
I followed these instructions: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

These instructions didn't work exactly as they read. There was one step where I didn't get a result because samba was stopped and it needed to be running (for DNS) to get the result in the guide, but other than that, everything happens as this guide says, except when I try to join the domain from a VM I created. I have just one DC at this time. I've created a Fedora Server 35 VM to add as another DC after I get it working solo, because that's how I really want to use it.

$ realm join test-server.lan -U Administrator
Password for Administrator:
See: journalctl REALMD_OPERATION=r1171585.2732805
realm: Couldn't join realm: Failed to join the domain
$ journalctl REALMD_OPERATION=r1171585.2732805
-- Journal begins at Fri 2021-10-01 15:39:25 EDT, ends at Mon 2021-10-04 22:26:45 EDT. --
Oct 04 22:24:21 fedora realmd[2732808]:  * Resolving: _ldap._tcp.test-server.lan
Oct 04 22:24:21 fedora realmd[2732808]:  * Performing LDAP DSE lookup on: 10.0.0.10
Oct 04 22:24:21 fedora realmd[2732808]:  * Successfully discovered: test-server.lan
Oct 04 22:24:30 fedora realmd[2732808]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
Oct 04 22:24:30 fedora realmd[2732808]:  * LANG=C /usr/sbin/adcli join --verbose --domain test-server.lan --domain-realm TEST-SERVER.LAN --domain-controller 10.0.0.10 --login-type user --login-user Administrator --stdin-password
Oct 04 22:24:30 fedora realmd[2732808]:  * Using domain name: test-server.lan
Oct 04 22:24:30 fedora realmd[2732808]:  * Calculated computer account name from fqdn: FEDORA
Oct 04 22:24:30 fedora realmd[2732808]:  * Using domain realm: test-server.lan
Oct 04 22:24:30 fedora realmd[2732808]:  * Sending NetLogon ping to domain controller: 10.0.0.10
Oct 04 22:24:46 fedora realmd[2732808]:  * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-OMYnX1/krb5.d/adcli-krb5-conf-lTV3xU
Oct 04 22:24:46 fedora realmd[2732808]:  ! Couldn't authenticate as: Administrator@TEST-SERVER.LAN: Client 'Administrator@TEST-SERVER.LAN' not found in Kerberos database
Oct 04 22:24:46 fedora realmd[2732808]: adcli: couldn't connect to test-server.lan domain: Couldn't authenticate as: Administrator@TEST-SERVER.LAN: Client 'Administrator@TEST-SERVER.LAN' not found in Kerberos database
Oct 04 22:24:46 fedora realmd[2732808]:  ! Failed to join the domain

/etc/samba/smb.conf:

# Global parameters
[global]
dns forwarder = 10.0.0.1
netbios name = FS34
realm = TEST-SERVER.LAN
server role = active directory domain controller
workgroup = TEST-SERVER
idmap_ldb:use rfc2307 = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/test-server.lan/scripts
read only = No

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
; valid users = MYDOMAIN\%S

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons:
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no

# Un-comment the following to provide a specific roaming profile share.
# The default is to use the user's home directory:
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes

# A publicly accessible directory that is read only, except for users in the
# "staff" group (which have write permissions):
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = no
; printable = no
; write list = +staff

[Photos]
comment = Photos
path = /multimedia/Photos

browseable = Yes
read only = No
inherit acls = Yes

[Videos]
comment = Videos
path = /multimedia/Videos

browseable = Yes
read only = No
inherit acls = Yes

[Movies]
comment = Videos
path = /multimedia/Movies

browseable = Yes
read only = No
inherit acls = Yes

[Music]
comment = Videos
path = /multimedia/Music

browseable = Yes
read only = No
inherit acls = Yes

[seagate]
comment = Videos
path = /media/seagate

browseable = Yes
read only = No
inherit acls = Yes

/etc/krb5.conf:

[libdefaults]
default_realm = TEST-SERVER.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h

[realms]
TEST-SERVER.LAN = {
default_domain = test-server.lan
kdc = test-server.lan
}

[domain_realm]
fs34 = TEST-SERVER.LAN
dc01 = TEST-SERVER.LAN
.test-server = TEST-SERVER.LAN
.test-server.lan = TEST-SERVER.LAN
dc01.test-server.lan = TEST-SERVER.LAN

I am able to access the shares and I have mounted them (as a user I've added).

//test-server.lan/Photos  2.7T  1.8T  926G  66% /home/user/mnt/Photos
//test-server.lan/Videos  2.8T  1.9T  926G  68% /home/user/mnt/Videos
//test-server.lan/Movies  2.8T  1.9T  926G  68% /home/user/mnt/Movies
# smbclient -L test-server.lan -U user
Enter TEST-SERVER\user's password:

Sharename       Type      Comment
---------       ----      -------
sysvol          Disk      
netlogon        Disk      
Photos          Disk      Photos
Videos          Disk      Videos
Movies          Disk      Videos
Music           Disk      Videos
seagate         Disk      Videos
IPC$            IPC       IPC Service (Samba 4.14.7)
SMB1 disabled -- no workgroup available
  • The user has no permissions to join the domain; it is stated in the last sentence – djdomi Sep 30 '21 at 14:36
  • If administrator and another user that is part of the Domain Admins group don't have permissions, who does? Which group would they need to be in to have the proper permissions? – Rob Campbell Sep 30 '21 at 18:34
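The realmd journal above stops at the Kerberos step, and its format is regular enough to triage mechanically. The following is an added example (not code from the question, realmd or Samba) that parses such an excerpt, pulls out the DC address, realm and account that adcli used, and maps the KDC error text to the first thing to verify; the journal excerpt is reconstructed from the question and the error-to-check table is my own assumption.

```python
import re

# Constructed excerpt of the realmd journal from the failed join above.
JOURNAL = """\
Oct 04 22:24:21 fedora realmd[2732808]:  * Resolving: _ldap._tcp.test-server.lan
Oct 04 22:24:21 fedora realmd[2732808]:  * Performing LDAP DSE lookup on: 10.0.0.10
Oct 04 22:24:30 fedora realmd[2732808]:  * LANG=C /usr/sbin/adcli join --verbose --domain test-server.lan --domain-realm TEST-SERVER.LAN --domain-controller 10.0.0.10 --login-type user --login-user Administrator --stdin-password
Oct 04 22:24:30 fedora realmd[2732808]:  * Calculated computer account name from fqdn: FEDORA
Oct 04 22:24:46 fedora realmd[2732808]:  ! Couldn't authenticate as: Administrator@TEST-SERVER.LAN: Client 'Administrator@TEST-SERVER.LAN' not found in Kerberos database
Oct 04 22:24:46 fedora realmd[2732808]:  ! Failed to join the domain
"""

# realmd prefixes progress lines with " * " and failures with " ! "
LINE_RE = re.compile(r"realmd\[\d+\]:\s+([*!])\s+(.*)$")
# adcli flags: a value follows only when the next token is not another --flag
FLAG_RE = re.compile(r"--([\w-]+)(?: (?!--)(\S+))?")

# Assumed table: MIT Kerberos error texts adcli passes through, mapped to the KDC
# error and what to verify first. "Client unknown" means the KDC that answered has
# no such principal, so ask "which KDC answered?" before "which account?".
KRB_HINTS = {
    "not found in Kerberos database": ("KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
        "confirm _kerberos._udp.<realm> SRV points at the Samba AD DC and the account exists"),
    "Preauthentication failed": ("KRB5KDC_ERR_PREAUTH_FAILED", "wrong password for the join account"),
    "Clock skew too great": ("KRB5KRB_AP_ERR_SKEW", "client and DC clocks differ by more than 5 minutes"),
}

def parse_realmd(text):
    """Split a realmd journal excerpt into progress messages, failures and adcli flags."""
    progress, failures, flags = [], [], {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind, msg = m.groups()
        (progress if kind == "*" else failures).append(msg)
        if kind == "*" and "adcli join" in msg:
            flags = dict(FLAG_RE.findall(msg))
    return progress, failures, flags

def triage(text):
    """Summarise a join attempt: where it stopped, what the KDC said, what to check."""
    progress, failures, flags = parse_realmd(text)
    if not failures:
        return {"status": "ok", "stages": len(progress)}
    code, check = next(((c, h) for k, (c, h) in KRB_HINTS.items() if k in failures[0]),
                       ("UNKNOWN", "inspect the DC's samba log for this request"))
    return {"status": "failed", "stages": len(progress), "error": code, "check": check,
            "dc": flags.get("domain-controller"), "realm": flags.get("domain-realm"),
            "user": flags.get("login-user")}
```

Run `triage(JOURNAL)` to see the failed stage, the DC and realm adcli actually used, and the check to start with.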
