Michael Evans
2021-Nov-21 00:30 UTC
[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
Is there a known bug related to Samba and IPv6 Samba AD DCs?
I've seen this both in 4.13.13-Debian and 4.13-5-Debian (because I forgot to add the security backports to my test setup).
Created two new debian 11 VMs.
Both only have DHCPed addresses.
I will be using:
DNS domain: test.nc.nor-consult.com
Realm: TEST.NC.NOR-CONSULT.COM
'workgroup': TEST
Hostnames: dtdc and dtdm
I will configure hosts/DNS to be isolated from the normal network and be served from dtdc / hosts on dtdc.
Attempting with IPv6 enabled.
BOTH # apt update ; apt install samba winbind libnss-winbind libpam-winbind libpam-krb5 krb5-user libgssapi3-heimdal libgssapi-krb5-2 bind9-dnsutils sntp
BOTH # systemctl stop smbd nmbd winbind samba-ad-dc ; systemctl disable smbd nmbd winbind samba-ad-dc
# hostnamectl set-hostname ...
hostnamectl now displays a 'static hostname' with no domain portion.
# cat /etc/resolv.conf
search test.nor-consult.com ... more internal and external DNS realms to search
...
nameserver 127.0.0.1
# tail -n 2 /etc/hosts
10.2.0.46 dtdc.test.nor-consult.com dtdc
fd00:6959:d45d:200:a800:ff:fe2a:ddcf dtdc.test.nor-consult.com dtdc
# hostname -s; hostname -d; hostname -f; hostname -i; hostname -I
dtdc
test.nor-consult.com
dtdc.test.nor-consult.com
fd00:6959:d45d:200:a800:ff:fe2a:ddcf 10.2.0.46
10.2.0.46 REDACTED(management IPv4) fd00:6959:d45d:200:a800:ff:fe2a:ddcf REDACTED:a800:ff:fe2a:ddcf
dtdm
test.nor-consult.com
dtdm.test.nor-consult.com
fd00:6959:d45d:200:a800:ff:fec5:be0f 10.2.0.47
10.2.0.47 REDACTED fd00:6959:d45d:200:a800:ff:fec5:be0f REDACTED:a800:ff:fec5:be0f
Automate sntp to run ~1 time per day or on another regular basis. (In this case once per day.)
BOTH: mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
BOTH: rm -r /run/samba/*.?db /var/cache/samba/*.?db /var/lib/samba/*.?db /var/lib/samba/private/*.?db
systemctl unmask samba-ad-dc
samba-tool \
domain provision \
--use-rfc2307 \
--realm=TEST.NOR-CONSULT.COM --domain=TEST \
--server-role=dc --dns-backend=SAMBA_INTERNAL \
--option="interfaces=lo 10.2.0.46 fd00:6959:d45d:200:a800:ff:fe2a:ddcf" --option="bind interfaces only=yes" \
--adminpass=bad_Test.pass \
--host-ip=10.2.0.46 --host-ip6=fd00:6959:d45d:200:a800:ff:fe2a:ddcf 2>&1 | tee /root/samba-tool-provision-test.txt
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #489: Once the above files are installed, your Samba AD server will be ready to use
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #494: Server Role: active directory domain controller
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #495: Hostname: dtdc
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #496: NetBIOS Domain: TEST
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #497: DNS Domain: test.nor-consult.com
INFO 2021-11-20 23:48:01,351 pid:13524 /usr/lib/python3/dist-packages/samba/provision/__init__.py #498: DOMAIN SID: S-1-5-21-1856739620-2608707231-3517554343
systemctl start samba-ad-dc ;\
# host -t SRV _ldap._tcp.test.nor-consult.com ; host -t SRV _kerberos._udp.test.nor-consult.com ; host -a dtdc.test.nor-consult.com
_ldap._tcp.test.nor-consult.com has SRV record 0 100 389 dtdc.test.nor-consult.com.
_kerberos._udp.test.nor-consult.com has SRV record 0 100 88 dtdc.test.nor-consult.com.
Trying "dtdc.test.nor-consult.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52624
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;dtdc.test.nor-consult.com. IN ANY
;; ANSWER SECTION:
dtdc.test.nor-consult.com. 900 IN A 10.2.0.46
dtdc.test.nor-consult.com. 900 IN AAAA fd00:6959:d45d:200:a800:ff:fe2a:ddcf
;; AUTHORITY SECTION:
test.nor-consult.com. 3600 IN SOA dtdc.test.nor-consult.com.
hostmaster.test.nor-consult.com. 1 900 600 86400 3600
Received 134 bytes from 127.0.0.1#53 in 0 ms
## Both
mv /etc/krb5.conf /etc/krb5.conf.dist
editor /etc/krb5.conf
[libdefaults]
default_realm = TEST.NOR-CONSULT.COM
dns_lookup_realm = false
dns_lookup_kdc = true
chmod 644 /etc/krb5.conf
On a NON-VM host, set up a full NTP server. For a VM, only periodically (and at boot too) run sntp to correct the local clock offset.
# samba already stopped and disabled above.
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
dtdc # cat /etc/samba/smb.conf
# Global parameters
[global]
bind interfaces only = Yes
dns forwarder = 127.0.0.1
interfaces = lo 10.2.0.46 fd00:6959:d45d:200:a800:ff:fe2a:ddcf
netbios name = DTDC
realm = TEST.NOR-CONSULT.COM
server role = active directory domain controller
workgroup = TEST
idmap_ldb:use rfc2307 = yes
### WARNING ### DO NOT config __ idmap __ on a domain controller!
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/test.nor-consult.com/scripts
read only = No
editor /etc/samba/smb.conf
[global]
security = ads
realm = TEST.NOR-CONSULT.COM
workgroup = TEST
server string = Samba Client %h
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
winbind normalize names = Yes
disable netbios = yes
# Just copied this from the recommended configuration, modify to reflect your needs.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999
idmap config SAMDOM : unix_nss_info = yes
# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
# turn off usershares
usershare max shares = 0
[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S
# editor /etc/samba/user.map
!root = TEST\Administrator
# editor /etc/resolv.conf
search test.nor-consult.com
nameserver 10.2.0.46
net ads join -d5 -U Administrator
signed SMB2 message
signed SMB2 message
Bind RPC Pipe: host dtdc.test.nor-consult.com auth_type 0, auth_level 1
rpc_api_pipe: host dtdc.test.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host dtdc.test.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host dtdc.test.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 216
rpc_api_pipe: host dtdc.test.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 32
signed SMB2 message
saf_fetch: failed to find server for "test.nor-consult.com" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for test.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.46:88 fd00:6959:d45d:200:a800:ff:fe2a:ddcf:88
saf_fetch: failed to find server for "test.nor-consult.com" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for test.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.46:88 fd00:6959:d45d:200:a800:ff:fe2a:ddcf:88
create_local_private_krb5_conf_for_domain: wrote file /run/samba/smb_krb5/krb5.conf.TEST with realm TEST.NOR-CONSULT.COM KDC list = kdc = [fd00:6959:d45d:200:a800:ff:fe2a:ddcf]:88
kdc = 10.2.0.46
sitename_fetch: Returning sitename for realm 'TEST.NOR-CONSULT.COM': "Default-First-Site-Name"
name dtdc.test.nor-consult.com#20 found.
ads_try_connect: sending CLDAP request to 10.2.0.46 (realm: test.nor-consult.com)
Successfully contacted LDAP server 10.2.0.46
Connecting to 10.2.0.46 at port 389
Connected to LDAP server dtdc.test.nor-consult.com
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
--- STALLS here for ~15 min. Replicable test-case on my setup. eth1 and related IPs should be ignored by Samba as they are on a different 10. subnet mask entirely and the server is only listening on specified IPs.
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dtdc.test.nor-consult.com with user[Administrator] realm[TEST.NOR-CONSULT.COM]: Can't contact LDAP server
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dtdc.test.nor-consult.com with user[Administrator] realm[TEST.NOR-CONSULT.COM]: Can't contact LDAP server, fallback to NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
ads_sasl_spnego_gensec_bind(NTLMSSP) failed for ldap/dtdc.test.nor-consult.com with user[Administrator] realm=[TEST.NOR-CONSULT.COM]: Can't contact LDAP server
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : 'DTDM$'
netbios_domain_name : 'TEST'
dns_domain_name : 'test.nor-consult.com'
forest_name : 'test.nor-consult.com'
dn : NULL
domain_guid : 11bb1fdb-22b6-4bfc-9f75-6604b90790e5
domain_sid : *
domain_sid : S-1-5-21-1856739620-2608707231-3517554343
modified_config : 0x00 (0)
error_string : 'failed to connect to AD: Can't contact LDAP server'
domain_is_ad : 0x01 (1)
set_encryption_types : 0x00000000 (0)
krb5_salt : NULL
result : WERR_NERR_DEFAULTJOINREQUIRED
Failed to join domain: failed to connect to AD: Can't contact LDAP server
return code = -1
The big difference I notice between my config and Rowland Penny's provided working outline? No IPv6.
It looks easier to nuke the 1 ADDC only domain and restart from scratch.
systemctl stop samba-ad-dc
rm -r /run/samba/*.?db /var/cache/samba/*.?db /var/lib/samba/*.?db /var/lib/samba/private/*.?db
samba-tool \
domain provision \
--use-rfc2307 \
--realm=TEST.NOR-CONSULT.COM --domain=TEST \
--server-role=dc --dns-backend=SAMBA_INTERNAL \
--option="interfaces=lo 10.2.0.46" --option="bind interfaces only=yes" \
--adminpass=bad_Test.pass \
--host-ip=10.2.0.46 2>&1 | tee /root/samba-tool-provision-test2.txt
INFO 2021-11-21 00:22:37,440 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2139: Looking up IPv6 addresses
WARNING 2021-11-21 00:22:37,440 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2146: No IPv6 address will be assigned
INFO 2021-11-21 00:22:37,650 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2290: Setting up share.ldb
INFO 2021-11-21 00:22:39,284 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2294: Setting up secrets.ldb
INFO 2021-11-21 00:22:40,449 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2299: Setting up the registry
INFO 2021-11-21 00:22:43,338 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2302: Setting up the privileges database
INFO 2021-11-21 00:22:45,408 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2305: Setting up idmap db
INFO 2021-11-21 00:22:46,704 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2312: Setting up SAM db
INFO 2021-11-21 00:22:46,852 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #897: Setting up sam.ldb partitions and settings
INFO 2021-11-21 00:22:46,853 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #909: Setting up sam.ldb rootDSE
INFO 2021-11-21 00:22:46,962 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1322: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2021-11-21 00:22:47,628 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1400: Adding DomainDN: DC=test,DC=nor-consult,DC=com
INFO 2021-11-21 00:22:47,769 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1432: Adding configuration container
INFO 2021-11-21 00:22:48,010 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1447: Setting up sam.ldb schema
INFO 2021-11-21 00:22:50,125 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1465: Setting up sam.ldb configuration data
INFO 2021-11-21 00:22:50,244 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1506: Setting up display specifiers
INFO 2021-11-21 00:22:51,632 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1514: Modifying display specifiers and extended rights
INFO 2021-11-21 00:22:51,661 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1521: Adding users container
INFO 2021-11-21 00:22:51,662 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1527: Modifying users container
INFO 2021-11-21 00:22:51,663 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1530: Adding computers container
INFO 2021-11-21 00:22:51,664 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1536: Modifying computers container
INFO 2021-11-21 00:22:51,664 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1540: Setting up sam.ldb data
INFO 2021-11-21 00:22:51,772 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1570: Setting up well known security principals
INFO 2021-11-21 00:22:51,804 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1584: Setting up sam.ldb users and groups
INFO 2021-11-21 00:22:51,894 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1592: Setting up self join
Repacking database from v1 to v2 format (first record CN=Cost,CN=Schema,CN=Configuration,DC=test,DC=nor-consult,DC=com)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=domainDNS-Display,CN=C0A,CN=DisplaySpecifiers,CN=Configuration,DC=test,DC=nor-consult,DC=com)
Repacking database from v1 to v2 format (first record CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=test,DC=nor-consult,DC=com)
INFO 2021-11-21 00:22:58,209 pid:13690 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1143: Adding DNS accounts
INFO 2021-11-21 00:22:59,214 pid:13690 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1177: Creating CN=MicrosoftDNS,CN=System,DC=test,DC=nor-consult,DC=com
INFO 2021-11-21 00:22:59,228 pid:13690 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1190: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2021-11-21 00:22:59,797 pid:13690 /usr/lib/python3/dist-packages/samba/provision/sambadns.py #1195: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=@,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=nor-consult,DC=com)
Repacking database from v1 to v2 format (first record DC=_ldap._tcp.dc,DC=_msdcs.test.nor-consult.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=nor-consult,DC=com)
INFO 2021-11-21 00:23:01,933 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2026: Setting up sam.ldb rootDSE marking as synchronized
INFO 2021-11-21 00:23:01,965 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2031: Fixing provision GUIDs
INFO 2021-11-21 00:23:03,865 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2364: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
INFO 2021-11-21 00:23:03,866 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2366: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2021-11-21 00:23:04,417 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2096: Setting up fake yp server settings
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #489: Once the above files are installed, your Samba AD server will be ready to use
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #494: Server Role: active directory domain controller
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #495: Hostname: dtdc
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #496: NetBIOS Domain: TEST
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #497: DNS Domain: test.nor-consult.com
INFO 2021-11-21 00:23:05,376 pid:13690 /usr/lib/python3/dist-packages/samba/provision/__init__.py #498: DOMAIN SID: S-1-5-21-2402865183-1479636081-2572501061
# systemctl start samba-ad-dc
# host -t SRV _ldap._tcp.test.nor-consult.com ; host -t SRV _kerberos._udp.test.nor-consult.com ; host -a dtdc.test.nor-consult.com
_ldap._tcp.test.nor-consult.com has SRV record 0 100 389 dtdc.test.nor-consult.com.
_kerberos._udp.test.nor-consult.com has SRV record 0 100 88 dtdc.test.nor-consult.com.
Trying "dtdc.test.nor-consult.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63904
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;dtdc.test.nor-consult.com. IN ANY
;; ANSWER SECTION:
dtdc.test.nor-consult.com. 900 IN A 10.2.0.46
;; AUTHORITY SECTION:
test.nor-consult.com. 3600 IN SOA dtdc.test.nor-consult.com.
hostmaster.test.nor-consult.com. 1 900 600 86400 3600
Received 106 bytes from 127.0.0.1#53 in 0 ms
--
Retry joining the client
dtdm # net ads join -d5 -U Administrator
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password Administrator@TEST.NOR-CONSULT.COM failed: Cannot contact any KDC for requested realm
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dtdc.test.nor-consult.com with user[Administrator] realm[TEST.NOR-CONSULT.COM]: Cannot contact any KDC for requested realm, fallback to NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
ads_gen_add: AD LDAP: Adding cn=DTDM,CN=Computers,dc=TEST,dc=NOR-CONSULT,dc=COM
libnet_join_precreate_machine_acct: Machine account successfully created
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : 'DTDM$'
netbios_domain_name : 'TEST'
dns_domain_name : 'test.nor-consult.com'
forest_name : 'test.nor-consult.com'
dn : NULL
domain_guid : 9ffd802f-662b-430e-8e49-5218e62b57a1
domain_sid : *
domain_sid : S-1-5-21-2402865183-1479636081-2572501061
modified_config : 0x00 (0)
error_string : 'Failed to set machine spn: Time
limit exceeded
Do you have sufficient permissions to create machine accounts?'
domain_is_ad : 0x01 (1)
set_encryption_types : 0x00000000 (0)
krb5_salt : NULL
result : WERR_GEN_FAILURE
Failed to join domain: Failed to set machine spn: Time limit exceeded
Do you have sufficient permissions to create machine accounts?
return code = -1
Freed frame ../../source3/utils/net.c:957, expected ../../source3/libnet/libnet_join.c:506.
This succeeded; only when the AD DC was __not listening on an IPv6 interface__ / did not have a KDC listed on the domain in IPv6.
NOTE: IPv6 was still fully enabled on both hosts; the only changes I made from fail to "working" were binding samba to IPv4 only (as shown in the setup command).
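The join above stalled for about fifteen minutes inside the Kerberos bind before failing with "Can't contact LDAP server", and the only variable changed between the failing and the "working" run was whether the DC published and listened on an IPv6 address. The script below is an added example, not code from the post or from Samba: it repeats the author's `host -t SRV` check, expands each SRV target to all of its A and AAAA addresses, and TCP-connects to the Kerberos (88) and LDAP (389) ports on every address with a short timeout, so an address family that never answers shows up as a verdict in seconds instead of as a hang. The SRV sample text is copied from the post; all function names are mine, and the loopback demo is a constructed stand-in for a live DC.

```python
"""Probe every DC address a `net ads join` would use, per address family.

Added example (not from the post or from Samba). Parses `host -t SRV`
output, expands each target to its A/AAAA addresses, and TCP-connects to
ports 88 and 389 on each with a short timeout.
"""
import socket
import sys
from typing import Dict, List, Tuple

# `host -t SRV` output copied from the post above (sample text, not live data).
SAMPLE_SRV_OUTPUT = """\
_ldap._tcp.test.nor-consult.com has SRV record 0 100 389 dtdc.test.nor-consult.com.
_kerberos._udp.test.nor-consult.com has SRV record 0 100 88 dtdc.test.nor-consult.com.
"""

Target = Tuple[int, str]                   # (address family, address)
Results = Dict[Tuple[int, str, int], str]  # (family, address, port) -> verdict


def parse_host_srv(output: str) -> List[Tuple[str, int, str]]:
    """Return (service, port, target) for each `host -t SRV` answer line."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        # "<service> has SRV record <prio> <weight> <port> <target>."
        if len(parts) == 8 and parts[1:4] == ["has", "SRV", "record"]:
            records.append((parts[0], int(parts[6]), parts[7].rstrip(".")))
    return records


def resolve_all(host: str) -> List[Target]:
    """All distinct A/AAAA addresses of host as (family, address) pairs."""
    targets: List[Target] = []
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return targets
    for fam, _, _, _, sockaddr in infos:
        if (fam, sockaddr[0]) not in targets:
            targets.append((fam, sockaddr[0]))
    return targets


def tcp_probe(family: int, addr: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connect: open / refused / timeout / unreachable."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"       # host answers, nothing listens on that address:port
    except socket.timeout:
        return "timeout"       # SYN sent, no reply at all (filtered or black-holed)
    except OSError:
        return "unreachable"   # no route, or that family is not usable from here
    finally:
        sock.close()


def probe_targets(targets: List[Target], ports=(88, 389), timeout: float = 3.0) -> Results:
    """Probe every (family, address) on every port."""
    return {(fam, addr, port): tcp_probe(fam, addr, port, timeout)
            for fam, addr in targets for port in ports}


def family_asymmetry(results: Results) -> List[Tuple[int, str, int, str]]:
    """Endpoints that fail on a port which is open on some other address
    (the shape of the failure in the post: IPv4 works, IPv6 never answers)."""
    open_ports = {port for (_, _, port), v in results.items() if v == "open"}
    return [(fam, addr, port, v) for (fam, addr, port), v in results.items()
            if v != "open" and port in open_ports]


def probe_from_srv(output: str, timeout: float = 3.0):
    """Whole pipeline: SRV text -> addresses -> verdicts -> asymmetries."""
    targets: List[Target] = []
    for _service, _port, host in parse_host_srv(output):
        for t in resolve_all(host):
            if t not in targets:
                targets.append(t)
    results = probe_targets(targets, timeout=timeout)
    return results, family_asymmetry(results)


def demo_offline() -> Results:
    """Constructed loopback run: one listening port and one closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here any more, so connects are refused
    try:
        return probe_targets([(socket.AF_INET, "127.0.0.1")],
                             ports=(open_port, closed_port), timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    # Live use: `host -t SRV _ldap._tcp.<domain> | python3 probe.py`; otherwise loopback demo.
    results, asym = probe_from_srv(sys.stdin.read()) if not sys.stdin.isatty() else (demo_offline(), [])
    for (fam, addr, port), verdict in sorted(results.items(), key=lambda kv: (kv[0][2], kv[0][0])):
        print(f"{'IPv6' if fam == socket.AF_INET6 else 'IPv4'} {addr}:{port} {verdict}")
    for fam, addr, port, verdict in asym:
        print(f"ASYMMETRY: port {port} is open on another address but {verdict} on {addr}")
```

A `timeout` verdict on the AAAA address while the A address is `open` is the cheap version of the fifteen-minute stall; a `refused` verdict instead points at the DC not listening on that address (compare `ss -nl` on the DC), and `unreachable` at the member host having no usable route for that family.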
Michael Evans
2021-Nov-22 05:58 UTC
[Samba] Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
I was mistaken, I noticed that the result was really a failure; however it failed far faster than when it was trying to talk over IPv6, so I'd assumed it had worked and the result message looked like a success; wishful thoughts.
Trying the full IPv6 disable test.
editor /etc/sysctl.d/98-noipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Edit the linux commandline provided by the VM environment: ipv6.disable=1
Reboot from the VM to have it take effect.
host -t SRV _ldap._tcp.test.nor-consult.com ; host -t SRV _kerberos._udp.test.nor-consult.com ; host -a dtdc.test.nor-consult.com
_ldap._tcp.test.nor-consult.com has SRV record 0 100 389 dtdc.test.nor-consult.com.
_kerberos._udp.test.nor-consult.com has SRV record 0 100 88 dtdc.test.nor-consult.com.
Trying "dtdc.test.nor-consult.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2836
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;dtdc.test.nor-consult.com. IN ANY
;; ANSWER SECTION:
dtdc.test.nor-consult.com. 900 IN A 10.2.0.46
;; AUTHORITY SECTION:
test.nor-consult.com. 3600 IN SOA dtdc.test.nor-consult.com.
hostmaster.test.nor-consult.com. 1 900 600 86400 3600
Received 106 bytes from 10.2.0.46#53 in 0 ms
net ads join -d5 -U Administrator 2>&1 | tee join-21.txt
...
resolve_ads: Attempting to resolve KDCs for test.nor-consult.com using DNS
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 10.2.0.46:88
create_local_private_krb5_conf_for_domain: wrote file /run/samba/smb_krb5/krb5.conf.TEST with realm TEST.NOR-CONSULT.COM KDC list = kdc = 10.2.0.46
sitename_fetch: Returning sitename for realm 'TEST.NOR-CONSULT.COM': "Default-First-Site-Name"
name dtdc.test.nor-consult.com#20 found.
ads_try_connect: sending CLDAP request to 10.2.0.46 (realm: test.nor-consult.com)
Successfully contacted LDAP server 10.2.0.46
Connecting to 10.2.0.46 at port 389
Connected to LDAP server dtdc.test.nor-consult.com
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password Administrator@TEST.NOR-CONSULT.COM failed: Cannot contact any KDC for requested realm
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dtdc.test.nor-consult.com with user[Administrator] realm[TEST.NOR-CONSULT.COM]: Cannot contact any KDC for requested realm, fallback to NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
... x4 + some console spam
ads_gen_add: AD LDAP: Adding cn=DTDM,CN=Computers,dc=TEST,dc=NOR-CONSULT,dc=COM
... It has hung here for OVER an HOUR.
I did copy the krb5.conf file it was using though.
root@dtdm:~# cp /run/samba/smb_krb5/krb5.conf.TEST /etc/krb5.conf.brokenTEST
root@dtdm:~# cat /etc/krb5.conf.brokenTEST
[libdefaults]
default_realm = TEST.NOR-CONSULT.COM
default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
TEST.NOR-CONSULT.COM = {
kdc = 10.2.0.46
}
TEST = {
kdc = 10.2.0.46
}
bad_Test.pass
KRB5_CONFIG=/etc/krb5.conf.brokenTEST kinit Administrator@TEST.NOR-CONSULT.COM
Password for Administrator@TEST.NOR-CONSULT.COM:
kinit: Cannot contact any KDC for realm 'TEST.NOR-CONSULT.COM' while getting initial credentials
KRB5_TRACE=/dev/stderr KRB5_CONFIG=/etc/krb5.conf.brokenTEST kinit Administrator@TEST.NOR-CONSULT.COM
[621] 1637559631.591668: Getting initial credentials for Administrator@TEST.NOR-CONSULT.COM
[621] 1637559631.591670: Sending unauthenticated request
[621] 1637559631.591671: Sending request (209 bytes) to TEST.NOR-CONSULT.COM
[621] 1637559631.591672: Resolving hostname 10.2.0.46
[621] 1637559631.591673: Sending initial UDP request to dgram 10.2.0.46:88
[621] 1637559631.591674: Received answer (317 bytes) from dgram 10.2.0.46:88
[621] 1637559631.591675: Sending DNS URI query for _kerberos.TEST.NOR-CONSULT.COM.
[621] 1637559631.591676: No URI records found
[621] 1637559631.591677: Sending DNS SRV query for _kerberos-master._udp.TEST.NOR-CONSULT.COM.
[621] 1637559631.591678: Sending DNS SRV query for _kerberos-master._tcp.TEST.NOR-CONSULT.COM.
[621] 1637559631.591679: No SRV records found
[621] 1637559631.591680: Response was not from master KDC
[621] 1637559631.591681: Received error from KDC: -1765328359/Additional pre-authentication required
[621] 1637559631.591684: Preauthenticating using KDC method data
[621] 1637559631.591685: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[621] 1637559631.591686: Selected etype info: etype aes256-cts, salt "TEST.NOR-CONSULT.COMAdministrator", params "\x00\x00\x10\x00"
Password for Administrator@TEST.NOR-CONSULT.COM:
[621] 1637559637.181263: AS key obtained for encrypted timestamp: aes256-cts/4A17
[621] 1637559637.181265: Encrypted timestamp (for 1637559636.710429): plain 301AA011180F32303231313132323035343033365AA10502030AD71D, encrypted ED6D444B0743B50F77C07302B9678692821D35A8AF259046F5C631B1FEF69C1C52CDD7AC751C41540E7A7C83B01CE63CC06B1BA3ACCC8611
[621] 1637559637.181266: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[621] 1637559637.181267: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[621] 1637559637.181268: Sending request (289 bytes) to TEST.NOR-CONSULT.COM
[621] 1637559637.181269: Resolving hostname 10.2.0.46
[621] 1637559637.181270: Sending initial UDP request to dgram 10.2.0.46:88
[621] 1637559637.181271: Received answer (192 bytes) from dgram 10.2.0.46:88
[621] 1637559637.181272: Sending DNS URI query for _kerberos.TEST.NOR-CONSULT.COM.
[621] 1637559637.181273: No URI records found
[621] 1637559637.181274: Sending DNS SRV query for _kerberos-master._udp.TEST.NOR-CONSULT.COM.
[621] 1637559637.181275: Sending DNS SRV query for _kerberos-master._tcp.TEST.NOR-CONSULT.COM.
[621] 1637559637.181276: No SRV records found
[621] 1637559637.181277: Response was not from master KDC
[621] 1637559637.181278: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[621] 1637559637.181279: Request or response is too big for UDP; retrying with TCP
[621] 1637559637.181280: Sending request (289 bytes) to TEST.NOR-CONSULT.COM (tcp only)
[621] 1637559637.181281: Resolving hostname 10.2.0.46
[621] 1637559637.181282: Initiating TCP connection to stream 10.2.0.46:88
[621] 1637559637.181283: Sending TCP request to stream 10.2.0.46:88
[621] 1637559661.265737: Terminating TCP connection to stream 10.2.0.46:88
kinit: Cannot contact any KDC for realm 'TEST.NOR-CONSULT.COM' while getting initial credentials
root@dtdc:~# ss -nl | grep :88
udp UNCONN 0 0 10.2.0.46:88 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:88 0.0.0.0:*
tcp LISTEN 0 0 10.2.0.46:88 0.0.0.0:*
tcp LISTEN 0 0 127.0.0.1:88 0.0.0.0:*
DNS strikes me as maybe an issue:
[621] 1637559631.591675: Sending DNS URI query for _kerberos.TEST.NOR-CONSULT.COM.
[621] 1637559631.591676: No URI records found
[621] 1637559631.591677: Sending DNS SRV query for _kerberos-master._udp.TEST.NOR-CONSULT.COM.
[621] 1637559631.591678: Sending DNS SRV query for _kerberos-master._tcp.TEST.NOR-CONSULT.COM.
[621] 1637559631.591679: No SRV records found
[621] 1637559631.591680: Response was not from master KDC
However it ends up trying to connect anyway.
[621] 1637559637.181283: Sending TCP request to stream 10.2.0.46:88
[621] 1637559661.265737: Terminating TCP connection to stream 10.2.0.46:88
kinit: Cannot contact any KDC for realm 'TEST.NOR-CONSULT.COM' while getting initial credentials
What log entries need to be set to see the other side of this on the Samba AD DC? Maybe that will illuminate what's going wrong?
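The KRB5_TRACE output in this post already localizes the fault on the client side: both AS-REQ exchanges over UDP were answered (the first with "Additional pre-authentication required", the second with "Response too big for UDP, retry with TCP"), and it is the forced TCP retry to 10.2.0.46:88 that gets no reply for about 24 seconds before kinit gives up. The `_kerberos-master` SRV lookups and "Response was not from master KDC" lines are MIT Kerberos's routine master-KDC lookup and are not the failure. The parser below is an added example, not code from the post or from MIT Kerberos: it reads the `[pid] seconds.micros: message` lines that `KRB5_TRACE=/dev/stderr` produces, pairs each "Sending ... request" with the matching "Received answer" or "Terminating TCP connection", and reports per exchange whether the KDC answered, how long the client waited, and which KDC error came back. The sample trace is the post's own lines; treating the timestamp field as seconds for the elapsed-time computation is an assumption, and all names are mine.

```python
"""Classify transport outcomes in an MIT Kerberos KRB5_TRACE log.

Added example (not from the post or from MIT Kerberos). Pairs every
"Sending ... request" with its answer or with "Terminating TCP connection"
so a KDC that accepts the TCP connection but never replies is reported as
"no_reply" with the time waited.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Trace lines copied from the post above (sample text, not live data).
SAMPLE_TRACE = """\
[621] 1637559631.591673: Sending initial UDP request to dgram 10.2.0.46:88
[621] 1637559631.591674: Received answer (317 bytes) from dgram 10.2.0.46:88
[621] 1637559631.591681: Received error from KDC: -1765328359/Additional pre-authentication required
[621] 1637559637.181270: Sending initial UDP request to dgram 10.2.0.46:88
[621] 1637559637.181271: Received answer (192 bytes) from dgram 10.2.0.46:88
[621] 1637559637.181278: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[621] 1637559637.181282: Initiating TCP connection to stream 10.2.0.46:88
[621] 1637559637.181283: Sending TCP request to stream 10.2.0.46:88
[621] 1637559661.265737: Terminating TCP connection to stream 10.2.0.46:88
"""

LINE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
SEND_RE = re.compile(r"Sending (?:initial UDP|TCP) request to (dgram|stream) (\S+)")
RECV_RE = re.compile(r"Received answer \((\d+) bytes\) from (dgram|stream) (\S+)")
TERM_RE = re.compile(r"Terminating TCP connection to stream (\S+)")
KDCERR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.*)")


@dataclass
class Exchange:
    transport: str              # "udp" or "tcp"
    endpoint: str               # "addr:port" exactly as the library prints it
    sent_at: float              # timestamp field, assumed to be seconds
    outcome: str = "pending"    # "answered" | "no_reply" | "pending"
    elapsed: Optional[float] = None
    reply_bytes: int = 0
    kdc_error: Optional[int] = None
    kdc_message: str = ""


def parse_trace(text: str) -> List[Exchange]:
    """Walk the trace once, opening an exchange per send and closing it on reply/teardown."""
    exchanges: List[Exchange] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = float(m.group(2)), m.group(3)
        pending = exchanges[-1] if exchanges and exchanges[-1].outcome == "pending" else None
        if (s := SEND_RE.search(msg)):
            exchanges.append(Exchange("udp" if s.group(1) == "dgram" else "tcp", s.group(2), ts))
        elif (r := RECV_RE.search(msg)) and pending and pending.endpoint == r.group(3):
            pending.outcome, pending.elapsed = "answered", round(ts - pending.sent_at, 6)
            pending.reply_bytes = int(r.group(1))
        elif (t := TERM_RE.search(msg)) and pending and pending.transport == "tcp" \
                and pending.endpoint == t.group(1):
            # The connection was accepted and the request written, but nothing came back.
            pending.outcome, pending.elapsed = "no_reply", round(ts - pending.sent_at, 6)
        elif (e := KDCERR_RE.search(msg)) and exchanges:
            exchanges[-1].kdc_error = int(e.group(1))   # belongs to the exchange just answered
            exchanges[-1].kdc_message = e.group(2)
    return exchanges


def silent_tcp_endpoints(exchanges: List[Exchange]) -> List[Tuple[str, float]]:
    """(endpoint, seconds waited) for every TCP request the KDC never answered."""
    return [(x.endpoint, round(x.elapsed, 2))
            for x in exchanges if x.transport == "tcp" and x.outcome == "no_reply"]


def summarize(exchanges: List[Exchange]) -> List[str]:
    lines = []
    for x in exchanges:
        status = f"{x.outcome} after {x.elapsed:.2f}s" if x.elapsed is not None else x.outcome
        err = f"; KDC error {x.kdc_error}: {x.kdc_message}" if x.kdc_error is not None else ""
        lines.append(f"{x.transport.upper()} -> {x.endpoint}: {status}{err}")
    return lines


if __name__ == "__main__":
    # Live use: KRB5_TRACE=/dev/stderr kinit user@REALM 2>&1 | python3 krb5trace.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACE
    print("\n".join(summarize(parse_trace(text))))
```

Run against the post's trace it reports two answered UDP exchanges and one TCP exchange to 10.2.0.46:88 with no reply after 24.08 s, which is the line to carry over to the DC: the question for the DC side is why its TCP listener on port 88 accepted the connection and never wrote a KDC-REP or KRB-ERROR.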