tsmafts
2015-May-31 23:53 UTC
[Samba] unable to join a SAMBA linux box to MSWindows 2012 AD
Linux debian1 3.2.0-4-686-pae #1 SMP Debian 3.2.68-1+deb7u1 i686 GNU/Linux

It is serving as file server for a few Windows PCs in a satellite office. I am trying to join the machine to an AD Domain in our main office. Tried [b]net join -U duper%5HaveLefT -d5[/b]

Debug results:
[code]
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter idmap gid = 16777216-33554431
WARNING: The "idmap gid" option is deprecated
doing parameter passwd chat = *New*password* %nn *ReType*new*password* %nn *passwd*changed*n
doing parameter obey pam restrictions = yes
doing parameter preserve case = yes
doing parameter delete user from group script = /usr/sbin/userdel '%u' '%g'
doing parameter time server = no
doing parameter dns proxy = no
doing parameter netbios name = CCSOO
handle_netbios_name: set global_myname to: CCSOO
doing parameter cups options = raw
doing parameter printing = lprng
doing parameter idmap uid = 16777216-33554431
WARNING: The "idmap uid" option is deprecated
doing parameter disable netbios = no
doing parameter logon script = %G.bat
doing parameter winbind refresh tickets = no
doing parameter security = ADS
doing parameter machine password timeout = 120
doing parameter add machine script = /usr/sbin/useradd -d /dev/null -g sambamachines -c 'Samba Machine Account' -s /dev/null -M '%u'
doing parameter short preserve case = yes
doing parameter delete user script = /usr/sbin/userdel '%u'
doing parameter server schannel = no
doing parameter max log size = 1000
doing parameter winbind nss info = no
doing parameter log file = /var/log/samba/samba.log
doing parameter printer = Aficio-MP-4500
doing parameter load printers = yes
doing parameter guest account = smbguest
doing parameter passwd chat timeout = 120
doing parameter delete group script = /usr/sbin/groupdel '%g'
doing parameter username level = 6
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter wins server = 192.168.1.218
doing parameter client use spnego = no
doing parameter follow symlinks = no
doing parameter null passwords = no
WARNING: The "null passwords" option is deprecated
doing parameter domain master = no
doing parameter winbind trusted domains only = yes
doing parameter winbind use default domain = yes
doing parameter passdb backend = tdbsam
doing parameter template shell = /dev/null
doing parameter client plaintext auth = no
doing parameter bind interfaces only = yes
doing parameter pam password change = no
doing parameter enable spoolss = yes
doing parameter domain logons = yes
doing parameter name resolve order = wins lmhosts bcast
doing parameter client signing = yes
doing parameter hostname lookups = no
doing parameter remote browse sync = 192.168.102.255
doing parameter client schannel = no
doing parameter passwd program = /usr/bin/passwd '%u'
doing parameter allow hosts = 127. 192.168.102. 192.168.1.
doing parameter remote announce = 192.168.102.255 192.168.1.255
doing parameter local master = no
doing parameter realm = fask.COM
doing parameter workgroup = fask
doing parameter os level = 33
doing parameter server signing = no
doing parameter printcap name = cups
doing parameter winbind separator = @
doing parameter winbind offline logon = yes
doing parameter allow trusted domains = yes
doing parameter add group script = /usr/sbin/groupadd '%g'
doing parameter nt pipe support = yes
doing parameter add user to group script = /usr/sbin/useradd -d /dev/null -c 'Samba User Account' -s /dev/null -g '%g' '%u'
doing parameter nt status support = yes
doing parameter logon drive = m:
doing parameter interfaces = 127.0.0.1/8 192.168.102.0/24
doing parameter username map = /etc/samba/smbusers
doing parameter encrypt passwords = yes
doing parameter public = yes
doing parameter logon home = \%Lhomes%u
doing parameter wins proxy = no
doing parameter password level = 6
WARNING: The "password level" option is deprecated
doing parameter server string = Occidentel server
doing parameter winbind nested groups = no
doing parameter unix password sync = yes
doing parameter logon path = \%Lprofiles%u
doing parameter add user script = /usr/sbin/useradd -d /dev/null -c 'Samba User Account' -s /dev/null '%u'
doing parameter preferred master = no
doing parameter winbind cache time = 360
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
Netbios name list:-
my_netbios_names[0]="CCSOO"
interpret_interface: Adding interface 127.0.0.1/8
added interface 127.0.0.1/8 ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
interpret_interface: using netmask value 24 from config file on interface eth0
added interface eth0 ip=192.168.102.251 bcast=192.168.102.255 netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Opening cache file at /var/run/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for fask.COM: "Default-First-Site-Name"
saf_fetch: failed to find server for "fask.COM" domain
get_dc_list: preferred server list: ", *"
name fask.COM#1C found.
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.1.218:389
ads_try_connect: sending CLDAP request to 192.168.1.218 (realm: fask.COM)
Successfully contacted LDAP server 192.168.1.218
Invalid configuration. Exiting....
ADS join did not work, falling back to RPC...
name fask#1B found.
namecache_status_fetch: key NBT/fask#1B.20.192.168.1.218 -> fask-SERVER01
Connecting to host=fask-SERVER01
Connecting to 192.168.1.218 at port 445
Connecting to 192.168.1.218 at port 139
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 16384
SO_RCVBUF = 16384
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
Substituting charset 'UTF-8' for LOCALE
Bind RPC Pipe: host fask-SERVER01 auth_type 0, auth_level 1
rpc_api_pipe: host fask-SERVER01
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host fask-SERVER01
rpc_read_send: data_to_read: 32
rpc_api_pipe: host fask-SERVER01
rpc_read_send: data_to_read: 80
rpc_api_pipe: host fask-SERVER01
rpc_read_send: data_to_read: 32
Bind RPC Pipe: host fask-SERVER01 auth_type 0, auth_level 1
rpc_api_pipe: host fask-SERVER01
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc command function failed! (NT_STATUS_NOT_SUPPORTED)
name fask#1B found.
namecache_status_fetch: key NBT/fask#1B.20.192.168.1.218 -> fask-SERVER01
Connecting to host=fask-SERVER01
Connecting to 192.168.1.218 at port 445
Connecting to 192.168.1.218 at port 139
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 16384
SO_RCVBUF = 16384
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
cli_session_setup: NT1 session setup failed: NT_STATUS_INVALID_PARAMETER
failed session setup with NT_STATUS_INVALID_PARAMETER
Could not connect to server fask-SERVER01
Connection failed: NT_STATUS_INVALID_PARAMETER
return code = 1
[/code]

Hmm. So ran [b]net ads lookup dc[/b] and that resulted in:
[code]
Information for Domain Controller: 192.168.1.218

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 242bf0ef-bb6a-46a3-b220-f709d9bc897a
Flags:
Is a PDC: yes
Is a GC of the forest: yes
Is an LDAP server: yes
Supports DS: yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable: yes
Has a hardware clock: yes
Is a non-domain NC serviced by LDAP server: no
Is NT6 DC that has some secrets: no
Is NT6 DC that has all secrets: yes
Forest: fask.com
Domain: fask.com
Domain Controller: fask-SERVER01.fask.com
Pre-Win2k Domain: fask
Pre-Win2k Hostname: fask-SERVER01
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
[/code]

And for good measure ran [b]net ads info[/b] which at least gave back an error of some sort:
[code]
Failed to get server's current time!
LDAP server: 192.168.1.218
LDAP server name: fask-SERVER01.fask.com
Realm: fask.COM
Bind Path: dc=fask,dc=COM
LDAP port: 389
Server time: Wed, 31 Dec 1969 16:00:00 PST
KDC server: 192.168.1.218
Server time offset: 0
[/code]

And just to make sure I'm not being really klutzy about this, the User to be used in the net join is a user on the existing Windows AD that I want to join that has administrative rights and not the local debian super user.

Help please, I need to get the Debian machine on the domain so that an ftp server can use it.

Rowland Penny
2015-Jun-02 09:22 UTC
[Samba] unable to join a SAMBA linux box to MSWindows 2012 AD
On 01/06/15 00:53, tsmafts wrote:
>
> Linux debian1 3.2.0-4-686-pae #1 SMP Debian 3.2.68-1+deb7u1 i686
> GNU/Linux
> It is serving as file server for a few Windows PCs in a satellite
> office.
> I am trying to join the machine to an AD Domain in our main office.
> Tried [b]net join -U duper%5HaveLefT -d5[/b]
>
> Debug results: [code]INFO: Current debug levels:
> all: 5
> tdb: 5
> printdrivers: 5
> lanman: 5
> smb: 5
> rpc_parse: 5
> rpc_srv: 5
> rpc_cli: 5
> passdb: 5
> sam: 5
> auth: 5
> winbind: 5
> vfs: 5
> idmap: 5
> quota: 5
> acls: 5
> locking: 5
> msdfs: 5
> dmapi: 5
> registry: 5
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> INFO: Current debug levels:
> all: 5
> tdb: 5
> printdrivers: 5
> lanman: 5
> smb: 5
> rpc_parse: 5
> rpc_srv: 5
> rpc_cli: 5
> passdb: 5
> sam: 5
> auth: 5
> winbind: 5
> vfs: 5
> idmap: 5
> quota: 5
> acls: 5
> locking: 5
> msdfs: 5
> dmapi: 5
> registry: 5
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> Processing section "[global]"
> doing parameter idmap gid = 16777216-33554431
> WARNING: The "idmap gid" option is deprecated
> doing parameter passwd chat = *New*password* %nn *ReType*new*password*
> %nn *passwd*changed*n
> doing parameter obey pam restrictions = yes
> doing parameter preserve case = yes
> doing parameter delete user from group script = /usr/sbin/userdel '%u'
> '%g'
> doing parameter time server = no
> doing parameter dns proxy = no
> doing parameter netbios name = CCSOO
> handle_netbios_name: set global_myname to: CCSOO
> doing parameter cups options = raw
> doing parameter printing = lprng
> doing parameter idmap uid = 16777216-33554431
> WARNING: The "idmap uid" option is deprecated
> doing parameter disable netbios = no
> doing parameter logon script = %G.bat
> doing parameter winbind refresh tickets = no
> doing parameter security = ADS
> doing parameter machine password timeout = 120
> doing parameter add machine script = /usr/sbin/useradd -d /dev/null -g
> sambamachines -c 'Samba Machine Account' -s /dev/null -M '%u'
> doing parameter short preserve case = yes
> doing parameter delete user script = /usr/sbin/userdel '%u'
> doing parameter server schannel = no
> doing parameter max log size = 1000
> doing parameter winbind nss info = no
> doing parameter log file = /var/log/samba/samba.log
> doing parameter printer = Aficio-MP-4500
> doing parameter load printers = yes
> doing parameter guest account = smbguest
> doing parameter passwd chat timeout = 120
> doing parameter delete group script = /usr/sbin/groupdel '%g'
> doing parameter username level = 6
> doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192
> SO_SNDBUF=8192
> doing parameter wins server = 192.168.1.218
> doing parameter client use spnego = no
> doing parameter follow symlinks = no
> doing parameter null passwords = no
> WARNING: The "null passwords" option is deprecated
> doing parameter domain master = no
> doing parameter winbind trusted domains only = yes
> doing parameter winbind use default domain = yes
> doing parameter passdb backend = tdbsam
> doing parameter template shell = /dev/null
> doing parameter client plaintext auth = no
> doing parameter bind interfaces only = yes
> doing parameter pam password change = no
> doing parameter enable spoolss = yes
> doing parameter domain logons = yes
> doing parameter name resolve order = wins lmhosts bcast
> doing parameter client signing = yes
> doing parameter hostname lookups = no
> doing parameter remote browse sync = 192.168.102.255
> doing parameter client schannel = no
> doing parameter passwd program = /usr/bin/passwd '%u'
> doing parameter allow hosts = 127. 192.168.102. 192.168.1.
> doing parameter remote announce = 192.168.102.255 192.168.1.255
> doing parameter local master = no
> doing parameter realm = fask.COM
> doing parameter workgroup = fask
> doing parameter os level = 33
> doing parameter server signing = no
> doing parameter printcap name = cups
> doing parameter winbind separator = @
> doing parameter winbind offline logon = yes
> doing parameter allow trusted domains = yes
> doing parameter add group script = /usr/sbin/groupadd '%g'
> doing parameter nt pipe support = yes
> doing parameter add user to group script = /usr/sbin/useradd -d
> /dev/null -c 'Samba User Account' -s /dev/null -g '%g' '%u'
> doing parameter nt status support = yes
> doing parameter logon drive = m:
> doing parameter interfaces = 127.0.0.1/8 192.168.102.0/24
> doing parameter username map = /etc/samba/smbusers
> doing parameter encrypt passwords = yes
> doing parameter public = yes
> doing parameter logon home = \%Lhomes%u
> doing parameter wins proxy = no
> doing parameter password level = 6
> WARNING: The "password level" option is deprecated
> doing parameter server string = Occidentel server
> doing parameter winbind nested groups = no
> doing parameter unix password sync = yes
> doing parameter logon path = \%Lprofiles%u
> doing parameter add user script = /usr/sbin/useradd -d /dev/null -c
> 'Samba User Account' -s /dev/null '%u'
> doing parameter preferred master = no
> doing parameter winbind cache time = 360
> pm_process() returned Yes
> Substituting charset 'UTF-8' for LOCALE
> Netbios name list:-
> my_netbios_names[0]="CCSOO"
> interpret_interface: Adding interface 127.0.0.1/8
> added interface 127.0.0.1/8 ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> interpret_interface: using netmask value 24 from config file on
> interface eth0
> added interface eth0 ip=192.168.102.251 bcast=192.168.102.255
> netmask=255.255.255.0
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Opening cache file at /var/run/samba/gencache.tdb
> Opening cache file at /var/run/samba/gencache_notrans.tdb
> sitename_fetch: Returning sitename for fask.COM:
> "Default-First-Site-Name"
> saf_fetch: failed to find server for "fask.COM" domain
> get_dc_list: preferred server list: ", *"
> name fask.COM#1C found.
> get_dc_list: returning 1 ip addresses in an ordered list
> get_dc_list: 192.168.1.218:389
> ads_try_connect: sending CLDAP request to 192.168.1.218 (realm:
> fask.COM)
> Successfully contacted LDAP server 192.168.1.218
> Invalid configuration. Exiting....
> ADS join did not work, falling back to RPC...
> name fask#1B found.
> namecache_status_fetch: key NBT/fask#1B.20.192.168.1.218 ->
> fask-SERVER01
> Connecting to host=fask-SERVER01
> Connecting to 192.168.1.218 at port 445
> Connecting to 192.168.1.218 at port 139
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_SNDBUF = 16384
> SO_RCVBUF = 16384
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> Substituting charset 'UTF-8' for LOCALE
> Bind RPC Pipe: host fask-SERVER01 auth_type 0, auth_level 1
> rpc_api_pipe: host fask-SERVER01
> rpc_read_send: data_to_read: 52
> check_bind_response: accepted!
> rpc_api_pipe: host fask-SERVER01
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host fask-SERVER01
> rpc_read_send: data_to_read: 80
> rpc_api_pipe: host fask-SERVER01
> rpc_read_send: data_to_read: 32
> Bind RPC Pipe: host fask-SERVER01 auth_type 0, auth_level 1
> rpc_api_pipe: host fask-SERVER01
> rpc_read_send: data_to_read: 52
> check_bind_response: accepted!
> rpc command function failed! (NT_STATUS_NOT_SUPPORTED)
> name fask#1B found.
> namecache_status_fetch: key NBT/fask#1B.20.192.168.1.218 ->
> fask-SERVER01
> Connecting to host=fask-SERVER01
> Connecting to 192.168.1.218 at port 445
> Connecting to 192.168.1.218 at port 139
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_SNDBUF = 16384
> SO_RCVBUF = 16384
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> cli_session_setup: NT1 session setup failed: NT_STATUS_INVALID_PARAMETER
> failed session setup with NT_STATUS_INVALID_PARAMETER
> Could not connect to server fask-SERVER01
> Connection failed: NT_STATUS_INVALID_PARAMETER
> return code = 1 [/code]
>
> Hmm. So ran [b]net ads lookup dc[/b] and that resulted in:
> [code]Information for Domain Controller: 192.168.1.218
>
> Response Type: LOGON_SAM_LOGON_RESPONSE_EX
> GUID: 242bf0ef-bb6a-46a3-b220-f709d9bc897a
> Flags:
> Is a PDC: yes
> Is a GC of the forest: yes
> Is an LDAP server: yes
> Supports DS: yes
> Is running a KDC: yes
> Is running time services: yes
> Is the closest DC: yes
> Is writable: yes
> Has a hardware clock: yes
> Is a non-domain NC serviced by LDAP server: no
> Is NT6 DC that has some secrets: no
> Is NT6 DC that has all secrets: yes
> Forest: fask.com
> Domain: fask.com
> Domain Controller: fask-SERVER01.fask.com
> Pre-Win2k Domain: fask
> Pre-Win2k Hostname: fask-SERVER01
> Server Site Name : Default-First-Site-Name
> Client Site Name : Default-First-Site-Name
> NT Version: 5
> LMNT Token: ffff
> LM20 Token: ffff
> [/code]
> And for good measure ran [b]net ads info[/b] which at least gave back an
> error of some sort:
> [code]Failed to get server's current time!
> LDAP server: 192.168.1.218
> LDAP server name: fask-SERVER01.fask.com
> Realm: fask.COM
> Bind Path: dc=fask,dc=COM
> LDAP port: 389
> Server time: Wed, 31 Dec 1969 16:00:00 PST
> KDC server: 192.168.1.218
> Server time offset: 0
> [/code]
> And just to make sure I'm not being really klutzy about this, the User
> to be used in the net join is a user on the existing Windows AD that I
> want to join that has administrative rights and not the local debian
> super user.
>
> Help please, I need to get the Debian machine on the domain so that an
> ftp server can use it.
>

It looks like you are using Debian wheezy with the standard 3.6.x version of samba and if you look through what you posted there is this:

Invalid configuration. Exiting....

Pretty explicit why it doesn't work, have a look here:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

There is a known working smb.conf on that page, adapt it to your realm, workgroup etc and try again, once you have got samba working again, you could then start adding some of the lines that you have in your original, but be very selective, quite a lot of what you have isn't needed any more. I would suggest you read 'man smb.conf'.

You can upgrade to a later samba version by using the backports repo or by using the samba packages from sernet, though this would involve registering with sernet (this is free).

Rowland
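
The advice above to be selective about which old smb.conf lines to carry over can start from the debug output itself. The following is an added example, not part of the thread and not Samba project code: it parses the "doing parameter" and deprecation lines of a `net join -d5` log and lists settings worth reviewing on an AD member server. The function names and the rule table are this example's assumptions, not Samba's own validation.

```python
import re

# Shortened excerpt of the "net join -d5" output posted in this thread.
SAMPLE_LOG = """\
doing parameter idmap gid = 16777216-33554431
WARNING: The "idmap gid" option is deprecated
doing parameter security = ADS
doing parameter server schannel = no
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter client use spnego = no
doing parameter domain logons = yes
doing parameter client schannel = no
doing parameter password level = 6
WARNING: The "password level" option is deprecated
"""

PARAM_RE = re.compile(r"^doing parameter ([^=]+?)\s*=\s*(.*)$")
DEPRECATED_RE = re.compile(r'^WARNING: The "([^"]+)" option is deprecated$')

# Reviewer-chosen rules for an AD member server. They are an assumption of
# this example, not Samba's own validation. Key: (parameter, folded value).
REVIEW_RULES = {
    ("client use spnego", "no"): "SPNEGO is off; smb.conf(5) ties Kerberos to it",
    ("client schannel", "no"): "netlogon secure channel to the DC is disabled",
    ("server schannel", "no"): "netlogon secure channel for clients is disabled",
}
BOOLEANS = {"yes": "yes", "true": "yes", "1": "yes", "no": "no", "false": "no", "0": "no"}

def fold(value):
    """Lower-case a value and fold Samba's boolean spellings to yes/no."""
    value = value.strip().lower()
    return BOOLEANS.get(value, value)

def parse_effective_config(log_text):
    """Return ({parameter: raw value}, [deprecated parameters]); last value wins."""
    params, deprecated = {}, []
    for line in log_text.splitlines():
        line = line.strip()
        if m := PARAM_RE.match(line):
            params[" ".join(m.group(1).lower().split())] = m.group(2)
        elif m := DEPRECATED_RE.match(line):
            deprecated.append(m.group(1))
    return params, deprecated

def review(log_text):
    """List settings worth checking before retrying the domain join."""
    params, deprecated = parse_effective_config(log_text)
    findings = [f"{name}: deprecated according to the log" for name in deprecated]
    for (name, bad), why in REVIEW_RULES.items():
        if name in params and fold(params[name]) == bad:
            findings.append(f"{name} = {params[name]}: {why}")
    is_member = fold(params.get("security", "")) == "ads"
    if is_member and fold(params.get("domain logons", "")) == "yes":
        findings.append("domain logons = yes: logon-server role conflicts "
                        "with joining as a member (security = ADS)")
    return findings

if __name__ == "__main__":
    print("\n".join(review(SAMPLE_LOG)))
```

The findings are review prompts, not a diagnosis: each flagged line should be compared against the known working smb.conf on the wiki page linked above before it is kept or dropped.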