Schuyler Bishop
2015-Nov-17 19:32 UTC
[Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...
Hi Rowland,

Thanks for the response. I stripped my smb.conf down to the bare suggestions and still have a no-go on the testjoin. This really smells to me like a kerberos configuration issue due to the computer existing in one and users authenticating from the forest root. Unfortunately I don't know where to begin to look for answers as the kerberos configurations I've found referenced don't have that concept.

On Tue, Nov 17, 2015 at 12:05 PM Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 17/11/15 16:38, Schuyler Bishop wrote:
> > Hi Louis,
> >
> > Thanks for the reply. Upon checking the URL you sent, I'm not finding which stanzas you're referring to as being samba3 - my smb.conf looks remarkably similar to the sample I see there. Could you perhaps be more specific?
> >
> > Thanks,
> >
> > --Schuyler
> >
> > On Tue, Nov 17, 2015 at 11:23 AM L.P.H. van Belle <belle at bazuin.nl> wrote:
> >
> >> You're using a samba3 config on a samba 4.
> >>
> >> Change your config based on:
> >> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> >>
> >> Gr,
> >>
> >> Louis
> >>
> >>> -----Original message-----
> >>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Schuyler Bishop
> >>> Sent: Tuesday 17 November 2015 17:11
> >>> To: samba at lists.samba.org
> >>> Subject: [Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...
> >>>
> >>> Greetings,
> >>>
> >>> Long-time but very occasional samba user here with a new challenge (well for me at least).
> >>>
> >>> The basics are that on the domain join, the computer account gets created but throws the dns error which based on my searching seems non-fatal. wbinfo -t gives me a succeeded, wbinfo -a klm.com\\me --ntlmv2 works fine but yet the net ads testjoin fails. Logs on the domain controller show "A Kerberos authentication ticket (TGT) was requested." with an Audit Success after I run the testjoin that fails.
> >>>
> >>> The AD guys tell me that hij.klm.com is the subdomain that the computer account exists in (hence the createcomputer string in the join) and user accounts exist in klm.com including my account that I was using to do the join (me at klm.com).
> >>>
> >>> I did a tcpdump on the testjoin and pulled it into wireshark and I see it contacting (amongst other things) all of the AD servers in both domains on 88/UDP and getting replies so it doesn't smell like a firewall issue.
> >>>
> >>> Thanks in advance for any help.
> >>>
> >>> Here's the edited and redacted output from the join (the computer account already existed as you can see):
> >>>
> >>> # net ads join createcomputer="OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com" -U me at klm.com -d 1
> >>> Enter me at KLM.COM's password:
> >>> libnet_Join:
> >>>     libnet_JoinCtx: struct libnet_JoinCtx
> >>>         in: struct libnet_JoinCtx
> >>>             dc_name : NULL
> >>>             machine_name : 'this'
> >>>             domain_name : *
> >>>                 domain_name : 'HIJ.KLM.COM'
> >>>             account_ou : 'OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
> >>>             admin_account : 'me at KLM.COM'
> >>>             machine_password : NULL
> >>>             join_flags : 0x00000023 (35)
> >>>                 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
> >>>                 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> >>>                 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> >>>                 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> >>>                 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> >>>                 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> >>>                 something = something-else
> >>>                 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> >>>                 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> >>>                 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> >>>                 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> >>>                 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> >>>             os_version : NULL
> >>>             os_name : NULL
> >>>             create_upn : 0x00 (0)
> >>>             upn : NULL
> >>>             modify_config : 0x00 (0)
> >>>             ads : NULL
> >>>             debug : 0x01 (1)
> >>>             use_kerberos : 0x00 (0)
> >>>             secure_channel_type : SEC_CHAN_WKSTA (2)
> >>> The machine account already exists in the specified OU.
> >>> libnet_Join:
> >>>     libnet_JoinCtx: struct libnet_JoinCtx
> >>>         out: struct libnet_JoinCtx
> >>>             account_name : NULL
> >>>             netbios_domain_name : 'HIJ'
> >>>             dns_domain_name : 'hij.klm.com'
> >>>             forest_name : 'klm.com'
> >>>             dn : 'CN=THIS,OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
> >>>             domain_sid : *
> >>>                 domain_sid : *REDACTED*
> >>>             modified_config : 0x00 (0)
> >>>             error_string : NULL
> >>>             domain_is_ad : 0x01 (1)
> >>>             result : WERR_OK
> >>> Using short domain name -- HIJ
> >>> Joined 'THIS' to dns domain 'hij.klm.com'
> >>> kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC for requested realm
> >>> DNS update failed: kinit failed: Cannot contact any KDC for requested realm
> >>>
> >>> And here's the output from my testjoin:
> >>>
> >>> # net ads testjoin -d 3
> >>> lp_load_ex: refreshing parameters
> >>> Initialising global parameters
> >>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> >>> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> >>> Processing section "[global]"
> >>> added interface eth0 ip=x.x.x.x bcast=x.x.x.y netmask=255.255.255.0
> >>> Registered MSG_REQ_POOL_USAGE
> >>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> >>> get_dc_list: preferred server list: ", *"
> >>> Successfully contacted LDAP server a.b.c.d
> >>> get_dc_list: preferred server list: ", *"
> >>> get_dc_list: preferred server list: ", *"
> >>> get_dc_list: preferred server list: ", *"
> >>> Successfully contacted LDAP server a.b.c.d
> >>> get_dc_list: preferred server list: ", *"
> >>> get_dc_list: preferred server list: ", *"
> >>> resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM<0x20>
> >>> resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM<0x20>
> >>> resolve_wins: WINS server resolution selected and no WINS servers listed.
> >>> resolve_hosts: Attempting host lookup for name AD1.HIJ.KLM.COM<0x20>
> >>> Successfully contacted LDAP server a.b.c.d
> >>> Connected to LDAP server ad1.hij.klm.com
> >>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
> >>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> >>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> >>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> >>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> >>> ads_sasl_spnego_bind: got server principal name not_defined_in_RFC4178 at please_ignore
> >>> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
> >>> kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC for requested realm
> >>> ads_connect: Cannot contact any KDC for requested realm
> >>> Join to domain is not valid: No logon servers
> >>> return code = -1
> >>>
> >>> My krb5.conf:
> >>>
> >>> [libdefaults]
> >>> ticket_lifetime = 24h
> >>> default_realm = HIJ.KLM.COM
> >>> dns_lookup_realm = false
> >>> dns_lookup_kdc = false
> >>>
> >>> krb4_config = /etc/krb.conf
> >>> kdc_timesync = 1
> >>> ccache_type = 4
> >>> forwardable = true
> >>> proxiable = true
> >>> v4_instance_resolve = false
> >>> v4_name_convert = {
> >>>     host = {
> >>>         rcmd = host
> >>>         ftp = ftp
> >>>     }
> >>>     plain = {
> >>>         something = something-else
> >>>     }
> >>> }
> >>> fcc-mit-ticketflags = true
> >>>
> >>> [realms]
> >>> HIJ.KLM.COM = {
> >>>     kdc = ad1.hij.klm.com
> >>>     kdc = ad2.hij.klm.com
> >>>     admin_server = ad.hij.klm.com
> >>>     default_domain = hij.klm.com
> >>> }
> >>>
> >>> [domain_realm]
> >>> .xyz.hij.klm.com = HIJ.KLM.COM
> >>> .hij.klm.com = HIJ.KLM.COM
> >>>
> >>> [login]
> >>> krb4_convert = true
> >>> krb4_get_tickets = false
> >>> [logging]
> >>> kdc = FILE:/var/log/krb5kdc.log
> >>> admin_server = FILE:/var/log/kadmin.log
> >>> default = FILE:/var/log/krb5lib.log
> >>>
> >>> My smb.conf:
> >>>
> >>> [global]
> >>>
> >>> workgroup = hij
> >>> netbios name = this
> >>> security = ADS
> >>> realm = HIJ.KLM.COM
> >>> server string = XYZ server (Samba, Ubuntu)
> >>> dns proxy = no
> >>> printcap name = /etc/printcap
> >>> load printers = no
> >>> log file = /var/log/samba/log.%m
> >>> log level = 1
> >>> max log size = 1000
> >>> dedicated keytab file = /etc/krb5.keytab
> >>> encrypt passwords = yes
> >>> syslog = 0
> >>> panic action = /usr/share/samba/panic-action %d
> >>> server role = standalone server
> >>> passdb backend = tdbsam
> >>> obey pam restrictions = yes
> >>> unix password sync = no
> >>> passwd program = /usr/bin/passwd %u
> >>> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >>> pam password change = no
> >>> map to guest = bad user
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions: https://lists.samba.org/mailman/options/samba
> >>
>
> Two things jump out from your smb.conf:
>
> security = ADS
> server role = standalone server
>
> Well, which is it?
> Is it a domain member getting its authentication and users & groups from AD, or is it a standalone server that stores its users & groups in a file on the server?
>
> If it is a domain member, then follow the link Louis provided and remove all the un-required lines from your smb.conf.
>
> Rowland
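Two checks that turn Rowland's point, and the "Cannot contact any KDC for requested realm" failure, into something scriptable, as an added example (not Samba or MIT Kerberos code, and not from the thread): it parses constructed copies of the posted smb.conf and krb5.conf, flags security = ADS set alongside a server role other than member server, and, because dns_lookup_kdc = false leaves MIT krb5 with only [realms] to find a KDC, lists the realms of the principals used in the thread (THIS$@HIJ.KLM.COM and me at klm.com) that have no kdc line. The thread's failing kinit was for HIJ.KLM.COM, which does have kdc lines, so the second check surfaces the unmapped forest realm KLM.COM rather than explaining that failure.

```python
import re

# Constructed samples that mirror the redacted configs posted in the thread.
SMB_CONF = "[global]\nworkgroup = hij\nsecurity = ADS\nrealm = HIJ.KLM.COM\nserver role = standalone server\n"
KRB5_CONF = ("[libdefaults]\ndefault_realm = HIJ.KLM.COM\ndns_lookup_kdc = false\n"
             "[realms]\nHIJ.KLM.COM = {\nkdc = ad1.hij.klm.com\nkdc = ad2.hij.klm.com\n}\n"
             "[domain_realm]\n.hij.klm.com = HIJ.KLM.COM\n")
# Principals the thread's join and testjoin actually used (machine account and joining user).
PRINCIPALS = ["THIS$@HIJ.KLM.COM", "me@KLM.COM"]

def parse_conf(text):
    """Flatten smb.conf/krb5.conf into {section: [(key, value)]}; a realm block
    inside [realms] becomes the pseudo-section 'realms/<REALM>'."""
    sections, cur = {}, "global"
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
        elif line.endswith("{"):            # nested block, e.g. HIJ.KLM.COM = {
            cur = cur.split("/")[0] + "/" + line[:-1].strip(" =").upper()
        elif line == "}":
            cur = cur.split("/")[0]
        else:
            key, _, val = line.partition("=")
            sections.setdefault(cur, []).append((key.strip().lower(), val.strip()))
    return sections

def smb_role_conflict(text):
    """Rowland's point: security = ADS makes the box a domain member, so any
    explicit server role other than 'member server' contradicts it."""
    g = dict(parse_conf(text).get("global", []))
    role = g.get("server role", "member server").lower()
    if g.get("security", "").lower() == "ads" and role != "member server":
        return "security = ADS conflicts with server role = " + role
    return None

def realms_without_kdc(text, principals):
    """With dns_lookup_kdc = false, MIT krb5 only finds a KDC through [realms];
    a principal whose realm has no kdc line gets 'Cannot contact any KDC'."""
    cfg = parse_conf(text)
    if dict(cfg.get("libdefaults", [])).get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1"):
        return []                           # DNS SRV lookup would locate the KDC instead
    missing = []
    for p in principals:
        realm = p.rsplit("@", 1)[-1].upper()
        if not any(k == "kdc" for k, _ in cfg.get("realms/" + realm, [])) and realm not in missing:
            missing.append(realm)
    return missing
```

Running both checks on the samples reports the role conflict and lists KLM.COM, the realm of the joining user, as having no KDC configured.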
Rowland Penny
2015-Nov-17 20:21 UTC
[Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...
On 17/11/15 19:32, Schuyler Bishop wrote:
> Hi Rowland,
>
> Thanks for the response. I stripped my smb.conf down to the bare suggestions and still have a no-go on the testjoin. This really smells to me like a kerberos configuration issue due to the computer existing in one and users authenticating from the forest root. Unfortunately I don't know where to begin to look for answers as the kerberos configurations I've found referenced don't have that concept.
>

Is there actually a DC for HIJ.KLM.COM ?

This could be a trust problem and I don't think trusts work fully yet

Rowland
Schuyler Bishop
2015-Nov-17 21:41 UTC
[Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...
Interesting. So would having the account I'm creating it with in the same subdomain fix the potential trust issues, or is samba's function in a subdomain in general in question?

On Tue, Nov 17, 2015 at 3:25 PM Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 17/11/15 19:32, Schuyler Bishop wrote:
> > Hi Rowland,
> >
> > Thanks for the response. I stripped my smb.conf down to the bare suggestions and still have a no-go on the testjoin. This really smells to me like a kerberos configuration issue due to the computer existing in one and users authenticating from the forest root. Unfortunately I don't know where to begin to look for answers as the kerberos configurations I've found referenced don't have that concept.
> >
>
> Is there actually a DC for HIJ.KLM.COM ?
>
> This could be a trust problem and I don't think trusts work fully yet
>
> Rowland