On 04.08.23 12:59, Rowland Penny via samba wrote:
>
> On 04/08/2023 11:50, basti via samba wrote:
>>
>>
>> On 04.08.23 12:37, Rowland Penny via samba wrote:
>>>
>>>
>>> On 04/08/2023 11:21, basti via samba wrote:
>>>> Hello,
>>>> yesterday I setup a AD DC.
>>>> Today I try to add a Fileserver to the AD.
>>>>
>>>> https://wiki.samba.org/index.php/Idmap_config_ad
>>>>
>>>> smb.conf:
>>>>
>>>> [global]
>>>>
>>>>     security = ADS
>>>>     workgroup = NET
>>>>     realm = NET.EXAMPLE.COM
>>>>
>>>>     log file = /var/log/samba/%m.log
>>>>     log level = 1
>>>>
>>>>     # Default ID mapping configuration for local BUILTIN accounts
>>>>     # and groups on a domain member. The default (*) domain:
>>>>     # - must not overlap with any domain ID mapping configuration!
>>>>     # - must use a read-write-enabled back end, such as tdb.
>>>>     idmap config * : backend = tdb
>>>>     idmap config * : range = 3000-7999
>>>>     # - You must set a DOMAIN backend configuration
>>>>     # idmap config for the NET domain
>>>>     idmap config NET:backend = ad
>>>>     idmap config NET:schema_mode = rfc2307
>>>>     idmap config NET:range = 10000-999999
>>>>     idmap config NET:unix_nss_info = yes
>>>>
>>>>     vfs objects = acl_xattr
>>>>     map acl inherit = yes
>>>>     store dos attributes = yes
>>>>
>>>> [homes]
>>>>     comment = Home Directories
>>>>     browseable = no
>>>>
>>>> root at fs:/var/lib/samba# cat /etc/krb5.conf
>>>> [libdefaults]
>>>>     default_realm = NET.EXAMPLE.COM
>>>>     dns_lookup_realm = false
>>>>     dns_lookup_kdc = true
>>>> root at fs:/var/lib/samba#
>>>>
>>>> root at fs:/var/lib/samba# net ads join -U Administrator
>>>> Password for [NET\Administrator]:
>>>> Failed to join domain: failed to lookup DC info for domain
>>>> 'NET.EXAMPLE:COM' over rpc: Indicates the SID structure is not valid.
>>>>
>>>> DNS also works as expected.
>>>> All tests done on
>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>>> are OK
>>>>
>>>>
>>>>
>>>
>>> I take it this is 4.17.9 on bookworm (as your DC was).
>>> Have you added any rfc2307 attributes to AD ?
>>> If you temporarily change to the 'rid' idmap backend, does the join
>>> then work ?
>>>
>>> Rowland
>>>
>>
>> Yes, it is bookworm, sorry.
>> I set up the DC with --use-rfc2307.
>> Temporarily changing to the 'rid' idmap backend did not help, the
>> error is the same.
>>
>>
>> Something seems wrong here:
>>
>> root at dc1:~# net rpc info -U Administrator
>> Password for [NET\Administrator]:
>> Could not connect to server DC1
>> Connection failed: NT_STATUS_INVALID_SID
>> root at dc1:~#
>>
>
> I cannot remember ever having that problem.
> Is Samba running at this point? If it is, stop it and try the join again.
> Check that you can ping the DC.
> Check that /etc/resolv.conf is using the DC as its first nameserver
> Check that /etc/hosts is set up correctly
>
> Rowland
>
I get this error on both the DC and the other PC I try to join.
I can ping the DC, DNS (dig) works, resolv.conf is OK, /etc/hosts looks good.
Samba is running on the DC; on the other PC there is no smbd/nmbd/winbindd.
root at dc1:~# wbinfo --name-to-sid Administrator
S-1-5-21-3817776203-2382255991-3851830574-500 SID_USER (1)
On the DC this works.
It seems to be a problem with RPC; ADS is working:
root at dc1:~# net ads info -U Admininistrator
Password for [NET\Admininistrator]:
LDAP server: 192.168.22.23
LDAP server name: dc1.net.example.com
Realm: NET.EXAMPLE.COM
Bind Path: dc=NET,dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Fri, 04 Aug 2023 13:12:56 CEST
KDC server: 192.168.22.23
Server time offset: 0
Last machine account password change: Thu, 03 Aug 2023 13:23:31 CEST
root at dc1:~#
But I can't join via ADS:
root at fs:~# net ads join -U Admininistrator
Password for [NET\Admininistrator]:
Failed to join domain: failed to lookup DC info for domain
'NET.EXAMPLE.COM' over rpc: The attempted logon is invalid. This is
either due to a bad username or authentication information.
root at fs:~#
The PC I try to join logs the following on the DC:
[2023/08/04 12:49:01.800779, 0]
../../source4/auth/unix_token.c:95(security_token_to_unix_token)
Unable to convert first SID
(S-1-5-21-3817776203-2382255991-3851830574-500) in user token to a UID.
Conversion was returned as type 0, full token:
[2023/08/04 12:49:01.800870, 0]
../../libcli/security/security_token.c:51(security_token_debug)
Security token SIDs (14):
SID[ 0]: S-1-5-21-3817776203-2382255991-3851830574-500
SID[ 1]: S-1-5-21-3817776203-2382255991-3851830574-513
SID[ 2]: S-1-5-21-3817776203-2382255991-3851830574-512
SID[ 3]: S-1-5-21-3817776203-2382255991-3851830574-572
SID[ 4]: S-1-5-21-3817776203-2382255991-3851830574-518
SID[ 5]: S-1-5-21-3817776203-2382255991-3851830574-519
SID[ 6]: S-1-5-21-3817776203-2382255991-3851830574-520
SID[ 7]: S-1-18-1
SID[ 8]: S-1-1-0
SID[ 9]: S-1-5-2
SID[ 10]: S-1-5-11
SID[ 11]: S-1-5-32-544
SID[ 12]: S-1-5-32-545
SID[ 13]: S-1-5-32-554
Privileges (0x 1FFFFF00):
Privilege[ 0]: SeTakeOwnershipPrivilege
Privilege[ 1]: SeBackupPrivilege
Privilege[ 2]: SeRestorePrivilege
Privilege[ 3]: SeRemoteShutdownPrivilege
Privilege[ 4]: SeSecurityPrivilege
Privilege[ 5]: SeSystemtimePrivilege
Privilege[ 6]: SeShutdownPrivilege
Privilege[ 7]: SeDebugPrivilege
Privilege[ 8]: SeSystemEnvironmentPrivilege
Privilege[ 9]: SeSystemProfilePrivilege
Privilege[ 10]: SeProfileSingleProcessPrivilege
Privilege[ 11]: SeIncreaseBasePriorityPrivilege
Privilege[ 12]: SeLoadDriverPrivilege
Privilege[ 13]: SeCreatePagefilePrivilege
Privilege[ 14]: SeIncreaseQuotaPrivilege
Privilege[ 15]: SeChangeNotifyPrivilege
Privilege[ 16]: SeUndockPrivilege
Privilege[ 17]: SeManageVolumePrivilege
Privilege[ 18]: SeImpersonatePrivilege
Privilege[ 19]: SeCreateGlobalPrivilege
Privilege[ 20]: SeEnableDelegationPrivilege
Rights (0x 403):
Right[ 0]: SeInteractiveLogonRight
Right[ 1]: SeNetworkLogonRight
Right[ 2]: SeRemoteInteractiveLogonRight
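As an added example (not code from the thread or from Samba itself): a small Python check that applies the rules stated in the quoted smb.conf comments to that configuration, tells which idmap domain would handle the SIDs seen in the DC's security token, and computes the ID the 'rid' backend Rowland suggested would hand out for the Administrator SID. The function names and the constructed smb.conf excerpt are mine; the SIDs and ranges come from the thread.

```python
import re
# Constructed sample: the idmap lines of the smb.conf quoted in the thread.
SMB_CONF = """
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config NET:backend = ad
    idmap config NET:schema_mode = rfc2307
    idmap config NET:range = 10000-999999
    idmap config NET:unix_nss_info = yes
"""
# Domain SID prefix taken from the DC log quoted in the thread.
DOMAIN_SID = "S-1-5-21-3817776203-2382255991-3851830574"
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    idmap = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            idmap.setdefault(dom, {})[opt.lower()] = val
    return idmap

def parse_range(text):
    return tuple(int(x) for x in text.split("-"))

def check_idmap(idmap):
    """Rules from the smb.conf comments: '*' needs a read-write backend
    (tdb) and no two idmap ranges may overlap."""
    problems = []
    if idmap.get("*", {}).get("backend") != "tdb":
        problems.append("default (*) backend must be tdb")
    ranges = {d: parse_range(o["range"]) for d, o in idmap.items() if "range" in o}
    doms = list(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems

def idmap_domain_for(sid, workgroup):
    """Joined-domain SIDs use the workgroup's idmap config; BUILTIN (S-1-5-32-*) and other well-known SIDs use '*'."""
    return workgroup if sid.startswith(DOMAIN_SID + "-") else "*"

def rid_backend_uid(sid, idmap, workgroup):
    """'rid' backend ID = RID + low end of the domain range (base_rid 0); None if out of range."""
    lo, hi = parse_range(idmap[workgroup]["range"])
    uid = lo + int(sid.rsplit("-", 1)[1])
    return uid if uid <= hi else None
```

With the 'ad' backend actually configured here the ID comes from the user's uidNumber attribute in AD, which a config check like this cannot see; only the 'rid' mapping is computable from smb.conf alone.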