samba - Apr 2022 - Domain join not happening on Debian/Ubuntu machines

Hi Team,

I have done all the settings as mentioned but still the domain join via
winbind fails.

root at cngzh1dnl01:~# net ads join -U media\\svc_domjoin02
Enter media\svc_domjoin02's password:
kerberos_kinit_password svc_domjoin02 at AP.MEDIA.GLOBAL.LOC failed: Client
not found in Kerberos database
Failed to join domain: failed to connect to AD: Client not found in
Kerberos database

Also as quoted above - "If you are going to use multiple domains, you will
need to use
'trusts'." - How to do the same ?

Regards
Sachin Kumar

On Thu, Apr 28, 2022 at 3:34 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Thu, 2022-04-28 at 15:59 +0200, L. van Belle via samba wrote:
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > Hai,
> >
>
> Someone has a very borked email client (either that, or there is a sale
> on for blank lines) :-D
>
> I suggest you remove these lines from the smb.conf:
>
>  passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword: * %n\n *password\supdated\ssuccessfully* .
>  passwd program = /usr/bin/passwd %u
>  unix password sync = Yes
>
> They are only meant for a standalone server.
>
> Change /etc/resolv.conf to this:
>
> search ap.media.global.loc
> nameserver AD_DC_IPADDRESS (repeat for all DCs in the
> ap.media.global.loc dns domain)
>
> If this Unix domain members hostname is 'ubuntu' replace
'127.0.1.1
> ubuntu' in /etc/hosts with:
>
> 127.0.1.1 ubuntu.ap.media.global.loc ubuntu
>
> If it isn't 'ubuntu' then replace 'ubuntu' with the
computers 'FQDN
> shorthostname'
> Remove the last two lines from /etc/hosts
>
> If you are going to use multiple domains, you will need to use
> 'trusts'.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Thu, 2022-04-28 at 17:52 +0100, Sac Isilia via samba
wrote:
> Hi Team,
> 
> I have done all the settings as mentioned but still the domain join
> via
> winbind fails.
> 
> root at cngzh1dnl01:~# net ads join -U media\\svc_domjoin02
You posted this:
workgroup = AP-MEDIA

So why are you using the user 'media\\svc_domjoin02' to join to the
'AP-MEDIA' domain ? the user 'media\\svc_domjoin02' appears to
be fromanother domain.
> Enter media\svc_domjoin02's password:
> kerberos_kinit_password svc_domjoin02 at AP.MEDIA.GLOBAL.LOC failed:
> Client
> not found in Kerberos database
> Failed to join domain: failed to connect to AD: Client not found in
> Kerberos database
This is probably because the user is unknown to the domain.
> 
> Also as quoted above - "If you are going to use multiple domains, you
> will
> need to use
> 'trusts'." - How to do the same ?
Try reading these:
https://wiki.samba.org/index.php/Active_Directory_Trusts
https://wiki.samba.org/index.php/Samba4/Linking_AD_and_unix_directories

However, there isn't really much on the Samba wiki and I don't use
trusts (I once set up a POC forest, but this was way back at Samba
4.9.x). Is there anyone using trusts that could help here ?

Rowland