[Pkg-samba-maint] Bug#999797: Unable to net ads join samba to an active directory domain Failed to join domain: failed to connect to AD: Can't contact LDAP server
Michael Evans
michael.evans at nor-consult.com
Tue Nov 16 19:05:42 GMT 2021
Package: samba
Version: 2:4.13.13+dfsg-1~deb11u2
Severity: important
A samba-ad-dc has been setup using
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Dom
ain_Controller
(with some Debian specific variations).
Samba is being used as the DNS, Kerberos, and LDAP servers. None of the
external server options were setup or added.
The Active Directory domain worked for a Windows 10 client machine joining
the domain. It also shows up in the list of computer objects.
Debian 11 (bullseye) samba fails to net ads join to this same domain.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
If I am reading the debug error message correctly, it's trying to join the
domain, with a machine account it should create by joining the domain?
### obtain kerberos credentials as an admin in the test domain
# kinit r2
### I've tried variations on the net ads join command, as the configuration
seems correct. -d 10 is very spammy. PS it stalls for a _long_ time at
Starting GENSEC submechanism gse_krb5
# net ads join -k -d 5
Processing section "[global]"
doing parameter workgroup = NC
doing parameter security = ADS
doing parameter realm = NC.NOR-CONSULT.COM
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter store dos attributes = Yes
doing parameter winbind refresh tickets = Yes
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="V-FS5"
added interface eth0 ip=REDACTED:a800:ff:fe48:dc6f bcast=
netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=fd00:6959:d45d:200::2d bcast=
netmask=ffff:ffff:ffff:ff00::
added interface eth0 ip=fd00:6959:d45d:200:a800:ff:fe48:dc6f bcast=
netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=10.2.0.45 bcast=10.2.255.255 netmask=255.255.0.0
added interface eth1 ip=REDACTED bcast=10.202.255.255 netmask=255.255.0.0
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'V-FS5'
domain_name : *
domain_name : 'NC.NOR-CONSULT.COM'
domain_name_type : JoinDomNameTypeDNS (1)
account_ou : NULL
admin_account : 'root'
admin_domain : NULL
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME <<<<< Why isn't
this flag set as well?
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
os_servicepack : NULL
create_upn : 0x00 (0)
upn : NULL
dnshostname : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x01 (1)
secure_channel_type : SEC_CHAN_WKSTA (2)
desired_encryption_types : 0x0000001f (31)
Opening cache file at /run/samba/gencache.tdb
sitename_fetch: Returning sitename for realm 'NC.NOR-CONSULT.COM':
"Default-First-Site-Name"
saf_fetch: failed to find server for "NC.NOR-CONSULT.COM" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for NC.NOR-CONSULT.COM using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
saf_fetch: failed to find server for "NC.NOR-CONSULT.COM" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for NC.NOR-CONSULT.COM using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
create_local_private_krb5_conf_for_domain: wrote file
/run/samba/smb_krb5/krb5.conf._JOIN_ with realm NC.NOR-CONSULT.COM KDC list
= kdc = 10.2.0.35
kdc = [fd00:6959:d45d:200::23]:88
sitename_fetch: Returning sitename for realm 'NC.NOR-CONSULT.COM':
"Default-First-Site-Name"
name ad-mo3.nc.nor-consult.com#20 found.
Connecting to fd00:6959:d45d:200::23 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 46080
SO_RCVBUF = 131072
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
TCP_USER_TIMEOUT = 0
cli_session_setup_spnego_send: Connect to ad-mo3.nc.nor-consult.com as
root at NC.NOR-CONSULT.COM using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
signed SMB2 message
signed SMB2 message
Bind RPC Pipe: host ad-mo3.nc.nor-consult.com auth_type 0, auth_level 1
rpc_api_pipe: host ad-mo3.nc.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host ad-mo3.nc.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host ad-mo3.nc.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 204
rpc_api_pipe: host ad-mo3.nc.nor-consult.com
signed SMB2 message
rpc_read_send: data_to_read: 32
signed SMB2 message
saf_fetch: failed to find server for "nc.nor-consult.com" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for nc.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
saf_fetch: failed to find server for "nc.nor-consult.com" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for nc.nor-consult.com using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 10.2.0.35:88 fd00:6959:d45d:200::23:88
create_local_private_krb5_conf_for_domain: wrote file
/run/samba/smb_krb5/krb5.conf.NC with realm NC.NOR-CONSULT.COM KDC list =
kdc = [fd00:6959:d45d:200::23]:88
kdc = 10.2.0.35
sitename_fetch: Returning sitename for realm 'NC.NOR-CONSULT.COM':
"Default-First-Site-Name"
name ad-mo3.nc.nor-consult.com#20 found.
ads_try_connect: sending CLDAP request to 10.2.0.35 (realm:
nc.nor-consult.com)
Successfully contacted LDAP server 10.2.0.35
Connecting to 10.2.0.35 at port 389
Connected to LDAP server ad-mo3.nc.nor-consult.com
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
##### It stalls on this line for like 15+ min #####
##### debug level 10 zoom-in #####
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
#
gensec_update_send: gse_krb5[0x557fe640b800]: subreq: 0x557fe64271c0
gensec_update_send: spnego[0x557fe6402310]: subreq: 0x557fe6426860
gensec_update_done: gse_krb5[0x557fe640b800]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x557fe64271c0/../../source3/librpc/crypto/gse.c:848]: state[2]
error[0 (0x0)] state[struct gensec_gse_update_state (0x
557fe6427370)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
gensec_update_done: spnego[0x557fe6402310]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x557fe6426860/../../auth/gensec/spnego.c:1631]: state[2] error[0
(0x0)] state[struct gensec_spnego_update_state (0x557fe
6426a10)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
ads_sasl_spnego_gensec_bind(KRB5) failed with: Can't contact LDAP server,
calling kinit
#
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com
with user[root] realm[NC.NOR-CONSULT.COM]: Cannot read password, fallback to
NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
##### back to debug level 5 #####
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ad-mo3.nc.nor-consult.com
with user[root] realm[NC.NOR-CONSULT.COM]: Cannot read password, fallback to
NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
ads_sasl_spnego_gensec_bind(NTLMSSP) failed for
ldap/ad-mo3.nc.nor-consult.com with user[root] realm=[NC.NOR-CONSULT.COM]:
Can't contact LDAP server
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : 'V-FS5$'
netbios_domain_name : 'NC'
dns_domain_name : 'nc.nor-consult.com'
forest_name : 'nc.nor-consult.com'
dn : NULL
domain_guid : 250143d6-aebe-440e-94c5-f27c7af7857b
domain_sid : *
domain_sid :
S-1-5-21-3458735564-2487305582-1134572456
modified_config : 0x00 (0)
error_string : 'failed to connect to AD: Can't
contact LDAP server'
domain_is_ad : 0x01 (1)
set_encryption_types : 0x00000000 (0)
krb5_salt : NULL
result : WERR_NERR_DEFAULTJOINREQUIRED
return code = -1
Failed to join domain: failed to connect to AD: Can't contact LDAP server
# klist ### r2 has been added to all the groups that Administrator is in,
and was able to join the Windows 10 PC successfully.
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: r2 at NC.NOR-CONSULT.COM
Valid starting Expires Service principal
11/16/2021 18:21:38 11/17/2021 04:21:38
krbtgt/NC.NOR-CONSULT.COM at NC.NOR-CONSULT.COM
renew until 11/17/2021 18:21:36
11/16/2021 18:21:56 11/17/2021 04:21:38
cifs/ad-mo3.nc.nor-consult.com at NC.NOR-CONSULT.COM
11/16/2021 18:22:03 11/17/2021 04:21:38
ldap/ad-mo3.nc.nor-consult.com at NC.NOR-CONSULT.COM
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-i
nfo.sh
Collected config --- 2021-11-16-17:56 -----------
Hostname: v-fs5
DNS Domain: nc.nor-consult.com
FQDN: v-fs5.nc.nor-consult.com
ipaddress: 10.2.0.45 REDACTED fd00:6959:d45d:200:a800:ff:fe48:dc6f
REDACTED:a800:ff:fe48:dc6f fd00:6959:d45d:200::2d
-----------
Kerberos SRV _kerberos._tcp.nc.nor-consult.com record verified ok, sample
output:
Server: 10.2.0.35
Address: 10.2.0.35#53
_kerberos._tcp.nc.nor-consult.com service = 0 100 88
ad-mo3.nc.nor-consult.com.
Samba is running as an Unix domain member but 'winbindd' is NOT running.
Check that the winbind package is installed.
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 11.1 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state
UP group default qlen 1000
link/ether REDACTED brd ff:ff:ff:ff:ff:ff
altname enp0s13
altname ens13
inet 10.2.0.45/16 brd 10.2.255.255 scope global eth0
inet6 fd00:6959:d45d:200:a800:ff:fe48:dc6f/64 scope global dynamic
mngtmpaddr
inet6 REDACTED:a800:ff:fe48:dc6f/64 scope global dynamic mngtmpaddr
inet6 fd00:6959:d45d:200::2d/56 scope global
inet6 fe80::a800:ff:fe48:dc6f/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state
UP group default qlen 1000
link/ether REDACTED brd ff:ff:ff:ff:ff:ff
altname enp0s14
altname ens14
inet REDACTED/16 brd REDACTED scope global eth1
inet6 fe80::REDACTED/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
10.2.0.45 v-fs5.nc.nor-consult.com v-fs5
fd00:6959:d45d:0200::2d v-fs5.nc.nor-consult.com v-fs5
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
domain nc.nor-consult.com
search nc.nor-consult.com norconsult.local nor-consult.com
nameserver 10.2.0.35
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = NC.NOR-CONSULT.COM
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files
group: files
shadow: files
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
[global]
workgroup = NC
security = ADS
realm = NC.NOR-CONSULT.COM
#server role = member server
idmap config ad
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
# Only for testing
winbind enum users = yes
winbind enum groups = yes
-----------
Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
Warning, /etc/idmapd.conf does not exist
-----------
Installed packages:
ii acl 2.2.53-10 amd64
access control list - utilities
ii attr 1:2.4.48-6 amd64
utilities for manipulating filesystem extended attributes
ii krb5-config 2.6+nmu1 all
Configuration files for Kerberos Version 5
ii krb5-user 1.18.3-6+deb11u1 amd64
basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-10 amd64
access control list - shared library
ii libattr1:amd64 1:2.4.48-6 amd64
extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u1 amd64
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.18.3-6+deb11u1 amd64
MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.18.3-6+deb11u1 amd64
MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.13.13+dfsg-1~deb11u2 amd64
Samba nameservice integration plugins
ii libpam-krb5:amd64 4.9-2 amd64
PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.13.13+dfsg-1~deb11u2 amd64
Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.13.13+dfsg-1~deb11u2 amd64
Samba winbind client library
ii python3-samba 2:4.13.13+dfsg-1~deb11u2 amd64
Python 3 bindings for Samba
ii samba 2:4.13.13+dfsg-1~deb11u2 amd64
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.13.13+dfsg-1~deb11u2 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.13.13+dfsg-1~deb11u2 amd64
Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.13.13+dfsg-1~deb11u2 amd64
Samba Directory Services Database
ii samba-libs:amd64 2:4.13.13+dfsg-1~deb11u2 amd64
Samba core libraries
ii samba-vfs-modules:amd64 2:4.13.13+dfsg-1~deb11u2 amd64
Samba Virtual FileSystem plugins
ii winbind 2:4.13.13+dfsg-1~deb11u2 amd64
service to resolve user and group information from Windows NT servers
-----------
More information about the Pkg-samba-maint
mailing list