While playing around with a setup where Samba 4 is running as a PDC (Primary Domain Controller) of a newly created domain EXAMPLE.COM, of course I wanted to test whether Windows clients would be able to join the Samba 4 managed domain.
The setup is not very complicated. As this is a test setup purely for my own education, it's all in the same 192.168.15.0/25 range. Samba was installed inside a LXC container running Ubuntu 20.04. Realm is set to EXAMPLE.COM, domain is example.com. Samba was set up following the official documentation and a more specific guide for Ubuntu machines (very helpful to differentiate between the different Systemd unit files!).
The domain controller was installed using a very basic samba-tool domain provision command without any special parameters.
The Windows client was installed as a virtual machine (using VMware Player) and bridged into the physical network.
It's worth to note that I ran into the problem where the Ubuntu LXC container started up not with my defined fixed IP address (in the container's config file) but rather with a DHCP address. This happens due to a problem in the netplan IP configuration package. This was fixed but the DHCP address stuck, too. So for a while and during the Domain provisioning the Ubuntu container temporarily had two ip addresses configured. Why this is important you will soon find out.
Once the Windows 7 client was installed, it was time to change the computer settings and add the machine to the domain.
However the first attempt failed as the domain EXAMPLE could not be found. The reason for this was the Windows machine received DNS servers from the DHCP server which defines public DNS servers 1.1.1.1 and 8.8.8.8. To be able to join the domain, the client needs to use the domain controller as DNS server.
So this is obviously an easy fix.
But the next attempt to join the domain still failed with the following error:
The following error occurred attempting to join the domain "EXAMPLE": Logon failure: unknown user name or bad password.
To join the domain I used the credentials of the "Administrator" user. The error would hint to a wrong password. But the password was triple-checked and was definitely correct. This can be verified by accessing the netlogon share on the domain controller:
root@focal:~# smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter EXAMPLE\Administrator's password: [entered password]
. D 0 Tue Mar 30 08:16:53 2021
.. D 0 Tue Mar 30 08:16:57 2021
10255636 blocks of size 1024. 8401408 blocks available
The first idea was that there could be a problem with the Samba DNS server (INTERNAL_DNS backend). Maybe the machine fails to register because it cannot be created in Samba's internal DNS server?
After setting log level = 3 in /etc/samba/smb.conf (global section), another domain join was tested. The following output was logged in /var/log/samba/log.samba:
==> log.samba <==
[2021/03/30 09:42:11.860552, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ Administrator@EXAMPLE.COM from ipv4:192.168.15.10:49265 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
[2021/03/30 09:42:11.862685, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: 128
[2021/03/30 09:42:11.862712, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- Administrator@EXAMPLE.COM
[2021/03/30 09:42:11.862731, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- Administrator@EXAMPLE.COM
[2021/03/30 09:42:11.862759, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator@EXAMPLE.COM
[2021/03/30 09:42:11.863202, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2021/03/30 09:42:11.870595, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ Administrator@EXAMPLE.COM from ipv4:192.168.15.10:49266 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
[2021/03/30 09:42:11.873167, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 128
[2021/03/30 09:42:11.873207, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- Administrator@EXAMPLE.COM
[2021/03/30 09:42:11.873225, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- Administrator@EXAMPLE.COM
[2021/03/30 09:42:11.873284, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@EXAMPLE.COM using aes256-cts-hmac-sha1-96
[2021/03/30 09:42:11.873327, 3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[Administrator@EXAMPLE.COM] at [Tue, 30 Mar 2021 09:42:11.873314 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.15.10:49266] became [EXAMPLE]\[Administrator] [S-1-5-21-2031982775-3412234441-723590836-500]. local host [NULL]
{"timestamp": "2021-03-30T09:42:11.873370+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "f4940a1bcf532438", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.15.10:49266", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "Administrator@EXAMPLE.COM", "workstation": null, "becameAccount": "Administrator", "becameDomain": "EXAMPLE", "becameSid": "S-1-5-21-2031982775-3412234441-723590836-500", "mappedAccount": "Administrator", "mappedDomain": "EXAMPLE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 2862}}
[2021/03/30 09:42:11.905040, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2021-03-30T09:42:11 starttime: unset endtime: 2021-03-30T19:42:11 renew till: 2021-04-06T09:42:11
[2021/03/30 09:42:11.905186, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2021/03/30 09:42:11.905232, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
[2021/03/30 09:42:11.905895, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[...]
The Samba Domain Controller received the Kerberos requests from the Windows client (using DHCP address 192.168.15.10). The authentication of Administrator worked correctly (NT_STATUS_OK) but then there was a NT_STATUS_CONNECTION_DISCONNECTED at the end. No real error indicating what was causing this. Windows then re-tried the domain join for another two attempts but then stopped and finally showed the already known error message.
The Setting up Samba as an Active Directory Domain Controller wiki page contains a section to validate DNS records. So I went through them:
root@focal:~# host -t SRV _ldap._tcp.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 focal.example.com.
root@focal:~# host -t SRV _kerberos._udp.example.com.
_kerberos._udp.example.com has SRV record 0 100 88 focal.example.com.
root@focal:~# host -t A focal.example.com.
focal.example.com has address 192.168.15.10
focal.example.com has address 192.168.15.192
And here we have the problem: The hostname focal.example.com points to two internal IP addresses. The static IP address configured in the LXC's config file 192.168.15.192 and the initial IP address obtained from DHCP (192.168.15.10) before the netplan fix was applied. No wonder there was a weird mixup when Windows tried to connect to the primary domain controller pointing to the same IP as is now used in the client (the freed DHCP IP went from the LXC container to the VM).
Obviously the DNS entry needs to be fixed and the wrong A record (192.168.15.10) needs to be removed. To delete a DNS record in Samba's internal DNS server the samba-tool command with the dns sub-command is used.
This sub-command expects the following input:
samba-tool dns delete <Hostname or IP of DC> <zone> <record> <type> <value>
root@focal:~# samba-tool dns delete 192.168.15.192 example.com focal A 192.168.15.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:192.168.15.192[,sign]
Cannot do GSSAPI to an IP address
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
Password for [Administrator@EXAMPLE.COM]: [Entered password]
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Record deleted successfully
The record was deleted. Another host lookup now shows that only one IP address is returned for the focal hostname:
root@focal:~# host -t A focal.example.com.
focal.example.com has address 192.168.15.192
Now with the DNS entry fixed, it was time to try again. Would Windows 7 connect this time?
And yes, finally the client was able to join the domain:
The preparations on the machine BEFORE running samba-tool domain provision are very important. Make sure to:
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder