Rowland Penny
2021-Nov-17 22:37 UTC
[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
On Wed, 2021-11-17 at 13:11 -0800, Michael Evans wrote:

> Your Third point: If I DO need it then it isn't _optional_ and the
> documentation is incorrect / confusing.

Granted, I will fix.

> Still, which sections, what keywords should I be looking for, and
> more to the point, why aren't those in the Member Server documentation
> to begin with, without external references?

'external references'? They are links to separate Samba wiki pages.

> "If you need your users to have different login shells and/or Unix
> home directory paths, or you want them to have the same ID everywhere,
> you will need to use the winbind 'ad' backend and add RFC2307
> attributes to AD."
>
> Yes, I need that, and have done that on the DC.
>
> Documentation error: Hyperlink is NOT default hyperlink colors and
> NOT underlined.

You may have a point there, but it does say above the box:

Select one of the following hyperlinks to find information about the
relevant Samba domain back end and what idmap config lines to add:

> idmap config ad <<< That looks like just text with emphasis, NOT a
> hyperlink.

Well yes, but normal hyperlinks can look just like text until you hover
your mouse pointer over them.

> This table of 3 options should instead be broken out to small
> sections, each with a single (current version) template example and a
> link to the full set of directions. Ideally all three examples would
> fit on a typical PC screen when viewing the wiki.

Sorry, but the three pages that are linked to will each not fit on one
page.

> https://wiki.samba.org/index.php/Idmap_config_ad
>
> The Config AD Backend and NSS info sections should be in that order,
> not the NSS then AD order.

I must be missing something, for as far as I can see, the wiki does show
how to set up the winbind backend before how to set up NSS.
If you can show where this is different, I will try to fix it.

> This still fails (r2 is in every group Administrator is in; I expect
> the same output)
>
> net ads join -U r2 -d 5 2>&1
> get_dc_list: preferred server list: ", *"
> resolve_ads: Attempting to resolve KDCs for nc.nor-consult.com using DNS
> get_dc_list: returning 2 ip addresses in an ordered list
> get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
> saf_fetch: failed to find server for "nc.nor-consult.com" domain
> get_dc_list: preferred server list: ", *"
> resolve_ads: Attempting to resolve KDCs for nc.nor-consult.com using DNS
> get_dc_list: returning 2 ip addresses in an ordered list
> get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
> create_local_private_krb5_conf_for_domain: wrote file /run/samba/smb_krb5/krb5.conf.NC with realm NC.NOR-CONSULT.COM KDC list
>         kdc = [fd00:6959:d45d:200::23]:88
>         kdc = 10.2.0.35
>
> sitename_fetch: Returning sitename for realm 'NC.NOR-CONSULT.COM': "Default-First-Site-Name"
> name ad-mo3.nc.nor-consult.com#20 found.
> ads_try_connect: sending CLDAP request to 10.2.0.35 (realm: nc.nor-consult.com)
> Successfully contacted LDAP server 10.2.0.35
> Connecting to 10.2.0.35 at port 389
> Connected to LDAP server ad-mo3.nc.nor-consult.com
> KDC time offset is 0 seconds
> Found SASL mechanism GSS-SPNEGO
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
> ----- It HANGS here for subjectively forever, probably 15+ min.
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com with user[r2] realm[NC.NOR-CONSULT.COM]: Can't contact LDAP server
> ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com with user[r2] realm[NC.NOR-CONSULT.COM]: Can't contact LDAP server, fallback to NTLMSSP
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism ntlmssp
> ads_sasl_spnego_gensec_bind(NTLMSSP) failed for ldap/ad-mo3.nc.nor-consult.com with user[r2] realm=[NC.NOR-CONSULT.COM]: Can't contact LDAP server
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : 'V-FS5$'
>             netbios_domain_name      : 'NC'
>             dns_domain_name          : 'nc.nor-consult.com'
>             forest_name              : 'nc.nor-consult.com'
>             dn                       : NULL
>             domain_guid              : 250143d6-aebe-440e-94c5-f27c7af7857b
>             domain_sid               : *
>                 domain_sid           : S-1-5-21-3458735564-2487305582-1134572456
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to connect to AD: Can't contact LDAP server'
>             domain_is_ad             : 0x01 (1)
>             set_encryption_types     : 0x00000000 (0)
>             krb5_salt                : NULL
>         result                       : WERR_NERR_DEFAULTJOINREQUIRED
> return code = -1
>
> Failed to join domain: failed to connect to AD: Can't contact LDAP server
>
>
> I'll run and redact public IP network data from this again...
>
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>
> bash samba-collect-debug-info.sh
> Please wait, collecting debug info.
>
> Password for Administrator at NC.NOR-CONSULT.COM:
> Warning: Your password will expire in 40 days on Tue 28 Dec 2021 02:07:05 AM UTC
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
> Server role: ROLE_DOMAIN_MEMBER
>
> The debug info about your system can be found in this file:
> /tmp/samba-debug-info.txt
> Please check this and if required, sanitise it.
> Then copy & paste it into an email to the samba list
> Do not attach it to the email, the Samba mailing list strips attachments.
>
> Collected config --- 2021-11-17-21:03 -----------
>
> Hostname: v-fs5
> DNS Domain: nc.nor-consult.com
> FQDN: v-fs5.nc.nor-consult.com
> ipaddress: 10.2.0.45 10.202.0.45 fd00:6959:d45d:200:a800:ff:fe48:dc6f REDACTED:a800:ff:fe48:dc6f fd00:6959:d45d:200::2d
>
> -----------
>
> Kerberos SRV _kerberos._tcp.nc.nor-consult.com record verified ok, sample output:
> Server:         10.2.0.35
> Address:        10.2.0.35#53
>
> _kerberos._tcp.nc.nor-consult.com       service = 0 100 88 ad-mo3.nc.nor-consult.com.
> Samba is running as an Unix domain member but 'winbindd' is NOT running.
> Check that the winbind package is installed.

This shows that at least one Samba daemon is running (but not winbind),
so find which are and stop them.

> Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
> NAME="Debian GNU/Linux"
> VERSION_ID="11"
> VERSION="11 (bullseye)"
> VERSION_CODENAME=bullseye
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
> This computer is running Debian 11.1 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether REDACTED brd ff:ff:ff:ff:ff:ff
>     altname enp0s13
>     altname ens13
>     inet 10.2.0.45/16 brd 10.2.255.255 scope global eth0
>     inet6 fd00:6959:d45d:200:a800:ff:fe48:dc6f/64 scope global dynamic mngtmpaddr
>     inet6 REDACTED:a800:ff:fe48:dc6f/64 scope global dynamic mngtmpaddr
>     inet6 fd00:6959:d45d:200::2d/56 scope global
>     inet6 fe80::a800:ff:fe48:dc6f/64 scope link
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether REDACTED brd ff:ff:ff:ff:ff:ff
>     altname enp0s14
>     altname ens14
>     inet REDACTED
>     inet6 fe80::a800:ff:fe89:ed9e/64 scope link
>

Do you really need all those ethernet devices ?
Do you really need IPv6 ?

> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1       localhost
> 10.2.0.45       v-fs5.nc.nor-consult.com v-fs5
> fd00:6959:d45d:0200::2d v-fs5.nc.nor-consult.com v-fs5

Does this computer have a fixed IP ?

>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> domain nc.nor-consult.com
> search nc.nor-consult.com norconsult.local nor-consult.com

'domain' and 'search' are mutually exclusive, the last one wins, so you
might as well remove the 'domain' line.
Your 'search' line should only search the AD dns domain, nothing else.

> nameserver 10.2.0.35
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
>         default_realm = NC.NOR-CONSULT.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files
> group:          files
> shadow:         files
> gshadow:        files
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>

Not that it matters at this point, but you need to add winbind to the
passwd and group lines, also the hosts line should be:
hosts: files dns

> -----------
>
> Checking file: /etc/samba/smb.conf
>
> [global]
>         workgroup = NC
>         security = ADS
>         realm = NC.NOR-CONSULT.COM
>         #server role = member server
>         bind interfaces only = yes
>         interfaces = 127.0.0.1 10.2.0.45 ::1 fd00:6959:d45d:200::2d
>
>         winbind refresh tickets = Yes
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>
>         winbind use default domain = yes
>
>         # idmap config ad
>         # https://wiki.samba.org/index.php/Idmap_config_ad
>
>         # local server
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-3499
>
>         # domain
>         # is DOMAIN $DOMAIN or literal DOMAIN ? -- Ah there's an example later, that helps
>         idmap config NC:backend = ad
>         idmap config NC:schema_mode = rfc2307
>         idmap config NC:range = 3500-999999

Why start the 'DOMAIN' range at '3500' ?

Rowland
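Rowland's resolver remarks above can be turned into a pre-join check. The following is an added example, not code from Samba or from anyone in this thread: it encodes his points (resolv.conf 'domain' and 'search' are mutually exclusive and the last one wins, the search list should hold only the AD DNS domain, passwd/group need winbind, 'hosts' should be 'files dns') as functions run over file contents; the sample inputs are the v-fs5 files quoted in the message.

```python
"""Check a prospective Samba domain member's resolv.conf and nsswitch.conf.

Added example (not from the Samba project or this thread). The checks are the
ones Rowland applies by eye in his reply. Sample file contents are the v-fs5
files quoted in that reply, embedded so the script runs offline.
"""

# Copied from the v-fs5 debug output quoted in the thread.
VFS5_RESOLV_CONF = """\
domain nc.nor-consult.com
search nc.nor-consult.com norconsult.local nor-consult.com
nameserver 10.2.0.35
"""

VFS5_NSSWITCH_CONF = """\
# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
passwd:         files
group:          files
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
"""


def _strip_comment(line: str) -> str:
    """Drop '#' and ';' comments (both are valid in resolv.conf) and whitespace."""
    for marker in ("#", ";"):
        line = line.split(marker, 1)[0]
    return line.strip()


def check_resolv_conf(text: str, ad_dns_domain: str) -> list[str]:
    """Return findings for /etc/resolv.conf; an empty list means no issues."""
    findings = []
    keywords = []
    search_list: list[str] = []
    for raw in text.splitlines():
        parts = _strip_comment(raw).split()
        if parts and parts[0] in ("domain", "search"):
            keywords.append(parts[0])
            search_list = parts[1:]      # glibc keeps only the last such line
    if "domain" in keywords and "search" in keywords:
        findings.append("resolv.conf: 'domain' and 'search' are mutually exclusive "
                        "(the last one wins); remove the 'domain' line")
    wanted = ad_dns_domain.lower().rstrip(".")
    extra = [d for d in search_list if d.lower().rstrip(".") != wanted]
    if extra:
        findings.append(f"resolv.conf: search list should contain only {ad_dns_domain}; "
                        f"drop {', '.join(extra)}")
    return findings


def check_nsswitch_conf(text: str) -> list[str]:
    """Return findings for /etc/nsswitch.conf on a Samba domain member."""
    findings = []
    databases: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, _, sources = line.partition(":")
        databases[name.strip()] = sources.split()
    for db in ("passwd", "group"):
        if "winbind" not in databases.get(db, []):
            findings.append(f"nsswitch.conf: add winbind to the '{db}' line")
    if databases.get("hosts") != ["files", "dns"]:
        findings.append("nsswitch.conf: the 'hosts' line should be 'hosts: files dns'")
    return findings


def check_member_server(resolv_conf: str, nsswitch_conf: str, ad_dns_domain: str) -> list[str]:
    """Combine both checks; run this before attempting 'net ads join'."""
    return check_resolv_conf(resolv_conf, ad_dns_domain) + check_nsswitch_conf(nsswitch_conf)


if __name__ == "__main__":
    for finding in check_member_server(VFS5_RESOLV_CONF, VFS5_NSSWITCH_CONF, "nc.nor-consult.com"):
        print(finding)
```

Against the quoted v-fs5 files this reports the five points Rowland raises; a corrected pair of files (search list holding only the AD domain, winbind on passwd/group, 'hosts: files dns') yields an empty list.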
Michael Evans
2021-Nov-17 23:37 UTC
[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Wednesday, November 17, 2021 2:37 PM
To: sambalist
Subject: Re: [Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server

On Wed, 2021-11-17 at 13:11 -0800, Michael Evans wrote:
> > Your Third point: If I DO need it then it isn't _optional_ and the
> > documentation is incorrect / confusing.
>
> Granted, I will fix.

Thank you.

> > Documentation error: Hyperlink is NOT default hyperlink colors and
> > NOT underlined.
>
> You may have a point there, but it does say above the box:
>
> Select one of the following hyperlinks to find information about the
> relevant Samba domain back end and what idmap config lines to add:

It's in the middle of a BIG blob of text; someone expecting to just set
the configuration value to "idmap config ad", since it's all stored in
the AD, and not need to set anything else, will skim past. Also, for
readability, hyperlinks should always present as hyperlinks. It would
also help to hyperlink to the details page each time the topic is
mentioned.

> > idmap config ad <<< That looks like just text with emphasis, NOT a
> > hyperlink.
>
> Well yes, but normal hyperlinks can look just like text until you hover
> your mouse pointer over them.
>
> > https://wiki.samba.org/index.php/Idmap_config_ad
> >
> > The Config AD Backend and NSS info sections should be in that order,
> > not the NSS then AD order.
>
> I must be missing something, for as far as I can see, the wiki does
> show how to set up the winbind backend before how to set up NSS. If you
> can show where this is different, I will try to fix it.

I'm saying the sections should be re-arranged in this order:

  Configuring the ad Back End
  then
  The RFC2307 and template Mode Options

This would present the config outline first, then explain variations
and what the different value options mean.
I would have found it much clearer as a first time / long time ago
returning reader. The example also clarifies, given the difference, that
SAMDOM and DOMAIN are placeholder variables for the workgroup/domain.

> > This still fails (r2 is in every group Administrator is in; I expect
> > the same output)
> >
> > net ads join -U r2 -d 5 2>&1
...
> > _kerberos._tcp.nc.nor-consult.com       service = 0 100 88 ad-mo3.nc.nor-consult.com.
> > Samba is running as an Unix domain member but 'winbindd' is NOT running.
> > Check that the winbind package is installed.
>
> This shows that at least one Samba daemon is running (but not winbind),
> so find which are and stop them.

I must have forgotten to stop them again at some point after restarting
the VM during troubleshooting.

systemctl disable smbd nmbd winbind ; systemctl stop smbd nmbd winbind

As I write this reply I am trying again with them stopped. HOWEVER I'm
99% sure it's going to fail again since it stalled at that place it
hangs for 15+min. Do I need to purge the local samba databases again?

rm -r /run/samba/*.?db\
 /var/cache/samba/*.?db\
 /var/lib/samba/*.?db\
 /var/lib/samba/private/*.?db

> Do you really need all those ethernet devices ?
> Do you really need IPv6 ?
>
> > -----------

The altnames are junk systemd adds... /etc/network/interfaces only calls
them lo eth0 and eth1 as is proper for a VM.

IPv6 yes, if I have to migrate to a new domain it's far past time that I
should enable IPv6 internally as well. It might not be required today,
but it's well past time to be IPv4 only.

> > Checking file: /etc/hosts
> >
> > 127.0.0.1       localhost
> > 10.2.0.45       v-fs5.nc.nor-consult.com v-fs5
> > fd00:6959:d45d:0200::2d v-fs5.nc.nor-consult.com v-fs5
>
> Does this computer have a fixed IP ?

Those are its static IPs yes.

> > Checking file: /etc/resolv.conf
> >
> > domain nc.nor-consult.com
> > search nc.nor-consult.com norconsult.local nor-consult.com
>
> 'domain' and 'search' are mutually exclusive, the last one wins, so you
> might as well remove the 'domain' line.
> Your 'search' line should only search the AD dns domain, nothing else.
>
> > nameserver 10.2.0.35

There are legacy resources that live in other places and shortnames for
servers that live outside of the domain. That's the search order I want
to look for hosts in.

> Not that it matters at this point, but you need to add winbind to the
> passwd and group lines, also the hosts line should be:
> hosts: files dns
>
> > -----------

Good, I hate how Apple took over .local and no one told them that was a
bad idea.

> >         idmap config NC:range = 3500-999999
>
> Why start the 'DOMAIN' range at '3500' ?
>
> Rowland

Reasons of annoyances for migration plans, and I also read that 'machine
accounts' need UIDs as well, which wasn't in the initial plans. It makes
sense as each machine must have an agent ID to pair with the machine
keytab.
Michael Evans
2021-Nov-18 08:15 UTC
[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
First, sorry, it isn't as obvious when Outlook is mostly used in an
office and everyone's using the defaults, but it becomes really obvious
when interacting with a mailing list: those defaults are super confusing
for conversations with many replies. I had to google where the
configuration to conform with non-Redmond email clients was. Mostly. It
keeps inserting [] even when I don't give it a name to put in the
middle, which is aggravating to the point that I see why I must have
never kept that change.

> -----Original Message-----
> From: Michael Evans [mailto:michael.evans at nor-consult.com]
> Sent: Wednesday, November 17, 2021 3:37 PM
> To: 'Rowland Penny'
> Cc: 'samba at lists.samba.org'
> Subject: RE: [Samba] Unable to net ads join samba to an active directory
> domain Failed to join domain: failed to connect to AD: Can't contact LDAP
> server
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Rowland Penny via samba
> Sent: Wednesday, November 17, 2021 2:37 PM
> To: sambalist
> Subject: Re: [Samba] Unable to net ads join samba to an active directory
> domain Failed to join domain: failed to connect to AD: Can't contact LDAP
> server
>
> On Wed, 2021-11-17 at 13:11 -0800, Michael Evans wrote:
> > > Your Third point: If I DO need it then it isn't _optional_ and the
> > > documentation is incorrect / confusing.
> >
> > Granted, I will fix.

[Michael Evans] Thank you.

> > > Documentation error: Hyperlink is NOT default hyperlink colors and
> > > NOT underlined.
> >
> > You may have a point there, but it does say above the box:
> >
> > Select one of the following hyperlinks to find information about the
> > relevant Samba domain back end and what idmap config lines to add:
> >

[Michael Evans] It's in the middle of a BIG blob of text; someone
expecting to just set the configuration value to "idmap config ad",
since it's all stored in the AD, and not need to set anything else,
will skim past. Also, for readability, hyperlinks should always present
as hyperlinks. It would also help to hyperlink to the details page each
time the topic is mentioned.

> > > idmap config ad <<< That looks like just text with emphasis, NOT a
> > > hyperlink.
> >
> > Well yes, but normal hyperlinks can look just like text until you hover
> > your mouse pointer over them.

[Michael Evans] (added since the previous reply) Who's going to do that
if it doesn't look like a hyperlink? It seems to be a deliberate style
anti-pattern on the whole wiki. The AD page _also_ has disguised
hyperlinks that are thus skipped because unless you know they /might/
be hyperlinks it would never occur to you that it isn't a single line
configuration flag that is required.

> > > https://wiki.samba.org/index.php/Idmap_config_ad
> > >
> > > The Config AD Backend and NSS info sections should be in that order,
> > > not the NSS then AD order.
> >
> > I must be missing something, for as far as I can see, the wiki does
> > show how to set up the winbind backend before how to set up NSS. If you
> > can show where this is different, I will try to fix it.
>

[Michael Evans] I'm saying the sections should be re-arranged in this
order:

  Configuring the ad Back End
  then
  The RFC2307 and template Mode Options

This would present the config outline first, then explain variations and
what the different value options mean. I would have found it much
clearer as a first time / long time ago returning reader. The example
also clarifies, given the difference, that SAMDOM and DOMAIN are
placeholder variables for the workgroup/domain.

> > > This still fails (r2 is in every group Administrator is in; I expect
> > > the same output)
> > >
> > > net ads join -U r2 -d 5 2>&1
> ...
> > > _kerberos._tcp.nc.nor-consult.com       service = 0 100 88 ad-mo3.nc.nor-consult.com.
> > > Samba is running as an Unix domain member but 'winbindd' is NOT running.
> > > Check that the winbind package is installed.
> >
> > This shows that at least one Samba daemon is running (but not winbind),
> > so find which are and stop them.
> >

[Michael Evans] I must have forgotten to stop them again at some point
after restarting the VM during troubleshooting.

systemctl disable smbd nmbd winbind ; systemctl stop smbd nmbd winbind

As I write this reply I am trying again with them stopped. HOWEVER I'm
99% sure it's going to fail again since it stalled at that place it
hangs for 15+min. Do I need to purge the local samba databases again?

rm -r /run/samba/*.?db\
 /var/cache/samba/*.?db\
 /var/lib/samba/*.?db\
 /var/lib/samba/private/*.?db

Additional: it failed again as expected, also after purging the above on
v-fs5.

> > Do you really need all those ethernet devices ?
> > Do you really need IPv6 ?
> >
> > > -----------
>
> The altnames are junk systemd adds... /etc/network/interfaces only calls
> them lo eth0 and eth1 as is proper for a VM.
>
> IPv6 yes, if I have to migrate to a new domain it's far past time that I
> should enable IPv6 internally as well. It might not be required today,
> but it's well past time to be IPv4 only.
>
> > > Checking file: /etc/hosts
> > >
> > > 127.0.0.1       localhost
> > > 10.2.0.45       v-fs5.nc.nor-consult.com v-fs5
> > > fd00:6959:d45d:0200::2d v-fs5.nc.nor-consult.com v-fs5
> >
> > Does this computer have a fixed IP ?
> >
>
> Those are its static IPs yes.
>
> > > Checking file: /etc/resolv.conf
> > >
> > > domain nc.nor-consult.com
> > > search nc.nor-consult.com norconsult.local nor-consult.com
> >
> > 'domain' and 'search' are mutually exclusive, the last one wins, so you
> > might as well remove the 'domain' line.
> > Your 'search' line should only search the AD dns domain, nothing else.
> >
> > > nameserver 10.2.0.35
>
> There are legacy resources that live in other places and shortnames for
> servers that live outside of the domain. That's the search order I want
> to look for hosts in.
>
> > Not that it matters at this point, but you need to add winbind to the
> > passwd and group lines, also the hosts line should be:
> > hosts: files dns
> >
> > > -----------
>

[Michael Evans] Good, I hate how Apple took over .local and no one told
them that was a bad idea.

> > >         idmap config NC:range = 3500-999999
> >
> > Why start the 'DOMAIN' range at '3500' ?
> >
> > Rowland
> >
>

[Michael Evans] Reasons of annoyances for migration plans, and I also
read that 'machine accounts' need UIDs as well, which wasn't in the
initial plans. It makes sense as each machine must have an agent ID to
pair with the machine keytab.

The question about the member server's IP addresses being static made me
wonder: should I add records for those services too? Which records?

Revisiting the records that helped the LDAP tool (external to samba)
work for those tests:

# Add in-addr.arpa and ip6.arpa reverse lookup zones
# (I would have appreciated -k also working for Kerberos auth here)
# static IPv4 /16 netmask
samba-tool dns zonecreate ::1 2.10.in-addr.arpa -U Administrator
samba-tool dns add ::1 2.10.in-addr.arpa 35.0 PTR ad-mo3.nc.nor-consult.com -U Administrator
# static IPv6 /60 netmask
samba-tool dns zonecreate ::1 0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa -U Administrator
samba-tool dns add ::1 0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa 3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR ad-mo3.nc.nor-consult.com

Test method:

host 10.2.0.35
35.0.2.10.in-addr.arpa domain name pointer ad-mo3.nc.nor-consult.com.

host fd00:6959:d45d:200::23
3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa domain name pointer ad-mo3.nc.nor-consult.com.

Note: the output of host is particularly useful as it reverses and
divides the uncompressed IPv6 notation exactly as necessary on error:

3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa has no PTR record

Simple cut and paste string operations are sufficient.
+++

samba-tool dns add ::1 2.10.in-addr.arpa 45.0 PTR v-fs5.nc.nor-consult.com -U r2
samba-tool dns add ::1 0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa d.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR v-fs5.nc.nor-consult.com -U r2
samba-tool dns add ::1 nc.nor-consult.com v-fs5 A 10.2.0.45 -U r2
samba-tool dns add ::1 nc.nor-consult.com v-fs5 AAAA fd00:6959:d45d:200::2d -U r2

samba-tool dns query ::1 nc.nor-consult.com '@' ALL
  Name=, Records=4, Children=0
    AAAA: fd00:6959:d45d:0200:0000:0000:0000:0023 (flags=600000f0, serial=110, ttl=900)
    SOA: serial=4, refresh=900, retry=600, expire=86400, minttl=3600, ns=ad-mo3.nc.nor-consult.com., email=hostmaster.nc.nor-consult.com. (flags=600000f0, serial=4, ttl=3600)
    NS: ad-mo3.nc.nor-consult.com. (flags=600000f0, serial=110, ttl=900)
    A: 10.2.0.35 (flags=600000f0, serial=110, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=ad-mo3, Records=2, Children=0
    AAAA: fd00:6959:d45d:0200:0000:0000:0000:0023 (flags=f0, serial=2, ttl=900)
    A: 10.2.0.35 (flags=f0, serial=110, ttl=900)
  Name=DomainDnsZones, Records=0, Children=2
  Name=ForestDnsZones, Records=0, Children=2
  Name=v-fs5, Records=2, Children=0
    A: 10.2.0.45 (flags=f0, serial=3, ttl=900)
    AAAA: fd00:6959:d45d:0200:0000:0000:0000:002d (flags=f0, serial=4, ttl=900)

Retested: Failed.

Re-thought about hyperlinks missing _ and the wrong color. ad-mo3, the
DC, is also missing idmap config. Retested Windows PC join, still works
anyway.

v-fs5 passed:

kinit u2
ldapsearch -H ldap://ad-mo3.nc.nor-consult.com -Y GSSAPI -b 'DC=nc,DC=nor-consult,DC=com'

# on the AD DC
getfacl /var/lib/samba/sysvol/nc.nor-consult.com/

Q: winbind doesn't seem to show the User or Group names, even with the
enum users / groups config lines in smb.conf... How to fix nss?
A: Debian doesn't install libnss-winbind nor libpam-winbind by default.
apt install libnss-winbind libpam-winbind

Update /etc/nsswitch.conf if the packages don't add winbind to the end
of passwd and group lines.

This is a long email by necessity, I'm out of ideas so I'm collecting
data on both the AD DC and the member server that fails to join as a
member server.

https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

### AD ###

Collected config --- 2021-11-18-07:23 -----------

Hostname: ad-mo3
DNS Domain: nc.nor-consult.com
FQDN: ad-mo3.nc.nor-consult.com
ipaddress: 10.2.0.35 REDACTED.35 fd00:6959:d45d:200:a800:ff:fead:3b23 REDACTED:a800:ff:fead:3b23 fd00:6959:d45d:200::23

-----------

Kerberos SRV _kerberos._tcp.nc.nor-consult.com record verified ok, sample output:
Server:         127.0.0.1
Address:        127.0.0.1#53

_kerberos._tcp.nc.nor-consult.com       service = 0 100 88 ad-mo3.nc.nor-consult.com.

Samba is running as an AD DC

-----------

Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------

This computer is running Debian 11.1 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:00:ad:3b:23 brd ff:ff:ff:ff:ff:ff
    altname enp0s13
    altname ens13
    inet 10.2.0.35/16 brd 10.2.255.255 scope global eth0
    inet6 fd00:6959:d45d:200:a800:ff:fead:3b23/64 scope global dynamic mngtmpaddr
    inet6 REDACTED:a800:ff:fead:3b23/64 scope global dynamic mngtmpaddr
    inet6 fd00:6959:d45d:200::23/56 scope global
    inet6 fe80::a800:ff:fead:3b23/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:00:6a:ed:d1 brd ff:ff:ff:ff:ff:ff
    altname enp0s14
    altname ens14
    inet REDACTED.35/16 brd 10.202.255.255 scope global eth1
    inet6 fe80::a800:ff:fe6a:edd1/64 scope link

-----------
Checking file: /etc/hosts

127.0.0.1       localhost

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

Checking file: /etc/resolv.conf

domain nc.nor-consult.com
search nc.nor-consult.com norconsult.local nor-consult.com
nameserver 127.0.0.1

-----------

Checking file: /etc/krb5.conf

[libdefaults]
        default_realm = NC.NOR-CONSULT.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        NC.NOR-CONSULT.COM = {
                default_domain = nc.nor-consult.com
        }

[domain_realm]
        ad-mo3 = NC.NOR-CONSULT.COM

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         files winbind
group:          files winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

Checking file: /etc/samba/smb.conf

# Global parameters
[global]
        #bind interfaces only = Yes
        dns forwarder = 10.2.0.10
        #interfaces = lo eth0
        netbios name = AD-MO3
        realm = NC.NOR-CONSULT.COM
        server role = active directory domain controller
        workgroup = NC
        idmap_ldb:use rfc2307 = yes
        bind interfaces only = yes
        interfaces = 127.0.0.1 10.2.0.35 ::1 fd00:6959:d45d:200::23
        winbind enum users = yes
        winbind enum groups = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/nc.nor-consult.com/scripts
        read only = No

-----------

BIND_DLZ not detected in smb.conf

-----------

Installed packages:
ii  acl                            2.2.53-10                  amd64  access control list - utilities
ii  attr                           1:2.4.48-6                 amd64  utilities for manipulating filesystem extended attributes
ii  krb5-config                    2.6+nmu1                   all    Configuration files for Kerberos Version 5
ii  krb5-user                      1.18.3-6+deb11u1           amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                  2.2.53-10                  amd64  access control list - shared library
ii  libattr1:amd64                 1:2.4.48-6                 amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64         1.18.3-6+deb11u1           amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                1.18.3-6+deb11u1           amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64          1.18.3-6+deb11u1           amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64           2:4.13.13+dfsg-1~deb11u2   amd64  Samba nameservice integration plugins
ii  libpam-krb5:amd64              4.9-2                      amd64  PAM module for MIT Kerberos
ii  libpam-winbind:amd64           2:4.13.13+dfsg-1~deb11u2   amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64             2:4.13.13+dfsg-1~deb11u2   amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64             2:4.13.13+dfsg-1~deb11u2   amd64  Samba winbind client library
ii  python3-samba                  2:4.13.13+dfsg-1~deb11u2   amd64  Python 3 bindings for Samba
ii  samba                          2:4.13.13+dfsg-1~deb11u2   amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.13.13+dfsg-1~deb11u2   all    common files used by both the Samba server and client
ii  samba-common-bin               2:4.13.13+dfsg-1~deb11u2   amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64       2:4.13.13+dfsg-1~deb11u2   amd64  Samba Directory Services Database
ii  samba-libs:amd64               2:4.13.13+dfsg-1~deb11u2   amd64  Samba core libraries
ii  samba-vfs-modules:amd64        2:4.13.13+dfsg-1~deb11u2   amd64  Samba Virtual FileSystem plugins
ii  smbclient                      2:4.13.13+dfsg-1~deb11u2   amd64  command-line SMB/CIFS clients for Unix
ii  winbind                        2:4.13.13+dfsg-1~deb11u2   amd64  service to resolve user and group information from Windows NT servers

-----------

### to-be member server (net ads join fails) ###

Collected config --- 2021-11-18-07:23 -----------

Hostname: v-fs5
DNS Domain: nc.nor-consult.com
FQDN: v-fs5.nc.nor-consult.com
ipaddress: 10.2.0.45 REDACTED.45 fd00:6959:d45d:200:a800:ff:fe48:dc6f REDACTED:a800:ff:fe48:dc6f fd00:6959:d45d:200::2d

-----------

Kerberos SRV _kerberos._tcp.nc.nor-consult.com record verified ok, sample output:
Server:         10.2.0.35
Address:        10.2.0.35#53

_kerberos._tcp.nc.nor-consult.com       service = 0 100 88 ad-mo3.nc.nor-consult.com.

Samba is not being run as a DC or a Unix domain member.
-----------

Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------

This computer is running Debian 11.1 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:00:48:dc:6f brd ff:ff:ff:ff:ff:ff
    altname enp0s13
    altname ens13
    inet 10.2.0.45/16 brd 10.2.255.255 scope global eth0
    inet6 fd00:6959:d45d:200:a800:ff:fe48:dc6f/64 scope global dynamic mngtmpaddr
    inet6 REDACTED:a800:ff:fe48:dc6f/64 scope global dynamic mngtmpaddr
    inet6 fd00:6959:d45d:200::2d/56 scope global
    inet6 fe80::a800:ff:fe48:dc6f/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:00:89:ed:9e brd ff:ff:ff:ff:ff:ff
    altname enp0s14
    altname ens14
    inet REDACTED.45/16 brd 10.202.255.255 scope global eth1
    inet6 fe80::a800:ff:fe89:ed9e/64 scope link

-----------
Checking file: /etc/hosts

127.0.0.1       localhost
10.2.0.45       v-fs5.nc.nor-consult.com v-fs5
fd00:6959:d45d:0200::2d v-fs5.nc.nor-consult.com v-fs5

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

Checking file: /etc/resolv.conf

search nc.nor-consult.com norconsult.local nor-consult.com
nameserver 10.2.0.35

-----------

Checking file: /etc/krb5.conf

[libdefaults]
        default_realm = NC.NOR-CONSULT.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind
group:          files winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

Warning, does not exist

-----------

Installed packages:
ii  acl                            2.2.53-10                  amd64  access control list - utilities
ii  attr                           1:2.4.48-6                 amd64  utilities for manipulating filesystem extended attributes
ii  krb5-config                    2.6+nmu1                   all    Configuration files for Kerberos Version 5
ii  krb5-user                      1.18.3-6+deb11u1           amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                  2.2.53-10                  amd64  access control list - shared library
ii  libattr1:amd64                 1:2.4.48-6                 amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64         1.18.3-6+deb11u1           amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64       7.7.0+dfsg-2               amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                1.18.3-6+deb11u1           amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64          1.18.3-6+deb11u1           amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64           2:4.13.13+dfsg-1~deb11u2   amd64  Samba nameservice integration plugins
ii  libpam-krb5:amd64              4.9-2                      amd64  PAM module for MIT Kerberos
ii  libpam-winbind:amd64           2:4.13.13+dfsg-1~deb11u2   amd64  Windows domain authentication integration plugin
ii  libwbclient0:amd64             2:4.13.13+dfsg-1~deb11u2   amd64  Samba winbind client library
ii  python3-samba                  2:4.13.13+dfsg-1~deb11u2   amd64  Python 3 bindings for Samba
ii  samba                          2:4.13.13+dfsg-1~deb11u2   amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.13.13+dfsg-1~deb11u2   all    common files used by both the Samba server and client
ii  samba-common-bin               2:4.13.13+dfsg-1~deb11u2   amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64       2:4.13.13+dfsg-1~deb11u2   amd64  Samba Directory Services Database
ii  samba-libs:amd64               2:4.13.13+dfsg-1~deb11u2   amd64  Samba core libraries
ii  samba-vfs-modules:amd64        2:4.13.13+dfsg-1~deb11u2   amd64  Samba Virtual FileSystem plugins
ii  winbind                        2:4.13.13+dfsg-1~deb11u2   amd64  service to resolve user and group information from Windows NT servers

-----------

It's still failing in the same spot, and gse_krb5 doesn't give me enough
data to know _why_ it's failing or _what_ it's failing to do.

cat /run/samba/smb_krb5/krb5.conf.NC
[libdefaults]
        default_realm = NC.NOR-CONSULT.COM
        default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        NC.NOR-CONSULT.COM = {
                kdc = [fd00:6959:d45d:200::23]:88
                kdc = 10.2.0.35
        }
        NC = {
                kdc = [fd00:6959:d45d:200::23]:88
                kdc = 10.2.0.35
        }

# net ads join -U Administrator -d 10
...
sitename_store: realm = [NC], sitename = [Default-First-Site-Name], expire [2085923199]
gencache_set_data_blob: Adding cache entry with key=[AD_SITENAME/DOMAIN/NC] and timeout=[Wed Dec 31 11:59:59 PM -2147481749 UTC] (67768034554456348 seconds ahead)
sitename_store: realm = [nc.nor-consult.com], sitename [Default-First-Site-Name], expire = [2085923199]
gencache_set_data_blob: Adding cache entry with key=[AD_SITENAME/DOMAIN/NC.NOR-CONSULT.COM] and timeout=[Wed Dec 31 11:59:59 PM -2147481749 UTC] (67768034554456348 seconds ahead)
Successfully contacted LDAP server 10.2.0.35
Opening connection to LDAP server 'ad-mo3.nc.nor-consult.com:389', timeout 15 seconds
Connecting to 10.2.0.35 at port 389
Initialized connection for LDAP server 'ldap://ad-mo3.nc.nor-consult.com:389'
Connected to LDAP server ad-mo3.nc.nor-consult.com
ads_closest_dc: NBT_SERVER_CLOSEST flag set
saf_store: domain = [NC], server = [ad-mo3.nc.nor-consult.com], expire [1637221351]
gencache_set_data_blob: Adding cache entry with key=[SAF/DOMAIN/NC] and timeout=[Thu Nov 18 07:42:31 AM 2021 UTC] (900 seconds
ahead) saf_store: domain = [nc.nor-consult.com], server [ad-mo3.nc.nor-consult.com], expire = [1637221351] gencache_set_data_blob: Adding cache entry with key=[SAF/DOMAIN/NC.NOR-CONSULT.COM] and timeout=[Thu Nov 18 07:42:31 AM 2021 UTC] (900 seconds ahead) KDC time offset is 0 seconds Found SASL mechanism GSS-SPNEGO ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2 ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2 ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10 kerberos_kinit_password_ext: as Administrator at NC.NOR-CONSULT.COM using [MEMORY:libnet_join_user_creds] as ccache and config [/run/samba/smb_krb5/krb5.conf.NC] kerberos_kinit_password_ext: Administrator at NC.NOR-CONSULT.COM mapped to Administrator at NC.NOR-CONSULT.COM Starting GENSEC mechanism spnego Starting GENSEC submechanism gse_krb5 gensec_update_send: gse_krb5[0x55cff9e4c6b0]: subreq: 0x55cff9e482f0 gensec_update_send: spnego[0x55cff9e67410]: subreq: 0x55cff9e72330 gensec_update_done: gse_krb5[0x55cff9e4c6b0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55cff9e482f0/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x55cff9e484a0)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859] gensec_update_done: spnego[0x55cff9e67410]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55cff9e72330/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x55cff9e724e0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116] ### Stalls here for 15-20 min. No joke, this is tedious hell. ### How can I fix this, or collect more data to figure out where it's failing? kinit u2 ldapsearch -H ldap://ad-mo3.nc.nor-consult.com -Y GSSAPI -b 'DC=nc,DC=nor-consult,DC=com' The above works and dumps a surprising number of objects given 1 dc 1 attempted member server join, and 2 Win10 test PCs joined / parted. I also wonder, what _should_ the AD and member server look like in a working realm? 
Maybe the host / machine name must be allcaps in DNS unlike the all-lowercase I use by default? Though if that's the case, why doesn't Samba just upper()/lower() case places it only expects to use that? PTR ad-mo3.nc.nor-consult.com kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com with user[Administrator] realm[NC.NOR-CONSULT.COM]: Can't contact LDAP server ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com with user[Administrator] realm[NC.NOR-CONSULT.COM]: Can't contact LDAP server, fallback to NTLMSSP Starting GENSEC mechanism spnego Starting GENSEC submechanism ntlmssp negotiate: struct NEGOTIATE_MESSAGE Signature : 'NTLMSSP' MessageType : NtLmNegotiate (1) NegotiateFlags : 0x62088235 (1644724789) 1: NTLMSSP_NEGOTIATE_UNICODE 0: NTLMSSP_NEGOTIATE_OEM 1: NTLMSSP_REQUEST_TARGET 1: NTLMSSP_NEGOTIATE_SIGN 1: NTLMSSP_NEGOTIATE_SEAL 0: NTLMSSP_NEGOTIATE_DATAGRAM 0: NTLMSSP_NEGOTIATE_LM_KEY 0: NTLMSSP_NEGOTIATE_NETWARE 1: NTLMSSP_NEGOTIATE_NTLM 0: NTLMSSP_NEGOTIATE_NT_ONLY 0: NTLMSSP_ANONYMOUS 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0: NTLMSSP_TARGET_TYPE_DOMAIN 0: NTLMSSP_TARGET_TYPE_SERVER 0: NTLMSSP_TARGET_TYPE_SHARE 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY 0: NTLMSSP_NEGOTIATE_IDENTIFY 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY 0: NTLMSSP_NEGOTIATE_TARGET_INFO 1: NTLMSSP_NEGOTIATE_VERSION 1: NTLMSSP_NEGOTIATE_128 1: NTLMSSP_NEGOTIATE_KEY_EXCH 0: NTLMSSP_NEGOTIATE_56 DomainNameLen : 0x0000 (0) DomainNameMaxLen : 0x0000 (0) DomainName : * DomainName : '' WorkstationLen : 0x0000 (0) WorkstationMaxLen : 0x0000 (0) Workstation : * Workstation : '' Version: struct ntlmssp_VERSION ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1) ProductBuild : 0x0000 (0) Reserved: ARRAY(3) [0] : 0x00 (0) [1] : 0x00 (0) [2] : 0x00 (0) 
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) gensec_update_send: ntlmssp[0x55cff9e71550]: subreq: 0x55cff9e482f0 gensec_update_send: spnego[0x55cff9e67410]: subreq: 0x55cff9e72330 gensec_update_done: ntlmssp[0x55cff9e71550]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55cff9e482f0/../../auth/ntlmssp/ntlmssp.c:180]: state[2] error[0 (0x0)] state[struct gensec_ntlmssp_update_state (0x55cff9e484a0)] timer[(nil)] finish[../../auth/ntlmssp/ntlmssp.c:215] gensec_update_done: spnego[0x55cff9e67410]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55cff9e72330/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x55cff9e724e0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116] ads_sasl_spnego_gensec_bind(NTLMSSP) failed for ldap/ad-mo3.nc.nor-consult.com with user[Administrator] realm=[NC.NOR-CONSULT.COM]: Can't contact LDAP server libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx out: struct libnet_JoinCtx account_name : 'V-FS5$' netbios_domain_name : 'NC' dns_domain_name : 'nc.nor-consult.com' forest_name : 'nc.nor-consult.com' dn : NULL domain_guid : 250143d6-aebe-440e-94c5-f27c7af7857b domain_sid : * domain_sid : S-1-5-21-3458735564-2487305582-1134572456 modified_config : 0x00 (0) error_string : 'failed to connect to AD: Can't contact LDAP server' domain_is_ad : 0x01 (1) set_encryption_types : 0x00000000 (0) krb5_salt : NULL result : WERR_NERR_DEFAULTJOINREQUIRED return code = -1 Failed to join domain: failed to connect to AD: Can't contact LDAP server
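A connectivity probe added here as an example (it is not code from the post or from Samba): it parses the kdc = lines from a krb5.conf body shaped like the /run/samba/smb_krb5/krb5.conf.NC above and makes a timed TCP connect to the KDC port and to LDAP port 389 on each listed address separately, so a hang during the GSS-SPNEGO bind can be narrowed to one IPv4 or IPv6 endpoint rather than the generic "Can't contact LDAP server". It assumes bash (for /dev/tcp) and the coreutils timeout command; the [realms] block inside it is a constructed copy of the post's.

```shell
#!/bin/bash
# Added diagnostic example, not part of the original post or of Samba.
# Extracts every "kdc =" entry from a krb5.conf body and probes the KDC port
# plus LDAP 389 on that same address with a timeout, so a stall can be pinned
# to one concrete IPv4 or IPv6 endpoint. Assumes bash and coreutils `timeout`.

# Constructed copy of the [realms] block from the post (addresses are the post's).
KRB5_SAMPLE='[realms]
NC.NOR-CONSULT.COM = {
    kdc = [fd00:6959:d45d:200::23]:88
    kdc = 10.2.0.35
}'

# kdc_endpoints: read a krb5.conf body on stdin, print "host port" per kdc line.
# Accepts "[v6addr]:port", "[v6addr]", "host:port", a bare v6 literal and "host".
kdc_endpoints() {
    sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*//p' |
    while IFS= read -r kdc; do
        case "$kdc" in
            \[*\]:*) host=${kdc#\[}; host=${host%%\]*}; port=${kdc##*\]:} ;;
            \[*\])   host=${kdc#\[}; host=${host%\]};  port=88 ;;
            *:*:*)   host=$kdc;      port=88 ;;        # bare IPv6 literal
            *:*)     host=${kdc%:*}; port=${kdc##*:} ;;
            *)       host=$kdc;      port=88 ;;        # Kerberos default port
        esac
        printf '%s %s\n' "$host" "$port"
    done
}

# tcp_probe HOST PORT [SECONDS]: exit 0 if a TCP connect completes in time.
# An IPv6 literal is passed as-is; bash resolves /dev/tcp/HOST/PORT via getaddrinfo.
tcp_probe() {
    timeout "${3:-5}" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# check_dc: probe the KDC port from the config and LDAP 389 on every listed host.
check_dc() {
    printf '%s\n' "$KRB5_SAMPLE" | kdc_endpoints | while read -r host port; do
        for p in "$port" 389; do
            if tcp_probe "$host" "$p" 5; then
                printf 'ok          %s port %s\n' "$host" "$p"
            else
                printf 'NO CONNECT  %s port %s (timeout/refused)\n' "$host" "$p"
            fi
        done
    done
}

# Live probe only when asked (RUN_PROBE=1 ./probe.sh); parsing alone is offline.
if [ "${RUN_PROBE:-0}" = 1 ]; then check_dc; fi
```

An address that reports NO CONNECT while the other answers is the one to examine in the DC's listeners and the member's routing before looking further at Kerberos itself.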