Hi Team,

I have a Debian 10 machine and tried integrating it to AD using winbind, but when I restart the winbind service, it fails. The surprising thing is, as soon as I disable the security = ADS parameter in smb.conf, the winbind service restart happens just fine, but again the net ads join command fails. I have been scratching my head over this for the past 3 days. Any guidance will be appreciated.

********* smb.conf ***********

[global]
   workgroup = EMEA-MEDIA
   realm = EMEA.MEDIA.GLOBAL.LOC
   password server = 10.19.26.136
   winbind enum users = yes
   winbind enum groups = yes
   winbind offline logon = yes
   winbind refresh tickets = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = yes
   winbind use default domain = yes
   restrict anonymous = 2
   domain master = no
   local master = no
   preferred master = no
   os level = 0
   allow trusted domains = yes
   winbind nested groups = yes
   winbind rpc only = yes
   idmap config * : backend = autorid
   idmap config * : range = 10000-9999999
;   wins server = w.x.y.z
   include = /var/lib/samba/dhcp.conf
   dns proxy = no
;   interfaces = 127.0.0.0/8 eth0
;   bind interfaces only = yes
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
;   logon path = \\%N\profiles\%U
;   logon drive = H:
;   logon script = logon.cmd
;   add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
;   add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
;   add group script = /usr/sbin/addgroup --force-badname %g
;   include = /home/samba/etc/smb.conf.%m
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash
;   usershare max shares = 100
   usershare allow guests = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S

;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
;   write list = root, @lpadmin

********** krb5.conf ***********

[libdefaults]
    default_realm = EMEA.MEDIA.GLOBAL.LOC

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#    default_tgs_enctypes = des3-hmac-sha1
#    default_tkt_enctypes = des3-hmac-sha1
#    permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    EMEA.MEDIA.GLOBAL.LOC = {
        kdc = 10.19.26.136
        admin_server = 10.19.26.136
        default_domain = emea.media.global.loc
    }
    MEDIA.GLOBAL.LOC = {
        kdc = 10.19.26.144
        admin_server = 10.19.26.144
        default_domain = media.global.loc
    }

[domain-realm]
    emea.media.global.loc = EMEA.MEDIA.GLOBAL.LOC
    .emea.media.global.loc = EMEA.MEDIA.GLOBAL.LOC
    .media.global.loc = MEDIA.GLOBAL.LOC
    media.global.loc = MEDIA.GLOBAL.LOC

[login]
    krb4_convert = true
    krb4_get_tickets = false

Please let us know if you need more information.

Regards
Sachin K
Rowland Penny
2021-Oct-11 16:01 UTC
[Samba] Not able to join Debian 10 to AD using winbind
On Mon, 2021-10-11 at 20:56 +0530, Sac Isilia via samba wrote:
> Hi Team,
>
> I have a Debian 10 machine and tried integrating it to AD using
> winbind, but when I restart the winbind service, it fails. The
> surprising thing is, as soon as I disable the security = ADS parameter
> in smb.conf, the winbind service restart happens just fine, but again
> the net ads join command fails. I have been scratching my head over
> this for the past 3 days. Any guidance will be appreciated.
>

OK, I suggest you back up your existing smb.conf & krb5.conf files, then replace them with these:

/etc/samba/smb.conf

[global]
   workgroup = EMEA-MEDIA
   realm = EMEA.MEDIA.GLOBAL.LOC
   security = ADS
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind offline logon = yes
   winbind refresh tickets = yes
   winbind use default domain = yes
   template shell = /bin/bash
   restrict anonymous = 2
   domain master = no
   local master = no
   preferred master = no
   idmap config * : backend = autorid
   idmap config * : range = 10000-9999999
   dns proxy = no
   # user Administrator workaround, without it you are unable to set privileges
   username map = /etc/samba/user.map
   vfs objects = acl_xattr
   map acl inherit = Yes
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   obey pam restrictions = yes
   usershare allow guests = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers

/etc/krb5.conf

[libdefaults]
   default_realm = EMEA.MEDIA.GLOBAL.LOC
   dns_lookup_realm = false
   dns_lookup_kdc = true

Create /etc/samba/user.map containing this:

!root = EMEA-MEDIA\Administrator

Leave the domain with:

net ads leave -Uadministrator

Then join again with:

net ads join -Uadministrator

This should work.

Rowland
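As an added check (not code from the thread or from the Samba project): a POSIX sh lint that reads the [global] section of an smb.conf and flags the settings that differ between the two configurations above, namely a missing security = ADS, a server role left over from a standalone setup, and a missing realm or workgroup. It assumes only sh and awk; the sample config it lints at the end is constructed to mirror the original post.

```shell
# Added example (not from the thread or Samba): lint an smb.conf [global] section for AD member settings.

# global_value FILE KEY: print KEY's value from [global] (last one wins,
# key compared case-insensitively with whitespace collapsed); empty if unset.
global_value() {
    awk -v want="$2" '
        /^[ \t]*[;#]/ { next }                                        # comment line
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(want)) last = val
        }
        END { print last }' "$1"
}

# lint_ad_member_conf FILE: print one line per problem; return the count.
lint_ad_member_conf() {
    f=$1; problems=0
    sec=$(global_value "$f" security | tr '[:upper:]' '[:lower:]')
    role=$(global_value "$f" "server role" | tr '[:upper:]' '[:lower:]')
    if [ "$sec" != "ads" ]; then
        echo "missing 'security = ADS': winbind will not act as an AD member"
        problems=$((problems + 1))
    fi
    case "$role" in
        ""|member|"member server"|auto) ;;   # compatible with an AD member
        *) echo "'server role = $role' conflicts with security = ADS; drop it"
           problems=$((problems + 1)) ;;
    esac
    for key in realm workgroup; do
        if [ -z "$(global_value "$f" "$key")" ]; then
            echo "missing '$key = ...': net ads join needs it"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample mirroring the original post: no 'security = ADS' and a
# 'server role' left over from a standalone setup.
sample=$(mktemp)
printf '%s\n' '[global]' '  workgroup = EMEA-MEDIA' '  realm = EMEA.MEDIA.GLOBAL.LOC' \
    '  server role = standalone server' '[homes]' '  read only = yes' > "$sample"
lint_ad_member_conf "$sample" || echo "$? problem(s) found"
rm -f "$sample"
```

Run it against /etc/samba/smb.conf before net ads join; a zero exit means none of the checked settings is in the way.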