The avahi is turned off on all unix machines. I have already taken a look at https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member but I have this problem: kinit succeeded but ads_sasl_spnego_krb5_bind failed. Any idea?

On 09/04/16 08:22, Lists wrote:
> I am trying to setup a Samba4 as Domain Member to Samba 4 AD DC.
> The OS is Centos 7 and the samba is sernet samba 4.3
> When I run the following command
>
> net ads join -U Administrator -S solae.local
>
> I take the following message:
>
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Miscellaneous failure (see text) : Server (ldap/solae.local at SOLAE.LOCAL) unknown
> Failed to join domain: failed to connect to AD: Miscellaneous failure (see text) : Server (ldap/solae.local at SOLAE.LOCAL) unknown
>
> here is the smb.conf
>
> # Global parameters
> [global]
> netbios name = SOLAD
> workgroup = SOLAE
> realm = SOLAE.LOCAL
> security = ADS
> server role = member server
> idmap config SOLAE : backend = rid
> # idmap config SOLAE :schema_mode = rfc2307
> idmap config SOLAE : range = 10000-9999999
> idmap config * : backend = tdb
> idmap config * : range = 10000000-19999999
>
> # winbind nss info = rfc2307
> # winbind trusted domains only = no
> # winbind use default domain = yes
> # winbind enum users = yes
> # winbind enum groups = yes
> # dns forwarder = 10.0.0.2
> #[home]
> # path = /home/users
> # read only = No
>
> #[profiles]
> # path = /var/lib/samba/profiles
> # read only = no
>
> [Public]
> path = /home/Public
> read only = no
>
> #[Application]
> # path = /home/Application
> # read only = no
>
> here is the krb5.conf
> [libdefaults]
> default_realm = SOLAE.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> any idea?
>
> Georgios Liolios
>
I take it you didn't see the info about not using '.local', I would suggest either changing this, or turn off avahi on all Unix machines.

Try having a look here for how to setup a domain member: https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Finally, you shouldn't need the '-S solae.local', the net command should find the DC via dns

Rowland
Rowland penny
2016-Apr-09 09:04 UTC
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
On 09/04/16 09:06, Lists wrote:
> The avahi is turned off on all unix machines.
Are you 100% sure it is off, even better would be to remove it (or change '.local' to something else)
> I have already taken a look at https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
Try making your smb.conf look like the example one on the wiki page, this is known to work.
>
> but I have this problem kinit succeeded but ads_sasl_spnego_krb5_bind failed.
Does the machine you are trying to join have the DCs ipaddress as the first (and preferably only) nameserver in /etc/resolv.conf ?

Are you using dhcp on the domain member you are trying to join ? If so, is your DHCP server sending the full and correct data ?

Do you have a line starting 127.0.1.1 in /etc/hosts? If so, I would suggest removing it.

If it has a fixed ip, is /etc/hosts set up correctly?

You could always try the correct, and known to work, join command:

net ads join -U Administrator

Rowland
>
> any idea?
>
Rowland penny
2016-Apr-09 09:54 UTC
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
Taking this back on list where it belongs:

On 09/04/16 10:31, Lists wrote:
>> Are you 100% sure it is off, even better would be to remove it (or
>> change '.local' to something else)
> yes I am.
>
> systemctl list-unit-files | grep avahi
> avahi-daemon.service disabled
> avahi-daemon.socket disabled
>
OK
>> Try making your smb.conf look like the example one on the wiki page,
>> this is known to work.
> ???
Like this:

[global]
netbios name = SOLAD
security = ADS
workgroup = SOLAE
realm = SOLAE.LOCAL

log file = /var/log/samba/%m.log
log level = 1

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes

winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

# Important: The ranges of the default (*) idmap config
# and the domain(s) must not overlap!

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain SOLAE
idmap config SOLAE:backend = rid
idmap config SOLAE:range = 10000-99999

# Use template settings for login shell and home directory
winbind nss info = template
template shell = /sbin/bash
template homedir = /home/%U
>
> https://wiki.samba.org/index.php/Idmap_config_rid
>
>> Does the machine you are trying to join, have the DCs ipaddress as the
>> first (and preferably only) nameserver in /etc/resolv.conf ?
> here is the /etc/resolv.conf
>
> # Generated by NetworkManager
> search solae.local
> nameserver 10.0.0.22
> nameserver 10.0.0.2
>
>> Are you using dhcp on the domain member you are trying to join ?
>> If so, is your DHCP server sending the full and correct data ?
> No. I am not using DHCP.
>
>> Do you have a line starting 127.0.1.1 in /etc/hosts, if so. I would
>> suggest removing it.
>
> here is the /etc/hosts
>
> #10.0.0.22 solad solad.solae.local
> 10.0.0.25 solfs solfs.solae.local
> #127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> #::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>
>
Hmm, bit confused here, it looks like '10.0.0.22' is the ipaddress of the machine you are trying to join, but you have it commented out in /etc/hosts, I would suggest you remove the comment '#' from '10.0.0.22', '127.0.0.1' and '::1', I would also suggest you remove the entire '10.0.0.25' line, it doesn't seem to have anything to do with this client.

If '10.0.0.22' is the ipaddress of the client you are trying to join, then it also seems to be trying to use itself as a nameserver:

# Generated by NetworkManager
search solae.local
nameserver 10.0.0.22
nameserver 10.0.0.2

I would suggest removing the '10.0.0.22' line from /etc/resolv.conf and if '10.0.0.2' isn't the ipaddress of the DC, change it to the ip of the DC.

Once the changes are made, try again with:

net ads join -U Administrator

Rowland
Rowland penny
2016-Apr-09 10:24 UTC
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
On 09/04/16 11:09, Lists wrote:
> First of all the ip of the Samba AD DC is 10.0.0.22 and the smb.conf of this ad server is the following:
> [global]
> workgroup = SOLAE
> realm = SOLAE.LOCAL
> #security = ads
> # Use password server option only with security = server
> #password server = solad.solae.local
> netbios name = SOLAD
> server role = active directory domain controller
> dns forwarder = 10.0.0.2
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/solae.local/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
>> Like this:
>>
>> [global]
>> netbios name = SOLAD
>> security = ADS
>> workgroup = SOLAE
>> realm = SOLAE.LOCAL
>> log file = /var/log/samba/%m.log
>> log level = 1
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind refresh tickets = yes
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> # Important: The ranges of the default (*) idmap config
>> # and the domain(s) must not overlap!
>> # Default idmap config used for BUILTIN and local accounts/groups
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> # idmap config for domain SOLAE
>> idmap config SOLAE:backend = rid
>> idmap config SOLAE:range = 10000-99999
>> # Use template settings for login shell and home directory
>> winbind nss info = template
>> template shell = /sbin/bash
>> template homedir = /home/%U
> I have also changed /etc/hosts:
>
> 10.0.0.22 solad solad.solae.local
> 10.0.0.25 solfs solfs.solae.local
> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>
> I changed the smb.conf as previous and I take the same message:
>
> net ads join -U Administrator
> Enter Administrator's password:
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Miscellaneous failure (see text) : Server (ldap/solad.solae.local at SOLAE.LOCAL) unknown
> Failed to join domain: failed to connect to AD: Miscellaneous failure (see text) : Server (ldap/solad.solae.local at SOLAE.LOCAL) unknown
>
> Also take a look at the link https://wiki.samba.org/index.php/Idmap_config_rid.
>
>
>
> ----- Original message -----
> From: "Rowland penny" <rpenny at samba.org>
> To: "Lists" <list at solae.gr>, "samba" <samba at lists.samba.org>
> Sent: Saturday, April 9, 2016 12:54:50 PM
> Subject: Re: [Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
>
> Taking this back on list where it belongs:
> net ads join -U Administrator
> Enter Administrator's password:
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Miscellaneous failure (see text) : Server (ldap/solad.solae.local at SOLAE.LOCAL) unknown
> Failed to join domain: failed to connect to AD: Miscellaneous failure (see text) : Server (ldap/solad.solae.local at SOLAE.LOCAL) unknown
>
> On 09/04/16 10:31, Lists wrote:
>>> Are you 100% sure it is off, even better would be to remove it (or
>>> change '.local' to something else)
>> yes I am.
>>
>> systemctl list-unit-files | grep avahi
>> avahi-daemon.service disabled
>> avahi-daemon.socket disabled
>>
> OK
>
>>> Try making your smb.conf look like the example one on the wiki page,
>>> this is known to work.
>> ???
> Like this:
>
> [global]
> netbios name = SOLAD
> security = ADS
> workgroup = SOLAE
> realm = SOLAE.LOCAL
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> # Important: The ranges of the default (*) idmap config
> # and the domain(s) must not overlap!
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain SOLAE
> idmap config SOLAE:backend = rid
> idmap config SOLAE:range = 10000-99999
>
> # Use template settings for login shell and home directory
> winbind nss info = template
> template shell = /sbin/bash
> template homedir = /home/%U
>
>> https://wiki.samba.org/index.php/Idmap_config_rid
>>
>>> Does the machine you are trying to join, have the DCs ipaddress as the
>>> first (and preferably only) nameserver in /etc/resolv.conf ?
>> here is the /etc/resolv.conf
>>
>> # Generated by NetworkManager
>> search solae.local
>> nameserver 10.0.0.22
>> nameserver 10.0.0.2
>>
>>> Are you using dhcp on the domain member you are trying to join ?
>>> If so, is your DHCP server sending the full and correct data ?
>> No. I am not using DHCP.
>>
>>> Do you have a line starting 127.0.1.1 in /etc/hosts, if so. I would
>>> suggest removing it.
>>
>> here is the /etc/hosts
>>
>> #10.0.0.22 solad solad.solae.local
>> 10.0.0.25 solfs solfs.solae.local
>> #127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
>> #::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>>
>>
>
Getting even more confused now:

You tell me that the ip of the AD DC is: 10.0.0.22

Your new /etc/hosts says that 10.0.0.22 has the hostname: solad (note this shouldn't be in /etc/hosts on the domain member)

Your original post had this:

[global]
netbios name = SOLAD
workgroup = SOLAE
realm = SOLAE.LOCAL
security = ADS
server role = member server

You have now posted this:

[global]
workgroup = SOLAE
realm = SOLAE.LOCAL
#security = ads
# Use password server option only with security = server
#password server = solad.solae.local
netbios name = SOLAD
server role = active directory domain controller

Notice any similarity ?? I will give you a hint

Domain member: netbios name = SOLAD
AD DC : netbios name = SOLAD

The netbios name *must* be the short hostname of the computer, therefore they cannot be the same.

Rowland
Rowland penny
2016-Apr-09 10:40 UTC
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
On 09/04/16 11:30, Lists wrote:
> Ok, I am sorry, that was a test. I send you the smb.conf again
>
> # Global parameters
> [global]
> netbios name = SOLFS
> security = ADS
> workgroup = SOLAE
> realm = SOLAE.LOCAL
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> # Important: The ranges of the default (*) idmap config
> # and the domain(s) must not overlap!
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain SOLAE
> idmap config SOLAE:backend = rid
> idmap config SOLAE:range = 10000-99999
>
> # Use template settings for login shell and home directory
> winbind nss info = template
> template shell = /sbin/bash
> template homedir = /home/%U
> #[profiles]
> # path = /var/lib/samba/profiles
> # read only = no
>
> #[Public]
> # path = /home/Public
> # read only = no
>
> #[Application]
> # path = /home/Application
> # read only = no
>
>
>
Set /etc/resolv.conf on the machine you are trying to join to:

search solae.local
nameserver 10.0.0.22

Set /etc/hosts to:

10.0.0.25 solfs solfs.solae.local
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

Now try a few tests:

ping -c1 10.0.0.25

ping -c1 10.0.0.22

ping -c1 solad

ping -c1 solad.solae.local

If all these tests pass, try the join again

Rowland
Rowland penny
2016-Apr-09 11:14 UTC
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
On 09/04/16 11:55, Lists wrote:
> nope, the same message.
>
> I made all the changes, the tests are successful but the same message.
>
> ----- Original message -----
> From: "Rowland penny" <rpenny at samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Saturday, April 9, 2016 1:40:50 PM
> Subject: Re: [Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
>
> On 09/04/16 11:30, Lists wrote:
>> Ok, I am sorry, that was a test. I send you the smb.conf again
>>
>> # Global parameters
>> [global]
>> netbios name = SOLFS
>> security = ADS
>> workgroup = SOLAE
>> realm = SOLAE.LOCAL
>>
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind refresh tickets = yes
>>
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>> # Important: The ranges of the default (*) idmap config
>> # and the domain(s) must not overlap!
>>
>> # Default idmap config used for BUILTIN and local accounts/groups
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> # idmap config for domain SOLAE
>> idmap config SOLAE:backend = rid
>> idmap config SOLAE:range = 10000-99999
>>
>> # Use template settings for login shell and home directory
>> winbind nss info = template
>> template shell = /sbin/bash
>> template homedir = /home/%U
>> #[profiles]
>> # path = /var/lib/samba/profiles
>> # read only = no
>>
>> #[Public]
>> # path = /home/Public
>> # read only = no
>>
>> #[Application]
>> # path = /home/Application
>> # read only = no
>>
>>
>>
>>
> Set /etc/resolv.conf on the machine you are trying to join to:
>
> search solae.local
> nameserver 10.0.0.22
>
> Set /etc/hosts to:
>
> 10.0.0.25 solfs solfs.solae.local
> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>
> Now try a few tests:
>
> ping -c1 10.0.0.25
>
> ping -c1 10.0.0.22
>
> ping -c1 solad
>
> ping -c1 solad.solae.local
>
> If all these tests pass, try the join again
>
> Rowland
>
OK, let's just check a few things, starting with the machine you are trying to join:

/etc/resolv.conf contains:

search solae.local
nameserver 10.0.0.22

10.0.0.22 is the ipaddress of the Samba4 AD DC

/etc/hosts contains just:

10.0.0.25 solfs solfs.solae.local
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

10.0.0.25 is the ipaddress of the machine you are trying to join and its short hostname is solfs

Pinging the DC by ip, short hostname and fqdn succeeds.

/etc/krb5.conf contains:

[libdefaults]
default_realm = SOLAE.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

Does /etc/krb5.keytab exist ? if so, remove it.

Now on the DC

/etc/resolv.conf should contain:

search solae.local
nameserver 10.0.0.22

/etc/hosts should contain just:

10.0.0.22 solad solad.solae.local
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

/etc/krb5.conf should contain:

[libdefaults]
default_realm = SOLAE.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

You should be able to ping the machine you want to join by ip

ping -c1 10.0.0.25

If all the above are correct, you should be able to join the machine.

All I can think of after that is:

Selinux, is this enabled and blocking something ?
Is a firewall running and blocking ports ?
Finally, is the time between the two machines in sync ?

Rowland
Rowland penny
2016-Apr-09 13:07 UTC
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
On 09/04/16 13:56, Lists wrote:
>> How did you provision Samba ?
> samba-tool domain provision --use-rfc2307 --interactive
>
>> Is Samba running on the DC ??
>> Does 'ps ax | grep samba' produce something similar to this:
> [root at solad ~]# ps ax | grep samba
> 2309 ? Ss 0:00 /usr/sbin/samba -D
> 2328 ? S 0:00 /usr/sbin/samba -D
> 2329 ? S 0:00 /usr/sbin/samba -D
> 2331 ? S 0:01 /usr/sbin/samba -D
> 2332 ? S 0:00 /usr/sbin/samba -D
> 2333 ? S 0:01 /usr/sbin/samba -D
> 2334 ? S 0:00 /usr/sbin/samba -D
> 2335 ? S 0:01 /usr/sbin/samba -D
> 2336 ? S 0:02 /usr/sbin/samba -D
> 2337 ? S 0:00 /usr/sbin/samba -D
> 2338 ? S 0:00 /usr/sbin/samba -D
> 2340 ? S 0:00 /usr/sbin/samba -D
> 2341 ? S 0:00 /usr/sbin/samba -D
> 2342 ? S 0:04 /usr/sbin/samba -D
>
>
OK, found something on the net, what does the 'hosts' line in /etc/nsswitch.conf contain ?

Rowland
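The checks Rowland walks through in this thread (netbios name equal to the short hostname, non-overlapping idmap ranges, the DC as first and only nameserver, no 127.0.1.1 or DC entry in the member's /etc/hosts, and the nsswitch 'hosts' line he asks about last) can be run as one pre-join sanity check. This is an added example, not code from the thread or from the Samba project; the function names are hypothetical, the sample configs are constructed from values posted in the thread, and the mDNS rule assumes nss-mdns semantics (a '.local' name listed before 'dns' never reaches the AD DNS server).

```python
import re

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with spaces around ':' removed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.split())).lower()
            conf[section][key] = value.strip()
    return conf

def idmap_range(glob, domain):
    value = glob.get(f"idmap config {domain.lower()}:range")
    if value is None:
        return None
    low, high = value.split("-")
    return int(low), int(high)

def check_member(smb_conf, resolv_conf, hosts, nsswitch, short_hostname, dc_ip):
    """Return a list of findings that would make 'net ads join' fail or misbehave."""
    findings = []
    g = parse_smb_conf(smb_conf).get("global", {})
    # 1. netbios name must be this host's short name; a DC and a member cannot share it
    netbios = g.get("netbios name", short_hostname)
    if netbios.lower() != short_hostname.lower():
        findings.append(f"netbios name {netbios} is not the short hostname {short_hostname}")
    # 2. the default (*) idmap range and the domain range must not overlap
    default, domain = idmap_range(g, "*"), idmap_range(g, g.get("workgroup", ""))
    if default and domain and default[0] <= domain[1] and domain[0] <= default[1]:
        findings.append(f"idmap ranges overlap: * {default} vs domain {domain}")
    # 3. the DC must be the first (and preferably only) nameserver
    ns = re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)
    if not ns or ns[0] != dc_ip:
        findings.append(f"first nameserver is {ns[0] if ns else 'missing'}, expected DC {dc_ip}")
    elif len(ns) > 1:
        findings.append(f"extra nameservers {ns[1:]} can answer AD lookups without the SRV records")
    # 4. /etc/hosts: no 127.0.1.1 line, and the DC must come from DNS, not a static entry
    for line in hosts.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "127.0.1.1":
            findings.append("remove the 127.0.1.1 line from /etc/hosts")
        if fields and fields[0] == dc_ip:
            findings.append(f"DC {dc_ip} is pinned in /etc/hosts; let DNS resolve it")
    # 5. with a .local realm, an mdns module listed before dns captures the lookup (nss-mdns assumption)
    m = re.search(r"^\s*hosts:\s*(.*)$", nsswitch, re.M)
    order = m.group(1).split() if m else []
    mdns = [i for i, o in enumerate(order) if o.startswith("mdns")]
    if g.get("realm", "").lower().endswith(".local") and mdns and ("dns" not in order or mdns[0] < order.index("dns")):
        findings.append("realm ends in .local but nsswitch resolves hosts via mDNS before DNS")
    return findings

# Constructed sample (not from the page) mirroring the first post: host solfs, DC 10.0.0.22
SAMPLE = dict(smb_conf="[global]\nnetbios name = SOLAD\nworkgroup = SOLAE\nrealm = SOLAE.LOCAL\n"
              "idmap config SOLAE : range = 10000-9999999\nidmap config * : range = 10000000-19999999\n",
              resolv_conf="search solae.local\nnameserver 10.0.0.22\nnameserver 10.0.0.2\n",
              hosts="10.0.0.22 solad solad.solae.local\n10.0.0.25 solfs solfs.solae.local\n",
              nsswitch="hosts: files mdns4_minimal [NOTFOUND=return] dns\n")
```

Calling `check_member(**SAMPLE, short_hostname="solfs", dc_ip="10.0.0.22")` reports the netbios clash, the second nameserver, the pinned DC and the mDNS ordering, and an empty list means the member matches Rowland's checklist.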