networking -- Samba as a DC on Kubernetes, can't join the domain

by Sentrigan   Last Updated July 11, 2019 19:00 PM - source

As the title would lead you to believe, I'm trying to run Samba as a Domain Controller for Active Directory, running on a Centos 7 container, which is handled by Kubernetes.

The hostname of the container running the Domain Controller is samba-dc1 and the container trying to join is samba-dm1.

When working with Docker standalone, using the default bridge network, nothing goes wrong: a domain is provisioned (let's call it cool.domain), and other containers can join this domain.

This is the result of attempting to join this domain, when the container runs on Kubernetes:

echo cool.password | adcli join --domain COOL.DOMAIN --login-user Administrator --stdin-password --verbose
 * Using domain name: COOL.DOMAIN
 * Calculated computer account name from fqdn: SAMBA-DM1
 * Calculated domain realm from name: COOL.DOMAIN
 * Discovering domain controllers: _ldap._tcp.COOL.DOMAIN
 * Sending netlogon pings to domain controller: cldap://10.248.x.x
 * Sending netlogon pings to domain controller: cldap://172.17.x.x
 * Sending netlogon pings to domain controller: cldap://10.42.x.x
 * Sending netlogon pings to domain controller: cldap://10.248.x.x
 * Received NetLogon info from: samba-dc1.cool.domain
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-9v6tQG/krb5.d/adcli-krb5-conf-aVRvyG
 * Authenticated as user: [email protected]
 ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
adcli: couldn't connect to COOL.DOMAIN domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

We can see there's a lot wrong: whatever automatic DNS records Samba is making are using every network interface available, and Kerberos is having some problems finding the server. At this point, I check:

  • The contents of /etc/krb5.conf (see below)
  • Connectivity between both nodes (ping, telnet & tcpdump)
  • Credentials (work)
  • kinit (works)
  • nslookup (see below)
  • Changing the DNS records with samba-tool and samba_dnsupdate
...
[realms]
COOL.DOMAIN = {
kdc = SAMBA-DC1.COOL.DOMAIN
admin_server = SAMBA-DC1.COOL.DOMAIN
kdc = SAMBA-DC1.EC2.INTERNAL.COOL.DOMAIN
admin_server = SAMBA-DC1.EC2.INTERNAL.COOL.DOMAIN
}
...
([email protected] /)$ nslookup cool.domain
Server:         10.248.x.x
Address:        10.248.x.x#53

Name:   cool.domain
Address: 10.248.x.x
Name:   cool.domain
Address: 172.17.x.x
Name:   cool.domain
Address: 10.42.x.x

Updating the DNS records changed the output, although not as expected. I also must be missing something somewhere, because Samba seems to periodically roll back to the original entries (tried using --host-ip during samba domain provision, but I guess I'm misunderstanding what it does?) Also, to clarify, both 10.248.x.x addresses below are the same address. That's why the output is unexpected.

echo cool.password | adcli join --domain COOL.DOMAIN --login-user Administrator --stdin-password --verbose
 * Using domain name: COOL.DOMAIN
 * Calculated computer account name from fqdn: SAMBA-DM1
 * Calculated domain realm from name: COOL.DOMAIN
 * Discovering domain controllers: _ldap._tcp.COOL.DOMAIN
 * Sending netlogon pings to domain controller: cldap://10.248.x.x
 * Sending netlogon pings to domain controller: cldap://10.248.x.x
 * Received NetLogon info from: samba-dc1.cool.domain
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-9v6tQG/krb5.d/adcli-krb5-conf-aVRvyG
 * Authenticated as user: [email protected]
 ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
adcli: couldn't connect to COOL.DOMAIN domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

After some googling, it seems like this is a DNS issue, but I'm not sure how to continue troubleshooting this. The only idea I have left is running this same setup on Docker standalone on some testing node, but I don't think I could get much information out of that.


Some info:

  • Kubernetes is being handled through Rancher, though if I understand it correctly it's just a GUI, so I'm not sure that's relevant.
  • Because joining (at least with adcli) doesn't allow specifying ports, the pod is running on the host's network namespace. I originally wanted an AWS load balancer, but needing UDP (and some other reasons) got in the way.
  • The DC and the container trying to join the domain can reach each other, confirmed via a combination of ping, telnet and tcpdump; specifically interested in 88 and 88/udp, since this seems like an issue with Kerberos.
  • Ports in question are (using Docker syntax):
    • 53 53/udp
    • 88 88/udp
    • 135
    • 137-138/udp
    • 139
    • 389 389/udp
    • 445
    • 464/udp
    • 636
    • 1024-1044
    • 3268-3269
  • Provision is done with:
samba-tool domain provision \
    --use-rfc2307 \
    --domain=cool \
    --realm=COOL.DOMAIN \
    --server-role="dc" \
    --dns-backend="SAMBA_INTERNAL" \
    --adminpass=coolpassword \
    --host-ip=10.248.x.x \
    --host-name=samba-dc1 \
    --dnspass=coolpassword

I'm not sure what else could be of use, but please let me know if I can add anything. Thanks for your time.
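Added example, not code from the question or from Samba: a small Python check of the DC's DNS records that flags the three symptoms visible in the output above (A records pointing at node-local interfaces, SRV records that do not target the DC, and a PTR name that differs from the DC's FQDN, which with MIT krb5's default rdns=true makes the client ask for a service principal the KDC never registered, i.e. "Server not found in Kerberos database"). The answer set is constructed to mirror the nslookup output in the question; the concrete addresses, the PTR name and the node-local ranges are assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed DNS answers modelled on the question's nslookup output (assumed values, not real data):
# the realm and the DC host both resolve to the host IP plus the docker0 and CNI interface addresses.
ANSWERS: Dict[Tuple[str, str], List[str]] = {
    ("cool.domain", "A"): ["10.248.0.10", "172.17.0.1", "10.42.0.1"],
    ("samba-dc1.cool.domain", "A"): ["10.248.0.10", "172.17.0.1", "10.42.0.1"],
    ("_ldap._tcp.cool.domain", "SRV"): ["samba-dc1.cool.domain"],
    ("_kerberos._tcp.cool.domain", "SRV"): ["samba-dc1.cool.domain"],
    # Assumed: the cloud provider's PTR for the host IP, not the DC's own FQDN.
    ("10.248.0.10", "PTR"): ["ip-10-248-0-10.ec2.internal"],
}

# Ranges that exist only on the node and must never be advertised to other hosts
# (assumed: a docker0 bridge and a CNI pod range matching the 172.17.x.x / 10.42.x.x in the question).
NODE_LOCAL = [ip_network("172.17.0.0/16"), ip_network("10.42.0.0/16")]


def lookup(name: str, rtype: str, answers: Dict[Tuple[str, str], List[str]] = ANSWERS) -> List[str]:
    """Case-insensitive lookup in the constructed answer set (swap in a real resolver to run live)."""
    return answers.get((name.lower(), rtype), [])


def check_dc_records(realm: str, dc_fqdn: str, expected_ip: str,
                     answers: Dict[Tuple[str, str], List[str]] = ANSWERS) -> List[str]:
    """Return human-readable findings explaining why a Kerberos client may not reach the DC."""
    findings = []
    for name in (realm, dc_fqdn):
        for ip in lookup(name, "A", answers):
            if any(ip_address(ip) in net for net in NODE_LOCAL):
                findings.append(f"{name} A {ip}: node-local interface leaked into DNS")
            elif ip != expected_ip:
                findings.append(f"{name} A {ip}: not the advertised --host-ip {expected_ip}")
    for srv in (f"_ldap._tcp.{realm}", f"_kerberos._tcp.{realm}"):
        if dc_fqdn.lower() not in [t.lower() for t in lookup(srv, "SRV", answers)]:
            findings.append(f"{srv}: SRV record does not point at {dc_fqdn}")
    # With rdns=true the client canonicalises the server name through the PTR record and builds
    # the SPN from that name; if it is not the DC's FQDN the KDC has no matching principal.
    ptr = lookup(expected_ip, "PTR", answers)
    if ptr and ptr[0].lower() != dc_fqdn.lower():
        findings.append(f"PTR for {expected_ip} is {ptr[0]}, expected {dc_fqdn}: "
                        f"clients may request ldap/{ptr[0]}@{realm.upper()}")
    return findings


if __name__ == "__main__":
    for finding in check_dc_records("cool.domain", "samba-dc1.cool.domain", "10.248.0.10"):
        print(finding)
```

Against the constructed answers it reports the two leaked interfaces for each of the two names and the PTR mismatch; a clean answer set (host IP only, PTR equal to the DC FQDN) produces no findings.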