
[Samba] net ads join -> "The connection was refused"


Artur Moor via samba

Dec 16, 2016, 4:10:04 AM
I am unable to join a domain. The command 'net ads join -U Administrator
-d1' produces:

Enter Administrator's password:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'SAMBA'
domain_name : *
domain_name : 'AD.INTERDEKOR.COM.UA'
domain_name_type : JoinDomNameTypeDNS (1)
account_ou : NULL
admin_account : 'Administrator'
admin_domain : NULL
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
os_servicepack : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
desired_encryption_types : 0x0000001f (31)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to lookup DC info for domain
'AD.INTERDEKOR.COM.UA' over rpc: The connection was refused'
domain_is_ad : 0x00 (0)
set_encryption_types : 0x00000000 (0)
result : WERR_CONNECTION_REFUSED
Failed to join domain: failed to lookup DC info for domain '
AD.INTERDEKOR.COM.UA' over rpc: The connection was refused

Does somebody have any idea?

L.P.H. van Belle via samba

Dec 16, 2016, 4:20:03 AM
Hai,

You need to use samba-tool to join the DC.

The info can be found here :
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory


Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Artur Moor via
> samba
> Sent: Friday, 16 December 2016 9:58
> To: sa...@lists.samba.org
> Subject: [Samba] net ads join -> "The connection was refused"

Rowland Penny via samba

Dec 16, 2016, 4:30:03 AM
On Fri, 16 Dec 2016 10:10:51 +0100
"L.P.H. van Belle via samba" <sa...@lists.samba.org> wrote:

> Hai,
>
> You need to use samba-tool to join the DC.
>
> The info can be found here :
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
>

I am not sure that the OP is trying to join a DC, but if he is, then
Louis is correct. Otherwise, is everything set up correctly? Especially,
does the machine that is trying to join the domain use the DC as its
nameserver?

Rowland

Artur Moor via samba

Dec 16, 2016, 6:20:03 AM
I don't want to join samba as a DC, I am trying to join samba as a member to AD.

My setup is:
DC: dc1.ad.interdekor.com.ua (10.0.140.2)
NETBIOS NAME: INTERDEKOR

------------------------
SAMBA SERVER: 10.0.140.3
------------------------
root@samba:~# uname -nrs
FreeBSD samba.ad.interdekor.com.ua 11.0-RELEASE

root@samba:~# samba-tool -V
4.4.5

root@samba:~# cat /etc/resolv.conf
search ad.interdekor.com.ua
nameserver 10.0.140.2

root@samba:~# cat /etc/krb5.conf
[libdefaults]
default_realm = AD.INTERDEKOR.COM.UA
dns_lookup_realm = true
dns_lookup_kdc = true

root@samba:~# cat /usr/local/etc/smb4.conf
[global]
netbios name = SAMBA
realm = AD.INTERDEKOR.COM.UA
security = ads
workgroup = INTERDEKOR

nmbd bind explicit broadcast = no

use sendfile = true

idmap config * : backend = tdb
idmap config * : range = 60000-69999
idmap config INTERDEKOR : backend = ad
idmap config INTERDEKOR : schema_mode = rfc2307
idmap config INTERDEKOR : range = 10000-59999

winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes

restrict anonymous = 2

log file = /var/log/samba4/log.%m

L.P.H. van Belle via samba

Dec 16, 2016, 6:30:02 AM
Ah.. Member join..

Well, that's this link :
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

And now your problem is in the security settings.
(samba upgrade 4.4.0 => 4.4.1 )
Since the connection is actively refused.

I summed up the changes here :
http://downloads.van-belle.nl/samba4/Upgrade-info.txt

or go through the list of changes found here :
https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release)

To test this, set : ldap server require strong auth = no
And join the member to the domain.


Greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Artur Moor via
> samba
> Sent: Friday, 16 December 2016 12:08
> To: sa...@lists.samba.org
> Subject: [Samba] Fwd: net ads join -> "The connection was refused"

Rowland Penny via samba

Dec 16, 2016, 6:30:02 AM

Try removing 'nmbd bind explicit broadcast = no', everything else looks
okay.
What is the AD DC?
Is it running a firewall?

Artur Moor via samba

Dec 16, 2016, 6:40:03 AM
If I remove 'nmbd bind explicit broadcast = no' then 'smbd' can't start
because samba is running in a jailed environment.

AD DC is a Windows Server 2016 Standard

Yes, there is a firewall, but I get the same error if I disable the firewall.

Artur Moor via samba

Dec 16, 2016, 6:50:02 AM
Setting 'ldap server require strong auth = no' in 'smb4.conf' didn't help!

2016-12-16 12:23 GMT+01:00 L.P.H. van Belle via samba <sa...@lists.samba.org>:

Rowland Penny via samba

Dec 16, 2016, 7:10:04 AM
On Fri, 16 Dec 2016 12:36:33 +0100
Artur Moor via samba <sa...@lists.samba.org> wrote:

> If I remove 'nmbd bind explicit broadcast = no' then 'smbd' can't
> start because samba is running in a jailed environment.

You should still be able to start 'smbd', are any Samba daemons running
when you try the join?

Which Samba daemons are you starting?

>
> AD DC is a Windows Server 2016 Standard
>

Not had to deal with one of them yet.

Artur Moor via samba

Dec 16, 2016, 7:50:03 AM
If I remove 'nmbd bind explicit broadcast = no' in 'smb4.conf', then nmbd
won't start and I get the following in the log:

[2016/12/16 12:37:35.075428, 0]
../source3/lib/util_sock.c:396(open_socket_in)
bind failed on port 137 socket_addr = 10.0.140.255.
Error = Can't assign requested address
[2016/12/16 12:37:35.075626, 0]
../source3/nmbd/nmbd_subnetdb.c:127(make_subnet)
nmbd_subnetdb:make_subnet()
Failed to open nmb bcast socket on interface 10.0.140.255 for port
137. Error was Can't assign requested address
[2016/12/16 12:37:35.075718, 0]
../lib/util/become_daemon.c:111(exit_daemon)
STATUS=daemon failed to start: NMBD failed when creating subnet lists,
error code 13

Therefore 'nmbd bind explicit broadcast = no' is set.

If I run 'net ads join -U Administrator' the smbd and the nmbd daemons are
running.

If I run 'net ads info' I get the following:
root@samba:~# net ads info
LDAP server: 10.0.140.2
LDAP server name: dc1.ad.interdekor.com.ua
Realm: AD.INTERDEKOR.COM.UA
Bind Path: dc=AD,dc=INTERDEKOR,dc=COM,dc=UA
LDAP port: 389
Server time: Fr., 16 Dez. 2016 12:44:15 UTC
KDC server: 10.0.140.2
Server time offset: 0
Last machine account password change: Do., 01 Jan. 1970 00:00:00 UTC

And that tells me that the config is OK, but I'm still unable to join the
server to AD.

Rowland Penny via samba

Dec 16, 2016, 8:30:03 AM
On Fri, 16 Dec 2016 13:46:24 +0100
Artur Moor via samba <sa...@lists.samba.org> wrote:

> If I remove 'nmbd bind explicit broadcast = no' in 'smb4.conf', then
> nmbd won't start and I get the following in the log:
>
> [2016/12/16 12:37:35.075428, 0]
> ../source3/lib/util_sock.c:396(open_socket_in)
> bind failed on port 137 socket_addr = 10.0.140.255.
> Error = Can't assign requested address
> [2016/12/16 12:37:35.075626, 0]
> ../source3/nmbd/nmbd_subnetdb.c:127(make_subnet)
> nmbd_subnetdb:make_subnet()
> Failed to open nmb bcast socket on interface 10.0.140.255 for port
> 137. Error was Can't assign requested address
> [2016/12/16 12:37:35.075718, 0]
> ../lib/util/become_daemon.c:111(exit_daemon)
> STATUS=daemon failed to start: NMBD failed when creating subnet
> lists, error code 13
>
> Therefore 'nmbd bind explicit broadcast = no' is set.

It looks like something is already running on port 137.
There should be no Samba daemons running when you try to join the
domain.

Once you have joined the domain, you should then start the nmbd, smbd
and winbindd daemons. They should all start, the only way I can think
of another daemon claiming port 137, is that you are also starting the
'samba' daemon, this should only be started on a Samba AD DC.

>
> If I run 'net ads join -U Administrator' the smbd and the nmbd
> daemons are running.

Stop all running Samba daemons and then try to join again.

Artur Moor via samba

Dec 16, 2016, 8:30:03 AM
So I stopped samba daemons (smbd and nmbd) and ran 'net ads join -U
Administrator -d1' that gives the same error:
root@samba:~# net ads join -U Administrator -d1