Kerberos/Samba can't join Active Directory [DEBIAN 8]












2














I have an issue when I try to join my domain.



I am able to create the kerberos ticket successfully.



root@debian:~# kinit Administrateur@ASP.DOMAIN

Password for Administrateur@ASP.DOMAIN:

root@debian:~# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: Administrateur@ASP.DOMAIN



Valid starting       Expires              Service principal

26/04/2016 18:20:18  27/04/2016 04:20:18  krbtgt/ASP.DOMAIN@ASP.DOMAIN

        renew until 27/04/2016 18:20:11


and when I try to join the domain :



    root@debian:~# net ads join -k 

Failed to join domain: failed to lookup

    DC info for domain 'ASP.DOMAIN' over rpc: {Device Timeout} The

    specified I/O operation on %hs was not completed before the time-out period expired.


my krb5.conf is:



[libdefaults]

        default_realm = ASP.DOMAIN



# The following krb5.conf variables are only for MIT Kerberos.

        krb4_config = /etc/krb.conf

        krb4_realms = /etc/krb.realms

        kdc_timesync = 1

        ccache_type = 4

        forwardable = true

        proxiable = true



[realms]

        ASP.DOMAIN = {

                kdc = asp.domain

                admin_server = server.domain

                default_domain = DOMAIN

        }



[domain_realm]

        .asp.domain = ASP.DOMAIN

        asp.domain = ASP.DOMAIN


My smb.conf :



[global]

        security = ADS

        realm = ASP.DOMAIN

        password server = server.domain

        workgroup = asp.domain

        winbind separator = /

        idmap uid = 10000-20000

        idmap gid = 10000-20000

        winbind enum users = yes

        winbind enum groups = yes

        template homedir = /home/%D/%U

        template shell = /bin/bash

        client use spnego = yes

        winbind use default domain = yes

        domain master = no

        local master = no

        preferred master = no

        os level = 0


I have no idea: there is no drop on my firewall. The ticket is ok. I've tried with 3 Domain Controlers.



PS : Domain is a variable



EDIT : I've tried to do it with samba-tool too



root@debian:~# samba-tool domain join ASP.DOMAIN MEMBER -UAdministrateur --real=ASP.DOMAIN

ERROR(runtime): uncaught exception - Connection to SAMR pipe of PDC for ASP.DOMAIN failed: Connection to DC failed: NT_STATUS_IO_TIMEOUT

  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run

    return self.run(*args, **kwargs)

  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 606, in run

    machinepass=machinepass)


EDIT 2 : Join is ok ? But wbinfo -u is not ok



root@debian:~# net ads join -U Administrateur

Enter Administrateur's password:

Using short domain name -- DOMAIN

Joined 'ASP.DOMAIN' to dns domain 'asp.domain'

DNS Update for asp.kapia failed: ERROR_DNS_GSS_ERROR

DNS update failed: NT_STATUS_UNSUCCESSFUL

root@debian:~# net ads testjoin

Join is OK



root@debian:~# wbinfo -u

could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE

could not obtain winbind domain name!

Error looking up domain users


EDIT 3 :



enter image description here
EDIT 4 :



root@debian:~# service winbind status

● winbind.service - LSB: start Winbind daemon

   Loaded: loaded (/etc/init.d/winbind)

   Active: active (exited) since mer. 2016-04-27 16:16:00 CEST; 55s ago

  Process: 2222 ExecStart=/etc/init.d/winbind start (code=exited, status=0/SUCCESS)



avril 27 16:16:00 debian winbindd[2233]: #5 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_timer_delay+0xcd) [0x7fbc2b11e1cd]

avril 27 16:16:00 debian winbindd[2233]: #6 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x91ca) [0x7fbc2b11f1ca]

avril 27 16:16:00 debian winbindd[2233]: #7 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x78e7) [0x7fbc2b11d8e7]

avril 27 16:16:00 debian winbindd[2233]: #8 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d) [0x7fbc2b11a12d]

avril 27 16:16:00 debian winbindd[2233]: #9 /usr/sbin/winbindd(main+0xb7c) [0x7fbc325cbc8c]

avril 27 16:16:00 debian winbindd[2233]: #10 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7fbc2a92db45]

avril 27 16:16:00 debian winbindd[2233]: #11 /usr/sbin/winbindd(+0x25318) [0x7fbc325cc318]

avril 27 16:16:00 debian winbindd[2233]: [2016/04/27 16:16:00.971185,  0] ../source3/lib/dumpcore.c:318(dump_core)

avril 27 16:16:00 debian winbindd[2233]: dumping core in /var/log/samba/cores/winbindd

avril 27 16:16:00 debian winbindd[2233]:





samba active-directory kerberos







share|improve this question
















bumped to the homepage by Community 2 days ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.















  • Can you ping the admin_server defined in your krb5.conf? You have the default_realm set there but you might also want to add dns_lookup_realm = true and dns_lookup_kdc = true in the same [libdefaults] section.
    – roaima
    Apr 27 '16 at 9:49










  • Hi thank you all but i against have issue with your modification. when i try to join with debut mode, i can see : Using short domain name -- DOMAIN Joined 'ASP.DOMAIN' to dns domain 'asp.domain' added interface eth0 ip=192.168.1.X bcast=192.168.1.255 netmask=255.255.255.0 ads_dns_lookup_ns: 1 records returned in the answer section. DNS Update for asp.domain failed: ERROR_DNS_GSS_ERROR DNS update failed: NT_STATUS_UNSUCCESSFUL
    – Mikael Denis
    Apr 27 '16 at 13:07












  • With this command : ` net ads join -U Administrateur -d 5`
    – Mikael Denis
    Apr 27 '16 at 13:13










  • Same error : lists.samba.org/archive/samba/2014-December/187820.html
    – Mikael Denis
    Apr 27 '16 at 13:20










  • I think your server has now joined the domain. (The only error I can see in your update is for DNS.) Please check your Domain Controller and if this is the case I'll create an Answer for you to Accept.
    – roaima
    Apr 27 '16 at 13:24


















2














I have an issue when I try to join my domain.



I am able to create the kerberos ticket successfully.



root@debian:~# kinit Administrateur@ASP.DOMAIN

Password for Administrateur@ASP.DOMAIN:

root@debian:~# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: Administrateur@ASP.DOMAIN



Valid starting       Expires              Service principal

26/04/2016 18:20:18  27/04/2016 04:20:18  krbtgt/ASP.DOMAIN@ASP.DOMAIN

        renew until 27/04/2016 18:20:11


and when I try to join the domain :



    root@debian:~# net ads join -k 

Failed to join domain: failed to lookup

    DC info for domain 'ASP.DOMAIN' over rpc: {Device Timeout} The

    specified I/O operation on %hs was not completed before the time-out period expired.


my krb5.conf is:



[libdefaults]

        default_realm = ASP.DOMAIN



# The following krb5.conf variables are only for MIT Kerberos.

        krb4_config = /etc/krb.conf

        krb4_realms = /etc/krb.realms

        kdc_timesync = 1

        ccache_type = 4

        forwardable = true

        proxiable = true



[realms]

        ASP.DOMAIN = {

                kdc = asp.domain

                admin_server = server.domain

                default_domain = DOMAIN

        }



[domain_realm]

        .asp.domain = ASP.DOMAIN

        asp.domain = ASP.DOMAIN


My smb.conf :



[global]

        security = ADS

        realm = ASP.DOMAIN

        password server = server.domain

        workgroup = asp.domain

        winbind separator = /

        idmap uid = 10000-20000

        idmap gid = 10000-20000

        winbind enum users = yes

        winbind enum groups = yes

        template homedir = /home/%D/%U

        template shell = /bin/bash

        client use spnego = yes

        winbind use default domain = yes

        domain master = no

        local master = no

        preferred master = no

        os level = 0


I have no idea: there is no drop on my firewall. The ticket is ok. I've tried with 3 Domain Controlers.



PS : Domain is a variable



EDIT : I've tried to do it with samba-tool too



root@debian:~# samba-tool domain join ASP.DOMAIN MEMBER -UAdministrateur --real=ASP.DOMAIN

ERROR(runtime): uncaught exception - Connection to SAMR pipe of PDC for ASP.DOMAIN failed: Connection to DC failed: NT_STATUS_IO_TIMEOUT

  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run

    return self.run(*args, **kwargs)

  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 606, in run

    machinepass=machinepass)


EDIT 2 : Join is ok ? But wbinfo -u is not ok



root@debian:~# net ads join -U Administrateur

Enter Administrateur's password:

Using short domain name -- DOMAIN

Joined 'ASP.DOMAIN' to dns domain 'asp.domain'

DNS Update for asp.kapia failed: ERROR_DNS_GSS_ERROR

DNS update failed: NT_STATUS_UNSUCCESSFUL

root@debian:~# net ads testjoin

Join is OK



root@debian:~# wbinfo -u

could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE

could not obtain winbind domain name!

Error looking up domain users


EDIT 3 :



enter image description here
EDIT 4 :



root@debian:~# service winbind status

● winbind.service - LSB: start Winbind daemon

   Loaded: loaded (/etc/init.d/winbind)

   Active: active (exited) since mer. 2016-04-27 16:16:00 CEST; 55s ago

  Process: 2222 ExecStart=/etc/init.d/winbind start (code=exited, status=0/SUCCESS)



avril 27 16:16:00 debian winbindd[2233]: #5 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_timer_delay+0xcd) [0x7fbc2b11e1cd]

avril 27 16:16:00 debian winbindd[2233]: #6 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x91ca) [0x7fbc2b11f1ca]

avril 27 16:16:00 debian winbindd[2233]: #7 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x78e7) [0x7fbc2b11d8e7]

avril 27 16:16:00 debian winbindd[2233]: #8 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d) [0x7fbc2b11a12d]

avril 27 16:16:00 debian winbindd[2233]: #9 /usr/sbin/winbindd(main+0xb7c) [0x7fbc325cbc8c]

avril 27 16:16:00 debian winbindd[2233]: #10 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7fbc2a92db45]

avril 27 16:16:00 debian winbindd[2233]: #11 /usr/sbin/winbindd(+0x25318) [0x7fbc325cc318]

avril 27 16:16:00 debian winbindd[2233]: [2016/04/27 16:16:00.971185,  0] ../source3/lib/dumpcore.c:318(dump_core)

avril 27 16:16:00 debian winbindd[2233]: dumping core in /var/log/samba/cores/winbindd

avril 27 16:16:00 debian winbindd[2233]:





samba active-directory kerberos







share|improve this question
















bumped to the homepage by Community 2 days ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.















  • Can you ping the admin_server defined in your krb5.conf? You have the default_realm set there but you might also want to add dns_lookup_realm = true and dns_lookup_kdc = true in the same [libdefaults] section.
    – roaima
    Apr 27 '16 at 9:49










  • Hi thank you all but i against have issue with your modification. when i try to join with debut mode, i can see : Using short domain name -- DOMAIN Joined 'ASP.DOMAIN' to dns domain 'asp.domain' added interface eth0 ip=192.168.1.X bcast=192.168.1.255 netmask=255.255.255.0 ads_dns_lookup_ns: 1 records returned in the answer section. DNS Update for asp.domain failed: ERROR_DNS_GSS_ERROR DNS update failed: NT_STATUS_UNSUCCESSFUL
    – Mikael Denis
    Apr 27 '16 at 13:07












  • With this command : ` net ads join -U Administrateur -d 5`
    – Mikael Denis
    Apr 27 '16 at 13:13










  • Same error : lists.samba.org/archive/samba/2014-December/187820.html
    – Mikael Denis
    Apr 27 '16 at 13:20










  • I think your server has now joined the domain. (The only error I can see in your update is for DNS.) Please check your Domain Controller and if this is the case I'll create an Answer for you to Accept.
    – roaima
    Apr 27 '16 at 13:24
















2












2








2


1





I have an issue when I try to join my domain.



I am able to create the kerberos ticket successfully.



root@debian:~# kinit Administrateur@ASP.DOMAIN

Password for Administrateur@ASP.DOMAIN:

root@debian:~# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: Administrateur@ASP.DOMAIN



Valid starting       Expires              Service principal

26/04/2016 18:20:18  27/04/2016 04:20:18  krbtgt/ASP.DOMAIN@ASP.DOMAIN

        renew until 27/04/2016 18:20:11


and when I try to join the domain :



    root@debian:~# net ads join -k 

Failed to join domain: failed to lookup

    DC info for domain 'ASP.DOMAIN' over rpc: {Device Timeout} The

    specified I/O operation on %hs was not completed before the time-out period expired.


my krb5.conf is:



[libdefaults]

        default_realm = ASP.DOMAIN



# The following krb5.conf variables are only for MIT Kerberos.

        krb4_config = /etc/krb.conf

        krb4_realms = /etc/krb.realms

        kdc_timesync = 1

        ccache_type = 4

        forwardable = true

        proxiable = true



[realms]

        ASP.DOMAIN = {

                kdc = asp.domain

                admin_server = server.domain

                default_domain = DOMAIN

        }



[domain_realm]

        .asp.domain = ASP.DOMAIN

        asp.domain = ASP.DOMAIN


My smb.conf :



[global]

        security = ADS

        realm = ASP.DOMAIN

        password server = server.domain

        workgroup = asp.domain

        winbind separator = /

        idmap uid = 10000-20000

        idmap gid = 10000-20000

        winbind enum users = yes

        winbind enum groups = yes

        template homedir = /home/%D/%U

        template shell = /bin/bash

        client use spnego = yes

        winbind use default domain = yes

        domain master = no

        local master = no

        preferred master = no

        os level = 0


I have no idea: there is no drop on my firewall. The ticket is ok. I've tried with 3 Domain Controlers.



PS : Domain is a variable



EDIT : I've tried to do it with samba-tool too



root@debian:~# samba-tool domain join ASP.DOMAIN MEMBER -UAdministrateur --real=ASP.DOMAIN

ERROR(runtime): uncaught exception - Connection to SAMR pipe of PDC for ASP.DOMAIN failed: Connection to DC failed: NT_STATUS_IO_TIMEOUT

  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run

    return self.run(*args, **kwargs)

  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 606, in run

    machinepass=machinepass)


EDIT 2 : Join is ok ? But wbinfo -u is not ok



root@debian:~# net ads join -U Administrateur

Enter Administrateur's password:

Using short domain name -- DOMAIN

Joined 'ASP.DOMAIN' to dns domain 'asp.domain'

DNS Update for asp.kapia failed: ERROR_DNS_GSS_ERROR

DNS update failed: NT_STATUS_UNSUCCESSFUL

root@debian:~# net ads testjoin

Join is OK



root@debian:~# wbinfo -u

could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE

could not obtain winbind domain name!

Error looking up domain users


EDIT 3 :



enter image description here
EDIT 4 :



root@debian:~# service winbind status

● winbind.service - LSB: start Winbind daemon

   Loaded: loaded (/etc/init.d/winbind)

   Active: active (exited) since mer. 2016-04-27 16:16:00 CEST; 55s ago

  Process: 2222 ExecStart=/etc/init.d/winbind start (code=exited, status=0/SUCCESS)



avril 27 16:16:00 debian winbindd[2233]: #5 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_timer_delay+0xcd) [0x7fbc2b11e1cd]

avril 27 16:16:00 debian winbindd[2233]: #6 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x91ca) [0x7fbc2b11f1ca]

avril 27 16:16:00 debian winbindd[2233]: #7 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x78e7) [0x7fbc2b11d8e7]

avril 27 16:16:00 debian winbindd[2233]: #8 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d) [0x7fbc2b11a12d]

avril 27 16:16:00 debian winbindd[2233]: #9 /usr/sbin/winbindd(main+0xb7c) [0x7fbc325cbc8c]

avril 27 16:16:00 debian winbindd[2233]: #10 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7fbc2a92db45]

avril 27 16:16:00 debian winbindd[2233]: #11 /usr/sbin/winbindd(+0x25318) [0x7fbc325cc318]

avril 27 16:16:00 debian winbindd[2233]: [2016/04/27 16:16:00.971185,  0] ../source3/lib/dumpcore.c:318(dump_core)

avril 27 16:16:00 debian winbindd[2233]: dumping core in /var/log/samba/cores/winbindd

avril 27 16:16:00 debian winbindd[2233]:





samba active-directory kerberos







share|improve this question















I have an issue when I try to join my domain.



I am able to create the kerberos ticket successfully.



root@debian:~# kinit Administrateur@ASP.DOMAIN

Password for Administrateur@ASP.DOMAIN:

root@debian:~# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: Administrateur@ASP.DOMAIN



Valid starting       Expires              Service principal

26/04/2016 18:20:18  27/04/2016 04:20:18  krbtgt/ASP.DOMAIN@ASP.DOMAIN

        renew until 27/04/2016 18:20:11


and when I try to join the domain :



    root@debian:~# net ads join -k 

Failed to join domain: failed to lookup

    DC info for domain 'ASP.DOMAIN' over rpc: {Device Timeout} The

    specified I/O operation on %hs was not completed before the time-out period expired.


my krb5.conf is:



[libdefaults]

        default_realm = ASP.DOMAIN



# The following krb5.conf variables are only for MIT Kerberos.

        krb4_config = /etc/krb.conf

        krb4_realms = /etc/krb.realms

        kdc_timesync = 1

        ccache_type = 4

        forwardable = true

        proxiable = true



[realms]

        ASP.DOMAIN = {

                kdc = asp.domain

                admin_server = server.domain

                default_domain = DOMAIN

        }



[domain_realm]

        .asp.domain = ASP.DOMAIN

        asp.domain = ASP.DOMAIN


My smb.conf :



[global]

        security = ADS

        realm = ASP.DOMAIN

        password server = server.domain

        workgroup = asp.domain

        winbind separator = /

        idmap uid = 10000-20000

        idmap gid = 10000-20000

        winbind enum users = yes

        winbind enum groups = yes

        template homedir = /home/%D/%U

        template shell = /bin/bash

        client use spnego = yes

        winbind use default domain = yes

        domain master = no

        local master = no

        preferred master = no

        os level = 0


I have no idea: there is no drop on my firewall. The ticket is ok. I've tried with 3 Domain Controlers.



PS : Domain is a variable



EDIT : I've tried to do it with samba-tool too



root@debian:~# samba-tool domain join ASP.DOMAIN MEMBER -UAdministrateur --real=ASP.DOMAIN

ERROR(runtime): uncaught exception - Connection to SAMR pipe of PDC for ASP.DOMAIN failed: Connection to DC failed: NT_STATUS_IO_TIMEOUT

  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run

    return self.run(*args, **kwargs)

  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 606, in run

    machinepass=machinepass)


EDIT 2 : Join is ok ? But wbinfo -u is not ok



root@debian:~# net ads join -U Administrateur

Enter Administrateur's password:

Using short domain name -- DOMAIN

Joined 'ASP.DOMAIN' to dns domain 'asp.domain'

DNS Update for asp.kapia failed: ERROR_DNS_GSS_ERROR

DNS update failed: NT_STATUS_UNSUCCESSFUL

root@debian:~# net ads testjoin

Join is OK



root@debian:~# wbinfo -u

could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE

could not obtain winbind domain name!

Error looking up domain users


EDIT 3 :



enter image description here
EDIT 4 :



root@debian:~# service winbind status

● winbind.service - LSB: start Winbind daemon

   Loaded: loaded (/etc/init.d/winbind)

   Active: active (exited) since mer. 2016-04-27 16:16:00 CEST; 55s ago

  Process: 2222 ExecStart=/etc/init.d/winbind start (code=exited, status=0/SUCCESS)



avril 27 16:16:00 debian winbindd[2233]: #5 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_timer_delay+0xcd) [0x7fbc2b11e1cd]

avril 27 16:16:00 debian winbindd[2233]: #6 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x91ca) [0x7fbc2b11f1ca]

avril 27 16:16:00 debian winbindd[2233]: #7 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x78e7) [0x7fbc2b11d8e7]

avril 27 16:16:00 debian winbindd[2233]: #8 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d) [0x7fbc2b11a12d]

avril 27 16:16:00 debian winbindd[2233]: #9 /usr/sbin/winbindd(main+0xb7c) [0x7fbc325cbc8c]

avril 27 16:16:00 debian winbindd[2233]: #10 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7fbc2a92db45]

avril 27 16:16:00 debian winbindd[2233]: #11 /usr/sbin/winbindd(+0x25318) [0x7fbc325cc318]

avril 27 16:16:00 debian winbindd[2233]: [2016/04/27 16:16:00.971185,  0] ../source3/lib/dumpcore.c:318(dump_core)

avril 27 16:16:00 debian winbindd[2233]: dumping core in /var/log/samba/cores/winbindd

avril 27 16:16:00 debian winbindd[2233]:





samba active-directory kerberos




samba active-directory kerberos






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Apr 27 '16 at 14:19







Mikael Denis

















asked Apr 27 '16 at 8:41









Mikael DenisMikael Denis

1114




1114





bumped to the homepage by Community 2 days ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.







bumped to the homepage by Community 2 days ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.














  • Can you ping the admin_server defined in your krb5.conf? You have the default_realm set there but you might also want to add dns_lookup_realm = true and dns_lookup_kdc = true in the same [libdefaults] section.
    – roaima
    Apr 27 '16 at 9:49










  • Hi thank you all but i against have issue with your modification. when i try to join with debut mode, i can see : Using short domain name -- DOMAIN Joined 'ASP.DOMAIN' to dns domain 'asp.domain' added interface eth0 ip=192.168.1.X bcast=192.168.1.255 netmask=255.255.255.0 ads_dns_lookup_ns: 1 records returned in the answer section. DNS Update for asp.domain failed: ERROR_DNS_GSS_ERROR DNS update failed: NT_STATUS_UNSUCCESSFUL
    – Mikael Denis
    Apr 27 '16 at 13:07












  • With this command : ` net ads join -U Administrateur -d 5`
    – Mikael Denis
    Apr 27 '16 at 13:13










  • Same error : lists.samba.org/archive/samba/2014-December/187820.html
    – Mikael Denis
    Apr 27 '16 at 13:20










  • I think your server has now joined the domain. (The only error I can see in your update is for DNS.) Please check your Domain Controller and if this is the case I'll create an Answer for you to Accept.
    – roaima
    Apr 27 '16 at 13:24




















  • Can you ping the admin_server defined in your krb5.conf? You have the default_realm set there but you might also want to add dns_lookup_realm = true and dns_lookup_kdc = true in the same [libdefaults] section.
    – roaima
    Apr 27 '16 at 9:49










  • Hi thank you all but i against have issue with your modification. when i try to join with debut mode, i can see : Using short domain name -- DOMAIN Joined 'ASP.DOMAIN' to dns domain 'asp.domain' added interface eth0 ip=192.168.1.X bcast=192.168.1.255 netmask=255.255.255.0 ads_dns_lookup_ns: 1 records returned in the answer section. DNS Update for asp.domain failed: ERROR_DNS_GSS_ERROR DNS update failed: NT_STATUS_UNSUCCESSFUL
    – Mikael Denis
    Apr 27 '16 at 13:07












  • With this command : ` net ads join -U Administrateur -d 5`
    – Mikael Denis
    Apr 27 '16 at 13:13










  • Same error : lists.samba.org/archive/samba/2014-December/187820.html
    – Mikael Denis
    Apr 27 '16 at 13:20










  • I think your server has now joined the domain. (The only error I can see in your update is for DNS.) Please check your Domain Controller and if this is the case I'll create an Answer for you to Accept.
    – roaima
    Apr 27 '16 at 13:24


















Can you ping the admin_server defined in your krb5.conf? You have the default_realm set there but you might also want to add dns_lookup_realm = true and dns_lookup_kdc = true in the same [libdefaults] section.
– roaima
Apr 27 '16 at 9:49




Can you ping the admin_server defined in your krb5.conf? You have the default_realm set there but you might also want to add dns_lookup_realm = true and dns_lookup_kdc = true in the same [libdefaults] section.
– roaima
Apr 27 '16 at 9:49












Hi thank you all but i against have issue with your modification. when i try to join with debut mode, i can see : Using short domain name -- DOMAIN Joined 'ASP.DOMAIN' to dns domain 'asp.domain' added interface eth0 ip=192.168.1.X bcast=192.168.1.255 netmask=255.255.255.0 ads_dns_lookup_ns: 1 records returned in the answer section. DNS Update for asp.domain failed: ERROR_DNS_GSS_ERROR DNS update failed: NT_STATUS_UNSUCCESSFUL
– Mikael Denis
Apr 27 '16 at 13:07






Hi thank you all but i against have issue with your modification. when i try to join with debut mode, i can see : Using short domain name -- DOMAIN Joined 'ASP.DOMAIN' to dns domain 'asp.domain' added interface eth0 ip=192.168.1.X bcast=192.168.1.255 netmask=255.255.255.0 ads_dns_lookup_ns: 1 records returned in the answer section. DNS Update for asp.domain failed: ERROR_DNS_GSS_ERROR DNS update failed: NT_STATUS_UNSUCCESSFUL
– Mikael Denis
Apr 27 '16 at 13:07














With this command : ` net ads join -U Administrateur -d 5`
– Mikael Denis
Apr 27 '16 at 13:13




With this command : ` net ads join -U Administrateur -d 5`
– Mikael Denis
Apr 27 '16 at 13:13












Same error : lists.samba.org/archive/samba/2014-December/187820.html
– Mikael Denis
Apr 27 '16 at 13:20




Same error : lists.samba.org/archive/samba/2014-December/187820.html
– Mikael Denis
Apr 27 '16 at 13:20












I think your server has now joined the domain. (The only error I can see in your update is for DNS.) Please check your Domain Controller and if this is the case I'll create an Answer for you to Accept.
– roaima
Apr 27 '16 at 13:24






I think your server has now joined the domain. (The only error I can see in your update is for DNS.) Please check your Domain Controller and if this is the case I'll create an Answer for you to Accept.
– roaima
Apr 27 '16 at 13:24












1 Answer
1






active

oldest

votes


















0














You have the default_realm set there but you might also want to modify your krb5.conf like this:



[libdefaults]

    default_realm = ASP.DOMAIN

    dns_lookup_realm = true

    dns_lookup_kdc = true


I have these entries in my smb.conf for winbind, but actually I now use sssd:



winbind trusted domains only = no

winbind use default domain = yes

; winbind enum users = yes            

; winbind enum groups = yes



winbind nested groups = yes

winbind expand groups = 4



winbind offline logon = yes

winbind refresh tickets = yes



winbind normalize names = no


The winbind enum * settings may slow everything down. Try it and see whether it works well for you, or not. It's one of the reasons I switched to sssd.



I find that when joining a Samba client to an AD domain I always get a DNS Update error. The client gets added correctly but just cannot update its DNS entry. (Since the majority of my clients are actually Linux-based servers with static IP addresses this has never bothered me.)






share|improve this answer





















  • Thank you again, i've done your modification but same problem for wbinfo (look EDIT2)... just want to authentificate on the server by using Active Directory
    – Mikael Denis
    Apr 27 '16 at 14:11











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f279411%2fkerberos-samba-cant-join-active-directory-debian-8%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














You have the default_realm set there but you might also want to modify your krb5.conf like this:



[libdefaults]

    default_realm = ASP.DOMAIN

    dns_lookup_realm = true

    dns_lookup_kdc = true


I have these entries in my smb.conf for winbind, but actually I now use sssd:



winbind trusted domains only = no

winbind use default domain = yes

; winbind enum users = yes            

; winbind enum groups = yes



winbind nested groups = yes

winbind expand groups = 4



winbind offline logon = yes

winbind refresh tickets = yes



winbind normalize names = no


The winbind enum * settings may slow everything down. Try it and see whether it works well for you, or not. It's one of the reasons I switched to sssd.



I find that when joining a Samba client to an AD domain I always get a DNS Update error. The client gets added correctly but just cannot update its DNS entry. (Since the majority of my clients are actually Linux-based servers with static IP addresses this has never bothered me.)






share|improve this answer





















  • Thank you again, i've done your modification but same problem for wbinfo (look EDIT2)... just want to authentificate on the server by using Active Directory
    – Mikael Denis
    Apr 27 '16 at 14:11
















0














You have the default_realm set there but you might also want to modify your krb5.conf like this:



[libdefaults]

    default_realm = ASP.DOMAIN

    dns_lookup_realm = true

    dns_lookup_kdc = true


I have these entries in my smb.conf for winbind, but actually I now use sssd:



winbind trusted domains only = no

winbind use default domain = yes

; winbind enum users = yes            

; winbind enum groups = yes



winbind nested groups = yes

winbind expand groups = 4



winbind offline logon = yes

winbind refresh tickets = yes



winbind normalize names = no


The winbind enum * settings may slow everything down. Try it and see whether it works well for you, or not. It's one of the reasons I switched to sssd.



I find that when joining a Samba client to an AD domain I always get a DNS Update error. The client gets added correctly but just cannot update its DNS entry. (Since the majority of my clients are actually Linux-based servers with static IP addresses this has never bothered me.)






share|improve this answer





















  • Thank you again, i've done your modification but same problem for wbinfo (look EDIT2)... just want to authentificate on the server by using Active Directory
    – Mikael Denis
    Apr 27 '16 at 14:11














0












0








0






You have the default_realm set there but you might also want to modify your krb5.conf like this:



[libdefaults]

    default_realm = ASP.DOMAIN

    dns_lookup_realm = true

    dns_lookup_kdc = true


I have these entries in my smb.conf for winbind, but actually I now use sssd:



winbind trusted domains only = no

winbind use default domain = yes

; winbind enum users = yes            

; winbind enum groups = yes



winbind nested groups = yes

winbind expand groups = 4



winbind offline logon = yes

winbind refresh tickets = yes



winbind normalize names = no


The winbind enum * settings may slow everything down. Try it and see whether it works well for you, or not. It's one of the reasons I switched to sssd.



I find that when joining a Samba client to an AD domain I always get a DNS Update error. The client gets added correctly but just cannot update its DNS entry. (Since the majority of my clients are actually Linux-based servers with static IP addresses this has never bothered me.)






share|improve this answer












You have the default_realm set there but you might also want to modify your krb5.conf like this:



[libdefaults]

    default_realm = ASP.DOMAIN

    dns_lookup_realm = true

    dns_lookup_kdc = true


I have these entries in my smb.conf for winbind, but actually I now use sssd:



winbind trusted domains only = no

winbind use default domain = yes

; winbind enum users = yes            

; winbind enum groups = yes



winbind nested groups = yes

winbind expand groups = 4



winbind offline logon = yes

winbind refresh tickets = yes



winbind normalize names = no


The winbind enum * settings may slow everything down. Try it and see whether it works well for you, or not. It's one of the reasons I switched to sssd.



I find that when joining a Samba client to an AD domain I always get a DNS Update error. The client gets added correctly but just cannot update its DNS entry. (Since the majority of my clients are actually Linux-based servers with static IP addresses this has never bothered me.)







share|improve this answer












share|improve this answer



share|improve this answer










answered Apr 27 '16 at 13:57









roaimaroaima

42.9k551116




42.9k551116












  • Thank you again, i've done your modification but same problem for wbinfo (look EDIT2)... just want to authentificate on the server by using Active Directory
    – Mikael Denis
    Apr 27 '16 at 14:11


















  • Thank you again, i've done your modification but same problem for wbinfo (look EDIT2)... just want to authentificate on the server by using Active Directory
    – Mikael Denis
    Apr 27 '16 at 14:11
















Thank you again, i've done your modification but same problem for wbinfo (look EDIT2)... just want to authentificate on the server by using Active Directory
– Mikael Denis
Apr 27 '16 at 14:11




Thank you again, i've done your modification but same problem for wbinfo (look EDIT2)... just want to authentificate on the server by using Active Directory
– Mikael Denis
Apr 27 '16 at 14:11


















draft saved

draft discarded




















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f279411%2fkerberos-samba-cant-join-active-directory-debian-8%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

How to reconfigure Docker Trusted Registry 2.x.x to use CEPH FS mount instead of NFS and other traditional...

Image
0 I am having trouble trying to reconfigure my DTR container to try and use a CEPH FS mount we created to act as a storage backend for our image repository. The Docs are very vague on this and nothing exactly explains on how to do it. Has anyone yet connected the dots? linux filesystems mount storage docker share | improve this question asked Feb 1 at 6:40 jRapp3r jRapp3r 1 1 add a comment  | 
Read more

is 'sed' thread safe

Image
2 If I have a shell/python script that uses sed to modify a file in place based on user inputs, and then two users run the same script at the same time or approx. same time, is 'sed' thread safe ? Or perhaps it is not an issue because the file_descripor that was opened by the first thread will be used to lock the file anyway ? thx linux sed python share | improve this question edited 7 hours ago Jeff Schaller 42.9k 11 59 137 asked 7 hours ago terreys terreys
Read more

How to make a Squid Proxy server?

Image
1 I want to set up squid proxy server for monitoring user activity in a network and Internet Web URL filtering for user. I also want to configure the user login, user log, user access group, and block unwanted web sites in my network. Please help me and guide me the full process to do this. server proxy squid share | improve this question edited Jul 31 '12 at 14:45 Jorge Castro 37.1k 107 422 617 asked Jul 31 '12 at 5:16 Goivind Tiwari Goivind Tiwari
Read more