François Legal
2022-May-03 20:00 UTC
[Samba] Joining a samba ad dc domain from another samba installatio
On Monday, May 02, 2022 12:02 CEST, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Mon, 2022-05-02 at 10:47 +0200, François Legal wrote:
> > On Friday, April 29, 2022 09:23 CEST, Rowland Penny via samba <samba at lists.samba.org> wrote:
> > > On Fri, 2022-04-29 at 09:09 +0200, François Legal via samba wrote:
> > > > On Wednesday, April 27, 2022 22:57 CEST, François Legal via samba <samba at lists.samba.org> wrote:
> > > > > On Tuesday, April 26, 2022 11:10 CEST, Rowland Penny via samba <samba at lists.samba.org> wrote:
> > > > > > On Tue, 2022-04-26 at 10:36 +0200, François Legal via samba wrote:
> > > > > > > On Monday, April 25, 2022 15:24 CEST, Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
> > > > > > > > On Mon, Apr 25, 2022 at 7:13 AM François Legal via samba <samba at lists.samba.org> wrote:
> > > > > > > > > samba-tool domain join [my samba domain] DC -k yes --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'
> > > > > > > > > INFO 2022-04-25 10:41:04,952 pid:374 /usr/lib/python3/dist-packages/samba/join.py #107: Finding a writeable DC for domain '[my samba domain]'
> > > > > > > > > INFO 2022-04-25 10:41:04,973 pid:374 /usr/lib/python3/dist-packages/samba/join.py #109: Found DC [my-dc].[my samba domain]
> > > > > > > > > ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: 00002020: Operation unavailable without authentication
> > > > > > > >
> > > > > > > > I see you used "-k yes". Did you confirm that you have a valid Kerberos TGT for a Domain Admin account? (Run "kinit" to get a ticket and "klist" to check.)
> > > > > > >
> > > > > > > Yes. I've kinit administrator@[my realm], the ticket shows up in klist afterwards.
> > > > > > > But either using -U administrator (for which no password is requested) or --krb5-ccache=/tmp/krb5cc_0 produces the same result.
> > > > > > >
> > > > > > > François
> > > > > >
> > > > > > Provided that krb5.conf and DNS are set up correctly, you should just run 'kinit administrator' to get a ticket.
> > > > > > I take it that you are doing this as root.
> > > > > >
> > > > > > Rowland
> > > > >
> > > > > Yes, krb5.conf is set up correctly, dns resolver too. KDC is discovered through NS requests successfully, kinit & samba-tool run as root.
> > > > >
> > > > > François
> > > >
> > > > Just to make sure:
> > > >
> > > > root@[my new dc hostname]:~# more /etc/krb5.conf
> > > > [libdefaults]
> > > > default_realm = [my realm]
> > > > dns_lookup_realm = false
> > > > dns_lookup_kdc = false
> > > >
> > > > [realms]
> > > > [my realm] = {
> > > > kdc = [my dc ip]
> > > > }
> > >
> > > Good job you did, it is wrong :-)
> > >
> > > Try it like this:
> > >
> > > [libdefaults]
> > > default_realm = [my realm]
> > > dns_lookup_realm = false
> > > dns_lookup_kdc = true
> > >
> > > Rowland
> >
> > Correct. I tried with the same result.
> >
> > François
>
> OK, go here:
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Run it on your unix domain member and post the output inline to this list.
>
> Rowland
>

Here comes the output:

root@[new dc]:~# ./samba-collect-debug-info.sh
Please wait, collecting debug info.

Password for Administrator@[my realm]:
grep: : No such file or directory
Load smb config files from /etc/samba/smb.conf
Error loading services.
The debug info about your system can be found in this file:
/tmp/samba-debug-info.txt
Please check this and if required, sanitise it.
Then copy & paste it into an email to the samba list
Do not attach it to the email, the Samba mailing list strips attachments.
root at tls-srv-03:~# more /tmp/samba-debug-info.txt
Collected config --- 2022-05-03-18:05 -----------

Hostname: [new dc]
DNS Domain: [my domain]
FQDN: [new dc].[my domain]
ipaddress: 192.168.1.210

-----------

Kerberos SRV _kerberos._tcp.[my domain] record verified ok, sample output:
Server: 10.211.254.253
Address: 10.211.254.253#53

_kerberos._tcp.[my domain] service = 0 100 88 [my current dc].[my domain].
Samba is not being run as a DC or a Unix domain member.

-----------
Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------

This computer is running Debian 11.3 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:bd:bb:3a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.210/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::216:3eff:febd:bb3a/64 scope link

-----------
Checking file: /etc/hosts

127.0.0.1 localhost
192.168.1.210 [new dc].[my domain] [new dc]
10.211.254.253 [current dc].[my domain] [current dc]

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

-----------

Checking file: /etc/resolv.conf

nameserver 10.211.254.253
search [my domain]

-----------

Checking file: /etc/krb5.conf

[libdefaults]
default_realm = [my realm]
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
[my realm] = {
kdc = 10.211.254.253
}

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files
group: files
shadow: files
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

-----------

Warning, does not exist

-----------

Installed packages:
ii krb5-config 2.6+nmu1 all Configuration files for Kerberos Version 5
ii krb5-user 1.18.3-6+deb11u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-10 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-6 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - Support library
ii libwbclient0:amd64 2:4.13.13+dfsg-1~deb11u3 amd64 Samba winbind client library
ii python3-samba 2:4.13.13+dfsg-1~deb11u3 amd64 Python 3 bindings for Samba
ii samba 2:4.13.13+dfsg-1~deb11u3 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.13.13+dfsg-1~deb11u3 all common files used by both the Samba server and client
ii samba-common-bin 2:4.13.13+dfsg-1~deb11u3 amd64 Samba common files used by both the server and the client
ii samba-libs:amd64 2:4.13.13+dfsg-1~deb11u3 amd64 Samba core libraries

I also tried to paste the [global] section of my current DC smb.conf to my new DC smb.conf, changing the netbios name, but that did not help.
I also checked the time synchronisation, which is good.

François
Rowland Penny
2022-May-03 20:36 UTC
[Samba] Joining a samba ad dc domain from another samba installatio
On Tue, 2022-05-03 at 22:00 +0200, François Legal wrote:
>
>
> Here comes the output:
> root@[new dc]:~# ./samba-collect-debug-info.sh
> Please wait, collecting debug info.
>
> Password for Administrator@[my realm]:
> grep: : No such file or directory
> Load smb config files from /etc/samba/smb.conf
> Error loading services.
> The debug info about your system can be found in this file:
> /tmp/samba-debug-info.txt
> Please check this and if required, sanitise it.
> Then copy & paste it into an email to the samba list
> Do not attach it to the email, the Samba mailing list strips attachments.
> root at tls-srv-03:~# more /tmp/samba-debug-info.txt
> Collected config --- 2022-05-03-18:05 -----------
>
> Hostname: [new dc]
> DNS Domain: [my domain]
> FQDN: [new dc].[my domain]
> ipaddress: 192.168.1.210
>
> -----------
>
> Kerberos SRV _kerberos._tcp.[my domain] record verified ok, sample output:
> Server: 10.211.254.253
> Address: 10.211.254.253#53
>
> _kerberos._tcp.[my domain] service = 0 100 88 [my current dc].[my domain].
> Samba is not being run as a DC or a Unix domain member.
>
> -----------
> Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
> NAME="Debian GNU/Linux"
> VERSION_ID="11"
> VERSION="11 (bullseye)"
> VERSION_CODENAME=bullseye
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
> This computer is running Debian 11.3 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
>     link/ether 00:16:3e:bd:bb:3a brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.210/24 brd 192.168.1.255 scope global eth0
>     inet6 fe80::216:3eff:febd:bb3a/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 192.168.1.210 [new dc].[my domain] [new dc]
> 10.211.254.253 [current dc].[my domain] [current dc]

Remove the 'current dc' line from /etc/hosts, it shouldn't be there.

>
> # The following lines are desirable for IPv6 capable hosts
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> nameserver 10.211.254.253
> search [my domain]
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = [my realm]
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> [my realm] = {
> kdc = 10.211.254.253
> }
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files
> group: files
> shadow: files
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Warning, does not exist

The smb.conf wouldn't exist on a non-joined DC, you would get an error during the join if it did.

>
> -----------
>
>
> Installed packages:
> ii krb5-config 2.6+nmu1 all Configuration files for Kerberos Version 5
> ii krb5-user 1.18.3-6+deb11u1 amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.53-10 amd64 access control list - shared library
> ii libattr1:amd64 1:2.4.48-6 amd64 extended attribute handling - shared library
> ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-3:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - Support library
> ii libwbclient0:amd64 2:4.13.13+dfsg-1~deb11u3 amd64 Samba winbind client library
> ii python3-samba 2:4.13.13+dfsg-1~deb11u3 amd64 Python 3 bindings for Samba
> ii samba 2:4.13.13+dfsg-1~deb11u3 amd64 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:4.13.13+dfsg-1~deb11u3 all common files used by both the Samba server and client
> ii samba-common-bin 2:4.13.13+dfsg-1~deb11u3 amd64 Samba common files used by both the server and the client
> ii samba-libs:amd64 2:4.13.13+dfsg-1~deb11u3 amd64 Samba core libraries

You appear to have a few packages missing:

apt install acl attr python3-xattr samba-dsdb-modules samba-vfs-modules winbind xattr

>
>
> I also tried to paste the [global] section of my current DC smb.conf
> to my new DC smb.conf, changing the netbios name, but that did not
> help.

It wouldn't, do not do this.

Install the missing packages, remove the smb.conf.
Check if the old DC still exists in AD, remove it if it does, with:

samba-tool domain demote -H ldap://current dc --remove-other-dead-server='THE_OLD_DC'

Then attempt to join the new DC again.

Rowland
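The three host-side points Rowland raises across the thread (dns_lookup_kdc in /etc/krb5.conf, a stray entry for the existing DC in /etc/hosts, and the package set from his apt line) can be checked before the join is retried. The script below is an added example written for this page; it is not code from the thread, from the debug-collection script, or from Samba. It takes file paths as arguments so it can be pointed at the real files or, as here, at constructed copies: the host names and the realm EXAMPLE.LAN / example.lan are made up, the IP addresses mirror the thread's output, and the required package set is assumed to be exactly the one Rowland listed.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): a pre-join lint for a host
# about to be joined as a Samba AD DC. Checks:
#   1. /etc/krb5.conf sets dns_lookup_kdc = true in [libdefaults]
#   2. /etc/hosts names no host in the AD domain other than the machine itself
#   3. the packages from the thread's "apt install" line are installed
# Inputs are file paths; the sample files at the bottom are constructed.

# Assumed required set: the packages Rowland listed as missing.
REQUIRED_PKGS="acl attr python3-xattr samba-dsdb-modules samba-vfs-modules winbind xattr"

# check_krb5 FILE: succeed only if [libdefaults] contains dns_lookup_kdc = true.
check_krb5() {
    awk '
        /^[[:space:]]*\[/ { section = $0; gsub(/[[:space:]]/, "", section) }
        section == "[libdefaults]" && /^[[:space:]]*dns_lookup_kdc[[:space:]]*=/ {
            val = $0; sub(/.*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            if (tolower(val) == "true") ok = 1
        }
        END { exit ok ? 0 : 1 }' "$1"
}

# foreign_hosts FILE FQDN DOMAIN: print non-comment lines of an /etc/hosts
# file that name a host under DOMAIN other than FQDN (the machine itself).
foreign_hosts() {
    awk -v fqdn="$2" -v dom="$3" '
        /^[[:space:]]*(#|$)/ { next }
        {
            suffix = "." dom
            for (i = 2; i <= NF; i++)
                if ($i != fqdn && length($i) > length(suffix) &&
                    substr($i, length($i) - length(suffix) + 1) == suffix) { print; next }
        }' "$1"
}

# missing_packages FILE: FILE holds "dpkg -l" style lines ("ii  name  version ...");
# print each required package without an installed ("ii") entry.
missing_packages() {
    for pkg in $REQUIRED_PKGS; do
        grep -Eq "^ii[[:space:]]+$pkg(:[[:alnum:]]+)?[[:space:]]" "$1" || echo "$pkg"
    done
}

# lint_host KRB5 HOSTS FQDN DOMAIN DPKG: print one line per finding and
# return the number of findings (0 means all three checks passed).
lint_host() {
    findings=0
    if ! check_krb5 "$1"; then
        echo "krb5.conf: dns_lookup_kdc is not true (KDC discovery via DNS SRV is off)"
        findings=$((findings + 1))
    fi
    extra=$(foreign_hosts "$2" "$3" "$4")
    if [ -n "$extra" ]; then
        echo "hosts: entries for other domain hosts should not be present:"
        printf '%s\n' "$extra" | sed 's/^/    /'
        findings=$((findings + 1))
    fi
    missing=$(missing_packages "$5")
    if [ -n "$missing" ]; then
        echo "packages: missing $(printf '%s\n' "$missing" | tr '\n' ' ')"
        findings=$((findings + 1))
    fi
    return $findings
}

# ---- constructed sample inputs mirroring the thread's debug output ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    EXAMPLE.LAN = {
        kdc = 10.211.254.253
    }
EOF

# The thread's first krb5.conf, with DNS KDC lookup switched off.
cat > "$WORK/krb5-old.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = false
EOF

cat > "$WORK/hosts" <<'EOF'
127.0.0.1 localhost
192.168.1.210 newdc.example.lan newdc
10.211.254.253 currentdc.example.lan currentdc

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
EOF

# Constructed dpkg listing: winbind present, the rest of the required set absent.
cat > "$WORK/dpkg.txt" <<'EOF'
ii  samba            2:4.13.13+dfsg-1~deb11u3  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-libs:amd64 2:4.13.13+dfsg-1~deb11u3  amd64  Samba core libraries
ii  winbind          2:4.13.13+dfsg-1~deb11u3  amd64  (constructed entry)
EOF

if lint_host "$WORK/krb5.conf" "$WORK/hosts" newdc.example.lan example.lan "$WORK/dpkg.txt"; then
    echo "pre-join checks passed"
else
    echo "findings: $?"
fi
```

Run against the real files as root with `lint_host /etc/krb5.conf /etc/hosts "$(hostname -f)" "$(dnsdomainname)" <(dpkg -l)` under bash, or save `dpkg -l` to a file first for plain sh. The hosts check deliberately keeps the machine's own FQDN line, since only the entry for the other DC is what the thread objects to.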