Author Topic: Joining Zentyal 3 to existing active directory domain.

ccarpenter

  • Zen Monk
  • Posts: 60
  • Karma: +0/-0
Joining Zentyal 3 to existing active directory domain.
« on: September 15, 2012, 02:17:05 am »
I am trying to get it to join my existing domain. I downloaded "File Sharing and Domain Services" and "Users and Groups", and in the Users and Groups config I set up my domain, dc=test,dc=local, and in the File Sharing settings it is still showing a default Zentyal domain which I don't want. So, searching, I found the samba4 docs here: http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

So I changed my /etc/krb5.conf to reflect my domain TEST.local instead of the default Zentyal domain, and at the command line ran "kinit administrator" to test the connection. It asks for the password, I put it in and receive "kinit: krb5_get_init_creds: unable to reach any KDC in realm TEST.local". I also made sure that I set a DNS record to point to my domain controller.

I have searched around and noticed other people were able to set it up, but I cannot get it to work. So, for those who have gotten it to work, can you give a little help? Thank you.

ccarpenter

  • Zen Monk
  • Posts: 60
  • Karma: +0/-0
Re: Joining Zentyal 3 to existing active directory domain.
« Reply #1 on: September 16, 2012, 01:10:05 am »
Just a follow-up with more info. These are the tests from my DNS:

firewall@firewall:~$ host -t SRV _ldap._tcp.test.local
_ldap._tcp.test.local has SRV record 0 100 389 ts1.test.local.
firewall@firewall:~$ host -t SRV _kerberos._udp.test.local
_kerberos._udp.test.local has SRV record 0 100 88 ts1.test.local.
firewall@firewall:~$ host -t A ts1.test.local
ts1.test.local has address 10.1.1.8

As you can see I have all the Kerberos and LDAP DNS settings configured correctly, but in the File Sharing settings I cannot change the realm from the default ZENTYAL-DOMAIN.LAN to my test.local domain.

I still get the same result when trying to use the samba-tool join domain command:
firewall@firewall:~$ samba-tool domain join test.local DC -Uadministrator --realm=test.local
Finding a writeable DC for domain 'test.local'
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'test.local'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 160, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 256, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1057, in join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 77, in __init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 234, in find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" % domain)

I am sure someone has gotten this to work. I feel like I'm missing something simple?
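
The two SRV lookups above only cover part of what an Active Directory client (and a Samba join) looks for in DNS. The following is an added example, not code from the thread or from Zentyal: it parses the output of `host -t SRV` / `host -t A` as captured above and reports which of the standard AD locator records (`_ldap._tcp.dc._msdcs`, `_kerberos._tcp`, `_kpasswd._udp`, plus the two the poster checked) are missing, advertise the wrong port, or point at a host with no A record. The sample output is copied from the post; the "complete" record set is constructed.

```python
"""Check that a domain's DNS advertises what an AD join needs, from `host` output.

Added example, not part of the thread: it parses the lines `host -t SRV` / `host -t A`
print and reports which standard AD locator records are missing or inconsistent.
REQUIRED_SRV is the standard AD record set, nothing Zentyal-specific."""
import re
from typing import Dict, List, Tuple

# SRV name prefix -> port it must advertise.  _ldap._tcp.dc._msdcs is the record an AD
# client uses to locate a writable DC; _kerberos._tcp and _kpasswd._udp are needed by
# kinit and password changes.  The thread only verified _ldap._tcp and _kerberos._udp.
REQUIRED_SRV: Dict[str, int] = {
    "_ldap._tcp": 389,
    "_ldap._tcp.dc._msdcs": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._udp": 464,
}

SRV_RE = re.compile(
    r"^(?P<name>\S+) has SRV record (?P<prio>\d+) (?P<weight>\d+) (?P<port>\d+) (?P<target>\S+)$"
)
A_RE = re.compile(r"^(?P<name>\S+) has address (?P<addr>\S+)$")


def parse_host_output(lines: List[str]) -> Tuple[Dict[str, List[Tuple[int, str]]], Dict[str, List[str]]]:
    """Return ({srv_name: [(port, target)]}, {hostname: [address]}); prompt lines are ignored."""
    srv: Dict[str, List[Tuple[int, str]]] = {}
    addrs: Dict[str, List[str]] = {}
    for raw in lines:
        line = raw.strip()
        m = SRV_RE.match(line)
        if m:
            target = m["target"].rstrip(".").lower()
            srv.setdefault(m["name"].rstrip(".").lower(), []).append((int(m["port"]), target))
            continue
        m = A_RE.match(line)
        if m:
            addrs.setdefault(m["name"].rstrip(".").lower(), []).append(m["addr"])
    return srv, addrs


def check_domain(domain: str, lines: List[str]) -> List[str]:
    """Return findings; an empty list means every required record is present and consistent."""
    domain = domain.lower().rstrip(".")
    srv, addrs = parse_host_output(lines)
    findings: List[str] = []
    for prefix, want_port in REQUIRED_SRV.items():
        name = f"{prefix}.{domain}"
        records = srv.get(name)
        if not records:
            findings.append(f"missing SRV record {name}")
            continue
        for port, target in records:
            if port != want_port:
                findings.append(f"{name}: advertises port {port}, expected {want_port}")
            if target not in addrs:
                findings.append(f"{name}: target {target} has no A record in the captured output")
    return findings


# Sample copied from the post above: two SRV lookups and one A lookup.
THREAD_OUTPUT = """\
firewall@firewall:~$ host -t SRV _ldap._tcp.test.local
_ldap._tcp.test.local has SRV record 0 100 389 ts1.test.local.
firewall@firewall:~$ host -t SRV _kerberos._udp.test.local
_kerberos._udp.test.local has SRV record 0 100 88 ts1.test.local.
firewall@firewall:~$ host -t A ts1.test.local
ts1.test.local has address 10.1.1.8
""".splitlines()

# Constructed sample of a complete record set for the same domain.
FULL_OUTPUT = THREAD_OUTPUT + [
    "_ldap._tcp.dc._msdcs.test.local has SRV record 0 100 389 ts1.test.local.",
    "_kerberos._tcp.test.local has SRV record 0 100 88 ts1.test.local.",
    "_kpasswd._udp.test.local has SRV record 0 100 464 ts1.test.local.",
]

if __name__ == "__main__":
    for finding in check_domain("test.local", THREAD_OUTPUT) or ["all required records present"]:
        print(finding)
```

Run against the captured output it reports three missing records; feeding it the real `host` output for each name in REQUIRED_SRV (for example `for n in _ldap._tcp _ldap._tcp.dc._msdcs _kerberos._tcp _kerberos._udp _kpasswd._udp; do host -t SRV $n.test.local; done`) is a cheap check to make before running `samba-tool domain join` again. DNS is only a prerequisite: the DC also has to answer LDAP and Kerberos on the advertised ports, which this script does not test.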

half_life

  • Bug Hunter
  • Zen Hero
  • Posts: 867
  • Karma: +59/-0
Re: Joining Zentyal 3 to existing active directory domain.
« Reply #2 on: September 16, 2012, 07:43:11 am »
I believe that I have read elsewhere that the .local domain is not allowed. Maybe this is the root of the problem.

ccarpenter

  • Zen Monk
  • Posts: 60
  • Karma: +0/-0
Re: Joining Zentyal 3 to existing active directory domain.
« Reply #3 on: September 16, 2012, 04:43:50 pm »
I will change my test domain to .lan then and get back with the results. Seems odd though, because it seems pretty commonplace for people to use .local for domains that just need to be supported on the local LAN.

ccarpenter

  • Zen Monk
  • Posts: 60
  • Karma: +0/-0
Re: Joining Zentyal 3 to existing active directory domain.
« Reply #4 on: September 16, 2012, 06:56:30 pm »
I am so confused as to how others were able to get this to work. I get the same results after changing my domain to test.lan.

firewall@firewall:/etc$ host -t SRV _ldap._tcp.test.lan
_ldap._tcp.test.lan has SRV record 0 100 389 DC.test.lan.
firewall@firewall:/etc$ host -t SRV _kerberos._udp.test.lan
_kerberos._udp.test.lan has SRV record 0 100 88 DC.test.lan.
firewall@firewall:/etc$ host -t A dc.test.lan
dc.test.lan has address 10.1.1.8

firewall@firewall:/etc$ samba-tool domain join test.lan DC -Uadministrator --realm=test.lan
Finding a writeable DC for domain 'test.lan'
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'test.lan'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 160, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 256, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1057, in join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 77, in __init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 234, in find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" % domain)

After installing the Users module, setting the LDAP settings to dc=test,dc=lan and saving, it displays correctly on the admin screen.
Here is what the LDAP web settings show:

LDAP information
Base DN:    dc=test,dc=lan
Root DN:    cn=zentyal,dc=test,dc=lan
Password:    5=zNP8aySWc=e3eYkf1i
Users DN:    ou=Users,dc=test,dc=lan
Groups DN:    ou=Groups,dc=test,dc=lan

But I still cannot change the realm in File Sharing from ZENTYAL-DOMAIN.LAN to my TEST.LAN.
I noticed that after installing the Users module, configuring it and saving, /etc/krb5.conf still showed this:
[libdefaults]
    default_realm = ZENTYAL-DOMAIN.LAN
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 dec-cbc-crc
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 dec-cbc-crc
    preferred_enctypes   = arcfour-hmac-md5 des-cbc-md5 dec-cbc-crc

[kadmin]
    default_keys = des-cbc-crc:pw-salt des-cbc-md5:pw-salt arcfour-hmac-md5:pw-salt

Why would it configure ZENTYAL-DOMAIN.LAN to be the default realm when I just configured it to be TEST.LAN?
This is beginning to be very frustrating!
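
The krb5.conf posted above says two things worth checking mechanically before the next join attempt: its `default_realm` is not the realm being joined, and every enctype list it carries is single DES plus RC4, including the name `dec-cbc-crc`, which is not a valid enctype name at all. The following is an added example, not Zentyal's code or anything from the thread: a small krb5.conf parser plus an audit that reports a realm mismatch, a missing KDC discovery path, and each enctype classified as weak (single DES), legacy (RC4, triple DES) or unrecognised. The first sample is the file as posted; the "fixed" sample is constructed.

```python
"""Audit /etc/krb5.conf before a domain join: does default_realm name the realm we
intend to join, and which enctypes does it ask for?

Added example, not Zentyal's code.  Enctype names are the MIT/Heimdal names; the parser
flattens nested [realms] blocks and is only meant for files shaped like the one posted."""
import re
from typing import Dict, List

WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw"}      # single DES
LEGACY_ENCTYPES = {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac", "des3-cbc-sha1"}  # RC4, 3DES
STRONG_ENCTYPES = {
    "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96", "aes128-cts", "aes256-cts",
    "aes128-cts-hmac-sha256-128", "aes256-cts-hmac-sha384-192",
}
# (section, key) pairs whose values are space-separated enctype lists.
ENCTYPE_KEYS = (
    ("libdefaults", "default_tgs_enctypes"),
    ("libdefaults", "default_tkt_enctypes"),
    ("libdefaults", "preferred_enctypes"),
    ("libdefaults", "permitted_enctypes"),
    ("kadmin", "default_keys"),
)


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}.  '#'/';' comments are dropped; the '{' and '}'
    lines of nested realm blocks are skipped, so nested keys land in the enclosing section."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}          # keys before any [section] header are discarded
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line or line == "}":
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if sep and value.strip() != "{":
            current[key.strip()] = value.strip()
    return sections


def audit_krb5(text: str, expected_realm: str) -> List[str]:
    """Return a list of findings; an empty list means the file is consistent with expected_realm."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    findings: List[str] = []

    realm = lib.get("default_realm")
    if realm is None:
        findings.append("libdefaults: default_realm is not set")
    elif realm != expected_realm:       # realms are case-sensitive; AD realms are upper-case
        findings.append(f"libdefaults: default_realm is {realm}, expected {expected_realm}")

    # Without a [realms] entry naming a KDC, the library can only find one via DNS SRV
    # lookups, so dns_lookup_kdc (MIT default: true) must not be switched off.
    if lib.get("dns_lookup_kdc", "true").lower() != "true" and "realms" not in conf:
        findings.append("libdefaults: dns_lookup_kdc is off and no [realms] section names a KDC")

    for section, key in ENCTYPE_KEYS:
        value = conf.get(section, {}).get(key)
        if value is None:
            continue
        for token in value.split():
            enctype = token.split(":", 1)[0].lower()   # kadmin default_keys carries a :salt suffix
            where = f"{section}/{key}"
            if enctype in WEAK_ENCTYPES:
                findings.append(f"{where}: weak enctype {enctype}")
            elif enctype in LEGACY_ENCTYPES:
                findings.append(f"{where}: legacy enctype {enctype}")
            elif enctype not in STRONG_ENCTYPES:
                findings.append(f"{where}: unrecognised enctype {enctype}")
    return findings


# The krb5.conf the poster found after configuring the Users module (copied from the post).
THREAD_CONF = """\
[libdefaults]
    default_realm = ZENTYAL-DOMAIN.LAN
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 dec-cbc-crc
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 dec-cbc-crc
    preferred_enctypes   = arcfour-hmac-md5 des-cbc-md5 dec-cbc-crc

[kadmin]
    default_keys = des-cbc-crc:pw-salt des-cbc-md5:pw-salt arcfour-hmac-md5:pw-salt
"""

# Constructed: the same file pointed at the intended realm, AES only.
FIXED_CONF = """\
[libdefaults]
    default_realm = TEST.LAN
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for finding in audit_krb5(THREAD_CONF, "TEST.LAN") or ["no findings"]:
        print(finding)
```

On the posted file the audit returns the realm mismatch plus twelve enctype findings. One caveat for this thread in particular: a Windows Server 2003 domain, which is what the poster is joining, does not offer the AES enctypes, so against such a DC `arcfour-hmac-md5` has to stay in the lists (the audit reports it as legacy, not weak); single DES and the misspelt `dec-cbc-crc` can be dropped regardless.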

half_life

  • Bug Hunter
  • Zen Hero
  • Posts: 867
  • Karma: +59/-0
Re: Joining Zentyal 3 to existing active directory domain.
« Reply #5 on: September 16, 2012, 08:42:49 pm »
Might be an oversight on the programming end. It assigned mine right the first time during install. Try manually editing the Kerberos info and retry. This is getting away from my expertise, so please bear with me. Hopefully someone with more samba4 knowledge will be along soon.

ccarpenter

  • Zen Monk
  • Posts: 60
  • Karma: +0/-0
Re: Joining Zentyal 3 to existing active directory domain.
« Reply #6 on: September 16, 2012, 09:00:22 pm »
I have tried editing /etc/krb5.conf but that didn't have any effect. I also looked in /use/share/zentyal/stubs/samba.conf.mas (path from memory?). Anyway, the template only had variables and no settings. Where can I make the change? And what is the point of the web LDAP settings if it doesn't have any effect either?

half_life

  • Bug Hunter
  • Zen Hero
  • Posts: 867
  • Karma: +59/-0
Re: Joining Zentyal 3 to existing active directory domain.
« Reply #7 on: September 17, 2012, 04:20:12 am »
I am pretty sure that samba needs to be in sync with DNS for everything to work. I have my domain listed under DNS and it can't be changed/deleted. I have not had the time to really dig around and find all of the scripts associated with samba4 and DNS. If it is anything like past versions of Zentyal, there will be a script to reset each module. Hopefully a developer or someone more familiar than I will be along shortly. If this is a test environment I might suggest starting over with a clean install.

ccarpenter

  • Zen Monk
  • Posts: 60
  • Karma: +0/-0
Re: Joining Zentyal 3 to existing active directory domain.
« Reply #8 on: September 17, 2012, 05:04:27 am »
I have used the reconfigure module command and have reinstalled a few times. And I made sure I had my domain all set up in the DNS before installing the Users and File Sharing modules. I set up Kerberos, kpasswd and LDAP in the services of the domain. Do I need to configure any other services for the domain?

codedmind

  • Zen Monk
  • Posts: 54
  • Karma: +2/-0
Re: Joining Zentyal 3 to existing active directory domain.
« Reply #9 on: September 18, 2012, 07:53:11 pm »
Same problem here :/

Can't get Zentyal to resolve local LAN hostnames and can't configure DNS to do that.

The realm always gets .local and then I can't make any changes.

ccarpenter

  • Zen Monk
  • Posts: 60
  • Karma: +0/-0
Re: Joining Zentyal 3 to existing active directory domain.
« Reply #10 on: September 18, 2012, 09:00:22 pm »
I just figured by the time the final version was released it would be figured out, but I am still struggling trying to get it working.

half_life

  • Bug Hunter
  • Zen Hero
  • Posts: 867
  • Karma: +59/-0
Re: Joining Zentyal 3 to existing active directory domain.
« Reply #11 on: September 19, 2012, 02:15:15 am »
I was able to do it here using two clean copies of Zentyal. Machine one was set up as a standalone server. I joined an Ubuntu box to it to verify that portion. I then configured Zentyal machine two as an additional domain controller. Everything worked as advertised. I then created a new user on Zentyal one. It propagated to machine two. I tried from machine two with the same results. The next step will be to set up a test at work with a 2003 server and see what the results are. More on this later.

ccarpenter

  • Zen Monk
  • Posts: 60
  • Karma: +0/-0
Re: Joining Zentyal 3 to existing active directory domain.
« Reply #12 on: September 19, 2012, 05:35:40 am »
I haven't tried two Ubuntu boxes yet, as my setup requires a Windows 2003 server. My test setup was a fresh install of Server 2003 as a test domain and it will not see my domain.

half_life

  • Bug Hunter
  • Zen Hero
  • Posts: 867
  • Karma: +59/-0
Re: Joining Zentyal 3 to existing active directory domain.
« Reply #13 on: September 19, 2012, 06:00:22 am »

ccarpenter

  • Zen Monk
  • Posts: 60
  • Karma: +0/-0
Re: Joining Zentyal 3 to existing active directory domain.
« Reply #14 on: September 25, 2012, 06:37:45 pm »
I need to add my zentyal 3 box to an existing windows 2003 domain, not the other way around. Has anyone gotten this to work?