Home / server / Questions / 1167532
Accepted
somenxavier
Asked: 2024-11-08 00:37:26 +0800 CST

Unable to join a new Samba Active Directory from Windows 11 and Linux

  • 772

I have a network with Windows Server 2003 Active Directory server and Windows 11 computers. My plan is to replace Windows Server 2003 with Fedora Linux Server Edition - fedora 40. I could test it with Windows 11 clients and one Fedora Linux 40 client.

The old realm is SONCANALS. The new realm is SCNG.

I followed guide of the Fedora Magazine.

Configurations

  • The server IP is10.216.1.16 and domain is scng.educaib

  • Server hostname is l1.scng.educaib

  • samba.conf:

    cat /etc/samba/smb.conf
# Global parameters
[global]
        dns forwarder = 1.1.1.1
        netbios name = L1
        realm = SCNG.EDUCAIB
        server role = active directory domain controller
        workgroup = SCNG
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no 

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/scng/scripts
        read only = No

  • Kerberos config:

    # cat /etc/krb5.conf.d/samba-dc 
[libdefaults]
        default_realm = SCNG.EDUCAIB
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
SCNG.EDUCAIB = {
        default_domain = SCNG
}

[domain_realm]
        l1.scng.educaib = SCNG.EDUCAIB

  • /etc/systemd/resolved.conf.d/custom.conf:

    [Resolve]
DNSStubListener=no
Domains=scng.educaib
DNS=10.216.1.16

I have one machine with Fedora 40 which I use to test samba. When I test all is fine (section "Testing" in tutorial guide). When I run realm discover, I get only old realm, not the new one:

realm discover -v
 * Resolving: _ldap._tcp.soncanals
 * Performing LDAP DSE lookup on: 10.216.1.2
 * Performing LDAP DSE lookup on: 10.216.1.10
 * Performing LDAP DSE lookup on: 10.216.1.4
 * Successfully discovered: soncanals
soncanals
  type: kerberos
  realm-name: SONCANALS
  domain-name: soncanals
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-common
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd-ad
  required-package: adcli
  required-package: samba-common-tools

In Windows, when I try to join to SCNG, I am prompted for administrator logon, but when I put credentials it takes too long and it leaves dialog.

image

How can I triage the problem here? For example, which logs can I see (I have a lot in /var/log/samba/). My samba version i 4.20.5.

My priority is to join new domain and login to Windows as regular user in this domain. I discard for the moment sharing directories.

Edit (2024-11-11): The tests in Fedora Magazine guide are passed OK:

Testing

Connectivity test

$ smbclient -L localhost -N
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk      
        netlogon        Disk      
        IPC$            IPC       IPC Service (Samba 4.21.1)
SMB1 disabled -- no workgroup available

$ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Password for [SCNG\Administrator]:
  .                                   D        0  Thu Oct 31 10:17:05 2024
  ..                                  D        0  Thu Oct 31 10:17:05 2024

                15663104 blocks of size 1024. 12979380 blocks available

DNS Test

$ host -t SRV _ldap._tcp.scng.educaib.
_ldap._tcp.scng.educaib has SRV record 0 100 389 l1.scng.educaib.
$ host -t SRV _kerberos._udp.scng.educaib.
_kerberos._udp.scng.educaib has SRV record 0 100 88 l1.scng.educaib.
$ host -t A l1.scng.educaib.
l1.scng.educaib has address 10.216.1.16

Kerberos test

$  kinit administrator
Password for [email protected]: 
ladmin@l1:~$ klist
Ticket cache: KCM:1000
Default principal: [email protected]

Valid starting     Expires            Service principal
11/11/24 10:15:10  11/11/24 20:15:10  krbtgt/[email protected]
        renew until 18/11/24 10:15:06
active-directory

2 Answers

  1. You almost definitely need to add the DNS records for your new domain. The fedora magazine has subheadings "DNS test" that show how to know if you did it right.

    • 0
  2. Best Answer

    The problem is that the server and clients needs to be in the same domain. As we need Full Qualified Domain, we need SCNG.LOCAL instead just SCNG or SCNG.EDUCAIB.

    In my case the Samba server has hostname l1.scng.local and static IP 10.216.1.16. My gateway is 10.216.1.1

    • On the server side, follow the instruccions on the guide. I changed the samba-tool domain provision step to this:

      samba-tool domain provision --server-role=dc --use-rfc2307 --interactive

      because it allows to type admin password interactively. My configuration is:

       # cat /etc/samba/smb.conf
 # Global parameters
 [global]
         dns forwarder = 1.1.1.1
         netbios name = L1
         realm = SCNG.LOCAL
         server role = active directory domain controller
         workgroup = SCNG
         idmap_ldb:use rfc2307 = yes

 [sysvol]
         path = /var/lib/samba/sysvol
         read only = No

 [netlogon]
         path = /var/lib/samba/sysvol/scng.local/scripts
         read only = No

  # cat /etc/krb5.conf.d/samba-dc
  [libdefaults]
          default_realm = SCNG.LOCAL
          dns_lookup_realm = false
          dns_lookup_kdc = true

  [realms]
         SCNG.LOCAL = {
            default_domain = SCNG
         }

  [domain_realm]
         l1.scng.local = SCNG.LOCAL

      Other important configuration is:

       # cat /etc/systemd/resolved.conf.d/custom.conf 
 [Resolve]
 DNSStubListener=no
 Domains=scng.local
 DNS=10.216.1.16

 root@l1:/home/ladmin# cat /etc/hostname 
 l1.scng.local

 root@l1:/home/ladmin# cat /etc/resolv.conf 
 # This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
 # Do not edit.
 #
 # This file might be symlinked as /etc/resolv.conf. If you're looking at
 # /etc/resolv.conf and seeing this text, you have followed the symlink.
 #
 # This is a dynamic resolv.conf file for connecting local clients directly to
 # all known uplink DNS servers. This file lists all configured search domains.
 #
 # Third party programs should typically not access this file directly, but only
 # through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
 # different way, replace this symlink by a static file or a different symlink.
 #
 # See man:systemd-resolved.service(8) for details about the supported modes of
 # operation for /etc/resolv.conf.

 nameserver 10.216.1.16
 nameserver 10.216.1.4
 nameserver 1.1.1.1
 search scng.local

      The 10.216.1.4 is the my DNS of my local network. It is optional to put it. I replace 8.8.8.8 with 1.1.1.1 in the Fedora Guide.

    • On the client side, we need to set client DNS as the server IP. This DNS setting is crucial. In my case, the client has static IP 10.216.1.192. So I need to configure network with gateway 10.216.1.1 and DNS IP 10.216.1.16:

      1. Set the hostname with the same network as server: hostnamectl hostname l192.scng.local

      2. Setting the DNS server as Samba server. Repeat the same step as in server guide: create /etc/systemd/resolved.conf.d/custom.conf with content:

         [Resolve]
 DNSStubListener=no
 Domains=scng.local
 DNS=10.216.1.16

      and run systemctl restart systemd-resolved. So the config is:

          cat /etc/resolv.conf 
    nameserver 10.216.1.16
    nameserver 10.216.1.16
    search scng.local

    And then realm discover -v works (scng.local appears). And you could join in the client to scng.local: realm join scng.local. You could now login with <your username>@scng.local.

    • 0