
[Samba] Domain Join


Sandbox

May 22, 2013, 10:00:03 AM
Hello,


I would like to join my samba4 to my existing samba4 DC.
The existing samba4 is a fresh, default install, every test worked fine,
provisioned like this:
samba-tool domain provision --realm=test.domain.lan --domain=test.domain
--host-ip=10.48.16.150 --adminpass='password' --dns-backend=BIND9_DLZ
--ldapadminpass='password' --server-role=dc --use-xattrs=yes --use-rfc2307
--function-level=2008_R2

When I run: samba-tool domain join test.domain.lan DC -UAdministrator
--realm=test.domain.lan --dns-backend=BIND9_DLZ

I get this error message when I enter the correct LDAP password; if I enter
an incorrect password, it just keeps asking for the password.

Finding a writeable DC for domain 'test.domain.lan'
Found DC domainc01.test.domain.lan
Password for [WORKGROUP\Administrator]:
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -
<SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE> <>
Failed to connect to 'ldap://domainc01.test.domain.lan' with backend
'ldap': (null)
ERROR(ldb): uncaught exception - None
File "/opt/samba4/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/opt/samba4/lib/python2.7/site-packages/samba/netcmd/domain.py",
line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/opt/samba4/lib/python2.7/site-packages/samba/join.py", line 1082,
in join_DC
machinepass, use_ntvfs, dns_backend, promote_existing)
File "/opt/samba4/lib/python2.7/site-packages/samba/join.py", line 78, in
__init__
credentials=ctx.creds, lp=ctx.lp)
File "/opt/samba4/lib/python2.7/site-packages/samba/samdb.py", line 56,
in __init__
options=options)
File "/opt/samba4/lib/python2.7/site-packages/samba/__init__.py", line
114, in __init__
self.connect(url, flags, options)
File "/opt/samba4/lib/python2.7/site-packages/samba/samdb.py", line 71,
in connect
options=options)

Did I miss something?


Thanks, Robert
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Marc Muehlfeld

May 22, 2013, 1:00:02 PM
Hello Robert,

On 22.05.2013 15:56, Sandbox wrote:
> Finding a writeable DC for domain 'test.domain.lan'
> Found DC domainc01.test.domain.lan
> Password for [WORKGROUP\Administrator]:
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -
> <SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE> <>
> Failed to connect to 'ldap://domainc01.test.domain.lan' with backend
> 'ldap': (null)
> ...


Just some thoughts on that:

* Do you have any special characters in your password? E.g. German
umlauts cause trouble here if the password is set on Windows and then
validated from Unix services against AD.



* Can you do a ldapsearch from the new machine in the existing directory
or is the access there also denied?

# ldapsearch -h domainc01.test.domain.lan -b dc=test,dc=domain,dc=lan
-LLL -D cn=Administrator,..... -W



* Kerberos settings are all fine and you can get a ticket?

https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain


Regards,
Marc

Sandbox

May 22, 2013, 3:20:02 PM
Hi Marc,

On 2013-05-22 18:55, Marc Muehlfeld wrote:
> Hello Robert,
>
> On 22.05.2013 15:56, Sandbox wrote:
>> Finding a writeable DC for domain 'test.domain.lan'
>> Found DC domainc01.test.domain.lan
>> Password for [WORKGROUP\Administrator]:
>> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -
>> <SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE> <>
>> Failed to connect to 'ldap://domainc01.test.domain.lan' with backend
>> 'ldap': (null)
>> ...
>
>
> Just some thoughts on that:
>
> * Do you have any special characters in your password? E.g. German
> umlauts cause trouble here if the password is set on Windows and then
> validated from Unix services against AD.


I don't have any special characters in the password.
>
>
>
> * Can you do a ldapsearch from the new machine in the existing
> directory or is the access there also denied?
>
> # ldapsearch -h domainc01.test.domain.lan -b dc=test,dc=domain,dc=lan
> -LLL -D cn=Administrator,..... -W

I'll check it tomorrow.
Looks fine, I've got the ticket on both servers.
>
> Regards,
> Marc
>

--
Kind regards:

Robert

Sandbox

May 23, 2013, 2:10:01 AM
Hi

I did the ldapsearch query; the result is:

ldap_bind: Invalid credentials (49)
additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE

Simple nmap result:

22/tcp open ssh
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
1024/tcp open kdm
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl


ldapsearch query with debug level 1

ldap_create
ldap_url_parse_ext(ldap://domainc01.test.domain.lan)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP domainc01.test.domain.lan:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.48.16.150:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 63 bytes to sd 3
ldap_result ld 0x7f99785fd490 msgid 1
wait4msg ld 0x7f99785fd490 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f99785fd490 msgid 1 all 1
** ld 0x7f99785fd490 Connections:
* host: domainc01.test.domain.lan port: 389 (default)
refcnt: 2 status: Connected
last used: Thu May 23 07:58:13 2013


** ld 0x7f99785fd490 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7f99785fd490 request count 1 (abandoned 0)
** ld 0x7f99785fd490 Response Queue:
Empty
ld 0x7f99785fd490 response count 0
ldap_chkResponseList ld 0x7f99785fd490 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f99785fd490 NULL
ldap_int_select
read1msg: ld 0x7f99785fd490 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 55 contents:
read1msg: ld 0x7f99785fd490 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7f99785fd490 0 new referrals
read1msg: mark request completed, ld 0x7f99785fd490 msgid 1
request done: ld 0x7f99785fd490 msgid 1
res_errno: 49, res_error: <Simple Bind Failed: NT_STATUS_LOGON_FAILURE>,
res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)
additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed


As I see it, the member server could connect to the existing samba server and
there is a password problem.
It is weird cos I double checked the password and it should be correct :/

Cheers,
Robert




2013/5/22 Marc Muehlfeld <sa...@marc-muehlfeld.de>

> Hello Robert,
>
> On 22.05.2013 15:56, Sandbox wrote:
>
>> Finding a writeable DC for domain 'test.domain.lan'
>> Found DC domainc01.test.domain.lan
>> Password for [WORKGROUP\Administrator]:
>> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -
>> <SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE> <>
>> Failed to connect to 'ldap://domainc01.test.domain.lan' with backend
>> 'ldap': (null)
>> ...
>>
>
>
> Just some thoughts on that:
>
> * Do you have any special characters in your password? E.g. German
> umlauts cause trouble here if the password is set on Windows and then
> validated from Unix services against AD.
>
>
>
> * Can you do a ldapsearch from the new machine in the existing directory
> or is the access there also denied?
>
> # ldapsearch -h domainc01.test.domain.lan -b dc=test,dc=domain,dc=lan -LLL
> -D cn=Administrator,..... -W
>
>
>
> * Kerberos settings are all fine and you can get a ticket?
>
> https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain

Sandbox

May 23, 2013, 3:00:02 AM
Hi,

ldapsearch is working perfectly; I accidentally forgot the cn=user
before the dn= settings :/

Robert


2013/5/23 Sandbox <sandb...@gmail.com>

Sandbox

May 23, 2013, 7:40:02 AM
Hi Folks,


A little update :)

I successfully joined the domain with this command:

samba-tool domain join test.domain.lan DC -UAdministrator
--realm=domainc01.test.domain.lan --dns-backend=BIND9_DLZ

For some reason I had to write the master's FQDN into the --realm
option.

Btw, it's weird now: when I try to run the kinit administrator command on
the "slave" server I get the

kinit: krb5_get_init_creds: Clock skew too great error.

It's weird because I ran an ntpdate sync on both machines :)

Cheers,

Robert





2013/5/23 Sandbox <sandb...@gmail.com>
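The two things that tripped up the join in this thread (an ldapsearch bind without the full cn=...,cn=Users,... DN, and Kerberos rejecting kinit for clock skew) collected into a pre-join check script. This is an added example, not code from the list posts or from Samba; the 300 s tolerance is the default Kerberos clockskew, and `run_checks` assumes `host`, `ntpdate`, `kinit` and `ldapsearch` are installed on the machine about to be joined.

```shell
#!/bin/sh
# Pre-join sanity checks for a Samba 4 DC (added example, not from the thread).
# The helpers below are pure and work offline; run_checks drives real tools.

# Turn a realm into an LDAP base DN: test.domain.lan -> dc=test,dc=domain,dc=lan
realm_to_basedn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        printf "\n" }'
}

# Full bind DN for a user in the default Users container. Passing only the
# base DN to -D (as in the thread) yields error 49 / NT_STATUS_LOGON_FAILURE.
bind_dn_for_user() {            # $1=user  $2=realm
    printf 'cn=%s,cn=Users,%s\n' "$1" "$(realm_to_basedn "$2")"
}

# The KDC rejects requests whose timestamp is off by more than clockskew
# (300 s by default). $1/$2 are epoch seconds; exit 0 when within tolerance.
clock_skew_ok() {               # $1=local epoch  $2=DC epoch  [$3=max skew]
    max=${3:-300}
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "$max" ]
}

# Map the error strings seen in the thread to the check an operator should run.
classify_bind_error() {
    case "$1" in
        *"Clock skew too great"*)
            echo "time: resync the clock against the DC, then retry kinit" ;;
        *"NT_STATUS_LOGON_FAILURE"*)
            echo "credentials: check the password and that -D is a full DN (cn=...,cn=Users,...)" ;;
        *)
            echo "unknown: rerun ldapsearch with -d 1 for protocol detail" ;;
    esac
}

# Live checks against the existing DC; needs network and the client tools.
run_checks() {                  # $1=realm  $2=DC FQDN  $3=admin user
    realm=$1; dc=$2; user=$3
    host -t SRV "_ldap._tcp.$realm" || echo "WARN: no _ldap._tcp SRV record for $realm"
    ntpdate -q "$dc" || echo "WARN: could not query time from $dc"
    kinit "$user@$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" || echo "WARN: kinit failed"
    ldapsearch -H "ldap://$dc" -x -W -D "$(bind_dn_for_user "$user" "$realm")" \
        -b "$(realm_to_basedn "$realm")" -LLL -s base dn
}
```

Invoke as `run_checks test.domain.lan domainc01.test.domain.lan Administrator` before `samba-tool domain join`; a clean run prints the base DN entry and no WARN lines.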