Since 4.10.4 (and also in 4.10.5) net ads join doesn't work:
    [root@clw0 ~]# net ads join -UAdministrator
    Enter Administrator's password:
    Failed to join domain: failed to join domain 'DOMAIN.ALT' over rpc: None of the information to be translated has been translated.
A client on samba-4.10.3 with the same build options in the same environment works properly.
Can you try:
    net ads join -U "ADDOM\Administrator"
It is also handy for us to have a bug report with some extra info, like: smb.conf, resolv.conf, hosts, krb5.conf.
I have the following configuration:
    [root@clw0 ~]# ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 86:64:95:78:6f:26 brd ff:ff:ff:ff:ff:ff
        inet 10.64.170.100/24 brd 10.64.170.255 scope global eth0
           valid_lft forever preferred_lft forever
    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 7a:db:fb:9f:a3:8f brd ff:ff:ff:ff:ff:ff
        inet 10.64.180.100/24 brd 10.64.180.255 scope global eth1
           valid_lft forever preferred_lft forever
    [root@clw0 ~]# cat /etc/resolv.conf
    # Generated by resolvconf
    # Do not edit manually, use
    # /etc/net/ifaces/<interface>/resolv.conf instead.
    domain domain.alt
    nameserver 10.64.180.10
    nameserver 8.8.8.8
    [root@clw0 ~]# cat /etc/krb5.conf
    #includedir /etc/krb5.conf.d/
    [logging]
    # default = FILE:/var/log/krb5libs.log
    # kdc = FILE:/var/log/krb5kdc.log
    # admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
    default_ccache_name = KEYRING:persistent:%{uid}
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = DOMAIN.ALT
    # default_ccache_name = KEYRING:persistent:%{uid}
    [realms]
    # EXAMPLE.COM = {
    # default_domain = example.com
    # }
    [domain_realm]
    # .example.com = EXAMPLE.COM
    # example.com = EXAMPLE.COM
    [root@clw0 ~]# cat /etc/samba/smb.conf
    [global]
    security = ads
    realm = DOMAIN.ALT
    workgroup = DOMAIN
    netbios name = CLW0
    template shell = /bin/bash
    kerberos method = system keytab
    wins support = no
    idmap config * : range = 10000-20000000
    idmap config * : backend = tdb
    ; encrypt passwords = true
    ; dns proxy = no
    ; socket options = TCP_NODELAY
    ; domain master = no
    ; local master = no
    ; preferred master = no
    ; os level = 0
    ; domain logons = no
    ; load printers = no
    ; show add printer wizard = no
    ; printcap name = /dev/null
    ; disable spoolss = yes
    [homes]
    comment = Home Directories
    browseable = no
    writable = yes
    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
    [root@clw0 ~]# host domain.alt
    domain.alt has address 10.64.180.10
    domain.alt has address 10.64.180.11
    domain.alt has address 10.64.180.12
    [root@clw0 ~]# host dc0.domain.alt
    dc0.domain.alt has address 10.64.180.10
    [root@clw0 ~]# cat /etc/hosts
    127.0.0.1 localhost.localdomain localhost
    #10.64.170.222 dc2
    #10.64.170.100 clw0
    #10.64.170.101 clw1
    #10.64.170.102 clw2
    #10.64.170.225 dc1
    #10.64.170.223 dc0
    [root@clw0 ~]# net ads join -U"DOMAIN\Administrator"
    Enter DOMAIN\Administrator's password:
    kerberos_kinit_password Administrator@DOMAIN failed: Cannot find KDC for requested realm
    Failed to join domain: failed to join domain 'DOMAIN.ALT' over rpc: None of the information to be translated has been translated.
    [root@clw0 ~]# rpm -qf /usr/bin/net
    samba-common-tools-4.10.5-alt1.x86_64
    [root@clw0 ~]# klist
    klist: Credentials cache keyring 'persistent:0:0' not found
    [root@clw0 ~]# kinit administrator
    Password for administrator@DOMAIN.ALT:
    Warning: Your password will expire in 39 days on Пн 05 авг 2019 12:06:21
    [root@clw0 ~]# klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: administrator@DOMAIN.ALT
    Valid starting       Expires              Service principal
    26.06.2019 18:45:22  27.06.2019 04:45:22  krbtgt/DOMAIN.ALT@DOMAIN.ALT
            renew until 03.07.2019 18:45:09
    [root@clw0 ~]# smbclient -k -L //dc0
            Sharename       Type      Comment
            ---------       ----      -------
            netlogon        Disk
            sysvol          Disk
            IPC$            IPC       IPC Service (Samba 4.10.5)
    Reconnecting with SMB1 for workgroup listing.
            Server               Comment
            ---------            -------
            Workgroup            Master
            ---------            -------
    [root@clw0 ~]# klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: administrator@DOMAIN.ALT
    Valid starting       Expires              Service principal
    26.06.2019 18:45:33  27.06.2019 04:45:22  cifs/dc0@DOMAIN.ALT
            renew until 03.07.2019 18:45:09
    26.06.2019 18:45:22  27.06.2019 04:45:22  krbtgt/DOMAIN.ALT@DOMAIN.ALT
            renew until 03.07.2019 18:45:09
OK, start with this. Note: I'm not into RH, I normally only do Debian and related.
/etc/net/ifaces/<interface>/resolv.conf
    domain domain.alt
    nameserver 10.64.180.10 << is this your DC? Then it's OK.
    nameserver 8.8.8.8 < should not be needed; use the forward in the AD-DC, or if you use bind9_dlz, then in bind.
krb5.conf
    [libdefaults]
    default_realm = DOMAIN.ALT
    dns_lookup_realm = false
    dns_lookup_kdc = true
That is all you need, if your resolving is correct. The rest are defaults; make it work first, then add the things you need.
/etc/samba/smb.conf
You're missing the member parts... read: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
For example, where is:
    idmap config DOMAIN : range = 10000-20000000
    idmap config DOMAIN : backend = AD or RID
This: host domain.alt
So you have 3 DCs, correct? Then why are there not 3 DCs in the resolv.conf? (It's possible, but that depends on your network, which I cannot see from here.) I suggest you add the 3 DCs in resolv.conf.
/etc/hosts
    127.0.0.1 localhost.localdomain localhost
    $(hostname -i) $(hostname -f) $(hostname -s)
(Run these and add as shown.)
Then this, after you have fixed the above, should work now:
    net ads join -U"DOMAIN\Administrator"
    Enter DOMAIN\Administrator's password:
    kerberos_kinit_password Administrator@DOMAIN failed: Cannot find KDC for requested realm
I hope you change this.
    list Ticket cache: KEYRING:persistent:0:0
    Default principal: administrator@DOMAIN.ALT
    Valid starting       Expires              Service principal
    26.06.2019 18:45:33  27.06.2019 04:45:22  cifs/dc0@DOMAIN.ALT
This is plain wrong: cifs/dc0@DOMAIN.ALT
It should be at minimum cifs/dc0.domain.alt@DOMAIN.ALT
These are defaults. On 4.10.3 everything works:
    [root@clw2 ~]# kinit administrator
    Password for administrator@DEMO.ALT:
    Warning: Your password will expire in 41 days on Fri Aug 30 21:05:36 2019
    [root@clw2 ~]# smbclient -k -L //dc0.demo.alt
            Sharename       Type      Comment
            ---------       ----      -------
            netlogon        Disk
            sysvol          Disk
            IPC$            IPC       IPC Service (Samba 4.10.2)
    Reconnecting with SMB1 for workgroup listing.
            Server               Comment
            ---------            -------
            Workgroup            Master
            ---------            -------
    [root@clw2 ~]# id administrator
    uid=441600500(administrator) gid=441600513(domain users) groups=441600513(domain users),441600512(domain admins),441600518(schema admins),441600520(group policy creator owners),441600572(denied rodc password replication group),441600519(enterprise admins),100(users),80(cdwriter),22(cdrom),81(audio),470(video),19(proc),83(radio),460(camera),71(floppy),498(xgrp),499(scanner),14(uucp),489(vboxusers),465(fuse),455(localadmins),10(wheel)
    [root@clw2 ~]# klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: administrator@DEMO.ALT
    Valid starting     Expires            Service principal
    07/19/19 21:05:56  07/20/19 07:05:45  cifs/dc0.demo.alt@DEMO.ALT
            renew until 07/26/19 21:05:43
    07/19/19 21:05:45  07/20/19 07:05:45  krbtgt/DEMO.ALT@DEMO.ALT
            renew until 07/26/19 21:05:43
    [root@clw2 ~]# net ads testjoin
    Join is OK
    [root@clw2 ~]# rpm -q samba-client
    samba-client-4.10.3-alt4.x86_64
____________________________________
    [root@clw2 ~]# cat /etc/samba/smb.conf
    [global]
    security = ads
    realm = DEMO.ALT
    workgroup = DEMO
    netbios name = CLW2
    template shell = /bin/bash
    kerberos method = system keytab
    wins support = no
    idmap config * : range = 10000-20000000
    idmap config * : backend = tdb
    ; encrypt passwords = true
    ; dns proxy = no
    ; socket options = TCP_NODELAY
    ; domain master = no
    ; local master = no
    ; preferred master = no
    ; os level = 0
    ; domain logons = no
    ; load printers = no
    ; show add printer wizard = no
    ; printcap name = /dev/null
    ; disable spoolss = yes
    [homes]
    comment = Home Directories
    browseable = no
    writable = yes
    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
____________________________________
Try to rejoin:
    [root@clw2 ~]# net ads join -UAdministrator
    Enter Administrator's password:
    Using short domain name -- DEMO
    Joined 'CLW2' to dns domain 'demo.alt'
    kerberos_kinit_password CLW2$@DEMO.ALT failed: Preauthentication failed
    DNS update failed: kinit failed: Preauthentication failed
So, how to reproduce the problem:
    [root@clw2 ~]# apt-get install samba-client
    Reading Package Lists... Done
    Building Dependency Tree... Done
    The following extra packages will be installed:
      libldb-modules-dc libnetapi libsmbclient libwbclient python3-module-samba samba-common samba-common-libs samba-common-tools samba-dc-libs samba-libs
    The following packages will be upgraded
      libldb-modules-dc libnetapi libsmbclient libwbclient python3-module-samba samba-client samba-common samba-common-libs samba-common-tools samba-dc-libs samba-libs
    11 upgraded, 0 newly installed, 0 removed and 629 not upgraded.
    Need to get 9947kB of archives.
    After unpacking 6054B of additional disk space will be used.
    Do you want to continue? [Y/n]
    Get:1 http://git.altlinux.org repo/232723/x86_64/task samba-client 4.10.5-alt1@1561045371 [514kB]
    Get:2 http://git.altlinux.org repo/232723/x86_64/task samba-common-tools 4.10.5-alt1@1561045371 [442kB]
    Get:3 http://git.altlinux.org repo/232723/x86_64/task samba-common 4.10.5-alt1@1561045371 [207kB]
    Get:4 http://git.altlinux.org repo/232723/x86_64/task python3-module-samba 4.10.5-alt1@1561045371 [2864kB]
    Get:5 http://git.altlinux.org repo/232723/x86_64/task libldb-modules-dc 4.10.5-alt1@1561045371 [309kB]
    Get:6 http://git.altlinux.org repo/232723/x86_64/task samba-dc-libs 4.10.5-alt1@1561045371 [525kB]
    Get:7 http://git.altlinux.org repo/232723/x86_64/task libsmbclient 4.10.5-alt1@1561045371 [78.5kB]
    Get:8 http://git.altlinux.org repo/232723/x86_64/task samba-common-libs 4.10.5-alt1@1561045371 [1617kB]
    Get:9 http://git.altlinux.org repo/232723/x86_64/task samba-libs 4.10.5-alt1@1561045371 [3210kB]
    Get:10 http://git.altlinux.org repo/232723/x86_64/task libnetapi 4.10.5-alt1@1561045371 [127kB]
    Get:11 http://git.altlinux.org repo/232723/x86_64/task libwbclient 4.10.5-alt1@1561045371 [54.3kB]
    Fetched 9947kB in 2s (4829kB/s)
    Committing changes...
    Preparing... #### [100%]
    Updating / installing...
    1: libwbclient-4.10.5-alt1 #### [ 5%]
    2: samba-common-libs-4.10.5-alt1 #### [ 9%]
    3: libnetapi-4.10.5-alt1 #### [ 14%]
    4: samba-libs-4.10.5-alt1 #### [ 18%]
    5: libsmbclient-4.10.5-alt1 #### [ 23%]
    6: samba-common-4.10.5-alt1 #### [ 27%]
    7: samba-common-tools-4.10.5-alt1 #### [ 32%]
    8: libldb-modules-dc-4.10.5-alt1 #### [ 36%]
    9: samba-dc-libs-4.10.5-alt1 #### [ 41%]
    10: python3-module-samba-4.10.5-alt1 #### [ 45%]
    11: samba-client-4.10.5-alt1 #### [ 50%]
    Cleaning up / removing...
    12: libldb-modules-dc-4.10.3-alt4 #### [ 55%]
    13: samba-dc-libs-4.10.3-alt4 #### [ 59%]
    14: python3-module-samba-4.10.3-alt4 #### [ 64%]
    15: samba-client-4.10.3-alt4 #### [ 68%]
    16: samba-common-tools-4.10.3-alt4 #### [ 73%]
    17: samba-common-4.10.3-alt4 #### [ 77%]
    18: libnetapi-4.10.3-alt4 #### [ 82%]
    19: samba-libs-4.10.3-alt4 #### [ 86%]
    20: libsmbclient-4.10.3-alt4 #### [ 91%]
    21: samba-common-libs-4.10.3-alt4 #### [ 95%]
    22: libwbclient-4.10.3-alt4 #### [100%]
    Done.
    [root@clw2 ~]# net ads join -UAdministrator
    Enter Administrator's password:
    Using short domain name -- DEMO
    Joined 'CLW2' to dns domain 'demo.alt'
    kerberos_kinit_password CLW2$@DEMO.ALT failed: Preauthentication failed
    DNS update failed: kinit failed: Preauthentication failed
    [root@clw2 ~]# hostnamectl
    Static hostname: clw2.demo.alt
    Icon name: computer-vm
    Chassis: vm
    Machine ID: c5b6832f0506d76f0e08a6305ce911f0
    Boot ID: c520cbed557d4b829105a6ea84de5b48
    Virtualization: kvm
    Operating System: ALT Workstation K 8.3 (Centaurea Ruthenica)
    CPE OS Name: cpe:/o:alt:kworkstation:8.3
    Kernel: Linux 4.9.50-un-def-alt0.M80P.1
    Architecture: x86-64
    [root@clw2 ~]# hostnamectl set-hostname clw2x.demo.alt
    [root@clw2 ~]# hostname
    clw2x.demo.alt
    [root@clw2 ~]# net ads join -UAdministrator
    Enter Administrator's password:
    Using short domain name -- DEMO
    Joined 'CLW2' to dns domain 'demo.alt'
    kerberos_kinit_password CLW2$@DEMO.ALT failed: Preauthentication failed
    DNS update failed: kinit failed: Preauthentication failed
_________________________________________
Looks like it works, really? But if we change the hostname in smb.conf to the new CLW2X:
    [root@clw2 ~]# grep netbios /etc/samba/smb.conf
    netbios name = CLW2X
    [root@clw2 ~]# net ads join -UAdministrator
    Enter Administrator's password:
    Failed to join domain: failed to join domain 'DEMO.ALT' over rpc: None of the information to be translated has been translated.
_________________________________________
We now get the same problem with a clear installation on 4.10.4, 4.10.5 and 4.9.10.
OK, I found it via git bisect. The bad patch is (from 4.10.4):
    commit 2b203fae26d79a792c867d66fdc738d4ce269442 (HEAD)
    Author: Guenther Deschner <gd@samba.org>
    Date: Mon Apr 1 17:40:03 2019 +0200
        s3:ldap: Leave add machine code early for pre-existing accounts
        This avoids numerous LDAP constraint violation errors when we try to re-precreate an already existing machine account.
        BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
        Pair-Programmed-With: Andreas Schneider <asn@samba.org>
        Signed-off-by: Guenther Deschner <gd@samba.org>
        Signed-off-by: Andreas Schneider <asn@samba.org>
        Reviewed-by: Ralph Boehme <slow@samba.org>
        Reviewed-by: Andrew Bartlett <abartlet@samba.org>
        (cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68)
From this commit on samba-4.10 we got this regression. The test looks like this:
    [test@clw2y hasher]$ ldapsearch -h dc0.demo.alt -b dc=DEMO,dc=ALT '(samAccountName=CLW2X5$)'
    SASL/GSSAPI authentication started
    SASL username: administrator@DEMO.ALT
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base <dc=DEMO,dc=ALT> with scope subtree
    # filter: (samAccountName=CLW2X5$)
    # requesting: ALL
    #
    # search reference
    ref: ldap://demo.alt/CN=Configuration,DC=demo,DC=alt
    # search reference
    ref: ldap://demo.alt/DC=DomainDnsZones,DC=demo,DC=alt
    # search reference
    ref: ldap://demo.alt/DC=ForestDnsZones,DC=demo,DC=alt
    # search result
    search: 5
    result: 0 Success
    # numResponses: 4
    # numReferences: 3
    [test@clw2y hasher]$ echo -n peebieY4 | sudo su -c "net ads join -v -U Administrator"
    Enter Administrator's password:
    Failed to join domain: failed to join domain 'DEMO.ALT' over rpc: None of the information to be translated has been translated.
    [test@clw2y hasher]$ echo -n peebieY4 | sudo su -c "net ads join -v -d10 -U Administrator" 2>&1 | grep -C2 "Host account for "
    gensec_update_done: spnego[0x55a5f5d23150]: NT_STATUS_OK tevent_req[0x55a5f5d2c140/../../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x55a5f5d2c2f0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070]
    ads_domain_func_level: 4
    ads_create_machine_acct: Host account for CLW2X5 already exists.
    signed SMB2 message
    Bind RPC Pipe: host dc0.demo.alt auth_type 0, auth_level 1
    [test@clw2y hasher]$ rpm -q --lastchange samba-client
    * Пт июл 26 2019 Evgeny Sinelikov <sin@altlinux.org> 4.10.4-alt1.11
    - Build for 2b203fae26d
    [test@clw2y hasher]$ grep CLW2 /etc/samba/smb.conf
    netbios name = CLW2X5
    [test@clw2y hasher]$ hostname
    clw2x5.demo.alt
Created attachment 15361 [details] Fix join with don't exists machine account
Found and tested a solution:
    [test@clw2y samba.git.test]$ ldapsearch -Q -LLL -h dc0.demo.alt -b dc=DEMO,dc=ALT '(samAccountName=CLW2X5$)' sAMAccountName
    dn: CN=CLW2X5,CN=Computers,DC=demo,DC=alt
    sAMAccountName: CLW2X5$
    # refldap://demo.alt/CN=Configuration,DC=demo,DC=alt
    # refldap://demo.alt/DC=DomainDnsZones,DC=demo,DC=alt
    # refldap://demo.alt/DC=ForestDnsZones,DC=demo,DC=alt
    [test@clw2y samba.git.test]$ ldapsearch -Q -LLL -h dc0.demo.alt -b dc=DEMO,dc=ALT '(samAccountName=CLW2X6$)' sAMAccountName
    # refldap://demo.alt/CN=Configuration,DC=demo,DC=alt
    # refldap://demo.alt/DC=DomainDnsZones,DC=demo,DC=alt
    # refldap://demo.alt/DC=ForestDnsZones,DC=demo,DC=alt
    [test@clw2x samba.git.test]$ grep CLW2 /etc/samba/smb.conf
    netbios name = CLW2X6
    [test@clw2x samba.git.test]$ hostname
    clw2x6.demo.alt
    [test@clw2x samba.git.test]$ rpm -q --lastchange samba-client
    * Пт июл 26 2019 Evgeny Sinelikov <sin@altlinux.org> 4.10.4-alt1.112
    - Build for 95ace7e3078
    [test@clw2x samba.git.test]$ sudo su -c "net ads join -v -U Administrator"
    Enter Administrator's password:
    Using short domain name -- DEMO
    Joined 'CLW2X6' to dns domain 'demo.alt'
    No DNS domain configured for clw2x6. Unable to perform DNS Update.
    DNS update failed: NT_STATUS_INVALID_PARAMETER
I really suggest you fix your smb.conf first.
First:
    id administrator
    uid=441600500(administrator) gid=441600513(domain users)
Administrator = root = uid 0 and should have have any other ID.
You did not configure the backends correctly, see: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Choose_backend_for_id_mapping_in_winbindd
You're missing the member settings:
    # For ACL support on member servers
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping
ADD:
    !root = NTDOM\Administrator
The idmap part should look like:
    ## map id's outside to domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-9999
    ## map ids from the domain and (*) the range may not overlap !
    idmap config NTDOM: backend = ad
    idmap config NTDOM: schema_mode = rfc2307
    idmap config NTDOM: range = 10000-3999999
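The idmap layout asked for in the comment above (a per-domain block plus non-overlapping ranges) can be checked mechanically. This Python sketch is an added example, not part of the original thread or of Samba; the function names are hypothetical, and the sample configs are built from the settings quoted in this thread plus one constructed overlapping case.

```python
import re

# "idmap config <DOMAIN> : <option> = <value>"; spacing around ':' varies.
IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+)$", re.I)

def parse_idmap(smb_conf_text):
    """Collect idmap settings from [global] as {DOMAIN: {option: value}}."""
    domains, section = {}, None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        m = IDMAP_RE.match(line)
        if m and section == "global":
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.strip().lower()] = val.strip()
    return domains

def check_idmap(smb_conf_text, workgroup):
    """Return a list of findings; an empty list means no issue was detected."""
    findings, ranges = [], {}
    domains = parse_idmap(smb_conf_text)
    if workgroup.upper() not in domains:
        findings.append(f"no idmap config for {workgroup.upper()}: it is served by the '*' default")
    for dom, opts in sorted(domains.items()):
        if "backend" not in opts:
            findings.append(f"{dom}: no backend set")
        try:
            lo, hi = (int(x) for x in opts.get("range", "").split("-"))
            ranges[dom] = (lo, hi)
        except ValueError:
            findings.append(f"{dom}: missing or malformed range")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Two closed intervals overlap when each starts before the other ends.
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges of {a} and {b} overlap")
    return findings

# Sample input: the idmap lines of the smb.conf posted earlier in this thread.
REPORTED = """[global]
workgroup = DOMAIN
idmap config * : range = 10000-20000000
idmap config * : backend = tdb
; domain master = no
"""
# Sample input: the layout suggested in the comment above.
SUGGESTED = """[global]
workgroup = NTDOM
idmap config *: backend = tdb
idmap config *: range = 2000-9999
idmap config NTDOM: backend = ad
idmap config NTDOM: schema_mode = rfc2307
idmap config NTDOM: range = 10000-3999999
"""
OVERLAP = SUGGESTED.replace("2000-9999", "2000-20000")  # constructed bad case

if __name__ == "__main__":
    for name, conf, wg in (("reported", REPORTED, "DOMAIN"),
                           ("suggested", SUGGESTED, "NTDOM"),
                           ("overlap", OVERLAP, "NTDOM")):
        print(name, check_idmap(conf, wg) or "OK")
```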
Hello, I have a similar Problem joining a new Machine with "net ads join" to AD. My Error Message while "net ads join" was: 'Failed to join domain: failed to precreate account in ou xxx: Invalid DN syntax'. Using Debug Mode, I got the Message: "Host account for xxxx already exists." With the Patch from Evgeny, "net ads join" is working again for me. The change causing the problem was introduced by patch: https://bugzilla.samba.org/show_bug.cgi?id=13861 (Version 4.9.7). I joined the Linux Machine without Fileservices and a very reduced smb.conf:
    [global]
    workgroup = NTDOM
    security = ADS
    realm = AD.DOMAIN.AT
    password server = server1 server2 server3
    kerberos method = system keytab
(In reply to Hubert Hoffmann from comment #8) It seems this commit is the problem: 2044ca0e20bd3180720a82506b3af041d14b5c68 s3:ldap: Leave add machine code early for pre-existing accounts A possible fix could be this: https://gitlab.com/samba-team/devel/samba/commit/e33162659ff9cff2e4aea7b385e85ad94315aeec from https://gitlab.com/samba-team/samba/merge_requests/716
(In reply to Stefan Metzmacher from comment #9) The Patch is working for me. Thank you Stefan.
*** Bug 14114 has been marked as a duplicate of this bug. ***
Created attachment 15460 [details] patch from master for v4.9, v4.10 and v4.11
Created attachment 15461 [details] patch from master for v4.9, v4.10 and v4.11
Comment on attachment 15461 [details] patch from master for v4.9, v4.10 and v4.11 LGTM.
Pushed to autobuild-v4-{11,10,9}-test.
(In reply to Karolin Seeger from comment #15) Pushed to all branches. Closing out bug report. Thanks!