[Pkg-samba-maint] Bug#999797: Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server

Michael Evans michael.evans at nor-consult.com
Tue Nov 16 19:05:42 GMT 2021


Package: samba
Version: 2:4.13.13+dfsg-1~deb11u2
Severity: important

A samba-ad-dc has been setup using
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
(with some Debian specific variations).

Samba is being used as the DNS, Kerberos, and LDAP servers.  None of the
external server options were setup or added.


The Active Directory domain worked for a Windows 10 client machine joining
the domain.  It also shows up in the list of computer objects.


Debian 11 (bullseye) samba fails to net ads join to this same domain.

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

If I am reading the debug error message correctly, it's trying to join the
domain, with a machine account it should create by joining the domain?


### obtain kerberos credentials as an admin in the test domain
# kinit r2

### I've tried variations on the net ads join command, as the configuration
seems correct.  -d 10 is very spammy.  PS it stalls for a _long_ time at
Starting GENSEC submechanism gse_krb5
# net ads join -k -d 5
Processing section "[global]"
doing parameter workgroup = NC
doing parameter security = ADS
doing parameter realm = NC.NOR-CONSULT.COM
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter store dos attributes = Yes
doing parameter winbind refresh tickets = Yes
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="V-FS5"
added interface eth0 ip=REDACTED:a800:ff:fe48:dc6f bcast=
netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=fd00:6959:d45d:200::2d bcast=
netmask=ffff:ffff:ffff:ff00::
added interface eth0 ip=fd00:6959:d45d:200:a800:ff:fe48:dc6f bcast=
netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=10.2.0.45 bcast=10.2.255.255 netmask=255.255.0.0
added interface eth1 ip=REDACTED bcast=10.202.255.255 netmask=255.255.0.0
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'V-FS5'
            domain_name              : *
                domain_name              : 'NC.NOR-CONSULT.COM'
            domain_name_type         : JoinDomNameTypeDNS (1)
            account_ou               : NULL
            admin_account            : 'root'
            admin_domain             : NULL
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME  <<<<< Why isn't this flag set as well?
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            os_servicepack           : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            dnshostname              : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x01 (1)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
Opening cache file at /run/samba/gencache.tdb
sitename_fetch: Returning sitename for realm 'NC.NOR-CONSULT.COM':
"Default-First-Site-Name"
saf_fetch: failed to find server for "NC.NOR-CONSULT.COM" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for NC.NOR-CONSULT.COM using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88 
saf_fetch: failed to find server for "NC.NOR-CONSULT.COM" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for NC.NOR-CONSULT.COM using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88 
create_local_private_krb5_conf_for_domain: wrote file
/run/samba/smb_krb5/krb5.conf._JOIN_ with realm NC.NOR-CONSULT.COM KDC list
=             kdc = 10.2.0.35
                kdc = [fd00:6959:d45d:200::23]:88

sitename_fetch: Returning sitename for realm 'NC.NOR-CONSULT.COM':
"Default-First-Site-Name"
name ad-mo3.nc.nor-consult.com#20 found.
Connecting to fd00:6959:d45d:200::23 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 46080
        SO_RCVBUF = 131072
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
        TCP_USER_TIMEOUT = 0
cli_session_setup_spnego_send: Connect to ad-mo3.nc.nor-consult.com as
root at NC.NOR-CONSULT.COM using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
signed SMB2 message
signed SMB2 message
Bind RPC Pipe: host ad-mo3.nc.nor-consult.com auth_type 0, auth_level 1
rpc_api_pipe: host ad-mo3.nc.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host ad-mo3.nc.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host ad-mo3.nc.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 204
rpc_api_pipe: host ad-mo3.nc.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 32
signed SMB2 message
saf_fetch: failed to find server for "nc.nor-consult.com" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for nc.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88 
saf_fetch: failed to find server for "nc.nor-consult.com" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for nc.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88 
create_local_private_krb5_conf_for_domain: wrote file
/run/samba/smb_krb5/krb5.conf.NC with realm NC.NOR-CONSULT.COM KDC list =
kdc = [fd00:6959:d45d:200::23]:88
                kdc = 10.2.0.35

sitename_fetch: Returning sitename for realm 'NC.NOR-CONSULT.COM':
"Default-First-Site-Name"
name ad-mo3.nc.nor-consult.com#20 found.
ads_try_connect: sending CLDAP request to 10.2.0.35 (realm:
nc.nor-consult.com)
Successfully contacted LDAP server 10.2.0.35
Connecting to 10.2.0.35 at port 389
Connected to LDAP server ad-mo3.nc.nor-consult.com
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5

##### It stalls on this line for like 15+ min #####
##### debug level 10 zoom-in #####

Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
#
gensec_update_send: gse_krb5[0x557fe640b800]: subreq: 0x557fe64271c0
gensec_update_send: spnego[0x557fe6402310]: subreq: 0x557fe6426860
gensec_update_done: gse_krb5[0x557fe640b800]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x557fe64271c0/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)]  state[struct gensec_gse_update_state (0x557fe6427370)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
gensec_update_done: spnego[0x557fe6402310]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x557fe6426860/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x557fe6426a10)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
ads_sasl_spnego_gensec_bind(KRB5) failed with: Can't contact LDAP server,
calling kinit
#
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com
with user[root] realm[NC.NOR-CONSULT.COM]: Cannot read password, fallback to
NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp

##### back to debug level 5 #####

ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com
with user[root] realm[NC.NOR-CONSULT.COM]: Cannot read password, fallback to
NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
ads_sasl_spnego_gensec_bind(NTLMSSP) failed for
ldap/ad-mo3.nc.nor-consult.com with user[root] realm=[NC.NOR-CONSULT.COM]:
Can't contact LDAP server
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : 'V-FS5$'
            netbios_domain_name      : 'NC'
            dns_domain_name          : 'nc.nor-consult.com'
            forest_name              : 'nc.nor-consult.com'
            dn                       : NULL
            domain_guid              : 250143d6-aebe-440e-94c5-f27c7af7857b
            domain_sid               : *
                domain_sid               :
S-1-5-21-3458735564-2487305582-1134572456
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: Can't
contact LDAP server'
            domain_is_ad             : 0x01 (1)
            set_encryption_types     : 0x00000000 (0)
            krb5_salt                : NULL
            result                   : WERR_NERR_DEFAULTJOINREQUIRED
return code = -1
Failed to join domain: failed to connect to AD: Can't contact LDAP server

# klist ### r2 has been added to all the groups that Administrator is in,
and was able to join the Windows 10 PC successfully.
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: r2 at NC.NOR-CONSULT.COM

Valid starting       Expires              Service principal
11/16/2021 18:21:38  11/17/2021 04:21:38
krbtgt/NC.NOR-CONSULT.COM at NC.NOR-CONSULT.COM
        renew until 11/17/2021 18:21:36
11/16/2021 18:21:56  11/17/2021 04:21:38
cifs/ad-mo3.nc.nor-consult.com at NC.NOR-CONSULT.COM
11/16/2021 18:22:03  11/17/2021 04:21:38
ldap/ad-mo3.nc.nor-consult.com at NC.NOR-CONSULT.COM

https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

Collected config  --- 2021-11-16-17:56 -----------

Hostname: v-fs5
DNS Domain: nc.nor-consult.com
FQDN: v-fs5.nc.nor-consult.com
ipaddress: 10.2.0.45 REDACTED fd00:6959:d45d:200:a800:ff:fe48:dc6f
REDACTED:a800:ff:fe48:dc6f fd00:6959:d45d:200::2d 

-----------

Kerberos SRV _kerberos._tcp.nc.nor-consult.com record verified ok, sample
output: 
Server:         10.2.0.35
Address:        10.2.0.35#53

_kerberos._tcp.nc.nor-consult.com       service = 0 100 88
ad-mo3.nc.nor-consult.com.
Samba is running as an Unix domain member but 'winbindd' is NOT running.
Check that the winbind package is installed.
       Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 11.1 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state
UP group default qlen 1000
    link/ether REDACTED brd ff:ff:ff:ff:ff:ff
    altname enp0s13
    altname ens13
    inet 10.2.0.45/16 brd 10.2.255.255 scope global eth0
    inet6 fd00:6959:d45d:200:a800:ff:fe48:dc6f/64 scope global dynamic
mngtmpaddr 
    inet6 REDACTED:a800:ff:fe48:dc6f/64 scope global dynamic mngtmpaddr 
    inet6 fd00:6959:d45d:200::2d/56 scope global 
    inet6 fe80::a800:ff:fe48:dc6f/64 scope link 
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state
UP group default qlen 1000
    link/ether REDACTED brd ff:ff:ff:ff:ff:ff
    altname enp0s14
    altname ens14
    inet REDACTED/16 brd REDACTED scope global eth1
    inet6 fe80::REDACTED/64 scope link 

-----------
       Checking file: /etc/hosts

127.0.0.1       localhost
10.2.0.45       v-fs5.nc.nor-consult.com v-fs5
fd00:6959:d45d:0200::2d v-fs5.nc.nor-consult.com v-fs5


# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

       Checking file: /etc/resolv.conf

domain nc.nor-consult.com
search nc.nor-consult.com norconsult.local nor-consult.com
nameserver 10.2.0.35
-----------

       Checking file: /etc/krb5.conf

[libdefaults]
        default_realm = NC.NOR-CONSULT.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

-----------

       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files
group:          files
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
-----------

       Checking file: /etc/samba/smb.conf

[global]
        workgroup = NC
        security = ADS
        realm = NC.NOR-CONSULT.COM
        #server role = member server

        idmap config ad

        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

        winbind refresh tickets = Yes
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        winbind use default domain = yes

        # Only for testing
        winbind enum users = yes
        winbind enum groups = yes

-----------

Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
    Warning, /etc/idmapd.conf does not exist

-----------


Installed packages:
ii  acl                            2.2.53-10                      amd64
access control list - utilities
ii  attr                           1:2.4.48-6                     amd64
utilities for manipulating filesystem extended attributes
ii  krb5-config                    2.6+nmu1                       all
Configuration files for Kerberos Version 5
ii  krb5-user                      1.18.3-6+deb11u1               amd64
basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                  2.2.53-10                      amd64
access control list - shared library
ii  libattr1:amd64                 1:2.4.48-6                     amd64
extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64         1.18.3-6+deb11u1               amd64
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                1.18.3-6+deb11u1               amd64
MIT Kerberos runtime libraries
ii  libkrb5support0:amd64          1.18.3-6+deb11u1               amd64
MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64           2:4.13.13+dfsg-1~deb11u2       amd64
Samba nameservice integration plugins
ii  libpam-krb5:amd64              4.9-2                          amd64
PAM module for MIT Kerberos
ii  libpam-winbind:amd64           2:4.13.13+dfsg-1~deb11u2       amd64
Windows domain authentication integration plugin
ii  libwbclient0:amd64             2:4.13.13+dfsg-1~deb11u2       amd64
Samba winbind client library
ii  python3-samba                  2:4.13.13+dfsg-1~deb11u2       amd64
Python 3 bindings for Samba
ii  samba                          2:4.13.13+dfsg-1~deb11u2       amd64
SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.13.13+dfsg-1~deb11u2       all
common files used by both the Samba server and client
ii  samba-common-bin               2:4.13.13+dfsg-1~deb11u2       amd64
Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64       2:4.13.13+dfsg-1~deb11u2       amd64
Samba Directory Services Database
ii  samba-libs:amd64               2:4.13.13+dfsg-1~deb11u2       amd64
Samba core libraries
ii  samba-vfs-modules:amd64        2:4.13.13+dfsg-1~deb11u2       amd64
Samba Virtual FileSystem plugins
ii  winbind                        2:4.13.13+dfsg-1~deb11u2       amd64
service to resolve user and group information from Windows NT servers

-----------
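Added example, not part of the bug report and not Samba's own code: a small preflight check for a domain-member smb.conf of the kind the collect-debug-info script prints above. It parses the quoted [global] section (embedded here as a constructed string) and flags the things a reviewer would look at before chasing the LDAP bind: `security = ADS`, an upper-case realm, a workgroup, a keytab when `kerberos method` asks for one, and `idmap config` lines in the documented `idmap config DOMAIN : parameter = value` form. On the reported config it reports the bare `idmap config ad` line, which contains no `=` and therefore sets no parameter at all. The corrected variant's idmap ranges are assumed values chosen for illustration; the checker does not claim this line is the cause of the join failure.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the [global] section quoted in the report (not read from disk).
REPORTED_SMB_CONF = """\
[global]
        workgroup = NC
        security = ADS
        realm = NC.NOR-CONSULT.COM
        #server role = member server

        idmap config ad

        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

        winbind refresh tickets = Yes
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
"""

# Same config with the idmap block written in the documented
# 'idmap config DOMAIN : parameter = value' form. The ranges are assumed values.
CORRECTED_SMB_CONF = REPORTED_SMB_CONF.replace(
    "        idmap config ad\n",
    "        idmap config * : backend = tdb\n"
    "        idmap config * : range = 3000-7999\n"
    "        idmap config NC : backend = ad\n"
    "        idmap config NC : schema_mode = rfc2307\n"
    "        idmap config NC : range = 10000-999999\n",
)

IDMAP_RE = re.compile(r"^idmap config (\S+)\s*:\s*(\S+)$")


def parse_smb_conf(text: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Parse smb.conf text into {section: {key: value}}.

    Keys are lower-cased with whitespace collapsed. Lines that carry no '='
    are returned separately as malformed, because they set no parameter.
    """
    sections: Dict[str, Dict[str, str]] = {}
    malformed: List[str] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                     # section header
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            malformed.append(line)
            continue
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections, malformed


def check_member_config(text: str) -> List[str]:
    """Return a list of findings for a domain-member [global] section; [] if clean."""
    sections, malformed = parse_smb_conf(text)
    g = sections.get("global", {})
    findings = [f"line sets no parameter (no '='): {line!r}" for line in malformed]

    if g.get("security", "").lower() != "ads":
        findings.append("security must be ADS for an AD domain member")
    realm = g.get("realm", "")
    if not realm:
        findings.append("realm is not set")
    elif realm != realm.upper():
        findings.append("realm should be the upper-case Kerberos realm")
    workgroup = g.get("workgroup", "").upper()
    if not workgroup:
        findings.append("workgroup (NetBIOS domain name) is not set")

    # 'kerberos method' values containing 'keytab' need a keytab to write to.
    if "keytab" in g.get("kerberos method", "").lower() and not g.get("dedicated keytab file"):
        findings.append("kerberos method uses a keytab but 'dedicated keytab file' is unset")

    # Collect idmap config entries per domain: {"NC": {"backend": "ad", ...}, "*": {...}}
    domains: Dict[str, Dict[str, str]] = {}
    for key, value in g.items():
        m = IDMAP_RE.match(key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
    if "backend" not in domains.get("*", {}):
        findings.append("no default 'idmap config * : backend = ...' entry")
    if workgroup and "backend" not in domains.get(workgroup, {}):
        findings.append(f"no 'idmap config {workgroup} : backend = ...' entry for the joined domain")
    return findings


if __name__ == "__main__":
    for name, conf in (("reported", REPORTED_SMB_CONF), ("corrected", CORRECTED_SMB_CONF)):
        print(f"{name}: {check_member_config(conf) or 'no findings'}")
```

To run it against a real host, replace the embedded string with the contents of /etc/samba/smb.conf; the parser deliberately treats a line without `=` as a finding rather than silently dropping it, which is the failure mode the quoted config shows.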