samba - Nov 2017 - Winbind error "Could not fetch our SID - did we join?"

On Mon, 13 Nov 2017 14:32:11 +0100
Sven Schwedas via samba <samba at lists.samba.org> wrote:
> Making no additional changes to the configuration, using "net ads
> join" instead of "samba-tool domain join" immediately
worked. I'd be
> really curious where's the difference between the two and why
> samba-tool pretends to not have run into any errors…
> 
This is the first time you mentioned that you used samba-tool to join
the Unix domain member to the domain.

Did you read this Samba wikipage:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Joining_the_Domain

If you did, did you entirely miss the big fat warning in the middle of
the page ???

The one that says:

Do not provision or join a domain member using the samba-tool utility.
These options are unsupported and can cause problems with your AD
replication.

Rowland

PS, your configs are still wrong.

On 2017-11-13 14:55, Rowland Penny wrote:
> On Mon, 13 Nov 2017 14:32:11 +0100
> Sven Schwedas via samba <samba at lists.samba.org> wrote:
> 
>> Making no additional changes to the configuration, using "net ads
>> join" instead of "samba-tool domain join" immediately
worked. I'd be
>> really curious where's the difference between the two and why
>> samba-tool pretends to not have run into any errors…
>>
> 
> This is the first time you mentioned that you used samba-tool to join
> the Unix domain member to the domain.
Yeah, brain fart on my part, I figured I had it in the attachment file
name in my first email, but I just realized I named it too ambiguously.
> Did you read this Samba wikipage:
No, I foolishly assumed that manpages would suffice.
>
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Joining_the_Domain
> 
> If you did, did you entirely miss the big fat warning in the middle of
> the page ???
> 
> The one that says:
> 
> Do not provision or join a domain member using the samba-tool utility.
> These options are unsupported and can cause problems with your AD
> replication.
Sounds like something that should be added to the samba-tool manpage /
--help output. I'll try to make a pull request later this week…
> PS, your configs are still wrong.
It would be *really* helpful if you explained *why*. Sprinkling magic
pixie dust over random config files isn't exactly purposeful debugging.

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20171113/eda56e10/signature.sig>

On Mon, 13 Nov 2017 15:20:05 +0100
Sven Schwedas <sven.schwedas at tao.at> wrote:
> 
> > PS, your configs are still wrong.
> 
> It would be *really* helpful if you explained *why*. Sprinkling magic
> pixie dust over random config files isn't exactly purposeful
> debugging.
> 
Lets start with /etc/krb5.conf

Samba doesn't need most of what you will find in it, this is mostly
because most of what you will find there, is a default setting.
Believe it, or believe it not, you only really need:

[libdefaults]
    default_realm = AD.TAO.AT

using 'search' in /etc/resolv.conf means you use host-name lookups

/etc/hosts should contain information in the following format:

ipaddress 'canonical-name' 'alias' 

'canonical-name' is anotherway of saying FQDN
'alias' is another way of saying short hostname

When trying to identify a problem, you start with the obvious from the
info supplied and fix anything that might be causing the problem.
If this doesn't work, then look further, ask other questions etc

Rowland