Failed to join Active Directory

Tags: local, accounts-provider, v7, activedirectory

(Michael Träumner) #1

Hi,
I installed the newest ISO in VirtualBox and tried to join the domain of the production NethServer with AD on the Account Provider page. I get the following error:

Failed to join Active Directory (Discovery timed out after 15 seconds)

May 16 14:24:36 TestServer esmith::event[19033]: [INFO] service dnsmasq restart 
May 16 14:24:36 TestServer systemd: Stopping DNS caching server.... 
May 16 14:24:36 TestServer dnsmasq[18972]: exiting on receipt of SIGTERM 
May 16 14:24:36 TestServer systemd: Started DNS caching server.. 
May 16 14:24:36 TestServer systemd: Starting DNS caching server.... 
May 16 14:24:36 TestServer dnsmasq[19058]: started, version 2.76 cachesize 4000 
May 16 14:24:36 TestServer dnsmasq[19058]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify 
May 16 14:24:36 TestServer dnsmasq-tftp[19058]: TFTP root is /var/lib/tftpboot 
May 16 14:24:36 TestServer dnsmasq[19058]: using nameserver 192.168.46.5#53 
May 16 14:24:36 TestServer dnsmasq[19058]: using nameserver 8.8.8.8#53 
May 16 14:24:36 TestServer dnsmasq[19058]: read /etc/hosts - 2 addresses 
May 16 14:24:36 TestServer esmith::event[19033]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.169002] 
May 16 14:24:36 TestServer esmith::event[19033]: Event: nethserver-dnsmasq-save SUCCESS 
May 16 14:24:36 TestServer httpd: [ERROR] Exit code from realm join operation is 1

Does somebody have an idea?


Testing NethServer 7.5.1804 alpha
(Davide Principi) #2

Try with

yum install nmap
nmap <DC_IP>

You should get the list of DNS, Kerberos, NTP, LDAP and RPC ports open


(Michael Träumner) #3

25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
3128/tcp open squid-http


(Davide Principi) #4

It seems to be the port layout of NethServer! Use the DC IP instead :wink:

nmap 192.168.46.5

(Michael Träumner) #5

You are right, now I tried with the IP of the samba container:

Starting Nmap 6.40 ( http://nmap.org ) at 2018-05-17 08:47 CEST
Nmap scan report for 192.168.46.6
Host is up (0.00096s latency).
All 1000 scanned ports on 192.168.46.6 are filtered
MAC Address: B2:C1:65:74:D9:AC (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 27.42 seconds

Errors are shown; at the moment I am trying to bind to a NethServer AD.
I can ping the AD server by FQDN and by server IP, but not by the samba IP.


(Davide Principi) #6

I think it should not be related to ns75 alpha because I successfully installed a local Samba AD accounts provider.

As usual, some sparse commands to gather more info:

 account-provider-test dump
 systemctl status -M nsdc samba
 journalctl -M nsdc -u samba
 config show dns
 config show nsdc
 config show sssd

(Michael Träumner) #7

The following commands were run at the AD server:

"BindDN" : "ldapservice@JONAS.DE",
"LdapURI" : "ldaps://jonas.de",
"StartTls" : "",
"port" : 636,
"host" : "jonas.de",
"isAD" : "1",
"isLdap" : "",
"UserDN" : "dc=jonas,dc=de",
"GroupDN" : "dc=jonas,dc=de",
"BindPassword" : "MyBindPassword",
"BaseDN" : "dc=jonas,dc=de",
"LdapUriDn" : "ldap:///dc%3Djonas%2Cdc%3Dde"

samba.service - Samba domain controller daemon
Loaded: loaded (/usr/lib/systemd/system/samba.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2018-05-03 11:32:18 CEST; 1 weeks 6 days ago
Main PID: 16302
CGroup: /machine.slice/nsdc.service/system.slice/samba.service
├─ 2624 /usr/sbin/samba -i --debug-stderr
├─ 2628 /usr/sbin/samba -i --debug-stderr
├─21468 /usr/sbin/samba -i --debug-stderr
├─21472 /usr/sbin/samba -i --debug-stderr
├─21473 /usr/sbin/samba -i --debug-stderr
├─21475 /usr/sbin/samba -i --debug-stderr
├─21476 /usr/sbin/samba -i --debug-stderr
├─21478 /usr/sbin/samba -i --debug-stderr
├─21479 /usr/sbin/samba -i --debug-stderr
├─21480 /usr/sbin/samba -i --debug-stderr
├─21481 /usr/sbin/smbd -D --option=server role check:inhibit=yes -…
├─21482 /usr/sbin/samba -i --debug-stderr
├─21483 /usr/sbin/samba -i --debug-stderr
├─21484 /usr/sbin/samba -i --debug-stderr
├─21485 /usr/sbin/samba -i --debug-stderr
├─21486 /usr/sbin/samba -i --debug-stderr
├─21487 /usr/sbin/samba -i --debug-stderr
├─21488 /usr/sbin/samba -i --debug-stderr
├─21489 /usr/sbin/samba -i --debug-stderr
├─21491 /usr/sbin/winbindd -D --option=server role check:inhibit=y…
├─21506 /usr/sbin/smbd -D --option=server role check:inhibit=yes -…
├─21507 /usr/sbin/smbd -D --option=server role check:inhibit=yes -…
├─21514 /usr/sbin/winbindd -D --option=server role check:inhibit=y…
├─21519 /usr/sbin/winbindd -D --option=server role check:inhibit=y…
├─21520 /usr/sbin/winbindd -D --option=server role check:inhibit=y…
└─21521 /usr/sbin/smbd -D --option=server role check:inhibit=yes -…
Warning: samba.service changed on disk. Run 'systemctl daemon-reload' to reload units.

Failed to add match 'samba': Invalid argument
Failed to add filters: Invalid argument

dns=configuration
NameServers=192.168.46.2

This is our Windows DNS server. It’s an AD too, but with another domain.

nsdc=service
IpAddress=192.168.46.6
ProvisionType=newdomain
bridge=br0
status=enabled

AdDns=192.168.46.6
BindDN=ldapservice@JONAS.DE
BindPassword=MyBindPassword
LdapURI=
Provider=ad
Realm=JONAS.DE
Workgroup=JONAS
status=enabled

Of course this is not the original bind password; I've changed it in the post.


(Davide Principi) #8

Everything seems running correctly… Did you enable promiscuous mode?

http://docs.nethserver.org/en/v7/accounts.html#virtualbox

:blush: sorry, it was

journalctl -M nsdc -u samba
[davidep@davidep1 docs]$ host jonas.de
jonas.de has address 109.237.222.141
jonas.de mail is handled by 10 mail.jonas.de.

You’ve picked a public DNS domain, that is a bad practice :thinking:

http://docs.nethserver.org/en/v7/accounts.html#dns-and-ad-domain


(Michael Träumner) #9

I did it now in VirtualBox, but the AD is running on KVM.
A line from the docs:

Make sure the virtual machine is bridged to a real bridge (like br0) and the bridge is put in promiscuous mode.

For me it’s bridged to a real network adapter. Could this be a problem?

-- Logs begin at Thu 2016-09-22 14:44:13 CEST, end at Thu 2018-05-17 09:35:06 CE
Sep 22 14:44:43 nsdc-groupware.jonas.de systemd[1]: Started Samba domain control
Sep 22 14:44:43 nsdc-groupware.jonas.de systemd[1]: Starting Samba domain contro
Sep 22 14:44:43 nsdc-groupware.jonas.de samba[36]: samba version 4.4.5 started.
Sep 22 14:44:43 nsdc-groupware.jonas.de samba[36]: Copyright Andrew Tridgell and
Sep 22 14:44:44 nsdc-groupware.jonas.de samba[36]: samba: using 'standard' proce
Sep 22 14:44:44 nsdc-groupware.jonas.de samba[36]: Attempting to autogenerate TL
Sep 22 14:44:44 nsdc-groupware.jonas.de winbindd[51]: [2016/09/22 14:44:44.49560
Sep 22 14:44:44 nsdc-groupware.jonas.de winbindd[51]: initialize_winbindd_cach
Sep 22 14:44:45 nsdc-groupware.jonas.de winbindd[51]: [2016/09/22 14:44:45.25675
Sep 22 14:44:45 nsdc-groupware.jonas.de winbindd[51]: STATUS=daemon 'winbindd'
Sep 22 14:44:47 nsdc-groupware.jonas.de smbd[40]: [2016/09/22 14:44:47.147082,
Sep 22 14:44:47 nsdc-groupware.jonas.de smbd[40]: STATUS=daemon 'smbd' finishe
Sep 22 14:44:51 nsdc-groupware.jonas.de samba[36]: TLS self-signed keys generate
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 52 on SIGTERM
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 39 on SIGTERM
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 48 on SIGTERM
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 43 on SIGTERM
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 49 on SIGTERM
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 38 on SIGTERM
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 42 on SIGTERM
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 45 on SIGTERM
Oct 24 10:08:35 nsdc-groupware.jonas.de samba[36]: Exiting pid 44 on SIGTERM

You’re right, but is it a problem if the first DNS is internal? The external domain is not ours.


(Davide Principi) #10

Sorry but I didn’t understand correctly. You said “tried to join the domain of the production nethserver”, so I assumed you want to configure a remote account provider. But when I read “Tried with IP from samba container” I started to think it is a local account provider… :hushed:


(Michael Träumner) #11

I think I don’t understand your orders correctly.

My NethServer AD is installed as a VM on KVM (Qemu) on an Ubuntu host at the moment. The server IP of NethServer (AD) is 192.168.46.5 and the container IP is 192.168.46.6. It is a NethServer 7.4 final.
Now, for testing, I tried to install a 7.5 alpha in VirtualBox (on a Windows client) and tried to join the AD domain with it.

The commands I executed at the ad server. Is this right?


(Davide Principi) #12

Yes they’re commands for a local AD provider :smile: At least we are sure it works correctly!

Back to your alpha:

Check the Network > DNS settings! You must put only the AD IP, because Google will reply as public DNS!

…then unbind & bind again the remote AD provider

I didn’t test NethServer with a capitalized host name :thinking:


(Michael Träumner) #13

Hi Davide,
thanks for your continuous help.

I’ve changed it.

I changed this too, but no success.

Can you explain to me what you mean, please? The bind is not working at the remote AD, so I can't unbind it, or do you think something is bound without showing me?


(Davide Principi) #14

Never mind, I forgot the error is before the join procedure has completed.

Did you try to set the IP 192.168.46.6 as DNS instead?


(Michael Träumner) #15

Yes I tried this too, it didn’t work either.


(Davide Principi) #16

nmap 192.168.46.6 should work at least from the NethServer instance with AD (IP .5) and any other LAN host.


(Michael Träumner) #17

Nmap scan report for 192.168.46.6
Host is up (0.000036s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown

But from other servers or Windows clients it does not work.
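The three scans in this thread (the NethServer host in post #3, the "all ports filtered" container in post #5, and the healthy DC in post #17) each tell a different story. The following script, added here as an example and not code from the original thread or from the NethServer project, parses normal-format nmap output and classifies it against the TCP ports a Samba/Windows domain controller is expected to expose. The expected-port table, the verdict names and the sample reports are my own constructions modelled on the output posted above; a plain TCP scan such as `nmap <DC_IP>` will not show NTP (UDP 123), so that service is deliberately left out of the table.

```python
import re

# TCP ports a Samba/Windows AD DC must answer on for a domain join to proceed.
# Assumed table built from post #2's list (DNS, Kerberos, LDAP, RPC) and the
# open ports visible in post #17's scan. NTP is UDP and absent from a TCP scan.
REQUIRED_DC_TCP_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "MS-RPC endpoint mapper",
    389: "LDAP",
    445: "SMB",
    464: "kpasswd",
    636: "LDAPS",
    3268: "Global Catalog LDAP",
    3269: "Global Catalog LDAPS",
}

PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
ALL_FILTERED = re.compile(r"All \d+ scanned ports on \S+ are filtered")


def parse_nmap_report(text):
    """Return {port: state} for every TCP 'PORT STATE SERVICE' line in a report."""
    states = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(2) == "tcp":
            states[int(m.group(1))] = m.group(3)
    return states


def diagnose_dc_scan(text):
    """Classify a scan of a would-be DC.

    Returns (verdict, missing_ports) where verdict is one of:
      'filtered'  nothing answered at all: a firewall or a broken bridge between
                  scanner and DC, not a service problem (posts #5 and #19)
      'not-a-dc'  neither Kerberos nor LDAP is open: wrong target (post #3
                  scanned the NethServer host instead of the DC container)
      'partial'   a DC, but some required ports are not open
      'ok'        every required port is open (post #17)
    """
    if ALL_FILTERED.search(text):
        return "filtered", sorted(REQUIRED_DC_TCP_PORTS)
    states = parse_nmap_report(text)
    open_ports = {p for p, s in states.items() if s == "open"}
    missing = sorted(p for p in REQUIRED_DC_TCP_PORTS if p not in open_ports)
    if not open_ports & {88, 389}:
        return "not-a-dc", missing
    if missing:
        return "partial", missing
    return "ok", missing


# Constructed sample reports, modelled on the three scans posted in the thread.
SAMPLE_NETHSERVER_HOST = """\
25/tcp open smtp
53/tcp open domain
80/tcp open http
443/tcp open https
3128/tcp open squid-http
"""

SAMPLE_FILTERED = """\
Nmap scan report for 192.168.46.6
Host is up (0.00096s latency).
All 1000 scanned ports on 192.168.46.6 are filtered
"""

SAMPLE_DC = """\
Nmap scan report for 192.168.46.6
Not shown: 987 closed ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
"""

if __name__ == "__main__":
    for name, report in [("nethserver-host", SAMPLE_NETHSERVER_HOST),
                         ("filtered", SAMPLE_FILTERED), ("dc", SAMPLE_DC)]:
        verdict, missing = diagnose_dc_scan(report)
        names = ", ".join(f"{p} ({REQUIRED_DC_TCP_PORTS[p]})" for p in missing)
        print(f"{name}: {verdict}" + (f"; missing: {names}" if missing else ""))
```

Feed it the saved output of `nmap <DC_IP>` (for example `nmap -oN dc.txt 192.168.46.6`); a `filtered` verdict from a LAN host that gets `ok` from the NethServer host itself points at the hypervisor bridge, exactly the conclusion Davide draws in post #18.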


(Davide Principi) #18

…so it’s an issue of your production server, not the alpha one. Check your KVM virtualizer:

http://docs.nethserver.org/en/v7/accounts.html#kvm


(Michael Träumner) #19

Yes you’re right.

I've looked at the settings on the host; as I said, the bridge is bridged to a real network adapter and not to another bridge as suggested in the documentation. Could this be a problem? For information, the host has 4 network adapters, one for binding the host to the network and one for every virtual machine.
I tried it with the firewall (ufw - Ubuntu firewall) on the host inactive, and this doesn't work either.
I tried nmap from the host to NethServer, and all ports are filtered there too. So I think the problem is NethServer or KVM like you said, but I don't know what to check anymore.


(Markus Neuberger) #20

Did you activate promiscuous mode for the bridge? You can check it with ifconfig:

[root@server2 ~]# ifconfig br0
br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
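The `flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>` line is worth reading both ways: the decimal number is the OR of the kernel's `IFF_*` interface flag bits and the names in angle brackets are ifconfig's decoding of it. The decoder below is an added example, not code from the thread or from the NethServer project; it takes saved ifconfig output, decodes the numeric flags from the `<linux/if.h>` bit values, checks that the decoding agrees with the printed names, and reports whether the bridge is in promiscuous mode. The interface name `br0` follows the post; the non-promiscuous sample line is constructed (4163 is 4419 with the PROMISC bit 0x100 cleared).

```python
import re

# Interface flag bits from <linux/if.h>; ifconfig prints their OR in decimal.
IFF_FLAGS = {
    0x1: "UP",
    0x2: "BROADCAST",
    0x4: "DEBUG",
    0x8: "LOOPBACK",
    0x10: "POINTOPOINT",
    0x20: "NOTRAILERS",
    0x40: "RUNNING",
    0x80: "NOARP",
    0x100: "PROMISC",
    0x200: "ALLMULTI",
    0x400: "MASTER",
    0x800: "SLAVE",
    0x1000: "MULTICAST",
}
IFF_PROMISC = 0x100

# Header line of each interface block, e.g.
# "br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500"
HEADER = re.compile(r"^(?P<iface>[^\s:]+): flags=(?P<num>\d+)<(?P<names>[^>]*)>")


def decode_flags(value):
    """Expand a numeric flags word into the names of the bits that are set."""
    return [name for bit, name in sorted(IFF_FLAGS.items()) if value & bit]


def parse_ifconfig(output):
    """Return {iface: (numeric_flags, printed_names)} for every header line."""
    result = {}
    for line in output.splitlines():
        m = HEADER.match(line)
        if m:
            names = [n for n in m.group("names").split(",") if n]
            result[m.group("iface")] = (int(m.group("num")), names)
    return result


def check_promisc(output, iface="br0"):
    """Return True if iface has the PROMISC bit set, False if not.

    Raises ValueError when the interface is absent or when the decoded numeric
    flags disagree with the names ifconfig printed (a sign the output was
    edited or truncated in transit, as often happens with pasted logs).
    """
    interfaces = parse_ifconfig(output)
    if iface not in interfaces:
        raise ValueError(f"interface {iface!r} not found in ifconfig output")
    num, names = interfaces[iface]
    if decode_flags(num) != names:
        raise ValueError(f"{iface}: flags={num} decodes to {decode_flags(num)} "
                         f"but ifconfig printed {names}")
    return bool(num & IFF_PROMISC)


# Constructed samples: the line from post #20, and the same bridge without PROMISC.
SAMPLE_PROMISC = (
    "br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500\n"
    "        inet 192.168.46.5  netmask 255.255.255.0  broadcast 192.168.46.255\n"
)
SAMPLE_NOT_PROMISC = "br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500\n"

if __name__ == "__main__":
    for label, sample in [("post #20", SAMPLE_PROMISC), ("constructed", SAMPLE_NOT_PROMISC)]:
        print(f"{label}: br0 promiscuous = {check_promisc(sample)}")
```

Run it over `ifconfig br0 > br0.txt` from the KVM host; a `False` for the bridge that carries the DC container's traffic is the condition the linked documentation and post #20 describe, and the numeric/name cross-check catches pasted output that was trimmed or retyped.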