samba - Nov 2015 - Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...

When I sent the original note, I had it configured this way:

[realms]
HIJ.KLM.COM <http://hij.klm.com/> = {
kdc = ad1.hij.klm.com
kdc = ad2.hij.klm.com
admin_server = ad.hij.klm.com
default_domain = hij.klm.com
}

[domain_realm]
.xyz.hij.klm.com = HIJ.KLM.COM <http://hij.klm.com/>
.hij.klm.com = HIJ.KLM.COM <http://hij.klm.com/>

But then after reading about kerberos on the samba site, it seemed to
suggest to not configure krb5.conf and instead rely on DNS.  I then noticed
these two lines in the krb5.conf that seemed to say "ignore DNS for
kerberos":

        dns_lookup_realm = false
        dns_lookup_kdc = false

After changing those to true and commenting all the realm and domain_realm
stuff out, I could still do a kinit of my domain account and login to the
server using kerberos but still have issues with the testjoin and starting
smbd gives me errors such as:

[2015/11/17 20:16:58.660864,  0]
../source3/libads/kerberos_util.c:74(ads_kinit_password)
  kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC
for requested realm

On Wed, Nov 18, 2015 at 3:03 AM L.P.H. van Belle <belle at bazuin.nl>
wrote:
> Hai,
>
> From the logs.
> > ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
> > directory) kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot
> > contact any KDC for requested realm
> > ads_connect: Cannot contact any KDC for requested realm Join to domain
> > is not valid: No logon servers return code = -1
>
> In your krb5.conf
>
> ad.hij.klm.com does that exist in the domain.
> Because in you logs is see also.
>
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > AD1.HIJ.KLM.COM<0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > AD1.HIJ.KLM.COM<0x20>
> > resolve_wins: WINS server resolution selected and no WINS servers
listed.
> > resolve_hosts: Attempting host lookup for name
AD1.HIJ.KLM.COM<0x20>
> > Successfully contacted LDAP server a.b.c.d Connected to LDAP server
> > ad1.hij.klm.com
>
>
> Your sure in krb5.conf
> > admin_server = ad.hij.klm.com is correct ?
>
> Greetz,
>
> Louis
>
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland
Penny
> > Verzonden: dinsdag 17 november 2015 23:05
> > Aan: samba at lists.samba.org
> > Onderwerp: Re: [Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems
> > successful with caveats, testjoin reports no logon servers...
> >
> > On 17/11/15 21:41, Schuyler Bishop wrote:
> > > Interesting.  So would having the account I'm creating it
with in the
> > > same subdomain fix the potential trust issues, or is samba's
function
> > > in a subdomain in general in question?
> > >
> >
> > I honestly don't know, what I can say is that when you try to join
a
> > Samba domain member to a DC in the same domain, it just works.
> >
> > Has anybody been able to make this work ?
> >
> > Rowland
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 18/11/15 18:08, Schuyler Bishop wrote:
> When I sent the original note, I had it configured this way:
>
> [realms]
> HIJ.KLM.COM <http://hij.klm.com/> = {
> kdc = ad1.hij.klm.com
> kdc = ad2.hij.klm.com
> admin_server = ad.hij.klm.com
> default_domain = hij.klm.com
> }
>
> [domain_realm]
> .xyz.hij.klm.com = HIJ.KLM.COM <http://hij.klm.com/>
> .hij.klm.com = HIJ.KLM.COM <http://hij.klm.com/>
>
> But then after reading about kerberos on the samba site, it seemed to
> suggest to not configure krb5.conf and instead rely on DNS.  I then noticed
> these two lines in the krb5.conf that seemed to say "ignore DNS for
> kerberos":
>
>          dns_lookup_realm = false
>          dns_lookup_kdc = false
>
> After changing those to true and commenting all the realm and domain_realm
> stuff out, I could still do a kinit of my domain account and login to the
> server using kerberos but still have issues with the testjoin and starting
> smbd gives me errors such as:
>
> [2015/11/17 20:16:58.660864,  0]
> ../source3/libads/kerberos_util.c:74(ads_kinit_password)
>    kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC
> for requested realm
>
>
OK, it would seem that you really only need this in krb5.conf:

[libdefaults]
         default_realm = HIJ.KLM.COM

Now as long as your /etc/resolv.conf contains something like this:

search hij.klm.com
nameserver <ipaddress of the DC>

and time is the same on the DC and the domain member, you should be able 
to join the domain

Also, as you are on Ubuntu, check that Network Manager isn't using 
dnsmasq, if it is, turn it off in the conf file. Check that you haven't 
got a line in /etc/hosts that starts '127.0.1.1' , if you do, remove it,
if you are using DHCP you only need a line like this:

127.0.0.1    localhost

If you are not using DHCP, you also need a line like this:

192.168.0.34    host.hij.klm.com    host

Where '192.168.0.34' is the ipaddress of the machine, 'host' is
the
machines hostname.

Rowland

So - the fix was to put it into klm.com rather than hij.klm.com.  Kind of
verifies one of the thoughts earlier in the stream - don't use a subdomain
with a trust.  Or try to but if it doesn't work, you'll just have to put
it
in the forrest root domain.

On Wed, Nov 18, 2015 at 1:53 PM Rowland Penny <rowlandpenny241155 at
gmail.com>
wrote:
> On 18/11/15 18:08, Schuyler Bishop wrote:
> > When I sent the original note, I had it configured this way:
> >
> > [realms]
> > HIJ.KLM.COM <http://hij.klm.com/> = {
> > kdc = ad1.hij.klm.com
> > kdc = ad2.hij.klm.com
> > admin_server = ad.hij.klm.com
> > default_domain = hij.klm.com
> > }
> >
> > [domain_realm]
> > .xyz.hij.klm.com = HIJ.KLM.COM <http://hij.klm.com/>
> > .hij.klm.com = HIJ.KLM.COM <http://hij.klm.com/>
> >
> > But then after reading about kerberos on the samba site, it seemed to
> > suggest to not configure krb5.conf and instead rely on DNS.  I then
> noticed
> > these two lines in the krb5.conf that seemed to say "ignore DNS
for
> > kerberos":
> >
> >          dns_lookup_realm = false
> >          dns_lookup_kdc = false
> >
> > After changing those to true and commenting all the realm and
> domain_realm
> > stuff out, I could still do a kinit of my domain account and login to
the
> > server using kerberos but still have issues with the testjoin and
> starting
> > smbd gives me errors such as:
> >
> > [2015/11/17 20:16:58.660864,  0]
> > ../source3/libads/kerberos_util.c:74(ads_kinit_password)
> >    kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact
any
> KDC
> > for requested realm
> >
> >
>
> OK, it would seem that you really only need this in krb5.conf:
>
> [libdefaults]
>          default_realm = HIJ.KLM.COM
>
> Now as long as your /etc/resolv.conf contains something like this:
>
> search hij.klm.com
> nameserver <ipaddress of the DC>
>
> and time is the same on the DC and the domain member, you should be able
> to join the domain
>
> Also, as you are on Ubuntu, check that Network Manager isn't using
> dnsmasq, if it is, turn it off in the conf file. Check that you haven't
> got a line in /etc/hosts that starts '127.0.1.1' , if you do,
remove it,
> if you are using DHCP you only need a line like this:
>
> 127.0.0.1    localhost
>
> If you are not using DHCP, you also need a line like this:
>
> 192.168.0.34    host.hij.klm.com    host
>
> Where '192.168.0.34' is the ipaddress of the machine,
'host' is the
> machines hostname.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>