
Re: [Samba] Joining Samba4 to existing AD
Hi Rowland, thanks for your reply.

I tried the command as suggested, and this is what I get:


[root@dc-02 ~]# samba-tool domain join EXAMPLE.COM DC -UAdministrator
 --realm=EXAMPLE.COM --dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'EXAMPLE.COM'
Found DC dc-01.example.com
Password for [WORKGROUP\Administrator]:
workgroup is EXAMPLE
realm is example.com
Adding CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
Adding
CN=LIM-INF1-DNS-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Join failed - cleaning up
Deleted CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
CN=Sites,CN=Configuration,DC=example,DC=com <0000208D: NameErr:
DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
        'CN=Sites,CN=Configuration,DC=example,DC=com'
> <>
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 652, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
1253, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
1151, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
593, in join_add_objects
    ctx.samdb.add(rec)



This is the content of /etc/hosts


[root@dc-02 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4
localhost4.localdomain4 dc-02.example.com dc-02
::1         localhost localhost.localdomain localhost6
localhost6.localdomain6
10.3.251.19     dc-01.example.com  dc-01


Also, I tried enabling debug level 3:


[root@dc-02 ~]# samba-tool domain join EXAMPLE.COM DC -UAdministrator
 --realm=EXAMPLE.COM --dns-backend=SAMBA_INTERNAL --debug 3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'EXAMPLE.COM'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.EXAMPLE.COM
<0x0>
Found DC dc-01.example.com
resolve_lmhosts: Attempting lmhosts lookup for name dc-01.example.com<0x20>
Password for [WORKGROUP\Administrator]:
Aquiring initiator credentials failed: kinit for Administrator@xxxxxxxxxxx
failed (Wrong realm)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_UNSUCCESSFUL
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
workgroup is EXAMPLE
realm is example.com
Adding CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
Adding
CN=LIM-INF1-DNS-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine
account password for EXAMPLE from both secrets.ldb (Could not find entry to
match filter: '(&(flatname=EXAMPLE)(objectclass=primaryDomain))' base:
'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4575) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
CN=Sites,CN=Configuration,DC=example,DC=com <0000208D: NameErr:
DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
        'CN=Sites,CN=Configuration,DC=example,DC=com'
> <>
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 652, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
1253, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
1151, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
593, in join_add_objects
    ctx.samdb.add(rec)


I see some lines mentioning kinit auth, but I tried to get a new ticket and
it worked


[root@dc-02 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxx

Valid starting       Expires              Service principal
04/12/2017 11:39:06  04/12/2017 21:39:06  krbtgt/EXAMPLE.COM@xxxxxxxxxxx
        renew until 04/13/2017 11:38:59



This machine does not get its IP from DHCP, but yes, it is managed by
Network Manager, but IP and DNS config are static values.


On 11 April 2017 at 12:38, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
wrote:

> On Tue, 11 Apr 2017 12:15:43 -0500
> Erick Ocrospoma via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > Hi,
> >
> > I tried with the latest stable 4.5.x, but with no success.
> >
> > Do you think you could share your smb.conf ? and also how you built
> > from source?
> > I suspect there's something missing in the KRB5 for Samba (due to KDC
> > error messages).
> >
>
> Try it like this:
>
> samba-tool domain join EXAMPLE.COM DC -UAdministrator
> --realm=EXAMPLE.COM --dns-backend=SAMBA_INTERNAL
>
> If that doesn't work, can you post /etc/hosts, can you also explain why
> you are allowing Network-Manager to set /etc/resolv.conf, does the soon
> to be a DC get its IP from DHCP ??
>
> Does smb.conf already exist? It shouldn't.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



-- 


Erick.


-------------------------------------------
IRC     :   zerick
Blog    : http://zerick.me
About :  http://about.me/zerick
Linux User ID :  549567
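As an added example (not code from this thread or from Samba), a small parser that reads the failing "Adding" DN and the server's "best match" DN out of the samba-tool output quoted above and lists the containers the existing directory does not have; the sample text is constructed from the join output in this message, and the site-name lookup assumes the site RDN sits directly under CN=Sites as it does in that DN.

```python
import re

# Constructed sample: the relevant lines of the failed join quoted in this thread.
SAMPLE_OUTPUT = """\
Adding CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
Adding
CN=LIM-INF1-DNS-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Join failed - cleaning up
Deleted CN=LIM-INF1-DNS-02,OU=Domain Controllers,DC=example,DC=com
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -
CN=Sites,CN=Configuration,DC=example,DC=com <0000208D: NameErr:
DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
        'CN=Sites,CN=Configuration,DC=example,DC=com'
"""


def dn_components(dn):
    """Split a DN into its RDN components, most specific first."""
    return [c.strip() for c in dn.split(",") if c.strip()]


def parse_join_failure(output):
    """Return (failed_dn, best_match_dn, missing_parents) from samba-tool output.

    samba-tool wraps long lines, so 'Adding' and its DN may be on separate
    lines; \\s+ in the pattern absorbs the line break. The DN that failed is
    the last one added before 'Join failed'.
    """
    head = output.split("Join failed", 1)[0]
    added = re.findall(r"Adding\s+([^\n]+)", head)
    match = re.search(r"best match of:\s*'([^']+)'", output)
    if not added or not match:
        raise ValueError("no 'Adding' DN or 'best match' found in output")
    failed_dn, best_match = added[-1].strip(), match.group(1)

    target = dn_components(failed_dn)
    existing = dn_components(best_match)
    # The server reports the deepest ancestor it could find; it must be a
    # suffix of the DN we tried to add, otherwise this error is not ours.
    if [c.lower() for c in target[-len(existing):]] != [c.lower() for c in existing]:
        raise ValueError("best match is not a suffix of the failed DN")
    # Every RDN between the leaf object and the best match is a container
    # the directory does not have.
    missing_parents = target[1:len(target) - len(existing)]
    return failed_dn, best_match, missing_parents


def missing_site(output):
    """Name of the AD site the join assumed, if it is among the missing containers."""
    failed_dn, _, missing = parse_join_failure(output)
    target = dn_components(failed_dn)
    idx = [c.lower() for c in target].index("cn=sites")  # assumption: site RDN is just above CN=Sites
    site_rdn = target[idx - 1]
    return site_rdn.split("=", 1)[1] if site_rdn in missing else None
```

Running it on the quoted output reports CN=Servers and CN=Default-First-Site-Name as the containers the existing forest lacks, which is the level below CN=Sites that the LDAP error names as its best match.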