Something screwy is going on. I kept getting password errors, so I decided I'd re-provision, just in case the password was written down wrong. So I re-ran samba-tool domain provision (after removing /etc/samba/smb.conf and /etc/krb5.conf) and recreated the whole domain. Then I noticed that samba didn't automatically create the reverse IP zone, so I went to create it:

# samba-tool domain provision --interactive --use-rfc2307
Realm: eglifamily.name
Domain [eglifamily]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.10.3]: 192.168.10.2
Administrator password:
Retype password:
<output deleted for brevity, no errors reported>

# kinit Administrator
<success>

# samba-tool dns zonecreate janus.eglifamily.name 10.168.192.in-addr.arpa
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:2600:100e:b1df:d0d3:20c:29ff:fed0:8fed[49153,sign,target_hostname=janus.eglifamily.name,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=2600:100e:b1df:d0d3:20c:29ff:fed0:8fed] NT_STATUS_UNSUCCESSFUL
ERROR: Connecting to DNS RPC server janus.eglifamily.name failed with (3221225473, '{Operation Failed} The requested operation was unsuccessful.')

What did I do wrong?

On 2/6/2021 11:52 AM, Dan Egli via samba wrote:
> I've never even heard of sssd, so it must be an incomplete smb.conf.
> I'll check out the article. Thanks!
>
> On 2/6/2021 2:55 AM, Rowland penny via samba wrote:
>> On 05/02/2021 22:18, Dan Egli wrote:
>>> # net join -U Adminisrator%%<PASSWORD>
>>> Failed to join domain: failed to find DC for domain EGLIFAMILY - The
>>> object was not found.
>>>
>>> # kinit administrator
>>> kinit: krb5_parse_name_flags: unable to find realm of host Athena
>>>
>>> Athena is the machine I'm trying to join into the domain, while
>>> Janus is the machine I ran samba-tool domain provision on.
>>>
>>> Here's my smb.conf for Athena - Sans comments. Not much besides
>>> printers yet because I wanted to get the machine joined, THEN
>>> establish the shares.
>>>
>>> [global]
>>>    workgroup = eglifamily
>>>    server string = Athena
>>>    server role = member server
>>>    hosts allow = 192.128.10. 192.168.43. 127.
>>>    log file = /var/log/samba/log.%m
>>>    max log size = 50
>>>    realm = eglifamily.name
>>>    wins server = 192.168.10.3
>>>    wins proxy = yes
>>>    dns proxy = yes
>>>
>>
>> Either you are using sssd or your smb.conf is incomplete, you can no
>> longer use sssd with Samba, you must use winbind. Either way, I suggest
>> you read this:
>>
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>
>> Rowland

I know nothing, so hesitated, but for what it's worth:

- On the MS side this week, RPC security tightened up and all non-MS members and all Win7 and below will stop connecting unless explicit exceptions are implemented. If SMB was still to work with anything Win8+ based, these RPC security controls would have had to have been implemented this week. If it worked last week, it might have stopped working this week.

- I thought SaMBa went to Kerberos completely, so what would be the purpose of winbind? I would think DNS and the three-headed snake would be all that is needed for joining.

On Sat, Feb 6, 2021 at 2:17 PM Dan Egli via samba <samba at lists.samba.org> wrote:
> Something screwy is going on. I kept getting password errors, so I
> decided I'd re-provision, just in case the password was written down
> wrong. So I re-ran samba-tool domain provision (after removing
> /etc/samba/smb.conf and /etc/krb5.conf) and recreated the whole domain.
> Then I noticed that samba didn't automatically create the reverse IP
> zone, so I went to create it:
>
> # samba-tool domain provision --interactive --use-rfc2307
> Realm: eglifamily.name
> Domain [eglifamily]:
> Server Role (dc, member, standalone) [dc]:
> DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
> [SAMBA_INTERNAL]:
> DNS forwarder IP address (write 'none' to disable forwarding)
> [192.168.10.3]: 192.168.10.2
> Administrator password:
> Retype password:
> <output deleted for brevity, no errors reported>
>
> # kinit Administrator
> <success>
>
> # samba-tool dns zonecreate janus.eglifamily.name
> 10.168.192.in-addr.arpa
> Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
> ncacn_ip_tcp:2600:100e:b1df:d0d3:20c:29ff:fed0:8fed[49153,sign,target_hostname=janus.eglifamily.name,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=2600:100e:b1df:d0d3:20c:29ff:fed0:8fed]
> NT_STATUS_UNSUCCESSFUL
> ERROR: Connecting to DNS RPC server janus.eglifamily.name failed with
> (3221225473, '{Operation Failed} The requested operation was
> unsuccessful.')
>
> What did I do wrong?
>
> On 2/6/2021 11:52 AM, Dan Egli via samba wrote:
> > I've never even heard of sssd, so it must be an incomplete smb.conf.
> > I'll check out the article. Thanks!
> >
> > On 2/6/2021 2:55 AM, Rowland penny via samba wrote:
> >> On 05/02/2021 22:18, Dan Egli wrote:
> >>> # net join -U Adminisrator%%<PASSWORD>
> >>> Failed to join domain: failed to find DC for domain EGLIFAMILY - The
> >>> object was not found.
> >>>
> >>> # kinit administrator
> >>> kinit: krb5_parse_name_flags: unable to find realm of host Athena
> >>>
> >>> Athena is the machine I'm trying to join into the domain, while
> >>> Janus is the machine I ran samba-tool domain provision on.
> >>>
> >>> Here's my smb.conf for Athena - Sans comments. Not much besides
> >>> printers yet because I wanted to get the machine joined, THEN
> >>> establish the shares.
> >>>
> >>> [global]
> >>>    workgroup = eglifamily
> >>>    server string = Athena
> >>>    server role = member server
> >>>    hosts allow = 192.128.10. 192.168.43. 127.
> >>>    log file = /var/log/samba/log.%m
> >>>    max log size = 50
> >>>    realm = eglifamily.name
> >>>    wins server = 192.168.10.3
> >>>    wins proxy = yes
> >>>    dns proxy = yes
> >>>
> >>
> >> Either you are using sssd or your smb.conf is incomplete, you can no
> >> longer use sssd with Samba, you must use winbind. Either way, I suggest
> >> you read this:
> >>
> >> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >>
> >> Rowland

On 06/02/2021 20:15, Dan Egli wrote:
> Something screwy is going on. I kept getting password errors, so I
> decided I'd re-provision, just in case the password was written down
> wrong. So I re-ran samba-tool domain provision (after removing
> /etc/samba/smb.conf and /etc/krb5.conf) and recreated the whole
> domain. Then I noticed that samba didn't automatically create the
> reverse IP zone, so I went to create it:
>
> # samba-tool domain provision --interactive --use-rfc2307
> Realm: eglifamily.name
> Domain [eglifamily]:
> Server Role (dc, member, standalone) [dc]:
> DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
> [SAMBA_INTERNAL]:
> DNS forwarder IP address (write 'none' to disable forwarding)
> [192.168.10.3]: 192.168.10.2
> Administrator password:
> Retype password:
> <output deleted for brevity, no errors reported>
>
> # kinit Administrator
> <success>
>
> # samba-tool dns zonecreate janus.eglifamily.name
> 10.168.192.in-addr.arpa
> Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
> ncacn_ip_tcp:2600:100e:b1df:d0d3:20c:29ff:fed0:8fed[49153,sign,target_hostname=janus.eglifamily.name,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=2600:100e:b1df:d0d3:20c:29ff:fed0:8fed]
> NT_STATUS_UNSUCCESSFUL
> ERROR: Connecting to DNS RPC server janus.eglifamily.name failed with
> (3221225473, '{Operation Failed} The requested operation was
> unsuccessful.')
>
> What did I do wrong?

Probably missing '-k yes' off the end of the command; without it, your command will not use the Kerberos ticket.

Rowland
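
An added example, not part of any message in this thread and not Samba project code: a small lint over the Athena smb.conf quoted earlier, reporting missing winbind ID-mapping settings and any hosts allow prefix that falls outside private or loopback address space. The WINBIND_KEYS checklist is an assumption based on the domain-member settings covered by the wiki page Rowland links, the function names are hypothetical, and the thread itself does not discuss the hosts allow line.

```python
import ipaddress

# Excerpt of Athena's [global] section as posted in the thread.
ATHENA_SMB_CONF = """\
[global]
   workgroup = eglifamily
   server role = member server
   hosts allow = 192.128.10. 192.168.43. 127.
   realm = eglifamily.name
"""

# Assumed checklist: winbind ID-mapping keys for the default (*) domain.
WINBIND_KEYS = ("idmap config * : backend", "idmap config * : range")

def parse_global(text):
    """Return the [global] parameters as a dict with normalised keys."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def prefix_to_network(entry):
    """Map a trailing-dot prefix such as '192.168.43.' to a network."""
    octets = entry.rstrip(".").split(".")
    if not entry.endswith(".") or len(octets) > 3:
        return None  # full addresses, hostnames, EXCEPT: not checked here
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    try:
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    except ValueError:
        return None

def lint(text):
    """Report missing winbind keys and hosts allow prefixes that are public."""
    params = parse_global(text)
    findings = [f"missing: {key}" for key in WINBIND_KEYS if key not in params]
    for entry in params.get("hosts allow", "").replace(",", " ").split():
        net = prefix_to_network(entry)
        if net is not None and not net.is_private:
            findings.append(f"hosts allow: {entry} = {net}, not a private range")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(ATHENA_SMB_CONF)))
```
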