Hai,

From what I see below:

kinit, that should work, or there is an error in krb5.conf or resolv.conf.
What is the first resolver in resolv.conf, and is Samba configured with internal
DNS or Bind9_DLZ?

This is in /etc/ldap/ldap.conf:
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow

cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
not really needed, but it does not hurt.

Well, can you run this for me and post the output:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
If needed, anonymize it.

That will tell me enough about what is wrong.

Greetz,

Louis

From: Alexander Harm [mailto:contact at aharm.de]
Sent: Thursday 15 August 2019 15:00
To: L.P.H. van Belle
Subject: Re: [Samba] Failing to join existing AD as DC
kinit fails for me:
kinit Administrator
kinit: Client 'Administrator@SAMDOM.EXAMPLE.COM' not found in
Kerberos database while getting initial credentials

#/etc/ldap/ldap.conf
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
I added the Windows DC certs like this:
cp wdc.crt /usr/local/share/ca-certificates/wdc.crt
update-ca-certificates
I installed Samba like this:
# Cleanup
find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private \
    \( -name '*.tdb' -o -name '*.ldb' \) -delete
rm /etc/samba/smb.conf
# Provision domain
samba-tool domain provision --use-rfc2307 --interactive
# configure kerberos
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
# start samba
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc
On 15. August 2019 at 14:25:48, L.P.H. van Belle via samba (samba at
lists.samba.org) wrote:
Can you try this:
kinit Administrator
samba-tool domain join samdom.example.com DC --site='KA-H9' -k yes
If that isn't working, post the output of:
cat /etc/ldap/ldap.conf
And tell me how you set up your SSL certificates on this server.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Alexander Harm via samba
> Sent: Thursday 15 August 2019 13:25
> To: samba at lists.samba.org
> Subject: [Samba] Failing to join existing AD as DC
> 
> I tried joining the same AD before and succeeded, however 
> after upgrading to Debian Buster and installing AD 
> Certificate Services on the Windows DC my join does not work anymore: 
> 
> samba-tool domain join samdom.example.com DC -U'SAMDOM\adadmin' --site='KA-H9'
> 
> fails during the ldap part with: 
> 
> Join failed - cleaning up
> 
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -
> <8009030C: LdapErr: DSID-0C090569, comment:
> AcceptSecurityContext error, data 52e, v4563> <> Failed to
> connect to 'ldap://dc01.samdom.example.com' with backend
> 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C:
> LdapErr: DSID-0C090569, comment: AcceptSecurityContext error,
> data 52e, v4563> <>
> 
> ERROR(ldb): uncaught exception - LDAP error 1
> LDAP_OPERATIONS_ERROR -  <000021A2: SvcErr: DSID-030A08C1,
> problem 5012 (DIR_ERROR), data 8610
> 
> > <>
> 
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 716, in run
>     backend_store=backend_store)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1501, in join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1397, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 683, in join_add_objects
>     ctx.samdb.modify(m)
> 
> I verified password etc. but I believe this boils down to 
> certificate issues. I added the root cert of the AD to the 
> local certificates and OpenSSL verifies everything as being OK. 
> 
> Does anyone have an idea on what I could try next? 
> 
> Thanks 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the 
> instructions: https://lists.samba.org/mailman/options/samba 
> 
> 
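Louis's three questions above (the first resolver in resolv.conf, the realm in krb5.conf, and TLS_CACERT in ldap.conf) turned into a single pre-join check. This is an added example, not code from the thread or from the Samba project; the DC address 192.0.2.10, the realm SAMDOM.EXAMPLE.COM and the temp-file layout are constructed assumptions.

```shell
# Added pre-join sanity check (not from the thread or the Samba project): reads
# the three files Louis asks about and reports whether they point at the
# existing DC. Paths, DC address and realm are parameters; samples are constructed.

# Value of the first line of FILE whose first word is KEY. Used for the first
# "nameserver" in resolv.conf (the resolver kinit/samba-tool use for SRV
# lookups, so it must be a DC of the target domain) and TLS_CACERT in ldap.conf.
first_value() {
    while read -r key val rest; do
        [ "$key" = "$2" ] && { echo "$val"; return 0; }
    done < "$1"
    return 1
}

# default_realm from the [libdefaults] section of krb5.conf
# (whitespace around '=' is ignored, as libkrb5 does).
krb5_default_realm() {
    sec=
    while IFS= read -r line; do
        key=$(printf '%s' "$line" | tr -d ' \t')
        case $key in
            \[*\]) sec=$key ;;
            default_realm=*) [ "$sec" = "[libdefaults]" ] &&
                { echo "${key#default_realm=}"; return 0; } ;;
        esac
    done < "$1"
    return 1
}

# Exit 0 when resolver, realm and CA file agree with the target DC,
# 1 otherwise, printing one line per finding.
check_join_prereqs() {
    resolv=$1 krb5=$2 ldap=$3 dc_ip=$4 realm=$5 ok=0
    ns=$(first_value "$resolv" nameserver)
    [ "$ns" = "$dc_ip" ] || { echo "first resolver is '$ns', want DC $dc_ip"; ok=1; }
    r=$(krb5_default_realm "$krb5")
    [ "$r" = "$realm" ] || { echo "default_realm is '$r', want $realm"; ok=1; }
    ca=$(first_value "$ldap" TLS_CACERT)
    [ -n "$ca" ] && [ -r "$ca" ] || { echo "TLS_CACERT '$ca' unreadable"; ok=1; }
    return $ok
}

# Constructed sample: resolv.conf still lists the local, freshly provisioned
# Samba first, which is the layout the thread's kinit error suggests.
D=$(mktemp -d)
: > "$D/ca.crt"
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.10\n' > "$D/resolv.conf"
printf '[libdefaults]\n\tdefault_realm = SAMDOM.EXAMPLE.COM\n' > "$D/krb5.conf"
printf 'TLS_CACERT\t%s\nTLS_REQCERT allow\n' "$D/ca.crt" > "$D/ldap.conf"
check_join_prereqs "$D/resolv.conf" "$D/krb5.conf" "$D/ldap.conf" 192.0.2.10 SAMDOM.EXAMPLE.COM || echo "fix before joining"
```

Point the first nameserver at the existing DC and rerun until the check exits 0, then retry kinit and the join.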