Jonathon Reinhart
2019-Jun-13 09:33 UTC
[Samba] "samba-tool domain join" doesn't work with -U and -k
Hello,

Summary: "samba-tool domain join" doesn't seem to work if you pass both "-k yes" and -U.

Samba version: 4.9.5-Debian

I have a newly-provisioned AD domain with a single DC (dc1). I'm attempting to join a second DC (dc2), per the wiki.

On dc2:
- I have /etc/resolv.conf pointing at dc1 (confirmed all AD DNS resolution works)
- I've copied the basic /etc/krb5.conf that was spit out during provisioning
- I've got a valid kerberos ticket ("kinit Administrator" worked)
- I can query info about the domain via dc1:

# samba-tool domain info dc1
Forest            : ad-test.vx
Domain            : ad-test.vx
Netbios domain    : ADTEST
DC name           : dc1.ad-test.vx
DC netbios name   : DC1
Server site       : Default-First-Site-Name
Client site       : Default-First-Site-Name

I am unable to join dc2. All of the following fail:

# samba-tool domain join ad-test.vx DC -U 'Administrator' --no-pass -k yes --option 'idmap_ldb:use rfc2307 = yes'
# samba-tool domain join ad-test.vx DC -U 'ADTEST\Administrator' --no-pass -k yes --option 'idmap_ldb:use rfc2307 = yes'
# samba-tool domain join ad-test.vx DC -U 'Administrator@ad-test.vx' --no-pass -k yes --option 'idmap_ldb:use rfc2307 = yes'
# samba-tool domain join ad-test.vx DC -k yes -U Administrator@AD-TEST.VX --no-pass --option 'idmap_ldb:use rfc2307 = yes'

They fail with the same error output:

Finding a writeable DC for domain 'ad-test.vx'
Found DC dc1.ad-test.vx
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://dc1.ad-test.vx' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

However (I just discovered this while writing this email), leaving off -U altogether worked!

# samba-tool domain join ad-test.vx DC --no-pass -k yes --option 'idmap_ldb:use rfc2307 = yes'

So it appears, at least for "domain join", that "-U" and "-k" are incompatible.

In the Wiki,
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Kerberos
it tells the user to use 'kinit' to confirm that Kerberos is working. Perhaps it should say to use '-k yes' instead of '-U'?

Jonathon
Rowland penny
2019-Jun-13 09:46 UTC
[Samba] "samba-tool domain join" doesn't work with -U and -k
On 13/06/2019 10:33, Jonathon Reinhart via samba wrote:
> Hello,
>
> Summary: "samba-tool domain join" doesn't seem to work if you pass
> both "-k yes" and -U.
>
> Samba version: 4.9.5-Debian
>
> I have a newly-provisioned AD domain with a single DC (dc1). I'm
> attempting to join a second DC (dc2), per the wiki.
>
> On dc2:
> - I have /etc/resolv.conf pointing at dc1 (confirmed all AD DNS
> resolution works)
> - I've copied the basic /etc/krb5.conf that was spit out during provisioning
> - I've got a valid kerberos ticket ("kinit Administrator" worked)
> - I can query info about the domain via dc1:
>
> # samba-tool domain info dc1
> Forest            : ad-test.vx
> Domain            : ad-test.vx
> Netbios domain    : ADTEST
> DC name           : dc1.ad-test.vx
> DC netbios name   : DC1
> Server site       : Default-First-Site-Name
> Client site       : Default-First-Site-Name
>
> I am unable to join dc2. All of the following fail:
>
> # samba-tool domain join ad-test.vx DC -U 'Administrator' --no-pass -k
> yes --option 'idmap_ldb:use rfc2307 = yes'
> # samba-tool domain join ad-test.vx DC -U 'ADTEST\Administrator'
> --no-pass -k yes --option 'idmap_ldb:use rfc2307 = yes'
> # samba-tool domain join ad-test.vx DC -U 'Administrator@ad-test.vx'
> --no-pass -k yes --option 'idmap_ldb:use rfc2307 = yes'
> # samba-tool domain join ad-test.vx DC -k yes -U
> Administrator@AD-TEST.VX --no-pass --option 'idmap_ldb:use rfc2307
> = yes'
>
> They fail with the same error output:
>
> Finding a writeable DC for domain 'ad-test.vx'
> Found DC dc1.ad-test.vx
> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://dc1.ad-test.vx' with backend 'ldap': LDAP
> client internal error: NT_STATUS_INVALID_PARAMETER
> ERROR(ldb): uncaught exception - LDAP client internal error:
> NT_STATUS_INVALID_PARAMETER
>
>
> However (I just discovered this while writing this email), leaving off
> -U altogether worked!
>
> # samba-tool domain join ad-test.vx DC --no-pass -k yes --option
> 'idmap_ldb:use rfc2307 = yes'
>
> So it appears, at least for "domain join", that "-U" and "-k" are incompatible.
>
> In the Wiki,
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Kerberos
> it tells the user to use 'kinit' to confirm that Kerberos is working.
> Perhaps it should say to use '-k yes' instead of '-U'?
>
> Jonathon
>
Good point, the page tells you how to set up kerberos and test it, then never uses it.

You actually missed one of the kerberos auth methods: instead of '-k yes' you can use '--krb5-ccache=KRB5CCNAME', where KRB5CCNAME is the full path to a valid kerberos ticket, e.g. '/tmp/krb5cc_0'.

Rowland
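The two messages above amount to a short pre-flight procedure: obtain a TGT with kinit, confirm the cache really holds a krbtgt for the domain's realm, and then run the join with Kerberos only (either '-k yes' or '--krb5-ccache=<path>'), never combined with -U. The following POSIX shell script is an added example written for this page; it is not code from either poster or from the Samba project. It assumes the realm is the upper-cased DNS domain (true for the ad-test.vx / AD-TEST.VX setup described), parses the credential cache listing produced by klist(1) in MIT or Heimdal layout, and only prints the join command it would run so it can be reviewed first. The klist output embedded at the bottom is constructed for the offline check.

```shell
#!/bin/sh
# Added example for this thread (not Samba or the posters' code): pre-flight
# checks before "samba-tool domain join ... DC" authenticated purely by Kerberos.

# realm_of_domain DOMAIN: Kerberos realm name for an AD DNS domain.
# Assumption: realm == upper-cased DNS name (e.g. ad-test.vx -> AD-TEST.VX).
realm_of_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# tgt_principal REALM: read klist(1) output on stdin and print the client
# principal if the cache contains krbtgt/REALM@REALM, otherwise print nothing.
# Handles MIT ("Default principal:") and Heimdal (indented "Principal:") layouts;
# in both, the service principal is the last field of each ticket line.
tgt_principal() {
    awk -v realm="$1" '
        /^[ \t]*(Default )?[Pp]rincipal:/ { principal = $NF }
        $NF == ("krbtgt/" realm "@" realm) { found = 1 }
        END { if (found && principal != "") print principal }
    '
}

# join_cmd DOMAIN [CCACHE]: the join command line using Kerberos only.
# With a cache path it emits --krb5-ccache=<path> (Rowland's variant); without
# one it emits -k yes (the variant that worked for Jonathon on 4.9.5).
# Deliberately never emits -U, which is the combination the thread reports failing.
join_cmd() {
    if [ -n "$2" ]; then
        auth="--krb5-ccache=$2"
    else
        auth="-k yes"
    fi
    printf "samba-tool domain join %s DC %s --option 'idmap_ldb:use rfc2307 = yes'\n" "$1" "$auth"
}

# preflight_join DOMAIN [CCACHE]: live check. Refuses unless the cache holds a
# TGT for DOMAIN's realm, then prints the join command for the operator to run.
# CCACHE defaults to $KRB5CCNAME, then /tmp/krb5cc_<uid> (assumed cache location).
preflight_join() {
    domain=$1
    ccache=${2:-${KRB5CCNAME:-/tmp/krb5cc_$(id -u)}}
    realm=$(realm_of_domain "$domain")
    principal=$(KRB5CCNAME="$ccache" klist 2>/dev/null | tgt_principal "$realm")
    if [ -z "$principal" ]; then
        echo "no TGT for $realm in $ccache; run: kinit Administrator@$realm" >&2
        return 1
    fi
    echo "would join $domain as $principal using cache $ccache" >&2
    join_cmd "$domain" "$ccache"
}

# Constructed klist output (MIT layout) for the offline self-check below.
SAMPLE_KLIST_MIT='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@AD-TEST.VX

Valid starting       Expires              Service principal
06/13/2019 09:30:00  06/13/2019 19:30:00  krbtgt/AD-TEST.VX@AD-TEST.VX
06/13/2019 09:31:12  06/13/2019 19:30:00  ldap/dc1.ad-test.vx@AD-TEST.VX'

# Constructed klist output (Heimdal layout) for the same check.
SAMPLE_KLIST_HEIMDAL='Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@AD-TEST.VX

  Issued                Expires               Principal
Jun 13 09:30:00 2019  Jun 13 19:30:00 2019  krbtgt/AD-TEST.VX@AD-TEST.VX'

# Offline self-check of the parser; returns 0 when both layouts parse correctly.
selfcheck() {
    [ "$(printf '%s\n' "$SAMPLE_KLIST_MIT" | tgt_principal AD-TEST.VX)" = "Administrator@AD-TEST.VX" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_KLIST_HEIMDAL" | tgt_principal AD-TEST.VX)" = "Administrator@AD-TEST.VX" ] || return 1
    [ -z "$(printf '%s\n' "$SAMPLE_KLIST_MIT" | tgt_principal OTHER.REALM)" ] || return 1
}
```

Usage on the joining DC after `kinit Administrator@AD-TEST.VX`: `preflight_join ad-test.vx /tmp/krb5cc_0` prints the command, and `eval "$(preflight_join ad-test.vx /tmp/krb5cc_0)"` runs it. The parser only checks that a krbtgt exists, not that it is unexpired; for that, `klist -s` (MIT) or `klist -t` (Heimdal) exits non-zero when no valid ticket is present and is a cheap extra guard. Later Samba releases replaced `-k yes` with `--use-kerberos=required`, so check `samba-tool domain join --help` on the version in use before relying on the `-k` spelling from this 4.9.5 thread.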