I'm attempting to join a FreeBSD 11-RELEASE server to a Univention Samba 4.6 box that is an AD DC. I have a Mac laptop client that authenticates correctly, but the server AD join side isn't working so well. I've tried to follow several how-tos, but they're for different versions of Samba and FreeBSD or Linux.
Yes, forward and reverse DNS work for the FreeBSD server I'm trying to join, and it is pointed at the AD server, which is a Univention 4.2 box. I'm using Univention 99% for the interface, and it too is running Samba 4.6.
I can "kinit Administrator" and get a valid Kerberos ticket, but when I try to do a net ads join... it fails with "Failed to join domain: failed to create kerberos keytab". Below are the krb5.conf and smb4.conf; I've changed my domain to domain.org from my real domain. In my setup the domain is very long and the workgroup is truncated to a portion of it. The server's record is created in the AD DC box's records, so I know something happened, but I get that ugly error about the keytab.
/etc/krb5.conf
Code:
[libdefaults]
default_realm = DOMAIN.ORG
dns_lookup_realm = false
dns_lookup_kdc = true
[logging]
kdc = FILE:/var/heimdal/kdc.log
kdc = SYSLOG:INFO
default = SYSLOG:INFO:USER
/usr/local/etc/smb4.conf
Code:
[global]
security = ads
realm = DOMAIN.ORG
workgroup = DOM
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
client signing = yes
client use spnego = yes
log file = /var/log/samba/%m.log
From the FreeBSD 11 box querying the AD DC Univention box I get this:
# samba-tool domain info x.x.x.x
Forest : domain.org
Domain : domain.org
Netbios domain : DOM
DC name : ad.domain.org
DC netbios name : AD
Server site : Default-First-Site-Name
Client site : Default-First-Site-Name
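The smb4.conf above tells Samba to write a dedicated keytab (kerberos method = secrets and keytab, dedicated keytab file = /etc/krb5.keytab), so one local precondition for "failed to create kerberos keytab" is that the join process can actually create or update that file. The script below is an added example, not code from the original post or from Samba or Univention: it reads the two settings out of an smb.conf-style file and reports whether the configured keytab path is writable (or creatable in its directory). It is run here against a constructed config written to a temporary directory so it works offline; the smb_get and check_keytab_target function names are this example's own. Falling back to /etc/krb5.keytab when the key is absent is an assumption taken from the path used in the post, not a statement of Samba's default.

```shell
#!/bin/sh
# Added example (not from the original post): check the keytab prerequisites
# implied by "kerberos method = secrets and keytab" in an smb.conf-style file.

# smb_get FILE KEY: print the value of KEY (case-insensitive, spaces allowed)
# from FILE, first match only. Keys may be indented as in the post's config.
smb_get() {
    awk -v key="$2" '
        tolower($0) ~ "^[[:space:]]*" tolower(key) "[[:space:]]*=" {
            v = $0
            sub(/^[^=]*=/, "", v)                 # drop "key ="
            sub(/^[[:space:]]+/, "", v)           # trim leading blanks
            sub(/[[:space:]]+$/, "", v)           # trim trailing blanks
            print v
            exit
        }' "$1"
}

# check_keytab_target FILE: verdict on whether Samba could write the keytab.
# Prints one of:
#   no-keytab-method      kerberos method does not use a keytab, nothing to write
#   writable:PATH         keytab exists and is writable
#   creatable:PATH        keytab absent, but its directory is writable
#   unwritable-file:PATH  keytab exists but is not writable   (returns 1)
#   unwritable-dir:DIR    directory missing or not writable   (returns 1)
check_keytab_target() {
    conf="$1"
    method=$(smb_get "$conf" "kerberos method")
    keytab=$(smb_get "$conf" "dedicated keytab file")

    case "$method" in
        *keytab*) ;;                                  # Samba will touch a keytab
        *) echo "no-keytab-method"; return 0 ;;
    esac

    # Assumption for this example: use the path from the post when unset.
    [ -n "$keytab" ] || keytab=/etc/krb5.keytab

    if [ -e "$keytab" ]; then
        if [ -w "$keytab" ]; then
            echo "writable:$keytab"; return 0
        fi
        echo "unwritable-file:$keytab"; return 1
    fi

    dir=$(dirname "$keytab")
    if [ -d "$dir" ] && [ -w "$dir" ]; then
        echo "creatable:$keytab"; return 0
    fi
    echo "unwritable-dir:$dir"; return 1
}

# Usage: sh check_keytab.sh /usr/local/etc/smb4.conf
if [ -n "${1:-}" ]; then
    check_keytab_target "$1"
fi
```

Run it as the same user that runs net ads join (root on FreeBSD): a "writable" or "creatable" verdict rules out plain filesystem permissions on the keytab path as the cause, while the other verdicts point at the local file or directory. It deliberately does not try to reach the DC; anything the DC reports would have to be checked on that side.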