Difference between revisions of "Troubleshooting Samba Domain Members"

m (grammar)
(General: getent not finding domain users and groups)
 
(22 intermediate revisions by one other user not shown)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
If you're joining a Member to your domain, various errors may appear. The following gives an overview of errors that can come up and possible reasons/solutions to fix them.
+
This documentation helps you to troubleshoot problems users can encounter when running Samba as a member in an Active Directory (AD) forest or NT4 domain.
  
  
  
  
= Samba =
 
  
== Active Directory Domain Members ==
+
= General =
  
=== No DNS domain configured for ... Unable to perform DNS Update. ===
+
== Setting the Samba Log Level ==
 +
 
 +
For details, see [[Setting_the_Samba_Log_Level|Setting the Samba Log Level]].
 +
 
 +
 
 +
 
 +
== The <code>net</code> Command Fails to Connect to the <code>127.0.0.1</code> IP Address ==
 +
 
 +
Using the default settings, the <code>net</code> command connects to the <code>127.0.0.1</code> IP address. If Samba is not listening on the loopback interface, the connection fails. For example:
 +
 
 +
# net rpc rights list -U administrator
 +
Enter administrator's password:
 +
Could not connect to server 127.0.0.1
 +
Connection failed: NT_STATUS_CONNECTION_REFUSED
 +
 
 +
To fix the problem, configure Samba to additionally listen on the loopback interface. For details, see [[Configure_Samba_to_Bind_to_Specific_Interfaces|Configure Samba to Bind to Specific Interfaces]].
 +
 
 +
Alternatively, to temporarily work around the problem, pass the <code>-I ''IP_address''</code> or the <code>-S ''host_name''</code> parameter to the <code>net</code> command.
 +
 
 +
== getent not Finding Domain Users and Groups ==
 +
 
 +
If <code>getent passwd demo01</code> doesn't return anything, try
 +
 +
getent passwd "SAMDOM\demo01"
 +
 
 +
if that works but the former doesn't you may need to add the following line to your smb.conf file
 +
 
 +
winbind use default domain = yes
 +
 
 +
= Domain Members in an Active Directory Forest =
 +
 
 +
== Troubleshooting the Domain Join Procedure ==
 +
 
 +
=== No DNS domain configured. Unable to perform DNS Update. ===
 +
 
 +
When joining a host to an Active Directory (AD), the <code>net</code> command fails to update the DNS:
  
 
  # net ads join -U administrator
 
  # net ads join -U administrator
 
  Enter administrator's password:
 
  Enter administrator's password:
 
  Using short domain name -- SAMDOM
 
  Using short domain name -- SAMDOM
  Joined 'M1' to dns domain 'samdom.example.com'
+
  Joined 'AD-Member' to dns domain 'samdom.example.com'
  No DNS domain configured for m1. Unable to perform DNS Update.
+
  No DNS domain configured for AD-Member. Unable to perform DNS Update.
 
  DNS update failed: NT_STATUS_INVALID_PARAMETER
 
  DNS update failed: NT_STATUS_INVALID_PARAMETER
  
This error appears, because Samba can't find a DNS domain the host belongs to. Run the following command
+
Note, that the join was successful and only the DNS updated failed.
 +
 
 +
After the client was joined to the domain, the <code>net</code> command look up the fully qualified domain name (FQDN) using name service switch (NSS) libraries. If the FQDN can not be resolved, for example using DNS or the <code>/etc/hosts</code> file, the DNS update fails.
  
# getent hosts M1
+
To solve the problem:
10.99.0.5      M1.samdom.example.com    M1
 
  
The commands output must show the correct LAN interface IP (not 127.*.*.*!) and the hostname including the AD DNS zone. Additional alias names are optional. If you're getting a different or no output, fix it in your DNS or by adding/changing the /etc/hosts entry:
+
* Add the IP address and FQDN to the <code>/etc/hosts</code> file. For example:
  
  10.99.0.5     M1.samdom.example.com   M1
+
  10.99.0.5     AD-Member.samdom.example.com     AD-Member
  
 +
* Run the <code>net ads join</code> command again.
  
 +
If dynamic DNS updates still fail, verify on the AD DNS server that dynamic updates are working.
  
=== DNS Update for ... failed: ERROR_DNS_GSS_ERROR ===
+
 
 +
 
 +
=== DNS Update failed: ERROR_DNS_UPDATE_FAILED ===
 +
 
 +
When joining a host to an Active Directory (AD), the <code>net</code> fails to update the DNS:
  
 
  # net ads join -U administrator
 
  # net ads join -U administrator
Line 36: Line 77:
 
  Using short domain name -- SAMDOM
 
  Using short domain name -- SAMDOM
 
  Joined 'M1' to dns domain 'samdom.example.com'
 
  Joined 'M1' to dns domain 'samdom.example.com'
  DNS Update for m1.samdom.example.com failed: ERROR_DNS_GSS_ERROR
+
  DNS Update for m1.samdom.example.com failed: ERROR_DNS_UPDATE_FAILED
 +
DNS update failed: NT_STATUS_UNSUCCESSFUL
 +
 
 +
Note, that the join was successful and only the DNS updated failed.
 +
 
 +
To solve the problem:
 +
 
 +
* Verify on your Samba domain controller (DC), if dynamic DNS updates are working. For details, see [[Testing_Dynamic_DNS_Updates|Testing Dynamic DNS Updates]].
 +
 
 +
* Run the <code>net ads join</code> command again.
 +
 
 +
 
 +
 
 +
=== DNS Update failed: ERROR_DNS_GSS_ERROR ===
 +
 
 +
When using the <code>BIND9_DLZ</code> back end, dynamic DNS updates can fail because of an incorrect Kerberos setup on the AD domain controller (DC) running the DNS server:
 +
 
 +
# net ads join -U administrator
 +
Enter administrator's password:
 +
Using short domain name -- SAMDOM
 +
Joined 'AD-Member' to dns domain 'samdom.example.com'
 +
DNS Update for AD-Member.samdom.example.com failed: ERROR_DNS_GSS_ERROR
 
  DNS update failed: NT_STATUS_UNSUCCESSFUL
 
  DNS update failed: NT_STATUS_UNSUCCESSFUL
  
The dynamic DNS update failed. See [[Configure_BIND_as_backend_for_Samba_AD#DDNS_updates_not_working|DDNS updates not working]]
+
To solve the problem, see [[BIND9_DLZ_DNS_Back_End#Reconfiguring_the_BIND9_DLZ_Back_End|Reconfiguring the BIND9_DLZ Back End]].
 +
 
 +
 
 +
 
 +
=== gss_init_sec_context failed with: Miscellaneous failure: Clock skew too great ===
 +
 
 +
When joining a host to an AD, the <code>net</code> command fails with the following error:
 +
 
 +
# net ads join -U administrator
 +
Enter administrator's password:
 +
gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]
 +
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
 +
Failed to join domain: failed to connect to AD: An internal error occurred.
 +
 
 +
Kerberos requires a syncronised time to prevent replay attacks. The local time must not differ more than 5 minutes to the DC.
 +
 
 +
To fix, set the correct time and run the <code>net ads join</code> command again.
 +
 
 +
For further details, see [[Time_Synchronisation|Time Synchronisation]].
 +
 
 +
 
 +
 
 +
=== Failed to join domain: failed to find DC for domain SAMDOM - Undetermined error ===
 +
 
 +
When joining a host to an Active Directory (AD), the <code>net</code> command fails to locate the domain controller (DC):
 +
 
 +
# net ads join -U administrator
 +
Enter administrator's password:
 +
Failed to join domain: failed to find DC for domain SAMDOM - Undetermined error
 +
 
 +
Samba uses DNS requests and broadcasts to locate DCs when joining a domain. If both methods fail, the <code>failed to find DC for domain SAMDOM - Undetermined error</code> error is displayed.
 +
 
 +
For a short term solution, you can pass the "-S" parameter and the name of a DC to the command. For example:
 +
 
 +
# net ads join -U administrator -S DC1.samdom.example.com
 +
 
 +
However, a correct DNS configuration is important in an AD. To avoid future problems based on an incorrect DNS configuration, set up your DNS resolver configuration correctly. For details, see [[Linux_and_Unix_DNS_Configuration|Linux and Unix DNS Configuration]].
 +
 
 +
 
 +
 
 +
== Winbind and Authentication Problems ==
 +
 
 +
=== The <code>getent</code> Utility Is Unable to List All Domain Users or Groups ===
 +
 
 +
If the <code>getent</code> utility is able to list individual domain users or groups but the <code>getent passwd</code> or <code>getent group</code> command fail to list all domain users or groups:
 +
 
 +
* Verify that the name service switch (NSS) is able to use the <code>libnss_winbind</code> library. For details, see [[Libnss_winbind_Links|libnss_winbind Links]].
 +
* Enable the following parameters in your <code>smb.conf</code> file:
 +
winbind enum users = yes
 +
winbind enum groups = yes
 +
:For performance reasons, it is not recommended to enable these settings in environments with a large number of users and groups.
 +
* Reload Samba:
 +
# smbcontrol all reload-config
 +
 
 +
 
 +
 
 +
=== Connections to a Samba Domain Member Fail After Adding an <code>includedir</code> Statement to the <code>/etc/krb5.conf</code> File ===
 +
 
 +
When connecting to a Samba Active Directory (AD) domain member, the connection fails and the following error is logged, if the <code>log level</code> parameter in the <code>[global]</code> section of the <code>smb.conf</code> file is set to <code>3</code> or higher:
 +
 
 +
[2016/01/01 00:00:00.000000,  3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
 +
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_UNSUCCESSFUL] || at ../source3/smbd/smb2_sesssetup.c:134
 +
[2016/01/01 00:00:00.000000,  3] ../source3/smbd/server_exit.c:246(exit_server_common)
 +
  Server exit (NT_STATUS_CONNECTION_RESET)
 +
 
 +
The connection fails, because Samba is unable to process <code>includedir</code> statements in the <code>/etc/krb5.conf</code> file.
 +
 
 +
Note, that updating Kerberos packages on your operating system can automatically add this statement to enable the inclusion of configuration snippets. For example, when updating a Samba AD domain member with an unmodified <code>/etc/krb5.conf</code> file from Red Hat Enterprise Linux 7.2 to 7.3, the <code>includedir</code> statement is automatically added and clients fail to connect to the Samba domain member.
 +
 
 +
To work around the problem, remove the <code>includedir</code> statement from the <code>/etc/krb5.conf</code> file.
 +
 
 +
For further details, see [https://bugzilla.samba.org/show_bug.cgi?id=12488 Bug #12488].
 +
 
  
  
  
== NT4 Domain Members ==
 
  
Coming soon.
+
= Domain Members in an NT4 Domain =
  
 +
Currently, we do not have content here.
  
  
  
  
= Windows =
 
  
See http://social.technet.microsoft.com/wiki/contents/articles/1935.troubleshooting-domain-join-error-messages.aspx
+
----
 +
[[Category:Active Directory]]
 +
[[Category:NT4 Domains]]
 +
[[Category:Active Directory]]
 +
[[Category:Domain Members]]

Latest revision as of 00:44, 15 June 2017

Introduction

This documentation helps you to troubleshoot problems users can encounter when running Samba as a member in an Active Directory (AD) forest or NT4 domain.



General

Setting the Samba Log Level

For details, see Setting the Samba Log Level.


The net Command Fails to Connect to the 127.0.0.1 IP Address

Using the default settings, the net command connects to the 127.0.0.1 IP address. If Samba is not listening on the loopback interface, the connection fails. For example:

# net rpc rights list -U administrator
Enter administrator's password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_CONNECTION_REFUSED

To fix the problem, configure Samba to additionally listen on the loopback interface. For details, see Configure Samba to Bind to Specific Interfaces.

Alternatively, to temporarily work around the problem, pass the -I IP_address or the -S host_name parameter to the net command.

getent not Finding Domain Users and Groups

If getent passwd demo01 doesn't return anything, try

getent passwd "SAMDOM\demo01"

if that works but the former doesn't you may need to add the following line to your smb.conf file

winbind use default domain = yes

Domain Members in an Active Directory Forest

Troubleshooting the Domain Join Procedure

No DNS domain configured. Unable to perform DNS Update.

When joining a host to an Active Directory (AD), the net command fails to update the DNS:

# net ads join -U administrator
Enter administrator's password:
Using short domain name -- SAMDOM
Joined 'AD-Member' to dns domain 'samdom.example.com'
No DNS domain configured for AD-Member. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

Note, that the join was successful and only the DNS updated failed.

After the client was joined to the domain, the net command look up the fully qualified domain name (FQDN) using name service switch (NSS) libraries. If the FQDN can not be resolved, for example using DNS or the /etc/hosts file, the DNS update fails.

To solve the problem:

  • Add the IP address and FQDN to the /etc/hosts file. For example:
10.99.0.5     AD-Member.samdom.example.com     AD-Member
  • Run the net ads join command again.

If dynamic DNS updates still fail, verify on the AD DNS server that dynamic updates are working.


DNS Update failed: ERROR_DNS_UPDATE_FAILED

When joining a host to an Active Directory (AD), the net fails to update the DNS:

# net ads join -U administrator
Enter administrator's password:
Using short domain name -- SAMDOM
Joined 'M1' to dns domain 'samdom.example.com'
DNS Update for m1.samdom.example.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

Note, that the join was successful and only the DNS updated failed.

To solve the problem:

  • Run the net ads join command again.


DNS Update failed: ERROR_DNS_GSS_ERROR

When using the BIND9_DLZ back end, dynamic DNS updates can fail because of an incorrect Kerberos setup on the AD domain controller (DC) running the DNS server:

# net ads join -U administrator
Enter administrator's password:
Using short domain name -- SAMDOM
Joined 'AD-Member' to dns domain 'samdom.example.com'
DNS Update for AD-Member.samdom.example.com failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL

To solve the problem, see Reconfiguring the BIND9_DLZ Back End.


gss_init_sec_context failed with: Miscellaneous failure: Clock skew too great

When joining a host to an AD, the net command fails with the following error:

# net ads join -U administrator 
Enter administrator's password:
gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
Failed to join domain: failed to connect to AD: An internal error occurred.

Kerberos requires a syncronised time to prevent replay attacks. The local time must not differ more than 5 minutes to the DC.

To fix, set the correct time and run the net ads join command again.

For further details, see Time Synchronisation.


Failed to join domain: failed to find DC for domain SAMDOM - Undetermined error

When joining a host to an Active Directory (AD), the net command fails to locate the domain controller (DC):

# net ads join -U administrator
Enter administrator's password:
Failed to join domain: failed to find DC for domain SAMDOM - Undetermined error

Samba uses DNS requests and broadcasts to locate DCs when joining a domain. If both methods fail, the failed to find DC for domain SAMDOM - Undetermined error error is displayed.

For a short term solution, you can pass the "-S" parameter and the name of a DC to the command. For example:

# net ads join -U administrator -S DC1.samdom.example.com

However, a correct DNS configuration is important in an AD. To avoid future problems based on an incorrect DNS configuration, set up your DNS resolver configuration correctly. For details, see Linux and Unix DNS Configuration.


Winbind and Authentication Problems

The getent Utility Is Unable to List All Domain Users or Groups

If the getent utility is able to list individual domain users or groups but the getent passwd or getent group command fail to list all domain users or groups:

  • Verify that the name service switch (NSS) is able to use the libnss_winbind library. For details, see libnss_winbind Links.
  • Enable the following parameters in your smb.conf file:
winbind enum users = yes
winbind enum groups = yes
For performance reasons, it is not recommended to enable these settings in environments with a large number of users and groups.
  • Reload Samba:
# smbcontrol all reload-config


Connections to a Samba Domain Member Fail After Adding an includedir Statement to the /etc/krb5.conf File

When connecting to a Samba Active Directory (AD) domain member, the connection fails and the following error is logged, if the log level parameter in the [global] section of the smb.conf file is set to 3 or higher:

[2016/01/01 00:00:00.000000,  3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_UNSUCCESSFUL] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/01/01 00:00:00.000000,  3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

The connection fails, because Samba is unable to process includedir statements in the /etc/krb5.conf file.

Note, that updating Kerberos packages on your operating system can automatically add this statement to enable the inclusion of configuration snippets. For example, when updating a Samba AD domain member with an unmodified /etc/krb5.conf file from Red Hat Enterprise Linux 7.2 to 7.3, the includedir statement is automatically added and clients fail to connect to the Samba domain member.

To work around the problem, remove the includedir statement from the /etc/krb5.conf file.

For further details, see Bug #12488.



Domain Members in an NT4 Domain

Currently, we do not have content here.