Hello anodos,
thanks for your reply :)
I tested your suggestion. The results are attached below as a code segment.
I checked kinit with different users, and in a second test with the same user I pasted the password to be sure I had typed it correctly.
I skipped the last 3 steps ...
Do you have an idea where the error could be?
I was instructed to censor some information. I hope I have overwritten all domain names, hostnames, IPs and IDs correctly.
Code:
root@FREENAS01:~ # cp /data/freenas-v1.db /root/freenas-v1.db.ORIG
root@FREENAS01:~ #
root@FREENAS01:~ # sqlite3 /data/freenas-v1.db "UPDATE directoryservice_activedirectory SET ad_enable=1"
root@FREENAS01:~ # service ix-hostname start
root@FREENAS01:~ # service ix-kerberos start
root@FREENAS01:~ # service ix-kinit start
ERROR: Unable to find domain controllers for my.dom
root@FREENAS01:~ # cat /etc/krb5.conf
#
# krb5.conf(5) - configuration file for Kerberos 5
# $FreeBSD$
#
[appdefaults]
pam = {
forwardable = true
ticket_lifetime = 86400
renew_lifetime = 86400
}
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
clockskew = 300
forwardable = yes
default_realm = MY.DOM
[domain_realm]
my.dom = MY.DOM
.my.dom = MY.DOM
MY.DOM = MY.DOM
.MY.DOM = MY.DOM
[realms]
MY.DOM = {
default_domain = MY.DOM
kdc = 10.10.10.21
admin_server = 10.10.10.21
kpasswd_server = 10.10.10.21
}
[logging]
default = SYSLOG:INFO:LOCAL7
root@FREENAS01:~ # kinit myadmin@my.dom
myadmin@my.dom's Password:
kinit: Password incorrect
root@FREENAS01:~ # kinit administrator@my.dom
administrator@my.dom's Password:
kinit: Password incorrect
***
root@FREENAS01:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: myadmin@MY.DOM
Issued Expires Principal
May 22 15:30:00 2019 May 23 01:30:00 2019 krbtgt/MY.DOM@MY.DOM
root@FREENAS01:~ # service ix-pre-samba start
net -k ads testjoin
Join to domain is not valid: NT code 0xfffffff6
root@FREENAS01:~ # net -d 5 -k ads join
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
auth_audit: 5
auth_json_audit: 5
kerberos: 5
drs_repl: 5
smb2: 5
smb2_credits: 5
dsdb_audit: 5
dsdb_json_audit: 5
dsdb_password_audit: 5
dsdb_password_json_audit: 5
dsdb_transaction_audit: 5
dsdb_transaction_json_audit: 5
dsdb_group_audit: 5
dsdb_group_json_audit: 5
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
auth_audit: 5
auth_json_audit: 5
kerberos: 5
drs_repl: 5
smb2: 5
smb2_credits: 5
dsdb_audit: 5
dsdb_json_audit: 5
dsdb_password_audit: 5
dsdb_password_json_audit: 5
dsdb_transaction_audit: 5
dsdb_transaction_json_audit: 5
dsdb_group_audit: 5
dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter server min protocol = SMB2_02
doing parameter server max protocol = SMB3
doing parameter interfaces = 127.0.0.1 10.10.10.100
doing parameter bind interfaces only = yes
doing parameter encrypt passwords = yes
doing parameter dns proxy = no
doing parameter strict locking = no
doing parameter oplocks = yes
doing parameter deadtime = 15
doing parameter max log size = 51200
doing parameter private dir = /var/db/samba4/private
doing parameter max open files = 2121905
doing parameter logging = file
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter getwd cache = yes
doing parameter guest account = nobody
doing parameter obey pam restrictions = yes
doing parameter ntlm auth = no
doing parameter directory name cache size = 0
doing parameter kernel change notify = no
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter server string = FreeNAS Server
doing parameter ea support = yes
doing parameter store dos attributes = yes
doing parameter lm announce = yes
doing parameter hostname lookups = yes
doing parameter time server = yes
doing parameter acl allow execute always = true
doing parameter dos filemode = yes
doing parameter multicast dns register = yes
doing parameter domain logons = no
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter server role = member server
doing parameter workgroup = WORKGROUP
doing parameter realm = MY.DOM
doing parameter security = ADS
doing parameter client use spnego = yes
doing parameter local master = no
doing parameter domain master = no
doing parameter preferred master = no
doing parameter ads dns update = yes
doing parameter winbind cache time = 7200
doing parameter winbind offline logon = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind nested groups = yes
doing parameter winbind use default domain = no
doing parameter winbind refresh tickets = yes
doing parameter idmap config WORKGROUP: backend = rid
doing parameter idmap config WORKGROUP: range = 20000-90000000
doing parameter allow trusted domains = no
doing parameter client ldap sasl wrapping = plain
doing parameter template shell = /bin/sh
doing parameter template homedir = /home/%D/%U
doing parameter netbios name = FREENAS01
doing parameter create mask = 0666
doing parameter directory mask = 0777
doing parameter client ntlmv2 auth = yes
doing parameter dos charset = CP437
doing parameter unix charset = UTF-8
doing parameter log level = 1
pm_process() returned Yes
Registering messaging pointer for type 2 - private_data=0x0
Registering messaging pointer for type 9 - private_data=0x0
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=0x0
Registering messaging pointer for type 12 - private_data=0x0
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=0x0
Registering messaging pointer for type 5 - private_data=0x0
Registering messaging pointer for type 51 - private_data=0x0
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
auth_audit: 5
auth_json_audit: 5
kerberos: 5
drs_repl: 5
smb2: 5
smb2_credits: 5
dsdb_audit: 5
dsdb_json_audit: 5
dsdb_password_audit: 5
dsdb_password_json_audit: 5
dsdb_transaction_audit: 5
dsdb_transaction_json_audit: 5
dsdb_group_audit: 5
dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter server min protocol = SMB2_02
doing parameter server max protocol = SMB3
doing parameter interfaces = 127.0.0.1 10.10.10.100
doing parameter bind interfaces only = yes
doing parameter encrypt passwords = yes
doing parameter dns proxy = no
doing parameter strict locking = no
doing parameter oplocks = yes
doing parameter deadtime = 15
doing parameter max log size = 51200
doing parameter private dir = /var/db/samba4/private
doing parameter max open files = 2121905
doing parameter logging = file
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter getwd cache = yes
doing parameter guest account = nobody
doing parameter obey pam restrictions = yes
doing parameter ntlm auth = no
doing parameter directory name cache size = 0
doing parameter kernel change notify = no
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter server string = FreeNAS Server
doing parameter ea support = yes
doing parameter store dos attributes = yes
doing parameter lm announce = yes
doing parameter hostname lookups = yes
doing parameter time server = yes
doing parameter acl allow execute always = true
doing parameter dos filemode = yes
doing parameter multicast dns register = yes
doing parameter domain logons = no
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter server role = member server
doing parameter workgroup = WORKGROUP
doing parameter realm = MY.DOM
doing parameter security = ADS
doing parameter client use spnego = yes
doing parameter local master = no
doing parameter domain master = no
doing parameter preferred master = no
doing parameter ads dns update = yes
doing parameter winbind cache time = 7200
doing parameter winbind offline logon = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind nested groups = yes
doing parameter winbind use default domain = no
doing parameter winbind refresh tickets = yes
doing parameter idmap config WORKGROUP: backend = rid
doing parameter idmap config WORKGROUP: range = 20000-90000000
doing parameter allow trusted domains = no
doing parameter client ldap sasl wrapping = plain
doing parameter template shell = /bin/sh
doing parameter template homedir = /home/%D/%U
doing parameter netbios name = FREENAS01
doing parameter create mask = 0666
doing parameter directory mask = 0777
doing parameter client ntlmv2 auth = yes
doing parameter dos charset = CP437
doing parameter unix charset = UTF-8
doing parameter log level = 1
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="FREENAS01"
added interface lo0 ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface lagg1 ip=10.10.10.100 bcast=10.10.15.255 netmask=255.255.240.0
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'FREENAS01'
domain_name : *
domain_name : 'MY.DOM'
domain_name_type : JoinDomNameTypeDNS (1)
account_ou : NULL
admin_account : 'root'
admin_domain : NULL
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
os_servicepack : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x01 (1)
secure_channel_type : SEC_CHAN_WKSTA (2)
desired_encryption_types : 0x0000001f (31)
Opening cache file at /var/run/samba4/gencache.tdb
Opening cache file at /var/run/samba4/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
ads_dns_lookup_srv: 2 records returned in the answer section.
saf_fetch: Returning "AD02.MY.DOM" for "MY.DOM" domain
get_dc_list: preferred server list: "AD02.MY.DOM, *"
resolve_ads: Attempting to resolve KDCs for MY.DOM using DNS
ads_dns_lookup_srv: 2 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
name AD02.MY.DOM#20 found.
get_dc_list: returning 4 ip addresses in an ordered list
get_dc_list: 10.10.10.18:88 10.10.10.20:88 10.10.1.20:88 10.10.1.21:88
saf_fetch: Returning "AD02.MY.DOM" for "MY.DOM" domain
get_dc_list: preferred server list: "AD02.MY.DOM, *"
resolve_ads: Attempting to resolve KDCs for MY.DOM using DNS
ads_dns_lookup_srv: 2 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
name AD02.MY.DOM#20 found.
get_dc_list: returning 4 ip addresses in an ordered list
get_dc_list: 10.10.10.21:88 10.10.10.20:88 10.10.1.20:88 10.10.1.21:88
create_local_private_krb5_conf_for_domain: wrote file /var/run/samba4/smb_krb5/krb5.conf..JOIN with realm MY.DOM KDC list = kdc = 10.10.10.20
kdc = 10.10.10.21
kdc = 10.10.1.20
kdc = 10.10.1.21
sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
no entry for AD01.MY.DOM#20 found.
resolve_hosts: Attempting host lookup for name AD01.MY.DOM<0x20>
namecache_store: storing 2 addresses for AD01.MY.DOM#20: 10.10.10.20,10.10.1.20
Connecting to 10.10.10.20 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 4
TCP_KEEPCNT = 8
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 33580
SO_RCVBUF = 65700
SO_SNDLOWAT = 2048
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
signed SMB2 message
signed SMB2 message
signed SMB2 message
Bind RPC Pipe: host AD01.MY.DOM auth_type 0, auth_level 1
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 168
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 32
signed SMB2 message
signed SMB2 message
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : 'FREENAS01$'
netbios_domain_name : 'MY'
dns_domain_name : 'MY.DOM'
forest_name : 'MY.DOM'
dn : NULL
domain_guid : 938***
domain_sid : *
domain_sid : S-1-5***
modified_config : 0x00 (0)
error_string : 'Invalid configuration ("workgroup" set to 'WORKGROUP', should be 'MY') and configuration modification was not requested'
domain_is_ad : 0x01 (1)
set_encryption_types : 0x00000000 (0)
krb5_salt : NULL
result : WERR_CAN_NOT_COMPLETE
Failed to join domain: Invalid configuration ("workgroup" set to 'WORKGROUP', should be 'MY') and configuration modification was not requested
return code = -1
root@FREENAS01:~ #