Rowland Penny
2022-Apr-28 17:19 UTC
[Samba] Domain join not happening on Debian/Ubuntu machines
On Thu, 2022-04-28 at 17:52 +0100, Sac Isilia via samba wrote:
> Hi Team,
>
> I have done all the settings as mentioned but still the domain join
> via winbind fails.
>
> root at cngzh1dnl01:~# net ads join -U media\\svc_domjoin02

You posted this:

workgroup = AP-MEDIA

So why are you using the user 'media\\svc_domjoin02' to join to the 'AP-MEDIA' domain? The user 'media\\svc_domjoin02' appears to be from another domain.

> Enter media\svc_domjoin02's password:
> kerberos_kinit_password svc_domjoin02 at AP.MEDIA.GLOBAL.LOC failed: Client not found in Kerberos database
> Failed to join domain: failed to connect to AD: Client not found in Kerberos database

This is probably because the user is unknown to the domain.

> Also as quoted above - "If you are going to use multiple domains, you
> will need to use 'trusts'." - How to do the same ?

Try reading these:

https://wiki.samba.org/index.php/Active_Directory_Trusts
https://wiki.samba.org/index.php/Samba4/Linking_AD_and_unix_directories

However, there isn't really much on the Samba wiki and I don't use trusts (I once set up a POC forest, but this was way back at Samba 4.9.x). Is there anyone using trusts that could help here?

Rowland
Rowland Penny
2022-Apr-28 17:29 UTC
[Samba] Domain join not happening on Debian/Ubuntu machines
On Thu, 2022-04-28 at 18:19 +0100, Rowland Penny via samba wrote:
> On Thu, 2022-04-28 at 17:52 +0100, Sac Isilia via samba wrote:
> > Hi Team,
> >
> > I have done all the settings as mentioned but still the domain join
> > via winbind fails.
> >
> > root at cngzh1dnl01:~# net ads join -U media\\svc_domjoin02
>
> You posted this:
> workgroup = AP-MEDIA
>
> So why are you using the user 'media\\svc_domjoin02' to join to the
> 'AP-MEDIA' domain ? the user 'media\\svc_domjoin02' appears to be
> from another domain.

Also, while rechecking what you posted, I found that you are using:

winbind use default domain = Yes

with the 'autorid' idmap backend. This is not allowed; I missed this the first time around.

Rowland
Sac Isilia
2022-Apr-28 17:31 UTC
[Samba] Domain join not happening on Debian/Ubuntu machines
Hi Team,

Your question is correct. We are using media domain account whereas we wish to join the server in AP-MEDIA domain. I explained the same thing to my AD team to give us the service account in AP-MEDIA domain. But their rational argument is that when we join using media\svc_domjoin02 it is resolving to AP.MEDIA.GLOBAL.LOC as I posted in the above mail in the "net ads join" output.

root at cngzh1dnl01:~# net ads join -U media\\svc_domjoin02
Enter media\svc_domjoin02's password:
kerberos_kinit_password *svc_domjoin02 at AP.MEDIA.GLOBAL.LOC* failed: Client not found in Kerberos database   --> This line which is resolving to AP.MEDIA.GLOBAL.LOC
Failed to join domain: failed to connect to AD: Client not found in Kerberos database

Can you provide us technical justification that why the server will not join with media domain account. My initial question was the same - The MEDIA domain account joins the RHEL machines in other domain however that fails with Debian/Ubuntu machines.

According to you - creating the service account in AP-MEDIA domain to join the server will only resolve the issue. If yes, then what is the technical concept behind this.

Regards
Sachin Kumar

On Thu, Apr 28, 2022 at 6:21 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 2022-04-28 at 17:52 +0100, Sac Isilia via samba wrote:
> > Hi Team,
> >
> > I have done all the settings as mentioned but still the domain join
> > via winbind fails.
> >
> > root at cngzh1dnl01:~# net ads join -U media\\svc_domjoin02
>
> You posted this:
> workgroup = AP-MEDIA
>
> So why are you using the user 'media\\svc_domjoin02' to join to the
> 'AP-MEDIA' domain ? the user 'media\\svc_domjoin02' appears to be
> from another domain.
>
> > Enter media\svc_domjoin02's password:
> > kerberos_kinit_password svc_domjoin02 at AP.MEDIA.GLOBAL.LOC failed: Client not found in Kerberos database
> > Failed to join domain: failed to connect to AD: Client not found in Kerberos database
>
> This is probably because the user is unknown to the domain.
>
> > Also as quoted above - "If you are going to use multiple domains, you
> > will need to use 'trusts'." - How to do the same ?
>
> Try reading these:
> https://wiki.samba.org/index.php/Active_Directory_Trusts
> https://wiki.samba.org/index.php/Samba4/Linking_AD_and_unix_directories
>
> However, there isn't really much on the Samba wiki and I don't use
> trusts (I once set up a POC forest, but this was way back at Samba
> 4.9.x). Is there anyone using trusts that could help here ?
>
> Rowland