samba - Feb 2019 - Unable to join to a SAMBA4 domain

Hi folks

I'm using samba 4.8.3 in CentOS client and samba 4.9.3 from Van Belle repos
on server

I cannot join to the domain as

net ads join -k -d 1

libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'TINY-FISHWIFE'
            domain_name              : *
                domain_name              : 'EXAMPLE.COM'
            domain_name_type         : JoinDomNameTypeDNS (1)
            account_ou               : NULL
            admin_account            : 'root'
            admin_domain             : NULL
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            os_servicepack           : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x01 (1)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype
in NEG_TOKEN_INIT
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : 'TINY-FISHWIFE$'
            netbios_domain_name      : NULL
            dns_domain_name          : NULL
            forest_name              : NULL
            dn                       : NULL
            domain_guid              : 00000000-0000-0000-0000-000000000000
            domain_sid               : NULL
                domain_sid               : (NULL SID)
            modified_config          : 0x00 (0)
            error_string             : 'failed to lookup DC info for domain
'EXAMPLE.COM' over rpc: An invalid parameter was passed to a service or
function.'
            domain_is_ad             : 0x00 (0)
            set_encryption_types     : 0x00000000 (0)
            krb5_salt                : NULL
            result                   : WERR_INVALID_PARAMETER
Failed to join domain: failed to lookup DC info for domain 'EXAMPLE.COM'
over rpc: An invalid parameter was passed to a service or function.

# End of outpout

Please could you help me to fix it?  I can provide more configs and outputs
if needed.

Thanks in advance

-- 
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org

On Tue, 5 Feb 2019 16:51:36 -0300
Sergio Belkin via samba <samba at lists.samba.org> wrote:
> Hi folks
> 
> I'm using samba 4.8.3 in CentOS client and samba 4.9.3 from Van Belle
> repos on server
> 
> I cannot join to the domain as
> 
> net ads join -k -d 1
> 
Can you post the following files from both machines:

/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
smb.conf

Rowland

El mar., 5 feb. 2019 a las 17:07, Rowland Penny via samba (<
samba at lists.samba.org>) escribió:
> On Tue, 5 Feb 2019 16:51:36 -0300
> Sergio Belkin via samba <samba at lists.samba.org> wrote:
>
> > Hi folks
> >
> > I'm using samba 4.8.3 in CentOS client and samba 4.9.3 from Van
Belle
> > repos on server
> >
> > I cannot join to the domain as
> >
> > net ads join -k -d 1
> >
>
> Can you post the following files from both machines:
>
> /etc/hostname
> /etc/hosts
> /etc/resolv.conf
> /etc/krb5.conf
> smb.conf
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Hi Rowland,

Centos files:

/etc/hostname
tiny-fishwife.example.com

/etc/hosts
127.0.0.1       localhost       localhost.localdomain
192.168.50.30           tiny-fishwife.example.com tiny-fishwife
192.168.254.252         tiny-fishwife.example.com tiny-fishwife
192.168.34.7            tiny-fishwife.example.com tiny-fishwife
office.example.com
192.168.34.7    groupware.example.com

/etc/resolv.conf
domain example.com
search example.com
nameserver 192.168.34.4

/etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
 }
[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM


smb.conf
[global]
workgroup = EXAMPLE.COM
server string = NethServer 7.6.1810 final (Samba %v)
security = ADS
realm = EXAMPLE.COM
kerberos method = secrets and keytab
netbios name = TINY-FISHWIFE

Debian 9 ( Samba Server) files:

/etc/hosts
127.0.0.1       localhost
127.0.1.1       dc000.example.com       dc000.example.com
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.34.4 ldap.example.com ldap sambaexample

/etc/hostname
dc000.example.com

/etc/resolv.conf
domain example.com
search example.com
nameserver 192.168.34.4

/etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true
    proxiable = true
    default_tgs_enctypes =  aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
rc4-hmac des-cbc-crc des-cbc-md5


smb.conf:

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true
    proxiable = true
    default_tgs_enctypes =  aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
rc4-hmac des-cbc-crc des-cbc-md5

/smb.conf
[global]
        dns forwarder = 192.168.0.2 8.8.8.8
        netbios name = DC000
        realm = EXAMPLE.COM
        server role = active directory domain controller
        workgroup = EXAMPLE
        idmap_ldb:use rfc2307 = yes
        # Audit settings
        full_audit:prefix = %u|%I|%m|%S
        full_audit:failure = connect
        full_audit:success =  mkdir rmdir read pread write pwrite rename
unlink
        full_audit:facility = local5
        full_audit:priority = notice
        # TLS settings
        tls enabled = yes
        tls certfile = tls/ldap.example.com/fullchain1.pem

        tls keyfile = tls/ldap.example.com/privkey1.pem

        tls cafile         #log auth
        log level = 1 auth_audit:3 auth_json_audit:3
[netlogon]
        path = /var/lib/samba/sysvol/example.com/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No



Thanks in advance!
-- 
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org