Hi,
I'm trying to join an Ubuntu Server 20.04 host to an old Windows Server 2003 AD domain.
I've installed the libraries and configured krb5.conf and smb.conf (following the guides
https://www.server-world.info/en/not...04&p=samba&f=4 and
https://elbinario.net/2019/02/13/int...ive-directory/ ), using the general configuration and following the instructions at
https://wiki.samba.org/index.php/Con..._a_Samba_AD_DC.
In krb5.conf I added these lines, because without them I cannot obtain a ticket with kinit.
Code:
# for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
With these lines I successfully obtain a ticket with the command kinit
Administrador@IESAMAURA.LOCAL. When I use
Code:
net ads join -U Administrador
or
Code:
net ads join -U Administrador -S CIESAMAURA.IESAMAURA.LOCAL
it fails. The messages are:
Code:
root@lxsvr:/home/adminserver# net join ads -U administrador -S CIESAMAURA.IESAMAURA.LOCAL
Enter administrador's password:
Failed to join domain: failed to lookup DC info for domain 'ads' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.
ADS join did not work, falling back to RPC...
Enter administrador's password:
Failed to join domain: failed to lookup DC info for domain 'IESAMAURA' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.
Using nslookup with the name and with the IP (the DC is .184.2 and the Ubuntu server is .184.18):
Code:
root@lxsvr:/home/adminserver# nslookup ciesamaura.iesamaura.local
Server: 10.216.184.2
Address: 10.216.184.2#53
Name: ciesamaura.iesamaura.local
Address: 10.216.184.2
root@lxsvr:/home/adminserver# nslookup lxsvr
;; Got SERVFAIL reply from 10.216.184.2, trying next server
Server: 8.8.8.8
Address: 8.8.8.8#53
** server can't find lxsvr: NXDOMAIN
root@lxsvr:/home/adminserver# nslookup 10.216.184.18
18.184.216.10.in-addr.arpa name = centres.educacio.caib.es.
root@lxsvr:/home/adminserver# nslookup 10.216.184.2
2.184.216.10.in-addr.arpa name = centres.educacio.caib.es.
Testparm
Code:
root@lxsvr:/home/adminserver# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
logging = file
map to guest = Bad User
max log size = 1000
obey pam restrictions = Yes
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
realm = IESAMAURA.LOCAL
security = ADS
server role = standalone server
server string = %h server (Samba, Ubuntu)
template homedir = /home/%U
template shell = /bin/bash
unix password sync = Yes
usershare allow guests = Yes
winbind enum groups = Yes
winbind enum users = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = IESAMAURA
idmap config iesamaura : range = 10000-999999
idmap config iesamaura : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
vfs objects = acl_xattr
[printers]
browseable = No
comment = All Printers
create mask = 0700
path = /var/spool/samba
printable = Yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
krb5.conf
Code:
root@lxsvr:/home/adminserver# cat /etc/krb5.conf
[libdefaults]
default_realm = IESAMAURA.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
# for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
# The following krb5.conf variables are only for MIT Kerberos.
# kdc_timesync = 1
# ccache_type = 4
# forwardable = true
# proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
IESAMAURA.LOCAL = {
kdc = ciesamaura.iesamaura.local
admin_server = ciesamaura.iesamaura.local
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
CSAIL.MIT.EDU = {
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
ANDREW.CMU.EDU = {
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos-1.srv.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
kdc = kerberos-3.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.iesamaura.local = IESAMAURA.LOCAL
iesamaura.local = IESAMAURA.LOCAL
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
I think it is a DNS resolution problem. My /etc/resolv.conf file is:
Code:
root@lxsvr:/home/adminserver# cat /etc/resolv.conf
search IESAMAURA.LOCAL
nameserver 10.216.184.2
nameserver 8.8.8.8
nameserver 9.9.9.9
and /etc/hosts is:
Code:
root@lxsvr:/home/adminserver# cat /etc/hosts
127.0.0.1 localhost
10.216.184.18 lxsvr.IESAMAURA.LOCAL lxsvr.iesamaura.local lxsvr.iesamaura lxsvr
10.216.184.2 ciesamaura.iesamaura.local ciesamaura.iesamaura ciesamaura
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
but I'm not able to see what is failing.
Can someone help me? What's wrong here?