Thank you both for the answers.
I'll re-check everything again once on customer site and post my findings shortly afterwards.

Regards

--
View this message in context: http://samba.2283325.n4.nabble.com/Cannot-join-Ubuntu12-04-Samba-4-1-17-to-domain-tp4684555p4684827.html
Sent from the Samba - General mailing list archive at Nabble.com.

I reproduced error WERR_DEFAULT_JOIN_REQUIRED in two scenarios:
- user account that is used to join machine to domain is not part of Domain Admin group.
- OU path for computer (specified in createcomputer) is invalid

In both of those cases I'm getting detailed error messages: 'insufficient access' and 'invalid path' respectively but on customer site I'm always getting:

Failed to join domain: failed to connect to AD: Cannot contact any KDC for requested realm

Instead of valid error message

I'm sure krb5.conf is OK because it has exactly the same details as server with Samba 3.6 (which could join domain).
smb.conf has security = ads and correct realm.

I can resolve DNS name of the KDC and AD. Reverse lookup is also OK.
Time is correct on the server and is synced with NTP server.

But I still cannot join it to domain. Most recent error I get:

saf_store: domain = [MYNAT], server = [BGB48DC1001.mynat.myco.bcu], expire [1433259373]
Adding cache entry with key=[SAF/DOMAIN/MYNAT] and timeout=[Tue Jun 2 15:36:13 2015 UTC] (900 seconds ahead)
tdb_traverse with wipe_fn on gencache_notrans.tdb failed: Success
saf_store: domain = [mynat.myco.bcu], server = [BGB48DC1001.mynat.myco.bcu], expire = [1433259373]
Adding cache entry with key=[SAF/DOMAIN/MYNAT.MYCO.BCU] and timeout=[Tue Jun 2 15:36:13 2015 UTC] (900 seconds ahead)
tdb_traverse with wipe_fn on gencache_notrans.tdb failed: Success
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name not_defined_in_RFC4178 at please_ignore
ads_sasl_spnego_krb5_bind failed with: Miscellaneous failure (see text) :
Did not find a plugin for ccache_ops, calling kinit
kerberos_kinit_password: as wal-sa-omtest at MYNAT.MYCO.BCU using [MEMORY:net_ads] as ccache and config [/var/cache/samba/smb_krb5/krb5.conf.MYNAT]
kerberos_kinit_password wal-sa-omtest at MYNAT.MYCO.BCU failed: Cannot contact any KDC for requested realm
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'MYNAT'
            dns_domain_name          : 'mynat.myco.bcu'
            forest_name              : 'myco.bcu'
            dn                       : NULL
            domain_sid               : *
                domain_sid               : S-1-5-21-73586283-854245398-682003330
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: Cannot contact any KDC for requested realm'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: Cannot contact any KDC for requested realm
return code = -1

I also get the same error on ubuntu 14.04 with Sernet Samba 4.2.2

Any help appreciated
D.

--
View this message in context: http://samba.2283325.n4.nabble.com/Cannot-join-Ubuntu12-04-Samba-4-1-17-to-domain-tp4684555p4686672.html
Sent from the Samba - General mailing list archive at Nabble.com.

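
An added example, not part of the original post and not Samba code: a small parser that pulls from a join debug log like the one above the fields that locate the failure, namely the SPNEGO mechanisms the server offered, the step that failed, and the krb5 configuration file the log says kinit used. The sample log is condensed from the posted output; the function name and the report keys are assumptions of this example.

```python
import re

# Names for the SPNEGO mechanism OIDs that appear in the posted log.
MECH_NAMES = {
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
    "1.2.840.48018.1.2.2": "Kerberos 5 (Microsoft legacy OID)",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.113554.1.2.2.3": "Kerberos 5 user-to-user",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

# Constructed sample: lines condensed from the log in the post, mail wrapping kept.
SAMPLE_LOG = """\
KDC time offset is 0 seconds
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_krb5_bind failed with: Miscellaneous failure (see text) :
kerberos_kinit_password: as wal-sa-omtest at MYNAT.MYCO.BCU using
[MEMORY:net_ads] as ccache and config
[/var/cache/samba/smb_krb5/krb5.conf.MYNAT]
kerberos_kinit_password wal-sa-omtest at MYNAT.MYCO.BCU failed: Cannot contact
any KDC for requested realm
    result : WERR_GENERAL_FAILURE
"""

def triage_join_log(text):
    """Pull out the fields that show where a domain join attempt stopped."""
    flat = " ".join(text.split())  # undo line wrapping added by the mail client
    def first(pattern):
        m = re.search(pattern, flat)
        return m.groups() if m else None
    offset = first(r"KDC time offset is (-?\d+) seconds")
    kinit = first(r"kerberos_kinit_password: as (\S+?)(?: at |@)(\S+) using "
                  r"\[([^\]]+)\] as ccache and config \[([^\]]+)\]")
    res = first(r"result\s*:\s*(WERR_\w+)")
    stage = None
    if re.search(r"kerberos_kinit_password \S+(?: at |@)\S+ failed:", flat):
        stage = "kinit"            # password-based ticket request to the KDC
    elif "ads_sasl_spnego_krb5_bind failed" in flat:
        stage = "ldap-sasl-bind"   # Kerberos bind to LDAP with existing creds
    return {
        "mechs_offered": [MECH_NAMES.get(o, o) for o in re.findall(r"got OID=([\d.]+)", flat)],
        "kdc_time_offset": int(offset[0]) if offset else None,
        "principal": f"{kinit[0]}@{kinit[1]}" if kinit else None,
        "krb5_config_used": kinit[3] if kinit else None,
        "failed_stage": stage,
        "result": res[0] if res else None,
    }
```
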
Rowland Penny
2015-Jun-03 20:57 UTC
[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
On 03/06/15 21:29, ivenhov wrote:
> I reproduced error WERR_DEFAULT_JOIN_REQUIRED in two scenarios:
> - user account that is used to join machine to domain is not part of Domain
> Admin group.
> - OU path for computer (specified in createcomputer) is invalid
>
> In both of those cases I'm getting detailed error messages: 'insufficient
> access' and 'invalid path' respectively but on customer site I'm always
> getting:
>
> Failed to join domain: failed to connect to AD: Cannot contact any KDC for
> requested realm
>
> Instead of valid error message
>
> I'm sure krb5.conf is OK because it has exactly the same details as server
> with Samba 3.6 (which could join domain).
> smb.conf has security = ads and correct realm.
>
> I can resolve DNS name of the KDC and AD. Reverse lookup is also OK.
> Time is correct on the server and is synced with NTP server.
>
> But I still cannot join it to domain. Most recent error I get:
>
>
> saf_store: domain = [MYNAT], server = [BGB48DC1001.mynat.myco.bcu], expire
> [1433259373]
> Adding cache entry with key=[SAF/DOMAIN/MYNAT] and timeout=[Tue Jun 2
> 15:36:13 2015 UTC] (900 seconds ahead)
> tdb_traverse with wipe_fn on gencache_notrans.tdb failed: Success
> saf_store: domain = [mynat.myco.bcu], server = [BGB48DC1001.mynat.myco.bcu],
> expire = [1433259373]
> Adding cache entry with key=[SAF/DOMAIN/MYNAT.MYCO.BCU] and timeout=[Tue Jun
> 2 15:36:13 2015 UTC] (900 seconds ahead)
> tdb_traverse with wipe_fn on gencache_notrans.tdb failed: Success
> KDC time offset is 0 seconds
> Found SASL mechanism GSS-SPNEGO
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> ads_sasl_spnego_bind: got server principal name
> not_defined_in_RFC4178 at please_ignore
> ads_sasl_spnego_krb5_bind failed with: Miscellaneous failure (see text) :
> Did not find a plugin for ccache_ops, calling kinit
> kerberos_kinit_password: as wal-sa-omtest at MYNAT.MYCO.BCU using
> [MEMORY:net_ads] as ccache and config
> [/var/cache/samba/smb_krb5/krb5.conf.MYNAT]
>
>
> kerberos_kinit_password wal-sa-omtest at MYNAT.MYCO.BCU failed: Cannot contact
> any KDC for requested realm
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'MYNAT'
>             dns_domain_name          : 'mynat.myco.bcu'
>             forest_name              : 'myco.bcu'
>             dn                       : NULL
>             domain_sid               : *
>                 domain_sid               :
> S-1-5-21-73586283-854245398-682003330
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to connect to AD: Cannot
> contact any KDC for requested realm'
>             domain_is_ad             : 0x01 (1)
>             result                   : WERR_GENERAL_FAILURE
> Failed to join domain: failed to connect to AD: Cannot contact any KDC for
> requested realm
> return code = -1
>
> I also get the same error on ubuntu 14.04 with Sernet Samba 4.2.2
>
> Any help appreciated
> D.
>
>
>
> --
> View this message in context: http://samba.2283325.n4.nabble.com/Cannot-join-Ubuntu12-04-Samba-4-1-17-to-domain-tp4684555p4686672.html
> Sent from the Samba - General mailing list archive at Nabble.com.

OK, can you post your smb.conf, krb5.conf and resolv.conf

Rowland