Joining a windows domain using YaST - fundamental changes since Leap 15.2 / .3 / .4 ?

At work I can join the following OS using YaST without any issues whatsoever:

Leap 15.0
Leap 15.1

I can configure pam to allow console / xdm logins. pam_mount works as well.

With Leap 15.2 I have to make adjustments to smb.conf to get it working. krb5.conf are identical between 15.2 and 15.1

15.2 smb.conf offending section (bad):

idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config ads : backend = rid
idmap config ads : range = 20001-99999

15.1 smb.conf equivalent section (good):

idmap gid = 10000-20000
idmap uid = 10000-20000

I cannot join 15.3 / 15.4 at all. 15.4 claims it cannot find the DC for our domain (I did check the SRV records, they are there, and it works for 15.0 … 15.2 so …).
Also the YaST logfiles for krb5.conf and smb.conf show sections with “(null)” for the REALM config line. Something is not right. resolv.conf are identical for all versions.


# krb5.conf

 [realms]    (null) = {
    kdc = xxx.xxx.xxx (it's the right one)
    }


# smb.conf

[global]
        create krb5 conf = no
        include = /etc/samba/dhcp.conf
        kerberos method = secrets and keytab
        realm = (null) <-- this is not right
        security = ads
        workgroup = ADS
        cups options = raw

Yast error message

Failed to join domain: failed to find DC for domain XXX - The object was not found

15.3 immediately complains

Cannot use the workgroup XXX for Linux authentication. Enter a domain or disable using SMB for Linux authentication.

I would be glad if someone could try AD joining Leap clients. With tumbleweed I have identical issues as with 15.4

Manually configure the 'realm = ’ entry as required?
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File
https://wiki.archlinux.org/title/Active_Directory_integration#Base_Samba_configuration_file

Have you tried joining the AD manually? (Sorry I can only offer general advice here as I do not have a domain environment.)

Not really successfully. I’ve managed to “semi-join” using “realm” (part of realmd package). Now it claims to be a member server, but the LDAP server IP is unset. Very unhappy. “sssd” appears to be in some sort of startup / crash loop.
Using net ads join + winbind also did something, but essentially it ain’t working for me.


[global]
        security = ADS
        realm = **DOMAINHERE**
        workgroup = **WORKGROUPHERE**
        log file = /var/log/samba/%m.log
        kerberos method = secrets and keytab
        client signing = yes
        min protocol = SMB3
        disable spoolss = yes
        max protocol = SMB3
        winbind use default domain = yes
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind offline logon = yes
        winbind expand groups = 2
        template homedir = /home/%D/%U
        template shell = /bin/bash
        usershare allow guests = No
        winbind refresh tickets = yes
        max open files = 940790
        ea support = yes
        lm announce = yes       
        local master = no
        domain master = no
        case sensitive = true
        use sendfile = yes
        large readwrite = yes
        getwd cache = true
        block size = 262144
        idmap gid = 10000-20000
        idmap uid = 10000-20000

No problems with 2016/2019 domain here.

AD DNS is used.

Did you joing with YaST?

I’ve progressed a bit further. After completely disabling apparmor, I can join our domain with YaST. Still winbind auth fails…

Yes, no issues.

Tested with fresh 15.3 VM in VMware, bog standard 2019 DC’s, DNS hosted on the DCs themselves and SUSE box has both set via resolv.conf.

You’re not using .local as the domain name by the way? That might cause issues.

Fresh box;
YAST > Network Services > Windows Domain Membership
Type domain.fi
Use SMB Information for Linux Authentication
Create Home Directory on Login
Offline Authentication
Single Sign-on for SSH

YAST wants to install krb5-client… wait a moment.

"This host is not a member of the domain <SOMETHING>.

Join the domain <SOMETHING>

Yes > Username Domain Admin + Pass > Domain <SOMETHING> joined successfully > Machine account successfully created and net getdomainsid gives proper SID for machine, net ads info gives proper info.

No. I use our official domain name. DNS resolvable and all. It works up until Leap 15.2 (with smb.conf fix). I will check if 15.3 works with apparmor off. The last test was with tumbleweed.

Hmmm…

For me 15.3 has some issues with “SambaAD.pm(SamaAD::GetRealm)”, which returns “(null)” in my case.


#y2log

2022-05-19 18:29:05 <1> XXX.client-fqdn(1858) [Perl] modules/SambaAD.pm(SambaAD::GetADS):112 get ads: workgroup: "FQDN"
2022-05-19 18:29:05 <1> XXX.client-fqdn(1858) [Python] modules/SambaAPI.py(GetLDAPDS):30 Found LDAP/DS server "XXX.DC.FQDN" via cldap ping
2022-05-19 18:29:06 <1> XXX.client-fqdn(1858) [Perl] modules/SambaAD.pm(SambaAD::GetADS):232 returning server: "XXX.DC.FQDN"
2022-05-19 18:29:06 <1> XXX.client-fqdn(1858) [Python] modules/SambaAPI.py(ADDomain2Workgroup):42 workgroup: ADS
2022-05-19 18:29:06 <1> XXX.client-fqdn(1858) [Perl] modules/SambaAD.pm(SambaAD::GetRealm):300 realm: (null) <-- this should be "FQDN" (as with 15.0 / 15.1 / 15.2)

Said perl module also tries to create a “dummy-conf” for getting info on the “realm”. That file is empty :frowning:

Fresh install of 15.3 - apparmor off - firewall off - I can ping our domain - I can do DNS lookups of the domain, DCs and so forth.

If you run:
sudo net ads info -S YOURADSERVERFQDN

From bash, what does it say?


#Leap 15.0 (AD joined - everything OK):

LDAP server: "valid IP"
LDAP server name: "valid FQDN of a DC" resolving to LDAP server IP
Realm: "valid FQDN" of our domain (unique)
Bind Path: dc=XXX,dc=YYY,dc=ZZZ (same as realm)
LDAP port: 389
Server time: Thu, 19 May 2022 19:58:08 CEST
KDC server: "valid IP" (same as LDAP server)
Server time offset: 0
Last machine account password change: Thu, 19 May 2022 00:11:59 CEST


#Leap 15.1 (AD joined - everything OK):

LDAP server: "valid IP" (different one, we have multiple DC)
LDAP server name: "valid FQDN of a DC" resolving to LDAP server IP
Realm: valid FQDN" of our domain (unique)
Bind Path: dc=XXX,dc=YYY,dc=ZZZ (same as realm)
LDAP port: 389
Server time: Thu, 19 May 2022 20:02:37 CEST
KDC server: "valid IP" (same as LDAP server)
Server time offset: 0
Last machine account password change: Thu, 19 May 2022 10:18:28 CEST


#Leap 15.2 (AD joined - mostly OK - some smb.conf tweaking after joining):

LDAP server: "valid IP" (different one, we have multiple DC)
LDAP server name: "valid FQDN of a DC" resolving to LDAP server IP
Realm: "valid FQDN" of our domain (unique)
Bind Path: dc=XXX,dc=YYY,dc=ZZZ (same as realm)
LDAP port: 389
Server time: Thu, 19 May 2022 20:03:17 CEST
KDC server: "valid IP" (same as LDAP server)
Server time offset: 0
Last machine account password change: Thu, 19 May 2022 10:32:14 CEST


#Leap 15.3 (AD join fails):

LDAP server: 0.0.0.0
LDAP server name: (null)
Realm: (null)
Bind Path: (null)
LDAP port: 0
Server time: Thu, 19 May 2022 20:03:30 CEST
KDC server: "valid IP" (same as LDAP server should be) - IP resolves to proper name with nslookup
Server time offset: 0
Last machine account password change: Thu, 01 Jan 1970 01:00:00 CET

I think this is the bug;
https://bugzilla.samba.org/show_bug.cgi?id=14674

Looks like it works if the server has FSMO roles but fails if it doesn’t.

Can you try the 15.3 version against multiple DCs (the net ads info one)?

I think that is it!

On Leap 15.1 I can run “net ads info -S DC.xxx.xxx.xxx” against all of our DCs and it gives proper results for all of them.
Doing the same on Leap 15.3 I get one usable result and all the other ones fail with the (null) pest. So the chances of getting the right one (round robin DNS) are rather slim.

Thanks for sleuthing!

For reference: https://bugzilla.opensuse.org/show_bug.cgi?id=1199734

Good catch. That looks like the issue! :slight_smile: