Hi Rowland,

Thank you for your reply. I'll provide this information, but for now I'm suspecting Samba and other things could be installed in a strange manner. I have to check that first...

Best regards,

mathias

On Tue, 6 Nov 2018 at 10:36, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 6 Nov 2018 10:16:26 +0100
> mathias dufresne via samba <samba at lists.samba.org> wrote:
>
> > Hi all,
> >
> > I'm facing an issue I can't understand, so here I am...
> >
> > I'm trying to join a CentOS 7 to MS AD and it fails
>
> What is in smb.conf?
> How are you trying to join?
> What is the DC you are trying to join?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Hi all,

AD version is MS 2008R2.

smb.conf is:

[global]
workgroup = AD
security = ADS
realm = AD.DOMAIN.TLD

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h

winbind use default domain = yes
winbind expand groups = 40
winbind refresh tickets = Yes
winbind normalize names = Yes

## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config AD : backend = rid
idmap config AD : unix_nss_info = no
idmap config AD : range = 1000000-1999999
template shell = /bin/bash
template homedir = /home/%U

# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map

# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

This very same smb.conf is working on other servers.

Joining command is:
net ads join -k

with a valid Domain Admins account in that Kerberos ticket.

Using -d 9 with that join command I get:

Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'AD.DOMAIN.TLD'
ads_dns_lookup_srv: 4 records returned in the answer section.
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply

The "Default-First-Site-Name" was renamed and is now equal to the domain short name.

As said, other servers are able to join that domain, but they are on other networks.

I've tested ports using nmap -p88,135,445,88,389,636,3268 IP and they were open from the buggy server. Note that by buggy I don't mean that it is Samba which is buggy ;)

Cheers,

mathias
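As an added diagnostic example (not code from this thread or from Samba), the script below checks two things a reader of the message above would want to verify: that the idmap ranges in the posted smb.conf are disjoint, as the config comment demands, and how to read the "-d 9" output, where "ads_cldap_netlogon: did not get a reply" means the CLDAP ping to the DC went unanswered; CLDAP is UDP/389, which a TCP port test with nmap does not exercise. The smb.conf and log excerpt embedded below are constructed samples modelled on the thread.

```python
import configparser
import re

# Constructed sample modelled on the smb.conf posted in the thread (not the poster's file).
SMB_CONF = """\
[global]
workgroup = AD
security = ADS
realm = AD.DOMAIN.TLD
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config AD : backend = rid
idmap config AD : range = 1000000-1999999
"""

# Constructed excerpt mirroring the 'net ads join -k -d 9' lines quoted in the thread.
JOIN_LOG = """\
sitename_fetch: No stored sitename for realm 'AD.DOMAIN.TLD'
ads_cldap_netlogon: did not get a reply
ads_cldap_netlogon: did not get a reply
"""

def parse_idmap_ranges(conf_text):
    """Return {domain: (lo, hi)} for every 'idmap config <dom> : range' in [global]."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep 'AD' and '*' exactly as written in smb.conf
    cp.read_string(conf_text)
    ranges = {}
    for key, value in cp["global"].items():
        m = re.fullmatch(r"idmap config\s*(\S+)\s*:\s*range", key)
        if m:
            ranges[m.group(1)] = tuple(int(x) for x in value.split("-"))
    return ranges

def find_overlaps(ranges):
    """Return domain pairs whose idmap ranges overlap; winbind needs them disjoint."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def diagnose_join_log(log_text):
    """Map the two symptoms seen in the thread to the next thing to verify."""
    findings = []
    if "No stored sitename" in log_text:
        findings.append("no cached site name: DC located via DNS SRV records, then CLDAP ping")
    n = log_text.count("ads_cldap_netlogon: did not get a reply")
    if n:
        findings.append(f"{n} CLDAP pings unanswered: CLDAP is UDP/389, which a "
                        "TCP-only port scan (nmap without -sU) never exercises")
    return findings
```

Run it against the real /etc/samba/smb.conf and the saved join output to get the same two checks on a live host.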
Hi,

After more investigation I'm now believing that we have some issue with our AD site declaration. I'll be back once I have more information.

Best regards,

M.