[Samba] Joining Ubuntu Server to Domain - "kinit succeeded but ads_sasl_spnego_gensec_bind failed"

I'm currently attempting to join an Ubuntu server to an AD domain,
eventually with the intention of allowing Windows-based domain members to
access a Samba share using their AD credentials (as specified in the Wiki
article "Setting Up Samba as a Domain Member"). The DC is running on Windows
(not Samba) and has DHCP/DNS running on a separate Linux server (using
BIND). The DC (dc0/dc0.corp.company.internal) has authority within the
"CORP" zone, which is also being used as the name of the domain itself.

Kerberos kinit/klist appear to work fine:

<-----------------------
root@samba:~# kinit
Password for administrator@CORP.COMPANY.INTERNAL:

root@samba:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@CORP.COMPANY.INTERNAL

Valid starting       Expires              Service principal
04/11/2019 00:10:39  04/11/2019 00:20:33
krbtgt/CORP.COMPANY.INTERNAL@CORP.COMPANY.INTERNAL
----------------------->

DNS appears to be working properly as well.

My assumption is that the issue is with smb.conf, as I was able to join
before. I didn't realize this at the time as there were still some less
significant errors - so I continued to change the smb.conf file to get it
to "work." Unfortunately, I do not have/did not save the configuration
which actually worked. I'm trying to get it back to that stage, but am not
sure what's actually wrong in order to diagnose it.

Everything in the Wiki guide seems to work until "Configuring Samba" and
the steps that follow. There are several sets of errors I believe to be
most important, first from "net ads join:"

<-----------------------
root@samba:/etc/samba# net ads join -U administrator
Enter administrator's password:
gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous
failure (see text): Message stream modified](______)
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dc0
with user[administrator] realm[CORP.COMPANY.INTERNAL]: The attempted logon
is invalid. This is either due to a bad username or authentication
information.
Failed to join domain: failed to connect to AD: The attempted logon is
invalid. This is either due to a bad username or authentication information.
----------------------->

Second, I get an error when I attempt to start Winbind when the line
"security = ads" is in the smb.conf file:

<-----------------------
systemd[1]: Starting Samba Winbind Daemon...
winbindd[22323]: [0]
../source3/winbindd/winbindd_cache.c:3170(initialize_winbindd_cache)
winbindd[22323]:   initialize_winbindd_cache: clearing cache and
re-creating with version number 2
winbindd[22323]: [0]
../source3/winbindd/winbindd_util.c:891(init_domain_list)
winbindd[22323]:   Could not fetch our SID - did we join?
winbindd[22323]: [0]
../source3/winbindd/winbindd.c:1366(winbindd_register_handlers)
winbindd[22323]:   unable to initialize domain list
systemd[1]: winbind.service: Main process exited, code=exited,
status=1/FAILURE
systemd[1]: winbind.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Samba Winbind Daemon.
----------------------->

Additionally, when I try doing "net ads join -k -S" without winbind running
I get the following results:

<-----------------------
root@samba:~# net ads join -k -S 192.168.1.230
Kerberos auth with 'root@CORP.COMPANY.INTERNAL'
(CORP.COMPANY.INTERNAL\root) to access '192.168.1.230' not possible
Failed to join domain: failed to lookup DC info for domain
'CORP.COMPANY.INTERNAL' over rpc: {Access Denied} A process has requested
access to an object but has not been granted those access rights
----------------------->

Here is my current smb.conf file:

<-----------------------
[global]
        workgroup = CORP
        password server = dc0.corp.company.internal
        realm = CORP.COMPANY.INTERNAL
        security = ads

        idmap config * : range = 16777216-33554431
        template homedir = /home/%U
        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false

        dns proxy = No
        log file = /var/log/samba/log.%m
        map to guest = Bad User
        max log size = 1000
        obey pam restrictions = Yes
        pam password change = Yes
        panic action = /usr/share/samba/panic-action %d
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        passwd program = /usr/bin/passwd %u
        server role = standalone server
        server string = %h server (Samba, Ubuntu)
        syslog = 0
        unix password sync = Yes
        usershare allow guests = Yes
        idmap config * : backend = tdb
----------------------->

I am currently assuming (due to prior success) that the problem is not with
the DNS/DC configuration but rather with the client/member configuration,
most likely smb.conf and potentially krb5.conf.

I'm not sure if it's an issue with Ubuntu 18.04 and Winbind/Samba versions,
something about which Winbind backend I use (ad/rid/autorid) or if it would
be a better idea to use SSSD or something instead of Winbind. I might be
following the steps in the Samba wiki guide incorrectly, but I've attempted
them multiple times and unfortunately I haven't been able to figure out
exactly what I'm doing wrong.

Thanks in advance and apologies for the long message!
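A small check of the posted smb.conf against the domain-member settings the Samba wiki guide expects: an added example, not code from the post or from Samba. The parser is a minimal stand-in for Samba's own, and the idmap values in the second, reworked config are constructed rather than taken from the post.

```python
import re
# Constructed sample: the [global] keys from the posted smb.conf that the checks look at.
POSTED_SMB_CONF = """[global]
        workgroup = CORP
        security = ads
        idmap config * : range = 16777216-33554431
        idmap config * : backend = tdb
        server role = standalone server
"""
# Constructed sample reworked along the lines of the wiki's domain-member example (rid backend).
MEMBER_SMB_CONF = """[global]
        workgroup = CORP
        security = ads
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config CORP : backend = rid
        idmap config CORP : range = 10000-999999
"""

def parse_global(text):
    # Keys are lower-cased with whitespace squeezed, so "idmap config * : backend"
    # matches however the author spaced it; only '=' separates key and value.
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            settings[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return settings

def lint_domain_member(settings):
    # Findings that stop a "security = ads" config working as an AD domain member.
    findings = []
    role = settings.get("server role", "").lower()
    if settings.get("security", "").lower() == "ads" and role not in ("", "member server"):
        findings.append(f"'security = ads' conflicts with 'server role = {role}'")
    domain = settings.get("workgroup", "").lower()
    if domain and f"idmap config {domain} : backend" not in settings:
        findings.append(f"no 'idmap config {domain.upper()} : backend' (ad, rid or autorid) beside '*'")
    ranges = [settings.get(k) for k in ("idmap config * : range", f"idmap config {domain} : range")]
    if all(ranges):
        (a, b), (c, d) = [tuple(int(x) for x in r.split("-", 1)) for r in ranges]
        if a <= d and c <= b:  # closed intervals intersect
            findings.append("'*' and domain idmap ranges overlap")
    return findings
```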