Gaiseric Vandal
2017-Sep-19 12:26 UTC
[Samba] samba on solaris 11 can no longer join Windows AD domain
On 09/19/17 05:30, Rowland Penny via samba wrote:
> On Mon, 18 Sep 2017 22:45:04 -0400
> Gaeseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> I would like to move my Samba file server (Samba 4.4.14 on Solaris 11) from a classic domain into an Active Directory domain. The active directory domain has one Win 2008 directory server / domain controller, and one Win 2012 R2 DS. E-mail, among other things, depends on a Microsoft AD backend.
>>
>> A few months ago I was able to join a test server to the AD domain. Today I tried joining a 2nd one, but without success.
>>
>> testmachine1# net ads join -U Administrator at mydomain.com
>> Enter Administrator at mydomain.com's password:
>> Failed to join domain: Failed to set machine spn: Time limit exceeded
>> Do you have sufficient permissions to create machine accounts?
>>
>> I thought that I may have not properly replicated the configuration, so I tried it on the first test server, with the same error.
>>
>> The event log on the AD DS shows
>>
>> Log Name: System
>> Source: Microsoft-Windows-Security-Kerberos
>> Date: 9/18/2017 10:01:27 PM
>> Event ID: 3
>> Task Category: None
>> Level: Error
>> Keywords: Classic
>> User: N/A
>> Computer: DS1.mydomain.com
>> Description:
>> A Kerberos Error Message was received:
>> on logon session
>> Client Time:
>> Server Time: 2:1:27.0000 9/19/2017 Z
>> Error Code: 0xd KDC_ERR_BADOPTION
>> Extended Error: 0xc00000bb KLIN(0)
>> Client Realm:
>> Client Name:
>> Server Realm: MYDOMAIN.COM
>> Server Name: DS1.mydomain.com
>> Target Name: DS1.mydomain.com at MYDOMAIN.COM
>>
>> I have applied patches over the last few months to the Windows servers. Can't think of any significant changes on the windows side.
>>
>> I have copied and pasted the partial output of testparm -v.
>>
>> root at testmachine1:~# testparm -v
>>
> Please don't ever do that again, never send the verbose output from testparm, just send the output of 'cat'
>
> Before going any further, can I ask how (once you have joined the domain) you propose to make your Windows users known to the Unix system? There is a distinct lack of 'idmap config' lines.
>
> Does the /etc/resolv.conf point to a DC as a nameserver?
> Does the proposed Unix domain member get its IP via DHCP?
> What is in /etc/hosts?
> What is in /etc/krb5.conf?
>
> Rowland

Sorry, meant to copy and paste only the relevant stuff. I think I hit paste twice. The problem with showing just the config file is that options not explicitly set may have different defaults depending on version. I have attached part of cat smb.conf below.

/etc/hosts does not include the AD Domain controllers.

/etc/resolv.conf shows 2ndary DNS servers, which in turn sync data from the AD Domain controllers. I don't think this is a DNS issue since "net join" and "net ads join" are locating the AD domain controllers.

/etc/krb5/krb5.conf is set up for the MYDOMAIN realm. I can use the ldapclient and kinit to join the machine to the MYDOMAIN AD realm for "Unix" level user and group lookups (via ldap) and kerberos authentication. I did find that Solaris "native" kerberos and Samba expect krb5.keytab files in different locations, which I resolved with a sym link between /etc/krb5.keytab and /etc/krb5/krb5.keytab.

All member servers use static IP.

Thanks

________________________________________________________________________________________________________________

#cat /etc/samba/smb.conf
...
#======================= Global Settings ====================================
[global]

private dir = /etc/samba/private
smb passwd file = /etc/samba/private/smbpasswd

syslog = 3
log level = 10
client ldap sasl wrapping = plain
ldap server require strong auth = no
create krb5 conf = no
...
# max protocol = used to define the supported protocol. The default is NT1. You
# can set it to SMB2 if you want experimental SMB2 support.
#
workgroup = MYDOMAIN
server string = Samba Server Version %v

netbios name = MYSERVER
; max protocol = SMB2
passdb backend = tdbsam
security = ads
realm = MYDOMAIN.COM

idmap config *:backend = tdb
idmap config *:range = 2000-2999

idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 100-1999

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes

domain master = no
domain logons = no
_______________________________________________________________________________________________________________
Rowland Penny
2017-Sep-19 13:28 UTC
[Samba] samba on solaris 11 can no longer join Windows AD domain
On Tue, 19 Sep 2017 08:26:02 -0400
Gaiseric Vandal via samba <samba at lists.samba.org> wrote:

> On 09/19/17 05:30, Rowland Penny via samba wrote:
>
> Sorry, meant to copy and paste only the relevant stuff. I think I hit paste twice.

The problem is that 'testparm -v' prints everything, what is actually there plus ALL the default settings.

What you should have done is post the output of 'cat /etc/samba/smb.conf' and tell us what version of Samba you are using.

> /etc/hosts does not include the AD Domain controllers.

Good, it shouldn't, but it should have the computers info in it, if you are not using DHCP.

> /etc/resolv.conf shows 2ndary DNS servers, which in turn sync data from the AD Domain controllers. I don't think this is a DNS issue since "net join" and "net ads join" are locating the AD domain controllers.

Try pointing the nameservers directly at the DCs.

> /etc/krb5/krb5.conf is set up for the MYDOMAIN realm. I can use the ldapclient and kinit to join the machine to the MYDOMAIN AD realm for "Unix" level user and group lookups (via ldap) and kerberos authentication. I did find that Solaris "native" kerberos and Samba expect krb5.keytab files in different locations, which I resolved with a sym link between /etc/krb5.keytab and /etc/krb5/krb5.keytab.

Long time since I used Solaris, it is that long it was on an Ultra5, but now you remind me it was in a different location.

> #cat /etc/samba/smb.conf
>
> [global]
>
> private dir = /etc/samba/private
> smb passwd file = /etc/samba/private/smbpasswd
>
> syslog = 3
>
> log level = 10
> client ldap sasl wrapping = plain
> ldap server require strong auth = no
> create krb5 conf = no
>
> ...
> # max protocol = used to define the supported protocol. The default is NT1. You
> # can set it to SMB2 if you want experimental SMB2 support.
> #
>
> workgroup = MYDOMAIN
> server string = Samba Server Version %v
>
> netbios name = MYSERVER
> passdb backend = tdbsam
> security = ads
> realm = MYDOMAIN.COM
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-2999
>
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:range = 100-1999

What happens when/if you reach uidNumber 2000?

> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
>
> domain master = no
> domain logons = no

There doesn't seem to be anything really wrong, so you should be able to join AD, try turning up the debug level and see if anything pops out.

Rowland
Gaiseric Vandal
2017-Sep-19 14:31 UTC
[Samba] samba on solaris 11 can no longer join Windows AD domain
On 09/19/17 09:28, Rowland Penny via samba wrote:
> On Tue, 19 Sep 2017 08:26:02 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> On 09/19/17 05:30, Rowland Penny via samba wrote:
>>
>> Sorry, meant to copy and paste only the relevant stuff. I think I hit paste twice.
>
> The problem is that 'testparm -v' prints everything, what is actually there plus ALL the default settings.
>
> What you should have done is post the output of 'cat /etc/samba/smb.conf' and tell us what version of Samba you are using.
>
>> /etc/hosts does not include the AD Domain controllers.
>
> Good, it shouldn't, but it should have the computers info in it, if you are not using DHCP.
>
>> /etc/resolv.conf shows 2ndary DNS servers, which in turn sync data from the AD Domain controllers. I don't think this is a DNS issue since "net join" and "net ads join" are locating the AD domain controllers.
>
> Try pointing the nameservers directly at the DCs.
>
>> /etc/krb5/krb5.conf is set up for the MYDOMAIN realm. I can use the ldapclient and kinit to join the machine to the MYDOMAIN AD realm for "Unix" level user and group lookups (via ldap) and kerberos authentication. I did find that Solaris "native" kerberos and Samba expect krb5.keytab files in different locations, which I resolved with a sym link between /etc/krb5.keytab and /etc/krb5/krb5.keytab.
>
> Long time since I used Solaris, it is that long it was on an Ultra5, but now you remind me it was in a different location.
>
>> #cat /etc/samba/smb.conf
>>
>> [global]
>>
>> private dir = /etc/samba/private
>> smb passwd file = /etc/samba/private/smbpasswd
>>
>> syslog = 3
>>
>> log level = 10
>> client ldap sasl wrapping = plain
>> ldap server require strong auth = no
>> create krb5 conf = no
>>
>> ...
>> # max protocol = used to define the supported protocol. The default is NT1. You
>> # can set it to SMB2 if you want experimental SMB2 support.
>> #
>>
>> workgroup = MYDOMAIN
>> server string = Samba Server Version %v
>>
>> netbios name = MYSERVER
>> passdb backend = tdbsam
>> security = ads
>> realm = MYDOMAIN.COM
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-2999
>>
>> idmap config MYDOMAIN:backend = ad
>> idmap config MYDOMAIN:schema_mode = rfc2307
>> idmap config MYDOMAIN:range = 100-1999
>
> What happens when/if you reach uidNumber 2000?
>
>> # Use settings from AD for login shell and home directory
>> winbind nss info = rfc2307
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>> domain master = no
>> domain logons = no
>
> There doesn't seem to be anything really wrong, so you should be able to join AD, try turning up the debug level and see if anything pops out.
>
> Rowland

One of the "fun" things with Solaris is that they would be very slow about releasing Samba updates. It took a long time until they moved from Samba 3.0.x to 3.6.x and then onto Samba 4.4.x. And unless you have updates configured correctly, it would not automatically update from 3.x to 4.x. This also means that if Microsoft pushed out a significant security patch, it may be a while until Oracle updates its packages in its repository. Although they have got better in recent years. This means that sometimes the smb.conf file has to be tweaked to handle (or bypass) the changes on the MS side.

I found that SMB3 does not work in the classic domain, and sometimes SMB2 can be an issue. I went through the smb.conf and added the following lines:

max protocol = SMB2
server min protocol = SMB2
server max protocol = SMB2

I don't know if the server protocol settings really matter when joining a member server, since I figure it would be a "client" of the domain controller. I think setting "client min protocol = smb2" would break joining machines to the classic domain.

I also removed the following entries from smb.conf

client ldap sasl wrapping = plain
ldap server require strong auth = no
dedicated keytab file = /etc/krb5/krb5.keytab
kerberos method = secrets and keytab

The ldap ones were past compatibility fixes with the classic domain. The keytab ones were to try to force samba to use the default solaris keytab file, but that parameter seemed to be ignored.

One of these changes seems to have fixed the join issue

# net ads join -S DC1 -U Administrator
Enter Administrator's password:
Using short domain name -- MYDOMAIN
Joined 'testmachine1' to dns domain 'mydomain.com'
#

I don't think I have disabled SMB1 on the domain controllers.

I think setting the UID range of 100-1999 should be large enough for years. In Active Directory Users and Computers MMC, I explicitly set the uid and gid numbers within that range for users and groups that need to show up in Samba.

This is samba 4.4.14.

Thanks for your help.
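As an added example that is not part of the thread and not code from the Samba project or either poster, the Python linter below parses the [global] section of a domain-member smb.conf and flags the points raised above: Rowland's idmap question (ranges must be disjoint, and an 'ad' backend range has to leave room for uidNumber values past its upper bound, which winbind otherwise does not map at all), and the two LDAP lines that were removed in the last reply ('client ldap sasl wrapping = plain' turns off LDAP signing and sealing towards the DC, where Samba's default is 'sign'; 'ldap server require strong auth' configures Samba's own AD DC LDAP server and does nothing on a member). The two sample configs are constructed from the posted smb.conf with the thread's MYDOMAIN placeholders; the 10000-ID headroom threshold and the finding texts are this example's own choices.

```python
"""Lint a Samba domain-member smb.conf [global] section for the idmap range
and LDAP-wrapping issues discussed in the thread.

Added example, not Samba project code. Sample configs are constructed from
the posted smb.conf; MIN_AD_RANGE_WIDTH is an arbitrary choice of this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the [global] section as first posted (trimmed).
POSTED_SMB_CONF = """
[global]
    security = ads
    realm = MYDOMAIN.COM
    workgroup = MYDOMAIN
    client ldap sasl wrapping = plain
    ldap server require strong auth = no
    idmap config *:backend = tdb
    idmap config *:range = 2000-2999
    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:range = 100-1999
    winbind nss info = rfc2307
"""

# Constructed sample: the same config with the two ldap lines removed, as in
# the final reply of the thread.
CLEANED_SMB_CONF = "\n".join(
    line for line in POSTED_SMB_CONF.splitlines()
    if not line.strip().startswith(
        ("client ldap sasl wrapping", "ldap server require strong auth"))
)

MIN_AD_RANGE_WIDTH = 10000  # headroom threshold chosen for this example


def parse_global(text: str) -> Dict[str, str]:
    """Return [global] parameters keyed by normalised name.

    smb.conf keys are case-insensitive and ignore internal whitespace, so
    keys are lower-cased and whitespace-collapsed; '#' and ';' start comments.
    """
    params: Dict[str, str] = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def idmap_ranges(params: Dict[str, str]) -> Dict[str, Tuple[int, int]]:
    """Map each idmap domain ('*' or a lower-cased workgroup) to (low, high)."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            low, high = (int(x) for x in value.split("-", 1))
            ranges[m.group(1)] = (low, high)
    return ranges


def lint(params: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    ranges = idmap_ranges(params)

    if params.get("security", "").lower() == "ads" and "realm" not in params:
        findings.append("security = ads but no realm is set")

    # winbind needs the '*' default range for BUILTIN and unknown SIDs.
    if "*" not in ranges:
        findings.append("no 'idmap config *:range' default range")

    # Ranges must be disjoint or winbind can hand out colliding IDs.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(
                    f"idmap ranges for '{a}' ({alo}-{ahi}) and '{b}' ({blo}-{bhi}) overlap")

    # With backend = ad the IDs are the uidNumber/gidNumber attributes from AD;
    # a value outside the range is simply not mapped, so leave room to grow.
    for dom, (lo, hi) in ranges.items():
        width = hi - lo + 1
        if (params.get(f"idmap config {dom}:backend", "").lower() == "ad"
                and width < MIN_AD_RANGE_WIDTH):
            findings.append(f"ad backend range for '{dom}' ({lo}-{hi}) holds only {width} IDs")

    # 'plain' turns off LDAP signing and sealing to the DC; the default is 'sign'.
    if params.get("client ldap sasl wrapping", "sign").lower() == "plain":
        findings.append("client ldap sasl wrapping = plain disables LDAP signing/sealing")

    # DC-side parameter for Samba's own LDAP server; no effect on a member.
    if "ldap server require strong auth" in params:
        findings.append("ldap server require strong auth is a DC-side parameter; remove it on a member")

    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_SMB_CONF), ("cleaned", CLEANED_SMB_CONF)):
        print(f"{label}:")
        for finding in lint(parse_global(conf)) or ["no findings"]:
            print("  -", finding)
```

Run against the posted config it reports the two LDAP lines and the 1900-ID 'ad' range; against the cleaned config only the range width remains, which is exactly the question left open in the thread. To lint a real file, replace the constructed string with `open("/etc/samba/smb.conf").read()`.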