Hai,

From what I see below.

kinit that should work, or error in krb5.conf or resolv.conf.
What is the first resolver in resolv.conf and is samba configured with internal DNS or Bind9_DLZ?

This is in /etc/ldap/ldap.conf
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow

cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
not really needed, but it does not hurt.

Well, can you run this for me and post the output.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
if needed, anonymize it.

That will tell me enough, what is wrong.

Greetz,

Louis


From: Alexander Harm [mailto:contact at aharm.de]
Sent: Thursday 15 August 2019 15:00
To: L.P.H. van Belle
Subject: Re: [Samba] Failing to join existing AD as DC

kinit fails for me:

kinit Administrator
kinit: Client 'Administrator at SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials

#/etc/ldap/ldap.conf
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

I added the Windows DC certs like this:

cp wdc.crt /usr/local/share/ca-certificates/wdc.crt
update-ca-certificates

I installed Samba like this

# Cleanup
find /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private -name '*.tdb' -name '*.ldb' -delete
rm /etc/samba/smb.conf

# Provision domain
samba-tool domain provision --use-rfc2307 --interactive

# configure kerberos
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

# start samba
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc

On 15. August 2019 at 14:25:48, L.P.H. van Belle via samba (samba at lists.samba.org) wrote:

Can you try this:

kinit Administrator
samba-tool domain join samdom.example.com DC --site="KA-H9" -k yes

If that isn't working..
Post output of:
cat /etc/ldap/ldap.conf

And tell me how did you setup your ssl certificates on this server.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Alexander Harm via samba
> Sent: Thursday 15 August 2019 13:25
> To: samba at lists.samba.org
> Subject: [Samba] Failing to join existing AD as DC
>
> I tried joining the same AD before and succeeded, however
> after upgrading to Debian Buster and installing AD
> Certificate Services on the Windows DC my join does not work anymore:
>
> samba-tool domain join samdom.example.com DC -U"SAMDOM\adadmin" --site="KA-H9"
>
> fails during the ldap part with:
>
> Join failed - cleaning up
>
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563> <> Failed to connect to 'ldap://dc01.samdom.example.com' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563> <>
>
> ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <000021A2: SvcErr: DSID-030A08C1, problem 5012 (DIR_ERROR), data 8610
> > <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 716, in run
>     backend_store=backend_store)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1501, in join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1397, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 683, in join_add_objects
>     ctx.samdb.modify(m)
>
> I verified password etc. but I believe this boils down to
> certificate issues. I added the root cert of the AD to the
> local certificates and OpenSSL verifies everything as being OK.
>
> Does anyone have an idea on what I could try next?
>
> Thanks
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 15/08/2019 14:08, L.P.H. van Belle via samba wrote:
> Hai,
>
> From what I see below.
>
> kinit that should work, or error in krb5.conf or resolv.conf.
> What is the first resolver in resolv.conf and is samba configured with internal DNS or Bind9_DLZ?

Everything Louis said, plus: Please reply to the list, do not send replies directly to anyone, it BREAKS the thread.

Rowland
Sorry, I am not used to a list that has real sender addresses...

Samba is configured with internal DNS.

# /etc/krb5.conf
[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

# /etc/ldap/ldap.conf
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow

# /etc/resolv.conf
domain samdom.example.com
search samdom.example.com
nameserver 10.88.80.88 # windows dc

./samba-collect-debug-info.sh
kinit: Client 'Administrator at SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials
Wrong password, exiting now.

Never asks me for a password though...

On 15. August 2019 at 15:19:44, Rowland penny via samba (samba at lists.samba.org) wrote:
> On 15/08/2019 14:08, L.P.H. van Belle via samba wrote:
>> Hai,
>>
>> From what I see below.
>>
>> kinit that should work, or error in krb5.conf or resolv.conf.
>> What is the first resolver in resolv.conf and is samba configured with internal DNS or Bind9_DLZ?
>
> Everything Louis said, plus: Please reply to the list, do not send replies directly to anyone, it BREAKS the thread.
>
> Rowland
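The two settings Louis asks about, the first resolver in resolv.conf and TLS_REQCERT in /etc/ldap/ldap.conf, can be checked with this added shell snippet; it is not part of the thread, the sample files are constructed from the values Alexander posted, and TLS_REQCERT allow is reported as weak because OpenLDAP then ignores a bad server certificate.

```shell
#!/bin/sh
# Added example, not code from the thread: check the two things Louis asked
# about before retrying the join. The sample files below are constructed
# from the values Alexander posted; point the functions at the real
# /etc/resolv.conf and /etc/ldap/ldap.conf to check a live host.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: resolv.conf as posted (the Windows DC is the resolver).
cat > "$WORK/resolv.conf" <<'EOF'
domain samdom.example.com
search samdom.example.com
nameserver 10.88.80.88 # windows dc
EOF

# Constructed sample: ldap.conf with the TLS_REQCERT value used in the thread.
cat > "$WORK/ldap.conf" <<'EOF'
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow
EOF

# Print the first nameserver listed in a resolv.conf, ignoring comments.
# For an AD DC join this must be a DC that serves the domain's DNS.
first_nameserver() {
    sed 's/#.*//' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# Classify the OpenLDAP TLS_REQCERT setting in an ldap.conf (last one wins):
#   strict  demand/hard: a missing or bad server certificate aborts the session
#   partial try: a bad certificate aborts, but a missing one is accepted
#   weak    allow: a bad certificate is ignored and the session proceeds
#   off     never: no server certificate is requested at all
#   unset   key absent; OpenLDAP then behaves like demand
tls_reqcert_level() {
    val=$(sed 's/#.*//' "$1" | awk 'toupper($1) == "TLS_REQCERT" { print tolower($2) }' | tail -n 1)
    case "$val" in
        "")          echo unset ;;
        demand|hard) echo strict ;;
        try)         echo partial ;;
        allow)       echo weak ;;
        never)       echo off ;;
        *)           echo unknown ;;
    esac
}

echo "first resolver: $(first_nameserver "$WORK/resolv.conf")"
echo "TLS_REQCERT:    $(tls_reqcert_level "$WORK/ldap.conf")"
```

TLS_REQCERT allow gets the join past certificate problems, but it also means the LDAP client accepts whatever certificate the DC presents; once the join works, demand with the DC's CA in TLS_CACERT is the setting to keep.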