Failed to join Active Directory

Hi,
I installed the newest ISO in a VirtualBox VM and tried to join the domain of the production NethServer with AD from the Account Provider page. I get the following error:

Failed to join Active Directory (Discovery timed out after 15 seconds)

May 16 14:24:36 TestServer esmith::event[19033]: [INFO] service dnsmasq restart 
May 16 14:24:36 TestServer systemd: Stopping DNS caching server.... 
May 16 14:24:36 TestServer dnsmasq[18972]: exiting on receipt of SIGTERM 
May 16 14:24:36 TestServer systemd: Started DNS caching server.. 
May 16 14:24:36 TestServer systemd: Starting DNS caching server.... 
May 16 14:24:36 TestServer dnsmasq[19058]: started, version 2.76 cachesize 4000 
May 16 14:24:36 TestServer dnsmasq[19058]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify 
May 16 14:24:36 TestServer dnsmasq-tftp[19058]: TFTP root is /var/lib/tftpboot 
May 16 14:24:36 TestServer dnsmasq[19058]: using nameserver 192.168.46.5#53 
May 16 14:24:36 TestServer dnsmasq[19058]: using nameserver 8.8.8.8#53 
May 16 14:24:36 TestServer dnsmasq[19058]: read /etc/hosts - 2 addresses 
May 16 14:24:36 TestServer esmith::event[19033]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.169002] 
May 16 14:24:36 TestServer esmith::event[19033]: Event: nethserver-dnsmasq-save SUCCESS 
May 16 14:24:36 TestServer httpd: [ERROR] Exit code from realm join operation is 1

Does somebody have an idea?

Try with

yum install nmap
nmap <DC_IP>

You should get the list of DNS, Kerberos, NTP, LDAP and RPC ports open

25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
3128/tcp open squid-http

That looks like the port layout of NethServer! Use the DC IP instead :wink:

nmap 192.168.46.5

You are right, now I tried with the IP of the Samba container:

Starting Nmap 6.40 ( http://nmap.org ) at 2018-05-17 08:47 CEST
Nmap scan report for 192.168.46.6
Host is up (0.00096s latency).
All 1000 scanned ports on 192.168.46.6 are filtered
MAC Address: B2:C1:65:74:D9:AC (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 27.42 seconds

Errors are shown at the moment I try to bind to a NethServer AD.
I can ping the AD server by FQDN and by server IP, but not by the Samba IP.

I think it should not be related to ns75 alpha because I successfully installed a local Samba AD accounts provider.

As usual, some sparse commands to gather more info:

 account-provider-test dump
 systemctl status -M nsdc samba
 journalctl -M nsdc -u samba
 config show dns
 config show nsdc
 config show sssd

The following commands were run on the AD server:

"BindDN" : "ldapservice@JONAS.DE",
"LdapURI" : "ldaps://jonas.de",
"StartTls" : "",
"port" : 636,
"host" : "jonas.de",
"isAD" : "1",
"isLdap" : "",
"UserDN" : "dc=jonas,dc=de",
"GroupDN" : "dc=jonas,dc=de",
"BindPassword" : "MyBindPassword",
"BaseDN" : "dc=jonas,dc=de",
"LdapUriDn" : "ldap:///dc%3Djonas%2Cdc%3Dde"

samba.service - Samba domain controller daemon
Loaded: loaded (/usr/lib/systemd/system/samba.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2018-05-03 11:32:18 CEST; 1 weeks 6 days ago
Main PID: 16302
CGroup: /machine.slice/nsdc.service/system.slice/samba.service
├─ 2624 /usr/sbin/samba -i --debug-stderr
├─ 2628 /usr/sbin/samba -i --debug-stderr
├─21468 /usr/sbin/samba -i --debug-stderr
├─21472 /usr/sbin/samba -i --debug-stderr
├─21473 /usr/sbin/samba -i --debug-stderr
├─21475 /usr/sbin/samba -i --debug-stderr
├─21476 /usr/sbin/samba -i --debug-stderr
├─21478 /usr/sbin/samba -i --debug-stderr
├─21479 /usr/sbin/samba -i --debug-stderr
├─21480 /usr/sbin/samba -i --debug-stderr
├─21481 /usr/sbin/smbd -D --option=server role check:inhibit=yes -…
├─21482 /usr/sbin/samba -i --debug-stderr
├─21483 /usr/sbin/samba -i --debug-stderr
├─21484 /usr/sbin/samba -i --debug-stderr
├─21485 /usr/sbin/samba -i --debug-stderr
├─21486 /usr/sbin/samba -i --debug-stderr
├─21487 /usr/sbin/samba -i --debug-stderr
├─21488 /usr/sbin/samba -i --debug-stderr
├─21489 /usr/sbin/samba -i --debug-stderr
├─21491 /usr/sbin/winbindd -D --option=server role check:inhibit=y…
├─21506 /usr/sbin/smbd -D --option=server role check:inhibit=yes -…
├─21507 /usr/sbin/smbd -D --option=server role check:inhibit=yes -…
├─21514 /usr/sbin/winbindd -D --option=server role check:inhibit=y…
├─21519 /usr/sbin/winbindd -D --option=server role check:inhibit=y…
├─21520 /usr/sbin/winbindd -D --option=server role check:inhibit=y…
└─21521 /usr/sbin/smbd -D --option=server role check:inhibit=yes -…
Warning: samba.service changed on disk. Run ‘systemctl daemon-reload’ to reload units.

Failed to add match ‘samba’: Invalid argument
Failed to add filters: Invalid argument

dns=configuration
NameServers=192.168.46.2

This is our Windows DNS server. It’s an AD too, but with another domain.

nsdc=service
IpAddress=192.168.46.6
ProvisionType=newdomain
bridge=br0
status=enabled

AdDns=192.168.46.6
BindDN=ldapservice@JONAS.DE
BindPassword=MyBindPassword
LdapURI=
Provider=ad
Realm=JONAS.DE
Workgroup=JONAS
status=enabled

Of course this is not the original bind password; I changed it for the post.


Everything seems running correctly… Did you enable promiscuous mode?

http://docs.nethserver.org/en/v7/accounts.html#virtualbox

:blush: sorry, it was

journalctl -M nsdc -u samba
[davidep@davidep1 docs]$ host jonas.de
jonas.de has address 109.237.222.141
jonas.de mail is handled by 10 mail.jonas.de.

You've picked a public DNS domain; that is a bad practice :thinking:

http://docs.nethserver.org/en/v7/accounts.html#dns-and-ad-domain

I did it now on the VirtualBox VM, but the AD is running on KVM.
A line from the docs:

Make sure the virtual machine is bridged to a real bridge (like br0) and the bridge is put in promiscuous mode.

For me it’s bridged to a real network adapter. Could this be a problem?

– Logs begin at Thu 2016-09-22 14:44:13 CEST, end at Thu 2018-05-17 09:35:06 CE
Sep 22 14:44:43 nsdc-groupware.jonas.de systemd[1]: Started Samba domain control
Sep 22 14:44:43 nsdc-groupware.jonas.de systemd[1]: Starting Samba domain contro
Sep 22 14:44:43 nsdc-groupware.jonas.de samba[36]: samba version 4.4.5 started.
Sep 22 14:44:43 nsdc-groupware.jonas.de samba[36]: Copyright Andrew Tridgell and
Sep 22 14:44:44 nsdc-groupware.jonas.de samba[36]: samba: using ‘standard’ proce
Sep 22 14:44:44 nsdc-groupware.jonas.de samba[36]: Attempting to autogenerate TL
Sep 22 14:44:44 nsdc-groupware.jonas.de winbindd[51]: [2016/09/22 14:44:44.49560
Sep 22 14:44:44 nsdc-groupware.jonas.de winbindd[51]: initialize_winbindd_cach
Sep 22 14:44:45 nsdc-groupware.jonas.de winbindd[51]: [2016/09/22 14:44:45.25675
Sep 22 14:44:45 nsdc-groupware.jonas.de winbindd[51]: STATUS=daemon 'winbindd’
Sep 22 14:44:47 nsdc-groupware.jonas.de smbd[40]: [2016/09/22 14:44:47.147082,
Sep 22 14:44:47 nsdc-groupware.jonas.de smbd[40]: STATUS=daemon ‘smbd’ finishe
Sep 22 14:44:51 nsdc-groupware.jonas.de samba[36]: TLS self-signed keys generate
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 52 on SIGTERM
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 39 on SIGTERM
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 48 on SIGTERM
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 43 on SIGTERM
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 49 on SIGTERM
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 38 on SIGTERM
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 42 on SIGTERM
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 45 on SIGTERM
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 44 on SIGTERM

You’re right, but is it a problem if the first DNS is internal? The external domain is not ours.

Sorry but I didn’t understand correctly. You said “tried to join the domain of the production nethserver”, so I assumed you want to configure a remote account provider. But when I read “Tried with IP from samba container” I started to think it is a local account provider… :hushed:

I think I don't understand your instructions correctly.

My NethServer AD is installed as a VM on KVM (QEMU) on an Ubuntu host at the moment. The server IP of NethServer (AD) is 192.168.46.5 and the container IP is 192.168.46.6. It is a NethServer 7.4 final.
Now, for testing, I tried to install a 7.5 alpha in VirtualBox (on a Windows client) and tried to join the AD domain with it.

I executed the commands on the AD server. Is this right?


Yes they’re commands for a local AD provider :smile: At least we are sure it works correctly!

Back to your alpha:

Check the Network > DNS settings! You must put only the AD IP, because Google will reply as public DNS!

…then unbind & bind again the remote AD provider

I didn’t test NethServer with a capitalized host name :thinking:

Hi Davide,
thanks for your continuous help.

I’ve changed it.

I changed this too, but no success.

Can you explain to me what you mean, please? The bind is not working at the remote AD, so I can't unbind it, or do you think something is bound without showing me?

Never mind, I forgot the error is before the join procedure has completed.

Did you try to set the IP 192.168.46.6 as DNS instead?

Yes I tried this too, it didn’t work either.

nmap 192.168.46.6 should work at least from the NethServer instance with AD (IP .5) and any other LAN host.

Nmap scan report for 192.168.46.6
Host is up (0.000036s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown

But from another server or a Windows client it does not work.
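The three scan shapes this thread has produced so far (the NethServer mail/web port layout when the wrong IP is scanned, "all ports filtered" from the VirtualBox guest, and the full DC port list from the NethServer host itself) can be told apart mechanically. What follows is an added example, not code from the thread or from NethServer: it parses plain `nmap` text from a default TCP scan and checks it against the TCP ports a Samba AD DC must answer on for `realm join` to work. The sample scan outputs inside it are constructed to mirror the ones posted above; NTP (123/udp) is deliberately absent because the default nmap scan is TCP-only.

```shell
#!/bin/sh
# Added example (not from the thread or the NethServer project): classify an
# nmap scan of the host you are about to 'realm join', so the three outcomes
# seen in this thread can be told apart automatically.
# Usage against a live host:  classify_scan "$(nmap 192.168.46.6)"

# TCP ports a Samba AD DC must answer on for the join to succeed.
# NTP (123) is UDP and is not covered by nmap's default TCP scan.
DC_PORTS="53 88 135 389 445 464 636 3268 3269"

# Print the DC ports that are NOT reported open in the scan text given as $1.
missing_dc_ports() {
    scan=$1
    missing=""
    for p in $DC_PORTS; do
        if ! printf '%s\n' "$scan" | grep -Eq "^${p}/tcp +open"; then
            missing="${missing:+$missing }$p"
        fi
    done
    printf '%s' "$missing"
}

# Print one of: all-filtered, not-a-dc, dc-ok, dc-missing-ports: <list>
classify_scan() {
    scan=$1
    if printf '%s\n' "$scan" | grep -Eq 'All [0-9]+ scanned ports on .* are filtered'; then
        # Nothing answers at all: a layer-2 / firewall problem (bridge not in
        # promiscuous mode, host firewall) rather than a Samba problem.
        echo "all-filtered"
        return 0
    fi
    missing=$(missing_dc_ports "$scan")
    if [ -z "$missing" ]; then
        echo "dc-ok"
    elif printf '%s\n' "$scan" | grep -Eq '^(25|143|3128)/tcp +open'; then
        # Mail/proxy ports: this is the NethServer host itself, not the nsdc container.
        echo "not-a-dc"
    else
        echo "dc-missing-ports: $missing"
    fi
}

# Constructed sample scans mirroring the outputs posted in the thread.
SCAN_NETHSERVER='25/tcp open smtp
53/tcp open domain
80/tcp open http
443/tcp open https
3128/tcp open squid-http'

SCAN_FILTERED='Nmap scan report for 192.168.46.6
Host is up (0.00096s latency).
All 1000 scanned ports on 192.168.46.6 are filtered'

SCAN_DC='Nmap scan report for 192.168.46.6
Host is up (0.000036s latency).
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl'

for s in SCAN_NETHSERVER SCAN_FILTERED SCAN_DC; do
    eval "v=\$$s"
    echo "$s -> $(classify_scan "$v")"
done
```

Run it from the machine that will do the join (here the VirtualBox guest): `dc-ok` means discovery should succeed and the problem is elsewhere (DNS order, realm name); `all-filtered` from a guest while the same scan returns `dc-ok` from the NethServer host points at the hypervisor bridge, which is where this thread ends up.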

…so it’s an issue of your production server, not the alpha one. Check your KVM virtualizer:

http://docs.nethserver.org/en/v7/accounts.html#kvm

Yes you’re right.

I've looked at the settings on the host. As I said, the bridge is bridged to a real network adapter and not to another bridge as suggested in the documentation. Could this be a problem? For information, the host has 4 network adapters: one for binding the host to the network and one for every virtual machine.
I tried it with the firewall (ufw, the Ubuntu firewall) disabled on the host; this doesn't work either.
I tried nmap from the host to NethServer; all ports are filtered there too. So I think the problem is NethServer or the KVM like you said, but I don't know what to check anymore.

Did you activate promiscuous mode for the bridge? You can check it with ifconfig:

[root@server2 ~]# ifconfig br0
br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
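The `flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>` line above is ifconfig decoding the kernel's interface flags word; the same value is readable as hex from `/sys/class/net/br0/flags` on hosts where ifconfig is not installed. The following is an added example, not from the thread or from NethServer, that decodes that word with the IFF_* bit values from linux/if.h and checks a bridge for PROMISC; the `bridge_promisc_status` helper and its output format are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or NethServer): decode the interface flags
# word that ifconfig prints (flags=4419) or that the kernel exposes in
# /sys/class/net/<if>/flags (0x1143), and check for PROMISC on a bridge.
# Usage on the KVM host:  bridge_promisc_status br0

# IFF_* bit values from linux/if.h (only the ones shown in the ifconfig line above).
IFF_UP=1
IFF_BROADCAST=2
IFF_RUNNING=64
IFF_PROMISC=256
IFF_MULTICAST=4096

# Turn a flags word (decimal or 0x-hex) into ifconfig's comma-separated names.
decode_if_flags() {
    f=$(( $1 ))
    out=""
    for pair in UP:$IFF_UP BROADCAST:$IFF_BROADCAST RUNNING:$IFF_RUNNING \
                PROMISC:$IFF_PROMISC MULTICAST:$IFF_MULTICAST; do
        name=${pair%%:*}
        bit=${pair##*:}
        if [ $(( f & bit )) -ne 0 ]; then
            out="${out:+$out,}$name"
        fi
    done
    printf '%s' "$out"
}

# yes/no: is the PROMISC bit set in the flags word $1?
is_promisc() {
    if [ $(( $1 & IFF_PROMISC )) -ne 0 ]; then echo yes; else echo no; fi
}

# Report on a real interface (hypothetical helper); returns 1 if it does not exist.
bridge_promisc_status() {
    dev=$1
    if [ ! -r "/sys/class/net/$dev/flags" ]; then
        echo "no such interface: $dev" >&2
        return 1
    fi
    flags=$(cat "/sys/class/net/$dev/flags")
    echo "$dev: flags=$flags <$(decode_if_flags "$flags")> promisc=$(is_promisc "$flags")"
    # To enable it until the next reboot:  ip link set dev "$dev" promisc on
    # (make it persistent in the host's network configuration as well)
}

# The value from the thread's ifconfig output, decoded:
echo "4419 -> $(decode_if_flags 4419)"
```

If the bridge reports `promisc=no`, the DC's replies never reach a VM with a different MAC than the bridge port, which matches the "all ports filtered" scans from the other VMs even with ufw disabled. `ip link set dev br0 promisc on` enables it immediately; the `ifconfig br0` line should then show PROMISC (4419) instead of 4163.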