LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 05-25-2020, 05:06 AM   #1
llsastre
LQ Newbie
 
Registered: Apr 2019
Location: Spain
Distribution: ubuntu server 16.04
Posts: 16

Rep: Reputation: Disabled
Unable to join ubuntu server to AD


Hi,
I'm trying to join an ubuntu server 20.04 to old Windows 2003 server AD.
I've installed libraries and configured krb5.conf and smb.conf (guides https://www.server-world.info/en/not...04&p=samba&f=4 and https://elbinario.net/2019/02/13/int...ive-directory/ ), using the general configuration and following instructions on https://wiki.samba.org/index.php/Con..._a_Samba_AD_DC.
In krb5.conf I add these lines, because without it I can not create a kinit ticket.
Code:
# for Windows 2003
      default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
With this lines I create a successful kinit ticket with kinit Administrador@IESAMAURA.LOCAL command. When use
Code:
net ads join -U Administrador
or
Code:
net ads join -U Administrador -S CIESAMAURA.IESAMAURA.LOCAL
it fails. Message are:
Code:
root@lxsvr:/home/adminserver# net join ads -U administrador -S CIESAMAURA.IESAMAURA.LOCAL
Enter administrador's password:
Failed to join domain: failed to lookup DC info for domain 'ads' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.
ADS join did not work, falling back to RPC...
Enter administrador's password:
Failed to join domain: failed to lookup DC info for domain 'IESAMAURA' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.
Using nslookup with name and with IP (DC is 184.2 and Ubuntu server is 184.18)
Code:
root@lxsvr:/home/adminserver# nslookup ciesamaura.iesamaura.local
Server:         10.216.184.2
Address:        10.216.184.2#53

Name:   ciesamaura.iesamaura.local
Address: 10.216.184.2

root@lxsvr:/home/adminserver# nslookup lxsvr
;; Got SERVFAIL reply from 10.216.184.2, trying next server
Server:         8.8.8.8
Address:        8.8.8.8#53

** server can't find lxsvr: NXDOMAIN

root@lxsvr:/home/adminserver# nslookup 10.216.184.18
18.184.216.10.in-addr.arpa      name = centres.educacio.caib.es.

root@lxsvr:/home/adminserver# nslookup 10.216.184.2
2.184.216.10.in-addr.arpa       name = centres.educacio.caib.es.
Testparm
Code:
root@lxsvr:/home/adminserver# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        logging = file
        map to guest = Bad User
        max log size = 1000
        obey pam restrictions = Yes
        pam password change = Yes
        panic action = /usr/share/samba/panic-action %d
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        passwd program = /usr/bin/passwd %u
        realm = IESAMAURA.LOCAL
        security = ADS
        server role = standalone server
        server string = %h server (Samba, Ubuntu)
        template homedir = /home/%U
        template shell = /bin/bash
        unix password sync = Yes
        usershare allow guests = Yes
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = IESAMAURA
        idmap config iesamaura : range = 10000-999999
        idmap config iesamaura : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        map acl inherit = Yes
        vfs objects = acl_xattr


[printers]
        browseable = No
        comment = All Printers
        create mask = 0700
        path = /var/spool/samba
        printable = Yes


[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers
krb5.conf
Code:
root@lxsvr:/home/adminserver# cat /etc/krb5.conf
[libdefaults]
        default_realm = IESAMAURA.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

# for Windows 2003
      default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

# The following krb5.conf variables are only for MIT Kerberos.
#       kdc_timesync = 1
#       ccache_type = 4
#       forwardable = true
#       proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

[realms]
        IESAMAURA.LOCAL = {
                kdc = ciesamaura.iesamaura.local
                admin_server = ciesamaura.iesamaura.local
        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu
                kdc = kerberos-1.mit.edu
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        CSAIL.MIT.EDU = {
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        ANDREW.CMU.EDU = {
                admin_server = kerberos.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos-1.srv.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                kdc = kerberos-3.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementix.org
                kdc = kerberos2.dementix.org
                admin_server = kerberos.dementix.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
        }

[domain_realm]
        .iesamaura.local = IESAMAURA.LOCAL
        iesamaura.local = IESAMAURA.LOCAL
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA
I think it is a problem of resolving DNS. My /etc/resolv.conf file is
Code:
root@lxsvr:/home/adminserver# cat /etc/resolv.conf
search IESAMAURA.LOCAL
nameserver 10.216.184.2
nameserver 8.8.8.8
nameserver 9.9.9.9
and /etc/hosts
Code:
root@lxsvr:/home/adminserver# cat /etc/hosts
127.0.0.1 localhost
10.216.184.18   lxsvr.IESAMAURA.LOCAL   lxsvr.iesamaura.local   lxsvr.iesamaura lxsvr
10.216.184.2    ciesamaura.iesamaura.local ciesamaura.iesamaura ciesamaura

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
but I'm not able to see what fails.

May someone help me? What's wrong here?

Last edited by llsastre; 05-25-2020 at 05:11 AM.
 
Old 05-25-2020, 10:41 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,752

Rep: Reputation: Disabled
Depending on how Ubuntu does things, you may have been editing the wrong krb5.conf.

The net command is part of samba, and samba can be built in three ways with regards to Kerberos:
  • linked against MIT Kerberos, if that's what your distribution is using
  • linked against Heimdal if that's part of your distribution (known as "system Heimdal")
  • linked against an embedded version of Heimdal that ships with the samba source code (this is the default)
While a lot can be said about one project embedding an external project in its codebase, in particular if they then fail spectacularly in keeping that embedded project in sync with upstream, the result in this case is that you may be invoking two entirely different sets of Kerberos libraries when you run kinit and net ads join respectively.

See if locate krb5.conf turns up another configuration file in a path that contains "samba".
 
Old 05-26-2020, 03:08 AM   #3
llsastre
LQ Newbie
 
Registered: Apr 2019
Location: Spain
Distribution: ubuntu server 16.04
Posts: 16

Original Poster
Rep: Reputation: Disabled
I know that kerberos config is wrong, but I don't know where is wrong.
locate krb5.conf command:
Code:
root@lxsvr:/home/adminserver# locate krb5.conf
/etc/krb5.conf
/etc/krb5.conf.bak
/usr/share/kerberos-configs/krb5.conf.template
/usr/share/samba/setup/krb5.conf
and
Code:
root@lxsvr:/home/adminserver# cat /usr/share/samba/setup/krb5.conf
[libdefaults]
        default_realm = ${REALM}
        dns_lookup_realm = false
        dns_lookup_kdc = true
It seems right.

Any suggestion?
 
Old 05-26-2020, 11:32 AM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,752

Rep: Reputation: Disabled
What about those encryption settings from your first post? Those that are required for joining a Windows 2003 domain? I don't see them anywhere in /usr/share/samba/setup/krb5.conf.

Regarding your DNS settings, you must use an Active Directory DC as your DNS. If 10.216.184.2 is your Windows 2003 server, then all is well.

Keep in mind that you also have public DNS servers in /etc/resolv.conf, which means that if the Windows server fails to respond to a DNS query, your system will switch to 8.8.8.8 and will keep using it until either the next reboot or until 8.8.8.8 fail to respond, whichever happens first. You should never have a mix of internal and external DNS servers in /etc/resolv.xconf.
 
Old 05-27-2020, 07:06 AM   #5
llsastre
LQ Newbie
 
Registered: Apr 2019
Location: Spain
Distribution: ubuntu server 16.04
Posts: 16

Original Poster
Rep: Reputation: Disabled
The encryption settings from my first post is about this article https://wiki.squid-cache.org/ConfigE...icate/Kerberos, but this is to use the kinit command for getting a ticket.
If joining without kinit then is not necessary.
I've deleted it in krb5.conf.
You are right about external DNS. I had not thought about it. I've deleted too in resolv.conf and netplan config file. Now I've only 10.216.184.2 DNS.
But joining to AD fails again. The same missage:
Code:
root@lxsvr:/home/adminserver# net ads join -U administrador
Enter administrador's password:
Failed to join domain: failed to lookup DC info for domain 'IESAMAURA.LOCAL' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.
Curiously I've made the same steps with the same .conf files (hosts, resolv, krb5, smb,...) on Ubuntu Server 18.04 and it has joined inmediately. No errors and working fine, with AD users and groups.
So, some protocol or library not work on 20.04 to AD.
 
Old 05-27-2020, 07:19 AM   #6
dc.901
Member
 
Registered: Aug 2018
Location: Atlanta, GA - USA
Distribution: CentOS/RHEL, openSuSE/SLES, Ubuntu
Posts: 778

Rep: Reputation: 241Reputation: 241Reputation: 241
There are 2-pieces to this:
1-Ubuntu 20.04
2-AD

Have you looked on AD logs in event viewer when a connection attempt is made from your Ubuntu 20.04?

If I am not mistaken, Windows server 2003 was EOS in 2015, very old OS, and your Ubuntu 20.x is on opposite side of spectrum. Surely there are some minimum requirements?
 
Old 05-28-2020, 04:09 AM   #7
llsastre
LQ Newbie
 
Registered: Apr 2019
Location: Spain
Distribution: ubuntu server 16.04
Posts: 16

Original Poster
Rep: Reputation: Disabled
I've read events on AD but nothing about joining. I think that when I try to join, message is: "failed to lookup DC info..." so Ubuntu 20.04 doesn't find DC and no events on AD are saved. Probably, from Ubuntu 20.04, will be not able to join to Windows 2003 AD with samba and winbind but I don't find documentation about it. I've joined with pbis-open app, but not apply samba-winbind to share folders on ubuntu for AD users. An AD user can login on ubuntu but not apply privileges automatically. I want use this ubuntu 20.04 for sharing files to AD users, and this app not seems the best tool to do it.
 
Old 06-08-2020, 05:02 AM   #8
llsastre
LQ Newbie
 
Registered: Apr 2019
Location: Spain
Distribution: ubuntu server 16.04
Posts: 16

Original Poster
Rep: Reputation: Disabled
SOLVED!

It was a protocol problem. Windows 2003 server uses SMB1 protocol which has been disabled on Ubuntu 20.04. To enable again must include this line in [global] section:
Code:
client min protocol = NT1
Then restart samba and it joins to AD.

Thanks for your help!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
join to AD domain; join with domain credential with ssh nnicola82 Linux - Server 0 11-13-2019 11:45 PM
Can't join Windows 2000 domain using net ads join The Cat Linux - Networking 2 09-23-2008 11:41 AM
Unable to join domain using Net Join command in FC3 client jeb083079 Linux - Networking 9 07-30-2007 02:41 AM
Help using 'net join' to join a windows domain Wapo Linux - Networking 1 04-28-2006 02:30 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 02:51 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration