I have NS7 running with a Samba4 AD account provider. To make my network a bit more modular, I decided to install a second NS7 server with 2 network adapters with only 1 functionality: Gateway. I joined the Samba4 domain with this second server and was told the join was OK.
When I look at Status/Domain Accounts, it has the same info as on the DC.
But when I go to Management/Users and Groups, I get an empty table and red bar: AccountProvider_Error_82
Times are synced through ntp.org so they match on both servers.
outcome of list-users:
[root@fw ~]# /usr/libexec/nethserver/list-users
(82) GSSAPI Error (init): Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
In /var/log/messages I have probably found the cause:
Aug 2 21:40:49 fw realmd: * Resolving: interlin.nl
Aug 2 21:40:49 fw realmd: * Performing LDAP DSE lookup on: 178.21.118.63
Aug 2 21:40:49 fw realmd: * Successfully discovered: interlin.nl
Aug 2 21:40:49 fw realmd: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
Aug 2 21:40:49 fw realmd: * LANG=C /usr/sbin/adcli join --verbose --domain interlin.nl --domain-realm INTERLIN.NL --domain-controller 178.21.118.63 --login-type user --login-user rob --stdin-password
Aug 2 21:40:49 fw realmd: * Using domain name: interlin.nl
Aug 2 21:40:49 fw realmd: * Calculated computer account name from fqdn: FW
Aug 2 21:40:49 fw realmd: * Using domain realm: interlin.nl
Aug 2 21:40:49 fw realmd: * Sending netlogon pings to domain controller: cldap://178.21.118.63
Aug 2 21:40:49 fw realmd: * Received NetLogon info from: kvs1.interlin.nl
Aug 2 21:40:49 fw realmd: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-FO4yYn/krb5.d/adcli-krb5-conf-WtXJr9
Aug 2 21:40:50 fw realmd: * Authenticated as user: rob@INTERLIN.NL
The domain which the server has joined is not the NethServer Samba4 AD DC, but the server where interlin.nl is hosted on a VPS in a datacenter.
Maybe I should opt for a local TLD (lan or local or something like that) as the Samba4 domain? Or could I make this work and make a domain based on 3 servers, of which one is off-site? I have my email served on that VPS and it would be nice if it all was the same domain. Would it be possible to use a server-to-server VPN from home to the datacenter and still have the server in the datacenter have a direct connection to the internet with an external IP address?
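The realmd excerpt above shows the join resolving interlin.nl to a public address (178.21.118.63) and a DC that is not the local Samba4 DC. The following is an added example, not part of the original post or of NethServer's own tooling: it parses realmd join output of that shape and flags two things a defender would want to catch before trusting the join, a discovered domain that differs from the one intended, and a domain controller address outside the local networks. The sample log is constructed from the lines in the post; the expected domain and the local network list are assumptions passed in by the caller.

```python
import ipaddress
import re

# Constructed sample in the shape of the /var/log/messages excerpt above
# (hosts and addresses taken from the post; not a real capture).
SAMPLE_LOG = """\
Aug 2 21:40:49 fw realmd: * Resolving: interlin.nl
Aug 2 21:40:49 fw realmd: * Performing LDAP DSE lookup on: 178.21.118.63
Aug 2 21:40:49 fw realmd: * Successfully discovered: interlin.nl
Aug 2 21:40:49 fw realmd: * Using domain name: interlin.nl
Aug 2 21:40:49 fw realmd: * Using domain realm: interlin.nl
Aug 2 21:40:49 fw realmd: * Sending netlogon pings to domain controller: cldap://178.21.118.63
Aug 2 21:40:49 fw realmd: * Received NetLogon info from: kvs1.interlin.nl
Aug 2 21:40:50 fw realmd: * Authenticated as user: rob@INTERLIN.NL
"""

# realmd prints discovery steps as "* <description>: <value>"; lines without
# a ": " after the description (e.g. the adcli command line) are ignored.
LINE_RE = re.compile(r"realmd: \* (?P<key>[^:]+): (?P<value>.+)$")


def parse_realmd_log(text):
    """Return {description: value} for every '* description: value' line.

    If a description repeats (several join attempts), the last value wins."""
    found = {}
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            found[match.group("key").strip()] = match.group("value").strip()
    return found


def check_join(text, expected_domain, local_networks):
    """Audit a realmd join log.

    expected_domain: the AD domain the host was meant to join (e.g. the
    private subdomain recommended in the thread).
    local_networks:  CIDR strings for the LANs where the DC is allowed to live.
    Returns a list of human-readable findings; empty means nothing suspicious."""
    findings = []
    info = parse_realmd_log(text)

    domain = info.get("Using domain name")
    if domain is None:
        findings.append("no 'Using domain name' line: join never reached discovery")
    elif domain.lower() != expected_domain.lower():
        findings.append(f"joined {domain!r} but expected {expected_domain!r}")

    dc_addr = info.get("Performing LDAP DSE lookup on")
    if dc_addr:
        dc_ip = ipaddress.ip_address(dc_addr)
        allowed = [ipaddress.ip_network(net) for net in local_networks]
        if not any(dc_ip in net for net in allowed):
            findings.append(
                f"domain controller {dc_addr} is outside the local networks {local_networks}"
            )
    return findings


if __name__ == "__main__":
    # Assumed intended domain and LAN for this host; adjust to your site.
    for finding in check_join(SAMPLE_LOG, "ad.interlin.nl", ["192.168.10.0/24"]):
        print("WARNING:", finding)
```

Run against the sample it reports both problems seen in the thread: the host joined interlin.nl rather than the intended subdomain, and the DC it talked to is a public address, which is exactly the situation where "Server not found in Kerberos database" follows, because the KDC that issued the ticket is not the one the LDAP server trusts.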
IIUC, you have two separate DCs with the same domain name? This is a bad situation.
Support for multiple DCs is still limited to migration scenarios. In production environments, I recommend only a single DC per domain.
About the domain name, the best practice is pointed out in the manual: use a private subdomain of the public domain; i.e. ad.interlin.nl, corp.interlin.nl, home.interlin.nl…
Ok, I removed the server from the domain by leaving the domain. By mistake I joined interlin.nl instead of ad.interlin.nl.
ad.interlin.nl is running on another NS7 on my local network.
After leaving, I joined ad.interlin.nl but I still have the same error: AccountProvider_Error_82
I had to try a few times before the join succeeded. Therefore you see a failure in rows #65 and #177.
What troubles me is the multiple entries of:
fw admin-todos: (82) GSSAPI Error (init): Unspecified GSS failure. Minor code may provide more information
fw admin-todos: Server not found in Kerberos database
What does that mean? Something wrong with DNS settings?
/edit:
Maybe something that points to the problem:
When I do a klist on the server that joined the domain I get:
[root@fw ~]# klist
klist: Credentials cache keyring 'persistent:0:0' not found
Seems the server doesn't get a (valid) Kerberos token?
//edit:
Info from Domain Accounts looks good to me:
Domain ad.interlin.nl
NetBIOS domain name: INTERLIN
LDAP server: 192.168.10.6
LDAP server name: nsdc-ns7.ad.interlin.nl
Realm: AD.INTERLIN.NL
Bind Path: dc=AD,dc=INTERLIN,dc=NL
LDAP port: 389
Server time: Fri, 04 Aug 2017 20:41:11 CEST
KDC server: 192.168.10.6
Server time offset: 0
Last machine account password change: Fri, 04 Aug 2017 20:01:09 CEST
Should I change the interlin.nl entries to ad.interlin.nl? Only ad.interlin.nl is on my local LAN.
There is definitely something wrong with the krb config:
[root@fw ~]# /usr/libexec/nethserver/list-users
klist: Improper format of Kerberos configuration file while initializing krb5
kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
(82) GSSAPI Error (init): Unspecified GSS failure. Minor code may provide more information
Improper format of Kerberos configuration file
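"Improper format of Kerberos configuration file" is the Kerberos library refusing to load krb5.conf at all, so klist and kinit fail before any KDC is contacted. As an added example (not from the original post, not NethServer's code, and not the MIT profile parser itself), the block below parses a krb5.conf-style file, reports the structural errors that make a profile unloadable, and then checks that the file points at the realm and KDC shown in the Domain Accounts panel rather than stale interlin.nl entries. The three configurations are constructed for the example; the realm AD.INTERLIN.NL and KDC 192.168.10.6 are taken from the panel output above, and the assumption that an unclosed brace or a key outside any section is what the library rejects as "improper format" is labelled as such in the code.

```python
# Constructed krb5.conf samples (not copied from any real host).
GOOD_CONF = """\
[libdefaults]
 default_realm = AD.INTERLIN.NL
 dns_lookup_kdc = true

[realms]
 AD.INTERLIN.NL = {
  kdc = 192.168.10.6
 }

[domain_realm]
 .ad.interlin.nl = AD.INTERLIN.NL
 ad.interlin.nl = AD.INTERLIN.NL
"""

# Still points at the public interlin.nl domain from the first, mistaken join.
STALE_CONF = """\
[libdefaults]
 default_realm = INTERLIN.NL

[realms]
 INTERLIN.NL = {
  kdc = kvs1.interlin.nl
 }

[domain_realm]
 .interlin.nl = INTERLIN.NL
"""

# The closing brace of the realm block is missing.
UNCLOSED_CONF = """\
[libdefaults]
 default_realm = AD.INTERLIN.NL

[realms]
 AD.INTERLIN.NL = {
  kdc = 192.168.10.6

[domain_realm]
 .ad.interlin.nl = AD.INTERLIN.NL
"""


def parse_krb5_conf(text):
    """Parse krb5.conf-style text into {section: {key: value}}.

    A 'key = {' line opens a nested dict until the matching '}'. Raises
    ValueError on structural errors; the assumption here is that these are
    the errors the Kerberos profile loader reports as 'Improper format'."""
    conf, stack, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            if stack:
                raise ValueError(f"line {lineno}: section header inside an unclosed '{{' block")
            current = conf.setdefault(line[1:-1], {})
        elif line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: '}}' without a matching '{{'")
            current = stack.pop()
        elif current is None:
            raise ValueError(f"line {lineno}: key/value outside any [section]")
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: expected 'key = value'")
            key, value = key.strip(), value.strip()
            if value == "{":                      # open a nested block
                stack.append(current)
                current = current.setdefault(key, {})
            else:
                current[key] = value
    if stack:
        raise ValueError("unclosed '{' block at end of file")
    return conf


def check_krb5_conf(text, expected_realm, expected_kdc):
    """Return findings for a krb5.conf; an empty list means it is well formed
    and consistent with the realm and KDC the host is supposed to use."""
    try:
        conf = parse_krb5_conf(text)
    except ValueError as err:
        return [f"improper format: {err}"]
    findings = []
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm != expected_realm:
        findings.append(f"default_realm is {default_realm!r}, expected {expected_realm!r}")
    block = conf.get("realms", {}).get(expected_realm)
    if not isinstance(block, dict):
        findings.append(f"[realms] has no block for {expected_realm}")
    elif block.get("kdc") != expected_kdc:
        findings.append(f"kdc for {expected_realm} is {block.get('kdc')!r}, expected {expected_kdc!r}")
    mapping = conf.get("domain_realm", {})
    for name in ("." + expected_realm.lower(), expected_realm.lower()):
        if mapping.get(name) != expected_realm:
            findings.append(f"[domain_realm] does not map {name} to {expected_realm}")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONF), ("stale", STALE_CONF), ("unclosed", UNCLOSED_CONF)):
        print(label, check_krb5_conf(text, "AD.INTERLIN.NL", "192.168.10.6") or "OK")
```

The useful order is the one the function follows: first make the file loadable, since until then klist and kinit say nothing about realms at all, then confirm default_realm, the [realms] KDC and the [domain_realm] mapping all name the local AD.INTERLIN.NL domain; leftover INTERLIN.NL entries would send ticket requests to the public host that the first join discovered.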