I'm trying

sudo net ads join -S dc1001.mynat.myco.bcu -U testuser -d10

and also

sudo net ads join createcomputer="My/Ou/For/Servers" -S dc1001.mynat.myco.bcu -U testuser -d10

It works for me every time in lab on real hw (same spec) and on virtualbox.
It's just this particular site (with large AD infrastructure) where it's failing.

What I don't quite understand is why it complains about KDC when in fact I can ping it and get ticket via kinit.
What would be next step to diagnose it? I'm out of ideas at this point.

--
View this message in context: http://samba.2283325.n4.nabble.com/Cannot-join-Ubuntu12-04-Samba-4-1-17-to-domain-tp4684555p4686701.html
Sent from the Samba - General mailing list archive at Nabble.com.
Rowland Penny
2015-Jun-04 08:19 UTC
[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
On 03/06/15 23:54, ivenhov wrote:
> I've made all changes to 3 files you mentioned, also removed everything
> except localhost in hosts file.
> So I have minimal smb.conf and minimal krb5 file
>
> Unfortunately error is still the same.
>
> If I try to join with full OU path I get
>
> kerberos_kinit_password testuser@MYNAT.MYCO.BCU failed: Cannot contact any KDC for requested realm

How are you trying to join the domain? What command are you actually using?
It seems that the KDC cannot be found, just what are you trying to join to?

All I can say is that it works for me against a samba4 AD DC

Rowland

> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'MYNAT'
>             dns_domain_name          : 'mynat.myco.bcu'
>             forest_name              : 'myco.bcu'
>             dn                       : NULL
>             domain_sid               : *
>                 domain_sid               : S-1-5-21-73586283-854245398-682003330
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to connect to AD: Cannot contact any KDC for requested realm'
>             domain_is_ad             : 0x01 (1)
>             result                   : WERR_DEFAULT_JOIN_REQUIRED
> Failed to join domain: failed to connect to AD: Cannot contact any KDC for requested realm
> return code = -1
>
> If I try without createcomputer
>
> kerberos_kinit_password testuser@MYNAT.MYCO.BCU failed: Cannot contact any KDC for requested realm
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'MYNAT'
>             dns_domain_name          : 'mynat.myco.bcu'
>             forest_name              : 'myco.bcu'
>             dn                       : NULL
>             domain_sid               : *
>                 domain_sid               : S-1-5-21-73586283-854245398-682003330
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to connect to AD: Cannot contact any KDC for requested realm'
>             domain_is_ad             : 0x01 (1)
>             result                   : WERR_GENERAL_FAILURE
> Failed to join domain: failed to connect to AD: Cannot contact any KDC for requested realm
> return code = -1
>
> I can get Kerberos ticket with no problems using:
> kinit myuser@MYNAT.MYCO.BCU
> klist shows valid ticket
>
> regarding services
>
> me@SERV1603:~$ sudo netstat -tulpan | grep LISTEN
> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      5628/smbd
> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      5628/smbd
> tcp6       0      0 :::445                  :::*                    LISTEN      5628/smbd
> tcp6       0      0 :::139                  :::*                    LISTEN      5628/smbd
>
> there is also no process with dns name, checked via
> ps aux | grep -i dns
>
> I have no file with path /etc/NetworkManager/NetworkManager.conf which I
> assume no netman installed.
>
> 10.80.8.88 is AD and DNS on the network
>
> D.
Rowland Penny
2015-Jun-04 08:41 UTC
[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
On 04/06/15 09:10, ivenhov wrote:
> I'm trying
>
> sudo net ads join -S dc1001.mynat.myco.bcu -U testuser -d10
>
> and also
>
> sudo net ads join createcomputer="My/Ou/For/Servers" -S dc1001.mynat.myco.bcu -U testuser -d10
>
> It works for me every time in lab on real hw (same spec) and on virtualbox.
> It's just this particular site (with large AD infrastructure) where it's
> failing.
>
> What I don't quite understand is why it complains about KDC when in fact I can
> ping it and get ticket via kinit.
> What would be next step to diagnose it? I'm out of ideas at this point.

I normally just use:

net ads join -U Administrator

Could it be that allowing a normal user to join computers has been turned off?

If the above command line is still failing to find the KDC, then it does sound like a DNS problem.

I seem to remember reports that using the wrong password can produce a similar error, i.e. the error message has really nothing to do with the actual error.

Rowland
L.P.H. van Belle
2015-Jun-04 09:00 UTC
[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
Can you run the following:

cat /etc/resolv.conf
cat /etc/hosts

# DNS domain of this machine, and its short host name
# (short, because the A record test below appends the domain itself)
SETDNSDOMAIN=`hostname -d`
SETHOSTNAME=`hostname -s`
echo $SETDNSDOMAIN
echo $SETHOSTNAME
# each test is ok when the output of host does not contain "not found"
if [ -z "`host -t SRV _ldap._tcp.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
    echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : ok"
else
    echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : FAILED"
fi
if [ -z "`host -t SRV _kerberos._udp.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
    echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : ok";
else
    echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : FAILED";
fi
if [ -z "`host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
    echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : ok";
    TEST3=0;
else
    echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : FAILED";
fi
echo $SETDNSDOMAIN
echo $SETHOSTNAME

and again with

# same tests against the parent domain (SETHOSTNAME is kept from the first run)
SETDNSDOMAIN="myco.bcu"
echo $SETDNSDOMAIN
if [ -z "`host -t SRV _ldap._tcp.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
    echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : ok"
else
    echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : FAILED"
fi
if [ -z "`host -t SRV _kerberos._udp.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
    echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : ok";
else
    echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : FAILED";
fi
if [ -z "`host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
    echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : ok";
    TEST3=0;
else
    echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : FAILED";
fi

and post the result back.

greetz,

Louis

>-----Original message-----
>From: iwan.daniel at gmail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of ivenhov
>Sent: Thursday 4 June 2015 10:10
>To: samba at lists.samba.org
>Subject: Re: [Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
>
>I'm trying
>
>sudo net ads join -S dc1001.mynat.myco.bcu -U testuser -d10
>
>and also
>
>sudo net ads join createcomputer="My/Ou/For/Servers" -S dc1001.mynat.myco.bcu -U testuser -d10
>
>It works for me every time in lab on real hw (same spec) and on virtualbox.
>It's just this particular site (with large AD infrastructure) where it's
>failing.
>
>What I don't quite understand is why it complains about KDC when in fact I can
>ping it and get ticket via kinit.
>What would be next step to diagnose it? I'm out of ideas at this point.
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
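An added example, not part of any post in this thread: a stricter form of the SRV checks above that parses every record `host` returns and probes each advertised server, instead of only grepping for "not found". It assumes `nc` is installed; the sample `host` output, the names dc1002 and dc2001, and the function names `srv_targets`, `port_open` and `check_realm` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `host -t SRV` output (not captured from the thread).
# dc1002 and dc2001 are made-up names; the NXDOMAIN line must be ignored.
SAMPLE_SRV='_kerberos._tcp.mynat.myco.bcu has SRV record 10 100 88 dc2001.mynat.myco.bcu.
_kerberos._tcp.mynat.myco.bcu has SRV record 0 100 88 dc1002.mynat.myco.bcu.
Host _kerberos._tcp.myco.bcu not found: 3(NXDOMAIN)
_kerberos._tcp.mynat.myco.bcu has SRV record 0 100 88 dc1001.mynat.myco.bcu.'

# srv_targets: read `host -t SRV` output on stdin and print one
# "priority host port" line per record, lowest priority first.
srv_targets() {
    awk '$2 == "has" && $3 == "SRV" && $4 == "record" {
        sub(/\.$/, "", $8)      # drop the trailing root dot
        print $5, $8, $7
    }' | sort -n
}

# port_open HOST PORT: succeed if a TCP connection opens within 3 seconds.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# check_realm DOMAIN: look up the Kerberos and LDAP SRV records and probe
# every advertised server, so one unreachable DC among many becomes visible.
check_realm() {
    for rec in _kerberos._tcp _ldap._tcp; do
        targets=$(host -t SRV "$rec.$1." 2>/dev/null | srv_targets)
        if [ -z "$targets" ]; then
            echo "$rec.$1: no SRV records returned"
            continue
        fi
        printf '%s\n' "$targets" | while read -r prio h port; do
            if port_open "$h" "$port"; then state=ok; else state=UNREACHABLE; fi
            echo "$rec.$1: $h:$port (priority $prio) $state"
        done
    done
}

# With a domain argument, query live DNS; without one, parse the sample offline.
if [ $# -gt 0 ]; then
    check_realm "$1"
else
    printf '%s\n' "$SAMPLE_SRV" | srv_targets
fi
```

Run it as `sh script.sh mynat.myco.bcu` and again with `myco.bcu`, matching the two passes of the checks above.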
L.P.H. van Belle
2015-Jun-04 09:04 UTC
[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
I just did a join on Debian jessie Samba 4.1.17 on to a Debian wheezy, SerNet Samba 4.2.2 AD-DC, without any problems, and only using the command:

net ads join -U Administrator

as Rowland also did.

This must be dns/resolving problems.
Do you use multiple domains and subdomains? If so, try the following.

In resolv.conf, add

search mynat.myco.bcu myco.bcu

and if needed more.

Greetz,

Louis
Hi!

ivenhov wrote on 2015-06-04 10:10:
> I'm trying
>
> sudo net ads join -S dc1001.mynat.myco.bcu -U testuser -d10
>
> and also
>
> sudo net ads join createcomputer="My/Ou/For/Servers" -S dc1001.mynat.myco.bcu -U testuser -d10
>
> It works for me every time in lab on real hw (same spec) and on virtualbox.
> It's just this particular site (with large AD infrastructure) where it's
> failing.

I never got it to work with the quotation marks, so I used "net ads join createcomputer=My/Ou/For/Servers -U testuser", where 'testuser' has only got the "add computer to Windows domain privileges" on named OU. Samba version 4.1.12.

> What I don't quite understand is why it complains about KDC when in fact I can
> ping it and get ticket via kinit.
> What would be next step to diagnose it? I'm out of ideas at this point.

I had a similar error as you first presented when using wrong password.

Regards
Davor