "Administrator" and they work
>> fine, I can even get some AD info:
>> # net rpc info -U Administrator
>> Enter Administrator's password:
>> Domain Name: TTU
>> Domain SID: S-1-5-21-127850397-371183867-665961664
>> Sequence number: 1
>> Num users: 144
>> Num domain groups: 42
>> Num local groups: 26
>>
>> It is strange because, as I said, if I create a new domain without
>> upgrading then I can join that domain even without krb5-client installed.
>>
>> what OS are you using ?
>>
>> Debian 7u2
>>
>> what version of samba on the member server ?
>>
>> Same as AD:
>> Version 4.1.17-Debian
>>
>> What packages have you installed to try and get samba working
>>
>> Same packages, latest from wheezy-backports. The only difference is that
>> I've created a new domain instead of upgrading the old 3.6 domain.
>>
>> anything else relevant, apparmor, selinux, firewall etc ?
>>
>> AD doesn't have any kind of firewall or apparmor. I don't have Apparmor,
>> and the firewall has the basic configuration on the client. I don't know
>> about selinux, but the default configuration has not changed.
>>
>> I'm starting to think it is better to create a new domain and move the
>> machines and users to the new domain.
>>
>> Greetings!!
>>
>> Rowland
>>
>> -- To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>> OK, I use debian wheezy with samba from backports and this is how
>> I set things up on a member server:
>>
>> Install these packages from backports:
>>
>> samba samba-common-bin samba-common samba-libs samba-vfs-modules \
>> samba-dsdb-modules tdb-tools libwbclient0 libsmbclient winbind \
>> ldb-tools zip arj mktemp acl attr quota krb5-config libnss-winbind \
>> libpam-winbind libpam-krb5 krb5-user
>>
>> Create a smb.conf:
>>
>> [global]
>>         workgroup = TTU
>>         security = ADS
>>         realm = TTU.RED
>>
>>         dedicated keytab file = /etc/krb5.keytab
>>         kerberos method = secrets and keytab
>>         server string = Samba 4 Client %h
>>
>>         winbind enum users = no
>>         winbind enum groups = no
>>         winbind use default domain = yes
>>         winbind expand groups = 4
>>         winbind nss info = rfc2307
>>         winbind refresh tickets = Yes
>>         winbind offline logon = yes
>>         winbind normalize names = Yes
>>
>>         ## map ids outside of domain to tdb files.
>>         idmap config *:backend = tdb
>>         idmap config *:range = 2000-9999
>>         ## map ids from the domain the ranges may not overlap !
>>         idmap config TTU : backend = ad
>>         idmap config TTU : schema_mode = rfc2307
>>         idmap config TTU : range = 10000-999999
>>
>>         domain master = no
>>         local master = no
>>         preferred master = no
>>         os level = 20
>>         map to guest = bad user
>>         host msdfs = no
>>
>>         # For ACL support on member server
>>         vfs objects = acl_xattr
>>         map acl inherit = Yes
>>         store dos attributes = Yes
>>
>>         # Share Setting Globally
>>         unix extensions = no
>>         reset on zero vc = yes
>>         veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>>         hide unreadable = yes
>>
>> alter /etc/krb5.conf
>>
>> [libdefaults]
>>         default_realm = TTU.RED
>>         dns_lookup_realm = false
>>         dns_lookup_kdc = true
>>
>> Make sure that the kerberos config file /etc/krb5.conf is correct
>>
>> [libdefaults]
>>         default_realm = TTU.RED
>>         dns_lookup_realm = false
>>         dns_lookup_kdc = true
>>
>> Make sure that /etc/resolv.conf is pointing to the domain and the AD DC:
>>
>> search ttu.red
>> nameserver <IP_OF_SAMBA4_AD_DC>
>>
>> You should now be able to join the domain:
>>
>> net ads join -U Administrator
>>
>> If this does not work, then it is more likely that the problem lies on
>> the AD DC, unless it is something simple like blocked ports on the
>> firewall, the easiest way to rule this out, is to turn off the firewall
>> temporarily.
>>
>> Rowland
>
> OK, but before you do, you could check the AD DC, could you post the
> smb.conf from the DC ?
> Does the DC have a fixed ip ?
>
> Rowland
Rowland Penny
2015-Apr-25 16:56 UTC
[Samba] I can't join the new AD server with Samba4
On 25/04/15 17:24, Daniel Carrasco Marín wrote:
> Hi,
>
> The smb.conf is the default after the upgrade:
> cat /etc/samba/smb.conf
> # Global parameters
> [global]
>         workgroup = TTU
>         realm = ttu.red
>         netbios name = PDC
>         interfaces = lo, eth0
>         bind interfaces only = Yes
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>         path = /server/samba/sysvol/ttu.red/scripts
>         read only = No
>
> [sysvol]
>         path = /server/samba/sysvol
>         read only = No
>
hmm, don't know if it means anything, but you say you are using debian, so why is the path to sysvol '/server/samba' and not '/var/lib/samba' ?

can you post the output of 'samba -b'

Rowland

> and yes, it has a fixed IP.
Daniel Carrasco Marín
2015-Apr-25 17:07 UTC
[Samba] I can't join the new AD server with Samba4
2015-04-25 18:56 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 25/04/15 17:24, Daniel Carrasco Marín wrote:
>
>> Hi,
>>
>> The smb.conf is the default after the upgrade:
>> cat /etc/samba/smb.conf
>> # Global parameters
>> [global]
>>         workgroup = TTU
>>         realm = ttu.red
>>         netbios name = PDC
>>         interfaces = lo, eth0
>>         bind interfaces only = Yes
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>         idmap_ldb:use rfc2307 = yes
>>
>> [netlogon]
>>         path = /server/samba/sysvol/ttu.red/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /server/samba/sysvol
>>         read only = No
>>
> hmm, don't know if it means anything, but you say you are using debian, so
> why is the path to sysvol '/server/samba' and not '/var/lib/samba' ?

I've moved the sysvol folder to another path. I like to use that path because it helps in future upgrades. If I need some extra space I only have to attach a disk, copy all data to the new disk and mount that disk on /server. The samba folder with all the other stuff is still on /var/lib/samba.

# samba -b
Samba version: 4.1.17-Debian
Build environment:
   Build host:  Linux pontus 3.14-1-amd64 #1 SMP Debian 3.14.12-1 (2014-07-11) x86_64 GNU/Linux
Paths:
   BINDIR: /usr/bin
   SBINDIR: /usr/sbin
   CONFIGFILE: /etc/samba/smb.conf
   NCALRPCDIR: /var/run/samba/ncalrpc
   LOGFILEBASE: /var/log/samba
   LMHOSTSFILE: /etc/samba/lmhosts
   DATADIR: /usr/share
   MODULESDIR: /usr/lib/x86_64-linux-gnu/samba
   LOCKDIR: /var/run/samba
   STATEDIR: /var/lib/samba
   CACHEDIR: /var/cache/samba
   PIDDIR: /var/run/samba
   PRIVATE_DIR: /var/lib/samba/private
   CODEPAGEDIR: /usr/share/samba/codepages
   SETUPDIR: /usr/share/samba/setup
   WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
   WINBINDD_PRIVILEGED_SOCKET_DIR: /var/lib/samba/winbindd_privileged
   NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd

Greetings!!

> can you post the output of 'samba -b'
>
> Rowland
>
>> and yes, it has a fixed IP.
against SRV >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ttu.red >> pdc.ttu.red 389 >> No DNS updates needed >> >> The krb5.conf is the linked version: >> [libdefaults] >> default_realm = TTU.RED >> dns_lookup_realm = false >> dns_lookup_kdc = true >> >> >> and i can join the AD and use the RSAT tools with a Windows Machine. >> >> Greetings!! >> >> 2015-04-25 18:11 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com >> <mailto:rowlandpenny at googlemail.com>>: >> >> On 25/04/15 17:07, Daniel Carrasco Mar?n wrote: >> >> Thanks for all your help. >> >> I've got the same error, then i think maybe is a problem >> related with upgrade. Maybe any wrong permissions or info on >> old samba server. >> I'll try to create a new domain with right data and migrate >> all machines (fortunately are few computers). I think is the best. >> >> Greetings!! >> >> 2015-04-25 17:44 GMT+02:00 Rowland Penny >> <rowlandpenny at googlemail.com >> <mailto:rowlandpenny at googlemail.com> >> <mailto:rowlandpenny at googlemail.com >> <mailto:rowlandpenny at googlemail.com>>>: >> >> On 25/04/15 16:24, Daniel Carrasco Mar?n wrote: >> >> >> >> 2015-04-25 16:57 GMT+02:00 Rowland Penny >> <rowlandpenny at googlemail.com >> <mailto:rowlandpenny at googlemail.com> >> <mailto:rowlandpenny at googlemail.com >> <mailto:rowlandpenny at googlemail.com>> >> <mailto:rowlandpenny at googlemail.com >> <mailto:rowlandpenny at googlemail.com> >> >> <mailto:rowlandpenny at googlemail.com >> <mailto:rowlandpenny at googlemail.com>>>>: >> >> >> On 25/04/15 15:44, Daniel Carrasco Mar?n wrote: >> >> >> >> On AD server i've linked the kerberos file on >> samba >> folder: >> lrwxrwxrwx 1 root root 32 abr 25 16:23 >> krb5.conf -> >> /var/lib/samba/private/krb5.conf >> >> On client i've the default: >> [libdefaults] >> default_realm = TTU.RED >> >> # The following krb5.conf variables are only >> for MIT >> Kerberos. 
>> krb4_config = /etc/krb.conf >> krb4_realms = /etc/krb.realms >> kdc_timesync = 1 >> ccache_type = 4 >> forwardable = true >> proxiable = true >> ........ >> >> [realms] >> TTU.RED = { >> kdc = pdc >> admin_server = pdc >> } >> ........ >> >> >> >> Use the same krb5.conf as on the DC >> >> >> Ok copied. >> >> >> Does /etc/krb5.keytab exist, if it does, >> remove it. >> >> >> Deleted, but nothing changed. >> >> >> You will need to try and rejoin the domain >> >> Does /etc/resolv.conf point to the DC ? >> >> >> Yes: >> cat /etc/resolv.conf >> domain TTU >> nameserver 192.168.2.251 >> >> >> Please change /etc/resolv.conf to this: >> >> search ttu.red >> >> nameserver 192.168.2.251 >> >> >> Changed. >> >> >> >> Are you sure that you are using the correct >> password for >> Administrator ? >> >> >> Yes, even i've tried to cange the PW to >> another, and other >> commands works fine, for example with "kinit >> administrator at TTU.RED" and "klist -c": >> Ticket cache: FILE:/tmp/krb5cc_0 >> Default principal: administrator at TTU.RED >> >> Valid starting Expires Service principal >> 25/04/15 16:36:10 26/04/15 02:36:10 >> krbtgt/TTU.RED at TTU.RED >> renew until 26/04/15 16:36:06 >> >> >> I've linked the file showed on log to krb5.conf: >> ln -s /var/run/samba/smb_krb5/krb5.conf.TTU >> /etc/krb5.conf >> >> I got the same error: >> ....... 
>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2 >> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2 >> ads_sasl_spnego_bind: got >> OID=1.3.6.1.4.1.311.2.2.10 >> ads_sasl_spnego_bind: got server principal name >> not_defined_in_RFC4178 at please_ignore >> ads_krb5_mk_req: krb5_cc_get_principal failed (No >> existe el >> fichero o el directorio) >> ads_cleanup_expired_creds: Ticket in >> ccache[MEMORY:net_ads] >> expiration dom, 26 abr 2015 02:37:30 CEST >> kinit succeeded but ads_sasl_spnego_krb5_bind >> failed: >> Invalid >> credentials >> libnet_Join: >> libnet_JoinCtx: struct libnet_JoinCtx >> out: struct libnet_JoinCtx >> account_name : NULL >> netbios_domain_name : 'TTU' >> dns_domain_name : 'ttu.red' >> forest_name : 'ttu.red' >> dn : NULL >> domain_sid : * >> domain_sid : >> S-1-5-21-127850397-371183867-665961664 >> <tel:665961664> <tel:665961664 <tel:665961664>> >> <tel:665961664 <tel:665961664> <tel:665961664 >> <tel:665961664>>> >> modified_config : 0x00 (0) >> error_string : 'failed to >> connect to >> AD: Invalid credentials' >> domain_is_ad : 0x01 (1) >> result : >> WERR_GENERAL_FAILURE >> Failed to join domain: failed to connect to >> AD: Invalid >> credentials >> return code = -1 >> >> I can run commands like "net ads rpc -U >> "Administrator" and >> works fine, i even can get some AD info: >> # net rpc info -U Administrator >> Enter Administrator's password: >> Domain Name: TTU >> Domain SID: >> S-1-5-21-127850397-371183867-665961664 <tel:665961664> >> <tel:665961664 <tel:665961664>> <tel:665961664 >> >> <tel:665961664> <tel:665961664 <tel:665961664>>> >> >> Sequence number: 1 >> Num users: 144 >> Num domain groups: 42 >> Num local groups: 26 >> >> >> Is strange because as i said, if i create a >> new domain >> without >> upgrade then i can join that domain even without >> krb5-client >> installed. >> >> >> >> what OS are you using ? >> >> >> Debian 7u2 >> >> what version of samba on the member server ? 
>> >> >> Same as AD: >> Version 4.1.17-Debian >> >> What packages have you installed to try and get >> samba working >> >> >> Same packages, latest from wheezy-backports. The only >> difference is that i've created a new domain instead >> upgrade >> the old 3.6 domain. >> >> >> anything else relevant, apparmor, selinux, >> firewall etc ? >> >> >> AD don't have any kind of firewall or apparmor. I >> don't have >> Apparmor, and the firewall have the basic configuration on >> client. I don't know about selinux, but the default >> configuracion has not changed. >> >> I'm starting to think is better to create a new domain and >> move the machines and users to the new domain. >> >> Greetings!! >> >> >> >> Rowland >> >> -- To unsubscribe from this list go to the >> following >> URL and read the >> instructions: >> https://lists.samba.org/mailman/options/samba >> >> >> >> OK, I use debian wheezy with samba from backports and this >> is how >> I set things up on a member server: >> >> Install these packages from backports: >> >> samba samba-common-bin samba-common samba-libs >> samba-vfs-modules \ >> samba-dsdb-modules tdb-tools libwbclient0 libsmbclient >> winbind \ >> ldb-tools zip arj mktemp acl attr quota krb5-config >> libnss-winbind \ >> libpam-winbind libpam-krb5 krb5-user >> >> Create a smb.conf: >> >> [global] >> workgroup = TTU >> security = ADS >> realm = TTU.RED >> >> dedicated keytab file = /etc/krb5.keytab >> kerberos method = secrets and keytab >> server string = Samba 4 Client %h >> >> winbind enum users = no >> winbind enum groups = no >> winbind use default domain = yes >> winbind expand groups = 4 >> winbind nss info = rfc2307 >> winbind refresh tickets = Yes >> winbind offline logon = yes >> winbind normalize names = Yes >> >> ## map ids outside of domain to tdb files. >> idmap config *:backend = tdb >> idmap config *:range = 2000-9999 >> ## map ids from the domain the ranges may not overlap ! 
>> idmap config TTU : backend = ad >> idmap config TTU : schema_mode = rfc2307 >> idmap config TTU : range = 10000-999999 >> >> domain master = no >> local master = no >> preferred master = no >> os level = 20 >> map to guest = bad user >> host msdfs = no >> >> # For ACL support on member server >> vfs objects = acl_xattr >> map acl inherit = Yes >> store dos attributes = Yes >> >> # Share Setting Globally >> unix extensions = no >> reset on zero vc = yes >> veto files >> /.bash_logout/.bash_profile/.bash_history/.bashrc/ >> hide unreadable = yes >> >> alter /etc/krb5.conf >> >> [libdefaults] >> default_realm = TTU.RED >> dns_lookup_realm = false >> dns_lookup_kdc = true >> >> Make sure that the kerberos config file /etc/krb5.conf is >> correct >> >> [libdefaults] >> default_realm = TTU.RED >> dns_lookup_realm = false >> dns_lookup_kdc = true >> >> Make sure that /etc/resolv.conf is pointing to the domain >> and the >> AD DC: >> >> search ttu.red >> nameserver <IP_OF_SAMBA4_AD_DC> >> >> You should now be able to join the domain: >> >> net ads join -U Administrator >> >> If this does not work, then it is more likely that the problem >> lies on the AD DC, unless it is something simple like blocked >> ports on the firewall, the easiest way to rule this out, is to >> turn off the firewall temporarily. >> >> >> Rowland >> -- To unsubscribe from this list go to the following >> URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >> >> >> OK, but before you do, you could check the AD DC, could you post >> the smb.conf from the DC ? >> Does the DC have a fixed ip ? >> >> >> Rowland >> >> -- To unsubscribe from this list go to the following URL and read >> the >> instructions: https://lists.samba.org/mailman/options/samba >> >> >> > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
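A pre-join consistency check for the three member-server files the thread ends up editing (smb.conf, /etc/krb5.conf and /etc/resolv.conf), as an added example that is not part of the original thread or of Samba. The sample file contents are constructed from the values quoted above (including the DC address 192.168.2.251 and the `domain TTU` line that Rowland asked to change to `search ttu.red`); `check_member_config` and its helpers are hypothetical names, not Samba tooling.

```python
import configparser
# Constructed sample contents, built from the values quoted in the thread.
SMB_CONF = """[global]
workgroup = TTU
security = ADS
realm = TTU.RED
"""
KRB5_CONF = """[libdefaults]
default_realm = TTU.RED
dns_lookup_realm = false
dns_lookup_kdc = true
"""
RESOLV_BEFORE = "domain TTU\nnameserver 192.168.2.251\n"    # as first posted
RESOLV_AFTER = "search ttu.red\nnameserver 192.168.2.251\n"  # as Rowland asked

def parse_ini(text):
    """INI-like parser; allow_no_value tolerates a bare '}' in krb5.conf [realms]."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                      delimiters=("=",))
    cp.read_string(text)
    return cp

def parse_resolv(text):
    """Return (search domains, nameservers) from resolv.conf contents."""
    search, servers = [], []
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] in ("search", "domain"):
            search.extend(parts[1:])
        elif parts and parts[0] == "nameserver":
            servers.extend(parts[1:])
    return search, servers

def check_member_config(smb_conf, krb5_conf, resolv_conf, dc_ip):
    """Cross-check the three files before 'net ads join'; [] means they agree."""
    smb, krb = parse_ini(smb_conf), parse_ini(krb5_conf)
    realm = smb.get("global", "realm", fallback="").strip()
    findings = []
    if smb.get("global", "security", fallback="").strip().lower() != "ads":
        findings.append("smb.conf: a member server needs 'security = ADS'")
    default_realm = krb.get("libdefaults", "default_realm", fallback="").strip()
    if default_realm != realm.upper():  # Kerberos realm names are case-sensitive
        findings.append(f"krb5.conf: default_realm {default_realm!r} != {realm.upper()!r}")
    search, servers = parse_resolv(resolv_conf)
    # The thread's resolv.conf had 'domain TTU' (the workgroup); the fix was 'search ttu.red'.
    if realm.lower() not in [s.lower() for s in search]:
        findings.append(f"resolv.conf: search {search} lacks {realm.lower()!r}")
    if dc_ip not in servers:
        findings.append(f"resolv.conf: nameservers {servers} lack the DC {dc_ip}")
    return findings
```

Run against the "before" resolv.conf it reports only the missing `ttu.red` search domain; against the corrected one it reports nothing, which is the state to reach before trying `net ads join` again.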