0002333: Can't AD join

(0003191)
simon-endian (developer)
2009-10-30 12:42

at moment there is a problem with joining w2k domains (see 0002204)

- with 2.3 it is not required anymore to create host and dns entries manually because they are autogenerated
- quick workaround for the moment is to use ldap with w2k domains
- for joining and winbind /etc/samba/winbind.conf.tmpl are used.
- smb and nmbd are not required to run anymore and winbind will only start/run if join was successfully.

can you post the output of:

net ads join -U <ad admin user>

(0003192)
zael (reporter)
2009-10-30 12:49

simon, here's the output:

# net ads join -U a_idjjunior
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: WERR_INVALID_DOMAIN_ROLE

(0003194)
luca-endian (developer)
2009-10-30 14:21

> Correcting it as suggested in bug report doesn't change a thing, as I keep
> getting "Failed to join domain" error.

But you still get this error?
AttributeError: 'str' object has no attribute 'VFFSL'

(0003196)
zael (reporter)
2009-10-30 14:30

After removing BDC from HTTP Proxy config /usr/local/bin/restartsamba.py --winbindonly says Winbind services were started. No AttributeError is given.

(0003199)
nathan_peterson (reporter)
2009-10-30 22:09

Removed BDC from error log however winbind still crashed.
Still could not join domain. From command line ran:

net ads join -U{user) that failed.

Found that /etc/smb.conf is not getting created from template.
Copied smb.conf from previous version and ran net ad join again with success.

workgroup = <Workgroup Name>
password server = <Domain Server1> <Domain Server2>
security = ADS
realm = <Full Domain Name>
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = Yes
local master = no
winbind separator = +
unix charset = UTF8
hosts allow = localhost
interfaces = br0 br2
bind interfaces only = yes
preferred master = no
dns proxy = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

(0003227)
zael (reporter)
2009-11-03 18:32

Following nathan_peterson's suggestion, net ads join runs succesfully:

# net ads join -U <admin_user>
Enter <admin_user>'s password:
Using short domain name -- <SHORT_DOMAIN>
Joined 'EFW-SEDE' to realm '<domain_name>'

(0003228)
simon-endian (developer)
2009-11-03 21:39

the gui uses the command net ads join -U <admin_user> -s /etc/samba/winbind.conf
winbind.conf is generated by restartsamba.py --winbindonly

can you please test if the generated winbind.conf is correct by running

net ads join -U <admin_user> -s /etc/samba/winbind.conf -d 5

and then post the output if it fails and maybe also the /etc/samba/winbind.conf to see the difference between winbind.conf and the postet smb.conf

winbind.conf is used because only winbind (not smb and nmbd) is required to run in order to be able to join, read user/groups from ad and to authenticate a user. smb.conf is not used, to keep the possibility to use it to create smb shares with samba.

regards simon

(0003229)
nathan_peterson (reporter)
2009-11-03 21:49

when running restartsamba.py i get the following:

root@thomas:~ # restartsamba.py --winbindonly
usage: restartsamba.py <options>

restartsamba.py: error: no such option: --winbindonly

That said the net ads join fails:

root@thomas:/etc/samba # net ads join -U npp -s /etc/samba/winbind.conf -d 5
[2009/11/03 14:45:21, 5] lib/debug.c:debug_dump_status(407) INFO: Current debug levels:
    all: True/5
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
    registry: False/0
[2009/11/03 14:45:21, 3] param/loadparm.c:lp_load_ex(8753) lp_load_ex: refreshing parameters
[2009/11/03 14:45:21, 3] param/loadparm.c:init_globals(4597) Initialising global parameters
[2009/11/03 14:45:21, 3] param/params.c:pm_process(569) params.c:pm_process() - Processing configuration file "/etc/samba/winbind.conf"
[2009/11/03 14:45:21, 3] param/loadparm.c:do_section(7416) Processing section "[global]"
  doing parameter security = ADS
  doing parameter password server = <Domain Controller>
  doing parameter realm = <Domain>
  doing parameter syslog only = Yes
Enter npp's password:
Failed to join domain: Invalid configuration and configuration modification was not requested

(0003231)
nathan_peterson (reporter)
2009-11-03 23:15

winbind does use the samba smb.conf configuration file. The net ads join command defaults to /etc/samba/smb.conf if the configuration file is not specified.

I reset my configuration with the restartsamba.py and removed the smb.conf file in my workaround and started working line by line through the winbind.conf file; It appears as the workgroup parameter is set incorrectly. In the configuration, workgroup is set to the short domain name(constco) instead of the full domain name(constco.com). Once this was changed updated, i was able to join my domain.

(0003234)
zael (reporter)
2009-11-04 11:26

simon, net ads join fails here too:

# net ads join -U <admin_user> -s winbind.conf -d 5
[2009/11/04 04:24:49, 5] lib/debug.c:debug_dump_status(407) INFO: Current debug levels:
    all: True/5
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
    registry: False/0
[2009/11/04 04:24:49, 3] param/loadparm.c:lp_load_ex(8753) lp_load_ex: refreshing parameters
[2009/11/04 04:24:49, 3] param/loadparm.c:init_globals(4597) Initialising global parameters
[2009/11/04 04:24:49, 3] param/params.c:pm_process(569) params.c:pm_process() - Processing configuration file "winbind.conf"
[2009/11/04 04:24:49, 3] param/loadparm.c:do_section(7416) Processing section "[global]"
  doing parameter security = ADS
  doing parameter password server = <dc_hostname>
  doing parameter realm = <FULL_DOMAIN_NAME>
  doing parameter syslog only = Yes
Enter <admin_user>'s password:
Failed to join domain: Invalid configuration and configuration modification was not requested

(0003264)
bodo olschewski (reporter)
2009-11-07 14:47
edited on: 2009-11-07 14:52

Hello,

the problem can be fixed by editing the /etc/samba/winbind.conf.tmpl file.

The line "workgroup = ${AUTH_REALM.split(".")[0].upper()}" has to be changed.

For me it was ok to change it to
"workgroup = ${NTLM_DOMAIN.upper()}"

(changed file is uploaded ...)

(0003278)
nathan_peterson (reporter)
2009-11-09 23:02

Just noticed that if smb.conf is missing, the Authentication groups under access policy -> Authentication -> Group Based does not populate. When you return the smb.conf as a copy of winbind.conf it will populate.

(0003303)
zael (reporter)
2009-11-16 11:19

Following bodo olschewski's suggestion didn't work for me. I got this error on Endian web interface:

Failed to join domain: Invalid configuration and configuration modification was not requested

(0003323)
zael (reporter)
2009-11-19 19:46

Any suggestion, guys?

(0003529)
GianniCorona (reporter)
2009-12-09 11:40

Hi
I modified winbind.conf.tmpl
# password server = $NTLM_PDC.$NTLM_DOMAIN #if $NTLM_BDC != '' then $NTLM_BDC.$NTLM_DOMAIN else ""#
password server = $NTLM_PDC.${AUTH_REALM.upper()}

I then remade the autentication process and join to domain.

The Group Base is correct populated now.

(0003682)
luca-endian (developer)
2010-01-21 15:14

As soon as I removed the BDC configuration this error disappeared..

(0003683)
luca-endian (developer)
2010-01-21 16:32

This is the fix for this issue.
Basically the on-line if on the third line doesn't work.. I know it's a bit ugly but it works..

root@kenny:/etc/samba # cat winbind.conf.tmpl
[global]
security = ADS
password server = $NTLM_PDC.$NTLM_DOMAIN #slurp
#if $NTLM_BDC != ''
$NTLM_BDC.$NTLM_DOMAIN
#else

#end if
realm = $AUTH_REALM.upper()
# handle logging
syslog only = Yes
log level = 0 winbind:2
syslog = 1
max log size = 1000

(0003707)
luca-endian (developer)
2010-01-27 10:43

Ok the fix is the one already applied to the files krb5.conf.tmpl and smb.conf.tmpl. Also the file winbind.conf.tmpl must be patched.
This is the bug report: http://bugs.endian.it/view.php?id=2202 [^]

Forget the fix above it's unclean compared to the following.
You have to change the third line with this:

password server = ${NTLM_PDC}.${NTLM_DOMAIN} #if $NTLM_BDC != '' then "%s.%s" % ($NTLM_BDC, $NTLM_DOMAIN) else ""#

(0003731)
zael (reporter)
2010-02-01 19:09

Alright, lucagiove, let's go. These are the steps I've done:

1. Installed Endian 2.3, configured everything except HTTP Proxy;
2. Changed "password server" line on winbind.conf.tmpl as suggested. krb5.conf.tmpl didn't need any changes (was already as suggested on the other bug report). smb.conf.tmpl didn't need changes;
3. Tried to join AD through web interface, but didn't work;
4. Run 'net ads join -U<username> -s /etc/samba/winbind.conf' and it worked;
5. Removed computer account in AD;
6. Tried to join AD through web interface, and it worked.

Don't know what went wrong, but it finally worked. Groups and Users are populated.

(0003732)
luca-endian (developer)
2010-02-01 19:17

You always have to avoid the common pitfalls:
http://kb.endian.com/entry/49/ [^]

Issue History
Date Modified	Username	Field	Change
2009-10-30 12:29	zael	New Issue
2009-10-30 12:33	simon-endian	Relationship added	duplicate of 0002204
2009-10-30 12:42	simon-endian	Note Added: 0003191
2009-10-30 12:49	zael	Note Added: 0003192
2009-10-30 14:19	luca-endian	Note Added: 0003193
2009-10-30 14:20	luca-endian	Note Deleted: 0003193
2009-10-30 14:21	luca-endian	Note Added: 0003194
2009-10-30 14:30	zael	Note Added: 0003196
2009-10-30 22:09	nathan_peterson	Note Added: 0003199
2009-11-03 18:32	zael	Note Added: 0003227
2009-11-03 21:39	simon-endian	Note Added: 0003228
2009-11-03 21:49	nathan_peterson	Note Added: 0003229
2009-11-03 21:49	nathan_peterson	File Added: winbind.conf
2009-11-03 23:15	nathan_peterson	Note Added: 0003231
2009-11-04 11:26	zael	Note Added: 0003234
2009-11-07 14:47	bodo olschewski	Note Added: 0003264
2009-11-07 14:51	bodo olschewski	File Added: winbind.conf.tmpl
2009-11-07 14:52	bodo olschewski	Note Edited: 0003264
2009-11-09 23:02	nathan_peterson	Note Added: 0003278
2009-11-16 11:19	zael	Note Added: 0003303
2009-11-19 19:46	zael	Note Added: 0003323
2009-11-25 11:13	christian-endian	Assigned To	=> simon-endian
2009-11-25 11:13	christian-endian	Status	new => acknowledged
2009-11-25 18:36	peter-endian	Target Version	=> 2.3.1
2009-12-09 11:40	GianniCorona	Note Added: 0003529
2009-12-10 00:48	simon-endian	Status	acknowledged => resolved
2009-12-10 00:48	simon-endian	Fixed in Version	=> 2.3.1
2009-12-10 00:48	simon-endian	Resolution	open => unable to reproduce
2010-01-21 15:14	luca-endian	Note Added: 0003682
2010-01-21 15:14	luca-endian	Status	resolved => confirmed
2010-01-21 16:32	luca-endian	Note Added: 0003683
2010-01-27 10:43	luca-endian	Note Added: 0003707
2010-01-27 10:44	luca-endian	Relationship added	parent of 0002202
2010-01-27 11:05	luca-endian	Relationship replaced	child of 0002202
2010-01-27 17:54	luca-endian	Relationship deleted	child of 0002202
2010-01-28 12:27	Anonymous	Note Added: 0003712
2010-01-28 12:27	Anonymous	Status	confirmed => feedback
2010-01-28 12:28	Anonymous	Note Edited: 0003712
2010-01-28 13:06	Anonymous	Note Deleted: 0003712
2010-01-28 17:14	zael	Note Added: 0003714
2010-01-29 11:37	luca-endian	Relationship added	related to 0002202
2010-02-01 19:02	zael	Note Deleted: 0003714
2010-02-01 19:09	zael	Note Added: 0003731
2010-02-01 19:17	luca-endian	Note Added: 0003732
2010-02-01 19:18	luca-endian	Status	feedback => resolved
2010-02-01 19:18	luca-endian	Resolution	unable to reproduce => fixed
2010-11-22 13:06	peter-endian	Status	resolved => closed

Notes
(0003191) simon-endian (developer) 2009-10-30 12:42	at moment there is a problem with joining w2k domains (see 0002204) - with 2.3 it is not required anymore to create host and dns entries manually because they are autogenerated - quick workaround for the moment is to use ldap with w2k domains - for joining and winbind /etc/samba/winbind.conf.tmpl are used. - smb and nmbd are not required to run anymore and winbind will only start/run if join was successfully. can you post the output of: net ads join -U <ad admin user>

(0003192) zael (reporter) 2009-10-30 12:49	simon, here's the output: # net ads join -U a_idjjunior Host is not configured as a member server. Invalid configuration. Exiting.... Failed to join domain: WERR_INVALID_DOMAIN_ROLE

(0003194) luca-endian (developer) 2009-10-30 14:21	> Correcting it as suggested in bug report doesn't change a thing, as I keep > getting "Failed to join domain" error. But you still get this error? AttributeError: 'str' object has no attribute 'VFFSL'

(0003196) zael (reporter) 2009-10-30 14:30	After removing BDC from HTTP Proxy config /usr/local/bin/restartsamba.py --winbindonly says Winbind services were started. No AttributeError is given.

(0003199) nathan_peterson (reporter) 2009-10-30 22:09	Removed BDC from error log however winbind still crashed. Still could not join domain. From command line ran: net ads join -U{user) that failed. Found that /etc/smb.conf is not getting created from template. Copied smb.conf from previous version and ran net ad join again with success. workgroup = <Workgroup Name> password server = <Domain Server1> <Domain Server2> security = ADS realm = <Full Domain Name> winbind uid = 10000-20000 winbind gid = 10000-20000 winbind use default domain = Yes local master = no winbind separator = + unix charset = UTF8 hosts allow = localhost interfaces = br0 br2 bind interfaces only = yes preferred master = no dns proxy = no socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

(0003227) zael (reporter) 2009-11-03 18:32	Following nathan_peterson's suggestion, net ads join runs succesfully: # net ads join -U <admin_user> Enter <admin_user>'s password: Using short domain name -- <SHORT_DOMAIN> Joined 'EFW-SEDE' to realm '<domain_name>'

(0003228) simon-endian (developer) 2009-11-03 21:39	the gui uses the command net ads join -U <admin_user> -s /etc/samba/winbind.conf winbind.conf is generated by restartsamba.py --winbindonly can you please test if the generated winbind.conf is correct by running net ads join -U <admin_user> -s /etc/samba/winbind.conf -d 5 and then post the output if it fails and maybe also the /etc/samba/winbind.conf to see the difference between winbind.conf and the postet smb.conf winbind.conf is used because only winbind (not smb and nmbd) is required to run in order to be able to join, read user/groups from ad and to authenticate a user. smb.conf is not used, to keep the possibility to use it to create smb shares with samba. regards simon

(0003229) nathan_peterson (reporter) 2009-11-03 21:49	when running restartsamba.py i get the following: root@thomas:~ # restartsamba.py --winbindonly usage: restartsamba.py <options> restartsamba.py: error: no such option: --winbindonly That said the net ads join fails: root@thomas:/etc/samba # net ads join -U npp -s /etc/samba/winbind.conf -d 5 [2009/11/03 14:45:21, 5] lib/debug.c:debug_dump_status(407) INFO: Current debug levels: all: True/5 tdb: False/0 printdrivers: False/0 lanman: False/0 smb: False/0 rpc_parse: False/0 rpc_srv: False/0 rpc_cli: False/0 passdb: False/0 sam: False/0 auth: False/0 winbind: False/0 vfs: False/0 idmap: False/0 quota: False/0 acls: False/0 locking: False/0 msdfs: False/0 dmapi: False/0 registry: False/0 [2009/11/03 14:45:21, 3] param/loadparm.c:lp_load_ex(8753) lp_load_ex: refreshing parameters [2009/11/03 14:45:21, 3] param/loadparm.c:init_globals(4597) Initialising global parameters [2009/11/03 14:45:21, 3] param/params.c:pm_process(569) params.c:pm_process() - Processing configuration file "/etc/samba/winbind.conf" [2009/11/03 14:45:21, 3] param/loadparm.c:do_section(7416) Processing section "[global]" doing parameter security = ADS doing parameter password server = <Domain Controller> doing parameter realm = <Domain> doing parameter syslog only = Yes Enter npp's password: Failed to join domain: Invalid configuration and configuration modification was not requested

(0003231) nathan_peterson (reporter) 2009-11-03 23:15	winbind does use the samba smb.conf configuration file. The net ads join command defaults to /etc/samba/smb.conf if the configuration file is not specified. I reset my configuration with the restartsamba.py and removed the smb.conf file in my workaround and started working line by line through the winbind.conf file; It appears as the workgroup parameter is set incorrectly. In the configuration, workgroup is set to the short domain name(constco) instead of the full domain name(constco.com). Once this was changed updated, i was able to join my domain.

(0003234) zael (reporter) 2009-11-04 11:26	simon, net ads join fails here too: # net ads join -U <admin_user> -s winbind.conf -d 5 [2009/11/04 04:24:49, 5] lib/debug.c:debug_dump_status(407) INFO: Current debug levels: all: True/5 tdb: False/0 printdrivers: False/0 lanman: False/0 smb: False/0 rpc_parse: False/0 rpc_srv: False/0 rpc_cli: False/0 passdb: False/0 sam: False/0 auth: False/0 winbind: False/0 vfs: False/0 idmap: False/0 quota: False/0 acls: False/0 locking: False/0 msdfs: False/0 dmapi: False/0 registry: False/0 [2009/11/04 04:24:49, 3] param/loadparm.c:lp_load_ex(8753) lp_load_ex: refreshing parameters [2009/11/04 04:24:49, 3] param/loadparm.c:init_globals(4597) Initialising global parameters [2009/11/04 04:24:49, 3] param/params.c:pm_process(569) params.c:pm_process() - Processing configuration file "winbind.conf" [2009/11/04 04:24:49, 3] param/loadparm.c:do_section(7416) Processing section "[global]" doing parameter security = ADS doing parameter password server = <dc_hostname> doing parameter realm = <FULL_DOMAIN_NAME> doing parameter syslog only = Yes Enter <admin_user>'s password: Failed to join domain: Invalid configuration and configuration modification was not requested

(0003264) bodo olschewski (reporter) 2009-11-07 14:47 edited on: 2009-11-07 14:52	Hello, the problem can be fixed by editing the /etc/samba/winbind.conf.tmpl file. The line "workgroup = ${AUTH_REALM.split(".")[0].upper()}" has to be changed. For me it was ok to change it to "workgroup = ${NTLM_DOMAIN.upper()}" (changed file is uploaded ...)

(0003278) nathan_peterson (reporter) 2009-11-09 23:02	Just noticed that if smb.conf is missing, the Authentication groups under access policy -> Authentication -> Group Based does not populate. When you return the smb.conf as a copy of winbind.conf it will populate.

(0003303) zael (reporter) 2009-11-16 11:19	Following bodo olschewski's suggestion didn't work for me. I got this error on Endian web interface: Failed to join domain: Invalid configuration and configuration modification was not requested

(0003323) zael (reporter) 2009-11-19 19:46	Any suggestion, guys?

(0003529) GianniCorona (reporter) 2009-12-09 11:40	Hi I modified winbind.conf.tmpl # password server = $NTLM_PDC.$NTLM_DOMAIN #if $NTLM_BDC != '' then $NTLM_BDC.$NTLM_DOMAIN else ""# password server = $NTLM_PDC.${AUTH_REALM.upper()} I then remade the autentication process and join to domain. The Group Base is correct populated now.

(0003682) luca-endian (developer) 2010-01-21 15:14	As soon as I removed the BDC configuration this error disappeared..

(0003683) luca-endian (developer) 2010-01-21 16:32	This is the fix for this issue. Basically the on-line if on the third line doesn't work.. I know it's a bit ugly but it works.. root@kenny:/etc/samba # cat winbind.conf.tmpl [global] security = ADS password server = $NTLM_PDC.$NTLM_DOMAIN #slurp #if $NTLM_BDC != '' $NTLM_BDC.$NTLM_DOMAIN #else #end if realm = $AUTH_REALM.upper() # handle logging syslog only = Yes log level = 0 winbind:2 syslog = 1 max log size = 1000

(0003707) luca-endian (developer) 2010-01-27 10:43	Ok the fix is the one already applied to the files krb5.conf.tmpl and smb.conf.tmpl. Also the file winbind.conf.tmpl must be patched. This is the bug report: http://bugs.endian.it/view.php?id=2202 [^] Forget the fix above it's unclean compared to the following. You have to change the third line with this: password server = ${NTLM_PDC}.${NTLM_DOMAIN} #if $NTLM_BDC != '' then "%s.%s" % ($NTLM_BDC, $NTLM_DOMAIN) else ""#

(0003731) zael (reporter) 2010-02-01 19:09	Alright, lucagiove, let's go. These are the steps I've done: 1. Installed Endian 2.3, configured everything except HTTP Proxy; 2. Changed "password server" line on winbind.conf.tmpl as suggested. krb5.conf.tmpl didn't need any changes (was already as suggested on the other bug report). smb.conf.tmpl didn't need changes; 3. Tried to join AD through web interface, but didn't work; 4. Run 'net ads join -U<username> -s /etc/samba/winbind.conf' and it worked; 5. Removed computer account in AD; 6. Tried to join AD through web interface, and it worked. Don't know what went wrong, but it finally worked. Groups and Users are populated.

(0003732) luca-endian (developer) 2010-02-01 19:17	You always have to avoid the common pitfalls: http://kb.endian.com/entry/49/ [^]