Gaeseric Vandal
2017-Sep-19 02:45 UTC
[Samba] samba on solaris 11 can no longer join Windows AD domain
I would like to move my Samba file server (Samba 4.4.14 on Solaris 11) from a classic domain into an Active Directory domain. The Active Directory domain has one Win 2008 directory server / domain controller, and one Win 2012 R2 DS. E-mail, among other things, depends on a Microsoft AD backend.

A few months ago I was able to join a test server to the AD domain. Today I tried joining a 2nd one, but without success.

testmachine1# net ads join -U Administrator at mydomain.com
Enter Administrator at mydomain.com's password:
Failed to join domain: Failed to set machine spn: Time limit exceeded
Do you have sufficient permissions to create machine accounts?

I thought that I may have not properly replicated the configuration, so I tried it on the first test server, with the same error.

The event log on the AD DS shows

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 9/18/2017 10:01:27 PM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DS1.mydomain.com
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 2:1:27.0000 9/19/2017 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: MYDOMAIN.COM
Server Name: DS1.mydomain.com
Target Name: DS1.mydomain.com at MYDOMAIN.COM

I have applied patches over the last few months to the Windows servers. Can't think of any significant changes on the Windows side.

I have copied and pasted the partial output of testparm -v.

root at testmachine1:~# testparm -v
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

# Global parameters
[global]
	bind interfaces only = No
	config backend = file
	dos charset = CP850
	enable core files = Yes
	interfaces =
	multicast dns register = Yes
	netbios aliases =
	netbios name = ZION
	netbios scope =
	realm = SSCI.COM
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
	server string = Samba Server Version %v
	share backend = classic
	unix charset = UTF-8
	workgroup = SSCI
	browse list = Yes
	domain master = No
	enhanced browsing = Yes
	lm announce = Auto
	lm interval = 60
	local master = Yes
	os level = 20
	preferred master = Auto
	allow dns updates = secure only
	dns forwarder =
	dns update command = /usr/lib/samba/sbin/samba_dnsupdate
	machine password timeout = 604800
	nsupdate command = /usr/bin/nsupdate -g
	rndc command = /usr/sbin/rndc
	spn update command = /usr/lib/samba/sbin/samba_spnupdate
	mangle prefix = 1
	mangling method = hash2
	max stat cache size = 256
	stat cache = Yes
	client ldap sasl wrapping = plain
	.
	cldap port = 389
	client ipc max protocol = default
	client ipc min protocol = default
	client max protocol = default
	client min protocol = CORE
	client use spnego = Yes
	dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
	defer sharing violations = Yes
	dgram port = 138
	disable netbios = No
	enable asu support = No
	eventlog list =
	large readwrite = Yes
	max mux = 50
	max ttl = 259200
	max wins ttl = 518400
	max xmit = 16644
	min receivefile size = 0
	min wins ttl = 21600
	name resolve order = lmhosts wins host bcast
	nbt port = 137
	nt pipe support = Yes
	nt status support = Yes
	read raw = Yes
	rpc big endian = No
	server max protocol = SMB3
	server min protocol = LANMAN1
	server multi channel support = No
	.
	smb2 max credits = 8192
	smb2 max read = 8388608
	smb2 max trans = 8388608
	smb2 max write = 8388608
	smb ports = 445 139
	svcctl list =
	time server = No
	unicode = Yes
	unix extensions = Yes
	use spnego = Yes
	web port = 901
	write raw = Yes
	algorithmic rid base = 1000
	allow dcerpc auth level connect = No
	allow trusted domains = Yes
	auth methods =
	check password script =
	client ipc signing = default
	client lanman auth = No
	client NTLMv2 auth = Yes
	client plaintext auth = No
	client schannel = Auto
	client signing = default
	client use spnego principal = No
	dedicated keytab file =
	encrypt passwords = Yes
	guest account = nobody
	kerberos method = default
	kpasswd port = 464
	krb5 port = 88
	lanman auth = No
	log nt token command =
	map to guest = Never
	map untrusted to domain = No
	ntlm auth = Yes
	ntp signd socket directory = /var/samba/lib/ntp_signd
	null passwords = No
	obey pam restrictions = No
	old password allowed period = 60
	pam password change = No
	passdb backend = tdbsam
	passdb expand explicit = No
	passwd chat = *new*password* %n\n *new*password* %n\n *changed*
	passwd chat debug = No
	passwd chat timeout = 2
	passwd program =
	password server = *
	preload modules =
	private dir = /etc/samba/private
	raw NTLMv2 auth = No
	rename user script =
	restrict anonymous = 0
	root directory =
	samba kcc command = /usr/lib/samba/sbin/samba_kcc
	security = ADS
	server role = auto
	server schannel = Auto
	server signing = default
	smb passwd file = /etc/samba/private/smbpasswd
	tls cafile = tls/ca.pem
	tls certfile = tls/cert.pem
	tls crlfile =
	tls dh params file =
	tls enabled = Yes
	tls keyfile = tls/key.pem
	tls priority = NORMAL:-VERS-SSL3.0
	tls verify peer = as_strict_as_possible
	unix password sync = No
	username level = 0
	username map =
	username map cache time = 0
	username map script =
	aio max threads = 100
	deadtime = 0
	getwd cache = Yes
	hostname lookups = No
	keepalive = 300
	max disk size = 0
	max open files = 16384
	max smbd processes = 0
	name cache timeout = 660
	socket options = TCP_NODELAY
	use mmap = Yes
	get quota command =
	host msdfs = Yes
	set quota command =
	create krb5 conf = No
	idmap backend = tdb
	idmap cache time = 604800
	idmap gid =
	idmap negative cache time = 120
	idmap uid =
	include system krb5 conf = Yes
	neutralize nt4 emulation = No
	reject md5 servers = No
	require strong key = Yes
	template homedir = /home/%D/%U
	template shell = /bin/false
	winbind cache time = 300
	winbindd privileged socket directory = /var/samba/lib/winbindd_privileged
	winbindd socket directory = /var/samba/run/winbindd
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind expand groups = 0
	winbind max clients = 200
	winbind max domain connections = 1
	winbind nested groups = Yes
	winbind normalize names = No
	winbind nss info = rfc2307
	winbind offline logon = No
	winbind reconnect delay = 30
	winbind refresh tickets = No
	winbind request timeout = 60
	winbind rpc only = No
	winbind sealed pipes = Yes
	winbind separator = \
	winbind trusted domains only = No
	winbind use default domain = No
	dns proxy = Yes
	wins hook =
	wins proxy = No
	wins server = 192.x.x.x
	wins support = No
...

Appreciate any advice
Thanks
Rowland Penny
2017-Sep-19 09:30 UTC
[Samba] samba on solaris 11 can no longer join Windows AD domain
On Mon, 18 Sep 2017 22:45:04 -0400
Gaeseric Vandal via samba <samba at lists.samba.org> wrote:

> I would like to move my Samba file server (Samba 4.4.14 on Solaris
> 11) from a classic domain into an Active Directory domain. The
> active directory domain has one Win 2008 directory server / domain
> controller, and one Win 2012 R2 DS. E-mail, among other things,
> depends on a Microsoft AD backend.
>
> A few months ago I was able to join a test server to the AD
> domain. Today I tried joining a 2nd one, but without success.
>
> testmachine1# net ads join -U Administrator at mydomain.com
> Enter Administrator at mydomain.com's password:
> Failed to join domain: Failed to set machine spn: Time limit exceeded
> Do you have sufficient permissions to create machine accounts?
>
> I thought that I may have not properly replicated the configuration,
> so I tried it on the first test server, with the same error.
>
> The event log on the AD DS shows
>
> Log Name: System
> Source: Microsoft-Windows-Security-Kerberos
> Date: 9/18/2017 10:01:27 PM
> Event ID: 3
> Task Category: None
> Level: Error
> Keywords: Classic
> User: N/A
> Computer: DS1.mydomain.com
> Description:
> A Kerberos Error Message was received:
> on logon session
> Client Time:
> Server Time: 2:1:27.0000 9/19/2017 Z
> Error Code: 0xd KDC_ERR_BADOPTION
> Extended Error: 0xc00000bb KLIN(0)
> Client Realm:
> Client Name:
> Server Realm: MYDOMAIN.COM
> Server Name: DS1.mydomain.com
> Target Name: DS1.mydomain.com at MYDOMAIN.COM
>
> I have applied patches over the last few months to the Windows
> servers. Can't think of any significant changes on the windows side.
>
> I have copied and pasted the partial output of testparm -v.
>
> root at testmachine1:~# testparm -v
>

Please don't ever do that again, never send the verbose output from
testparm, just send the output of 'cat'

I believe your smb.conf on disk will look like this:

[global]
	netbios name = ZION
	realm = SSCI.COM
	server string = Samba Server Version %v
	workgroup = SSCI
	domain master = No
	client ldap sasl wrapping = plain
	ntlm auth = Yes
	private dir = /etc/samba/private
	security = ADS
	smb passwd file = /etc/samba/private/smbpasswd
	create krb5 conf = No
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind nss info = rfc2307
	wins server = 192.x.x.x

Before going any further, can I ask how (once you have joined the
domain) you propose to make your Windows users known to the Unix
system? There is a distinct lack of 'idmap config' lines.

Does the /etc/resolv.conf point to a DC as a nameserver?
Does the proposed Unix domain member get its IP via DHCP?
What is in /etc/hosts?
What is in /etc/krb5.conf?

Rowland
Gaiseric Vandal
2017-Sep-19 12:26 UTC
[Samba] samba on solaris 11 can no longer join Windows AD domain
On 09/19/17 05:30, Rowland Penny via samba wrote:
> On Mon, 18 Sep 2017 22:45:04 -0400
> Gaeseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> I would like to move my Samba file server (Samba 4.4.14 on Solaris
>> 11) from a classic domain into an Active Directory domain. The
>> active directory domain has one Win 2008 directory server / domain
>> controller, and one Win 2012 R2 DS. E-mail, among other things,
>> depends on a Microsoft AD backend.
>>
>> A few months ago I was able to join a test server to the AD
>> domain. Today I tried joining a 2nd one, but without success.
>>
>> testmachine1# net ads join -U Administrator at mydomain.com
>> Enter Administrator at mydomain.com's password:
>> Failed to join domain: Failed to set machine spn: Time limit exceeded
>> Do you have sufficient permissions to create machine accounts?
>>
>> I thought that I may have not properly replicated the configuration,
>> so I tried it on the first test server, with the same error.
>>
>> The event log on the AD DS shows
>>
>> Log Name: System
>> Source: Microsoft-Windows-Security-Kerberos
>> Date: 9/18/2017 10:01:27 PM
>> Event ID: 3
>> Task Category: None
>> Level: Error
>> Keywords: Classic
>> User: N/A
>> Computer: DS1.mydomain.com
>> Description:
>> A Kerberos Error Message was received:
>> on logon session
>> Client Time:
>> Server Time: 2:1:27.0000 9/19/2017 Z
>> Error Code: 0xd KDC_ERR_BADOPTION
>> Extended Error: 0xc00000bb KLIN(0)
>> Client Realm:
>> Client Name:
>> Server Realm: MYDOMAIN.COM
>> Server Name: DS1.mydomain.com
>> Target Name: DS1.mydomain.com at MYDOMAIN.COM
>>
>> I have applied patches over the last few months to the Windows
>> servers. Can't think of any significant changes on the windows side.
>>
>> I have copied and pasted the partial output of testparm -v.
>>
>> root at testmachine1:~# testparm -v
>>
> Please don't ever do that again, never send the verbose output from
> testparm, just send the output of 'cat'
>>
> Before going any further, can I ask how (once you have joined
> the domain) you propose to make your Windows users known to the Unix
> system? There is a distinct lack of 'idmap config' lines.
>
> Does the /etc/resolv.conf point to a DC as a nameserver?
> Does the proposed Unix domain member get its IP via DHCP?
> What is in /etc/hosts?
> What is in /etc/krb5.conf?
>
> Rowland
>

Sorry, meant to copy and paste only the relevant stuff. I think I hit paste twice. The problem with showing just the config file is that options not explicitly set may have different defaults depending on version. I have attached part of cat smb.conf below.

/etc/hosts does not include the AD domain controllers.

/etc/resolv.conf shows secondary DNS servers, which in turn sync data from the AD domain controllers. I don't think this is a DNS issue since "net join" and "net ads join" are locating the AD domain controllers.

/etc/krb5/krb5.conf is set up for the MYDOMAIN realm. I can use ldapclient and kinit to join the machine to the MYDOMAIN AD realm for "Unix" level user and group lookups (via ldap) and kerberos authentication. I did find that Solaris "native" kerberos and Samba expect krb5.keytab files in different locations, which I resolved with a symlink between /etc/krb5.keytab and /etc/krb5/krb5.keytab.

All member servers use static IP.

Thanks

________________________________________________________________________________________________________________
#cat /etc/samba/smb.conf
...
#======================= Global Settings ====================================
[global]
	private dir = /etc/samba/private
	smb passwd file = /etc/samba/private/smbpasswd
	syslog = 3
	log level = 10
	client ldap sasl wrapping = plain
	ldap server require strong auth = no
	create krb5 conf = no
...
# max protocol = used to define the supported protocol. The default is NT1. You
# can set it to SMB2 if you want experimental SMB2 support.
#
	workgroup = MYDOMAIN
	server string = Samba Server Version %v
	netbios name = MYSERVER
;	max protocol = SMB2
	passdb backend = tdbsam
	security = ads
	realm = MYDOMAIN.COM
	idmap config *:backend = tdb
	idmap config *:range = 2000-2999
	idmap config MYDOMAIN:backend = ad
	idmap config MYDOMAIN:schema_mode = rfc2307
	idmap config MYDOMAIN:range = 100-1999
# Use settings from AD for login shell and home directory
	winbind nss info = rfc2307
	winbind enum users = yes
	winbind enum groups = yes
	domain master = no
	domain logons = no
_______________________________________________________________________________________________________________
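The 'idmap config' lines Rowland asked about, and the ones the poster then showed (a '*' default on tdb plus an 'ad' backend for MYDOMAIN), are the piece of a member-server smb.conf that most often goes wrong silently. The following Python check is added here and is not code from the thread or from Samba: it parses the idmap lines from a constructed excerpt reproducing the posted values and reports missing backends, missing or malformed ranges, ranges that overlap each other, and ranges starting below a local-account ceiling (the 1000 threshold is an assumption).

```python
import re

# Constructed excerpt reproducing the idmap-related lines of the smb.conf
# posted in this thread (values as given there).
SMB_CONF = """[global]
   idmap config *:backend = tdb
   idmap config *:range = 2000-2999
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 100-1999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")
LOCAL_ID_CEILING = 1000  # assumption: local Unix accounts live below this UID/GID

def parse_idmap(conf):
    """Collect 'idmap config DOM:option = value' lines as {DOM: {option: value}}."""
    domains = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):  # skip smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains

def check_idmap(domains):
    """Return a list of problems; an empty list means the idmap layout is consistent."""
    problems, ranges = [], {}
    if "*" not in domains:  # winbind needs a default for BUILTIN and unknown domains
        problems.append("*: no default idmap config for BUILTIN/unknown domains")
    for dom, opts in sorted(domains.items()):
        if "backend" not in opts:
            problems.append(f"{dom}: no backend")
        m = RANGE_RE.match(opts.get("range", ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            problems.append(f"{dom}: missing or malformed range {opts.get('range')!r}")
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo < LOCAL_ID_CEILING:
            problems.append(f"{dom}: range {lo}-{hi} collides with local account IDs")
        for other, (olo, ohi) in ranges.items():  # compare with every range seen so far
            if lo <= ohi and olo <= hi:
                problems.append(f"{dom} and {other}: ranges overlap")
        ranges[dom] = (lo, hi)
    return problems
```

Run against the posted excerpt it reports only that the MYDOMAIN range 100-1999 reaches into the IDs normally held by local system accounts; the two ranges themselves do not overlap.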