Rowland Penny
2015-Jun-03 21:46 UTC
[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
On 03/06/15 22:04, ivenhov wrote:
> Thanks Rowland.
> I understand smb.conf is a bit messy and can affect performance but it should
> not prevent me from joining domain.
>
> Here you go:
>
> [global]
> workgroup = MYNAT
> realm = MYNAT.MYCO.BCU
> server string = My server %h
> security = ADS
> password server = dc1001.mynat.myco.bcu
> map to guest = Bad User
> obey pam restrictions = Yes
> pam password change = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> unix password sync = Yes
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> server max protocol = SMB2
> min receivefile size = 13638
> max xmit = 131072
> load printers = no
> printcap name = /dev/null
> disable spoolss = yes
> dns proxy = No
> usershare allow guests = Yes
> panic action = /usr/share/samba/panic-action %d
> template homedir = /dev/null
> template shell = /bin/true
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> idmap config * : range = 100000-200000
> idmap config * : backend = tdb
> aio read size = 1
> aio write size = 1
> aio write behind = true
> use sendfile = yes
> write cache size = 12826144
> printing = bsd
> print command = lpr -r -P'%p' %s
> lpq command = lpq -P'%p'
> lprm command = lprm -P'%p' %j
> #winbind max domain connections = 5
> max protocol = SMB2
> large readwrite = yes
> winbind offline logon = false
> #winbind max clients = 1000
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> create mask = 0700
> printable = Yes
> print ok = Yes
> browseable = No
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
>
>
> Kerberos
> cat /etc/krb5.conf
> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = true
> default_realm = MYNAT.MYCO.BCU
>
> # The following krb5.conf variables are only for MIT Kerberos.
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
> v4_instance_resolve = false
> v4_name_convert = {
>     host = {
>         rcmd = host
>         ftp = ftp
>     }
>     plain = {
>         something = something-else
>     }
> }
> fcc-mit-ticketflags = true
>
> [realms]
> MYNAT.MYCO.BCU = {
>     kdc = dc1001.mynat.myco.bcu
>     admin_server = dc1001.mynat.myco.bcu
>     default_domain = mynat.myco.bcu
> }
>
> [domain_realm]
> .mynat.myco.bcu = MYNAT.MYCO.BCU
> mynat.myco.bcu = MYNAT.MYCO.BCU
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
>
> cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 10.80.8.88

OK, have a look here:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

The smb.conf on that page is known to work, just adapt it to your domain and once everything is working, add lines from your smb.conf to it (but check 'man smb.conf' before adding any lines).

Your krb5.conf only needs to be this:

[libdefaults]
default_realm = MYNAT.MYCO.BCU
dns_lookup_realm = false
dns_lookup_kdc = true

Your resolv.conf should be this:

search mynat.myco.bcu
nameserver 10.80.8.88

I presume that 10.80.8.88 is the IP address of your AD DC, if not, it needs to be, your AD DC must be the DNS server for your AD domain.

The one thing I forgot to ask for is /etc/hosts, if you are only using ipv4, you really only need '127.0.0.1 localhost' in it. If you are using DHCP, you should also ensure that NetworkManager is not using dnsmasq (you can turn this off in /etc/NetworkManager/NetworkManager.conf).

Rowland
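As an added example (not code from the thread, from Rowland, or from the Samba project): a small Python checker that parses a krb5.conf and a resolv.conf and tests them against the points made in the reply above, namely that default_realm is set, that dns_lookup_kdc is on so the KDC can be found through DNS SRV records, that the resolver search domain matches the realm, and that every nameserver is an AD DC rather than a loopback caching resolver such as NetworkManager's dnsmasq. The sample file contents and the list of DC addresses are constructed for the example (the DC address 10.80.8.88 is taken from the thread); the function names are my own.

```python
"""Check krb5.conf and resolv.conf against the AD member server advice above.

Added example; the sample inputs below are constructed, not captured from a host.
"""
import re
import socket

# Constructed sample inputs, modelled on the minimal files described in the reply.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = MYNAT.MYCO.BCU
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
MYNAT.MYCO.BCU = {
    kdc = dc1001.mynat.myco.bcu
    admin_server = dc1001.mynat.myco.bcu
}
"""

SAMPLE_RESOLV_CONF = """\
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
search mynat.myco.bcu
nameserver 10.80.8.88
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into {section: {key: value}}.

    Brace-delimited subsections ([realms] REALM = { ... }, possibly nested) are
    flattened into 'section/name' keys; a repeated key keeps its last value.
    """
    result, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:                                   # new top-level section
            section, stack = m.group(1), []
            result.setdefault(section, {})
            continue
        if section is None:
            continue                            # key before any section header
        if line == '}':                         # close a brace block
            stack.pop()
            continue
        m = re.match(r'^([^=]+?)\s*=\s*\{$', line)
        if m:                                   # open a brace block
            stack.append(m.group(1))
            result.setdefault('/'.join([section] + stack), {})
            continue
        m = re.match(r'^([^=]+?)\s*=\s*(.*)$', line)
        if m:
            result['/'.join([section] + stack)][m.group(1)] = m.group(2)
    return result


def parse_resolv_conf(text):
    """Return (search_domains, nameservers) from resolv.conf text."""
    search, nameservers = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        parts = line.split()
        if parts[0] == 'nameserver' and len(parts) > 1:
            nameservers.append(parts[1])
        elif parts[0] in ('search', 'domain'):
            search.extend(parts[1:])
    return search, nameservers


def check_ad_member_dns(krb5_text, resolv_text, dc_addresses):
    """Return a list of findings; an empty list means every check passed.

    dc_addresses: IP addresses of the AD DCs that should serve the domain's DNS.
    """
    findings = []
    libdefaults = parse_krb5_conf(krb5_text).get('libdefaults', {})
    realm = libdefaults.get('default_realm')
    if not realm:
        findings.append('krb5.conf: no default_realm in [libdefaults]')
    if libdefaults.get('dns_lookup_kdc', '').lower() not in ('true', 'yes', '1'):
        findings.append('krb5.conf: dns_lookup_kdc is not enabled; '
                        'KDCs will not be located via _kerberos._tcp SRV records')
    search, nameservers = parse_resolv_conf(resolv_text)
    if realm and realm.lower() not in [s.lower() for s in search]:
        findings.append('resolv.conf: search list does not contain %s' % realm.lower())
    if not nameservers:
        findings.append('resolv.conf: no nameserver entries')
    for ns in nameservers:
        if ns.startswith('127.'):
            findings.append('resolv.conf: nameserver %s is loopback; a local resolver '
                            '(e.g. dnsmasq) sits in front of AD DNS' % ns)
        elif ns not in dc_addresses:
            findings.append('resolv.conf: nameserver %s is not an AD DC; '
                            'the DC must serve DNS for the AD domain' % ns)
    return findings


def kdc_reachable(host, port=88, timeout=3.0):
    """Live check (not run offline): can we open TCP port 88 on the KDC?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == '__main__':
    for f in check_ad_member_dns(SAMPLE_KRB5_CONF, SAMPLE_RESOLV_CONF, ['10.80.8.88']):
        print(f)
```

Run it against the real files with `check_ad_member_dns(open('/etc/krb5.conf').read(), open('/etc/resolv.conf').read(), ['10.80.8.88'])`; an empty result means the three files line up with the advice in the reply, and `kdc_reachable('dc1001.mynat.myco.bcu')` then tells you whether the host can actually open the Kerberos port on the DC.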
I've made all changes to 3 files you mentioned, also removed everything except localhost in hosts file.
So I have minimal smb.conf and minimal krb5 file.

Unfortunately error is still the same.

If I try to join with full OU path I get

kerberos_kinit_password testuser@MYNAT.MYCO.BCU failed: Cannot contact any KDC for requested realm
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'MYNAT'
            dns_domain_name          : 'mynat.myco.bcu'
            forest_name              : 'myco.bcu'
            dn                       : NULL
            domain_sid               : *
                domain_sid           : S-1-5-21-73586283-854245398-682003330
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: Cannot contact any KDC for requested realm'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_DEFAULT_JOIN_REQUIRED
Failed to join domain: failed to connect to AD: Cannot contact any KDC for requested realm
return code = -1

If I try without createcomputer

kerberos_kinit_password testuser@MYNAT.MYCO.BCU failed: Cannot contact any KDC for requested realm
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'MYNAT'
            dns_domain_name          : 'mynat.myco.bcu'
            forest_name              : 'myco.bcu'
            dn                       : NULL
            domain_sid               : *
                domain_sid           : S-1-5-21-73586283-854245398-682003330
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: Cannot contact any KDC for requested realm'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: Cannot contact any KDC for requested realm
return code = -1

I can get Kerberos ticket with no problems using:
kinit myuser@MYNAT.MYCO.BCU
klist shows valid ticket

regarding services

me@SERV1603:~$ sudo netstat -tulpan | grep LISTEN
tcp        0      0 0.0.0.0:445      0.0.0.0:*      LISTEN      5628/smbd
tcp        0      0 0.0.0.0:139      0.0.0.0:*      LISTEN      5628/smbd
tcp6       0      0 :::445           :::*           LISTEN      5628/smbd
tcp6       0      0 :::139           :::*           LISTEN      5628/smbd

there is also no process with dns name, checked via
ps aux | grep -i dns

I have no file with path /etc/NetworkManager/NetworkManager.conf which I assume no netman installed.

10.80.8.88 is AD and DNS on the network

D.
Rowland Penny
2015-Jun-04 08:19 UTC
[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
On 03/06/15 23:54, ivenhov wrote:
> I've made all changes to 3 files you mentioned, also removed everything
> except localhost in hosts file.
> So I have minimal smb.conf and minimal krb5 file
>
> Unfortunately error is still the same.
>
> If I try to join with full OU path I get kerberos_kinit_password
> testuser@MYNAT.MYCO.BCU failed: Cannot contact any KDC for requested realm

How are you trying to join the domain? What command are you actually using?

It seems that the KDC cannot be found, just what are you trying to join to?

All I can say is that it works for me against a samba4 AD DC

Rowland

> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'MYNAT'
>             dns_domain_name          : 'mynat.myco.bcu'
>             forest_name              : 'myco.bcu'
>             dn                       : NULL
>             domain_sid               : *
>                 domain_sid           : S-1-5-21-73586283-854245398-682003330
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to connect to AD: Cannot contact any KDC for requested realm'
>             domain_is_ad             : 0x01 (1)
>             result                   : WERR_DEFAULT_JOIN_REQUIRED
> Failed to join domain: failed to connect to AD: Cannot contact any KDC for requested realm
> return code = -1
>
> If I try without createcomputer
>
> kerberos_kinit_password testuser@MYNAT.MYCO.BCU failed: Cannot contact any KDC for requested realm
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'MYNAT'
>             dns_domain_name          : 'mynat.myco.bcu'
>             forest_name              : 'myco.bcu'
>             dn                       : NULL
>             domain_sid               : *
>                 domain_sid           : S-1-5-21-73586283-854245398-682003330
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to connect to AD: Cannot contact any KDC for requested realm'
>             domain_is_ad             : 0x01 (1)
>             result                   : WERR_GENERAL_FAILURE
> Failed to join domain: failed to connect to AD: Cannot contact any KDC for requested realm
> return code = -1
>
>
> I can get Kerberos ticket with no problems using:
> kinit myuser@MYNAT.MYCO.BCU
> klist shows valid ticket
>
> regarding services
>
> me@SERV1603:~$ sudo netstat -tulpan | grep LISTEN
> tcp        0      0 0.0.0.0:445      0.0.0.0:*      LISTEN      5628/smbd
> tcp        0      0 0.0.0.0:139      0.0.0.0:*      LISTEN      5628/smbd
> tcp6       0      0 :::445           :::*           LISTEN      5628/smbd
> tcp6       0      0 :::139           :::*           LISTEN      5628/smbd
>
>
> there is also no process with dns name, checked via
> ps aux | grep -i dns
>
> I have no file with path /etc/NetworkManager/NetworkManager.conf which I
> assume no netman installed.
>
> 10.80.8.88 is AD and DNS on the network
>
> D.