Rowland Penny
2021-Nov-02 10:02 UTC
[Samba] Not able to join Debian 10 to AD using winbind
On Tue, 2021-11-02 at 15:14 +0530, Sac Isilia wrote:
> Hi Rowland,
>
> Below is the output.
>
> --------------------------------------------------
> Config collected --- 2021-11-02-09:40 -----------
>
>
> Hostname: AZEUW1PAPL44
> DNS Domain: emea.media.global.loc
> Realm: EMEA.MEDIA.GLOBAL.LOC
> FQDN: AZEUW1PAPL44.emea.media.global.loc
> ipaddress: 10.19.60.25
>
> -----------
>
> This computer is running Debian 10.11 x86_64
>
> -----------
>
> Samba is running as a Unix domain member
>
> -----------
>
> The first nameserver in /etc/resolv.conf is not an AD DC.
> It should be one of these IP's: 10.49.67.180 10.34.54.47 10.190.0.7
> 10.19.17.133 10.8.32.53 10.19.28.101 10.53.4.3 10.53.75.3 10.8.32.54
> 10.190.0.6 10.19.17.132 10.19.77.158 10.19.46.196 10.19.209.4
> 10.19.28.100 10.53.4.2 10.19.209.5 10.19.26.137 10.49.214.7 10.43.2.2
> 10.19.26.136 10.48.128.12 10.34.54.46

Quite a list, choose one and set it as the first nameserver (preferably the one with the PDC_Emulator FSMO role)

>
> -----------
>
> /etc/hosts
>
> 127.0.0.1 localhost
> 10.19.60.25 AZEUW1PAPL44.emea.media.global.loc AZEUW1PAPL44
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Kerberos SRV _kerberos._tcp.emea.media.global.loc record(s) verified
> ok, sample output:
> ;; Truncated, retrying in TCP mode.
> Server: 10.190.0.4
> Address: 10.190.0.4#53
>
> Non-authoritative answer:
> _kerberos._tcp.emea.media.global.loc service = 0 100 88
> azeuw1dcem02.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc service = 0 100 88
> azeuw4dcem02.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc service = 0 100 88
> esmad2dcm03.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc service = 0 100 88
> dedus3dcm05.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc service = 0 100 88
> azeuw1dcm06.emea.media.global.loc.
> _kerberos._tcp.emea.media.global.loc service = 0 100 88
> ruspb1dcm02.emea.media.global.loc.
>
> Authoritative answers can be found from:
>
> -----------
>
> 'kinit Administrator' password checked failed.
> Wrong password or kerberos REALM problems.

Check /etc/krb5.conf

>
> -----------
>
> /etc/samba/smb.conf
>
> # Global parameters
> [global]
> dedicated keytab file = /etc/krb5.keytab
> dns proxy = No
> domain master = No
> kerberos method = secrets and keytab
> local master = No
> log file = /var/log/samba/log.%m
> max log size = 1000
> obey pam restrictions = Yes
> panic action = /usr/share/samba/panic-action %d
> preferred master = No
> realm = EMEA.MEDIA.GLOBAL.LOC
> restrict anonymous = 2
> security = ADS
> syslog = 0
> template shell = /bin/bash
> username map = /etc/samba/user.map
> usershare allow guests = Yes
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = EMEA-MEDIA
> idmap config * : range = 10000-9999999
> idmap config * : backend = autorid
> map acl inherit = Yes
> vfs objects = acl_xattr
>
>
> [homes]
> browseable = No
> comment = Home Directories
> create mask = 0700
> directory mask = 0700
> read only = No
> valid users = %S
>
>
> [printers]
> browseable = No
> comment = All Printers
> create mask = 0700
> path = /var/spool/samba
> printable = Yes
>
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
>
> Running as Unix domain member and user.map detected.
>
> Contents of /etc/samba/user.map
>
> !root = EMEA-MEDIA\\Test_Sachin

Unless you have changed 'Administrator' with 'TEST_Sachin', set it to '!root = EMEA-MEDIA\Administrator' (you also only use one '\')

>
> Server Role is set to : MEMBER SERVER
>
> -----------
>
> There are too many occurences of 'winbind' in /etc/nsswitch.conf.
> They should only be set on the 'passwd' & 'group' lines.

As it says.

>
>
> Time on the DC with PDC Emulator role is: 2021-11-02T09:40:39
>
>
> Time on this computer is: 2021-11-02T09:40:39
>
>
> Time verified ok, within the allowed 300sec margin.
> Time offset is currently : 0 seconds.
>
>
> -----------
>
>
>
> These required packages are not installed: libpam-winbind libpam-krb5
> libnss-winbind acl

You MUST install those packages.
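
Added example, not part of the original message and not code from the Samba project: a small shell sketch of pre-join checks for the problems flagged in the report above (first nameserver, extra 'winbind' entries in nsswitch.conf, doubled backslash in user.map, missing packages). The function names are hypothetical, the sample files are constructed, and the addresses in the demo are taken from the report.

```shell
#!/bin/sh
# Added example: pre-join checks for the problems flagged above. File paths are
# arguments so the functions can be pointed at copies; sample data is constructed.

# First "nameserver" entry in a resolv.conf-style file.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Succeeds if the first nameserver in $1 is one of the DC addresses that follow.
first_ns_is_dc() {
    ns=$(first_nameserver "$1"); shift
    for dc in "$@"; do
        [ "$ns" = "$dc" ] && return 0
    done
    return 1
}

# nsswitch.conf databases other than passwd/group that list winbind.
nss_extra_winbind() {
    awk -F: '/^[ \t]*#/ { next }
        NF >= 2 && $2 ~ /(^|[ \t])winbind([ \t]|$)/ {
            db = $1; gsub(/[ \t]/, "", db)
            if (db != "passwd" && db != "group") print db
        }' "$1"
}

# user.map lines that use a doubled backslash between domain and user.
usermap_double_backslash() {
    grep -n '\\\\' "$1"
}

# Names from the argument list that dpkg does not report as installed.
missing_packages() {
    for p in "$@"; do
        dpkg-query -W -f='${Status}' "$p" 2>/dev/null | grep -q 'install ok installed' || echo "$p"
    done
}

# Constructed sample files (not taken from the poster's machine).
demo=$(mktemp -d)
printf 'search emea.media.global.loc\nnameserver 10.190.0.4\nnameserver 10.19.26.136\n' > "$demo/resolv.conf"
printf 'passwd: files winbind\ngroup: files winbind\nshadow: files winbind\nhosts: files dns\n' > "$demo/nsswitch.conf"
printf '%s\n' '!root = EMEA-MEDIA\\Test_Sachin' > "$demo/user.map"

first_ns_is_dc "$demo/resolv.conf" 10.19.26.136 10.19.26.137 || echo "first nameserver is not a DC"
nss_extra_winbind "$demo/nsswitch.conf"
usermap_double_backslash "$demo/user.map"
```

On a Debian member server, `missing_packages libpam-winbind libpam-krb5 libnss-winbind acl` prints whichever of the four packages named in the report are still absent.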