Rowland Penny
2015-Jun-03 20:57 UTC
[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
On 03/06/15 21:29, ivenhov wrote:
> I reproduced error WERR_DEFAULT_JOIN_REQUIRED in two scenarios:
> - user account that is used to join machine to domain is not part of Domain
> Admin group.
> - OU path for computer (specified in createcomputer) is invalid
>
> In both of those cases I'm getting detailed error messages: 'insufficient
> access' and 'invalid path' respectively but on customer site I'm always
> getting:
>
> Failed to join domain: failed to connect to AD: Cannot contact any KDC for
> requested realm
>
> Instead of valid error message
>
> I'm sure krb5.conf is OK because it has exactly the same details as server
> with Samba 3.6 (which could join domain).
> smb.conf has security = ads and correct realm.
>
> I can resolve DNS name of the KDC and AD. Reverse lookup is also OK.
> Time is correct on the server and is synced with NTP server.
>
> But I still cannot joint it to domain. Most recent error I get:
>
>
> saf_store: domain = [MYNAT], server = [BGB48DC1001.mynat.myco.bcu], expire
> [1433259373]
> Adding cache entry with key=[SAF/DOMAIN/MYNAT] and timeout=[Tue Jun 2
> 15:36:13 2015 UTC] (900 seconds ahead)
> tdb_traverse with wipe_fn on gencache_notrans.tdb failed: Success
> saf_store: domain = [mynat.myco.bcu], server = [BGB48DC1001.mynat.myco.bcu],
> expire = [1433259373]
> Adding cache entry with key=[SAF/DOMAIN/MYNAT.MYCO.BCU] and timeout=[Tue Jun
> 2 15:36:13 2015 UTC] (900 seconds ahead)
> tdb_traverse with wipe_fn on gencache_notrans.tdb failed: Success
> KDC time offset is 0 seconds
> Found SASL mechanism GSS-SPNEGO
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> ads_sasl_spnego_bind: got server principal name
> not_defined_in_RFC4178 at please_ignore
> ads_sasl_spnego_krb5_bind failed with: Miscellaneous failure (see text):
> Did not find a plugin for ccache_ops, calling kinit
> kerberos_kinit_password: as wal-sa-omtest at MYNAT.MYCO.BCU using
> [MEMORY:net_ads] as ccache and config
> [/var/cache/samba/smb_krb5/krb5.conf.MYNAT]
>
>
> kerberos_kinit_password wal-sa-omtest at MYNAT.MYCO.BCU failed: Cannot contact
> any KDC for requested realm
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : NULL
> netbios_domain_name : 'MYNAT'
> dns_domain_name : 'mynat.myco.bcu'
> forest_name : 'myco.bcu'
> dn : NULL
> domain_sid : *
> domain_sid :
> S-1-5-21-73586283-854245398-682003330
> modified_config : 0x00 (0)
> error_string : 'failed to connect to AD: Cannot
> contact any KDC for requested realm'
> domain_is_ad : 0x01 (1)
> result : WERR_GENERAL_FAILURE
> Failed to join domain: failed to connect to AD: Cannot contact any KDC for
> requested realm
> return code = -1
>
> I also get the same error on ubuntu 14.04 with Sernet Samba 4.2.2
>
> Any help appreciated
> D.
>
>
>
> --
> View this message in context: http://samba.2283325.n4.nabble.com/Cannot-join-Ubuntu12-04-Samba-4-1-17-to-domain-tp4684555p4686672.html
> Sent from the Samba - General mailing list archive at Nabble.com.

OK, can you post your smb.conf, krb5.conf and resolv.conf

Rowland
Thanks Rowland.
I understand smb.conf is a bit messy and can affect performance, but it should
not prevent me from joining the domain.
Here you go:
[global]
workgroup = MYNAT
realm = MYNAT.MYCO.BCU
server string = My server %h
security = ADS
password server = dc1001.mynat.myco.bcu
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
server max protocol = SMB2
min receivefile size = 13638
max xmit = 131072
load printers = no
printcap name = /dev/null
disable spoolss = yes
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
template homedir = /dev/null
template shell = /bin/true
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap config * : range = 100000-200000
idmap config * : backend = tdb
aio read size = 1
aio write size = 1
aio write behind = true
use sendfile = yes
write cache size = 12826144
printing = bsd
print command = lpr -r -P'%p' %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
#winbind max domain connections = 5
max protocol = SMB2
large readwrite = yes
winbind offline logon = false
#winbind max clients = 1000
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
print ok = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
Kerberos
cat /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = MYNAT.MYCO.BCU
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
MYNAT.MYCO.BCU = {
kdc = dc1001.mynat.myco.bcu
admin_server = dc1001.mynat.myco.bcu
default_domain = mynat.myco.bcu
}
[domain_realm]
.mynat.myco.bcu = MYNAT.MYCO.BCU
mynat.myco.bcu = MYNAT.MYCO.BCU
[login]
krb4_convert = true
krb4_get_tickets = false
cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.80.8.88
--
View this message in context:
http://samba.2283325.n4.nabble.com/Cannot-join-Ubuntu12-04-Samba-4-1-17-to-domain-tp4684555p4686674.html
Sent from the Samba - General mailing list archive at Nabble.com.
Rowland Penny
2015-Jun-03 21:46 UTC
[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
On 03/06/15 22:04, ivenhov wrote:

OK, have a look here: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

The smb.conf on that page is known to work. Just adapt it to your domain and, once everything is working, add lines from your smb.conf to it (but check 'man smb.conf' before adding any lines).

Your krb5.conf only needs to be this:

[libdefaults]
default_realm = MYNAT.MYCO.BCU
dns_lookup_realm = false
dns_lookup_kdc = true

Your resolv.conf should be this:

search mynat.myco.bcu
nameserver 10.80.8.88

I presume that 10.80.8.88 is the IP address of your AD DC; if not, it needs to be. Your AD DC must be the DNS server for your AD domain.

The one thing I forgot to ask for is /etc/hosts. If you are only using IPv4, you really only need '127.0.0.1 localhost' in it.

If you are using DHCP, you should also ensure that NetworkManager is not using dnsmasq (you can turn this off in /etc/NetworkManager/NetworkManager.conf).

Rowland
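The advice in the reply above amounts to a handful of consistency rules between smb.conf, krb5.conf and resolv.conf. The script below, added here as an example and not code from the Samba project or either poster, checks those rules offline on constructed copies of the files in the shape of the posted ones (the realm, host names and nameserver address are the thread's placeholders). It flags a realm that is not upper case, a krb5.conf default_realm that differs from the smb.conf realm, dns_lookup_kdc not being on, extra [libdefaults] settings beyond the three the reply says are needed, and a resolv.conf with no search line for the AD domain. It cannot tell whether the nameserver really is the AD DC; that still needs a live DNS and Kerberos test.

```python
# Offline consistency checks for smb.conf, krb5.conf and resolv.conf before a
# 'net ads join'.  Added example, not Samba project code.  Whether the
# nameserver really is the AD DC cannot be checked offline.
import configparser
import re

# Constructed samples in the shape of the posted files; host and realm names
# are the thread's placeholders, not a real site.
POSTED_SMB = """\
[global]
workgroup = MYNAT
realm = MYNAT.MYCO.BCU
server string = My server %h
security = ADS
idmap config * : range = 100000-200000
idmap config * : backend = tdb
#winbind max domain connections = 5
"""
POSTED_KRB5 = """\
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = MYNAT.MYCO.BCU
kdc_timesync = 1
v4_name_convert = {
host = {
rcmd = host
}
}
[realms]
MYNAT.MYCO.BCU = {
kdc = dc1001.mynat.myco.bcu
}
"""
POSTED_RESOLV = "# generated by resolvconf(8)\nnameserver 10.80.8.88\n"
# The minimal files suggested in the reply above.
FIXED_KRB5 = ("[libdefaults]\ndefault_realm = MYNAT.MYCO.BCU\n"
              "dns_lookup_realm = false\ndns_lookup_kdc = true\n")
FIXED_RESOLV = "search mynat.myco.bcu\nnameserver 10.80.8.88\n"


def parse_smb_conf(text):
    """[global] of smb.conf as a lower-cased dict.  Only '=' delimits, so
    'idmap config * : range' keeps its colon; interpolation is off so '%h'
    style macros are left alone."""
    cp = configparser.ConfigParser(delimiters=("=",), strict=False,
                                   interpolation=None)
    cp.read_string(text)
    return {k.strip().lower(): v.strip() for k, v in cp["global"].items()}


def parse_krb5_libdefaults(text):
    """Key/value pairs of [libdefaults]; nested { } blocks (such as the krb4
    leftovers in the posted file) are skipped.  A tiny reader, not a full
    krb5.conf parser."""
    section, depth, out = None, 0, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, depth = m.group(1), 0
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif section == "libdefaults" and depth == 0 and "=" in line:
            k, v = line.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def parse_resolv_conf(text):
    """Return (search domains, nameservers) from resolv.conf."""
    search, nameservers = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] in ("search", "domain"):
            search += parts[1:]
        elif parts and parts[0] == "nameserver":
            nameservers += parts[1:]
    return search, nameservers


def check_member_config(smb_text, krb5_text, resolv_text):
    """Return a list of findings; an empty list means the files agree."""
    smb = parse_smb_conf(smb_text)
    krb = parse_krb5_libdefaults(krb5_text)
    search, nameservers = parse_resolv_conf(resolv_text)
    findings = []
    realm = smb.get("realm", "")
    if not realm:
        findings.append("smb.conf: 'realm' is not set")
    elif realm != realm.upper():  # Kerberos realm names are case-sensitive
        findings.append(f"smb.conf: realm {realm!r} must be upper case")
    if smb.get("security", "").lower() != "ads":
        findings.append("smb.conf: 'security = ads' is required for an AD join")
    if not smb.get("workgroup"):
        findings.append("smb.conf: 'workgroup' (NetBIOS domain name) is not set")
    default_realm = krb.get("default_realm", "")
    if default_realm != realm:
        findings.append(f"krb5.conf: default_realm {default_realm!r} differs "
                        f"from smb.conf realm {realm!r}")
    if krb.get("dns_lookup_kdc", "").lower() != "true":
        findings.append("krb5.conf: dns_lookup_kdc should be true so the KDC "
                        "is found through the AD DNS records")
    extra = sorted(set(krb) - {"default_realm", "dns_lookup_realm",
                               "dns_lookup_kdc"})
    if extra:
        findings.append("krb5.conf: [libdefaults] has settings beyond the "
                        "three an AD member needs: " + ", ".join(extra))
    if not nameservers:
        findings.append("resolv.conf: no nameserver; the AD DC must be the "
                        "DNS server for the domain")
    if realm and realm.lower() not in [s.lower() for s in search]:
        findings.append(f"resolv.conf: missing 'search {realm.lower()}'")
    return findings
```

Feed the real files to check_member_config() on the member being joined. On the constructed inputs the posted set yields two findings (the extra [libdefaults] setting and the missing search line) and the minimal krb5.conf and resolv.conf from the reply yield none; a lower-cased realm in smb.conf is reported twice, once for its case and once because it no longer matches default_realm.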