Schuyler Bishop
2015-Nov-18 18:08 UTC
[Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...
When I sent the original note, I had it configured this way:

[realms]
HIJ.KLM.COM = {
    kdc = ad1.hij.klm.com
    kdc = ad2.hij.klm.com
    admin_server = ad.hij.klm.com
    default_domain = hij.klm.com
}

[domain_realm]
.xyz.hij.klm.com = HIJ.KLM.COM
.hij.klm.com = HIJ.KLM.COM

But then after reading about kerberos on the samba site, it seemed to suggest to not configure krb5.conf and instead rely on DNS. I then noticed these two lines in the krb5.conf that seemed to say "ignore DNS for kerberos":

dns_lookup_realm = false
dns_lookup_kdc = false

After changing those to true and commenting all the realm and domain_realm stuff out, I could still do a kinit of my domain account and login to the server using kerberos but still have issues with the testjoin and starting smbd gives me errors such as:

[2015/11/17 20:16:58.660864, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
  kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC for requested realm

On Wed, Nov 18, 2015 at 3:03 AM L.P.H. van Belle <belle at bazuin.nl> wrote:
> Hai,
>
> From the logs.
> > ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
> > kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC for requested realm
> > ads_connect: Cannot contact any KDC for requested realm
> > Join to domain is not valid: No logon servers
> > return code = -1
>
> In your krb5.conf
>
> ad.hij.klm.com does that exist in the domain.
> Because in your logs I see also.
>
> > resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM<0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM<0x20>
> > resolve_wins: WINS server resolution selected and no WINS servers listed.
> > resolve_hosts: Attempting host lookup for name AD1.HIJ.KLM.COM<0x20>
> > Successfully contacted LDAP server a.b.c.d
> > Connected to LDAP server ad1.hij.klm.com
>
> You're sure in krb5.conf
> admin_server = ad.hij.klm.com is correct ?
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> > Sent: Tuesday 17 November 2015 23:05
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...
> >
> > On 17/11/15 21:41, Schuyler Bishop wrote:
> > > Interesting. So would having the account I'm creating it with in the same subdomain fix the potential trust issues, or is samba's function in a subdomain in general in question?
> >
> > I honestly don't know, what I can say is that when you try to join a Samba domain member to a DC in the same domain, it just works.
> >
> > Has anybody been able to make this work ?
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Nov-18 18:48 UTC
[Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...
On 18/11/15 18:08, Schuyler Bishop wrote:
> When I sent the original note, I had it configured this way:
>
> [realms]
> HIJ.KLM.COM = {
>     kdc = ad1.hij.klm.com
>     kdc = ad2.hij.klm.com
>     admin_server = ad.hij.klm.com
>     default_domain = hij.klm.com
> }
>
> [domain_realm]
> .xyz.hij.klm.com = HIJ.KLM.COM
> .hij.klm.com = HIJ.KLM.COM
>
> But then after reading about kerberos on the samba site, it seemed to suggest to not configure krb5.conf and instead rely on DNS. I then noticed these two lines in the krb5.conf that seemed to say "ignore DNS for kerberos":
>
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> After changing those to true and commenting all the realm and domain_realm stuff out, I could still do a kinit of my domain account and login to the server using kerberos but still have issues with the testjoin and starting smbd gives me errors such as:
>
> [2015/11/17 20:16:58.660864, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
>   kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC for requested realm

OK, it would seem that you really only need this in krb5.conf:

[libdefaults]
    default_realm = HIJ.KLM.COM

Now as long as your /etc/resolv.conf contains something like this:

search hij.klm.com
nameserver <ipaddress of the DC>

and time is the same on the DC and the domain member, you should be able to join the domain.

Also, as you are on Ubuntu, check that Network Manager isn't using dnsmasq, if it is, turn it off in the conf file. Check that you haven't got a line in /etc/hosts that starts '127.0.1.1', if you do, remove it, if you are using DHCP you only need a line like this:

127.0.0.1 localhost

If you are not using DHCP, you also need a line like this:

192.168.0.34 host.hij.klm.com host

Where '192.168.0.34' is the IP address of the machine, 'host' is the machine's hostname.

Rowland
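The file checks in the reply above can be run as a preflight before retrying the join. The script below is an added example, not part of the original thread or of Samba: its function names, the loopback-nameserver heuristic for spotting a local dnsmasq, and the sample files are assumptions constructed for illustration, and it does not check clock skew.

```shell
# Added example (not from the thread): offline checks of krb5.conf, resolv.conf, hosts.
# Print default_realm from the [libdefaults] section of a krb5.conf ($1).
krb5_default_realm() {
    awk '/^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
         in_lib && /^[ \t]*default_realm[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
         }' "$1"
}

# Succeed if the search/domain list in resolv.conf ($1) contains domain $2.
resolv_search_has() {
    awk -v d="$2" '($1 == "search" || $1 == "domain") {
             for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) found = 1 }
         END { exit !found }' "$1"
}

# Succeed if the hosts file ($1) has an uncommented line starting 127.0.1.1.
hosts_has_127_0_1_1() {
    grep -Eq '^[[:space:]]*127\.0\.1\.1([[:space:]]|$)' "$1"
}

fail() { echo "FAIL: $*"; problems=$((problems + 1)); }
# preflight KRB5_CONF RESOLV_CONF HOSTS: print findings, return how many there were.
preflight() {
    problems=0
    realm=$(krb5_default_realm "$1")
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    if [ -z "$realm" ]; then fail "no default_realm in [libdefaults]"
    elif ! resolv_search_has "$2" "$domain"; then fail "resolv.conf search list lacks $domain"
    fi
    ns=$(awk '$1 == "nameserver" { print $2 }' "$2")
    [ -n "$ns" ] || fail "no nameserver line"
    for n in $ns; do
        # Assumption: a loopback resolver is a local forwarder such as dnsmasq.
        case $n in 127.*) fail "nameserver $n is local, not the DC" ;; esac
    done
    if hosts_has_127_0_1_1 "$3"; then fail "hosts file has a 127.0.1.1 line"; fi
    return "$problems"
}

# Constructed sample files (illustrative, not taken from the thread's machines).
d=$(mktemp -d)
printf '[libdefaults]\n  default_realm = HIJ.KLM.COM\n' > "$d/krb5.conf"
printf 'search hij.klm.com\nnameserver 192.168.0.2\n' > "$d/resolv.good"
printf 'nameserver 127.0.1.1\n' > "$d/resolv.bad"
printf '127.0.0.1 localhost\n192.168.0.34 host.hij.klm.com host\n' > "$d/hosts.good"
printf '127.0.0.1 localhost\n127.0.1.1 host\n' > "$d/hosts.bad"
preflight "$d/krb5.conf" "$d/resolv.good" "$d/hosts.good" && echo "good set: OK"
preflight "$d/krb5.conf" "$d/resolv.bad" "$d/hosts.bad" || echo "bad set: $? finding(s)"
```

On a real member server, call `preflight /etc/krb5.conf /etc/resolv.conf /etc/hosts`.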
Schuyler Bishop
2015-Nov-18 19:43 UTC
[Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers... - SOLVED!!!
So - the fix was to put it into klm.com rather than hij.klm.com. Kind of verifies one of the thoughts earlier in the stream - don't use a subdomain with a trust. Or try to but if it doesn't work, you'll just have to put it in the forest root domain.

On Wed, Nov 18, 2015 at 1:53 PM Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> On 18/11/15 18:08, Schuyler Bishop wrote:
> > When I sent the original note, I had it configured this way:
> >
> > [realms]
> > HIJ.KLM.COM = {
> >     kdc = ad1.hij.klm.com
> >     kdc = ad2.hij.klm.com
> >     admin_server = ad.hij.klm.com
> >     default_domain = hij.klm.com
> > }
> >
> > [domain_realm]
> > .xyz.hij.klm.com = HIJ.KLM.COM
> > .hij.klm.com = HIJ.KLM.COM
> >
> > But then after reading about kerberos on the samba site, it seemed to suggest to not configure krb5.conf and instead rely on DNS. I then noticed these two lines in the krb5.conf that seemed to say "ignore DNS for kerberos":
> >
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> >
> > After changing those to true and commenting all the realm and domain_realm stuff out, I could still do a kinit of my domain account and login to the server using kerberos but still have issues with the testjoin and starting smbd gives me errors such as:
> >
> > [2015/11/17 20:16:58.660864, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
> >   kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC for requested realm
>
> OK, it would seem that you really only need this in krb5.conf:
>
> [libdefaults]
>     default_realm = HIJ.KLM.COM
>
> Now as long as your /etc/resolv.conf contains something like this:
>
> search hij.klm.com
> nameserver <ipaddress of the DC>
>
> and time is the same on the DC and the domain member, you should be able to join the domain
>
> Also, as you are on Ubuntu, check that Network Manager isn't using dnsmasq, if it is, turn it off in the conf file. Check that you haven't got a line in /etc/hosts that starts '127.0.1.1' , if you do, remove it, if you are using DHCP you only need a line like this:
>
> 127.0.0.1 localhost
>
> If you are not using DHCP, you also need a line like this:
>
> 192.168.0.34 host.hij.klm.com host
>
> Where '192.168.0.34' is the ipaddress of the machine, 'host' is the machines hostname.
>
> Rowland