Michael Evans
2021-Nov-18 08:15 UTC
[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
First, Sorry, It isn't as obvious when Outlook is mostly used in an office and everyone's using the defaults, but it becomes really obvious when interacting with a mailing list: those defaults are super confusing for conversations with many replies. I had to google where the configuration to conform with non-Redmond email clients was. Mostly. It keeps inserting [] even when I don't give it a name to put in the middle, which is aggravating to the point that I see why I must have never kept that change.

> -----Original Message-----
> From: Michael Evans [mailto:michael.evans at nor-consult.com]
> Sent: Wednesday, November 17, 2021 3:37 PM
> To: 'Rowland Penny'
> Cc: 'samba at lists.samba.org'
> Subject: RE: [Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
> Sent: Wednesday, November 17, 2021 2:37 PM
> To: sambalist
> Subject: Re: [Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
>
> On Wed, 2021-11-17 at 13:11 -0800, Michael Evans wrote:
> >
> > Your Third point: If I DO need it then it isn't _optional_ and the
> > documentation is incorrect / confusing.
>
> Granted, I will fix.

[Michael Evans] Thank you.

> > Documentation error: Hyperlink is NOT default hyperlink colors and NOT
> > underlined.
>
> You may have a point there, but it does say above the box:
>
> Select one of the following hyperlinks to find information about the
> relevant Samba domain back end and what idmap config lines to add:
>

[Michael Evans] It's in the middle of a BIG blob of text someone expecting to just set the configuration value to "idmap config ad" since it's all stored in the AD and not need to set anything else, will skim past.
Also, for readability, hyperlinks should always present as hyperlinks. It would also help to hyperlink to the details page each time the topic is mentioned.

> > idmap config ad <<< That looks like just text with emphasis, NOT a
> > hyperlink.
>
> Well yes, but normal hyperlinks can look just like text until you hover
> your mouse pointer over them.

[Michael Evans] (added since the previous reply) Who's going to do that if it doesn't look like a hyperlink? It seems to be a deliberate style anti-pattern on the whole wiki. The AD page _also_ has disguised hyperlinks that are thus skipped because unless you know they /might/ be hyperlinks it would never occur to you that it isn't a single line configuration flag that is required.

> > https://wiki.samba.org/index.php/Idmap_config_ad
> >
> > The Config AD Backend and NSS info sections should be in that order,
> > not the NSS then AD order.
>
> I must be missing something, for as far as I can see, the wiki does
> show how to set up the winbind backend before how to set up NSS. If you
> can show where this is different, I will try to fix it.
>

[Michael Evans] I'm saying the sections should be re-arranged in this order:

Configuring the ad Back End
then
The RFC2307 and template Mode Options

This would present the config outline first, then explain variations and what the different value options mean. I would have found it much clearer as a first time / long time ago returning reader.

The example also clarifies given the difference that SAMDOM and DOMAIN are placeholder variables for the workgroup/domain.

> > This still fails (r2 is in every group Administrator is in; I expect the
> > same output)
> >
> > net ads join -U r2 -d 5 2>&1
> ...
> > _kerberos._tcp.nc.nor-consult.com service = 0 100 88
> > ad-mo3.nc.nor-consult.com.
> > Samba is running as an Unix domain member but 'winbindd' is NOT
> > running.
> > Check that the winbind package is installed.
> This shows that at least one Samba daemon is running (but not winbind),
> so find which are and stop them.
>

[Michael Evans] I must have forgotten to stop them again at some point after restarting the VM during troubleshooting.

systemctl disable smbd nmbd winbind ; systemctl stop smbd nmbd winbind

As I write this reply I am trying again with them stopped.

HOWEVER I'm 99% sure it's going to fail again since it stalled at that place it hangs for 15+min. Do I need to purge the local samba databases again?

rm -r /run/samba/*.?db\
/var/cache/samba/*.?db\
/var/lib/samba/*.?db\
/var/lib/samba/private/*.?db

Additional: it failed again as expected, also after purging the above on v-fs5.

> Do you really need all those ethernet devices ?
> Do you really need IPv6 ?
>
> > -----------

The altnames are junk systemd adds... /etc/network/interfaces only calls them lo eth0 and eth1 as is proper for a VM.

IPv6 yes, If I have to migrate to a new domain it's far past time that I should enable IPv6 internally as well. It might not be required today, but it's well past time to be IPv4 only.

> > Checking file: /etc/hosts
> >
> > 127.0.0.1 localhost
> > 10.2.0.45 v-fs5.nc.nor-consult.com v-fs5
> > fd00:6959:d45d:0200::2d v-fs5.nc.nor-consult.com v-fs5
>
> Does this computer have a fixed IP ?
>

Those are its static IPs yes.

> > Checking file: /etc/resolv.conf
> >
> > domain nc.nor-consult.com
> > search nc.nor-consult.com norconsult.local nor-consult.com
>
> 'domain' and search are mutually exclusive, the last one wins, so you
> might as well remove the 'domain' line.
> Your 'search' line should only search the AD dns domain, nothing else.
>
> > nameserver 10.2.0.35

There are legacy resources that live in other places and shortnames for servers that live outside of the domain. That's the search order I want to look for hosts in.
> Not that it matters at this point, but you need to add winbind to the
> passwd and group lines, also the hosts line should be:
> hosts: files dns
>
> > -----------

[Michael Evans] Good, I hate how Apple took over .local and no one told them that was a bad idea.

> > idmap config NC:range = 3500-999999
>
> Why start the 'DOMAIN' range at '3500' ?
>
> Rowland
>

[Michael Evans] Reasons of annoyances for migration plans, and I also read that 'machine accounts' need UIDs as well, which wasn't in the initial plans. It makes sense as each machine must have an agent ID to pair with the machine keytab.

The question about the member server's IP addresses being static made me wonder: should I add records for those services too? Which records?

Revisiting the records that helped the LDAP tool (external to samba) work for those tests:

# Add in-addr.arpa and ip6.arpa reverse lookup zones (I would have appreciated -k also working for Kerberos auth here)

# static IPv4 /16 netmask
samba-tool dns zonecreate ::1 2.10.in-addr.arpa -U Administrator
samba-tool dns add ::1 2.10.in-addr.arpa 35.0 PTR ad-mo3.nc.nor-consult.com -U Administrator

# static IPv6 /60 netmask
samba-tool dns zonecreate ::1 0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa -U Administrator
samba-tool dns add ::1 0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa 3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR ad-mo3.nc.nor-consult.com

Test method:

host 10.2.0.35
35.0.2.10.in-addr.arpa domain name pointer ad-mo3.nc.nor-consult.com.

host fd00:6959:d45d:200::23
3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa domain name pointer ad-mo3.nc.nor-consult.com.

Note: the output of host is particularly useful as it reverses and divides the uncompressed IPv6 notation exactly as necessary on error:

3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa has no PTR record

Simple cut and paste string operations are sufficient.
+++
samba-tool dns add ::1 2.10.in-addr.arpa 45.0 PTR v-fs5.nc.nor-consult.com -U r2
samba-tool dns add ::1 0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa d.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR v-fs5.nc.nor-consult.com -U r2
samba-tool dns add ::1 nc.nor-consult.com v-fs5 A 10.2.0.45 -U r2
samba-tool dns add ::1 nc.nor-consult.com v-fs5 AAAA fd00:6959:d45d:200::2d -U r2

samba-tool dns query ::1 nc.nor-consult.com '@' ALL
  Name=, Records=4, Children=0
    AAAA: fd00:6959:d45d:0200:0000:0000:0000:0023 (flags=600000f0, serial=110, ttl=900)
    SOA: serial=4, refresh=900, retry=600, expire=86400, minttl=3600, ns=ad-mo3.nc.nor-consult.com., email=hostmaster.nc.nor-consult.com. (flags=600000f0, serial=4, ttl=3600)
    NS: ad-mo3.nc.nor-consult.com. (flags=600000f0, serial=110, ttl=900)
    A: 10.2.0.35 (flags=600000f0, serial=110, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=ad-mo3, Records=2, Children=0
    AAAA: fd00:6959:d45d:0200:0000:0000:0000:0023 (flags=f0, serial=2, ttl=900)
    A: 10.2.0.35 (flags=f0, serial=110, ttl=900)
  Name=DomainDnsZones, Records=0, Children=2
  Name=ForestDnsZones, Records=0, Children=2
  Name=v-fs5, Records=2, Children=0
    A: 10.2.0.45 (flags=f0, serial=3, ttl=900)
    AAAA: fd00:6959:d45d:0200:0000:0000:0000:002d (flags=f0, serial=4, ttl=900)

Retested: Failed.

Re-thought about hyperlinks missing _ and the wrong color. ad-mo3, the DC, is also missing idmap config. Retested Windows PC join, still works anyway.

v-fs5 passed:

kinit u2
ldapsearch -H ldap://ad-mo3.nc.nor-consult.com -Y GSSAPI -b 'DC=nc,DC=nor-consult,DC=com'

# on the AD DC
getfacl /var/lib/samba/sysvol/nc.nor-consult.com/

Q: winbind doesn't seem to show the User or Group names, even with the enum users / groups config lines in smb.conf... How to fix nss?
A: Debian doesn't install libnss-winbind nor libpam-winbind by default.
apt install libnss-winbind libpam-winbind

Update /etc/nsswitch.conf if the packages don't add winbind to the end of passwd and group lines.

This is a long email by necessity, I'm out of ideas so I'm collecting data on both the AD DC and the member server that fails to join as a member server.

https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

### AD ###

Collected config --- 2021-11-18-07:23 -----------
Hostname: ad-mo3
DNS Domain: nc.nor-consult.com
FQDN: ad-mo3.nc.nor-consult.com
ipaddress: 10.2.0.35 REDACTED.35 fd00:6959:d45d:200:a800:ff:fead:3b23 REDACTED:a800:ff:fead:3b23 fd00:6959:d45d:200::23
-----------
Kerberos SRV _kerberos._tcp.nc.nor-consult.com record verified ok, sample output:
Server:  127.0.0.1
Address: 127.0.0.1#53

_kerberos._tcp.nc.nor-consult.com service = 0 100 88 ad-mo3.nc.nor-consult.com.

Samba is running as an AD DC
-----------
Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 11.1 x86_64
-----------
running command : ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:00:ad:3b:23 brd ff:ff:ff:ff:ff:ff
    altname enp0s13
    altname ens13
    inet 10.2.0.35/16 brd 10.2.255.255 scope global eth0
    inet6 fd00:6959:d45d:200:a800:ff:fead:3b23/64 scope global dynamic mngtmpaddr
    inet6 REDACTED:a800:ff:fead:3b23/64 scope global dynamic mngtmpaddr
    inet6 fd00:6959:d45d:200::23/56 scope global
    inet6 fe80::a800:ff:fead:3b23/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:00:6a:ed:d1 brd ff:ff:ff:ff:ff:ff
    altname enp0s14
    altname ens14
    inet REDACTED.35/16 brd 10.202.255.255 scope global eth1
    inet6 fe80::a800:ff:fe6a:edd1/64 scope link
-----------
Checking file: /etc/hosts

127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf

domain nc.nor-consult.com
search nc.nor-consult.com norconsult.local nor-consult.com
nameserver 127.0.0.1
-----------
Checking file: /etc/krb5.conf

[libdefaults]
    default_realm = NC.NOR-CONSULT.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    NC.NOR-CONSULT.COM = {
        default_domain = nc.nor-consult.com
    }

[domain_realm]
    ad-mo3 = NC.NOR-CONSULT.COM
-----------
Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         files winbind
group:          files winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
-----------
Checking file: /etc/samba/smb.conf

# Global parameters
[global]
    #bind interfaces only = Yes
    dns forwarder = 10.2.0.10
    #interfaces = lo eth0
    netbios name = AD-MO3
    realm = NC.NOR-CONSULT.COM
    server role = active directory domain controller
    workgroup = NC
    idmap_ldb:use rfc2307 = yes
    bind interfaces only = yes
    interfaces = 127.0.0.1 10.2.0.35 ::1 fd00:6959:d45d:200::23
    winbind enum users = yes
    winbind enum groups = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/nc.nor-consult.com/scripts
    read only = No
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:

ii  acl                        2.2.53-10                 amd64  access control list - utilities
ii  attr                       1:2.4.48-6                amd64  utilities for manipulating filesystem extended attributes
ii  krb5-config                2.6+nmu1                  all    Configuration files for Kerberos Version 5
ii  krb5-user                  1.18.3-6+deb11u1          amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64              2.2.53-10                 amd64  access control list - shared library
ii  libattr1:amd64             1:2.4.48-6                amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64     1.18.3-6+deb11u1          amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64            1.18.3-6+deb11u1          amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64      1.18.3-6+deb11u1          amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64       2:4.13.13+dfsg-1~deb11u2  amd64  Samba nameservice integration plugins
ii  libpam-krb5:amd64          4.9-2                     amd64  PAM module for MIT Kerberos
ii  libpam-winbind:amd64       2:4.13.13+dfsg-1~deb11u2  amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64         2:4.13.13+dfsg-1~deb11u2  amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64         2:4.13.13+dfsg-1~deb11u2  amd64  Samba winbind client library
ii  python3-samba              2:4.13.13+dfsg-1~deb11u2  amd64  Python 3 bindings for Samba
ii  samba                      2:4.13.13+dfsg-1~deb11u2  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common               2:4.13.13+dfsg-1~deb11u2  all    common files used by both the Samba server and client
ii  samba-common-bin           2:4.13.13+dfsg-1~deb11u2  amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64   2:4.13.13+dfsg-1~deb11u2  amd64  Samba Directory Services Database
ii  samba-libs:amd64           2:4.13.13+dfsg-1~deb11u2  amd64  Samba core libraries
ii  samba-vfs-modules:amd64    2:4.13.13+dfsg-1~deb11u2  amd64  Samba Virtual FileSystem plugins
ii  smbclient                  2:4.13.13+dfsg-1~deb11u2  amd64  command-line SMB/CIFS clients for Unix
ii  winbind                    2:4.13.13+dfsg-1~deb11u2  amd64  service to resolve user and group information from Windows NT servers
-----------

### to-be member server (net ads join fails) ###

Collected config --- 2021-11-18-07:23 -----------
Hostname: v-fs5
DNS Domain: nc.nor-consult.com
FQDN: v-fs5.nc.nor-consult.com
ipaddress: 10.2.0.45 REDACTED.45 fd00:6959:d45d:200:a800:ff:fe48:dc6f REDACTED:a800:ff:fe48:dc6f fd00:6959:d45d:200::2d
-----------
Kerberos SRV _kerberos._tcp.nc.nor-consult.com record verified ok, sample output:
Server:  10.2.0.35
Address: 10.2.0.35#53

_kerberos._tcp.nc.nor-consult.com service = 0 100 88 ad-mo3.nc.nor-consult.com.

Samba is not being run as a DC or a Unix domain member.
-----------
Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 11.1 x86_64
-----------
running command : ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:00:48:dc:6f brd ff:ff:ff:ff:ff:ff
    altname enp0s13
    altname ens13
    inet 10.2.0.45/16 brd 10.2.255.255 scope global eth0
    inet6 fd00:6959:d45d:200:a800:ff:fe48:dc6f/64 scope global dynamic mngtmpaddr
    inet6 REDACTED:a800:ff:fe48:dc6f/64 scope global dynamic mngtmpaddr
    inet6 fd00:6959:d45d:200::2d/56 scope global
    inet6 fe80::a800:ff:fe48:dc6f/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:00:89:ed:9e brd ff:ff:ff:ff:ff:ff
    altname enp0s14
    altname ens14
    inet REDACTED.45/16 brd 10.202.255.255 scope global eth1
    inet6 fe80::a800:ff:fe89:ed9e/64 scope link
-----------
Checking file: /etc/hosts

127.0.0.1 localhost
10.2.0.45 v-fs5.nc.nor-consult.com v-fs5
fd00:6959:d45d:0200::2d v-fs5.nc.nor-consult.com v-fs5

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf

search nc.nor-consult.com norconsult.local nor-consult.com
nameserver 10.2.0.35
-----------
Checking file: /etc/krb5.conf

[libdefaults]
    default_realm = NC.NOR-CONSULT.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind
group:          files winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
-----------
Warning, does not exist
-----------
Installed packages:

ii  acl                        2.2.53-10                 amd64  access control list - utilities
ii  attr                       1:2.4.48-6                amd64  utilities for manipulating filesystem extended attributes
ii  krb5-config                2.6+nmu1                  all    Configuration files for Kerberos Version 5
ii  krb5-user                  1.18.3-6+deb11u1          amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64              2.2.53-10                 amd64  access control list - shared library
ii  libattr1:amd64             1:2.4.48-6                amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64     1.18.3-6+deb11u1          amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64   7.7.0+dfsg-2              amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64            1.18.3-6+deb11u1          amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64      1.18.3-6+deb11u1          amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64       2:4.13.13+dfsg-1~deb11u2  amd64  Samba nameservice integration plugins
ii  libpam-krb5:amd64          4.9-2                     amd64  PAM module for MIT Kerberos
ii  libpam-winbind:amd64       2:4.13.13+dfsg-1~deb11u2  amd64  Windows domain authentication integration plugin
ii  libwbclient0:amd64         2:4.13.13+dfsg-1~deb11u2  amd64  Samba winbind client library
ii  python3-samba              2:4.13.13+dfsg-1~deb11u2  amd64  Python 3 bindings for Samba
ii  samba                      2:4.13.13+dfsg-1~deb11u2  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common               2:4.13.13+dfsg-1~deb11u2  all    common files used by both the Samba server and client
ii  samba-common-bin           2:4.13.13+dfsg-1~deb11u2  amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64   2:4.13.13+dfsg-1~deb11u2  amd64  Samba Directory Services Database
ii  samba-libs:amd64           2:4.13.13+dfsg-1~deb11u2  amd64  Samba core libraries
ii  samba-vfs-modules:amd64    2:4.13.13+dfsg-1~deb11u2  amd64  Samba Virtual FileSystem plugins
ii  winbind                    2:4.13.13+dfsg-1~deb11u2  amd64  service to resolve user and group information from Windows NT servers
-----------

It's still failing in the same spot, and gse_krb5 doesn't give me enough data to know _why_ it's failing or _what_ it's failing to do.

cat /run/samba/smb_krb5/krb5.conf.NC

[libdefaults]
    default_realm = NC.NOR-CONSULT.COM
    default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    NC.NOR-CONSULT.COM = {
        kdc = [fd00:6959:d45d:200::23]:88
        kdc = 10.2.0.35
    }
    NC = {
        kdc = [fd00:6959:d45d:200::23]:88
        kdc = 10.2.0.35
    }

# net ads join -U Administrator -d 10
...
sitename_store: realm = [NC], sitename = [Default-First-Site-Name], expire [2085923199]
gencache_set_data_blob: Adding cache entry with key=[AD_SITENAME/DOMAIN/NC] and timeout=[Wed Dec 31 11:59:59 PM -2147481749 UTC] (67768034554456348 seconds ahead)
sitename_store: realm = [nc.nor-consult.com], sitename [Default-First-Site-Name], expire = [2085923199]
gencache_set_data_blob: Adding cache entry with key=[AD_SITENAME/DOMAIN/NC.NOR-CONSULT.COM] and timeout=[Wed Dec 31 11:59:59 PM -2147481749 UTC] (67768034554456348 seconds ahead)
Successfully contacted LDAP server 10.2.0.35
Opening connection to LDAP server 'ad-mo3.nc.nor-consult.com:389', timeout 15 seconds
Connecting to 10.2.0.35 at port 389
Initialized connection for LDAP server 'ldap://ad-mo3.nc.nor-consult.com:389'
Connected to LDAP server ad-mo3.nc.nor-consult.com
ads_closest_dc: NBT_SERVER_CLOSEST flag set
saf_store: domain = [NC], server = [ad-mo3.nc.nor-consult.com], expire [1637221351]
gencache_set_data_blob: Adding cache entry with key=[SAF/DOMAIN/NC] and timeout=[Thu Nov 18 07:42:31 AM 2021 UTC] (900 seconds ahead)
saf_store: domain = [nc.nor-consult.com], server [ad-mo3.nc.nor-consult.com], expire = [1637221351]
gencache_set_data_blob: Adding cache entry with key=[SAF/DOMAIN/NC.NOR-CONSULT.COM] and timeout=[Thu Nov 18 07:42:31 AM 2021 UTC] (900 seconds ahead)
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password_ext: as Administrator at NC.NOR-CONSULT.COM using [MEMORY:libnet_join_user_creds] as ccache and config [/run/samba/smb_krb5/krb5.conf.NC]
kerberos_kinit_password_ext: Administrator at NC.NOR-CONSULT.COM mapped to Administrator at NC.NOR-CONSULT.COM
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x55cff9e4c6b0]: subreq: 0x55cff9e482f0
gensec_update_send: spnego[0x55cff9e67410]: subreq: 0x55cff9e72330
gensec_update_done: gse_krb5[0x55cff9e4c6b0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55cff9e482f0/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x55cff9e484a0)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
gensec_update_done: spnego[0x55cff9e67410]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55cff9e72330/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x55cff9e724e0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]

### Stalls here for 15-20 min. No joke, this is tedious hell. ###

How can I fix this, or collect more data to figure out where it's failing?

kinit u2
ldapsearch -H ldap://ad-mo3.nc.nor-consult.com -Y GSSAPI -b 'DC=nc,DC=nor-consult,DC=com'

The above works and dumps a surprising number of objects given 1 dc, 1 attempted member server join, and 2 Win10 test PCs joined / parted.

I also wonder, what _should_ the AD and member server look like in a working realm?
Maybe the host / machine name must be allcaps in DNS unlike the all-lowercase I use by default? Though if that's the case, why doesn't Samba just upper()/lower() case places it only expects to use that?

PTR ad-mo3.nc.nor-consult.com

kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com with user[Administrator] realm[NC.NOR-CONSULT.COM]: Can't contact LDAP server
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com with user[Administrator] realm[NC.NOR-CONSULT.COM]: Can't contact LDAP server, fallback to NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
negotiate: struct NEGOTIATE_MESSAGE
    Signature                : 'NTLMSSP'
    MessageType              : NtLmNegotiate (1)
    NegotiateFlags           : 0x62088235 (1644724789)
           1: NTLMSSP_NEGOTIATE_UNICODE
           0: NTLMSSP_NEGOTIATE_OEM
           1: NTLMSSP_REQUEST_TARGET
           1: NTLMSSP_NEGOTIATE_SIGN
           1: NTLMSSP_NEGOTIATE_SEAL
           0: NTLMSSP_NEGOTIATE_DATAGRAM
           0: NTLMSSP_NEGOTIATE_LM_KEY
           0: NTLMSSP_NEGOTIATE_NETWARE
           1: NTLMSSP_NEGOTIATE_NTLM
           0: NTLMSSP_NEGOTIATE_NT_ONLY
           0: NTLMSSP_ANONYMOUS
           0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
           0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
           0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
           1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
           0: NTLMSSP_TARGET_TYPE_DOMAIN
           0: NTLMSSP_TARGET_TYPE_SERVER
           0: NTLMSSP_TARGET_TYPE_SHARE
           1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
           0: NTLMSSP_NEGOTIATE_IDENTIFY
           0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
           0: NTLMSSP_NEGOTIATE_TARGET_INFO
           1: NTLMSSP_NEGOTIATE_VERSION
           1: NTLMSSP_NEGOTIATE_128
           1: NTLMSSP_NEGOTIATE_KEY_EXCH
           0: NTLMSSP_NEGOTIATE_56
    DomainNameLen            : 0x0000 (0)
    DomainNameMaxLen         : 0x0000 (0)
    DomainName               : *
        DomainName               : ''
    WorkstationLen           : 0x0000 (0)
    WorkstationMaxLen        : 0x0000 (0)
    Workstation              : *
        Workstation              : ''
    Version: struct ntlmssp_VERSION
        ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
        ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
        ProductBuild             : 0x0000 (0)
        Reserved: ARRAY(3)
            [0]                      : 0x00 (0)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
        NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (15)
gensec_update_send: ntlmssp[0x55cff9e71550]: subreq: 0x55cff9e482f0
gensec_update_send: spnego[0x55cff9e67410]: subreq: 0x55cff9e72330
gensec_update_done: ntlmssp[0x55cff9e71550]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55cff9e482f0/../../auth/ntlmssp/ntlmssp.c:180]: state[2] error[0 (0x0)] state[struct gensec_ntlmssp_update_state (0x55cff9e484a0)] timer[(nil)] finish[../../auth/ntlmssp/ntlmssp.c:215]
gensec_update_done: spnego[0x55cff9e67410]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55cff9e72330/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x55cff9e724e0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
ads_sasl_spnego_gensec_bind(NTLMSSP) failed for ldap/ad-mo3.nc.nor-consult.com with user[Administrator] realm=[NC.NOR-CONSULT.COM]: Can't contact LDAP server
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : 'V-FS5$'
            netbios_domain_name      : 'NC'
            dns_domain_name          : 'nc.nor-consult.com'
            forest_name              : 'nc.nor-consult.com'
            dn                       : NULL
            domain_guid              : 250143d6-aebe-440e-94c5-f27c7af7857b
            domain_sid               : *
                domain_sid               : S-1-5-21-3458735564-2487305582-1134572456
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: Can't contact LDAP server'
            domain_is_ad             : 0x01 (1)
            set_encryption_types     : 0x00000000 (0)
            krb5_salt                : NULL
            result                   : WERR_NERR_DEFAULTJOINREQUIRED
return code = -1
Failed to join domain: failed to connect to AD: Can't contact LDAP server
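The join log above shows the LDAP TCP connection to 10.2.0.35 succeeding and the stall beginning inside the gse_krb5 (Kerberos) leg of the SASL bind, while the krb5.conf that Samba generated for the join lists an IPv6 KDC before the IPv4 one. A sensible first data-collection step, before going deeper into GSSAPI, is to confirm that every address that file points at is actually reachable from the member server on the port Kerberos will use. The script below is an added example written for this thread; it is not part of the thread, of the debug-collection script linked above, or of Samba. It assumes the krb5.conf layout shown in the thread (a `[realms]` block with `kdc =` lines, bracketed IPv6 literals carrying an explicit port) and embeds a constructed copy of that file; the function names `parse_kdcs`, `tcp_reachable`, `check_join_path` and `self_check` are this example's own.

```python
import re
import socket

# Constructed sample, shaped like the /run/samba/smb_krb5/krb5.conf.NC
# shown in the thread. Samba writes this file for the join; the Kerberos
# library tries the kdc entries in the order they appear.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = NC.NOR-CONSULT.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    NC.NOR-CONSULT.COM = {
        kdc = [fd00:6959:d45d:200::23]:88
        kdc = 10.2.0.35
    }
    NC = {
        kdc = [fd00:6959:d45d:200::23]:88
        kdc = 10.2.0.35
    }
"""

# Accepts "kdc = host", "kdc = host:port" and "kdc = [ipv6-literal]:port".
KDC_LINE = re.compile(
    r"^\s*kdc\s*=\s*(?:\[(?P<v6>[^\]]+)\]|(?P<host>[^\s:\[]+))(?::(?P<port>\d+))?\s*$"
)


def parse_kdcs(conf_text, realm):
    """Return [(host, port), ...] listed for `realm` in the [realms] section,
    in file order. A kdc line without a port means the default, 88."""
    kdcs = []
    in_realms = in_target = False
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):        # section header
            in_realms, in_target = (s == "[realms]"), False
            continue
        if in_realms and s.endswith("{"):                # "REALM = {"
            in_target = s[:-1].strip().rstrip("=").strip() == realm
            continue
        if in_target and s == "}":
            in_target = False
            continue
        if in_target:
            m = KDC_LINE.match(line)
            if m:
                host = m.group("v6") or m.group("host")
                kdcs.append((host, int(m.group("port") or 88)))
    return kdcs


def tcp_reachable(host, port, timeout=3.0):
    """True when a TCP handshake to host:port completes within `timeout`
    seconds. Works for IPv4 and IPv6 literals and for names; getaddrinfo
    picks the address family, so an IPv6-only entry is probed over IPv6."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_join_path(conf_text, realm, ldap_server, timeout=3.0):
    """Probe each KDC the realm lists plus the LDAP server on 389.
    Returns [(label, host, port, reachable)] in probe order, so a stall
    can be attributed to transport (this list) or to the auth layer."""
    results = [("kdc", h, p, tcp_reachable(h, p, timeout))
               for h, p in parse_kdcs(conf_text, realm)]
    results.append(("ldap", ldap_server, 389, tcp_reachable(ldap_server, 389, timeout)))
    return results


def self_check():
    """Offline demonstration of tcp_reachable against a throwaway loopback
    listener: expected (True, False), reachable while listening, refused
    once the listener is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=2.0)
    listener.close()
    return while_open, tcp_reachable("127.0.0.1", port, timeout=2.0)


if __name__ == "__main__":
    # Run this on the member server; the names below are the ones from the thread.
    for label, host, port, ok in check_join_path(
            SAMPLE_KRB5_CONF, "NC.NOR-CONSULT.COM", "ad-mo3.nc.nor-consult.com"):
        print(f"{label:4} {host:>24}:{port:<4} {'reachable' if ok else 'NOT reachable'}")
```

Reading the real file instead of the embedded sample is a matter of passing `open("/run/samba/smb_krb5/krb5.conf.NC").read()` to `check_join_path`. A KDC entry that reports not reachable on the address family it is written in is a transport-level finding, and the DC side of that can be checked against the `interfaces` and `bind interfaces only` lines in its smb.conf; an entry that is reachable while the bind still stalls points at the Kerberos exchange itself, which is the point at which a capture of port 88 traffic becomes the useful next data.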
Rowland Penny
2021-Nov-18 09:06 UTC
[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
On Thu, 2021-11-18 at 00:15 -0800, Michael Evans wrote:
> First, Sorry, It isn't as obvious when Outlook is mostly used in an office
> and everyone's using the defaults, but it becomes really obvious when
> interacting with a mailing list: those defaults are super confusing for
> conversations with many replies. I had to google where the configuration to
> conform with non-Redmond email clients was. Mostly. It keeps inserting []
> even when I don't give it a name to put in the middle, which is aggravating
> to the point that I see why I must have never kept that change.
>
> > On Wed, 2021-11-17 at 13:11 -0800, Michael Evans wrote:
> > > Your Third point: If I DO need it then it isn't _optional_ and the
> > > documentation is incorrect / confusing.
> >
> > Granted, I will fix.
>
> [Michael Evans]
> Thank you.

Now fixed.

> > > Documentation error: Hyperlink is NOT default hyperlink colors and NOT
> > > underlined.
> >
> > You may have a point there, but it does say above the box:
> >
> > Select one of the following hyperlinks to find information about the
> > relevant Samba domain back end and what idmap config lines to add:
> >
> [Michael Evans]
> It's in the middle of a BIG blob of text someone expecting to just
> set the configuration value to "idmap config ad" since it's all
> stored in the AD and not need to set anything else, will skim past.

We cannot stop anyone 'skimming' the wiki documentation, we can only advise that it is read fully.

> Also, for readability, hyperlinks should always present as hyperlinks.
> It would also help to hyperlink to the details page each time the topic
> is mentioned.
> > > idmap config ad <<< That looks like just text with emphasis, NOT a
> > > hyperlink.
> >
> > Well yes, but normal hyperlinks can look just like text until you hover
> > your mouse pointer over them.
> [Michael Evans]
> (added since the previous reply)
> Who's going to do that if it doesn't look like a hyperlink?

Sorry, but you are the first person (that I can remember) to complain about hyperlinks on the wiki.

> It seems to be a deliberate style anti-pattern on the whole wiki.
> The AD page _also_ has disguised hyperlinks that are thus
> skipped because unless you know they /might/ be hyperlinks
> it would never occur to you that it isn't a
> single line configuration flag that is required.

What would you like? Something along the lines of 'Hey, this is a hyperlink'?

> > > https://wiki.samba.org/index.php/Idmap_config_ad
> > >
> > > The Config AD Backend and NSS info sections should be in that order,
> > > not the NSS then AD order.
> >
> > I must be missing something, for as far as I can see, the wiki does
> > show how to set up the winbind backend before how to set up NSS. If you
> > can show where this is different, I will try to fix it.
> >
> [Michael Evans]
> I'm saying the sections should be re-arranged in this order:
>
> Configuring the ad Back End
> then
> The RFC2307 and template Mode Options
>
> This would present the config outline first, then explain variations and
> what the different value options mean.

At one time, setting up a Unix domain member was all on one page, basically as you are suggesting, and it confused everyone. After it was split up into separate pages, the confusion level went down significantly. It isn't perfect and will probably get tweaked over time.

> I would have found it much clearer as a first time / long time ago returning
> reader.
> The example also clarifies given the difference that SAMDOM and DOMAIN
> are placeholder variables for the workgroup/domain.

The wiki tends to use 'DOMAIN' as a placeholder for the netbios domain name (aka workgroup) in descriptions and 'SAMDOM' in examples.

> > > This still fails (r2 is in every group Administrator is in; I expect the
> > > same output)
> > >
> > > net ads join -U r2 -d 5 2>&1
> > ...
> > > _kerberos._tcp.nc.nor-consult.com service = 0 100 88
> > > ad-mo3.nc.nor-consult.com.
> > > Samba is running as an Unix domain member but 'winbindd' is NOT
> > > running.
> > > Check that the winbind package is installed.
> >
> > This shows that at least one Samba daemon is running (but not winbind),
> > so find which are and stop them.
> >
> [Michael Evans]
> I must have forgotten to stop them again at some point after restarting the
> VM during troubleshooting.
>
> systemctl disable smbd nmbd winbind ; systemctl stop smbd nmbd winbind
>
> As I write this reply I am trying again with them stopped.
>
> HOWEVER I'm 99% sure it's going to fail again since it stalled at that place
> it hangs for 15+min. Do I need to purge the local samba databases again?
>
> rm -r /run/samba/*.?db\
> /var/cache/samba/*.?db\
> /var/lib/samba/*.?db\
> /var/lib/samba/private/*.?db
>
> Additional: it failed again as expected, also after purging the above on
> v-fs5.
>
> > Do you really need all those ethernet devices ?
> > Do you really need IPv6 ?
> >
> > > -----------
> The altnames are junk systemd adds... /etc/network/interfaces
> only calls them lo eth0 and eth1 as is proper for a VM.
>
> IPv6 yes, If I have to migrate to a new domain it's far past time that I
> should enable IPv6 internally as well.
> It might not be required today, but it's well past time to be IPv4
> only.

If you use 192.168.0.0/16 it would give you 65,534 possible hosts, do
you have or expect to have that number of hosts?

> > > Checking file: /etc/hosts
> > >
> > > 127.0.0.1 localhost
> > > 10.2.0.45 v-fs5.nc.nor-consult.com v-fs5
> > > fd00:6959:d45d:0200::2d v-fs5.nc.nor-consult.com v-fs5
> >
> > Does this computer have a fixed IP ?
> >
>
> Those are its static IPs yes.
>
> > > Checking file: /etc/resolv.conf
> > >
> > > domain nc.nor-consult.com
> > > search nc.nor-consult.com norconsult.local nor-consult.com
> >
> > 'domain' and search are mutually exclusive, the last one wins, so
> > you might as well remove the 'domain' line.
> > Your 'search' line should only search the AD dns domain, nothing
> > else.
> >
> > > nameserver 10.2.0.35
> >
>
> There are legacy resources that live in other places and shortnames
> for servers that live outside of the domain. That's the search order I
> want to look for hosts in.

You might want to, but you shouldn't set them in your /etc/resolv.conf

> >
> > Not that it matters at this point, but you need to add winbind to
> > the passwd and group lines, also the hosts line should be:
> > hosts: files dns
> >
>
> -----------
>
> [Michael Evans]
> Good, I hate how apple took over .local and no one told them that was
> a bad idea.
>
> > > idmap config NC:range = 3500-999999
> >
> > Why start the 'DOMAIN' range at '3500' ?
> >
> > Rowland
> >
>
> [Michael Evans]
> Reasons of annoyances for migration plans, and I also read that
> 'machine accounts' need UIDs as well, which wasn't in the initial
> plans. It makes sense as each machine must have an agent ID to pair
> with the machine keytab.

Your computers do not require Unix IDs

>
> The question about the member server's IP addresses being static made
> me wonder: should I add records for those services too?
> Which records?

Yes, if your computer is using a fixed IP, you should add A and PTR
records to AD.

>
> Revisiting the records that helped the LDAP tool (external to samba)
> work for those tests:
>
> # Add in-addr.arpa and ip6.arpa reverse lookup zones (I would have
> appreciated -k also working for Kerberos auth here)
>
> # static IPv4 /16 netmask
> samba-tool dns zonecreate ::1 2.10.in-addr.arpa -U Administrator
> samba-tool dns add ::1 2.10.in-addr.arpa 35.0 PTR ad-mo3.nc.nor-consult.com -U Administrator
>
> # static IPv6 /60 netmask
> samba-tool dns zonecreate ::1 0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa -U Administrator
> samba-tool dns add ::1 0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa 3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR ad-mo3.nc.nor-consult.com
>
> Test method:
>
> host 10.2.0.35
> 35.0.2.10.in-addr.arpa domain name pointer ad-mo3.nc.nor-consult.com.
>
> host fd00:6959:d45d:200::23
> 3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa domain name pointer ad-mo3.nc.nor-consult.com.
>
> Note: the output of host is particularly useful as it reverses and
> divides the uncompressed IPv6 notation exactly as necessary on error:
>
> 3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa has no PTR record
>
> Simple cut and paste string operations are sufficient.
>
> +++
>
> samba-tool dns add ::1 2.10.in-addr.arpa 45.0 PTR v-fs5.nc.nor-consult.com -U r2
> samba-tool dns add ::1 0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa d.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR v-fs5.nc.nor-consult.com -U r2
> samba-tool dns add ::1 nc.nor-consult.com v-fs5 A 10.2.0.45 -U r2
> samba-tool dns add ::1 nc.nor-consult.com v-fs5 AAAA fd00:6959:d45d:200::2d -U r2
>
> samba-tool dns query ::1 nc.nor-consult.com '@' ALL
>
>   Name=, Records=4, Children=0
>     AAAA: fd00:6959:d45d:0200:0000:0000:0000:0023 (flags=600000f0, serial=110, ttl=900)
>     SOA: serial=4, refresh=900, retry=600, expire=86400, minttl=3600, ns=ad-mo3.nc.nor-consult.com., email=hostmaster.nc.nor-consult.com. (flags=600000f0, serial=4, ttl=3600)
>     NS: ad-mo3.nc.nor-consult.com. (flags=600000f0, serial=110, ttl=900)
>     A: 10.2.0.35 (flags=600000f0, serial=110, ttl=900)
>   Name=_msdcs, Records=0, Children=0
>   Name=_sites, Records=0, Children=1
>   Name=_tcp, Records=0, Children=4
>   Name=_udp, Records=0, Children=2
>   Name=ad-mo3, Records=2, Children=0
>     AAAA: fd00:6959:d45d:0200:0000:0000:0000:0023 (flags=f0, serial=2, ttl=900)
>     A: 10.2.0.35 (flags=f0, serial=110, ttl=900)
>   Name=DomainDnsZones, Records=0, Children=2
>   Name=ForestDnsZones, Records=0, Children=2
>   Name=v-fs5, Records=2, Children=0
>     A: 10.2.0.45 (flags=f0, serial=3, ttl=900)
>     AAAA: fd00:6959:d45d:0200:0000:0000:0000:002d (flags=f0, serial=4, ttl=900)
>
> Retested: Failed.
>
> Re-thought about hyperlinks missing _ and the wrong color. ad-mo3,
> the DC, is also missing idmap config.
>
> Retested Windows PC join, still works anyway.
>
> v-fs5 passed
> kinit u2
> ldapsearch -H ldap://ad-mo3.nc.nor-consult.com -Y GSSAPI -b 'DC=nc,DC=nor-consult,DC=com'
>
> # on the AD DC
> getfacl /var/lib/samba/sysvol/nc.nor-consult.com/
>
> Q: winbind doesn't seem to show the User or Group names, even with
> the enum users / groups config lines in smb.conf... How to fix nss?
> A: Debian doesn't install libnss-winbind nor libpam-winbind by
> default.
>
> apt install libnss-winbind libpam-winbind
>
> Update /etc/nsswitch.conf if the packages don't add winbind to the
> end of passwd and group lines.

I would suggest you also install libpam-krb5

>
> This is a long email by necessity, I'm out of ideas so I'm collecting
> data on both the AD DC and the member server that fails to join as a
> member server.

I can confirm that running Samba as Unix domain member on Debian 11
works, you just need to set it up correctly.

Rowland
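Rowland's answer to "which records?" is: A and PTR records in AD for every fixed-IP member, and Michael's post above shows the reverse zones being built by hand, including the nibble-by-nibble ip6.arpa name that "simple cut and paste string operations" produce for a /60 prefix. The script below is an added example for this thread, not Samba code and not from either poster; it derives the reverse zone and PTR label from an address and a prefix length, prints the matching samba-tool commands, and checks a line of `host` output against the expected PTR. It assumes, as the posts do, that the DNS server is addressed as ::1 and that the forward zone is everything after the first label of the FQDN; it executes nothing, it only prints.

```python
"""Derive the reverse-zone name and PTR record label that samba-tool expects
for a fixed-IP host, and print the forward/reverse commands for it.

Added example for this thread; not part of Samba and not the poster's code.
Assumptions: the DNS server is addressed as ::1 (as in the posts) and the
forward zone is everything after the first label of the FQDN. Nothing is
executed; the commands are only printed so they can be reviewed first.
"""
from __future__ import annotations

import ipaddress


def reverse_labels(addr: str, prefix_len: int) -> tuple[str, str]:
    """Split the reverse pointer of addr into (reverse_zone, record_name).

    The network prefix must end on a label boundary: a multiple of 8 bits
    for IPv4 (one label per octet) or of 4 bits for IPv6 (one per nibble).
    """
    ip = ipaddress.ip_address(addr)
    bits_per_label = 8 if ip.version == 4 else 4
    if prefix_len % bits_per_label or not 0 < prefix_len < ip.max_prefixlen:
        raise ValueError(f"/{prefix_len} is not a label boundary for IPv{ip.version}")
    # reverse_pointer is already least-significant first, e.g. '35.0.2.10.in-addr.arpa'
    # or the 32-nibble ip6.arpa form, so the split is pure label arithmetic.
    labels = ip.reverse_pointer.split(".")
    host_labels, suffix = labels[:-2], labels[-2:]
    split = len(host_labels) - prefix_len // bits_per_label
    return ".".join(host_labels[split:] + suffix), ".".join(host_labels[:split])


def samba_tool_commands(fqdn: str, addr: str, prefix_len: int,
                        server: str = "::1", user: str = "Administrator") -> list[str]:
    """zonecreate + forward (A/AAAA) + reverse (PTR) commands for one host.

    Run zonecreate once per reverse zone; it fails harmlessly if the zone
    already exists.
    """
    ip = ipaddress.ip_address(addr)
    host, _, forward_zone = fqdn.partition(".")
    rzone, record = reverse_labels(addr, prefix_len)
    rtype = "A" if ip.version == 4 else "AAAA"
    return [
        f"samba-tool dns zonecreate {server} {rzone} -U {user}",
        f"samba-tool dns add {server} {forward_zone} {host} {rtype} {ip} -U {user}",
        f"samba-tool dns add {server} {rzone} {record} PTR {fqdn} -U {user}",
    ]


def ptr_matches(host_output_line: str, addr: str, fqdn: str) -> bool:
    """True if one line of `host <addr>` output is the PTR we expect.

    host prints the full reverse name, so this also catches a PTR added
    under the wrong zone or with a miscounted label.
    """
    expected = f"{ipaddress.ip_address(addr).reverse_pointer} domain name pointer {fqdn}."
    return host_output_line.strip() == expected


if __name__ == "__main__":
    # Hosts and prefixes from the thread: a /16 IPv4 and a /60 IPv6 site prefix.
    hosts = [
        ("ad-mo3.nc.nor-consult.com", "10.2.0.35", 16, "Administrator"),
        ("ad-mo3.nc.nor-consult.com", "fd00:6959:d45d:200::23", 60, "Administrator"),
        ("v-fs5.nc.nor-consult.com", "10.2.0.45", 16, "r2"),
        ("v-fs5.nc.nor-consult.com", "fd00:6959:d45d:200::2d", 60, "r2"),
    ]
    for fqdn, addr, plen, user in hosts:
        print("\n".join(samba_tool_commands(fqdn, addr, plen, user=user)))
```

For the two hosts in the thread this reproduces the zone names and labels Michael typed by hand (2.10.in-addr.arpa / 35.0, and 0.2.0.d.5.4.d.9.5.9.6.0.0.d.f.ip6.arpa / 3.2.0…0), and it rejects a prefix such as /20 that does not fall on a label boundary, which is the case where hand-splitting the ip6.arpa string goes wrong.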
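Rowland's resolver and NSS advice in the reply above is specific: 'domain' and 'search' are mutually exclusive in /etc/resolv.conf and the 'domain' line should go, the 'search' line should name only the AD DNS domain, the passwd and group lines in /etc/nsswitch.conf need winbind (libnss-winbind is not installed by default on Debian), and the hosts line should be `files dns`. The following is an added example for this thread, not Samba code, that checks both files against that advice so the checks can be run on a member server before the next `net ads join` attempt. The resolv.conf sample is the one Michael posted; the nsswitch.conf sample is constructed here in the shape of a Debian default and is an assumption, not from the post.

```python
"""Audit /etc/resolv.conf and /etc/nsswitch.conf for the pitfalls named in
the reply above, before attempting `net ads join`.

Added example for this thread; not Samba code. RESOLV_CONF_POSTED is the
file content from the post. NSSWITCH_CONSTRUCTED is a constructed sample
in the shape of a Debian default (the systemd/mdns entries are an
assumption). Pass the real file contents to the audit functions on a
member server.
"""
from __future__ import annotations

AD_DNS_DOMAIN = "nc.nor-consult.com"

RESOLV_CONF_POSTED = """\
domain nc.nor-consult.com
search nc.nor-consult.com norconsult.local nor-consult.com
nameserver 10.2.0.35
"""

RESOLV_CONF_FIXED = """\
search nc.nor-consult.com
nameserver 10.2.0.35
"""

NSSWITCH_CONSTRUCTED = """\
# constructed sample, not from the post
passwd:         files systemd
group:          files systemd
shadow:         files
hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files
"""

NSSWITCH_FIXED = """\
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
hosts:          files dns
networks:       files
"""


def _rows(text: str) -> list[list[str]]:
    """Whitespace-split each non-blank line, with '#' comments removed."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def audit_resolv_conf(text: str, ad_domain: str = AD_DNS_DOMAIN) -> list[str]:
    """Return findings for resolv.conf; an empty list means it follows the advice."""
    findings = []
    rows = _rows(text)
    keywords = [row[0] for row in rows]
    if "domain" in keywords and "search" in keywords:
        findings.append("'domain' and 'search' are mutually exclusive (the last one wins); remove the 'domain' line")
    for row in rows:
        if row[0] == "search":
            extra = [d for d in row[1:] if d.lower() != ad_domain.lower()]
            if extra:
                findings.append(f"'search' should list only the AD DNS domain {ad_domain}; remove: {' '.join(extra)}")
    if "nameserver" not in keywords:
        findings.append("no 'nameserver' line; the member must resolve names through the AD DC")
    return findings


def audit_nsswitch(text: str) -> list[str]:
    """Return findings for nsswitch.conf; an empty list means it follows the advice."""
    findings = []
    # Map 'passwd:' -> ['files', 'systemd'] etc.; later duplicate lines win, as glibc reads them.
    dbs = {row[0].rstrip(":"): row[1:] for row in _rows(text) if row[0].endswith(":")}
    for db in ("passwd", "group"):
        if "winbind" not in dbs.get(db, []):
            findings.append(f"'{db}:' line does not include winbind (install libnss-winbind and add it)")
    if dbs.get("hosts") != ["files", "dns"]:
        findings.append("'hosts:' line should be exactly 'files dns'")
    return findings


if __name__ == "__main__":
    for label, text, audit in [
        ("resolv.conf as posted", RESOLV_CONF_POSTED, audit_resolv_conf),
        ("resolv.conf fixed", RESOLV_CONF_FIXED, audit_resolv_conf),
        ("nsswitch.conf constructed default", NSSWITCH_CONSTRUCTED, audit_nsswitch),
        ("nsswitch.conf fixed", NSSWITCH_FIXED, audit_nsswitch),
    ]:
        print(f"== {label}")
        for finding in audit(text) or ["ok"]:
            print("  " + finding)
```

Against the posted resolv.conf the audit reports the redundant 'domain' line and the two non-AD search suffixes (norconsult.local and nor-consult.com) that Rowland says should not be set there; against the constructed Debian-style nsswitch.conf it reports the missing winbind on passwd and group and the mdns entry on the hosts line. The fixed samples pass clean.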
Patrick Goetz
2021-Nov-18 11:05 UTC
[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
On 11/18/21 02:15, Michael Evans via samba wrote:
> [Michael Evans]
> (added since the previous reply)
> Who's going to do that if it doesn't look like a hyperlink?
>
> It seems to be a deliberate style anti-pattern on the whole wiki.
> The AD page _also_ has disguised hyperlinks that are thus
> Skipped because unless you know they /might/ be hyperlinks
> it would never occur to you that it isn't a
> single line configuration flag that is required.

Can you post the URL where you're seeing this? And are you sure this
isn't an issue with your browser configuration? Hyperlinks in the Samba
Wiki show up as (clearly formatted) hyperlinks for me.

And yes, I am unable to follow your posts to the list. If you're forced
to use tools like Outlook, you might need to format your responses to
the list like this

> What you're commenting on

Your comment

removing anything that's not relevant. I find that more readable, but
everyone on these linux listservs appears to favor the
insert-your-two-cents-in-the-middle-of-it-all style, so I started doing
it too (except here).