*Debian server first DC: DC01*
hostname: DC01
/etc/hosts:
127.0.0.1 localhost
10.0.0.13 dc01.internal.test-server dc01
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# samba-tool domain provision --server-role=dc --use-rfc2307 \
    --dns-backend=SAMBA_INTERNAL --realm=INTERNAL.TEST-SERVER.LAN \
    --domain=INTERNAL --adminpass="Password"
Server Role: active directory domain controller
Hostname: DC01
NetBIOS Domain: INTERNAL
DNS Domain: internal.test-server.lan
DOMAIN SID: S-1-5-21-4291246526-3808389449-2935712140
smb.conf:
# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = DC01
realm = INTERNAL.TEST-SERVER.LAN
server role = active directory domain controller
workgroup = INTERNAL
idmap_ldb:use rfc2307 = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/internal.test-server.lan/scripts
read only = No
resolv.conf:
search internal.test-server.lan
nameserver 10.0.0.13
krb5.conf:
[libdefaults]
default_realm = INTERNAL.TEST-SERVER.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
INTERNAL.TEST-SERVER.LAN = {
default_domain = internal.test-server.lan
}
[domain_realm]
DC01 = INTERNAL.TEST-SERVER.LAN
=======================================
*Fedora first file server: FS01*
smb.conf:
[global]
workgroup = INTERNAL
security = ADS
realm = INTERNAL.TEST-SERVER.LAN
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
idmap config * : backend = autorid
idmap config * : range = 10000-24999999
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
username map = /etc/samba/usermap.txt
krb5.conf:
[libdefaults]
default_realm = INTERNAL.TEST-SERVER.LAN
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24hr
renew_lifetime = 7d
forwardable = true
rdns = false
[realms]
TEST-SERVER.LAN = {
default_domain = internal.test-server.lan
kdc = internal.test-server.lan
master_kdc = internal.test-server.lan
admin_server = internal.test-server.lan
}
[domain_realm]
test-server = INTERNAL.TEST-SERVER.LAN
test-server.lan = INTERNAL.TEST-SERVER.LAN
/etc/hosts:
127.0.0.1 localhost
::1 localhost
10.0.0.10 fs01.internal.test-server.lan fs01
hostname: FS01
resolv.conf:
# Generated by NetworkManager
nameserver 10.0.0.13
search dc01.internal.test-server.lan
I'm sure there may be some things not quite right with smb.conf, but I've
been trying things online since the default didn't work. I get the same
reply when trying to join the domain:
net ads join -U administrator
Enter administrator's password:
Using short domain name -- INTERNAL
Joined 'FS01' to dns domain 'internal.test-server.lan'
DNS Update for fs01.internal.test-server.lan failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
netstat -tulpn | egrep 'samba|nmb|smb|bind'
tcp   0 0 0.0.0.0:445     0.0.0.0:*  LISTEN  5585/smbd
tcp   0 0 0.0.0.0:139     0.0.0.0:*  LISTEN  5585/smbd
tcp6  0 0 :::445          :::*       LISTEN  5585/smbd
tcp6  0 0 :::139          :::*       LISTEN  5585/smbd
udp   0 0 10.0.0.255:137  0.0.0.0:*          5586/nmbd
udp   0 0 10.0.0.10:137   0.0.0.0:*          5586/nmbd
udp   0 0 0.0.0.0:137     0.0.0.0:*          5586/nmbd
udp   0 0 10.0.0.255:138  0.0.0.0:*          5586/nmbd
udp   0 0 10.0.0.10:138   0.0.0.0:*          5586/nmbd
udp   0 0 0.0.0.0:138     0.0.0.0:*          5586/nmbd
wbinfo --ping-dc
checking the NETLOGON for domain[INTERNAL] dc connection to "dc01.internal.test-server.lan" succeeded
getent passwd INTERNAL\\username (Nothing)
getent group "INTERNAL\\Domain Users" (Nothing)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.
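As an added diagnostic that is not part of the original thread, the script below cross-checks a Samba domain member's smb.conf, krb5.conf and resolv.conf for naming mismatches of the kind visible in the FS01 files quoted above: a krb5.conf [realms] section whose name differs from the smb.conf realm, and a resolv.conf search list that does not contain the AD DNS domain. The sample files are constructed from the quoted configuration; the function and file names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): cross-check a Samba domain member's
# smb.conf, krb5.conf and resolv.conf for realm/domain naming mismatches.
# Sample files in fs01_findings are constructed from the FS01 post.

smb_realm() {   # value of "realm =" in smb.conf
    sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

krb5_realm_sections() {   # names of the "NAME = {" blocks under [realms]
    awk '/^\[realms\]/ {f=1; next} /^\[/ {f=0} f && $NF=="{" {print $1}' "$1"
}

resolv_search_domains() {   # entries of the resolv.conf "search" line
    awk '$1=="search" {for (i=2; i<=NF; i++) print $i}' "$1"
}

# Prints one finding per line; returns 0 only when nothing was flagged.
check_member_names() {
    realm=$(smb_realm "$1")
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')   # AD DNS domain is the lowercased realm
    rc=0
    for section in $(krb5_realm_sections "$2"); do
        if [ "$section" != "$realm" ]; then
            echo "krb5.conf [realms] section '$section' differs from smb.conf realm '$realm'"
            rc=1
        fi
    done
    if ! resolv_search_domains "$3" | grep -qxF "$domain"; then
        echo "resolv.conf search list does not contain the AD DNS domain '$domain'"
        rc=1
    fi
    return $rc
}

# Runs the check against constructed copies of the FS01 files and prints the findings.
fs01_findings() {
    dir=$(mktemp -d)
    printf '[global]\nworkgroup = INTERNAL\nsecurity = ADS\nrealm = INTERNAL.TEST-SERVER.LAN\n' > "$dir/smb.conf"
    printf '[libdefaults]\ndefault_realm = INTERNAL.TEST-SERVER.LAN\n[realms]\nTEST-SERVER.LAN = {\n kdc = internal.test-server.lan\n}\n[domain_realm]\ntest-server.lan = INTERNAL.TEST-SERVER.LAN\n' > "$dir/krb5.conf"
    printf 'nameserver 10.0.0.13\nsearch dc01.internal.test-server.lan\n' > "$dir/resolv.conf"
    check_member_names "$dir/smb.conf" "$dir/krb5.conf" "$dir/resolv.conf" || true
    rm -rf "$dir"
}

fs01_findings
```

On a real member server run `check_member_names /etc/samba/smb.conf /etc/krb5.conf /etc/resolv.conf`; an empty result with exit status 0 means the three files agree on the realm and domain.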
On Tue, Oct 12, 2021 at 11:55 AM Patrick Goetz via samba <
samba at lists.samba.org> wrote:
>
>
> On 10/12/21 10:18, Rowland Penny via samba wrote:
> > On Tue, 2021-10-12 at 09:42 -0500, Patrick Goetz via samba wrote:
> >>
> >> On 10/12/21 04:27, Rowland Penny via samba wrote:
> >>> On Tue, 2021-10-12 at 11:14 +0200, L.P.H. van Belle via samba
> >>> wrote:
> >>>> Ow yes, this can work fine.
> >>>>
> >>>> AD-DC, time is given to the pc's over the AD (not NTP directly).
> >>>> Sure you can configure that, but I didn't.
> >>>>
> >>>> Members, systemd-timedated used the AD-DC its NTP to sync.
> >>>> Standalones ( i have 1, ) same.
> >>>>
> >>>> The members don't need SNTP to sync time, only the AD-DC <=> Windows.
> >>>> And you can even overrule that, but I'm not doing that.
> >>>>
> >>>> timedatectl show-timesync
> >>>> SystemNTPServers="192.168.1.1 192.168.1.2"
> >>>>
> >>>
> >>> I repeat, your clients are not using the DC's directly for time,
> >>> you might be okay with this, but I am not, but hey, they are your
> >>> clients :-)
> >>>
> >>
> >> I'm not sure why this matters if the drift is less than the
> >> allowable
> >> kerberos time difference.
> >
> > It is this: People can and will do things their own way. I cannot know
> > or remember how they do things their way, I have a bad enough time
> > remembering the recommended way :-)
> >
>
>
> That's fair. I have a dozen or so Ubuntu workstations at work bound to
> an AD domain, and haven't bothered to configure systemd-timedated on
> them, either:
>
> cnsit at armadillo:~$ timedatectl show-timesync
> FallbackNTPServers=ntp.ubuntu.com
> ServerName=ntp.ubuntu.com
> ServerAddress=91.189.89.198
> RootDistanceMaxUSec=5s
> PollIntervalMinUSec=32s
> PollIntervalMaxUSec=34min 8s
> PollIntervalUSec=34min 8s
> NTPMessage={ Leap=0, Version=4, Mode=4, Stratum=2, Precision=-23,
> RootDelay=1.113ms, RootDispersion=40.023ms, Reference=11FD227B,
> OriginateTimestamp=Tue 2021-10-12 10:08:51 CDT, ReceiveTimestamp=Tue
> 2021-10-12 10:08:51 CDT, TransmitTimestamp=Tue 2021-10-12 10:08:51 CDT,
> DestinationTimestamp=Tue 2021-10-12 10:08:51 CDT, Ignored=no
> PacketCount=541, Jitter=2.738ms }
>
>
> It just hasn't ever been a problem. The time differences are too close
> for Kerberos to care. Yes, I probably *should* configure this, but I'm
> a member of the old school "If it ain't broke, don't fix it" club. One
> usually ends up there after a number of years of systems engineer
> experience. After one too many times of fixing something that was
> working and consequently breaking it; then wondering what the hell were
> you thinking not leaving well enough alone.
>
>
> > Just because I say don't do it that way, doesn't mean it will
> > definitely not work (it possibly will), but it is just not the Samba
> > recommended way of doing things and I cannot test everything (so I know
> > it does work, or not). If anyone feels that something does work and can
> > prove it, then register for the wiki and edit it to add that
> > information.
> >
>
> Did not know mere mortals could sign up for Wiki editing. Will do so, if
> only to fix some vaguely annoying typos I've run in to.
>
> > Rowland