Unable to join ubuntu server to AD
by llsastre from LinuxQuestions.org on (#53WGY)
Hi,
I'm trying to join an Ubuntu Server 20.04 host to an old Windows Server 2003 AD domain.
I've installed the required libraries and configured krb5.conf and smb.conf (guides https://www.server-world.info/en/not...04&p=samba&f=4 and https://elbinario.net/2019/02/13/int...ive-directory/ ), using the general configuration and following the instructions on https://wiki.samba.org/index.php/Con..._a_Samba_AD_DC.
In krb5.conf I added these lines, because without them I cannot obtain a ticket with kinit.
Code:# for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
With these lines I can obtain a ticket successfully with the command kinit Administrador@IESAMAURA.LOCAL. When I use
Code:net ads join -U Administrador
or
Code:net ads join -U Administrador -S CIESAMAURA.IESAMAURA.LOCAL
it fails. The messages are:
Code:root@lxsvr:/home/adminserver# net join ads -U administrador -S CIESAMAURA.IESAMAURA.LOCAL
Enter administrador's password:
Failed to join domain: failed to lookup DC info for domain 'ads' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.
ADS join did not work, falling back to RPC...
Enter administrador's password:
Failed to join domain: failed to lookup DC info for domain 'IESAMAURA' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.
Using nslookup by name and by IP (the DC is .184.2 and the Ubuntu server is .184.18):
Code:root@lxsvr:/home/adminserver# nslookup ciesamaura.iesamaura.local
Server: 10.216.184.2
Address: 10.216.184.2#53
Name: ciesamaura.iesamaura.local
Address: 10.216.184.2
root@lxsvr:/home/adminserver# nslookup lxsvr
;; Got SERVFAIL reply from 10.216.184.2, trying next server
Server: 8.8.8.8
Address: 8.8.8.8#53
** server can't find lxsvr: NXDOMAIN
root@lxsvr:/home/adminserver# nslookup 10.216.184.18
18.184.216.10.in-addr.arpa name = centres.educacio.caib.es.
root@lxsvr:/home/adminserver# nslookup 10.216.184.2
2.184.216.10.in-addr.arpa name = centres.educacio.caib.es.
Testparm
Code:root@lxsvr:/home/adminserver# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
logging = file
map to guest = Bad User
max log size = 1000
obey pam restrictions = Yes
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
realm = IESAMAURA.LOCAL
security = ADS
server role = standalone server
server string = %h server (Samba, Ubuntu)
template homedir = /home/%U
template shell = /bin/bash
unix password sync = Yes
usershare allow guests = Yes
winbind enum groups = Yes
winbind enum users = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = IESAMAURA
idmap config iesamaura : range = 10000-999999
idmap config iesamaura : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
vfs objects = acl_xattr
[printers]
browseable = No
comment = All Printers
create mask = 0700
path = /var/spool/samba
printable = Yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
krb5.conf
Code:root@lxsvr:/home/adminserver# cat /etc/krb5.conf
[libdefaults]
default_realm = IESAMAURA.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
# for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
# The following krb5.conf variables are only for MIT Kerberos.
# kdc_timesync = 1
# ccache_type = 4
# forwardable = true
# proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
IESAMAURA.LOCAL = {
kdc = ciesamaura.iesamaura.local
admin_server = ciesamaura.iesamaura.local
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
CSAIL.MIT.EDU = {
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
ANDREW.CMU.EDU = {
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos-1.srv.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
kdc = kerberos-3.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.iesamaura.local = IESAMAURA.LOCAL
iesamaura.local = IESAMAURA.LOCAL
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
I think it is a DNS resolution problem. My /etc/resolv.conf file is
Code:root@lxsvr:/home/adminserver# cat /etc/resolv.conf
search IESAMAURA.LOCAL
nameserver 10.216.184.2
nameserver 8.8.8.8
nameserver 9.9.9.9
and /etc/hosts
Code:root@lxsvr:/home/adminserver# cat /etc/hosts
127.0.0.1 localhost
10.216.184.18 lxsvr.IESAMAURA.LOCAL lxsvr.iesamaura.local lxsvr.iesamaura lxsvr
10.216.184.2 ciesamaura.iesamaura.local ciesamaura.iesamaura ciesamaura
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
but I'm not able to see what fails.
Can someone help me? What's wrong here?


I'm trying to join an Ubuntu Server 20.04 host to an old Windows Server 2003 AD domain.
I've installed the required libraries and configured krb5.conf and smb.conf (guides https://www.server-world.info/en/not...04&p=samba&f=4 and https://elbinario.net/2019/02/13/int...ive-directory/ ), using the general configuration and following the instructions on https://wiki.samba.org/index.php/Con..._a_Samba_AD_DC.
In krb5.conf I added these lines, because without them I cannot obtain a ticket with kinit.
Code:# for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
With these lines I can obtain a ticket successfully with the command kinit Administrador@IESAMAURA.LOCAL. When I use
Code:net ads join -U Administrador
or
Code:net ads join -U Administrador -S CIESAMAURA.IESAMAURA.LOCAL
it fails. The messages are:
Code:root@lxsvr:/home/adminserver# net join ads -U administrador -S CIESAMAURA.IESAMAURA.LOCAL
Enter administrador's password:
Failed to join domain: failed to lookup DC info for domain 'ads' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.
ADS join did not work, falling back to RPC...
Enter administrador's password:
Failed to join domain: failed to lookup DC info for domain 'IESAMAURA' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.
Using nslookup by name and by IP (the DC is .184.2 and the Ubuntu server is .184.18):
Code:root@lxsvr:/home/adminserver# nslookup ciesamaura.iesamaura.local
Server: 10.216.184.2
Address: 10.216.184.2#53
Name: ciesamaura.iesamaura.local
Address: 10.216.184.2
root@lxsvr:/home/adminserver# nslookup lxsvr
;; Got SERVFAIL reply from 10.216.184.2, trying next server
Server: 8.8.8.8
Address: 8.8.8.8#53
** server can't find lxsvr: NXDOMAIN
root@lxsvr:/home/adminserver# nslookup 10.216.184.18
18.184.216.10.in-addr.arpa name = centres.educacio.caib.es.
root@lxsvr:/home/adminserver# nslookup 10.216.184.2
2.184.216.10.in-addr.arpa name = centres.educacio.caib.es.
Testparm
Code:root@lxsvr:/home/adminserver# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
logging = file
map to guest = Bad User
max log size = 1000
obey pam restrictions = Yes
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
realm = IESAMAURA.LOCAL
security = ADS
server role = standalone server
server string = %h server (Samba, Ubuntu)
template homedir = /home/%U
template shell = /bin/bash
unix password sync = Yes
usershare allow guests = Yes
winbind enum groups = Yes
winbind enum users = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = IESAMAURA
idmap config iesamaura : range = 10000-999999
idmap config iesamaura : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
vfs objects = acl_xattr
[printers]
browseable = No
comment = All Printers
create mask = 0700
path = /var/spool/samba
printable = Yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
krb5.conf
Code:root@lxsvr:/home/adminserver# cat /etc/krb5.conf
[libdefaults]
default_realm = IESAMAURA.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
# for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
# The following krb5.conf variables are only for MIT Kerberos.
# kdc_timesync = 1
# ccache_type = 4
# forwardable = true
# proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
IESAMAURA.LOCAL = {
kdc = ciesamaura.iesamaura.local
admin_server = ciesamaura.iesamaura.local
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
CSAIL.MIT.EDU = {
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
ANDREW.CMU.EDU = {
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos-1.srv.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
kdc = kerberos-3.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.iesamaura.local = IESAMAURA.LOCAL
iesamaura.local = IESAMAURA.LOCAL
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
I think it is a DNS resolution problem. My /etc/resolv.conf file is
Code:root@lxsvr:/home/adminserver# cat /etc/resolv.conf
search IESAMAURA.LOCAL
nameserver 10.216.184.2
nameserver 8.8.8.8
nameserver 9.9.9.9
and /etc/hosts
Code:root@lxsvr:/home/adminserver# cat /etc/hosts
127.0.0.1 localhost
10.216.184.18 lxsvr.IESAMAURA.LOCAL lxsvr.iesamaura.local lxsvr.iesamaura lxsvr
10.216.184.2 ciesamaura.iesamaura.local ciesamaura.iesamaura ciesamaura
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
but I'm not able to see what fails.
Can someone help me? What's wrong here?