Hello,
I'm trying to join a Windows domain with Samba on an Ubuntu 18.04 server and so far I haven't got it to work.
I'm able to do the kinit and I see the token with klist but when I try to join like this:
Code:
net ads join -U Administrator@d1.lan -d3
I get an error message:
Code:
DNS Update for zfs1.d1.lan failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
With debug options, there are a lot more details but I don't see any information that could give a hint about what the problem is.
If I don't follow that procedure and install and use realm join, I can join just fine and I can see my Windows users so I know it's possible. The problem in that case is that Samba doesn't seem to understand how to use that connection to do the authentication because the attempts to connect to a shared directory fail. It tries to connect as guest even when I explicitly provide username and password information from the Windows machine. If I add a user with smbpasswd then it works fine so the share itself is working.
The test environment is pretty simple: I have 1 Windows Server 2019 that is used as AD and the client for testing the SMB connection. I also have 1 Ubuntu 18.04 machine that I'm trying to just join to the domain.
I followed the procedure described in this document: https://discourse.ubuntu.com/t/service-sssd/11579
I'll include a few of the key configuration files in case there's a problem in one of them.
Code:
cat resolv.conf
nameserver 192.168.0.60
domain d1.lan
search d1.lan
Code:
cat hosts
127.0.0.1 localhost
192.168.0.40 zfs1.d1.lan zfs1
Code:
cat /etc/chrony/chrony.conf
server 192.168.0.60 iburst
keyfile /etc/chrony/chrony.keys
driftfile /var/lib/chrony/chrony.drift
logdir /var/log/chrony
maxupdateskew 100.0
rtcsync
makestep 1 3
Code:
# cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = D1.LAN
[domain/D1.LAN]
id_provider = ad
access_provider = ad
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as /root. Use with pam_mkhomedir.so
override_homedir = /home/%u
use_fully_qualified_names = False
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.myubuntu.example.com
# Uncomment if DNS SRV resolution is not working
# ad_server = dc.mydomain.example.com
# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = MYUBUNTU.EXAMPLE.COM
# Enumeration is discouraged for performance reasons.
# enumerate = true
Code:
cat /etc/samba/smb.conf
[global]
workgroup = D1
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = D1.LAN
security = ads
log level = 3
Code:
cat /etc/krb5.conf
[libdefaults]
default_realm = D1.LAN
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
D1.LAN = {
kdc = 192.168.0.60
admin_server = 192.168.0.60
}
[domain_realm]
.d1.lan = D1.LAN
d1.lan = D1.LAN