Hi all, I have a samba AD domain to test to; I don't administer it, I have only an administrator account. I can join win PCs to the domain without problem but I can't join linux PCs. If I try to join it I get the error:

> # net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- CSATEST
> Joined 'FREERADIUS-CT01' to dns domain 'ad.csatest.localcal'
> DNS Update for freeradius-ct01.csatest.localcal failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL

Someone online suggested adding the -S option but this is the result:

> # net ads join -S ad.csatest.localcal -U administrator
> Enter administrator's password:
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad.csatest.localcal with user[administrator] realm[AD.CSATEST.LOCALCAL]: An invalid parameter was passed to a service or function.
> Failed to join domain: failed to connect to AD: An invalid parameter was passed to a service or function.

I have followed this guide (https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member) and this is the smb.conf of the PC that's trying to join:

> # Global parameters
> [global]
> log file = /var/log/samba/log.%m
> logging = file
> map to guest = Bad User
> max log size = 1000
> obey pam restrictions = Yes
> pam password change = Yes
> panic action = /usr/share/samba/panic-action %d
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> passwd program = /usr/bin/passwd %u
> realm = AD.CSATEST.LOCALCAL
> security = ADS
> server role = standalone server
> template homedir = /home/%U
> template shell = /bin/bash
> unix password sync = Yes
> usershare allow guests = Yes
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind refresh tickets = Yes
> workgroup = CSATEST
> idmap config csatest : range = 10000-24999
> idmap config csatest : backend = rid
> idmap config * : range = 3000-9999
> idmap config * : backend = tdb
> map acl inherit = Yes
> vfs objects = acl_xattr
>
>
> [homes]
> browseable = No
> comment = Home Directories
> create mask = 0700
> directory mask = 0700
> valid users = %S
>
>
> [printers]
> browseable = No
> comment = All Printers
> create mask = 0700
> path = /var/spool/samba
> printable = Yes
>
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers

I'm new to AD and I can't understand what's wrong. Please can anyone help me to join the domain?

Piviul
Hello! Piviul via samba, on that day, said...

> Hi all, I have a samba AD domain to test to; I don't administer it, I have
> only an administrator account. I can join without problem win PCs to the
> domain but I can't linux PCs. If I try to join it I get the error:
> > # net ads join -U administrator
> > Enter administrator's password:
> > Using short domain name -- CSATEST
> > Joined 'FREERADIUS-CT01' to dns domain 'ad.csatest.localcal'

Seems to me that the join succeeded. And:

    net ads testjoin

what does it say?

> > DNS Update for freeradius-ct01.csatest.localcal failed: ERROR_DNS_UPDATE_FAILED
> > DNS update failed: NT_STATUS_UNSUCCESSFUL

Probably it is benign, and as far as I've understood it is caused by NOT having the DC DNS in /etc/resolv.conf at the join phase.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On 07/07/2020 08:06, Piviul via samba wrote:
> Hi all, I have a samba AD domain to test to; I don't administer it, I
> have only an administrator account. I can join without problem win PCs
> to the domain but I can't linux PCs. If I try to join it I get the error:
>> # net ads join -U administrator
>> Enter administrator's password:
>> Using short domain name -- CSATEST
>> Joined 'FREERADIUS-CT01' to dns domain 'ad.csatest.localcal'
>> DNS Update for freeradius-ct01.csatest.localcal failed:
>> ERROR_DNS_UPDATE_FAILED
>> DNS update failed: NT_STATUS_UNSUCCESSFUL

You have actually joined the domain; it was the dns update that failed. This is usually because something else owns the dns records (dhcp ?) and this can be ignored.

>
> Someone online suggest to add -S option but this is the result:

No need for that.

>
> I have followed this guide
> (https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member)
> and this is the smb.conf of the PCs that's trying to join
>> # Global parameters

Please remove these lines:

    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    passwd program = /usr/bin/passwd %u
    server role = standalone server
    unix password sync = Yes

They have no place in a Unix domain member smb.conf

Rowland
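
A check for the four parameters named in the reply above, written as an added example that is not part of the original thread or of Samba itself. The function names and the sample config are constructed for illustration; the parsing follows the smb.conf rules that parameter names ignore case and whitespace and that a trailing backslash continues a line.

```python
import re

# The four [global] parameters the reply above asks to remove on a domain member.
# smb.conf ignores case and whitespace inside parameter names, so compare normalized.
UNWANTED = {"passwdchat", "passwdprogram", "serverrole", "unixpasswordsync"}

def norm(name):
    return re.sub(r"\s+", "", name).lower()

def parse_sections(text):
    """Return {section: [(param, value, lineno)]}; a trailing '\\' continues a line."""
    sections, current, pending, start = {}, None, "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = n                      # first physical line of this logical line
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = norm(line[1:-1])
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' is significant
            sections[current].append((key.strip(), value.strip(), start))
    return sections

def audit_member_conf(text):
    """List (lineno, param, value) for unwanted parameters found in [global]."""
    glob = parse_sections(text).get("global", [])
    return [(n, k, v) for k, v, n in glob if norm(k) in UNWANTED]

# Constructed sample modelled on the posted config (spacing, case and the
# continuation line are varied on purpose).
SAMPLE = r"""[global]
realm = AD.CSATEST.LOCALCAL
security = ADS
workgroup = CSATEST
Passwd  Program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n \
    *password\supdated\ssuccessfully* .
server role = standalone server
unix password sync = Yes
[homes]
valid users = %S
"""

if __name__ == "__main__":
    for lineno, param, value in audit_member_conf(SAMPLE):
        print(f"line {lineno}: remove '{param} = {value}'")
```
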
Marco Gaiarin via samba wrote on 07/07/20 at 09:54:
> [...]
> Seems to me that the join succeeded. And:
>
> net ads testjoin

Hi Marco, thank you very much; in effect the join seems to be successful:

> # net ads teSTJOIN
> Join is OK

I have started winbind and in effect all seems to work...

> Probably it is benign, and as far as I've understood it is caused by NOT having the DC
> DNS in /etc/resolv.conf at the join phase.

In your opinion, do I have to worry about it?

Piviul
Rowland penny via samba wrote on 07/07/20 at 09:58:
> [...]
> Please remove these lines:
>
>     passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     passwd program = /usr/bin/passwd %u
>     server role = standalone server
>     unix password sync = Yes
>
> They have no place in a Unix domain member smb.conf

done; thank you very much.

Best regards

Piviul