Unable to join ubuntu server to AD

llsastre · 05-25-2020, 05:06 AM

Hi,
I'm trying to join an ubuntu server 20.04 to old Windows 2003 server AD.
I've installed libraries and configured krb5.conf and smb.conf (guides https://www.server-world.info/en/not...04&p=samba&f=4 and https://elbinario.net/2019/02/13/int...ive-directory/ ), using the general configuration and following instructions on https://wiki.samba.org/index.php/Con..._a_Samba_AD_DC.
In krb5.conf I add these lines, because without it I can not create a kinit ticket.

Code:

# for Windows 2003
      default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

With this lines I create a successful kinit ticket with kinit Administrador@IESAMAURA.LOCAL command. When use

Code:

net ads join -U Administrador

or

Code:

net ads join -U Administrador -S CIESAMAURA.IESAMAURA.LOCAL

it fails. Message are:

Code:

root@lxsvr:/home/adminserver# net join ads -U administrador -S CIESAMAURA.IESAMAURA.LOCAL
Enter administrador's password:
Failed to join domain: failed to lookup DC info for domain 'ads' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.
ADS join did not work, falling back to RPC...
Enter administrador's password:
Failed to join domain: failed to lookup DC info for domain 'IESAMAURA' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.

Using nslookup with name and with IP (DC is 184.2 and Ubuntu server is 184.18)

Code:

root@lxsvr:/home/adminserver# nslookup ciesamaura.iesamaura.local
Server:         10.216.184.2
Address:        10.216.184.2#53

Name:   ciesamaura.iesamaura.local
Address: 10.216.184.2

root@lxsvr:/home/adminserver# nslookup lxsvr
;; Got SERVFAIL reply from 10.216.184.2, trying next server
Server:         8.8.8.8
Address:        8.8.8.8#53

** server can't find lxsvr: NXDOMAIN

root@lxsvr:/home/adminserver# nslookup 10.216.184.18
18.184.216.10.in-addr.arpa      name = centres.educacio.caib.es.

root@lxsvr:/home/adminserver# nslookup 10.216.184.2
2.184.216.10.in-addr.arpa       name = centres.educacio.caib.es.

Testparm

Code:

root@lxsvr:/home/adminserver# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        logging = file
        map to guest = Bad User
        max log size = 1000
        obey pam restrictions = Yes
        pam password change = Yes
        panic action = /usr/share/samba/panic-action %d
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        passwd program = /usr/bin/passwd %u
        realm = IESAMAURA.LOCAL
        security = ADS
        server role = standalone server
        server string = %h server (Samba, Ubuntu)
        template homedir = /home/%U
        template shell = /bin/bash
        unix password sync = Yes
        usershare allow guests = Yes
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = IESAMAURA
        idmap config iesamaura : range = 10000-999999
        idmap config iesamaura : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        map acl inherit = Yes
        vfs objects = acl_xattr


[printers]
        browseable = No
        comment = All Printers
        create mask = 0700
        path = /var/spool/samba
        printable = Yes


[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

krb5.conf

Code:

root@lxsvr:/home/adminserver# cat /etc/krb5.conf
[libdefaults]
        default_realm = IESAMAURA.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

# for Windows 2003
      default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

# The following krb5.conf variables are only for MIT Kerberos.
#       kdc_timesync = 1
#       ccache_type = 4
#       forwardable = true
#       proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

[realms]
        IESAMAURA.LOCAL = {
                kdc = ciesamaura.iesamaura.local
                admin_server = ciesamaura.iesamaura.local
        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu
                kdc = kerberos-1.mit.edu
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        CSAIL.MIT.EDU = {
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        ANDREW.CMU.EDU = {
                admin_server = kerberos.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos-1.srv.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                kdc = kerberos-3.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementix.org
                kdc = kerberos2.dementix.org
                admin_server = kerberos.dementix.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
        }

[domain_realm]
        .iesamaura.local = IESAMAURA.LOCAL
        iesamaura.local = IESAMAURA.LOCAL
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA

I think it is a problem of resolving DNS. My /etc/resolv.conf file is

Code:

root@lxsvr:/home/adminserver# cat /etc/resolv.conf
search IESAMAURA.LOCAL
nameserver 10.216.184.2
nameserver 8.8.8.8
nameserver 9.9.9.9

and /etc/hosts

Code:

root@lxsvr:/home/adminserver# cat /etc/hosts
127.0.0.1 localhost
10.216.184.18   lxsvr.IESAMAURA.LOCAL   lxsvr.iesamaura.local   lxsvr.iesamaura lxsvr
10.216.184.2    ciesamaura.iesamaura.local ciesamaura.iesamaura ciesamaura

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

but I'm not able to see what fails.

May someone help me? What's wrong here?

Ser Olmy · 05-25-2020, 10:41 PM

Depending on how Ubuntu does things, you may have been editing the wrong krb5.conf.

The net command is part of samba, and samba can be built in three ways with regards to Kerberos:

linked against MIT Kerberos, if that's what your distribution is using
linked against Heimdal if that's part of your distribution (known as "system Heimdal")
linked against an embedded version of Heimdal that ships with the samba source code (this is the default)

While a lot can be said about one project embedding an external project in its codebase, in particular if they then fail spectacularly in keeping that embedded project in sync with upstream, the result in this case is that you may be invoking two entirely different sets of Kerberos libraries when you run kinit and net ads join respectively.

See if locate krb5.conf turns up another configuration file in a path that contains "samba".

llsastre · 05-26-2020, 03:08 AM

I know that kerberos config is wrong, but I don't know where is wrong.
locate krb5.conf command:

Code:

root@lxsvr:/home/adminserver# locate krb5.conf
/etc/krb5.conf
/etc/krb5.conf.bak
/usr/share/kerberos-configs/krb5.conf.template
/usr/share/samba/setup/krb5.conf

and

Code:

root@lxsvr:/home/adminserver# cat /usr/share/samba/setup/krb5.conf
[libdefaults]
        default_realm = ${REALM}
        dns_lookup_realm = false
        dns_lookup_kdc = true

It seems right.

Any suggestion?

Ser Olmy · 05-26-2020, 11:32 AM

What about those encryption settings from your first post? Those that are required for joining a Windows 2003 domain? I don't see them anywhere in /usr/share/samba/setup/krb5.conf.

Regarding your DNS settings, you must use an Active Directory DC as your DNS. If 10.216.184.2 is your Windows 2003 server, then all is well.

Keep in mind that you also have public DNS servers in /etc/resolv.conf, which means that if the Windows server fails to respond to a DNS query, your system will switch to 8.8.8.8 and will keep using it until either the next reboot or until 8.8.8.8 fail to respond, whichever happens first. You should never have a mix of internal and external DNS servers in /etc/resolv.xconf.

llsastre · 05-27-2020, 07:06 AM

The encryption settings from my first post is about this article https://wiki.squid-cache.org/ConfigE...icate/Kerberos, but this is to use the kinit command for getting a ticket.
If joining without kinit then is not necessary.
I've deleted it in krb5.conf.
You are right about external DNS. I had not thought about it. I've deleted too in resolv.conf and netplan config file. Now I've only 10.216.184.2 DNS.
But joining to AD fails again. The same missage:

Code:

root@lxsvr:/home/adminserver# net ads join -U administrador
Enter administrador's password:
Failed to join domain: failed to lookup DC info for domain 'IESAMAURA.LOCAL' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.

Curiously I've made the same steps with the same .conf files (hosts, resolv, krb5, smb,...) on Ubuntu Server 18.04 and it has joined inmediately. No errors and working fine, with AD users and groups.
So, some protocol or library not work on 20.04 to AD.

dc.901 · 05-27-2020, 07:19 AM

There are 2-pieces to this:
1-Ubuntu 20.04
2-AD

Have you looked on AD logs in event viewer when a connection attempt is made from your Ubuntu 20.04?

If I am not mistaken, Windows server 2003 was EOS in 2015, very old OS, and your Ubuntu 20.x is on opposite side of spectrum. Surely there are some minimum requirements?

llsastre · 05-28-2020, 04:09 AM

I've read events on AD but nothing about joining. I think that when I try to join, message is: "failed to lookup DC info..." so Ubuntu 20.04 doesn't find DC and no events on AD are saved. Probably, from Ubuntu 20.04, will be not able to join to Windows 2003 AD with samba and winbind but I don't find documentation about it. I've joined with pbis-open app, but not apply samba-winbind to share folders on ubuntu for AD users. An AD user can login on ubuntu but not apply privileges automatically. I want use this ubuntu 20.04 for sharing files to AD users, and this app not seems the best tool to do it.

llsastre · 06-08-2020, 05:02 AM

SOLVED!

It was a protocol problem. Windows 2003 server uses SMB1 protocol which has been disabled on Ubuntu 20.04. To enable again must include this line in [global] section:

Code:

client min protocol = NT1

Then restart samba and it joins to AD.

Thanks for your help!