Hello,

I noticed with the latest CentOS 7 samba (4.10) issues with joining computers to AD, which was no problem in previous versions (and is working with the samba present in Ubuntu 16.04 - 4.3).

I'm joining my clients to Active Directory, for example domain.org, with DNS subdomain base.domain.org.
The issue is that the client is joined and the keytab generated for the FQDN client.domain.org instead of client.base.domain.org.

Is this a new feature or some kind of bug? Also thank you in advance for any input!

/usr/bin/net ads join -k createupn='host/client.base.domain.org@DOMAIN.ORG' osName='Linux' osVer='CentOS 7' createcomputer='Auth/Machines/Servers/Linux' -d1 -Ujoin
Enter join's password:
libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    in: struct libnet_JoinCtx
        dc_name                  : NULL
        machine_name             : 'CLIENT'
        domain_name              : *
            domain_name              : 'DOMAIN.ORG'
        domain_name_type         : JoinDomNameTypeDNS (1)
        account_ou               : 'Auth/Machines/Servers/Linux'
        admin_account            : 'join'
        admin_domain             : NULL
        machine_password         : NULL
        join_flags               : 0x00000023 (35)
               0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
               0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
               0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
               0: WKSSVC_JOIN_FLAGS_DEFER_SPN
               0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
               0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
               1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
               0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
               0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
               1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
               1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
        os_version               : 'CentOS 7'
        os_name                  : 'Linux'
        os_servicepack           : NULL
        create_upn               : 0x01 (1)
        upn                      : 'host/client.base.domain.org@DOMAIN.ORG'
        modify_config            : 0x00 (0)
        ads                      : NULL
        debug                    : 0x01 (1)
        use_kerberos             : 0x01 (1)
        secure_channel_type      : SEC_CHAN_WKSTA (2)
        desired_encryption_types : 0x0000001f (31)
libnet_join_precreate_machine_acct: Machine account successfully created
join: struct secrets_domain_infoB
    version                  : SECRETS_DOMAIN_INFO_VERSION_1 (1)
    reserved                 : 0x00000000 (0)
    info                     : union secrets_domain_infoU(case 1)
    info1                    : *
        info1: struct secrets_domain_info1
            reserved_flags           : 0x0000000000000000 (0)
            join_time                : Fri Oct 2 04:38:44 PM 2020 CEST
            computer_name            : 'CLIENT'
            account_name             : 'CLIENT$'
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            domain_info: struct lsa_DnsDomainInfo
                name: struct lsa_StringLarge
                    length                   : 0x0000 (0)
                    size                     : 0x0000 (0)
                    string                   : *
                        string                   : 'DOMAIN'
                dns_domain: struct lsa_StringLarge
                    length                   : 0x0000 (0)
                    size                     : 0x0000 (0)
                    string                   : *
                        string                   : 'domain.org'
                dns_forest: struct lsa_StringLarge
                    length                   : 0x0000 (0)
                    size                     : 0x0000 (0)
                    string                   : *
                        string                   : 'domain.org'
                domain_guid              : 71c8bbc5-0216-4369-a0d4-6a9c793d52ce
                sid                      : *
                    sid                      : S-1-5-21-3784930729-2365486616-1008349783
            trust_flags              : 0x0000001a (26)
                   0: NETR_TRUST_FLAG_IN_FOREST
                   1: NETR_TRUST_FLAG_OUTBOUND
                   0: NETR_TRUST_FLAG_TREEROOT
                   1: NETR_TRUST_FLAG_PRIMARY
                   1: NETR_TRUST_FLAG_NATIVE
                   0: NETR_TRUST_FLAG_INBOUND
                   0: NETR_TRUST_FLAG_MIT_KRB5
                   0: NETR_TRUST_FLAG_AES
            trust_type               : LSA_TRUST_TYPE_UPLEVEL (2)
            trust_attributes         : 0x00000040 (64)
                   0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
                   0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
                   0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
                   0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
                   0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
                   0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
                   1: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
                   0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
            reserved_routing         : NULL
            supported_enc_types      : 0x0000001f (31)
                   1: KERB_ENCTYPE_DES_CBC_CRC
                   1: KERB_ENCTYPE_DES_CBC_MD5
                   1: KERB_ENCTYPE_RC4_HMAC_MD5
                   1: KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
                   1: KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
                   0: KERB_ENCTYPE_FAST_SUPPORTED
                   0: KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED
                   0: KERB_ENCTYPE_CLAIMS_SUPPORTED
                   0: KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED
            salt_principal           : *
                salt_principal           : 'host/client.domain.org@DOMAIN.ORG'
            password_last_change     : Fri Oct 2 04:38:44 PM 2020 CEST
            password_changes         : 0x0000000000000001 (1)
            next_change              : NULL
            password                 : *
                password: struct secrets_domain_info1_password
                    change_time              : Fri Oct 2 04:38:44 PM 2020 CEST
                    change_server            : 'it-czbrn-pdc102.domain.org'
                    cleartext_blob           : DATA_BLOB length=448
                    nt_hash: struct samr_Password
                        hash                     : ARRAY(16): <REDACTED SECRET VALUES>
                    salt_data                : *
                        salt_data                : 'DOMAIN.ORGhostclient.domain.org'
                    default_iteration_count  : 0x00001000 (4096)
                    num_keys                 : 0x0004 (4)
                    keys: ARRAY(4)
                        keys: struct secrets_domain_info1_kerberos_key
                            keytype                  : 0x00000012 (18)
                            iteration_count          : 0x00001000 (4096)
                            value                    : DATA_BLOB length=32
                        keys: struct secrets_domain_info1_kerberos_key
                            keytype                  : 0x00000011 (17)
                            iteration_count          : 0x00001000 (4096)
                            value                    : DATA_BLOB length=16
                        keys: struct secrets_domain_info1_kerberos_key
                            keytype                  : 0x00000017 (23)
                            iteration_count          : 0x00001000 (4096)
                            value                    : DATA_BLOB length=16
                        keys: struct secrets_domain_info1_kerberos_key
                            keytype                  : 0x00000003 (3)
                            iteration_count          : 0x00001000 (4096)
                            value                    : DATA_BLOB length=8
            old_password             : *
                old_password: struct secrets_domain_info1_password
                    change_time              : Tue Sep 29 10:46:45 AM 2020 CEST
                    change_server            : 'it-czbrn-pdc102.domain.org'
                    cleartext_blob           : DATA_BLOB length=440
                    nt_hash: struct samr_Password
                        hash                     : ARRAY(16): <REDACTED SECRET VALUES>
                    salt_data                : *
                        salt_data                : 'DOMAIN.ORGhostclient.domain.org'
                    default_iteration_count  : 0x00001000 (4096)
                    num_keys                 : 0x0004 (4)
                    keys: ARRAY(4)
                        keys: struct secrets_domain_info1_kerberos_key
                            keytype                  : 0x00000012 (18)
                            iteration_count          : 0x00001000 (4096)
                            value                    : DATA_BLOB length=32
                        keys: struct secrets_domain_info1_kerberos_key
                            keytype                  : 0x00000011 (17)
                            iteration_count          : 0x00001000 (4096)
                            value                    : DATA_BLOB length=16
                        keys: struct secrets_domain_info1_kerberos_key
                            keytype                  : 0x00000017 (23)
                            iteration_count          : 0x00001000 (4096)
                            value                    : DATA_BLOB length=16
                        keys: struct secrets_domain_info1_kerberos_key
                            keytype                  : 0x00000003 (3)
                            iteration_count          : 0x00001000 (4096)
                            value                    : DATA_BLOB length=8
            older_password           : NULL
Kinit for CLIENT$@DOMAIN.ORG to access it-czbrn-pdc102.domain.org failed: Preauthentication failed
libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    out: struct libnet_JoinCtx
        account_name             : 'CLIENT$'
        netbios_domain_name      : 'DOMAIN'
        dns_domain_name          : 'domain.org'
        forest_name              : 'domain.org'
        dn                       : 'CN=CLIENT,OU=Linux,OU=Servers,OU=Machines,OU=Auth,DC=domain,DC=org'
        domain_guid              : 71c8bbc5-0216-4369-a0d4-6a9c793d52ce
        domain_sid               : *
            domain_sid               : S-1-5-21-3784930729-2365486616-1008349783
        modified_config          : 0x00 (0)
        error_string             : NULL
        domain_is_ad             : 0x01 (1)
        set_encryption_types     : 0x0000001f (31)
        krb5_salt                : 'host/client.domain.org@DOMAIN.ORG'
        result                   : WERR_OK
Using short domain name -- DOMAIN
Joined 'CLIENT' to dns domain 'domain.org'
kerberos_kinit_password CLIENT$@DOMAIN.ORG failed: Preauthentication failed
DNS update failed: kinit failed: Preauthentication failed

[root@client ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.ORG
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 proxiable = true
 rdns = true
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]

[domain_realm]
 .domain.org = DOMAIN.ORG
 domain.org = DOMAIN.ORG

[root@client ~]# cat /etc/samba/smb.conf
[global]
 workgroup = DOMAIN
 realm = DOMAIN.ORG
 security = ads
 kerberos method = secrets and keytab
 client ipc signing = mandatory
 client ldap sasl wrapping = seal
 client signing = mandatory
 client use spnego = yes
 server min protocol = SMB2_10
 client min protocol = SMB2
 client max protocol = SMB3

[root@client ~]# hostname
client.base.domain.org

[root@client ~]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 restrictedkrbhost/client.domain.org@DOMAIN.ORG
   2    2 restrictedkrbhost/CLIENT@DOMAIN.ORG
   3    2 restrictedkrbhost/client.domain.org@DOMAIN.ORG
   4    2 restrictedkrbhost/CLIENT@DOMAIN.ORG
   5    2 restrictedkrbhost/client.domain.org@DOMAIN.ORG
   6    2 restrictedkrbhost/CLIENT@DOMAIN.ORG
   7    2 restrictedkrbhost/client.domain.org@DOMAIN.ORG
   8    2 restrictedkrbhost/CLIENT@DOMAIN.ORG
   9    2 restrictedkrbhost/client.domain.org@DOMAIN.ORG
  10    2 restrictedkrbhost/CLIENT@DOMAIN.ORG
  11    2 host/client.domain.org@DOMAIN.ORG
  12    2 host/CLIENT@DOMAIN.ORG
  13    2 host/client.domain.org@DOMAIN.ORG
  14    2 host/CLIENT@DOMAIN.ORG
  15    2 host/client.domain.org@DOMAIN.ORG
  16    2 host/CLIENT@DOMAIN.ORG
  17    2 host/client.domain.org@DOMAIN.ORG
  18    2 host/CLIENT@DOMAIN.ORG
  19    2 host/client.domain.org@DOMAIN.ORG
  20    2 host/CLIENT@DOMAIN.ORG
  21    2 CLIENT$@DOMAIN.ORG
  22    2 CLIENT$@DOMAIN.ORG
  23    2 CLIENT$@DOMAIN.ORG
  24    2 CLIENT$@DOMAIN.ORG
  25    2 CLIENT$@DOMAIN.ORG
ktutil: q

With Regards
Jan Zhanal
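As an added example (not part of the post and not Samba's own code): a post-join sanity check in Python that parses a ktutil `l` listing like the one above, reports which host/ principals for the machine's real FQDN are missing from the keytab, and computes the MS-KILE computer-account salt (uppercase realm + "host" + lowercase FQDN, which is exactly the 'DOMAIN.ORGhostclient.domain.org' value in the debug output) for both the name the join used and the real hostname. A client that derives its keys with a different salt than the DC used cannot pass pre-authentication, so having both candidate salts side by side is a quick way to line up the debug output against what the DC expects. The sample listing is constructed from the post (abbreviated to the distinct principals), and all function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the distinct principals from the ktutil listing in the
# post (the real keytab repeats each one once per encryption type).
SAMPLE_KTUTIL_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 restrictedkrbhost/client.domain.org@DOMAIN.ORG
   2    2 restrictedkrbhost/CLIENT@DOMAIN.ORG
  11    2 host/client.domain.org@DOMAIN.ORG
  12    2 host/CLIENT@DOMAIN.ORG
  21    2 CLIENT$@DOMAIN.ORG
"""

# One data row of ktutil's table: slot, KVNO, principal.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class KeytabEntry:
    slot: int
    kvno: int
    principal: str


def parse_ktutil_listing(text):
    """Parse the 'slot KVNO Principal' table printed by ktutil's `l` command."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header and dashed separator lines do not match
            entries.append(KeytabEntry(int(m.group(1)), int(m.group(2)), m.group(3)))
    return entries


def computer_account_salt(realm, computer_name, dns_domain):
    """MS-KILE salt for an AD computer account: REALM + 'host' + lowercase FQDN.

    computer_name is the sAMAccountName with or without its trailing '$'.
    """
    short = computer_name.rstrip("$").lower()
    return realm.upper() + "host" + short + "." + dns_domain.lower()


def expected_host_principals(fqdn, netbios_name, realm):
    """host/ SPNs a joined machine should hold keys for: FQDN and NetBIOS forms."""
    realm = realm.upper()
    return {
        f"host/{fqdn.lower()}@{realm}",
        f"host/{netbios_name.upper()}@{realm}",
    }


def check_keytab(entries, fqdn, netbios_name, realm):
    """Return (missing, present): expected host/ SPNs absent from the keytab,
    and the host/ SPNs the keytab actually contains."""
    in_keytab = {e.principal for e in entries}
    expected = expected_host_principals(fqdn, netbios_name, realm)
    missing = sorted(expected - in_keytab)
    present = sorted(p for p in in_keytab if p.startswith("host/"))
    return missing, present


def salt_candidates(realm, netbios_name, realm_dns_domain, actual_fqdn):
    """Salt for <netbios>.<realm DNS domain> (what the join above used) versus
    the salt for the host's real FQDN. Returns (join_salt, fqdn_salt, differ)."""
    join_salt = computer_account_salt(realm, netbios_name, realm_dns_domain)
    host, _, domain = actual_fqdn.partition(".")
    fqdn_salt = computer_account_salt(realm, host, domain)
    return join_salt, fqdn_salt, join_salt != fqdn_salt


if __name__ == "__main__":
    # Values taken from the post: realm DOMAIN.ORG, NetBIOS name CLIENT,
    # `hostname` reporting client.base.domain.org.
    entries = parse_ktutil_listing(SAMPLE_KTUTIL_LISTING)
    missing, present = check_keytab(entries, "client.base.domain.org", "CLIENT", "DOMAIN.ORG")
    print("host/ principals in keytab:", present)
    print("expected but missing:      ", missing)
    join_salt, fqdn_salt, differ = salt_candidates(
        "DOMAIN.ORG", "CLIENT", "domain.org", "client.base.domain.org")
    print("salt the join used:        ", join_salt)
    print("salt for the real FQDN:    ", fqdn_salt)
    print("salts differ:              ", differ)
```

Run it against a real keytab by piping `ktutil`'s `l` output (or editing the sample) into `parse_ktutil_listing`; the missing list is what `net ads join` did not register for the name the host actually uses, and the two salts tell you which FQDN the `salt_data` line in the debug output corresponds to.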
Rowland penny
2020-Oct-13 08:01 UTC
[Samba] [Fwd: Joining AD - wrong DNS name, wrong keytab]
On 13/10/2020 08:36, Jan Zhanal via samba wrote:
> Hello,
> I noticed with the latest CentOS 7 samba (4.10) issues with joining
> computers to AD, which was no problem in previous versions (and is
> working with the samba present in Ubuntu 16.04 - 4.3).
>
> I'm joining my clients to Active Directory, for example domain.org, with
> DNS subdomain base.domain.org.
> The issue is that the client is joined and the keytab generated for the FQDN
> client.domain.org instead of client.base.domain.org.
>
> Is this a new feature or some kind of bug? Also thank you in advance
> for any input!

If it is a bug, it is a bug that has been fixed. I am actually surprised that you could join a computer with the wrong dns domain.

Samba does not do subdomains (yet)

Rowland
Maybe I wrote it misleadingly; it's just a DNS name, not a whole Active Directory subdomain.

Jan

> If it is a bug, it is a bug that has been fixed. I am actually
> surprised that you could join a computer with the wrong dns domain.
>
> Samba does not do subdomains (yet)
>
> Rowland