Gaiseric Vandal
2017-Sep-19 12:26 UTC
[Samba] samba on solaris 11 can not longer join Windows AD domain
On 09/19/17 05:30, Rowland Penny via samba wrote:> On Mon, 18 Sep 2017 22:45:04 -0400 > Gaeseric Vandal via samba <samba at lists.samba.org> wrote: > >> I would like to move my Samba file server (Samba 4.4.14 on Solaris >> 11) from a classic domain into an Active Directory domain. The >> active directory domain has one Win 2008 directory server / domain >> controller, and one Win 2012 R2 DS. E-mail, among other things, >> depends on a Microsoft AD backend. >> >> >> A few months ago I was able to join a test server to the AD >> domain. Today I tried joining a 2nd one, but without success. >> >> >> >> testmachine1# net ads join -U Administrator at mydomain.com >> >> Enter Administrator at mydomain.com's password: >> >> Failed to join domain: Failed to set machine spn: Time limit exceeded >> >> Do you have sufficient permissions to create machine accounts? >> >> >> >> >> >> I thought that I may have not properly replicated the configuration, >> so I tried it on the first test server, with the same error. >> >> >> >> The event log on the AD DS shows >> >> >> >> >> >> >> >> Log Name: System >> >> Source: Microsoft-Windows-Security-Kerberos >> >> Date: 9/18/2017 10:01:27 PM >> >> Event ID: 3 >> >> Task Category: None >> >> Level: Error >> >> Keywords: Classic >> >> User: N/A >> >> Computer: DS1.mydomain.com >> >> Description: >> >> A Kerberos Error Message was received: >> >> on logon session >> >> Client Time: >> >> Server Time: 2:1:27.0000 9/19/2017 Z >> >> Error Code: 0xd KDC_ERR_BADOPTION >> >> Extended Error: 0xc00000bb KLIN(0) >> >> Client Realm: >> >> Client Name: >> >> Server Realm: MYDOMAIN.COM >> >> Server Name: DS1.mydomain.com >> >> Target Name: DS1.mydomain.com at MYDOMAIN.COM >> <mailto:DS1.mydomain.com at MYDOMAIN.COM> >> >> >> >> >> >> >> >> I have applied patches over the last few months to the Windows >> servers. Can't think of any significant changes on the windows side. >> >> >> >> I have copied and pasted the partial output of testparm -v. >> >> >> >> root at testmachine1:~# testparm -v >> > Please don't ever do that again, never send the verbose output from > testparm, just send the output of 'cat' >> > Before going any further, can I ask how you how (once you have joined > the domain) you propose to make your Windows users known to the Unix > system ? There is a distinct lack of 'idmap config' lines. > > Does the /etc/resolv.conf point to a DC as a nameserver ? > Does the proposed Unix domain member get its IP via DHCP ? > What is in /etc/hosts ? > What is in /etc/krb5.conf ? > > Rowland >Sorry, meant to copy and paste only the relevant stuff. I think I hit paste twice. The problem with showing just the config file is that options not explicitly set may have different defaults depending on version. I have attached part of cat smb.conf below. /etc/hosts does not include the AD Domain controllers. /etc/resolv.conf shows 2ndary DNS servers, which in turn sync data from the AD Domain controllers. I don't think this is a DNS issue since "net join" and "net ads join" are locating the AD domain controllers. /etc/krb5/krb5.conf is set up for the MYDOMAIN realm. I can use the ldapclient and kinit to join the machine to the MYDOMAIN AD realm for "Unix" level user and group lookups (via ldap) and kerberos authentication. I did find that Solaris "native" kerberos and Samba expect krb5.keytab files in different locations , which I resolved with a sym link between /etc/krb5.keytab and /etc/krb5/krb5.keytab. All member servers use static IP. Thanks ________________________________________________________________________________________________________________ #cat /etc/samba/smb.conf ... #======================= Global Settings ==================================== [global] private dir = /etc/samba/private smb passwd file = /etc/samba/private/smbpasswd syslog = 3 log level = 10 client ldap sasl wrapping = plain ldap server require strong auth = no create krb5 conf = no ... # max protocol = used to define the supported protocol. The default is NT1. You # can set it to SMB2 if you want experimental SMB2 support. # workgroup = MYDOMAIN server string = Samba Server Version %v netbios name = MYSERVER ; max protocol = SMB2 passdb backend = tdbsam security = ads realm = MYDOMAIN.COM idmap config *:backend = tdb idmap config *:range = 2000-2999 idmap config MYDOMAIN:backend = ad idmap config MYDOMAIN:schema_mode = rfc2307 idmap config MYDOMAIN:range = 100-1999 # Use settings from AD for login shell and home directory winbind nss info = rfc2307 winbind enum users = yes winbind enum groups = yes domain master = no domain logons = no _______________________________________________________________________________________________________________
Rowland Penny
2017-Sep-19 13:28 UTC
[Samba] samba on solaris 11 can not longer join Windows AD domain
On Tue, 19 Sep 2017 08:26:02 -0400 Gaiseric Vandal via samba <samba at lists.samba.org> wrote:> On 09/19/17 05:30, Rowland Penny via samba wrote: > > > Sorry, meant to copy and paste only the relevant stuff. I think I > hit paste twice.The problem is that 'testparm -v' prints everything, what is actually there plus ALL the default settings. What you should have done is post the output of 'cat /etc/samba/smb.conf' and tell us what version of Samba you are using.> /etc/hosts does not include the AD Domain controllers.Good, it shouldn't, but it should have the computers info in it, if you are not using DHCP.> /etc/resolv.conf shows 2ndary DNS servers, which in turn sync data > from the AD Domain controllers. I don't think this is a DNS issue > since "net join" and "net ads join" are locating the AD domain > controllers.Try pointing the nameservers directly at the DCs.> > /etc/krb5/krb5.conf is set up for the MYDOMAIN realm. I can use the > ldapclient and kinit to join the machine to the MYDOMAIN AD realm for > "Unix" level user and group lookups (via ldap) and kerberos > authentication. I did find that Solaris "native" kerberos and > Samba expect krb5.keytab files in different locations , which I > resolved with a sym link between /etc/krb5.keytab > and /etc/krb5/krb5.keytab.Long time since I used Solaris, it is that long it was on an Ultra5, but now you remind me it was in a different location.> > #cat /etc/samba/smb.conf > > [global] > > private dir = /etc/samba/private > smb passwd file = /etc/samba/private/smbpasswd > > > syslog = 3 > > log level = 10 > client ldap sasl wrapping = plain > ldap server require strong auth = no > create krb5 conf = no > > ... > # max protocol = used to define the supported protocol. The default > is NT1. You # can set it to SMB2 if you want experimental SMB2 > support. # > > workgroup = MYDOMAIN > server string = Samba Server Version %v > > > netbios name = MYSERVER > passdb backend = tdbsam > security = ads > realm = MYDOMAIN.COM > > > idmap config *:backend = tdb > idmap config *:range = 2000-2999 > > idmap config MYDOMAIN:backend = ad > idmap config MYDOMAIN:schema_mode = rfc2307 > idmap config MYDOMAIN:range = 100-1999What happens when/if you reach uidNumber 2000 ?> > > > > # Use settings from AD for login shell and home directory > winbind nss info = rfc2307 > winbind enum users = yes > winbind enum groups = yes > > > > domain master = no > domain logons = no >There doesn't seem to be anything really wrong, so you should be able to join AD, try turning up the debug level and see if anything pops out. Rowland
Gaiseric Vandal
2017-Sep-19 14:31 UTC
[Samba] samba on solaris 11 can not longer join Windows AD domain
On 09/19/17 09:28, Rowland Penny via samba wrote:> On Tue, 19 Sep 2017 08:26:02 -0400 > Gaiseric Vandal via samba <samba at lists.samba.org> wrote: > >> On 09/19/17 05:30, Rowland Penny via samba wrote: >> >> >> Sorry, meant to copy and paste only the relevant stuff. I think I >> hit paste twice. > The problem is that 'testparm -v' prints everything, what is actually > there plus ALL the default settings. > > What you should have done is post the output of > 'cat /etc/samba/smb.conf' and tell us what version of Samba you are > using. > > >> /etc/hosts does not include the AD Domain controllers. > Good, it shouldn't, but it should have the computers info in it, if you > are not using DHCP. > >> /etc/resolv.conf shows 2ndary DNS servers, which in turn sync data >> from the AD Domain controllers. I don't think this is a DNS issue >> since "net join" and "net ads join" are locating the AD domain >> controllers. > Try pointing the nameservers directly at the DCs. > >> /etc/krb5/krb5.conf is set up for the MYDOMAIN realm. I can use the >> ldapclient and kinit to join the machine to the MYDOMAIN AD realm for >> "Unix" level user and group lookups (via ldap) and kerberos >> authentication. I did find that Solaris "native" kerberos and >> Samba expect krb5.keytab files in different locations , which I >> resolved with a sym link between /etc/krb5.keytab >> and /etc/krb5/krb5.keytab. > Long time since I used Solaris, it is that long it was on an Ultra5, > but now you remind me it was in a different location. > >> #cat /etc/samba/smb.conf >> >> [global] >> >> private dir = /etc/samba/private >> smb passwd file = /etc/samba/private/smbpasswd >> >> >> syslog = 3 >> >> log level = 10 >> client ldap sasl wrapping = plain >> ldap server require strong auth = no >> create krb5 conf = no >> >> ... >> # max protocol = used to define the supported protocol. The default >> is NT1. You # can set it to SMB2 if you want experimental SMB2 >> support. # >> >> workgroup = MYDOMAIN >> server string = Samba Server Version %v >> >> >> netbios name = MYSERVER >> passdb backend = tdbsam >> security = ads >> realm = MYDOMAIN.COM >> >> >> idmap config *:backend = tdb >> idmap config *:range = 2000-2999 >> >> idmap config MYDOMAIN:backend = ad >> idmap config MYDOMAIN:schema_mode = rfc2307 >> idmap config MYDOMAIN:range = 100-1999 > What happens when/if you reach uidNumber 2000 ? > >> >> >> >> # Use settings from AD for login shell and home directory >> winbind nss info = rfc2307 >> winbind enum users = yes >> winbind enum groups = yes >> >> >> >> domain master = no >> domain logons = no >> > There doesn't seem to be anything really wrong, so you should be able > to join AD, try turning up the debug level and see if anything pops out. > > Rowland > > >One of the "fun" things with Solaris is that they would be very slow about releasing Samba updates. It took a long time until they moved from Samba 3.0.x to 3.6.x and then onto Samba 4.4.x. And unless you have updates configured correctly, it would not automatically update from 3.x to 4.x. This also means that if Microsoft pushed out a significant security patch , it may be a while until Oracle updates its packages in its repository. Although they have got better in recent years. This means that sometimes the smb.conf file has to be tweeked to handle (or bypass) the changes on the MS side. I found that SMB3 does not work in the classic domain, and sometimes SMB2 can be an issue. I went through the smb.conf and added the following lines: max protocol = SMB2 server min protocol = SMB2 server max protocol = SMB2 I don't know if the server protocol settings really matter when joining a member server, since I figure it would be a "client" of the domain controller. I think setting "client min protocol = smb2" would break joining machines to the classic domain. I also removed the following entries from smb.conf client ldap sasl wrapping = plain ldap server require strong auth = no dedicated keytab file = /etc/krb5/krb5.keytab kerberos method = secrets and keytab The ldap ones were past compatibility fixes with the classic domain. The keytab ones were to try to force samba to use the default solaris keytab file, but that parameter seemed to be ignored. One of these changes seems to have fixed the join issue # net ads join -S DC1 -U Administrator Enter Administrator's password: Using short domain name -- MYDOMAIN Joined 'testmachine1' to dns domain 'mydomain.com' # I don't think I have disabled SMB1 on the domain controllers. I think setting the UID range of 100-1999 should be large enough for years. In Active Directory Users and Computers MMC, I explicitly set the uid and gid numbers with in that range for users and groups that need to show up in Samba. This is samba 4.4.14. Thanks for your help.
Seemingly Similar Threads
- samba on solaris 11 can not longer join Windows AD domain
- Unable to contact active directory or verify claim types
- samba on solaris 11 can not longer join Windows AD domain
- Fwd: Not able to join windows 10 clients to samba 3.6.23 NT4 Style PDC
- ??????: Is the "\\x.x.x.x" type tree connect request a client related feature?