Hi!

ivenhov wrote on 2015-06-04 10:10:
> I'm trying
>
> sudo net ads join -S dc1001.mynat.myco.bcu -U testuser -d10
>
> and also
>
> sudo net ads join createcomputer="My/Ou/For/Servers" -S dc1001.mynat.myco.bcu -U testuser -d10
>
> It works for me every time in the lab on real hw (same spec) and on virtualbox.
> It's just this particular site (with large AD infrastructure) where it's failing.

I never got it to work with the quotation marks, so I used "net ads join createcomputer=My/Ou/For/Servers -U testuser", where 'testuser' only has the "add computer to Windows domain" privilege on the named OU. Samba version 4.1.12.

> What I don't quite understand is why it complains about the KDC when in fact I can
> ping it and get a ticket via kinit.
> What would be the next step to diagnose it? I'm out of ideas at this point.

I had a similar error to the one you first presented when using a wrong password.

Regards
Davor

> --
> View this message in context: http://samba.2283325.n4.nabble.com/Cannot-join-Ubuntu12-04-Samba-4-1-17-to-domain-tp4684555p4686701.html
> Sent from the Samba - General mailing list archive at Nabble.com.
Thanks all for helping with this and for the script. Still no luck though.

I've modified the scripts as they had some bugs; my output and the modified version are at the end.
As I mentioned, I don't have any issues with joining Samba 4.1 or 4.2 in the lab, only on that site.

>> if so, try the following.
>> in resolv.conf, add
>> search mynat.myco.bcu myco.bcu

I haven't tried that yet. Will do next.

There is a myco.bcu domain along with mynat.myco.bcu; I'm not sure if that makes it more tricky.
In the meantime there were some firewall issues discovered and fixed (filtering of the IPs connecting to LDAP ports). The issue persists though.

I don't have full access unfortunately to see exactly what's happening on AD, but I can make the necessary changes on the Samba box.

At this point I'm thinking the error:

Failed to join domain: failed to connect to AD: Cannot contact any KDC for requested realm

is bogus and the real problem lies somewhere else (shown by the results WERR_DEFAULT_JOIN_REQUIRED and WERR_GENERAL_FAILURE).

>> Could it be that allowing a normal user to join computers has been
>> turned off ?

Yes, it is possible. But apparently my user should have enough permission (I'm sceptical).
Does the user doing the join have to be a Domain Admin, or is only the permission to create objects in the OU necessary?
How can I check via the command line if the user has enough permissions?

In my lab I get WERR_DEFAULT_JOIN_REQUIRED when the user is not a Domain Admin.

Here are my results and modified scripts.
m@serv1602:~$ ./script1.sh
Content of /etc/resolv.conf
------------------------
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.80.8.88
nameserver 10.80.96.13
nameserver 10.80.96.17
------------------------------------------------

Content of /etc/hosts
------------------------
127.0.0.1 localhost
10.80.100.74 serv1602.mynat.myco.bcu serv1602
10.80.8.88 dc1001.mynat.myco.bcu
10.80.137.41 dc1003.mynat.myco.bcu
------------------------------------------------

Content of /etc/hostname
------------------------
serv1602.mynat.myco.bcu
------------------------------------------------

Local names
------------------------
domain: mynat.myco.bcu
host long: serv1602.mynat.myco.bcu
host short: serv1602
------------------------------------------------
test 1
testing of : host -t SRV _ldap._tcp.mynat.myco.bcu. : ok
test 2
testing of : host -t SRV _kerberos._udp.mynat.myco.bcu. : ok
test3
testing of : host -t A serv1602.mynat.myco.bcu. : ok
------------------------------------------------


domain: mynat.myco.bcu
host: serv1602.mynat.myco.bcu
host short: serv1602
m@serv1602:~$ ./script2.sh
myco.bcu
testing of : host -t SRV _ldap._tcp.myco.bcu. : ok
testing of : host -t SRV _kerberos._udp.myco.bcu. : ok
testing of : host -t A serv1602.mynat.myco.bcu. : ok
m@serv1602:~$ cat ./script1.sh
#!/bin/bash

# Print a config file between separators.
show() {
    echo -e "\nContent of $1"
    echo "------------------------"
    cat "$1"
    echo "------------------------------------------------"
}

# Run a DNS lookup and report ok/FAILED. Only a real answer line
# ("has SRV record" / "has address") counts as ok, so a resolver
# timeout, SERVFAIL or "has no SRV record" is reported as FAILED
# instead of slipping through as ok.
check() {
    if host -t "$1" "$2" 2>/dev/null | grep -qE "has (SRV record|address)"; then
        echo "testing of : host -t $1 $2 : ok"
    else
        echo "testing of : host -t $1 $2 : FAILED"
    fi
}

show /etc/resolv.conf
show /etc/hosts
show /etc/hostname

SETDNSDOMAIN=$(hostname -d)
SETHOSTNAME=$(hostname -f)
SETSHORTHOSTNAME=$(hostname -s)

echo -e "\nLocal names"
echo "------------------------"
echo "domain: $SETDNSDOMAIN"
echo "host long: $SETHOSTNAME"
echo "host short: $SETSHORTHOSTNAME"
echo "------------------------------------------------"

echo "test 1"
check SRV "_ldap._tcp.${SETDNSDOMAIN}."
echo "test 2"
check SRV "_kerberos._udp.${SETDNSDOMAIN}."
echo "test3"
check A "${SETSHORTHOSTNAME}.${SETDNSDOMAIN}."
echo -e "------------------------------------------------\n\n"

echo "domain: $SETDNSDOMAIN"
echo "host: $SETHOSTNAME"
echo "host short: $SETSHORTHOSTNAME"
m@serv1602:~$ cat ./script2.sh
#!/bin/bash

# Same lookups as script1, but against the parent domain myco.bcu.
SETDNSDOMAIN="myco.bcu"
SETHOSTNAME=$(hostname -f)

check() {
    if host -t "$1" "$2" 2>/dev/null | grep -qE "has (SRV record|address)"; then
        echo "testing of : host -t $1 $2 : ok"
    else
        echo "testing of : host -t $1 $2 : FAILED"
    fi
}

echo "$SETDNSDOMAIN"
check SRV "_ldap._tcp.${SETDNSDOMAIN}."
check SRV "_kerberos._udp.${SETDNSDOMAIN}."
check A "${SETHOSTNAME}."
m@serv1602:~$

--
View this message in context: http://samba.2283325.n4.nabble.com/Cannot-join-Ubuntu12-04-Samba-4-1-17-to-domain-tp4684555p4686918.html
Sent from the Samba - General mailing list archive at Nabble.com.
Rowland Penny
2015-Jun-08 11:21 UTC
[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
On 08/06/15 10:42, ivenhov wrote:
> Thanks all for helping with this and for script
> Still no luck though.
> [...]
> In the meantime there were some firewall issues discovered and fixed
> (filtering of the IPs connecting to LDAP ports). Issue persists though.
> [...]

There was another instance similar to this over the weekend, everything seemed to be OK, but a DC join couldn't find the original DC. This turned out to be a firewall issue, so could this be your problem?

Rowland
L.P.H. van Belle
2015-Jun-08 12:08 UTC
[Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
Hi,

After reading all below I can only conclude this must be firewalling, as Rowland is also saying.
Check if all of these ports are accessible from the server you're trying to join:

tcp 0 0 192.168.X.1:1024 0.0.0.0:* LISTEN 2146/samba
tcp 0 0 192.168.X.1:135  0.0.0.0:* LISTEN 2146/samba
tcp 0 0 192.168.X.1:139  0.0.0.0:* LISTEN 2147/smbd
tcp 0 0 192.168.X.1:3268 0.0.0.0:* LISTEN 2162/samba
tcp 0 0 192.168.X.1:3269 0.0.0.0:* LISTEN 2162/samba
tcp 0 0 192.168.X.1:389  0.0.0.0:* LISTEN 2162/samba
tcp 0 0 192.168.X.1:42   0.0.0.0:* LISTEN 2157/samba
tcp 0 0 192.168.X.1:445  0.0.0.0:* LISTEN 2147/smbd
tcp 0 0 192.168.X.1:464  0.0.0.0:* LISTEN 2170/samba
tcp 0 0 192.168.X.1:636  0.0.0.0:* LISTEN 2162/samba
tcp 0 0 192.168.X.1:88   0.0.0.0:* LISTEN 2170/samba

Greetz,

Louis

> -----Original message-----
> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Monday 8 June 2015 13:21
> To: samba at lists.samba.org
> Subject: Re: [Samba] Cannot join Ubuntu12.04 Samba 4.1.17 to domain
>
> On 08/06/15 10:42, ivenhov wrote:
> [...]
>
> There was another instance similar to this over the weekend, everything
> seemed to be ok, but a DC join couldn't find the original DC. This
> turned out to be a firewall issue, so could this be your problem ?
>
> Rowland
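The two checks the thread circles around, combined in one added example (my code, not from any of the posts above): it parses the `host -t SRV` output that ivenhov's scripts only grep, then tries a TCP connect to each discovered DC on the ports from Louis's netstat listing, distinguishing a refused connection (host reachable, nothing listening) from a silent timeout, which is the firewall symptom Rowland and Louis suspect. The SRV sample is constructed and the service labels on the ports are my own.

```python
import re
import socket

# Ports taken from Louis's netstat listing of a Samba AD DC (service labels
# are mine). A join needs 88 (Kerberos) and 389 (LDAP) before anything else.
AD_PORTS = {88: "kerberos", 464: "kpasswd", 389: "ldap", 636: "ldaps",
            3268: "gc", 3269: "gc-ssl", 445: "smb", 139: "netbios-ssn",
            135: "epmap", 42: "wins", 1024: "rpc"}

# One answer line of `host -t SRV`:
#   "<name> has SRV record <prio> <weight> <port> <target>."
SRV_RE = re.compile(r"(\S+) has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")

def parse_srv(host_output):
    """Turn `host -t SRV` output into (target, port) pairs in the order a
    client should try them: lowest priority first, then highest weight.
    Error lines ("not found", "connection timed out") simply don't match."""
    found = []
    for line in host_output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            _name, prio, weight, port, target = m.groups()
            found.append((int(prio), -int(weight), target, int(port)))
    return [(target, port) for _, _, target, port in sorted(found)]

def check_port(host, port, timeout=3.0):
    """Classify a TCP connect: 'open', 'refused' (host answered, nothing
    listening), 'filtered' (no answer at all, the usual firewall symptom)
    or 'error' (no route, name lookup failure, sockets not permitted)."""
    s = None
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"
    finally:
        if s is not None:
            s.close()

def check_dcs(dcs, ports=AD_PORTS):
    """For each DC, list the ports that are not open as (port, service, verdict)."""
    report = {}
    for dc in dcs:
        verdicts = [(p, ports[p], check_port(dc, p)) for p in ports]
        report[dc] = [v for v in verdicts if v[2] != "open"]
    return report

# Constructed sample of `host -t SRV _kerberos._udp.mynat.myco.bcu.` output.
SAMPLE_SRV = """\
_kerberos._udp.mynat.myco.bcu has SRV record 0 100 88 dc1001.mynat.myco.bcu.
_kerberos._udp.mynat.myco.bcu has SRV record 0 100 88 dc1003.mynat.myco.bcu.
"""

if __name__ == "__main__":
    dcs = sorted({target for target, _ in parse_srv(SAMPLE_SRV)})
    for dc, problems in check_dcs(dcs).items():
        print(dc, "all ports open" if not problems else problems)
```

On the real box, replace SAMPLE_SRV with the output of the `host -t SRV` commands from script1; a DC that shows up as 'filtered' on 88 or 389 explains the "Cannot contact any KDC" error without any DNS problem being involved.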