Gaeseric Vandal
2017-Sep-19 02:45 UTC
[Samba] samba on solaris 11 can no longer join Windows AD domain
I would like to move my Samba file server (Samba 4.4.14 on Solaris 11) from
a classic domain into an Active Directory domain. The active directory
domain has one Win 2008 directory server / domain controller, and one Win
2012 R2 DS. E-mail, among other things, depends on a Microsoft AD
backend.
A few months ago I was able to join a test server to the AD domain. Today
I tried joining a 2nd one, but without success.
testmachine1# net ads join -U Administrator@mydomain.com
Enter Administrator@mydomain.com's password:
Failed to join domain: Failed to set machine spn: Time limit exceeded
Do you have sufficient permissions to create machine accounts?
I thought that I may have not properly replicated the configuration, so I
tried it on the first test server, with the same error.
The event log on the AD DS shows
Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 9/18/2017 10:01:27 PM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DS1.mydomain.com
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 2:1:27.0000 9/19/2017 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: MYDOMAIN.COM
Server Name: DS1.mydomain.com
Target Name: DS1.mydomain.com@MYDOMAIN.COM
I have applied patches over the last few months to the Windows servers.
Can't think of any significant changes on the windows side.
I have copied and pasted the partial output of testparm -v.
root@testmachine1:~# testparm -v
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
bind interfaces only = No
config backend = file
dos charset = CP850
enable core files = Yes
interfaces
multicast dns register = Yes
netbios aliases
netbios name = ZION
netbios scope
realm = SSCI.COM
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate, dns
server string = Samba Server Version %v
share backend = classic
unix charset = UTF-8
workgroup = SSCI
browse list = Yes
domain master = No
enhanced browsing = Yes
lm announce = Auto
lm interval = 60
local master = Yes
os level = 20
preferred master = Auto
allow dns updates = secure only
dns forwarder
dns update command = /usr/lib/samba/sbin/samba_dnsupdate
machine password timeout = 604800
nsupdate command = /usr/bin/nsupdate -g
rndc command = /usr/sbin/rndc
spn update command = /usr/lib/samba/sbin/samba_spnupdate
mangle prefix = 1
mangling method = hash2
max stat cache size = 256
stat cache = Yes
client ldap sasl wrapping = plain
.
cldap port = 389
client ipc max protocol = default
client ipc min protocol = default
client max protocol = default
client min protocol = CORE
client use spnego = Yes
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon,
lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
defer sharing violations = Yes
dgram port = 138
disable netbios = No
enable asu support = No
eventlog list
large readwrite = Yes
max mux = 50
max ttl = 259200
max wins ttl = 518400
max xmit = 16644
min receivefile size = 0
min wins ttl = 21600
name resolve order = lmhosts wins host bcast
nbt port = 137
nt pipe support = Yes
nt status support = Yes
read raw = Yes
rpc big endian = No
server max protocol = SMB3
server min protocol = LANMAN1
server multi channel support = No
.
name resolve order = lmhosts wins host bcast
nbt port = 137
nt pipe support = Yes
nt status support = Yes
read raw = Yes
rpc big endian = No
server max protocol = SMB3
server min protocol = LANMAN1
server multi channel support = No
smb2 max credits = 8192
smb2 max read = 8388608
smb2 max trans = 8388608
smb2 max write = 8388608
smb ports = 445 139
svcctl list
time server = No
unicode = Yes
unix extensions = Yes
use spnego = Yes
web port = 901
write raw = Yes
algorithmic rid base = 1000
allow dcerpc auth level connect = No
allow trusted domains = Yes
auth methods
check password script
client ipc signing = default
client lanman auth = No
client NTLMv2 auth = Yes
client plaintext auth = No
client schannel = Auto
client signing = default
client use spnego principal = No
dedicated keytab file
encrypt passwords = Yes
guest account = nobody
kerberos method = default
kpasswd port = 464
krb5 port = 88
lanman auth = No
log nt token command
map to guest = Never
map untrusted to domain = No
ntlm auth = Yes
ntp signd socket directory = /var/samba/lib/ntp_signd
null passwords = No
obey pam restrictions = No
old password allowed period = 60
pam password change = No
passdb backend = tdbsam
passdb expand explicit = No
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
passwd chat timeout = 2
passwd program
password server = *
preload modules
private dir = /etc/samba/private
raw NTLMv2 auth = No
rename user script
restrict anonymous = 0
root directory
samba kcc command = /usr/lib/samba/sbin/samba_kcc
security = ADS
server role = auto
server schannel = Auto
server signing = default
smb passwd file = /etc/samba/private/smbpasswd
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls crlfile
tls dh params file
tls enabled = Yes
tls keyfile = tls/key.pem
tls priority = NORMAL:-VERS-SSL3.0
tls verify peer = as_strict_as_possible
unix password sync = No
username level = 0
username map
username map cache time = 0
username map script
aio max threads = 100
deadtime = 0
getwd cache = Yes
hostname lookups = No
keepalive = 300
max disk size = 0
max open files = 16384
max smbd processes = 0
name cache timeout = 660
socket options = TCP_NODELAY
use mmap = Yes
get quota command
host msdfs = Yes
set quota command
create krb5 conf = No
idmap backend = tdb
idmap cache time = 604800
idmap gid
idmap negative cache time = 120
idmap uid
include system krb5 conf = Yes
neutralize nt4 emulation = No
reject md5 servers = No
require strong key = Yes
template homedir = /home/%D/%U
template shell = /bin/false
winbind cache time = 300
winbindd privileged socket directory = /var/samba/lib/winbindd_privileged
winbindd socket directory = /var/samba/run/winbindd
winbind enum groups = Yes
winbind enum users = Yes
winbind expand groups = 0
winbind max clients = 200
winbind max domain connections = 1
winbind nested groups = Yes
winbind normalize names = No
winbind nss info = rfc2307
winbind offline logon = No
winbind reconnect delay = 30
winbind refresh tickets = No
winbind request timeout = 60
winbind rpc only = No
winbind sealed pipes = Yes
winbind separator = \
winbind trusted domains only = No
winbind use default domain = No
dns proxy = Yes
wins hook
wins proxy = No
wins server = 192.x.x.x
wins support = No
...
Appreciate any advice
Thanks
Rowland Penny
2017-Sep-19 09:30 UTC
[Samba] samba on solaris 11 can no longer join Windows AD domain
On Mon, 18 Sep 2017 22:45:04 -0400 Gaeseric Vandal via samba <samba at lists.samba.org> wrote:> I would like to move my Samba file server (Samba 4.4.14 on Solaris > 11) from a classic domain into an Active Directory domain. The > active directory domain has one Win 2008 directory server / domain > controller, and one Win 2012 R2 DS. E-mail, among other things, > depends on a Microsoft AD backend. > > > A few months ago I was able to join a test server to the AD > domain. Today I tried joining a 2nd one, but without success. > > > > testmachine1# net ads join -U Administrator at mydomain.com > > Enter Administrator at mydomain.com's password: > > Failed to join domain: Failed to set machine spn: Time limit exceeded > > Do you have sufficient permissions to create machine accounts? > > > > > > I thought that I may have not properly replicated the configuration, > so I tried it on the first test server, with the same error. > > > > The event log on the AD DS shows > > > > > > > > Log Name: System > > Source: Microsoft-Windows-Security-Kerberos > > Date: 9/18/2017 10:01:27 PM > > Event ID: 3 > > Task Category: None > > Level: Error > > Keywords: Classic > > User: N/A > > Computer: DS1.mydomain.com > > Description: > > A Kerberos Error Message was received: > > on logon session > > Client Time: > > Server Time: 2:1:27.0000 9/19/2017 Z > > Error Code: 0xd KDC_ERR_BADOPTION > > Extended Error: 0xc00000bb KLIN(0) > > Client Realm: > > Client Name: > > Server Realm: MYDOMAIN.COM > > Server Name: DS1.mydomain.com > > Target Name: DS1.mydomain.com at MYDOMAIN.COM > <mailto:DS1.mydomain.com at MYDOMAIN.COM> > > > > > > > > I have applied patches over the last few months to the Windows > servers. Can't think of any significant changes on the windows side. > > > > I have copied and pasted the partial output of testparm -v. 
> > > > root@testmachine1:~# testparm -v
>

Please don't ever do that again, never send the verbose output from testparm, just send the output of 'cat'.

I believe your smb.conf on disk will look like this:

[global]
	netbios name = ZION
	realm = SSCI.COM
	server string = Samba Server Version %v
	workgroup = SSCI
	domain master = No
	client ldap sasl wrapping = plain
	ntlm auth = Yes
	private dir = /etc/samba/private
	security = ADS
	smb passwd file = /etc/samba/private/smbpasswd
	create krb5 conf = No
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind nss info = rfc2307
	wins server = 192.x.x.x

Before going any further, can I ask how (once you have joined the domain) you propose to make your Windows users known to the Unix system ? There is a distinct lack of 'idmap config' lines.

Does the /etc/resolv.conf point to a DC as a nameserver ?
Does the proposed Unix domain member get its IP via DHCP ?
What is in /etc/hosts ?
What is in /etc/krb5.conf ?

Rowland
Gaiseric Vandal
2017-Sep-19 12:26 UTC
[Samba] samba on solaris 11 can no longer join Windows AD domain
On 09/19/17 05:30, Rowland Penny via samba wrote:> On Mon, 18 Sep 2017 22:45:04 -0400 > Gaeseric Vandal via samba <samba at lists.samba.org> wrote: > >> I would like to move my Samba file server (Samba 4.4.14 on Solaris >> 11) from a classic domain into an Active Directory domain. The >> active directory domain has one Win 2008 directory server / domain >> controller, and one Win 2012 R2 DS. E-mail, among other things, >> depends on a Microsoft AD backend. >> >> >> A few months ago I was able to join a test server to the AD >> domain. Today I tried joining a 2nd one, but without success. >> >> >> >> testmachine1# net ads join -U Administrator at mydomain.com >> >> Enter Administrator at mydomain.com's password: >> >> Failed to join domain: Failed to set machine spn: Time limit exceeded >> >> Do you have sufficient permissions to create machine accounts? >> >> >> >> >> >> I thought that I may have not properly replicated the configuration, >> so I tried it on the first test server, with the same error. >> >> >> >> The event log on the AD DS shows >> >> >> >> >> >> >> >> Log Name: System >> >> Source: Microsoft-Windows-Security-Kerberos >> >> Date: 9/18/2017 10:01:27 PM >> >> Event ID: 3 >> >> Task Category: None >> >> Level: Error >> >> Keywords: Classic >> >> User: N/A >> >> Computer: DS1.mydomain.com >> >> Description: >> >> A Kerberos Error Message was received: >> >> on logon session >> >> Client Time: >> >> Server Time: 2:1:27.0000 9/19/2017 Z >> >> Error Code: 0xd KDC_ERR_BADOPTION >> >> Extended Error: 0xc00000bb KLIN(0) >> >> Client Realm: >> >> Client Name: >> >> Server Realm: MYDOMAIN.COM >> >> Server Name: DS1.mydomain.com >> >> Target Name: DS1.mydomain.com at MYDOMAIN.COM >> <mailto:DS1.mydomain.com at MYDOMAIN.COM> >> >> >> >> >> >> >> >> I have applied patches over the last few months to the Windows >> servers. Can't think of any significant changes on the windows side. >> >> >> >> I have copied and pasted the partial output of testparm -v. 
>> >> >> >> root@testmachine1:~# testparm -v
>>
> Please don't ever do that again, never send the verbose output from
> testparm, just send the output of 'cat'
>>
> Before going any further, can I ask how (once you have joined
> the domain) you propose to make your Windows users known to the Unix
> system ? There is a distinct lack of 'idmap config' lines.
>
> Does the /etc/resolv.conf point to a DC as a nameserver ?
> Does the proposed Unix domain member get its IP via DHCP ?
> What is in /etc/hosts ?
> What is in /etc/krb5.conf ?
>
> Rowland
>

Sorry, meant to copy and paste only the relevant stuff. I think I hit paste twice.

The problem with showing just the config file is that options not explicitly set may have different defaults depending on version. I have attached part of cat smb.conf below.

/etc/hosts does not include the AD Domain controllers.

/etc/resolv.conf shows 2ndary DNS servers, which in turn sync data from the AD Domain controllers. I don't think this is a DNS issue since "net join" and "net ads join" are locating the AD domain controllers.

/etc/krb5/krb5.conf is set up for the MYDOMAIN realm. I can use the ldapclient and kinit to join the machine to the MYDOMAIN AD realm for "Unix" level user and group lookups (via ldap) and kerberos authentication. I did find that Solaris "native" kerberos and Samba expect krb5.keytab files in different locations, which I resolved with a sym link between /etc/krb5.keytab and /etc/krb5/krb5.keytab.

All member servers use static IP.

Thanks

________________________________________________________________________________________________________________

#cat /etc/samba/smb.conf
...
#======================= Global Settings ====================================
[global]
	private dir = /etc/samba/private
	smb passwd file = /etc/samba/private/smbpasswd
	syslog = 3
	log level = 10
	client ldap sasl wrapping = plain
	ldap server require strong auth = no
	create krb5 conf = no
...
# max protocol = used to define the supported protocol. The default is NT1. You
# can set it to SMB2 if you want experimental SMB2 support.
#
	workgroup = MYDOMAIN
	server string = Samba Server Version %v
	netbios name = MYSERVER
;	max protocol = SMB2
	passdb backend = tdbsam
	security = ads
	realm = MYDOMAIN.COM
	idmap config *:backend = tdb
	idmap config *:range = 2000-2999
	idmap config MYDOMAIN:backend = ad
	idmap config MYDOMAIN:schema_mode = rfc2307
	idmap config MYDOMAIN:range = 100-1999
	# Use settings from AD for login shell and home directory
	winbind nss info = rfc2307
	winbind enum users = yes
	winbind enum groups = yes
	domain master = no
	domain logons = no
_______________________________________________________________________________________________________________