I'm trying to join a Samba server as an additional DC to an existing Windows DC without success.
I found a lot of information on similar problems on the internet, but no workable solution.
Excerpt from zentyal.log while starting "File Sharing and Domain Services":
....
Cannot do GSSAPI to an IP address
Failed to start GENSEC client mech
gssapi_krb5: NT_STATUS_INVALID_PARAMETER
....
Given conditions:
-- Windows Server 2012R2 with domain/forest functional level Windows 2008
host/ip: srv2012ads/192.168.0.3
-- Linux Zentyal Server 3.3.2 with Samba 4.1.3
host/ip: zentyal/192.168.0.4
-- Linux configuration files:
#### krb5.conf ##################################################
[libdefaults]
default_realm = HATEC.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
preferred_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
[realms]
HATEC.LOCAL = {
kdc = srv2012ads.hatec.local
default_domain = hatec.local
}
[domain_realm]
hatec.local = HATEC.LOCAL
.hatec.local = HATEC.LOCAL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 500
try_first_pass = true
}
[kadmin]
default_keys = des-cbc-crc:pw-salt des-cbc-md5:pw-salt arcfour-hmac-md5:pw-salt aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt
#### krb5.conf ##################################################
#### smb.conf ##################################################
[global]
workgroup = HATEC
netbios name = zentyal
realm = HATEC.LOCAL
domain logons = Yes
domain master = No
security = ads
server string = Zentyal Server
server role = dc
server role check:inhibit = yes
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
server signing = auto
log level = 3
log file = /var/log/samba/samba.log
load printers = no
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes
[netlogon]
path = /opt/samba4/var/locks/sysvol/hatec.local/scripts
browseable = no
read only = yes
[sysvol]
path = /opt/samba4/var/locks/sysvol
read only = no
[homes]
comment = Eigener Ordner
path = /home/%S
read only = no
browseable = no
create mask = 0611
directory mask = 0711
vfs objects = acl_xattr full_audit
full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
# No shares configured
#### smb.conf ##################################################
#### nsswitch.conf ###############################################
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: compat ldap
#### nsswitch.conf ###############################################
-- Running the following command in a terminal to join:
> sudo samba-tool domain join hatec.local DC -d5 -Uadministrator --realm=hatec.local
..
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface lo ip=127.0.1.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth1 ip=192.168.0.4 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.10.4 bcast=192.168.10.255 netmask=255.255.255.0
added interface lo ip=127.0.1.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth1 ip=192.168.0.4 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.10.4 bcast=192.168.10.255 netmask=255.255.255.0
added interface lo ip=127.0.1.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth1 ip=192.168.0.4 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.10.4 bcast=192.168.10.255 netmask=255.255.255.0
added interface lo ip=127.0.1.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth1 ip=192.168.0.4 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.10.4 bcast=192.168.10.255 netmask=255.255.255.0
Finding a writeable DC for domain 'hatec.local'
added interface lo ip=127.0.1.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth1 ip=192.168.0.4 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.10.4 bcast=192.168.10.255 netmask=255.255.255.0
added interface lo ip=127.0.1.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth1 ip=192.168.0.4 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.10.4 bcast=192.168.10.255 netmask=255.255.255.0
finddcs: searching for a DC by DNS domain hatec.local
finddcs: looking for SRV records for _ldap._tcp.hatec.local
ads_dns_lookup_srv: 1 records returned in the answer section.
finddcs: DNS SRV response 0 at '192.168.0.3'
finddcs: performing CLDAP query on 192.168.0.3
finddcs: Found matching DC 192.168.0.3 with server_type=0x0000f3fd
Found DC srv2012ads.hatec.local
added interface lo ip=127.0.1.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth1 ip=192.168.0.4 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.10.4 bcast=192.168.10.255 netmask=255.255.255.0
added interface lo ip=127.0.1.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth1 ip=192.168.0.4 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.10.4 bcast=192.168.10.255 netmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [HATEC\administrator]:
Received smb_krb5 packet of length 190
Received smb_krb5 packet of length 94
gensec_gssapi: credentials were delegated
GSSAPI Connection will be cryptographically sealed
workgroup is hatec
realm is hatec.local
checking sAMAccountName
Adding CN=ZENTYAL,OU=Domain Controllers,DC=hatec,DC=local
Adding CN=ZENTYAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hatec,DC=local
Adding CN=NTDS Settings,CN=ZENTYAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hatec,DC=local
Using binding ncacn_ip_tcp:srv2012ads.hatec.local[,seal,print]
Mapped to DCERPC endpoint 135
added interface lo ip=127.0.1.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth1 ip=192.168.0.4 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.10.4 bcast=192.168.10.255 netmask=255.255.255.0
added interface lo ip=127.0.1.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth1 ip=192.168.0.4 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.10.4 bcast=192.168.10.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 49156
added interface lo ip=127.0.1.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth1 ip=192.168.0.4 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.10.4 bcast=192.168.10.255 netmask=255.255.255.0
added interface lo ip=127.0.1.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth1 ip=192.168.0.4 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.10.4 bcast=192.168.10.255 netmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 190
Received smb_krb5 packet of length 94
gensec_gssapi: credentials were delegated
GSSAPI Connection will be cryptographically sealed
drsuapi_DsBind: struct drsuapi_DsBind
in: struct drsuapi_DsBind
bind_guid : *
bind_guid : e24d201a-4fd6-11d1-a3da-0000f875ae0d
bind_info : *
bind_info: struct drsuapi_DsBindInfoCtr
length : 0x0000001c (28)
info : union drsuapi_DsBindInfo(case 28)
info28: struct drsuapi_DsBindInfo28
supported_extensions : 0x0fefff7f (267386751)
1: DRSUAPI_SUPPORTED_EXTENSION_BASE
1: DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
1: DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
1: DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
0: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY
1: DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
1: DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
1: DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
1: DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
1: DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
1: DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
1: DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
1: DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
1: DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
0: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5
1: DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
1: DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
1: DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
1: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
1: DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
0: DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS
0: DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10
0: DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART2
0: DRSUAPI_SUPPORTED_EXTENSION_RESERVED_PART3
site_guid : 00000000-0000-0000-0000-000000000000
pid : 0x00000000 (0)
repl_epoch : 0x00000000 (0)
drsuapi_DsBind: struct drsuapi_DsBind
out: struct drsuapi_DsBind
bind_info : *
bind_info: struct drsuapi_DsBindInfoCtr
length : 0x00000034 (52)
info : union drsuapi_DsBindInfo(case 52)
FallBack: struct drsuapi_DsBindInfoFallBack
info : DATA_BLOB length=52
[0000] 7F FF FF 3F 32 CC 5C A3 C6 88 43 41 86 0A CC EC ...?2.\. ..CA....
[0010] 2E 38 80 60 50 02 00 00 00 00 00 00 0A 00 00 00 .8.`P... ........
[0020] 44 2A 7F 35 E7 77 02 45 88 82 A3 3D FD 3E 81 91 D*.5.w.E ...=.>..
[0030] 7F 00 00 00 ....
bind_handle : *
bind_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 13fe2a7d-ae01-4b26-8078-2c913b5e0ef6
result : WERR_OK
Join failed - cleaning up
checking sAMAccountName
Deleted CN=ZENTYAL,OU=Domain Controllers,DC=hatec,DC=local
Deleted CN=ZENTYAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hatec,DC=local
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'drsuapi.DsBindInfoFallBack' object has no attribute 'supported_extensions'
File "/opt/samba4/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/opt/samba4/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/opt/samba4/lib/python2.7/site-packages/samba/join.py", line 1172, in join_DC
ctx.do_join()
File "/opt/samba4/lib/python2.7/site-packages/samba/join.py", line 1075, in do_join
ctx.join_add_objects()
File "/opt/samba4/lib/python2.7/site-packages/samba/join.py", line 541, in join_add_objects
ctx.join_add_ntdsdsa()
File "/opt/samba4/lib/python2.7/site-packages/samba/join.py", line 474, in join_add_ntdsdsa
ctx.DsAddEntry([rec])
File "/opt/samba4/lib/python2.7/site-packages/samba/join.py", line 384, in DsAddEntry
ctx.drsuapi_connect()
File "/opt/samba4/lib/python2.7/site-packages/samba/join.py", line 363, in drsuapi_connect
(ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drs_DsBind(ctx.drsuapi)
File "/opt/samba4/lib/python2.7/site-packages/samba/drs_utils.py", line 144, in drs_DsBind
return (handle, info.info.supported_extensions)..
##########################################################
While joining, the Windows security event log reports that a computer account (ZENTYAL$) is successfully added, but a few messages later it is erased (as a consequence of the failed join and the following clean-up).
Because joining a Windows Server 2008R2 domain with exactly the same Windows and Linux settings works like a charm(!), I can assume that the settings for DNS, Kerberos, etc. are correct.
Thanks for any response.
Regards,
Armin
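Added diagnostic note (this is not part of Armin's post and not Samba code): the samba-tool trace above shows DNS discovery and the Kerberos/GSSAPI bind succeeding; the join dies in drs_DsBind, because the Windows DC answered with a 52-byte bind_info that this Samba build can only represent as drsuapi.DsBindInfoFallBack, and that object has no supported_extensions attribute. The Python snippet below decodes the DATA_BLOB printed in the log, assuming it is laid out like DRS_EXTENSIONS_INT in MS-DRSR (dwFlags, SiteObjGuid, Pid, dwReplEpoch, dwFlagsExt, ConfigObjGUID, dwExtCaps); the dictionary keys are my own labels, and the client value 0x0fefff7f is copied from the same log. It shows that the first four bytes of the blob are a perfectly ordinary supported_extensions bitmap, so the failure is on the decoding side, not in the domain configuration.

```python
import re
import struct
import uuid

# The 52-byte DsBindInfo DATA_BLOB exactly as printed in the samba-tool -d5 output above.
# The hex dump is copied from the log; the ASCII column on the right is ignored by the parser.
LOG_HEXDUMP = r"""
[0000] 7F FF FF 3F 32 CC 5C A3 C6 88 43 41 86 0A CC EC ...?2.\. ..CA....
[0010] 2E 38 80 60 50 02 00 00 00 00 00 00 0A 00 00 00 .8.`P... ........
[0020] 44 2A 7F 35 E7 77 02 45 88 82 A3 3D FD 3E 81 91 D*.5.w.E ...=.>..
[0030] 7F 00 00 00 ....
"""

# The bind_info the Samba client sent, taken from the same log (supported_extensions : 0x0fefff7f).
CLIENT_SUPPORTED_EXTENSIONS = 0x0FEFFF7F

# "[offset]" followed by one or more two-digit hex bytes; the ASCII column never matches.
_HEX_LINE = re.compile(r"^\[[0-9A-Fa-f]{4}\]((?:\s+[0-9A-Fa-f]{2})+)")


def hexdump_to_bytes(dump):
    """Turn Samba's '[offset] xx xx ... ascii' dump lines back into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        m = _HEX_LINE.match(line.strip())
        if not m:
            raise ValueError("not a Samba hex dump line: %r" % line)
        # Samba prints at most 16 bytes per line, so cap there: a hex-looking
        # fragment of the ASCII column can then never be swallowed as data.
        out.extend(int(tok, 16) for tok in m.group(1).split()[:16])
    return bytes(out)


def parse_bindinfo52(blob):
    """Decode a 52-byte DsBindInfo body.

    Field order and sizes are assumed to follow DRS_EXTENSIONS_INT from MS-DRSR:
    dwFlags, SiteObjGuid, Pid, dwReplEpoch, dwFlagsExt, ConfigObjGUID, dwExtCaps.
    The key names below are this snippet's own labels, not Samba's.
    """
    if len(blob) != 52:
        raise ValueError("expected 52 bytes, got %d" % len(blob))
    flags, site, pid, epoch, flags_ext, config, ext_caps = struct.unpack("<I16sIII16sI", blob)
    return {
        "supported_extensions": flags,
        "site_guid": str(uuid.UUID(bytes_le=site)),      # GUIDs are stored little-endian on the wire
        "pid": pid,
        "repl_epoch": epoch,
        "supported_extensions_ext": flags_ext,
        "config_dn_guid": str(uuid.UUID(bytes_le=config)),
        "ext_caps": ext_caps,
    }


def negotiated_extensions(client_flags, server_flags):
    """Extensions both sides advertise: what drs_DsBind would hand back if it decoded case 52."""
    return client_flags & server_flags


if __name__ == "__main__":
    info = parse_bindinfo52(hexdump_to_bytes(LOG_HEXDUMP))
    for key, value in info.items():
        print("%-26s %s" % (key, hex(value) if isinstance(value, int) else value))
    print("negotiated supported_extensions: 0x%08x"
          % negotiated_extensions(CLIENT_SUPPORTED_EXTENSIONS, info["supported_extensions"]))
```

Run it as a plain script; it needs only the standard library. The decoded supported_extensions of the DC is a superset of the client's 0x0fefff7f, so had the bind info been understood, the join would have continued with the client's full extension set; the fix is therefore on the Samba side (a build that knows the 52-byte bind info), not in krb5.conf or smb.conf.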