On Sat, Jul 28, 2018 at 11:40:26AM +1200, Andrew Bartlett wrote:
> On Sat, 2018-07-28 at 00:10 +0100, Phillip Potter via samba wrote:
> > Dear All,
> >
> > I have recently setup a completely new AD domain on my Linux server, running Samba 4.8.3. From the server, I can authenticate via kerberos and get users and groups through winbind etc. When I try to join a freshly installed Mac running macOS 10.13.6, I receive the error:
> > "Unable to add server. Authentication server failed to completed the requested operation. (5103)"
> >
> > The Mac has a local IP address of 192.168.0.107, and its hostname is set to potterbook.
> >
> > On the Mac, no log entries at all occur to indicate what this might be.
> >
> > On the Linux machine, the only logs that seem to get written are in /var/log/samba/mit_kdc.log:
>
> Did you build Samba with MIT Kerberos support or use package so built?
> If not, then perhaps you have the wrong KDC started, just start Samba
> and it will handle the rest.
>
> If that isn't it, try re-building the AD DC without MIT Kerberos, we
> have some reports of issues in this area, and it would provide a point
> of comparison we can investigate.
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>

Dear Andrew,

I built Samba 4.8.3 from scratch on a fresh Fedora 28 VM, without MIT kerberos but keeping all other dependencies at the same version as with the packaged version, and I can confirm the Mac joins to a newly provisioned AD on it with no issues. Would you like me to provide logs for future reference?

Regards,
Phil Potter

On Sun, 2018-07-29 at 22:14 +0100, Phillip Potter wrote:
> On Sat, Jul 28, 2018 at 11:40:26AM +1200, Andrew Bartlett wrote:
> > On Sat, 2018-07-28 at 00:10 +0100, Phillip Potter via samba wrote:
> > > Dear All,
> > >
> > > I have recently setup a completely new AD domain on my Linux server, running Samba 4.8.3. From the server, I can authenticate via kerberos and get users and groups through winbind etc. When I try to join a freshly installed Mac running macOS 10.13.6, I receive the error:
> > > "Unable to add server. Authentication server failed to completed the requested operation. (5103)"
> > >
> > > The Mac has a local IP address of 192.168.0.107, and its hostname is set to potterbook.
> > >
> > > On the Mac, no log entries at all occur to indicate what this might be.
> > >
> > > On the Linux machine, the only logs that seem to get written are in /var/log/samba/mit_kdc.log:
> >
> > Did you build Samba with MIT Kerberos support or use package so built?
> > If not, then perhaps you have the wrong KDC started, just start Samba
> > and it will handle the rest.
> >
> > If that isn't it, try re-building the AD DC without MIT Kerberos, we
> > have some reports of issues in this area, and it would provide a point
> > of comparison we can investigate.
> >
> > Thanks,
> >
> > Andrew Bartlett
> > --
> > Andrew Bartlett http://samba.org/~abartlet/
> > Authentication Developer, Samba Team http://samba.org
> > Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
> >
>
> Dear Andrew,
>
> I built Samba 4.8.3 from scratch on a fresh Fedora 28 VM, without MIT kerberos but keeping all other dependencies at the same version as with the packaged version, and I can confirm the Mac joins to a newly provisioned AD on it with no issues. Would you like me to provide logs for future reference?

Thanks. Please file a bug and attach any logs you can.

I've also CC'ed Andreas, who is a leading developer on the MIT KDC effort.

Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba

On Mon, Jul 30, 2018 at 09:24:46AM +1200, Andrew Bartlett wrote:
> On Sun, 2018-07-29 at 22:14 +0100, Phillip Potter wrote:
> > On Sat, Jul 28, 2018 at 11:40:26AM +1200, Andrew Bartlett wrote:
> > > On Sat, 2018-07-28 at 00:10 +0100, Phillip Potter via samba wrote:
> > > > Dear All,
> > > >
> > > > I have recently setup a completely new AD domain on my Linux server, running Samba 4.8.3. From the server, I can authenticate via kerberos and get users and groups through winbind etc. When I try to join a freshly installed Mac running macOS 10.13.6, I receive the error:
> > > > "Unable to add server. Authentication server failed to completed the requested operation. (5103)"
> > > >
> > > > The Mac has a local IP address of 192.168.0.107, and its hostname is set to potterbook.
> > > >
> > > > On the Mac, no log entries at all occur to indicate what this might be.
> > > >
> > > > On the Linux machine, the only logs that seem to get written are in /var/log/samba/mit_kdc.log:
> > >
> > > Did you build Samba with MIT Kerberos support or use package so built?
> > > If not, then perhaps you have the wrong KDC started, just start Samba
> > > and it will handle the rest.
> > >
> > > If that isn't it, try re-building the AD DC without MIT Kerberos, we
> > > have some reports of issues in this area, and it would provide a point
> > > of comparison we can investigate.
> > >
> > > Thanks,
> > >
> > > Andrew Bartlett
> > > --
> > > Andrew Bartlett http://samba.org/~abartlet/
> > > Authentication Developer, Samba Team http://samba.org
> > > Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
> > >
> >
> > Dear Andrew,
> >
> > I built Samba 4.8.3 from scratch on a fresh Fedora 28 VM, without MIT kerberos but keeping all other dependencies at the same version as with the packaged version, and I can confirm the Mac joins to a newly provisioned AD on it with no issues. Would you like me to provide logs for future reference?
>
> Thanks. Please file a bug and attach any logs you can.
>
> I've also CC'ed Andreas, who is a leading developer on the MIT KDC
> effort.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>

Sorry to be a pain, but I'm unable to report the bug as I've yet to receive a reply from the bugzilla-maintenance at samba.org address containing account details to allow me to file it. I e-mailed using the address I am using now, which I currently host with gmail, but I figured the warning about disposable mail providers would not apply as I am using my own domain? Anyhow, still happy to report this if someone can act on this. Many thanks.

Regards,
Phil Potter