samba - Sep 2022 - Unable to join domain I think.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.


On Tue, Sep 13, 2022 at 4:33 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
>
>
> On 13/09/2022 21:22, Rob Campbell wrote:
> > [Tue Sep 13 16:15:43] [*root at dc02~$*] net ads testjoin
> > Join is OK
>
> If I remember correctly, DC02 is a Unix domain member, so that (from
> info provided) appears to working correctly.
>
> >
> > [Tue Sep 13 16:19:14] [*root at D01~$*] net ads testjoin
> > ads_connect: No logon servers are currently available to service the
> > logon request.
> > Join to domain is not valid: No logon servers are currently available
to
> > service the logon request.
>
> Can you go here:
>
>
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>
> Download the script and run it on 'D01'
> post the output here in a post, do not attach it, this list strips
> attachments. Sanitise it you must.
>
[Tue Sep 13 17:04:30] [root at D01~$] samba-collect-debug-info.sh

Please wait, collecting debug info.

Password for Administrator at HOME.ROB-CAMPBELL.LAN:
Warning: Your password will expire in 41 days on Tue 25 Oct 2022 12:47:59
AM EDT
Warning: No smb.conf found


The debug info about your system can be found in this file:
/tmp/samba-debug-info.txt

Please check this and if required, sanitise it.
Then copy & paste it into an  email to the samba list
Do not attach it to the email, the Samba mailing list strips attachments.

[Tue Sep 13 17:04:41] [root at D01~$] smbd -b | grep 'CONFIGFILE' | awk
'{print $NF}'
/etc/samba/smb.conf
[Tue Sep 13 17:04:45] [root at D01~$] cat /etc/samba/smb.conf
[global]
security = ADS
workgroup = HOME
realm = HOME.ROB-CAMPBELL.LAN

log file = /var/log/samba/%m.log
log level = 1

idmap config * : backend = autorid
idmap config * : range = 10000-9999999
idmap config * : rangesize = 200000

username map = /etc/samba/user.map

template shell = /bin/bash
template homedir = /home/%U
[Tue Sep 13 17:04:47] [root at D01~$] cat /tmp/samba-debug-info.txt
Config collected --- 2022-09-13-17:04 -----------

Hostname:   D01
DNS Domain: home.rob-campbell.lan
Realm:      HOME.ROB-CAMPBELL.LAN
FQDN:       d01.home.rob-campbell.lan
ipaddress:  10.0.0.18 2600:4040:4666:f900::1406

-----------

This computer is running Debian 11.4 x86_64

-----------

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: enp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN
group
default qlen 1000
    link/ether c8:0a:a9:0e:93:23 brd ff:ff:ff:ff:ff:ff
3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP group default qlen 1000
    link/ether c4:17:fe:4e:1a:8b brd ff:ff:ff:ff:ff:ff
    altname wlp2s0
    inet 10.0.0.18/24 brd 10.0.0.255 scope global dynamic noprefixroute wlo1
       valid_lft 83491sec preferred_lft 83491sec
    inet6 2600:4040:4666:f900::1406/128 scope global dynamic noprefixroute
       valid_lft 2359sec preferred_lft 559sec
    inet6 fe80::7563:2b02:c335:1a7d/64 scope link noprefixroute

-----------

Checking file: /etc/hosts

127.0.0.1 localhost
10.0.0.18 d01.home.rob-campbell.lan d01

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

Checking file: /etc/resolv.conf

nameserver 10.0.0.10
search HOME.ROB-CAMPBELL.LAN

-----------

Kerberos SRV _kerberos._tcp.home.rob-campbell.lan record(s) verified ok,
sample output:
Server: 10.0.0.10
Address: 10.0.0.10#53

_kerberos._tcp.home.rob-campbell.lan service = 0 100 88
dc01.home.rob-campbell.lan.

-----------

'kinit Administrator' checked successfully.

-----------

Samba is not being run as a DC or a Unix domain member.

-----------

Checking file: /etc/krb5.conf

[libdefaults]
default_realm = HOME.ROB-CAMPBELL.LAN
dns_lookup_realm = false
dns_lookup_kdc = true

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.

passwd:         files winbind systemd sss
group:          files winbind systemd sss
shadow:         files sss
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
automount:      sss

-----------


Time on the DC with PDC Emulator role is: 2022-09-13T17:04:40


Time on this computer is:                 2022-09-13T17:04:41


Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds

-----------

Installed packages:
ii  acl                                           2.2.53-10
       amd64        access control list - utilities
ii  attr                                          1:2.4.48-6
        amd64        utilities for manipulating filesystem extended
attributes
ii  fonts-quicksand                               0.2016-2.1
        all          sans-serif font with round attributes
ii  kde-spectacle                                 20.12.3-1
       amd64        Screenshot capture utility
ii  krb5-config                                   2.6+nmu1
        all          Configuration files for Kerberos Version 5
ii  krb5-locales                                  1.18.3-6+deb11u1
        all          internationalization support for MIT Kerberos
ii  krb5-user                                     1.18.3-6+deb11u1
        amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                                 2.2.53-10
       amd64        access control list - shared library
ii  libattr1:amd64                                1:2.4.48-6
        amd64        extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64                        1.18.3-6+deb11u1
        amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                               1.18.3-6+deb11u1
        amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64                         1.18.3-6+deb11u1
        amd64        MIT Kerberos runtime libraries - Support library
ii  libmoox-aliases-perl                          0.001006-1.1
        all          easy aliasing of methods and attributes in Moo
ii  libnss-winbind:amd64                          2:4.13.13+dfsg-1~deb11u5
        amd64        Samba nameservice integration plugins
ii  libpam-krb5:amd64                             4.9-2
       amd64        PAM module for MIT Kerberos
ii  libpam-winbind:amd64                          2:4.13.13+dfsg-1~deb11u5
        amd64        Windows domain authentication integration plugin
ii  libsmbclient:amd64                            2:4.13.13+dfsg-1~deb11u5
        amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64                            2:4.13.13+dfsg-1~deb11u5
        amd64        Samba winbind client library
ii  python3-nacl                                  1.4.0-1+b1
        amd64        Python bindings to libsodium (Python 3)
ii  python3-pylibacl:amd64                        0.6.0-1+b1
        amd64        module for manipulating POSIX.1e ACLs (Python3 version)
ii  python3-pyxattr:amd64                         0.7.2-1+b1
        amd64        module for manipulating filesystem extended attributes
(Python3)
ii  python3-samba                                 2:4.13.13+dfsg-1~deb11u5
        amd64        Python 3 bindings for Samba
ii  samba                                         2:4.13.13+dfsg-1~deb11u5
        amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                                  2:4.13.13+dfsg-1~deb11u5
        all          common files used by both the Samba server and client
ii  samba-common-bin                              2:4.13.13+dfsg-1~deb11u5
        amd64        Samba common files used by both the server and the
client
ii  samba-dsdb-modules:amd64                      2:4.13.13+dfsg-1~deb11u5
        amd64        Samba Directory Services Database
ii  samba-libs:amd64                              2:4.13.13+dfsg-1~deb11u5
        amd64        Samba core libraries
ii  samba-vfs-modules:amd64                       2:4.13.13+dfsg-1~deb11u5
        amd64        Samba Virtual FileSystem plugins
ii  smbclient                                     2:4.13.13+dfsg-1~deb11u5
        amd64        command-line SMB/CIFS clients for Unix
ii  sssd-krb5                                     2.4.1-2
       amd64        System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common                              2.4.1-2
       amd64        System Security Services Daemon -- Kerberos helpers
ii  vlc-plugin-samba:amd64                        3.0.17.4-0+deb11u1
        amd64        Samba plugin for VLC
ii  winbind                                       2:4.13.13+dfsg-1~deb11u5
        amd64        service to resolve user and group information from
Windows NT servers

-----------

I did fix some things but after fixing I ran it again.  Why does it think I
have no samba file?  Does it have the wrong permissions?

> >
> > [Tue Sep 13 16:19:25] [*_root at DC01/var/log/samba$_*] net ads
testjoin
> > kerberos_kinit_password HOME at HOME.ROB-CAMPBELL.LAN failed: Client
not
> > found in Kerberos database
> > Join to domain is not valid: The name provided is not a properly
formed
> > account name.
> >
> > DC01 us the DC
>
> And 'net ads testjoin' doesn't work on a DC.
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

[Tue Sep 13 17:07:54] [root at D01~$] net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- HOME
Joined 'D01' to dns domain 'home.rob-campbell.lan'
DNS Update for d01.home.rob-campbell.lan failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
[Tue Sep 13 17:11:12] [root at D01~$] net ads testjoin
Join is OK

There is an old thread that stopped (because I rebuilt my server and didn't
get back to this until now)

   - *To*: samba at xxxxxxxxxxxxxxx
   - *Subject*: Re: DNS Update Failing
   - *From*: Rowland Penny via samba <samba at xxxxxxxxxxxxxxx>
   - *Date*: Tue, 02 Nov 2021 17:08:09 +0000
   - *In-reply-to*: <CAHej=pX9sjuiDdHt=TUoT+zjSt7JFEB37b5LUK90   iZ6A4orWw at
mail.gmail.com>
   - *Reply-to*: Rowland Penny <rpenny at xxxxxxxxx>
   - *User-agent*: Evolution 3.30.5-1.1
> Just a thought, have you added the reverse record ?
>
> Rowland
Isn't the PTR the reverse record?  I'm just asking because it appears
I am back to that same problem.  I don't have that email to continue
that chain.

[Tue Sep 13 17:16:55] [root at DC01/var/log/samba$] dig -x 10.0.0.9

; <<>> DiG 9.16.27-Debian <<>> -x 10.0.0.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20611
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;9.0.0.10.in-addr.arpa.		IN	PTR

;; ANSWER SECTION:
9.0.0.10.in-addr.arpa.	900	IN	PTR	dc02.HOME.ROB-CAMPBELL.LAN.

;; AUTHORITY SECTION:
0.0.10.in-addr.arpa.	3600	IN	SOA	DC01.home.rob-campbell.lan.
hostmaster.home.rob-campbell.lan. 6 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 10.0.0.10#53(10.0.0.10)
;; WHEN: Tue Sep 13 17:17:00 EDT 2022
;; MSG SIZE  rcvd: 152

[Tue Sep 13 17:17:00] [root at DC01/var/log/samba$] dig -x 10.0.0.18

; <<>> DiG 9.16.27-Debian <<>> -x 10.0.0.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61778
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;18.0.0.10.in-addr.arpa.		IN	PTR

;; ANSWER SECTION:
18.0.0.10.in-addr.arpa.	900	IN	PTR	D01.HOME.ROB-CAMPBELL.LAN.

;; AUTHORITY SECTION:
0.0.10.in-addr.arpa.	3600	IN	SOA	DC01.home.rob-campbell.lan.
hostmaster.home.rob-campbell.lan. 6 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 10.0.0.10#53(10.0.0.10)
;; WHEN: Tue Sep 13 17:17:05 EDT 2022
;; MSG SIZE  rcvd: 152


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.


On Tue, Sep 13, 2022 at 5:08 PM Rob Campbell <robcampbell08105 at
gmail.com>
wrote:
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In all things, Be Intentional.
>
>
> On Tue, Sep 13, 2022 at 4:33 PM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>>
>>
>> On 13/09/2022 21:22, Rob Campbell wrote:
>> > [Tue Sep 13 16:15:43] [*root at dc02~$*] net ads testjoin
>> > Join is OK
>>
>> If I remember correctly, DC02 is a Unix domain member, so that (from
>> info provided) appears to working correctly.
>>
>> >
>> > [Tue Sep 13 16:19:14] [*root at D01~$*] net ads testjoin
>> > ads_connect: No logon servers are currently available to service
the
>> > logon request.
>> > Join to domain is not valid: No logon servers are currently
available
>> to
>> > service the logon request.
>>
>> Can you go here:
>>
>>
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>>
>> Download the script and run it on 'D01'
>> post the output here in a post, do not attach it, this list strips
>> attachments. Sanitise it you must.
>>
>
> [Tue Sep 13 17:04:30] [root at D01~$] samba-collect-debug-info.sh
>
> Please wait, collecting debug info.
>
> Password for Administrator at HOME.ROB-CAMPBELL.LAN:
> Warning: Your password will expire in 41 days on Tue 25 Oct 2022 12:47:59
> AM EDT
> Warning: No smb.conf found
>
>
> The debug info about your system can be found in this file:
> /tmp/samba-debug-info.txt
>
> Please check this and if required, sanitise it.
> Then copy & paste it into an  email to the samba list
> Do not attach it to the email, the Samba mailing list strips attachments.
>
> [Tue Sep 13 17:04:41] [root at D01~$] smbd -b | grep 'CONFIGFILE' |
awk
> '{print $NF}'
> /etc/samba/smb.conf
> [Tue Sep 13 17:04:45] [root at D01~$] cat /etc/samba/smb.conf
> [global]
> security = ADS
> workgroup = HOME
> realm = HOME.ROB-CAMPBELL.LAN
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config * : backend = autorid
> idmap config * : range = 10000-9999999
> idmap config * : rangesize = 200000
>
> username map = /etc/samba/user.map
>
> template shell = /bin/bash
> template homedir = /home/%U
> [Tue Sep 13 17:04:47] [root at D01~$] cat /tmp/samba-debug-info.txt
> Config collected --- 2022-09-13-17:04 -----------
>
> Hostname:   D01
> DNS Domain: home.rob-campbell.lan
> Realm:      HOME.ROB-CAMPBELL.LAN
> FQDN:       d01.home.rob-campbell.lan
> ipaddress:  10.0.0.18 2600:4040:4666:f900::1406
>
> -----------
>
> This computer is running Debian 11.4 x86_64
>
> -----------
>
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group
> default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: enp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN
> group default qlen 1000
>     link/ether c8:0a:a9:0e:93:23 brd ff:ff:ff:ff:ff:ff
> 3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state
> UP group default qlen 1000
>     link/ether c4:17:fe:4e:1a:8b brd ff:ff:ff:ff:ff:ff
>     altname wlp2s0
>     inet 10.0.0.18/24 brd 10.0.0.255 scope global dynamic noprefixroute
> wlo1
>        valid_lft 83491sec preferred_lft 83491sec
>     inet6 2600:4040:4666:f900::1406/128 scope global dynamic noprefixroute
>        valid_lft 2359sec preferred_lft 559sec
>     inet6 fe80::7563:2b02:c335:1a7d/64 scope link noprefixroute
>
> -----------
>
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 10.0.0.18 d01.home.rob-campbell.lan d01
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> nameserver 10.0.0.10
> search HOME.ROB-CAMPBELL.LAN
>
> -----------
>
> Kerberos SRV _kerberos._tcp.home.rob-campbell.lan record(s) verified ok,
> sample output:
> Server: 10.0.0.10
> Address: 10.0.0.10#53
>
> _kerberos._tcp.home.rob-campbell.lan service = 0 100 88
> dc01.home.rob-campbell.lan.
>
> -----------
>
> 'kinit Administrator' checked successfully.
>
> -----------
>
> Samba is not being run as a DC or a Unix domain member.
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = HOME.ROB-CAMPBELL.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
installed, try:
> # `info libc "Name Service Switch"' for information about
this file.
>
> passwd:         files winbind systemd sss
> group:          files winbind systemd sss
> shadow:         files sss
> gshadow:        files
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
> networks:       files
>
> protocols:      db files
> services:       db files sss
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis sss
> automount:      sss
>
> -----------
>
>
> Time on the DC with PDC Emulator role is: 2022-09-13T17:04:40
>
>
> Time on this computer is:                 2022-09-13T17:04:41
>
>
> Time verified ok, within the allowed 300sec margin.
> Time offset is currently : 0 seconds
>
> -----------
>
> Installed packages:
> ii  acl                                           2.2.53-10
>          amd64        access control list - utilities
> ii  attr                                          1:2.4.48-6
>         amd64        utilities for manipulating filesystem extended
> attributes
> ii  fonts-quicksand                               0.2016-2.1
>         all          sans-serif font with round attributes
> ii  kde-spectacle                                 20.12.3-1
>          amd64        Screenshot capture utility
> ii  krb5-config                                   2.6+nmu1
>         all          Configuration files for Kerberos Version 5
> ii  krb5-locales                                  1.18.3-6+deb11u1
>         all          internationalization support for MIT Kerberos
> ii  krb5-user                                     1.18.3-6+deb11u1
>         amd64        basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64                                 2.2.53-10
>          amd64        access control list - shared library
> ii  libattr1:amd64                                1:2.4.48-6
>         amd64        extended attribute handling - shared library
> ii  libgssapi-krb5-2:amd64                        1.18.3-6+deb11u1
>         amd64        MIT Kerberos runtime libraries - krb5 GSS-API
Mechanism
> ii  libkrb5-3:amd64                               1.18.3-6+deb11u1
>         amd64        MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64                         1.18.3-6+deb11u1
>         amd64        MIT Kerberos runtime libraries - Support library
> ii  libmoox-aliases-perl                          0.001006-1.1
>         all          easy aliasing of methods and attributes in Moo
> ii  libnss-winbind:amd64                          2:4.13.13+dfsg-1~deb11u5
>         amd64        Samba nameservice integration plugins
> ii  libpam-krb5:amd64                             4.9-2
>          amd64        PAM module for MIT Kerberos
> ii  libpam-winbind:amd64                          2:4.13.13+dfsg-1~deb11u5
>         amd64        Windows domain authentication integration plugin
> ii  libsmbclient:amd64                            2:4.13.13+dfsg-1~deb11u5
>         amd64        shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64                            2:4.13.13+dfsg-1~deb11u5
>         amd64        Samba winbind client library
> ii  python3-nacl                                  1.4.0-1+b1
>         amd64        Python bindings to libsodium (Python 3)
> ii  python3-pylibacl:amd64                        0.6.0-1+b1
>         amd64        module for manipulating POSIX.1e ACLs (Python3
version)
> ii  python3-pyxattr:amd64                         0.7.2-1+b1
>         amd64        module for manipulating filesystem extended attributes
> (Python3)
> ii  python3-samba                                 2:4.13.13+dfsg-1~deb11u5
>         amd64        Python 3 bindings for Samba
> ii  samba                                         2:4.13.13+dfsg-1~deb11u5
>         amd64        SMB/CIFS file, print, and login server for Unix
> ii  samba-common                                  2:4.13.13+dfsg-1~deb11u5
>         all          common files used by both the Samba server and client
> ii  samba-common-bin                              2:4.13.13+dfsg-1~deb11u5
>         amd64        Samba common files used by both the server and the
> client
> ii  samba-dsdb-modules:amd64                      2:4.13.13+dfsg-1~deb11u5
>         amd64        Samba Directory Services Database
> ii  samba-libs:amd64                              2:4.13.13+dfsg-1~deb11u5
>         amd64        Samba core libraries
> ii  samba-vfs-modules:amd64                       2:4.13.13+dfsg-1~deb11u5
>         amd64        Samba Virtual FileSystem plugins
> ii  smbclient                                     2:4.13.13+dfsg-1~deb11u5
>         amd64        command-line SMB/CIFS clients for Unix
> ii  sssd-krb5                                     2.4.1-2
>          amd64        System Security Services Daemon -- Kerberos back end
> ii  sssd-krb5-common                              2.4.1-2
>          amd64        System Security Services Daemon -- Kerberos helpers
> ii  vlc-plugin-samba:amd64                        3.0.17.4-0+deb11u1
>         amd64        Samba plugin for VLC
> ii  winbind                                       2:4.13.13+dfsg-1~deb11u5
>         amd64        service to resolve user and group information from
> Windows NT servers
>
> -----------
>
> I did fix some things but after fixing I ran it again.  Why does it think
> I have no samba file?  Does it have the wrong permissions?
>
>
>> >
>> > [Tue Sep 13 16:19:25] [*_root at DC01/var/log/samba$_*] net ads
testjoin
>> > kerberos_kinit_password HOME at HOME.ROB-CAMPBELL.LAN failed:
Client not
>> > found in Kerberos database
>> > Join to domain is not valid: The name provided is not a properly
formed
>> > account name.
>> >
>> > DC01 us the DC
>>
>> And 'net ads testjoin' doesn't work on a DC.
>> Rowland
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>

On 13/09/2022 22:08, Rob Campbell wrote:
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In all things, Be Intentional.
> 
> 
> On Tue, Sep 13, 2022 at 4:33 PM Rowland Penny via samba 
> <samba at lists.samba.org <mailto:samba at lists.samba.org>>
wrote:
> 
> 
> 
>     On 13/09/2022 21:22, Rob Campbell wrote:
>      > [Tue Sep 13 16:15:43] [*root at dc02~$*] net ads testjoin
>      > Join is OK
> 
>     If I remember correctly, DC02 is a Unix domain member, so that (from
>     info provided) appears to working correctly.
> 
>      >
>      > [Tue Sep 13 16:19:14] [*root at D01~$*] net ads testjoin
>      > ads_connect: No logon servers are currently available to service
the
>      > logon request.
>      > Join to domain is not valid: No logon servers are currently
>     available to
>      > service the logon request.
> 
>     Can you go here:
>    
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>    
<https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh>
> 
>     Download the script and run it on 'D01'
>     post the output here in a post, do not attach it, this list strips
>     attachments. Sanitise it you must.
> 
> 
> [Tue Sep 13 17:04:30] [root at D01~$] samba-collect-debug-info.sh
> 
> Please wait, collecting debug info.
> 
> Password for Administrator at HOME.ROB-CAMPBELL.LAN:
> Warning: Your password will expire in 41 days on Tue 25 Oct 2022 
> 12:47:59 AM EDT
> Warning: No smb.conf found
> 
> 
> The debug info about your system can be found in this file:
> /tmp/samba-debug-info.txt
> 
> Please check this and if required, sanitise it.
> Then copy & paste it into an ?email to the samba list
> Do not attach it to the email, the Samba mailing list strips attachments.
> 
> [Tue Sep 13 17:04:41] [root at D01~$] smbd -b | grep 'CONFIGFILE' |
awk
> '{print $NF}'
> /etc/samba/smb.conf
> [Tue Sep 13 17:04:45] [root at D01~$] cat /etc/samba/smb.conf
> [global]
> security = ADS
> workgroup = HOME
> realm = HOME.ROB-CAMPBELL.LAN
> 
> log file = /var/log/samba/%m.log
> log level = 1
> 
> idmap config * : backend = autorid
> idmap config * : range = 10000-9999999
> idmap config * : rangesize = 200000
> 
> username map = /etc/samba/user.map
> 
> template shell = /bin/bash
> template homedir = /home/%U
> [Tue Sep 13 17:04:47] [root at D01~$] cat /tmp/samba-debug-info.txt
> Config collected --- 2022-09-13-17:04 -----------
> 
> Hostname: ? D01
> DNS Domain: home.rob-campbell.lan
> Realm: ? ? ?HOME.ROB-CAMPBELL.LAN
> FQDN: ? ? ? d01.home.rob-campbell.lan
> ipaddress: ?10.0.0.18 2600:4040:4666:f900::1406
> 
> -----------
> 
> This computer is running Debian 11.4 x86_64
> 
> -----------
> 
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
> group default qlen 1000
>  ? ? link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>  ? ? inet 127.0.0.1/8 <http://127.0.0.1/8> scope host lo
>  ? ? inet6 ::1/128 scope host
> 2: enp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN
> group default qlen 1000
>  ? ? link/ether c8:0a:a9:0e:93:23 brd ff:ff:ff:ff:ff:ff
> 3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
> state UP group default qlen 1000
>  ? ? link/ether c4:17:fe:4e:1a:8b brd ff:ff:ff:ff:ff:ff
>  ? ? altname wlp2s0
>  ? ? inet 10.0.0.18/24 <http://10.0.0.18/24> brd 10.0.0.255 scope
global
> dynamic noprefixroute wlo1
>  ? ? ? ?valid_lft 83491sec preferred_lft 83491sec
>  ? ? inet6 2600:4040:4666:f900::1406/128 scope global dynamic noprefixroute
>  ? ? ? ?valid_lft 2359sec preferred_lft 559sec
>  ? ? inet6 fe80::7563:2b02:c335:1a7d/64 scope link noprefixroute
> 
> -----------
> 
> Checking file: /etc/hosts
> 
> 127.0.0.1 localhost
> 10.0.0.18 d01.home.rob-campbell.lan d01
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1 ? ? localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> -----------
> 
> Checking file: /etc/resolv.conf
> 
> nameserver 10.0.0.10
> search HOME.ROB-CAMPBELL.LAN
> 
> -----------
> 
> Kerberos SRV _kerberos._tcp.home.rob-campbell.lan record(s) verified ok, 
> sample output:
> Server: 10.0.0.10
> Address: 10.0.0.10#53
> 
> _kerberos._tcp.home.rob-campbell.lan service = 0 100 88 
> dc01.home.rob-campbell.lan.
> 
> -----------
> 
> 'kinit Administrator' checked successfully.
> 
> -----------
> 
> Samba is not being run as a DC or a Unix domain member.
I think that message needs changing, it really means that no Samba 
binaries are running.
> 
> -----------
> 
> Checking file: /etc/krb5.conf
> 
> [libdefaults]
> default_realm = HOME.ROB-CAMPBELL.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> 
> -----------
> 
> Checking file: /etc/nsswitch.conf
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
installed, try:
> # `info libc "Name Service Switch"' for information about
this file.
> 
> passwd: ? ? ? ? files winbind systemd sss
> group: ? ? ? ? ?files winbind systemd sss
> shadow: ? ? ? ? files sss
> gshadow: ? ? ? ?files
> 
> hosts: ? ? ? ? ?files mdns4_minimal [NOTFOUND=return] dns myhostname
> networks: ? ? ? files
> 
> protocols: ? ? ?db files
> services: ? ? ? db files sss
> ethers: ? ? ? ? db files
> rpc: ? ? ? ? ? ?db files
> 
> netgroup: ? ? ? nis sss
> automount: ? ? ?sss
> 
I would remove all the 'sss'
> -----------
> 
> 
> Time on the DC with PDC Emulator role is: 2022-09-13T17:04:40
> 
> 
> Time on this computer is: ? ? ? ? ? ? ? ? 2022-09-13T17:04:41
> 
> 
> Time verified ok, within the allowed 300sec margin.
> Time offset is currently : 0 seconds
> 
> -----------
> 
> Installed packages:
> ii ?acl ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 2.2.53-10             
>  ? ? ? ? ? ?amd64 ? ? ? ?access control list - utilities
> ii ?attr ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?1:2.4.48-6             
>  ? ? ? ? ? amd64 ? ? ? ?utilities for manipulating filesystem extended 
> attributes
> ii ?fonts-quicksand ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0.2016-2.1             
>  ? ? ? ? ? all ? ? ? ? ?sans-serif font with round attributes
> ii ?kde-spectacle ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 20.12.3-1             
>  ? ? ? ? ? ?amd64 ? ? ? ?Screenshot capture utility
> ii ?krb5-config ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 2.6+nmu1               
>  ? ? ? ? ? all ? ? ? ? ?Configuration files for Kerberos Version 5
> ii ?krb5-locales ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?1.18.3-6+deb11u1       
>  ? ? ? ? ? all ? ? ? ? ?internationalization support for MIT Kerberos
> ii ?krb5-user ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 1.18.3-6+deb11u1       
>  ? ? ? ? ? amd64 ? ? ? ?basic programs to authenticate using MIT Kerberos
> ii ?libacl1:amd64 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 2.2.53-10             
>  ? ? ? ? ? ?amd64 ? ? ? ?access control list - shared library
> ii ?libattr1:amd64 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?1:2.4.48-6             
>  ? ? ? ? ? amd64 ? ? ? ?extended attribute handling - shared library
> ii ?libgssapi-krb5-2:amd64 ? ? ? ? ? ? ? ? ? ? ? ?1.18.3-6+deb11u1       
>  ? ? ? ? ? amd64 ? ? ? ?MIT Kerberos runtime libraries - krb5 GSS-API 
> Mechanism
> ii ?libkrb5-3:amd64 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 1.18.3-6+deb11u1       
>  ? ? ? ? ? amd64 ? ? ? ?MIT Kerberos runtime libraries
> ii ?libkrb5support0:amd64 ? ? ? ? ? ? ? ? ? ? ? ? 1.18.3-6+deb11u1       
>  ? ? ? ? ? amd64 ? ? ? ?MIT Kerberos runtime libraries - Support library
> ii ?libmoox-aliases-perl ? ? ? ? ? ? ? ? ? ? ? ? ?0.001006-1.1           
>  ? ? ? ? ? all ? ? ? ? ?easy aliasing of methods and attributes in Moo
> ii ?libnss-winbind:amd64                         
>  ?2:4.13.13+dfsg-1~deb11u5 ? ? ? ? amd64 ? ? ? ?Samba nameservice 
> integration plugins
> ii ?libpam-krb5:amd64 ? ? ? ? ? ? ? ? ? ? ? ? ? ? 4.9-2                 
>  ? ? ? ? ? ?amd64 ? ? ? ?PAM module for MIT Kerberos
> ii ?libpam-winbind:amd64                         
>  ?2:4.13.13+dfsg-1~deb11u5 ? ? ? ? amd64 ? ? ? ?Windows domain 
> authentication integration plugin
> ii ?libsmbclient:amd64                           
>  ?2:4.13.13+dfsg-1~deb11u5 ? ? ? ? amd64 ? ? ? ?shared library for 
> communication with SMB/CIFS servers
> ii ?libwbclient0:amd64                           
>  ?2:4.13.13+dfsg-1~deb11u5 ? ? ? ? amd64 ? ? ? ?Samba winbind client
library
> ii ?python3-nacl ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?1.4.0-1+b1             
>  ? ? ? ? ? amd64 ? ? ? ?Python bindings to libsodium (Python 3)
> ii ?python3-pylibacl:amd64 ? ? ? ? ? ? ? ? ? ? ? ?0.6.0-1+b1             
>  ? ? ? ? ? amd64 ? ? ? ?module for manipulating POSIX.1e ACLs (Python3 
> version)
> ii ?python3-pyxattr:amd64 ? ? ? ? ? ? ? ? ? ? ? ? 0.7.2-1+b1             
>  ? ? ? ? ? amd64 ? ? ? ?module for manipulating filesystem extended 
> attributes (Python3)
> ii ?python3-samba                                 
> 2:4.13.13+dfsg-1~deb11u5 ? ? ? ? amd64 ? ? ? ?Python 3 bindings for Samba
> ii ?samba                                         
> 2:4.13.13+dfsg-1~deb11u5 ? ? ? ? amd64 ? ? ? ?SMB/CIFS file, print, and 
> login server for Unix
> ii ?samba-common                                 
>  ?2:4.13.13+dfsg-1~deb11u5 ? ? ? ? all ? ? ? ? ?common files used by 
> both the Samba server and client
> ii ?samba-common-bin                             
>  ?2:4.13.13+dfsg-1~deb11u5 ? ? ? ? amd64 ? ? ? ?Samba common files used 
> by both the server and the client
> ii ?samba-dsdb-modules:amd64                     
>  ?2:4.13.13+dfsg-1~deb11u5 ? ? ? ? amd64 ? ? ? ?Samba Directory Services 
> Database
> ii ?samba-libs:amd64                             
>  ?2:4.13.13+dfsg-1~deb11u5 ? ? ? ? amd64 ? ? ? ?Samba core libraries
> ii ?samba-vfs-modules:amd64                       
> 2:4.13.13+dfsg-1~deb11u5 ? ? ? ? amd64 ? ? ? ?Samba Virtual FileSystem 
> plugins
> ii ?smbclient                                     
> 2:4.13.13+dfsg-1~deb11u5 ? ? ? ? amd64 ? ? ? ?command-line SMB/CIFS 
> clients for Unix
> ii ?sssd-krb5 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 2.4.1-2               
>  ? ? ? ? ? ?amd64 ? ? ? ?System Security Services Daemon -- Kerberos 
> back end
> ii ?sssd-krb5-common ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?2.4.1-2               
>  ? ? ? ? ? ?amd64 ? ? ? ?System Security Services Daemon -- Kerberos
helpers
> ii ?vlc-plugin-samba:amd64 ? ? ? ? ? ? ? ? ? ? ? ?3.0.17.4-0+deb11u1     
>  ? ? ? ? ? amd64 ? ? ? ?Samba plugin for VLC
> ii ?winbind                                       
> 2:4.13.13+dfsg-1~deb11u5 ? ? ? ? amd64 ? ? ? ?service to resolve user 
> and group information from Windows NT servers
> 
> -----------
> 
> I did fix some things but after fixing I ran it again.? Why does it 
> think I have no samba file?? Does it have the wrong permissions?
> 
>
They are good questions, why can the script not find the smb.conf ?
What does 'testparm -s' produce ?
The permissions on the smb.conf should be '-rw-r--r--' and owned by 
'root:root'

Rowland