Sac Isilia
2022-Apr-28 17:31 UTC
[Samba] Domain join not happening on Debian/Ubuntu machines
Hi Team,

Your question is correct. We are using a media domain account whereas we wish to join the server in the AP-MEDIA domain. I explained the same thing to my AD team to give us the service account in the AP-MEDIA domain. But their rational argument is that when we join using media\svc_domjoin02 it is resolving to AP.MEDIA.GLOBAL.LOC, as I posted in the above mail in the "net ads join" output.

root@cngzh1dnl01:~# net ads join -U media\\svc_domjoin02
Enter media\svc_domjoin02's password:
kerberos_kinit_password *svc_domjoin02@AP.MEDIA.GLOBAL.LOC* failed: Client not found in Kerberos database   - - > This line which is resolving to AP.MEDIA.GLOBAL.LOC
Failed to join domain: failed to connect to AD: Client not found in Kerberos database

Can you provide us technical justification as to why the server will not join with the media domain account? My initial question was the same - the MEDIA domain account joins the RHEL machines in the other domain, however that fails with Debian/Ubuntu machines. According to you - creating the service account in the AP-MEDIA domain to join the server will be the only thing that resolves the issue. If yes, then what is the technical concept behind this?

Regards
Sachin Kumar

On Thu, Apr 28, 2022 at 6:21 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 2022-04-28 at 17:52 +0100, Sac Isilia via samba wrote:
> > Hi Team,
> >
> > I have done all the settings as mentioned but still the domain join via
> > winbind fails.
> >
> > root@cngzh1dnl01:~# net ads join -U media\\svc_domjoin02
>
> You posted this:
> workgroup = AP-MEDIA
>
> So why are you using the user 'media\\svc_domjoin02' to join to the
> 'AP-MEDIA' domain? The user 'media\\svc_domjoin02' appears to be
> from another domain.
>
> > Enter media\svc_domjoin02's password:
> > kerberos_kinit_password svc_domjoin02@AP.MEDIA.GLOBAL.LOC failed: Client
> > not found in Kerberos database
> > Failed to join domain: failed to connect to AD: Client not found in
> > Kerberos database
>
> This is probably because the user is unknown to the domain.
>
> >
> > Also as quoted above - "If you are going to use multiple domains, you will
> > need to use 'trusts'." - How to do the same?
>
> Try reading these:
> https://wiki.samba.org/index.php/Active_Directory_Trusts
> https://wiki.samba.org/index.php/Samba4/Linking_AD_and_unix_directories
>
> However, there isn't really much on the Samba wiki and I don't use
> trusts (I once set up a POC forest, but this was way back at Samba
> 4.9.x). Is there anyone using trusts that could help here?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2022-Apr-28 17:55 UTC
[Samba] Domain join not happening on Debian/Ubuntu machines
On Thu, 2022-04-28 at 18:31 +0100, Sac Isilia via samba wrote:
> Hi Team,
>
> Your question is correct. We are using a media domain account whereas we wish
> to join the server in the AP-MEDIA domain. I explained the same thing to my AD
> team to give us the service account in the AP-MEDIA domain. But their rational
> argument is that when we join using media\svc_domjoin02 it is resolving to
> AP.MEDIA.GLOBAL.LOC, as I posted in the above mail in the "net ads join"
> output.

There are three things in play here: the Netbios domain, the REALM and the DNS domain. The DNS domain is what comes after the computer's short hostname; in your case it sounds like it is 'ap.media.global.loc'. The REALM is the DNS domain in uppercase, 'AP.MEDIA.GLOBAL.LOC'. The Netbios domain is usually the left-hand part of the REALM, but it can be anything, as long as it is unique.

Unless your domains trust each other, users from another domain will be unknown to your domain.

I have found you this:
https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf

You are going to need to get trusts working before you can attempt to join a computer using a user from another domain, and I am not sure if it will work even then. The best idea would be to use a user from the domain you are joining to.

Rowland
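The three names Rowland describes, as an added example that is not part of the thread and not Samba's own code: a small POSIX shell script that derives the DNS domain and Kerberos REALM from a member server's FQDN, guesses the NetBIOS name from the REALM, emits the matching smb.conf settings, and pre-checks that the DOMAIN\user passed to `net ads join -U` actually belongs to the workgroup configured in smb.conf. The FQDN cngzh1dnl01.ap.media.global.loc, the REALM AP.MEDIA.GLOBAL.LOC and the workgroup AP-MEDIA are assumptions taken from the thread (Rowland himself only says the DNS domain "sounds like" ap.media.global.loc); the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Derives the three names Rowland lists (DNS domain, REALM, NetBIOS
# domain) from a host's FQDN and pre-checks a 'net ads join' account
# against the configured workgroup. Host/realm/workgroup values in the
# comments are assumed from the thread, not verified facts.

# DNS domain: everything after the short hostname, e.g.
# cngzh1dnl01.ap.media.global.loc -> ap.media.global.loc
dns_domain_of() {
    case $1 in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   printf '\n' ;;           # short name only: no DNS domain
    esac
}

# Kerberos REALM: the DNS domain in uppercase, e.g. AP.MEDIA.GLOBAL.LOC
realm_of() {
    dns_domain_of "$1" | tr '[:lower:]' '[:upper:]'
}

# NetBIOS domain: usually the leftmost label of the REALM (here 'AP'),
# but an admin may have chosen anything (the thread uses AP-MEDIA), so
# treat this only as a default guess, never as authoritative.
netbios_guess() {
    realm_of "$1" | cut -d. -f1
}

# The smb.conf lines a domain member needs. The NetBIOS name is an
# explicit argument because it cannot be reliably derived from DNS.
smb_conf_fragment() {
    fqdn=$1; workgroup=$2
    printf 'workgroup = %s\nrealm = %s\nsecurity = ADS\n' \
        "$workgroup" "$(realm_of "$fqdn")"
}

# Pre-check for 'net ads join -U DOMAIN\user': the DOMAIN prefix must be
# the workgroup being joined. A prefix from another domain is unknown to
# the target realm's KDC unless a trust exists, which is exactly the
# "Client not found in Kerberos database" failure quoted in the thread.
# Returns 0 on match (or bare username), 1 on mismatch.
join_account_matches_workgroup() {
    account=$1; workgroup=$2
    # cut -s prints nothing when the delimiter is absent (bare username)
    user=$(printf '%s\n' "$account" | cut -s -d'\' -f2)
    if [ -z "$user" ]; then
        return 0                      # bare username: net uses the local workgroup
    fi
    prefix=$(printf '%s\n' "$account" | cut -d'\' -f1 | tr '[:lower:]' '[:upper:]')
    wg=$(printf '%s\n' "$workgroup" | tr '[:lower:]' '[:upper:]')
    if [ "$prefix" = "$wg" ]; then
        return 0
    fi
    echo "join account '$account' is from domain '$prefix', not workgroup '$workgroup'" >&2
    return 1
}

# Demo with the thread's (assumed) values.
FQDN=cngzh1dnl01.ap.media.global.loc
echo "DNS domain : $(dns_domain_of "$FQDN")"
echo "REALM      : $(realm_of "$FQDN")"
echo "NetBIOS (guess): $(netbios_guess "$FQDN")"
smb_conf_fragment "$FQDN" AP-MEDIA
join_account_matches_workgroup 'media\svc_domjoin02' AP-MEDIA \
    || echo "-> use an account from the AP-MEDIA domain, or set up a trust first"
```

Run it with `sh script.sh` before attempting the join; the mismatch check is a cheap sanity check of the `-U` argument against `workgroup`, and does nothing about DNS or time skew, which `net ads join` itself will still report.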