samba - Nov 2019 - net ads join explication ?

My Dc is under linux - my version of linux is 5.2.0-3-amd64

My client os is also under linux et the version is 5.2.0-2-amd64. I have 
also client windows10.

I put the result of the test

Collected config? --- 2019-11-07-13:14 -----------

Hostname: clientblues2
DNS Domain: sambadom.calais.fr
FQDN: clientblues2.sambadom.calais.fr
ipaddress: 192.168.xx.233

-----------

Kerberos SRV _kerberos._tcp.sambadom.calais.fr record verified ok, 
sample output:
Server:??? ??? 192.168.xx.230
Address:??? 192.168.xx.230#53

_kerberos._tcp.sambadom.calais.fr??? service = 0 100 88 
blueyestest.sambadom.calais.fr.
Samba is running as an Unix domain member but 'winbindd' is NOT running.
Check that the winbind package is installed.
Detected, Samba is running winbind only. Auth-only server, Unix domain 
member
 ?????? Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux bullseye/sid"
NAME="Debian GNU/Linux"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian bullseye/sid x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1000
 ??? link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 ??? inet 127.0.0.1/8 scope host lo
 ??? inet6 ::1/128 scope host
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UP group default qlen 1000
 ??? link/ether a2:75:42:40:54:6b brd ff:ff:ff:ff:ff:ff
 ??? inet 192.168.xx.233/24 brd 192.168.22.255 scope global 
noprefixroute ens18
 ??? inet6 fe80::a075:42ff:fe40:546b/64 scope link noprefixroute

-----------
 ?????? Checking file: /etc/hosts

127.0.0.1??? localhost
192.168.xx.233??? clientblues2.sambadom.calais.fr clientblues2
192.168.xx.230??? blueyestest.sambadom.calais.fr??? blueyestest



# The following lines are desirable for IPv6 capable hosts
::1???? localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

 ?????? Checking file: /etc/resolv.conf

# Generated by NetworkManager
nameserver 192.168.xx.230
nameserver 193.49.xx.10
nameserver 195.220.xx.10

-----------

 ?????? Checking file: /etc/krb5.conf

[libdefaults]
 ??? default_realm = SAMBADOM.CALAIS.FR
 ??? kdc_timesync =1
 ??? ccache_type = 4
 ??? forwardable = true
 ??? proxiable = true
 ??? dns_lookup_realm = false
 ??? dns_lookup_kdc = true



#fcc-mit-ticketflags = true

#allow_weak_crypto = true
#default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
#default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 
rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 
rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes= as256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 
rc4-hmac des-cbc-crc des-cbc-md5



[realms]
 ??? SAMBADOM.CALAIS.FR = {
 ??? ??? kdc = blueyestest.sambadom.calais.fr
 ??? ??? admin_server = blueyestest.sambadom.calais.fr
 ??? ??? default_domain =sambadom.calais.fr
 ??? }

[domain_realm]
 ??? sambadom.calais.fr = SAMBADOM.CALAIS.FR
 ??? .sambadom.calais.fr = SAMBADOM.CALAIS.FR

[logging]
 ??? default=file:/var/log/krb5.log

-----------

 ?????? Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.

passwd:???????? files winbind systemd
group:????????? files winbind systemd
shadow:???????? files winbind systemd
gshadow:??????? files

hosts:????????? files dns
networks:?????? files

protocols:????? db files
services:?????? db files
ethers:???????? db files
rpc:??????????? db files

netgroup:?????? nis

-----------

 ?????? Checking file: /etc/samba/smb.conf

[global]
 ??? security =ADS
 ??? realm = SAMBADOM.CALAIS.FR
 ??? workgroup =SAMBADOM
 ??? netbios name = clientblues2
 ??? winbind separator = /
 ??? winbind enum users = yes
 ??? winbind enum groups = yes


 ??? idmap config * : backend=tdb
 ??? idmap config * : range=1000-2000

 ??? idmap config SAMBADOM : backend = ad
 ??? idmap config SAMBADOM : schema_mode =rfc2307
 ??? idmap config SAMBADOM : range = 10000-600000
 ??? idmap config SAMBADOM : unix_nss_info = yes
 ??? idmap config SAMBADOM : unix_primary_group = yes

 ??? winbind nss info = template
 ??? template homedir =/etudiants/%U


 ??? template shell =/bin/bash
 ??? kerberos method =? secrets and keytab
 ??? dedicated keytab file =/etc/krb5.keytab
 ??? winbind refresh tickets =yes
#
 ??? username map = /etc/samba/user.map
 ??? winbind use default domain = yes
 ??? log file =/var/log/samba/log.%m
 ??? log level = 5
# for acl support on members servers with shares
 ??? vfs object = acl_xattr
 ??? map acl inherit = yes
 ??? store dos attributes = yes
#??? winbind nss info = rfc2307

-----------

Running as Unix domain member and user.map detected.

Contents of /etc/samba/user.map

!root = SAMBADOM\administrator

Server Role is set to :? auto

-----------

Installed packages:
ii? acl 2.2.53-5??????????????????????? amd64??????? access control list 
- utilities
ii? fonts-quicksand 0.2016-2??????????????????????? all????????? 
sans-serif font with round attributes
ii? krb5-config 2.6???????????????????????????? all????????? 
Configuration files for Kerberos Version 5
ii? krb5-locales 1.17-6????????????????????????? all 
internationalization support for MIT Kerberos
ii? krb5-user 1.17-6????????????????????????? amd64??????? basic 
programs to authenticate using MIT Kerberos
ii? libacl1:amd64 2.2.53-5??????????????????????? amd64??????? access 
control list - shared library
ii? libattr1:amd64 1:2.4.48-5????????????????????? amd64??????? extended 
attribute handling - shared library
ii? libgssapi-krb5-2:amd64 1.17-6????????????????????????? amd64??????? 
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii? libkrb5-3:amd64 1.17-6????????????????????????? amd64??????? MIT 
Kerberos runtime libraries
ii? libkrb5support0:amd64 1.17-6????????????????????????? amd64??????? 
MIT Kerberos runtime libraries - Support library
ii? libnss-winbind:amd64 2:4.9.13+dfsg-1???????????????? amd64??????? 
Samba nameservice integration plugins
ii? libpam-winbind:amd64 2:4.9.13+dfsg-1???????????????? amd64??????? 
Windows domain authentication integration plugin
ii? libsmbclient:amd64 2:4.9.13+dfsg-1???????????????? amd64??????? 
shared library for communication with SMB/CIFS servers
ii? libwbclient0:amd64 2:4.9.13+dfsg-1???????????????? amd64??????? 
Samba winbind client library
ii? python-samba 2:4.9.13+dfsg-1???????????????? amd64??????? Python 
bindings for Samba
ii? samba-common 2:4.9.13+dfsg-1???????????????? all????????? common 
files used by both the Samba server and client
ii? samba-common-bin 2:4.9.13+dfsg-1???????????????? amd64??????? Samba 
common files used by both the server and the client
ii? samba-dsdb-modules:amd64 2:4.9.13+dfsg-1???????????????? 
amd64??????? Samba Directory Services Database
ii? samba-libs:amd64 2:4.9.13+dfsg-1???????????????? amd64??????? Samba 
core libraries
ii? winbind 2:4.9.13+dfsg-1???????????????? amd64??????? service to 
resolve user and group information from Windows NT servers

-----------


Le 07/11/2019 ? 12:37, Rowland penny via samba a ?crit?:
> On 07/11/2019 11:08, nathalie ramat via samba wrote:
>> Hello ,
>>
>> I want to add my linux client in my ad .
>>
>> I use net ads join -U administrator
>> passwd : xxxx
>>
>> and I wait and I have no reponse but if I put 8 times t he key 
>> enter,? my machine is add to my add but I have? this message error : 
>> error reading from file descriptor 0 : empty password? which come 
>> from the server
>>
>> I don't understand why .
>>
>>
>> My server is samba 4.11 and? my client use winbind .
>
> There doesn't seem to be anything wrong with your smb.conf, were 
> 'smdb', 'nmbd' and 'winbind' running before the
join ?
>
> Can you download this: 
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Run it on the Unix domain member and post the output into a reply to 
> this post, do not attach it, this list strips attachments.
>
> Also, what is he DC ? OS and version.
>
> Rowland
>
>
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
-- 
Nathalie RAMAT-LECLERCQ

Service Informatique

Universite du Littoral-C?te d'Opale
SCoSI - Service Commun du Syst?me d'Information
P?le Syst?mes et r?seaux

Centre de Gestion Universitaire de Calais
50 rue ferdinand Buisson
C.S 80699
62228 CALAIS CEDEX

On 07/11/2019 13:00, nathalie ramat wrote:
>
> My Dc is under linux - my version of linux is 5.2.0-3-amd64
No, your kernel is 5.2.0-3-amf64, you are running bullsye/sid

You may find running this helps:

apt-get install samba attr libpam-krb5 samba-vfs-modules

You do not appear to have 'samba' installed.

Rowland

I thought that only the package winbind,libnss-winbind and 
libpam_winbind are necessary for client linux to connect the server AD.
I will install the other packages and continue my test.


Le 07/11/2019 ? 14:20, Rowland penny via samba a ?crit?:
> On 07/11/2019 13:00, nathalie ramat wrote:
>>
>> My Dc is under linux - my version of linux is 5.2.0-3-amd64
> No, your kernel is 5.2.0-3-amf64, you are running bullsye/sid
>
> You may find running this helps:
>
> apt-get install samba attr libpam-krb5 samba-vfs-modules
>
> You do not appear to have 'samba' installed.
>
> Rowland
>
>
>
>
-- 
Nathalie RAMAT-LECLERCQ

Service Informatique

Universite du Littoral-C?te d'Opale
SCoSI - Service Commun du Syst?me d'Information
P?le Syst?mes et r?seaux

Centre de Gestion Universitaire de Calais
50 rue ferdinand Buisson
C.S 80699
62228 CALAIS CEDEX