L.P.H. van Belle
2019-Dec-10 12:51 UTC
[Samba] security = ads parameter not working in samba 4.9.5
I've re-read this thread but it's a bit confusing due to 2 persons with the same problem in one thread.

I'm thinking here, how is samba started, since winbind is not running.
I'm suspecting samba-addc or samba is starting. Not smbd nmbd winbind.

I suggest to run this:

Disable that all again.
systemctl disable samba-addc samba smbd nmbd winbind
systemctl mask samba-addc samba smbd nmbd winbind
systemctl stop samba-addc samba smbd nmbd winbind

Make sure your config matches up with what we already showed.
My setup or Rowland's are the same.

Now try to join again with:
net ads join -UAdministrator -d6
And post the needed output to see what is still going on.

Enable only the needed for a member server.
!note, only nmbd if you really need it, else remove it from the below lines.

systemctl unmask smbd winbind nmbd
systemctl enable smbd winbind nmbd

systemctl start smbd winbind

Greetz,

Louis
(ps. Expect slow response from me, I'm on vacation)

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Tuesday 10 December 2019 12:29
> To: sambalist
> Subject: Re: [Samba] security = ads parameter not working
> in samba 4.9.5
>
> On 10/12/2019 11:10, Sac Isilia wrote:
> > Hi Rowland,
> >
> > Please let me know what else I can try from my side. We are
> > stuck as the server can't be joined to domain.
> >
> Sorry, I thought you had fixed this :-(
>
> You seem to be doing everything correctly, so it should work, but
> obviously, it isn't for you.
>
> Can I suggest you use Louis's repo: http://apt.van-belle.nl/
>
> This will get you a more up to date Samba version and may, by itself,
> fix your problem.
>
> Try this smb.conf:
>
> [global]
>     workgroup = SAMDOM
>     security = ADS
>     realm = SAMDOM.EXAMPLE.COM
>
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>
>     winbind use default domain = yes
>     winbind expand groups = 2
>     winbind refresh tickets = Yes
>
>     idmap config *:backend = tdb
>     idmap config *:range = 3000-7999
>     idmap config SAMDOM : backend = rid
>     idmap config SAMDOM : range = 10000-999999
>     template shell = /bin/bash
>     template homedir = /home/%U
>
>     # user Administrator workaround, without it you are unable to set privileges
>     username map = /etc/samba/user.map
>
>     # For ACL support on domain member
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
>     # disable printing completely
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>
>     # logging
>     log level = 4
>
> Create /etc/samba/user.map
> !root = SAMDOM\Administrator
>
> Replace 'SAMDOM' with your workgroup name and the realm name
> 'SAMDOM.EXAMPLE.COM' with your realm name (which must be the dns domain
> in uppercase)
>
> If this doesn't work, I am running out of ideas, it normally just works.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Sac Isilia
2019-Dec-11 12:54 UTC
[Samba] security = ads parameter not working in samba 4.9.5
Hi Belle,

Below is the output after I performed the suggested steps.

root@esmad1apl01:~# net ads join -U media\\svc_domjoin02 -d6
INFO: Current debug levels:
  all: 6
  tdb: 6
  printdrivers: 6
  lanman: 6
  smb: 6
  rpc_parse: 6
  rpc_srv: 6
  rpc_cli: 6
  passdb: 6
  sam: 6
  auth: 6
  winbind: 6
  vfs: 6
  idmap: 6
  quota: 6
  acls: 6
  locking: 6
  msdfs: 6
  dmapi: 6
  registry: 6
  scavenger: 6
  dns: 6
  ldb: 6
  tevent: 6
  auth_audit: 6
  auth_json_audit: 6
  kerberos: 6
  drs_repl: 6
  smb2: 6
  smb2_credits: 6
  dsdb_audit: 6
  dsdb_json_audit: 6
  dsdb_password_audit: 6
  dsdb_password_json_audit: 6
  dsdb_transaction_audit: 6
  dsdb_transaction_json_audit: 6
  dsdb_group_audit: 6
  dsdb_group_json_audit: 6
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
  all: 6
  tdb: 6
  printdrivers: 6
  lanman: 6
  smb: 6
  rpc_parse: 6
  rpc_srv: 6
  rpc_cli: 6
  passdb: 6
  sam: 6
  auth: 6
  winbind: 6
  vfs: 6
  idmap: 6
  quota: 6
  acls: 6
  locking: 6
  msdfs: 6
  dmapi: 6
  registry: 6
  scavenger: 6
  dns: 6
  ldb: 6
  tevent: 6
  auth_audit: 6
  auth_json_audit: 6
  kerberos: 6
  drs_repl: 6
  smb2: 6
  smb2_credits: 6
  dsdb_audit: 6
  dsdb_json_audit: 6
  dsdb_password_audit: 6
  dsdb_password_json_audit: 6
  dsdb_transaction_audit: 6
  dsdb_transaction_json_audit: 6
  dsdb_group_audit: 6
  dsdb_group_json_audit: 6
Processing section "[global]"
doing parameter workgroup = EMEA-MEDIA
doing parameter realm = EMEA.MEDIA.GLOBAL.LOC
doing parameter security = ADS
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter winbind use default domain = yes
doing parameter winbind expand groups = 2
doing parameter winbind refresh tickets = Yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 3000-7999
doing parameter idmap config EMEA-MEDIA : backend = ad
doing parameter idmap config EMEA-MEDIA : schema_mode = rfc2307
doing parameter idmap config EMEA-MEDIA : unix_nss_info = yes
doing parameter idmap config EMEA-MEDIA : range = 16777216-33554431
doing parameter domain master = no
doing parameter local master = no
doing parameter preferred master = no
doing parameter username map = /etc/samba/user.map
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = yes
doing parameter store dos attributes = yes
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
pm_process() returned Yes
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
Registering messaging pointer for type 51 - private_data=(nil)
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
INFO: Current debug levels:
  all: 6
  tdb: 6
  printdrivers: 6
  lanman: 6
  smb: 6
  rpc_parse: 6
  rpc_srv: 6
  rpc_cli: 6
  passdb: 6
  sam: 6
  auth: 6
  winbind: 6
  vfs: 6
  idmap: 6
  quota: 6
  acls: 6
  locking: 6
  msdfs: 6
  dmapi: 6
  registry: 6
  scavenger: 6
  dns: 6
  ldb: 6
  tevent: 6
  auth_audit: 6
  auth_json_audit: 6
  kerberos: 6
  drs_repl: 6
  smb2: 6
  smb2_credits: 6
  dsdb_audit: 6
  dsdb_json_audit: 6
  dsdb_password_audit: 6
  dsdb_password_json_audit: 6
  dsdb_transaction_audit: 6
  dsdb_transaction_json_audit: 6
  dsdb_group_audit: 6
  dsdb_group_json_audit: 6
Processing section "[global]"
doing parameter workgroup = EMEA-MEDIA
doing parameter realm = EMEA.MEDIA.GLOBAL.LOC
doing parameter security = ADS
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter winbind use default domain = yes
doing parameter winbind expand groups = 2
doing parameter winbind refresh tickets = Yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 3000-7999
doing parameter idmap config EMEA-MEDIA : backend = ad
doing parameter idmap config EMEA-MEDIA : schema_mode = rfc2307
doing parameter idmap config EMEA-MEDIA : unix_nss_info = yes
doing parameter idmap config EMEA-MEDIA : range = 16777216-33554431
doing parameter domain master = no
doing parameter local master = no
doing parameter preferred master = no
doing parameter username map = /etc/samba/user.map
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = yes
doing parameter store dos attributes = yes
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="ESMAD1APL01"
added interface ens192 ip=10.34.54.152 bcast=10.34.54.255 netmask=255.255.255.0
Enter media\svc_domjoin02's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'ESMAD1APL01'
            domain_name              : *
                domain_name              : 'EMEA.MEDIA.GLOBAL.LOC'
            domain_name_type         : JoinDomNameTypeDNS (1)
            account_ou               : NULL
            admin_account            : 'media\svc_domjoin02'
            admin_domain             : NULL
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            os_servicepack           : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'EMEA.MEDIA.GLOBAL.LOC': "ESMAD2"
ads_dns_lookup_srv: 2 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'EMEA.MEDIA.GLOBAL.LOC': "ESMAD2"
no entry for ESMAD2DCM03.emea.media.global.loc#20 found.
resolve_hosts: Attempting host lookup for name ESMAD2DCM03.emea.media.global.loc<0x20>
namecache_store: storing 1 address for ESMAD2DCM03.emea.media.global.loc#20: 10.34.54.47
Connecting to 10.34.54.47 at port 445
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 0
  SO_SNDBUF = 87040
  SO_RCVBUF = 372480
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  SO_SNDTIMEO = 0
  SO_RCVTIMEO = 0
  TCP_QUICKACK = 1
  TCP_DEFER_ACCEPT = 0
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
signed SMB2 message
signed SMB2 message
Bind RPC Pipe: host ESMAD2DCM03.emea.media.global.loc auth_type 0, auth_level 1
rpc_api_pipe: host ESMAD2DCM03.emea.media.global.loc
signed SMB2 message
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host ESMAD2DCM03.emea.media.global.loc
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host ESMAD2DCM03.emea.media.global.loc
signed SMB2 message
rpc_read_send: data_to_read: 212
rpc_api_pipe: host ESMAD2DCM03.emea.media.global.loc
signed SMB2 message
rpc_read_send: data_to_read: 32
signed SMB2 message
saf_fetch: failed to find server for "emea.media.global.loc" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for emea.media.global.loc using DNS
ads_dns_lookup_srv: 2 records returned in the answer section.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.34.54.46:88 10.34.54.47:88
saf_fetch: failed to find server for "emea.media.global.loc" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for emea.media.global.loc using DNS
ads_dns_lookup_srv: 19 records returned in the answer section.
get_dc_list: returning 19 ip addresses in an ordered list
get_dc_list: 10.34.54.47:88 10.57.102.101:88 10.43.2.2:88 10.19.26.136:88 10.48.128.12:88 10.53.75.3:88 10.19.26.137:88 10.10.136.85:88 10.10.136.101:88 10.53.4.3:88 10.34.54.46:88 10.8.32.53:88 10.53.4.2:88 10.19.17.132:88 10.49.67.180:88 10.8.32.54:88 10.10.136.95:88 10.19.17.133:88 10.49.214.7:88
create_local_private_krb5_conf_for_domain: wrote file /var/run/samba/smb_krb5/krb5.conf.EMEA-MEDIA with realm EMEA.MEDIA.GLOBAL.LOC KDC list = kdc = 10.34.54.47
kdc = 10.34.54.46
kdc = 10.43.2.2
kdc = 10.19.26.136

sitename_fetch: Returning sitename for realm 'EMEA.MEDIA.GLOBAL.LOC': "ESMAD2"
name ESMAD2DCM03.emea.media.global.loc#20 found.
ads_try_connect: sending CLDAP request to 10.34.54.47 (realm: emea.media.global.loc)
Successfully contacted LDAP server 10.34.54.47
Connected to LDAP server ESMAD2DCM03.emea.media.global.loc
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password svc_domjoin02@EMEA.MEDIA.GLOBAL.LOC failed: Client not found in Kerberos database
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/esmad2dcm03.emea.media.global.loc with user[svc_domjoin02] realm=[EMEA.MEDIA.GLOBAL.LOC]: Client not found in Kerberos database
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : 'ESMAD1APL01$'
            netbios_domain_name      : 'EMEA-MEDIA'
            dns_domain_name          : 'emea.media.global.loc'
            forest_name              : 'global.loc'
            dn                       : NULL
            domain_guid              : 28b8ead4-212a-4eb4-b9ce-b9b2096fab5e
            domain_sid               : *
                domain_sid               : S-1-5-21-1175101033-2187731779-11171261
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: Client not found in Kerberos database'
            domain_is_ad             : 0x01 (1)
            set_encryption_types     : 0x00000000 (0)
            krb5_salt                : NULL
            result                   : WERR_NERR_DEFAULTJOINREQUIRED
Failed to join domain: failed to connect to AD: Client not found in Kerberos database
return code = -1
root@esmad1apl01:~# systemctl unmask smbd winbind
Removed /etc/systemd/system/smbd.service.
Removed /etc/systemd/system/winbind.service.
root@esmad1apl01:~# systemctl enable smbd winbind
Synchronizing state of smbd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable smbd
Synchronizing state of winbind.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable winbind
Created symlink /etc/systemd/system/multi-user.target.wants/smbd.service -> /lib/systemd/system/smbd.service.
Created symlink /etc/systemd/system/multi-user.target.wants/winbind.service -> /lib/systemd/system/winbind.service.
root@esmad1apl01:~# systemctl start smbd winbind
Job for winbind.service failed because the control process exited with error code.
See "systemctl status winbind.service" and "journalctl -xe" for details.

Regards
Sachin Kumar

On Tue, Dec 10, 2019 at 6:21 PM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> I've re-read this thread but it's a bit confusing due to 2 persons with the
> same problem in one thread.
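A triage helper for the `net ads join -d6` output above, added here as an example (not code from the thread or from Samba). It parses the `doing parameter` lines and the kinit failure from a constructed excerpt of Sachin's output, checks the settings Rowland's smb.conf relies on (security = ADS, uppercase realm, kerberos method, disjoint idmap ranges), and reports the principal and realm the KDC actually rejected; the excerpt restores the `@` that the list archive prints as ` at `.

```python
"""Triage helper for `net ads join -d6` output on a Samba domain member.
Added example; it is not code from the thread or from Samba."""
import re

# Constructed excerpt of the output posted above (not the full log). The
# list archive prints "@" as " at "; real output contains "@", used here.
SAMPLE_JOIN_OUTPUT = r"""
doing parameter workgroup = EMEA-MEDIA
doing parameter realm = EMEA.MEDIA.GLOBAL.LOC
doing parameter security = ADS
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 3000-7999
doing parameter idmap config EMEA-MEDIA : backend = ad
doing parameter idmap config EMEA-MEDIA : range = 16777216-33554431
            admin_account            : 'media\svc_domjoin02'
kerberos_kinit_password svc_domjoin02@EMEA.MEDIA.GLOBAL.LOC failed: Client not found in Kerberos database
"""

PARAM_RE = re.compile(r"^doing parameter (.+?) = (.*)$")
KINIT_RE = re.compile(r"kerberos_kinit_password (\S+)@(\S+) failed: (.+)$")
ADMIN_RE = re.compile(r"admin_account\s*:\s*'([^']*)'")


def parse_parameters(text):
    """Map each smb.conf parameter echoed by the debug output to its value."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line.strip())
        if m:
            # "idmap config X : range" and "idmap config X:range" become one key.
            key = re.sub(r"\s*:\s*", ":", m.group(1).strip().lower())
            params[key] = m.group(2).strip()
    return params


def idmap_ranges(params):
    """Return {domain: (low, high)} for every 'idmap config <domain>:range'."""
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (.+):range", key)
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges


def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges overlap; Samba needs disjoint ranges."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def kinit_failure(text):
    """Principal, realm and KDC reason from a failed kerberos_kinit_password line."""
    for line in text.splitlines():
        m = KINIT_RE.search(line)
        if m:
            return {"principal": m.group(1), "realm": m.group(2), "reason": m.group(3)}
    return None


def account_as_supplied(text):
    """(prefix, user) from the admin_account the join ran with; prefix '' if none."""
    m = ADMIN_RE.search(text)
    if not m:
        return None
    prefix, _, user = m.group(1).rpartition("\\")
    return prefix, user


def check_member_config(params):
    """Findings against the member-server settings recommended in the thread."""
    findings = []
    realm = params.get("realm", "")
    workgroup = params.get("workgroup", "").lower()
    if params.get("security", "").lower() != "ads":
        findings.append("security must be ADS for a domain member")
    if not realm or realm != realm.upper():
        findings.append("realm must be set to the DNS domain in uppercase")
    if params.get("kerberos method", "").lower() != "secrets and keytab":
        findings.append("kerberos method should be 'secrets and keytab'")
    ranges = idmap_ranges(params)
    for dom in ("*", workgroup or "<workgroup>"):
        if dom not in ranges:
            findings.append(f"idmap config {dom.upper()}:range is missing")
    findings += [f"idmap ranges for '{a}' and '{b}' overlap" for a, b in overlapping_ranges(ranges)]
    return findings


def triage(text):
    """Config findings plus the Kerberos failure, stated as the log shows it."""
    params = parse_parameters(text)
    findings = check_member_config(params)
    failure = kinit_failure(text)
    if failure:
        msg = f"kinit for {failure['principal']}@{failure['realm']} failed: {failure['reason']}"
        supplied = account_as_supplied(text)
        if supplied and supplied[0] and supplied[0].lower() != params.get("workgroup", "").lower():
            msg += f" (the -U prefix '{supplied[0]}' differs from workgroup '{params.get('workgroup')}')"
        findings.append(msg)
    return {"params": params, "findings": findings}
```

Running `triage(SAMPLE_JOIN_OUTPUT)` on the excerpt yields no config findings and one Kerberos finding, which is what the posted output shows: the config matches the recommended shape and the failure is the KDC rejecting the join account's principal.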
Sac Isilia
2019-Dec-11 13:04 UTC
[Samba] security = ads parameter not working in samba 4.9.5
Hi Belle/Rowland,

Below are the journalctl logs.

Dec 11 14:01:10 esmad1apl01 systemd[1]: /lib/systemd/system/samba-ad-dc.service:9: PIDFile= references path below legacy directory /var/run/, updating /var/run/samba/sa
Dec 11 14:01:10 esmad1apl01 systemd[1]: /lib/systemd/system/oddjobd.service:6: PIDFile= references path below legacy directory /var/run/, updating /var/run/oddjobd.pid
Dec 11 14:01:10 esmad1apl01 systemd[1]: Reloading.
Dec 11 14:01:10 esmad1apl01 systemd[1]: /lib/systemd/system/winbind.service:8: PIDFile= references path below legacy directory /var/run/, updating /var/run/samba/winbin
Dec 11 14:01:10 esmad1apl01 systemd[1]: /lib/systemd/system/smbd.service:9: PIDFile= references path below legacy directory /var/run/, updating /var/run/samba/smbd.pid
Dec 11 14:01:10 esmad1apl01 systemd[1]: /lib/systemd/system/samba-ad-dc.service:9: PIDFile= references path below legacy directory /var/run/, updating /var/run/samba/sa
Dec 11 14:01:10 esmad1apl01 systemd[1]: /lib/systemd/system/oddjobd.service:6: PIDFile= references path below legacy directory /var/run/, updating /var/run/oddjobd.pid
Dec 11 14:01:10 esmad1apl01 systemd[1]: Reloading.
Dec 11 14:01:10 esmad1apl01 systemd[1]: /lib/systemd/system/winbind.service:8: PIDFile= references path below legacy directory /var/run/, updating /var/run/samba/winbin
Dec 11 14:01:10 esmad1apl01 systemd[1]: /lib/systemd/system/smbd.service:9: PIDFile= references path below legacy directory /var/run/, updating /var/run/samba/smbd.pid
Dec 11 14:01:10 esmad1apl01 systemd[1]: /lib/systemd/system/samba-ad-dc.service:9: PIDFile= references path below legacy directory /var/run/, updating /var/run/samba/sa
Dec 11 14:01:10 esmad1apl01 systemd[1]: /lib/systemd/system/oddjobd.service:6: PIDFile= references path below legacy directory /var/run/, updating /var/run/oddjobd.pid
Dec 11 14:01:10 esmad1apl01 systemd[1]: Reloading.
Dec 11 14:01:11 esmad1apl01 systemd[1]: /lib/systemd/system/winbind.service:8: PIDFile= references path below legacy directory /var/run/, updating /var/run/samba/winbin
Dec 11 14:01:11 esmad1apl01 systemd[1]: /lib/systemd/system/smbd.service:9: PIDFile= references path below legacy directory /var/run/, updating /var/run/samba/smbd.pid
Dec 11 14:01:11 esmad1apl01 systemd[1]: /lib/systemd/system/samba-ad-dc.service:9: PIDFile= references path below legacy directory /var/run/, updating /var/run/samba/sa
Dec 11 14:01:11 esmad1apl01 systemd[1]: /lib/systemd/system/oddjobd.service:6: PIDFile= references path below legacy directory /var/run/, updating /var/run/oddjobd.pid
Dec 11 14:01:20 esmad1apl01 systemd[1]: Starting Samba Winbind Daemon...
-- Subject: A start job for unit winbind.service has begun execution
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit winbind.service has begun execution.
--
-- The job identifier is 35804.
Dec 11 14:01:20 esmad1apl01 systemd[1]: winbind.service: Main process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- An ExecStart= process belonging to unit winbind.service has exited.
--
-- The process' exit code is 'exited' and its exit status is 1.
Dec 11 14:01:20 esmad1apl01 systemd[1]: winbind.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit winbind.service has entered the 'failed' state with result 'exit-code'.
Dec 11 14:01:20 esmad1apl01 systemd[1]: Failed to start Samba Winbind Daemon.
-- Subject: A start job for unit winbind.service has failed
-- Defined-By: systemd

Regards
Sachin Kumar

On Wed, Dec 11, 2019 at 6:24 PM Sac Isilia <udaypratap.singh65 at gmail.com> wrote:
> Hi Belle,
>
> Below is the output after I performed the suggested steps.
> Executing: /lib/systemd/systemd-sysv-install enable smbd > Synchronizing state of winbind.service with SysV service script with > /lib/systemd/systemd-sysv-install. > Executing: /lib/systemd/systemd-sysv-install enable winbind > Created symlink /etc/systemd/system/multi-user.target.wants/smbd.service > -> /lib/systemd/system/smbd.service. > Created symlink > /etc/systemd/system/multi-user.target.wants/winbind.service -> > /lib/systemd/system/winbind.service. > root at esmad1apl01:~# systemctl start smbd winbind > Job for winbind.service failed because the control process exited with > error code. > See "systemctl status winbind.service" and "journalctl -xe" for details. > > Regards > Sachin Kumar > > On Tue, Dec 10, 2019 at 6:21 PM L.P.H. van Belle via samba < > samba at lists.samba.org> wrote: > >> I've re-read this thread but its a bit confusing due to 2 persons with >> the same probem in one thread. >> >> Im thinking here, how is samba started, since winbind is not running. >> Im suspecting samba-addc or samba is starting. Not smbd nmbd winbind. >> >> I suggest to run this: >> >> Disable that all again. >> systemctl disable samba-addc samba smbd nmbd winbind >> systemctl mask samba-addc samba smbd nmbd winbind >> systemctl stop samba-addc samba smbd nmbd winbind >> >> Make sure you config matches up with we already showed. >> my setup or Rowland's are the same. >> >> Now try to join again with : >> net ads join -UAdministrator -d6 >> And post the needed output to see what is still going on. >> >> Enable only the needed for a member server. >> !note, only nmbd if you really need, less remove it from the below lines. >> >> systemctl unmask smbd winbind nmbd >> systemctl enable smbd winbind nmbd >> >> systemctl start smbd winbind >> >> Greetz, >> >> Louis >> (ps. 
Expect slow responce from me, im on vacation) >> >> >> >> > -----Oorspronkelijk bericht----- >> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens >> > Rowland penny via samba >> > Verzonden: dinsdag 10 december 2019 12:29 >> > Aan: sambalist >> > Onderwerp: Re: [Samba] security = ads parameter not working >> > in samba 4.9.5 >> > >> > On 10/12/2019 11:10, Sac Isilia wrote: >> > > Hi Rowland, >> > > >> > > Please let me know what else I can try from my side. We are >> > stuck as >> > > the server cant be joined to domain. >> > > >> > Sorry, I thought you had fixed this :-( >> > >> > You seem to be doing everything correctly, so it should work, but >> > obviously, it isn't for you. >> > >> > Can I suggest you use Louis's repo: http://apt.van-belle.nl/ >> > >> > This will get you a more up to date Samba version and may, by itself, >> > fix your problem. >> > >> > Try this smb.conf: >> > >> > [global] >> > workgroup = SAMDOM >> > security = ADS >> > realm = SAMDOM.EXAMPLE.COM >> > >> > dedicated keytab file = /etc/krb5.keytab >> > kerberos method = secrets and keytab >> > >> > winbind use default domain = yes >> > winbind expand groups = 2 >> > winbind refresh tickets = Yes >> > >> > idmap config *:backend = tdb >> > idmap config *:range = 3000-7999 >> > idmap config SAMDOM : backend = rid >> > idmap config SAMDOM : range = 10000-999999 >> > template shell = /bin/bash >> > template homedir = /home/%U >> > >> > # user Administrator workaround, without it you are >> > unable to set >> > privileges >> > username map = /etc/samba/user.map >> > >> > # For ACL support on domain member >> > vfs objects = acl_xattr >> > map acl inherit = Yes >> > store dos attributes = Yes >> > >> > # disable printing completely >> > load printers = no >> > printing = bsd >> > printcap name = /dev/null >> > disable spoolss = yes >> > >> > # logging >> > log level = 4 >> > >> > Create /etc/samba/user.map >> > !root = SAMDOM\Administrator >> > >> > Replace 'SAMDOM' with your 
workgroup name and the realm name >> > 'SAMDOM.EXAMPLE.COM' with your realm name (which must be the >> > dns domain >> > in uppercase) >> > >> > If this doesn't work, I am running out of ideas, it normally >> > just works. >> > >> > Rowland >> > >> > >> > >> > -- >> > To unsubscribe from this list go to the following URL and read the >> > instructions: https://lists.samba.org/mailman/options/samba >> > >> > >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >
Rowland penny
2019-Dec-11 13:19 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On 11/12/2019 12:54, Sac Isilia via samba wrote:
> Hi Belle,
>
> Below is the output after I performed the suggested steps.
>
> root at esmad1apl01:~# net ads join -U media\\svc_domjoin02 -d6

You have a major problem here, you seem to be attempting to join using 'media\\svc_domjoin'

The workgroup is 'media' and the user is 'svc_domjoin'.

First possible problem, who is 'svc_domjoin' ? and does the user have the required privileges to join a computer to the domain ?

However your main problem is that you are using a user from the 'media' workgroup, but your workgroup on the proposed Unix domain member is 'EMEA-MEDIA', they cannot be different.

> Processing section "[global]"
> doing parameter workgroup = EMEA-MEDIA
> doing parameter realm = EMEA.MEDIA.GLOBAL.LOC

Rowland
L.P.H. van Belle
2019-Dec-11 14:33 UTC
[Samba] security = ads parameter not working in samba 4.9.5
And in addition to Rowland's comment.

Verify if the DCs have the PTR dns records set.

dig -x ip_dc

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Wednesday 11 December 2019 14:20
> To: samba at lists.samba.org
> Subject: Re: [Samba] security = ads parameter not working
> in samba 4.9.5
>
> On 11/12/2019 12:54, Sac Isilia via samba wrote:
> > Hi Belle,
> >
> > Below is the output after I performed the suggested steps.
> >
> > root at esmad1apl01:~# net ads join -U media\\svc_domjoin02 -d6
>
> You have a major problem here, you seem to be attempting to join using
> 'media\\svc_domjoin'
>
> The workgroup is 'media' and the user is 'svc_domjoin'.
>
> First possible problem, who is 'svc_domjoin' ? and does the user have
> the required privileges to join a computer to the domain ?
>
> However your main problem is that you are using a user from
> the 'media'
> workgroup, but your workgroup on the proposed Unix domain member is
> 'EMEA-MEDIA', they cannot be different.
>
> > Processing section "[global]"
> > doing parameter workgroup = EMEA-MEDIA
> > doing parameter realm = EMEA.MEDIA.GLOBAL.LOC
>
> Rowland
>
Rowland penny
2019-Dec-11 14:34 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On 11/12/2019 14:10, Sac Isilia wrote:
> Hi Rowland,
>
> The good news is that server is joined to EMEA-MEDIA domain. But I can
> not id my user however SID is returned when I run wbinfo.
>
> root at esmad1apl01:~# wbinfo -t
> checking the trust secret for domain EMEA-MEDIA via RPC calls succeeded
> root at esmad1apl01:~# wbinfo -m
> BUILTIN
> ESMAD1APL01
> EMEA-MEDIA
> INT
> DMZ
> EXPLIDO
> WEST
> RAN
> LATAM
> CC-GLOBAL
> MBSINTL
> GLOBAL
> MEDIA
> AP-MEDIA
> MEDIAGROUP
> PLC-GLOBAL
> ECOMMERA0
> GRUPOALESPORT
> MITCH
> JBCP
> USCONCEPTS
> MCGARRYBOWEN
> AXDEV
> AXTEST
> GRUPOPPR
> MGNTX
> SWIRL-DS
> BI
> CORP
> YMEDIA
> FLOCK
> MERKLE
> root at esmad1apl01:~# id media\\skumar17
> id: 'media\\skumar17': no such user
> root at esmad1apl01:~# wbinfo -n media\\skumar17
> S-1-5-21-781940509-1026920532-2428315864-69799 SID_USER (1)
> root at esmad1apl01:~#
>

So, what I read from this is, your 19 DCs are all in different workgroups and if you continue to use the winbind 'ad' backend, then you will need to add an 'idmap config' block for every DOMAIN and use different ranges for each DOMAIN.

OR

you can remove 'winbind use default domain = yes' and change:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EMEA-MEDIA : backend = ad
idmap config EMEA-MEDIA : schema_mode = rfc2307
idmap config EMEA-MEDIA : unix_nss_info = yes
idmap config EMEA-MEDIA : range = 16777216-33554431

To:

idmap config * : backend = autorid
idmap config * : range = 10000-9999999

I think you need to fully explain your setup.

Rowland
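The three configuration rules that surface in this thread (the realm must be the DNS domain in uppercase, the user handed to `net ads join -U` must come from the workgroup configured on the member, and a per-domain winbind backend needs a non-overlapping `idmap config` block for every domain `wbinfo -m` lists, unless the default backend is `autorid`) can all be checked offline against a copy of smb.conf before a join is attempted. The script below is an added example written for this page, not code from the Samba project or from anyone in the thread. The smb.conf fragment and the domain list are constructed from values quoted above, the member name ESMAD1APL01 is passed in explicitly rather than read from the host, and the treatment of BUILTIN and the member's own name as served by the `*` backend is an assumption stated in the code.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment built from the values quoted in this thread:
# the per-domain 'ad' backend that needs one block per trusted domain.
SMB_CONF_AD = """
[global]
    workgroup = EMEA-MEDIA
    realm = EMEA.MEDIA.GLOBAL.LOC
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EMEA-MEDIA : backend = ad
    idmap config EMEA-MEDIA : schema_mode = rfc2307
    idmap config EMEA-MEDIA : unix_nss_info = yes
    idmap config EMEA-MEDIA : range = 16777216-33554431
"""
# Domain list as printed by 'wbinfo -m' earlier in the thread (constructed copy).
WBINFO_M = """BUILTIN ESMAD1APL01 EMEA-MEDIA INT DMZ EXPLIDO WEST RAN LATAM
CC-GLOBAL MBSINTL GLOBAL MEDIA AP-MEDIA MEDIAGROUP PLC-GLOBAL ECOMMERA0
GRUPOALESPORT MITCH JBCP USCONCEPTS MCGARRYBOWEN AXDEV AXTEST GRUPOPPR MGNTX
SWIRL-DS BI CORP YMEDIA FLOCK MERKLE""".split()


def parse_global(smb_conf: str) -> Dict[str, str]:
    """Return [global] parameters keyed by a normalised name. Samba ignores case
    and whitespace, so 'idmap config * : range' and 'idmap config *:range' match."""
    params: Dict[str, str] = {}
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", re.sub(r"\s*:\s*", ":", key.strip().lower()))
        params[key] = value.strip()
    return params


def check_realm(params: Dict[str, str], dns_domain: str) -> List[str]:
    """The realm must be the member's DNS domain written in uppercase."""
    realm = params.get("realm", "")
    if not realm:
        return ["realm is not set"]
    issues = []
    if realm != realm.upper():
        issues.append(f"realm {realm!r} is not uppercase")
    if realm.lower() != dns_domain.lower():
        issues.append(f"realm {realm!r} does not match DNS domain {dns_domain!r}")
    return issues


def check_join_user(params: Dict[str, str], join_user: str) -> List[str]:
    """A DOMAIN\\user passed to 'net ads join -U' must name the member's workgroup."""
    workgroup = params.get("workgroup", "")
    domain, _, user = join_user.rpartition("\\")
    if domain and domain.upper() != workgroup.upper():
        return [f"join user {user!r} is from {domain!r} but workgroup is {workgroup!r}"]
    return []


def check_idmap(params: Dict[str, str], domains: List[str],
                member_name: str) -> Tuple[List[str], List[str]]:
    """Return (issues, domains_without_block). Every block needs a valid range,
    ranges must not overlap, and unless '*' is autorid each domain from
    'wbinfo -m' needs its own block. Assumption: BUILTIN and the member's own
    name are served by the '*' backend, so they are never reported as missing."""
    blocks: Dict[str, Dict[str, str]] = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (.+?):(\S+)", key)
        if m:
            blocks.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    issues: List[str] = []
    default = blocks.get("*", {})
    if "backend" not in default or "range" not in default:
        issues.append("idmap config * must define both backend and range")
    ranges = []
    for dom, opts in blocks.items():
        m = re.fullmatch(r"(\d+)-(\d+)", opts.get("range", "").replace(" ", ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            issues.append(f"idmap config {dom}: missing or invalid range")
        else:
            ranges.append((int(m.group(1)), int(m.group(2)), dom))
    ranges.sort()  # adjacent entries are enough to detect any overlap
    for (_, hi1, d1), (lo2, _, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            issues.append(f"idmap ranges for {d1} and {d2} overlap")
    if default.get("backend", "").lower() == "autorid":
        return issues, []  # one range serves every domain, nothing can be missing
    served = {"BUILTIN", member_name.upper()}
    missing = [d for d in domains if d.upper() not in blocks and d.upper() not in served]
    return issues, missing


if __name__ == "__main__":
    p = parse_global(SMB_CONF_AD)
    print(check_realm(p, "emea.media.global.loc"))
    print(check_join_user(p, "media\\svc_domjoin02"))
    issues, missing = check_idmap(p, WBINFO_M, "ESMAD1APL01")
    print(issues, f"{len(missing)} domains without an idmap config block")
```

Run against the thread's own values, the join-user check flags `media\svc_domjoin02` against workgroup `EMEA-MEDIA`, and the `ad` configuration leaves 29 of the 32 listed domains without an idmap block; the same domain list against an `autorid` default backend reports nothing missing, which is the practical difference between Rowland's two options.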
Sac Isilia
2019-Dec-12 10:47 UTC
[Samba] security = ads parameter not working in samba 4.9.5
Hi Rowland,

A million thanks for your excellent support all this time. The issue is resolved by making the changes you suggested.

Also a dumb question - How can I join samba and have such killer debugging skills?

Regards
Sachin Kumar

On Wed, 11 Dec 2019, 20:05 Rowland penny via samba, <samba at lists.samba.org> wrote:
> On 11/12/2019 14:10, Sac Isilia wrote:
> > Hi Rowland,
> >
> > The good news is that server is joined to EMEA-MEDIA domain. But I can
> > not id my user however SID is returned when I run wbinfo.
> >
> > root at esmad1apl01:~# wbinfo -t
> > checking the trust secret for domain EMEA-MEDIA via RPC calls succeeded
> > root at esmad1apl01:~# wbinfo -m
> > BUILTIN
> > ESMAD1APL01
> > EMEA-MEDIA
> > INT
> > DMZ
> > EXPLIDO
> > WEST
> > RAN
> > LATAM
> > CC-GLOBAL
> > MBSINTL
> > GLOBAL
> > MEDIA
> > AP-MEDIA
> > MEDIAGROUP
> > PLC-GLOBAL
> > ECOMMERA0
> > GRUPOALESPORT
> > MITCH
> > JBCP
> > USCONCEPTS
> > MCGARRYBOWEN
> > AXDEV
> > AXTEST
> > GRUPOPPR
> > MGNTX
> > SWIRL-DS
> > BI
> > CORP
> > YMEDIA
> > FLOCK
> > MERKLE
> > root at esmad1apl01:~# id media\\skumar17
> > id: 'media\\skumar17': no such user
> > root at esmad1apl01:~# wbinfo -n media\\skumar17
> > S-1-5-21-781940509-1026920532-2428315864-69799 SID_USER (1)
> > root at esmad1apl01:~#
> >
> So, what I read from this is, your 19 DCs are all in different
> workgroups and if you continue to use the winbind 'ad' backend, then you
> will need to add an 'idmap config' block for every DOMAIN and use
> different ranges for each DOMAIN.
>
> OR
>
> you can remove 'winbind use default domain = yes' and change:
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config EMEA-MEDIA : backend = ad
> idmap config EMEA-MEDIA : schema_mode = rfc2307
> idmap config EMEA-MEDIA : unix_nss_info = yes
> idmap config EMEA-MEDIA : range = 16777216-33554431
>
> To:
>
> idmap config * : backend = autorid
> idmap config * : range = 10000-9999999
>
> I think you need to fully explain your setup.
>
> Rowland
>