Linux - Newbie: This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
I am trying to join CentOS 7.3 Linux to Microsoft AD through winbind and, while learning, I am failing to do so. I cannot use sssd because authentication needs to talk cross-forest, which sssd doesn't support. That is the reason winbind seems the only option for us.
If anybody has used a similar kind of setup, I would appreciate help. Here are its configurations:
Code:
[root@lab-serv15 etc]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = {IOT.AD.SEADOC.COM}
dns_lookup_kdc = true
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
IOT.AD.SEADOC.COM = {
kdc = wpsd-dc01.iot.ad.SEADOC.com
kdc = wpsd-dc02.iot.ad.SEADOC.com
admin_server = wpsd-dc01.iot.ad.SEADOC.com
default_domain = IOT.AD.SEADOC.COM
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
{iot.ad.SEADOC.com} = {IOT.AD.SEADOC.COM}
.{iot.ad.SEADOC.com} = {IOT.AD.SEADOC.COM}
[root@lab-serv15 etc]#
[root@lab-serv15 etc]# kinit
kinit: Cannot find KDC for realm "{IOT.AD.SEADOC.COM}" while getting initial credentials
[root@lab-serv15 etc]#
[root@lab-serv15 etc]# klist
klist: Credentials cache keyring 'persistent:0:0' not found
[root@lab-serv15 etc]#
[root@lab-serv15 etc]# klist -e
klist: Credentials cache keyring 'persistent:0:0' not found
[root@lab-serv15 etc]# cat /var/log/samba/log.winbindd
[2017/06/23 10:46:15.630100, 0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2017/06/23 10:46:15.642199, 0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
Could not fetch our SID - did we join?
[2017/06/23 10:46:15.642228, 0] ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
unable to initialize domain list
[2017/06/23 10:47:02.212209, 0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2017/06/23 10:47:02.216127, 0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
Could not fetch our SID - did we join?
[2017/06/23 10:47:02.216155, 0] ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
unable to initialize domain list
[root@lab-serv15 etc]#
Usually the SID creation is done by samba_setup. You can run the command
Code:
$ smbpasswd -j -p
to create the SID.
It fails; it seems like I am missing some configuration. admin_user has authority to join the domain and the password is also working well, as I confirmed with the AD guys.
Code:
[root@lab-serv15 ~]# smbpasswd -j -p
See 'net join' for this functionality
[root@lab-serv15 ~]# net join ADS -w iot.ad.seadoc.com -U admin_user@ad.seadoc.com
Enter admin_user@ad.seadoc.com's password:
Failed to join domain: failed to find DC for domain {IOT.AD.SEADOC.COM}
[root@lab-serv15 ~]#
admin_user already has access to join the domain. I am able to join a Windows server to the domain with the same user.
And /etc/samba/smb.conf seems to have necessary configuration.
Code:
[root@lab-serv15 ~]# cat /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
#--authconfig--start-line--
# Generated by authconfig on 2017/06/23 10:46:15
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = {IOT.AD.SEADOC.COM}
realm = {IOT.AD.SEADOC.COM}
security = ads
idmap config * : range = 16777216-33554431
template homedir = /home/{iot.seadoc.com}/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false
#--authconfig--end-line--
; workgroup = SAMBA
; security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root
create mask = 0664
directory mask = 0775
[root@lab-serv15 ~]#
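As an added example that is not part of this thread (nor code from Samba or MIT Kerberos), here is a small Python lint for the krb5.conf/smb.conf pair. The error output above quotes the realm as "{IOT.AD.SEADOC.COM}", braces included: MIT's profile format only treats a bare `{` as opening a subsection, so `{X}` on one line is read as the literal realm name, and the same braces appear in the smb.conf workgroup, realm and template homedir values. The checker flags such leftover template braces and a few related consistency points between the two files (realm case, the [realms] and [domain_realm] entries for default_realm, smb.conf's realm matching krb5's default_realm, and a DNS-style workgroup). The sample configurations inside are constructed from the posted ones; the NetBIOS workgroup name IOT in the corrected pair is an assumption.

```python
"""Added example (not code from the thread, Samba or MIT krb5): a lint for the
krb5.conf / smb.conf pair behind an AD join, aimed at the defect visible in the
posted output, where the realm is quoted as "{IOT.AD.SEADOC.COM}" with braces."""
import re
# A literal {...} in a value; MIT's %{uid}-style ccache expansion is excluded.
LITERAL_BRACES = re.compile(r"(?<!%)\{[^}]*\}")
# Constructed inputs mirroring the posted files, plus a corrected pair derived
# from them.  The NetBIOS workgroup name "IOT" is assumed for illustration.
KRB5_BROKEN = """\
[libdefaults]
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = {IOT.AD.SEADOC.COM}
[realms]
 IOT.AD.SEADOC.COM = {
  kdc = wpsd-dc01.iot.ad.SEADOC.com
 }
[domain_realm]
 {iot.ad.SEADOC.com} = {IOT.AD.SEADOC.COM}
 .{iot.ad.SEADOC.com} = {IOT.AD.SEADOC.COM}
"""
SMB_BROKEN = """\
[global]
   workgroup = {IOT.AD.SEADOC.COM}
   realm = {IOT.AD.SEADOC.COM}
   security = ads
   template homedir = /home/{iot.seadoc.com}/%U
"""
KRB5_FIXED = (KRB5_BROKEN.replace("{IOT.AD.SEADOC.COM}", "IOT.AD.SEADOC.COM")
              .replace("{iot.ad.SEADOC.com}", "iot.ad.seadoc.com"))
SMB_FIXED = (SMB_BROKEN.replace("workgroup = {IOT.AD.SEADOC.COM}", "workgroup = IOT")
             .replace("{IOT.AD.SEADOC.COM}", "IOT.AD.SEADOC.COM")
             .replace("/home/{iot.seadoc.com}/%U", "/home/%D/%U"))

def parse_krb5(text):
    """Minimal MIT profile parser: a value that is exactly "{" opens a subsection,
    "{X}" on one line is an ordinary string (the posted defect); last repeated key wins."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif not stack:
            continue                        # includedir etc. before any section
        elif line == "}":
            if len(stack) > 1:
                stack.pop()
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def parse_smb(text):
    """Minimal smb.conf parser; Samba ignores case/whitespace in parameter names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].lower(), {})
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            section[" ".join(key.split()).lower()] = value.strip()
    return conf

def strings_in(v):
    """Every string in a parsed value (a string, or nested dict keys and values)."""
    return [v] if isinstance(v, str) else [s for k, x in v.items() for s in [k] + strings_in(x)]

def lint(krb5_text, smb_text):
    """Return a list of findings; an empty list means the pair looks consistent."""
    krb, g = parse_krb5(krb5_text), parse_smb(smb_text).get("global", {})
    findings = []
    for section in ("libdefaults", "realms", "domain_realm"):
        for key, value in krb.get(section, {}).items():
            if any(LITERAL_BRACES.search(s) for s in [key] + strings_in(value)):
                findings.append(f"krb5.conf [{section}] '{key}': literal braces (unreplaced placeholder?)")
    realm = krb.get("libdefaults", {}).get("default_realm", "")
    if realm != realm.upper():
        findings.append(f"krb5.conf: default_realm {realm!r} is not upper case")
    if realm not in krb.get("realms", {}):
        findings.append(f"krb5.conf: no [realms] entry for {realm!r}; KDCs only via DNS SRV records")
    missing = [d for d in (realm.lower(), "." + realm.lower())
               if d not in krb.get("domain_realm", {})]
    if missing:
        findings.append(f"krb5.conf [domain_realm]: no mapping {missing} -> {realm!r}")
    for key in ("workgroup", "realm", "template homedir"):
        if LITERAL_BRACES.search(g.get(key, "")):
            findings.append(f"smb.conf [global] '{key}': literal braces (unreplaced placeholder?)")
    if g.get("realm") != realm:
        findings.append(f"smb.conf realm {g.get('realm')!r} != krb5 default_realm {realm!r}")
    if "." in g.get("workgroup", ""):
        findings.append("smb.conf [global]: workgroup should be the short NetBIOS name, not a DNS name")
    return findings
```

Running `lint(KRB5_BROKEN, SMB_BROKEN)` reports nine findings, starting with the braced default_realm, while the corrected pair reports none. The parser is deliberately minimal (no include handling, repeated keys such as several kdc lines are not merged), which is enough for these checks but not a replacement for `testparm` and `kinit` against the real files.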