Hi,
I'm trying to set up an AD DC in an iocage jail on FreeBSD (to avoid the
issues of having the DC as a file server) but I'm running into some trouble.
I've set up Kerberos and can kinit OK:
root@samba-addc:/ # kinit administrator
administrator@BEGER.COM.AU's Password:
root@samba-addc:/ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@BEGER.COM.AU
  Issued                Expires               Principal
Nov  8 15:51:22 2020  Nov  9 01:51:22 2020  krbtgt/BEGER.COM.AU@BEGER.COM.AU
However when I try and join the domain it complains about connecting to the LDAP
server:
root@samba-addc:/ # samba-tool domain join beger.com.au DC -k yes
INFO 2020-11-08 15:51:30,554 pid:20267
/usr/local/lib/python3.7/site-packages/samba/join.py #107: Finding a writeable
DC for domain 'beger.com.au'
INFO 2020-11-08 15:51:30,576 pid:20267
/usr/local/lib/python3.7/site-packages/samba/join.py #109: Found DC
gateway2.beger.com.au
Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP
client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://gateway2.beger.com.au' with backend
'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
ERROR(ldb): uncaught exception - LDAP client internal error:
NT_STATUS_INVALID_PARAMETER
  File
"/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py",
line 186, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line
668, in run
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/join.py", line
1539, in join_DC
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/join.py", line
112, in __init__
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line
67, in __init__
    options=options)
  File "/usr/local/lib/python3.7/site-packages/samba/__init__.py",
line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line
82, in connect
    options=options)
root@samba-addc:/ #
'gateway2' is correct (that is what the current DC is called).
ldbsearch does not work either:
root@samba-addc:/ # samba-ldbsearch -H ldap://gateway2.beger.com.au -U
beger/darius '(objectclass=person)'
Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP
client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://gateway2.beger.com.au' with backend
'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldap://gateway2.beger.com.au - LDAP client internal error:
NT_STATUS_INVALID_PARAMETER
root@samba-addc:/ #
root@samba-addc:/ # samba-ldbsearch -H ldap://gateway2.beger.com.au -k yes
'(objectclass=person)'
Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP
client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://gateway2.beger.com.au' with backend
'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldap://gateway2.beger.com.au - LDAP client internal error:
NT_STATUS_INVALID_PARAMETER
ldbsearch *does* work on the host (i.e. gateway2) though.
Both ldap and ldaps behave the same.
I ran ktrace on ldbsearch and it did not even open a socket, let alone try a
connection and fail.
I also tried tuning it with debugging but there wasn't anything of interest:
root@samba-addc:/ # samba-ldbsearch -d 10 --debug-stderr -H
ldaps://gateway2.beger.com.au -U beger/darius '(objectclass=person)'
INFO: Current debug levels:
  all: 10
...
  Privilege[ 22]: SeImpersonatePrivilege
  Privilege[ 23]: SeCreateGlobalPrivilege
  Privilege[ 24]: SeEnableDelegationPrivilege
 Rights (0x               0):
Failed to connect to ldap URL 'ldaps://gateway2.beger.com.au' - LDAP
client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldaps://gateway2.beger.com.au' with backend
'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldaps://gateway2.beger.com.au - LDAP client internal error:
NT_STATUS_INVALID_PARAMETER
--
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
 -- Andrew Tanenbaum
On Sun, 2020-11-08 at 16:06 +1030, O'Connor, Daniel via samba wrote:
> Hi,
> I'm trying to set up an AD DC in an iocage jail on FreeBSD (to avoid the issues of having the DC as a file server) but I'm running into some trouble.
> 
> I've set up Kerberos and can kinit OK:
> root@samba-addc:/ # kinit administrator
> administrator@BEGER.COM.AU's Password:
> root@samba-addc:/ # klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: administrator@BEGER.COM.AU
> 
>   Issued                Expires               Principal
> Nov  8 15:51:22 2020  Nov  9 01:51:22 2020  krbtgt/BEGER.COM.AU@BEGER.COM.AU
> 
> However when I try and join the domain it complains about connecting to the LDAP server:
> root@samba-addc:/ # samba-tool domain join beger.com.au DC -k yes
> INFO 2020-11-08 15:51:30,554 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #107: Finding a writeable DC for domain 'beger.com.au'
> INFO 2020-11-08 15:51:30,576 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #109: Found DC gateway2.beger.com.au
> Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

Sorry about the horrible error message. If you didn't set '-k yes' it
would just fall back to NTLM.

You need to set up enough of a krb5.conf for it to find the KDC,
otherwise it doesn't know where to send the packet to.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> On 8 Nov 2020, at 16:27, Andrew Bartlett <abartlet@samba.org> wrote:
> On Sun, 2020-11-08 at 16:06 +1030, O'Connor, Daniel via samba wrote:
>> Hi,
>> I'm trying to set up an AD DC in an iocage jail on FreeBSD (to avoid the issues of having the DC as a file server) but I'm running into some trouble.
>> 
>> I've set up Kerberos and can kinit OK:
>> root@samba-addc:/ # kinit administrator
>> administrator@BEGER.COM.AU's Password:
>> root@samba-addc:/ # klist
>> Credentials cache: FILE:/tmp/krb5cc_0
>>         Principal: administrator@BEGER.COM.AU
>> 
>>   Issued                Expires               Principal
>> Nov  8 15:51:22 2020  Nov  9 01:51:22 2020  krbtgt/BEGER.COM.AU@BEGER.COM.AU
>> 
>> However when I try and join the domain it complains about connecting to the LDAP server:
>> root@samba-addc:/ # samba-tool domain join beger.com.au DC -k yes
>> INFO 2020-11-08 15:51:30,554 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #107: Finding a writeable DC for domain 'beger.com.au'
>> INFO 2020-11-08 15:51:30,576 pid:20267 /usr/local/lib/python3.7/site-packages/samba/join.py #109: Found DC gateway2.beger.com.au
>> Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>> Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>> ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> 
> Sorry about the horrible error message. If you didn't set '-k yes' it
> would just fall back to NTLM.
> 
> You need to set up enough of a krb5.conf for it to find the KDC,
> otherwise it doesn't know where to send the packet to.

I did specify '-k yes', and I think I have enough krb5.conf for it to work - e.g. kinit works as I would expect (although I barely know anything about Kerberos so...)

-- 
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
 -- Andrew Tanenbaum
On 08/11/2020 05:36, O'Connor, Daniel via samba wrote:
> Hi,
> I'm trying to set up an AD DC in an iocage jail on FreeBSD (to avoid the issues of having the DC as a file server) but I'm running into some trouble.
> 
> I've set up Kerberos and can kinit OK:
> root@samba-addc:/ # kinit administrator
> administrator@BEGER.COM.AU's Password:
> root@samba-addc:/ # klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: administrator@BEGER.COM.AU
> 
>   Issued                Expires               Principal
> Nov  8 15:51:22 2020  Nov  9 01:51:22 2020  krbtgt/BEGER.COM.AU@BEGER.COM.AU
> 
> However when I try and join the domain it complains about connecting to the LDAP server:
> 
> ldbsearch does not work either:
> root@samba-addc:/ # samba-ldbsearch -H ldap://gateway2.beger.com.au -U beger/darius '(objectclass=person)'
> Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER

I always shudder when I read FreeBSD, jails and AD in the same sentence, it never seems to work?

You do have what appears to be a mistake in your ldbsearch command, you have 'beger/darius', it should be 'BEGER\\darius', note the forward slash replaced by two backslashes, one to escape the other.

On Linux, provided you have (at least) this in /etc/krb5.conf:

[libdefaults]
    default_realm = BEGER.COM.AU

and DNS is set up correctly, then it should work.

I know little about FreeBSD jails, but if I understand them correctly, they are very similar to using a chroot on Linux and I wouldn't want to try and run a second DC in a chroot.

Rowland
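Both Andrew's and Rowland's replies above come down to the same requirement: the client needs enough of a krb5.conf to locate a KDC for the realm, either an explicit kdc entry under [realms] or a default_realm plus working DNS SRV records. The checker below is an added example written for this thread, not code from the thread or from the Samba project. It parses the INI-like krb5.conf syntax and reports which discovery path a client would take; the sample configs are constructed, and the assumption that dns_lookup_kdc defaults to true holds for both MIT Kerberos and Heimdal. gateway2.beger.com.au is the DC named in the thread.

```python
# Added example, not part of this thread or of Samba: check whether a
# krb5.conf gives a Kerberos client a way to locate a KDC for the default
# realm. Sample configs are constructed; dns_lookup_kdc is assumed to
# default to true (the MIT and Heimdal behaviour).
import re

SECTION_RE = re.compile(r"^\[(\S+)\]$")


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value}}.
    Nested blocks such as  REALM = { kdc = ... }  become nested dicts."""
    sections = {}
    stack = []  # innermost dict last; empty until the first [section]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue  # key/value before any section header: ignore
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def _is_true(value):
    return value.strip().lower() in ("true", "yes", "1", "on")


def check_kdc_discovery(text):
    """Describe how (or whether) a client could find a KDC from this config.

    ok        -> True if a KDC can be located for the default realm
    warnings  -> human-readable reasons why discovery fails or looks wrong
    kdc       -> explicit kdc host from [realms], if any
    dns_names -> SRV names that would be resolved when relying on DNS
    """
    conf = parse_krb5_conf(text)
    result = {"ok": False, "warnings": [], "kdc": None, "dns_names": []}
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        result["warnings"].append("no default_realm in [libdefaults]")
        return result
    if realm != realm.upper():
        # An AD realm is the upper-cased DNS domain; a lower-case realm is a
        # common cause of "cannot find KDC for realm".
        result["warnings"].append("default_realm %r is not upper-case" % realm)

    realm_block = conf.get("realms", {}).get(realm, {})
    kdc = realm_block.get("kdc") if isinstance(realm_block, dict) else None
    if kdc:
        result["kdc"] = kdc
        result["ok"] = True
        return result

    if _is_true(libdefaults.get("dns_lookup_kdc", "true")):
        # _kerberos._udp.<REALM> is what the Kerberos library queries for a
        # KDC; _ldap._tcp.dc._msdcs.<domain> is what samba-tool uses to find
        # a writable DC. Both are published by an AD DC: dig SRV <name>.
        result["dns_names"] = [
            "_kerberos._udp.%s" % realm,
            "_ldap._tcp.dc._msdcs.%s" % realm.lower(),
        ]
        result["ok"] = True
        return result

    result["warnings"].append(
        "no kdc for %s under [realms] and dns_lookup_kdc is disabled" % realm)
    return result


# Constructed sample configs.
EMPTY_CONF = "# nothing configured yet\n"

MINIMAL_CONF = """\
[libdefaults]
    default_realm = BEGER.COM.AU
"""

EXPLICIT_CONF = """\
[libdefaults]
    default_realm = BEGER.COM.AU
    dns_lookup_kdc = false

[realms]
    BEGER.COM.AU = {
        kdc = gateway2.beger.com.au
        admin_server = gateway2.beger.com.au
    }
"""

NO_KDC_CONF = """\
[libdefaults]
    default_realm = beger.com.au
    dns_lookup_kdc = false
"""

if __name__ == "__main__":
    for name, text in [("empty", EMPTY_CONF), ("minimal", MINIMAL_CONF),
                       ("explicit", EXPLICIT_CONF), ("no-kdc", NO_KDC_CONF)]:
        print(name, check_kdc_discovery(text))
```

Run it against a copy of the jail's /etc/krb5.conf: if the result is ok with dns_names filled in, the next thing to verify is that those SRV names actually resolve from inside the jail, since that is the only way the client learns where to send the request.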
> On 8 Nov 2020, at 20:24, Rowland Penny via samba <samba@lists.samba.org> wrote:
>> ldbsearch does not work either:
>> root@samba-addc:/ # samba-ldbsearch -H ldap://gateway2.beger.com.au -U beger/darius '(objectclass=person)'
>> Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>> Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> 
> I always shudder when I read FreeBSD, jails and AD in the same sentence, it never seems to work?

It would be nice if it did though :)

> You do have what appears to be a mistake in your ldbsearch command, you have 'beger/darius', it should be 'BEGER\\darius', note the forward slash replaced by two backslashes, one to escape the other.

I tried that but no difference.

> On Linux, provided you have (at least) this in /etc/krb5.conf:
> 
> [libdefaults]
>     default_realm = BEGER.COM.AU
> 
> and DNS is set up correctly, then it should work.

I have that in my krb5.conf, DNS does work as far as I can see (and kinit, klist etc. work).

> I know little about FreeBSD jails, but if I understand them correctly, they are very similar to using a chroot on Linux and I wouldn't want to try and run a second DC in a chroot.

Jails are pretty similar to chroot but more secure - like Linux containers.

-- 
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
 -- Andrew Tanenbaum