samba - Nov 2024 - First Linux Machine Domain Join

On Sat, 16 Nov 2024 15:44:12 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> On 11/16/24 11:59, Rowland Penny via samba wrote:
> > Samba doesn't start any daemons on a Unix domain member, you have
> > to do it yourself.
> 
> I did. My Gentoo samba service scripts starts smbd and nmbd. Oh. Ugh. 
It isn't really required to run nmbd now, it is the NetBIOS deamon and
isn't really used. You just need to start the smbd and winbindd deamons.
> Sorry. Found an untweaked option in the samba service script 
> configuration file--that I had apparently known about while setting
> up the AD DC--which was necessary to start winbindd. It's now
> running, and the wbinfo and getent utilities are now behaving better:
> 
>  ??? terra ~ # wbinfo --ping-dc
>  ??? checking the NETLOGON for domain[HOME] dc connection to 
> "ceres.home.graham-family.org" succeeded
> terra ~ # getent passwd SAMDOM\\jgraham 
> HOME\jgraham:*:10000:11001::/home/jgraham:/bin/bash
> 
> >> Sorry but that is incorrect, it should be 'security = ADS'
> 
> Thanks; fixed.
> 
> I've been following the Samba Member Server Troubleshooting wiki page 
> and have resolved almost everything. The only thing I've got at the 
> moment that's undiagnosed is getting the domain join to be completely 
> clean:
> 
> terra ~ # net ads leave -U Administrator Deleted account for
'TERRA'
> in realm 'SAMDOM.EXAMPLE.COM terra ~ # net ads join -U Administrator
> Using short domain name -- SAMDOM Joined 'TERRA' to dns domain 
> 'samdom.example.com' DNS Update for terra.samdom.example.com
failed:
> ERROR_DNS_UPDATE_FAILED DNS update failed: NT_STATUS_UNSUCCESSFUL
> 
> /var/log/samba/log.winbindd shows:
> 
> [2024/11/16 15:18:03.248389, 1] 
> ../../source3/winbindd/winbindd_getpwuid.c:118(winbindd_getpwuid_recv) 
> Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER [2024/11/16 
> 15:18:03.248560, 1] 
>
../../source3/winbindd/winbindd_getpwuid.c:83(winbindd_getpwuid_uid2sid_done)
> Failed with NT_STATUS_NO_SUCH_USER.
> 
> > That is usually caused by a mis-configuration of /etc/hosts.
> My /etc/hosts is, I think, exactly correct:
> 
> 127.0.0.1 localhost ::1 localhost
> 
> (Note that this machine uses dhcpcd to get its IP address and the 
> contents of /etc/resolv.conf.)
If by 'dhcpcd' you mean dhcpdc5, then I could never get that to work, I
always removed it, but you might.

What should work (well it does on Debian), 'hostname -s' should produce
the computers short hostname, 'hostname -d' should produce the dns
domain name, 'hostname -i' should produce the computers ipaddress (but
could possibly give 127.0.0.1), 'hostname -I' should also produce the
ipaddress (but could give more)

Rowland

On 11/16/24 16:15, Rowland Penny via samba wrote:
> It isn't really required to run nmbd now, it is the NetBIOS deamon and
> isn't really used. You just need to start the smbd and winbindd
deamons.
Understood. I'm working on getting Gentoo's configuration defaults
changed.
>> (Note that this machine uses dhcpcd to get its IP address and the
>> contents of /etc/resolv.conf.)
> If by 'dhcpcd' you mean dhcpdc5, then I could never get that to
work, I
> always removed it, but you might.
It works very well "out of the box" here; a Gentoo developer is the 
current maintainer. Then again, it's at version 10.1.0 now.
> What should work (well it does on Debian), 'hostname -s' should
produce
> the computers short hostname, 'hostname -d' should produce the dns
> domain name, 'hostname -i' should produce the computers ipaddress
(but
> could possibly give 127.0.0.1), 'hostname -I' should also produce
the
> ipaddress (but could give more)
>
All of these produce the output you've described, except for the last 
one because Gentoo's hostname (from the net-utils package) doesn't have 
an -I option.

I've been working through the Testing Dynamic DNS Updates wiki page. I'm
getting a slew of "TSIG error with server: tsig verify failure"
messages
from that:

 ??? ceres ~ # samba_dnsupdate --verbose --all-names --debuglevel=10
 ??? ...
 ??? 29 DNS updates and 0 DNS deletes needed
 ??? ldb_wrap open of secrets.ldb
 ??? Received smb_krb5 packet of length 352
 ??? Received smb_krb5 packet of length 285
 ??? kinit for CERES$@SAMDOM.EXAMPLE.COM succeeded
 ??? GENSEC backend 'gssapi_spnego' registered
 ??? GENSEC backend 'gssapi_krb5' registered
 ??? GENSEC backend 'gssapi_krb5_sasl' registered
 ??? GENSEC backend 'spnego' registered
 ??? GENSEC backend 'schannel' registered
 ??? GENSEC backend 'ncalrpc_as_system' registered
 ??? GENSEC backend 'sasl-EXTERNAL' registered
 ??? GENSEC backend 'ntlmssp' registered
 ??? GENSEC backend 'ntlmssp_resume_ccache' registered
 ??? GENSEC backend 'http_basic' registered
 ??? GENSEC backend 'http_ntlm' registered
 ??? GENSEC backend 'http_negotiate' registered
 ??? GENSEC backend 'krb5' registered
 ??? GENSEC backend 'fake_gssapi_krb5' registered
 ??? Starting GENSEC mechanism gssapi_krb5_sasl
 ??? Ticket in credentials cache for CERES$@SAMDOM.EXAMPLE.COM will 
expire in 36000 secs
 ??? gensec_update_send: gssapi_krb5_sasl[0x55641a320e90]: subreq: 
0x5564186e3970
 ??? gensec_update_done: gssapi_krb5_sasl[0x55641a320e90]: 
NT_STATUS_MORE_PROCESSING_REQUIRED 
tevent_req[0x5564186e3970/../../source4/auth/gensec/gensec_gssapi.c:1059]: 
state[2] error[0 (0x0)]? state[struct gensec_gssapi_update_state 
(0x5564186e3b50)] timer[(nil)] 
finish[../../source4/auth/gensec/gensec_gssapi.c:1070]
 ??? Successfully obtained Kerberos ticket to 
DNS/ceres.samdom.example.com as CERES$
 ??? update(nsupdate): A ceres.samdom.example.com 192.168.123.250
 ??? Calling nsupdate for A ceres.samdom.example.com 192.168.123.250 (add)
 ??? Starting GENSEC mechanism gssapi_krb5_sasl
 ??? GSSAPI credentials for CERES$@SAMDOM.EXAMPLE.COM will expire in 
36000 secs
 ??? gensec_update_send: gssapi_krb5_sasl[0x55641a320e90]: subreq: 
0x5564186e3970
 ??? gensec_update_done: gssapi_krb5_sasl[0x55641a320e90]: 
NT_STATUS_MORE_PROCESSING_REQUIRED 
tevent_req[0x5564186e3970/../../source4/auth/gensec/gensec_gssapi.c:1059]: 
state[2] error[0 (0x0)]? state[struct gensec_gssapi_update_state 
(0x5564186e3b50)] timer[(nil)] 
finish[../../source4/auth/gensec/gensec_gssapi.c:1070]
 ??? Successfully obtained Kerberos ticket to 
DNS/ceres.samdom.example.com as CERES$
 ??? Outgoing update query:
 ??? ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:????? 0
 ??? ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 ??? ;; UPDATE SECTION:
 ??? ceres.samdom.example.com. 900 IN??? A?? 192.168.123.250

 ??? ; TSIG error with server: tsig verify failure
 ??? Failed nsupdate: 2
 ??? update(nsupdate): CNAME 
86845c01-74f5-4851-be8d-8efa6f3580c4._msdcs.samdom.example.com 
ceres.samdom.example.com
 ??? Calling nsupdate for CNAME 
86845c01-74f5-4851-be8d-8efa6f3580c4._msdcs.samdom.example.com 
ceres.samdom.example.com (add)
 ??? Starting GENSEC mechanism gssapi_krb5_sasl
 ??? GSSAPI credentials for CERES$@SAMDOM.EXAMPLE.COM will expire in 
36000 secs
 ??? gensec_update_send: gssapi_krb5_sasl[0x55641a4e9840]: subreq: 
0x5564186e3970
 ??? gensec_update_done: gssapi_krb5_sasl[0x55641a4e9840]: 
NT_STATUS_MORE_PROCESSING_REQUIRED 
tevent_req[0x5564186e3970/../../source4/auth/gensec/gensec_gssapi.c:1059]: 
state[2] error[0 (0x0)]? state[struct gensec_gssapi_update_state 
(0x5564186e3b50)] timer[(nil)] 
finish[../../source4/auth/gensec/gensec_gssapi.c:1070]
 ??? Successfully obtained Kerberos ticket to 
DNS/ceres.samdom.example.com as CERES$
 ??? Outgoing update query:
 ??? ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:????? 0
 ??? ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 ??? ;; UPDATE SECTION:
86845c01-74f5-4851-be8d-8efa6f3580c4._msdcs.samdom.example.com. 900 IN 
CNAME ceres.samdom.example.com.

 ??? ; TSIG error with server: tsig verify failure
 ??? ...

I saw some earlier list posts about this error but didn't see a 
definitive diagnosis.

- John