When I try to join a new SLES 12 SP3 host (on System z) that is on a fairly current patch level, the ‘net ads join…’ command fails with “Failed to join domain: failed to set machine kerberos encryption types: Insufficient access”.
The exact same procedure was used to build several new SLES 12 SP3 hosts a few months ago and was successful. The only difference that I can find is that this host is at a patch level from October, 2018.
I found a new host that hadn’t yet had the ‘net ads join…’ command issued and that was at the October, 2018, patch level; when the command was issued, it ran successfully. That leads me to believe that something in the newer RPMs has caused the issue.
The procedure I am following consists of:
- Join the host to the domain. An AD Administrator issues the command as root and supplies his password.
[CODE]net ads join member -S v99xxxxx2k8-01.xxxxx.int -U u20069 --no-dns-updates createcomputer='/Member Servers/Linux and Unix Servers'[/CODE]
- Customize Windows Domain Membership using ‘YaST → Network Services → Windows Domain Membership’. I then toggle on “Create Home Directory on Login” and “Single Sign-on for SSH”. I leave “Offline Authentication” toggled off. When I select OK, YaST installs krb5-client and samba-winbind.
I stopped the host build process for seven new hosts because the ‘net ads join…’ command failed on each of them.
Is the procedure I’m following correct? This same procedure was used to clone and build dozens of new SLES 12 SP3 hosts in 2018.
I opened an SR with IBM (they provide support for my client) almost a month ago but haven’t gotten very far - that is why I created this post.
krb5.conf (modified for client privacy)
[CODE][libdefaults]
    # This is the default_realm for the host server
    default_realm = xxxDHS.INT
    clockskew = 300
    # To avoid KRB5KRB_ERR_RESPONSE_TOO_BIG response from KDC when first
    # attempting to send messages via UDP, set the UDP preference
    # limit to 1 to force TCP to be used instead for the first attempt.
    udp_preference_limit = 1
    # "dns_canonicalize_hostname" and "rdns" are better set to false for improved security.
    # If set to true, the canonicalization mechanism performed by Kerberos client may
    # allow service impersonation, the consequence is similar to conducting TLS certificate
    # verification without checking host name.
    # If left unspecified, the two parameters will have default value true, which is less secure.
    dns_canonicalize_hostname = false
    rdns = false
    #
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[realms]
    AGENCY.xxx.LOCAL = {
        # To get list of domain controllers use the following command in a Windows command prompt:
        # "C:\\Windows\\System32\\nltest" /dclist:agency.xxx.local | find "xxxC"
        kdc = ldp-agn01.agency.xxx.local
        kdc = ldp-agn02.agency.xxx.local
        kdc = ldp-agn03.agency.xxx.local
        kdc = ldp-agn04-000.agency.xxx.local
        default_domain = agency.xxx.local
        admin_server = ldp-agn01.agency.xxx.local
        # Only the auth-to-local value is checked in the default_realm specified in the libdefaults.
        # You must include a check against $0 which is the REALM name to be able to distinguish different
        # domains in a multiple domain environment.
        ####### Rule mapping principal PRINCIPAL@AGENCY.xxx.LOCAL to AGENCY\\principal
        ####### auth_to_local = RULE:[1:$0\\$1](AGENCY.xxx.LOCAL\\\\.*)s/A/a/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/agency.xxx.local/AGENCY/
        # Rule mapping principal PRINCIPAL@xxxDHS.INT to xxxDHS\\principal
        auth_to_local = RULE:[1:$0\\$1](xxxDHS.INT\\\\.*)s/A/a/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/xxxdhs.int/xxxDHS/
        # For extra security we code a specific check in place of the DEFAULT check which we have removed. This way
        # we know we are only allowing the REALMs through that we want to limit access to.
        # Rule mapping principal PRINCIPAL@AGENCY.xxx.LOCAL to principal
        auth_to_local = RULE:[1:$0\\$1](AGENCY.xxx.LOCAL\\\\.*)s/A/a/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/agency.xxx.local\\\\//
        # auth_to_local = DEFAULT
    }
    xxxDHS.INT = {
        # To get list of domain controllers use the following command in a Windows command prompt:
        # "C:\\Windows\\System32\\nltest" /dclist:xxxdhs.int | find "Mainframe"
        # We add to the list the name v99xxxdhs2k8-02 in case it is stood up again.
        kdc = v99xxxdhs2k8-01.xxxdhs.int
        kdc = v99xxxdhs2k8-02.xxxdhs.int
        # We also add s99xxxdhs6.xxxdhs.int it is on the 10.5.0.0/16 subnet thus it is reachable if agency is the default
        # domain and we code a route through xxxDHS network for 10.5.0.0/16.
        kdc = s99xxxdhs6.xxxdhs.int
        default_domain = xxxdhs.int
        admin_server = v99xxxdhs2k8-01.xxxdhs.int
        # Only the auth-to-local value is checked in the default-realm specified in the libdefaults.
        # You must include a check against $0 which is the REALM name to be able to distinguish different
        # domains in a multiple domain environment.
        # Rule mapping principal PRINCIPAL@AGENCY.xxx.LOCAL to AGENCY\\principal
        auth_to_local = RULE:[1:$0\\$1](AGENCY.xxx.LOCAL\\\\.*)s/A/a/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/agency.xxx.local/AGENCY/
        ####### Rule mapping principal PRINCIPAL@xxxDHS.INT to xxxDHS\\principal
        ####### auth_to_local = RULE:[1:$0\\$1](xxxDHS.INT\\\\.*)s/A/a/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/xxxdhs.int/xxxDHS/
        # For extra security we code a specific check in place of the DEFAULT check which we have removed. This way
        # we know we are only allowing the REALMs through that we want to limit access to.
        # Rule mapping principal PRINCIPAL@xxxDHS.INT to principal
        auth_to_local = RULE:[1:$0\\$1](xxxDHS.INT\\\\.*)s/A/a/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/xxxdhs.int\\\\//
        # auth_to_local = DEFAULT
    }
[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
    # default = SYSLOG:DEBUG:DAEMON
[domain_realm]
    agency.xxx.local = AGENCY.xxx.LOCAL
    .agency.xxx.local = AGENCY.xxx.LOCAL
    xxxdhs.int = xxxDHS.INT
    .xxxdhs.int = xxxDHS.INT
[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
    }
[/CODE]
smb.conf (modified for client privacy)
[CODE]# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
[global]
workgroup = xxxDHS
passdb backend = tdbsam
security = ADS
kerberos method = secrets and keytab
realm = xxxDHS.INT
wins support = No
domain logons = No
domain master = No
allow trusted domains = Yes
# Use the following ignore domains statement for AGENCY and xxxDHS joins
# List was obtained first by issuing the following command on a server already joined to the domain
# wbinfo --trusted-domains
# The list was taken, consolidated, and sorted.
# The list can then be validated by looking at the log files in /var/log/samba
# ls -l /var/log/samba/log.wb-*
winbind:ignore domains = DCS DMHSAS EBC EDSDOMxxxXIX HCA_LAN OAG ODEQ ODOC5 OHCFS xxx xxxAGRICULTURE xxxCAREERTECH xxxDHSDMZ xxxDHSROOT xxxLADOT xxxSDE OSDH OSTNT OWRB PHIN SIB VOIP WMIS_NETWORK
# Don't use the tsm interface to send broadcasts over. This has caused problems doing a join
# where the eth1 address could be used in the kerberos config file krb5.conf
interfaces = eth0 eth2
# Allowing dns updates could cause eth1 address to be updated to dns, we don't want this to occur.
allow dns updates = disabled
# Per https://www.suse.com/support/kb/doc.php?id=7017489 the following statement may also help
# to prevent eth1 ip address from being updated to dns. This is not true, a join needs to be
# done with net command with --no-dns-updates specified.
bind interfaces only = yes
# Cut down on needless broadcasting.
name resolve order = host
# If there is a problem with domain controllers retrieved via DNS then the following statement
# can be used to control preference. This is particularly useful where there is a failure on
# one of the AGENCY Domain Controllers either to reach it or for it to reach the xxxDHS
# Domain Controllers participating in the join. When making a change to the "password server" statement
# in order to implement it you must stop samba "systemctl stop service", must delete all trivial
# databases "rm /var/lib/samba/*.tdb", and then start samba back up "systemctl start smb". Also stop
# and start winbind for safety. This is necessary because samba will cache the last good DC
# it accessed and will use it first in its preference list ahead of what is specified in the
# "password server" statement. To clear its mind you must do the prior mentioned delete.
########For AGENCY domain:
########password server = LDP-AGN01.agency.xxx.local, *
########For xxxDHS domain:
########password server = v99xxxdhs2k8-01.xxxdhs.int, *
password server = v99xxxdhs2k8-01.xxxdhs.int, *
###############################################################################################################
# Disable smb printing
###############################################################################################################
load printers = no
show add printer wizard = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
###############################################################################################################
# Logging
###############################################################################################################
max log size = 0
log file = /var/log/samba/log.%m
# Some big logs with debug level 8 if left on for days.
debug level = 1
###############################################################################################################
# User Configuration
###############################################################################################################
template shell = /bin/bash
map to guest = Bad User
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
template homedir = /home/%D/%U
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
# Synchronize unix password to domain password:
unix password sync = yes
# Program used to synchronize unix password note this must be specified because for SLES the passwd program
# does not reside in the default location for this parameter.
passwd program = /usr/bin/passwd
###############################################################################################################
# Id Mapping
###############################################################################################################
# For Domain xxxDHS:
# For trust to AGENCY to work DNS must point to v99xxxdhs2k8-01.xxxdhs.int
# Thus recommended setting for DNS for Samba servers is: 10.5.10.22 followed by 10.8.0.52
idmap config AGENCY : backend = rid
idmap config AGENCY : range = 090000000-090999999
idmap config xxxDHS : backend = rid
idmap config xxxDHS : range = 830000000-830999999
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
# Do not use base rid of 1000 because built-in sids range from 500 to 999
# for example "domain users" is 513 which we require.
idmap config xxxDHS : base_rid = 1000
###############################################################################################################
# Server Level Access controls
###############################################################################################################
# !! Important !!
# Be sure to update /etc/security/pam_winbind.conf with group names maintained here
# if you want the particular users to also be able to login to the host.
# To update /etc/security/pam_winbind.conf run the script: winbindconfedit
valid users = @"xxxDHS\XXXX.zlinux.Sysprog.zLinux.admin", \
#wfr: @"xxxDHS\XXXX.zlinux.Database.dba.oracle", \
#wfrdhsPROD: "xxxDHS\prxy410", \
#wfrdhsTEST: "xxxDHS\prxy415", \
#wfrdhsDEV: "xxxDHS\prxy420", \
#wfrkidsPROD: "xxxDHS\pxy246", \
#wfrkidsTEST: "xxxDHS\pxy247", \
#wfrkidsDEV: "xxxDHS\pxy248", \
#wfrdhsPROD: @"xxxDHS\WF.PROD.zlinux.prog.dhs.afs", \
#wfrdhsPROD: @"xxxDHS\WF.PROD.zlinux.prog.dhs.aps", \
#wfrdhsPROD: @"xxxDHS\WF.PROD.zlinux.prog.dhs.elders", \
#wfrdhsPROD: @"xxxDHS\WF.PROD.zlinux.prog.dhs.finpay", \
#wfrdhsPROD: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ocaccm", \
#wfrdhsPROD: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ocss", \
#wfrdhsPROD: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ppmdash", \
#wfrdhsPROD: @"xxxDHS\WF.PROD.zlinux.prog.dhs.userrpts", \
#wfrdhsTEST: @"xxxDHS\WF.PROD.zlinux.prog.dhs.afs", \
#wfrdhsTEST: @"xxxDHS\WF.PROD.zlinux.prog.dhs.aps", \
#wfrdhsTEST: @"xxxDHS\WF.PROD.zlinux.prog.dhs.elders", \
#wfrdhsTEST: @"xxxDHS\WF.PROD.zlinux.prog.dhs.finpay", \
#wfrdhsTEST: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ocaccm", \
#wfrdhsTEST: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ocss", \
#wfrdhsTEST: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ppmdash", \
#wfrdhsTEST: @"xxxDHS\WF.PROD.zlinux.prog.dhs.userrpts", \
#wfrdhsDEV: @"xxxDHS\WF.PROD.zlinux.prog.dhs.afs", \
#wfrdhsDEV: @"xxxDHS\WF.PROD.zlinux.prog.dhs.aps", \
#wfrdhsDEV: @"xxxDHS\WF.PROD.zlinux.prog.dhs.elders", \
#wfrdhsDEV: @"xxxDHS\WF.PROD.zlinux.prog.dhs.finpay", \
#wfrdhsDEV: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ocaccm", \
#wfrdhsDEV: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ocss", \
#wfrdhsDEV: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ppmdash", \
#wfrdhsDEV: @"xxxDHS\WF.PROD.zlinux.prog.dhs.userrpts", \
@"xxxDHS\WF.PROD.zlinux.admin.dhs", \
@"xxxDHS\WF.PROD.zlinux.prog.dhs", \
@"AGENCY\Mainframe Systems Group - zLinux Admins"
# Following users get "root" authority so they can manage ACLs for shares where
# we want ACLs. The users can read/write all files regardless of permissions.
admin users = \
@"xxxDHS\XXXX.zlinux.Sysprog.zLinux.admin", \
@"AGENCY\Mainframe Systems Group - zLinux Admins"
# When updating invalid users also update invalid users on homes share.
invalid users = root bin daemon adm sync shutdown \
halt mail news uucp operator \
sysadmin sysoper oracle
usershare allow guests = No
###############################################################################################################
# Winbind settings
###############################################################################################################
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind refresh tickets = no
winbind offline logon = no
###############################################################################################################
# General Share Definitions
###############################################################################################################
browseable = Yes
read only = No
vfs objects = acl_xattr
# This parameter is forced to 0770 if using vfs objects = acl_xattr above.
directory mask = 0770
# This parameter is forced to 0770 if using vfs objects = acl_xattr above.
create mask = 0770
# Must use force group to prevent "Domain Users" from being granted rwx on any file
# created in the share. "nobody" prevents access being granted to a group apart from
# ACL definitions.
# There is a warning on one of the web pages talking about using mmc snapin to
# manage access that forcing group to nobody could cause a lock out of that function.
force group = nobody
# Allows set ACL mask to "rwx".
# This parameter is forced to Yes if using vfs objects = acl_xattr above.
inherit acls = Yes
# Allow owners with write permission to alter permissions.
# This parameter is forced to Yes if using vfs objects = acl_xattr above.
dos filemode = yes
inherit owner = No
map acl inherit = Yes
acl map full control = True
map hidden = no
map system = no
map archive = no
map readonly = no
store dos attributes = yes
###############################################################################################################
# Share Definitions
###############################################################################################################
[homes]
comment = Home Directories
# The below line will ensure that only the user can connect to his own home directory,
# but if you implement the below line then mapped users will not be able
# to access their home directories. As a result we do not implement the below line.
# Once a user maps his own home directory he will be able to map any home directory
# allowed by UNIX security. Of course the global valid users limits access as a whole.
# valid users = %S, %D%w%S
# Same list as global list except we add some additional accounts that are sensitive accounts
invalid users = root bin daemon adm sync shutdown \
halt mail news uucp operator \
sysadmin sysoper oracle \
sysdrrestore syssched
# Use native unix security without ACLs to control access to home directory data.
# We want security to be performed in a unix like manner in this share rather than a
# samba manner.
vfs objects =
directory mask = 0700
create mask = 0600
inherit acls = No
dos filemode = No
inherit owner = Yes
map acl inherit = No
acl map full control = False
## Share disabled by YaST
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
#[users]
# comment = All users
# path = /home
# Hide directories starting with "sys"
# veto files = /sys*/
[apps]
comment = ibi apps
#wfrdhs: comment = ibi apps
#wfroig: comment = ibi wfs apps
#wfrkids: comment = ibi apps
path = /opt/ibi/apps
#wfrdhs: path = /opt/ibi/apps
#wfroig: path = /opt/ibi/oig-wfs/ibi/apps
#wfrkids: path = /opt/ibi/apps
#wfroig:
#wfroig:[dmapps]
#wfroig: comment = ibi dm apps
#wfroig: path = /opt/ibi/oig-wfs/ibi/apps
[install]
comment = ibi install
path = /opt/ibi/@install
valid users = @"xxxDHS\XXXX.zlinux.Sysprog.zLinux.admin", \
@"xxxDHS\WF.PROD.zlinux.admin.dhs"
force user = ibi
force group = ibi
#wfrkids:# Child Password Application Share
#wfrkids:[sde]
#wfrkids: comment = Child Passport
#wfrkids: path = /opt/ibi/apps/sde
## Share disabled by YaST
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
## Share disabled by YaST
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
## Share disabled by YaST
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
## Share disabled by YaST
[netlogon]
[/CODE]
Harley
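The krb5.conf comments in the post explain that the `[1:$0\$1]` format and the realm check in each rule's regex are what keep AGENCY and xxxDHS principals apart once DEFAULT is removed. As an added example (not code from the post or from MIT krb5), the Python below evaluates the two active rules of the xxxDHS.INT realm block with MIT krb5's RULE semantics (component-count check, whole-string regex match, then the sed edits in order), so the local names they produce can be checked offline; the rules are transcribed with single backslashes where the post's rendering shows them doubled, and the principals fed in are constructed.

```python
import re

# The two active auth_to_local rules from the post's xxxDHS.INT realm block (the
# block krb5 consults, since xxxDHS.INT is the default_realm), single-backslash form.
LOWERCASE = "".join(f"s/{c}/{c.lower()}/g " for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ")
AUTH_TO_LOCAL = [
    r"RULE:[1:$0\$1](AGENCY.xxx.LOCAL\\.*)" + LOWERCASE + "s/agency.xxx.local/AGENCY/",
    r"RULE:[1:$0\$1](xxxDHS.INT\\.*)" + LOWERCASE + r"s/xxxdhs.int\\//",
    # "auth_to_local = DEFAULT" is deliberately absent, exactly as in the post.
]
DEFAULT_REALM = "xxxDHS.INT"

RULE_RE = re.compile(r"^RULE:(?:\[(\d+):([^\]]*)\])?(?:\(([^)]*)\))?(.*)$")
SED_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)\s*")


def apply_rule(rule, components, realm):
    """Evaluate one auth_to_local entry with MIT krb5 semantics; None = no match."""
    if rule == "DEFAULT":
        # DEFAULT only maps one-component principals of the default realm.
        return components[0] if realm == DEFAULT_REALM and len(components) == 1 else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparsable rule: {rule}")
    n, fmt, selector, seds = m.groups()
    if n is not None:
        # [n:string] applies only to principals with exactly n components;
        # $0 expands to the realm, $1..$n to the components.
        if int(n) != len(components):
            return None
        parts = [realm] + components
        selection = re.sub(r"\$(\d)", lambda g: parts[int(g.group(1))], fmt)
    else:
        selection = "/".join(components) + "@" + realm
    # The (regexp) must match the whole selection string, not just a substring.
    if selector is not None and not re.fullmatch(selector, selection):
        return None
    # Then the s/pattern/replacement/[g] edits run in order (replacement inserted literally).
    for pattern, repl, flag in SED_RE.findall(seds):
        selection = re.sub(pattern, lambda _m, r=repl: r, selection, count=0 if flag else 1)
    return selection


def auth_to_local(principal):
    """Map a Kerberos principal to a local name; None means the login is refused."""
    name, _, realm = principal.rpartition("@")  # escaped '@' in names is not handled
    components = name.split("/")
    for rule in AUTH_TO_LOCAL:
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None
```

With these rules `JDoe@xxxDHS.INT` becomes `jdoe` and `JDoe@AGENCY.xxx.LOCAL` becomes `AGENCY\jdoe`, while a two-component service principal or a principal from any other realm gets no local name at all.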