Hi,

I want to authenticate against Samba 4 using samba and sssd on FreeBSD using this guide:

http://serverfault.com/questions/599200/how-to-integrate-active-directory-with-freebsd-10-0-using-security-sssd

The problem is, the machine I want to install authentication on is the domain controller itself.

So the following commands show the errors:

net ads join createupn=host/macy.ronnyforberger.de at RONNYFORBERGER.DE -k -d1
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.

The host role is active directory domain controller.
Any ideas how I can join the domain with this host?

Best regards,
Ronny

--
___________________________________
Ronny Forberger
ronnyforberger at ronnyforberger.de
PGP: http://www.ronnyforberger.de/pgp/email-encryption.html

On Fri, 11 Nov 2016 17:19:13 +0100 Ronny Forberger via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I want to authenticate against Samba 4 using samba and sssd on FreeBSD
> using this guide:
>
> http://serverfault.com/questions/599200/how-to-integrate-active-directory-with-freebsd-10-0-using-security-sssd
>
> The problem is, the machine I want to install authentication on is the
> domain controller itself.
>
> So the following commands show the errors:
>
> net ads join createupn=host/macy.ronnyforberger.de at RONNYFORBERGER.DE
> -k -d1 Host is not configured as a member server.
> Invalid configuration. Exiting....
> Failed to join domain: This operation is only allowed for the PDC of
> the domain.
>
> The host role is active directory domain controller.
> Any ideas how I can join the domain with this host?
>
> Best regards,
> Ronny
>

Two things here, one, you don't join a DC to the domain, it is already joined.

Secondly, you are asking in the wrong place for SSSD problems, try the sssd-users list, they are the sssd experts.

Rowland

Hello Ronny,

On 11.11.2016 at 17:19, Ronny Forberger via samba wrote:

> I want to authenticate against Samba 4 using samba and sssd on FreeBSD
> using this guide:
>
> http://serverfault.com/questions/599200/how-to-integrate-active-directory-with-freebsd-10-0-using-security-sssd
>
> The problem is, the machine I want to install authentication on is the
> domain controller itself.
>
> So the following commands show the errors:
>
> net ads join createupn=host/macy.ronnyforberger.de at RONNYFORBERGER.DE -k -d1
> Host is not configured as a member server.
> Invalid configuration. Exiting....
> Failed to join domain: This operation is only allowed for the PDC of the
> domain.
>
> The host role is active directory domain controller.
> Any ideas how I can join the domain with this host?

If you set up the host as DC, then it is naturally already a member of the AD domain. You don't join it.

Just install SSSD and configure it to retrieve user and groups from AD + configure PAM. There are several guides on the internet how to configure SSSD for AD.

Regards,
Marc

On 11.11.2016 at 17:33, Marc Muehlfeld wrote:

> Hello Ronny,
>
> On 11.11.2016 at 17:19, Ronny Forberger via samba wrote:
>> I want to authenticate against Samba 4 using samba and sssd on FreeBSD
>> using this guide:
>>
>> http://serverfault.com/questions/599200/how-to-integrate-active-directory-with-freebsd-10-0-using-security-sssd
>>
>> The problem is, the machine I want to install authentication on is the
>> domain controller itself.
>>
>> So the following commands show the errors:
>>
>> net ads join createupn=host/macy.ronnyforberger.de at RONNYFORBERGER.DE -k -d1
>> Host is not configured as a member server.
>> Invalid configuration. Exiting....
>> Failed to join domain: This operation is only allowed for the PDC of the
>> domain.
>>
>> The host role is active directory domain controller.
>> Any ideas how I can join the domain with this host?
>
> If you set up the host as DC, then it is naturally already a member of
> the AD domain. You don't join it.
>
> Just install SSSD and configure it to retrieve user and groups from AD +
> configure PAM. There are several guides on the internet how to configure
> SSSD for AD.
>
>
> Regards,
> Marc

Hi Marc,

thanks, I guessed that. But the SSSD tells me the following error:

[select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Fri Nov 11 17:10:11 2016) [sssd[be[ronnyforberger.de]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
(Fri Nov 11 17:10:11 2016) [sssd[be[ronnyforberger.de]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
(Fri Nov 11 17:10:11 2016) [sssd[be[ronnyforberger.de]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
(Fri Nov 11 17:10:11 2016) [sssd[be[ronnyforberger.de]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
(Fri Nov 11 17:10:11 2016) [sssd[be[ronnyforberger.de]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
(Fri Nov 11 17:10:11 2016) [sssd[be[ronnyforberger.de]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
(Fri Nov 11 17:10:11 2016) [sssd[be[ronnyforberger.de]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
(Fri Nov 11 17:10:11 2016) [sssd[be[ronnyforberger.de]]] [select_principal_from_keytab] (0x0080): No suitable principal found in keytab
(Fri Nov 11 17:10:11 2016) [sssd[be[ronnyforberger.de]]] [ad_set_ad_id_options] (0x0040): Cannot set the SASL-related options
(Fri Nov 11 17:10:11 2016) [sssd[be[ronnyforberger.de]]] [load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
(Fri Nov 11 17:10:11 2016) [sssd[be[ronnyforberger.de]]] [be_process_init] (0x0010): fatal error initializing data providers
(Fri Nov 11 17:10:11 2016) [sssd[be[ronnyforberger.de]]] [main] (0x0010): Could not initialize backend [2]

I thought this is because of not having joined the domain. It's complaining about the keytab. Do you have any ideas here?

Best regards,
Ronny

--
___________________________________
Ronny Forberger
ronnyforberger at ronnyforberger.de
PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
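
Added example, not part of any message in this thread: a small triage script for SSSD backend debug output of the kind pasted above, which collapses repeated lines and reports the earliest keytab failure that the later fatal errors follow from. The sample log is constructed from the thread's messages with the placeholder domain `example.test`, and the helper names `parse`, `summarize` and `first_keytab_error` are hypothetical.

```python
import re
from collections import Counter

# SSSD failure levels from sssd.conf(5); every other bit is reported as "info".
LEVELS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor"}

# "(timestamp) [process] [function] (0xLEVEL): message". The timestamp and
# process prefix is optional: the first pasted line in the thread lacks it.
LINE_RE = re.compile(
    r"(?:\((?P<ts>[^)]+)\)\s+\[(?P<proc>sssd\S*?)\]\s+)?"
    r"\[(?P<func>\w+)\]\s+\((?P<lvl>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)")

# Constructed sample modelled on the thread's log; example.test is a placeholder.
P = "(Fri Nov 11 17:10:11 2016) [sssd[be[example.test]]] "
SAMPLE = "\n".join(
    ["[select_principal_from_keytab] (0x0200): trying to select the most "
     "appropriate principal from keytab"]
    + [P + "[find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed."] * 3
    + [P + "[select_principal_from_keytab] (0x0080): No suitable principal found in keytab",
       P + "[ad_set_ad_id_options] (0x0040): Cannot set the SASL-related options",
       P + "[load_backend_module] (0x0010): Error (2) in module (ad) "
           "initialization (sssm_ad_id_init)!"])

def parse(text):
    """Return one dict per recognisable SSSD debug line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["level"] = LEVELS.get(int(entry.pop("lvl"), 16), "info")
            entries.append(entry)
    return entries

def summarize(entries):
    """Collapse repeated (level, function, message) triples into counts."""
    return Counter((e["level"], e["func"], e["msg"]) for e in entries)

def first_keytab_error(entries):
    """Return the earliest keytab failure; later errors follow from it."""
    for e in entries:
        if e["level"] != "info" and "keytab" in e["func"] + e["msg"]:
            return e["func"], e["msg"]
    return None

if __name__ == "__main__":
    for (level, func, msg), n in summarize(parse(SAMPLE)).items():
        print(f"{n}x {level:9s} {func}: {msg}")
    print("first keytab error:", first_keytab_error(parse(SAMPLE)))
```

`krb5_kt_start_seq_get` is the libkrb5 call that opens a keytab for sequential reading, so a failure there points at the keytab file SSSD was told to read (its path, existence or permissions).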