alex.ranskis at free.fr
2012-May-21 16:17 UTC
[Samba] 3.6.5 and "not_defined_in_RFC4178@please_ignore" error
Hello, We're having trouble joining an AD domain with 3.6.5 This message when running net join looks fishy : "got principal=not_defined_in_RFC4178 at please_ignore" OS : Solaris 10 x64 Kerberos : MIT krb5 1.10.1 DC servers are running Windows 2008 The error message is : ./net join -U aranskis Enter aranskis's password: Failed to join domain: failed to lookup DC info for domain 'CORP.NET' over rpc: Logon failure ADS join did not work, falling back to RPC... Unable to find a suitable server for domain CORP Unable to find a suitable server for domain CORP with -d9, here's the hopefully relevant output : ads_dns_lookup_srv: 18 records returned in the answer section. namecache_store: storing 18 addresses for CORP.NET#1c: 10.219.244.253, [List of DCs IP follows] [..] Successfully contacted LDAP server 10.219.244.253 [..] got principal=not_defined_in_RFC4178 at please_ignore [..] SPNEGO login failed: Logon failure failed session setup with NT_STATUS_LOGON_FAILURE libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx out: struct libnet_JoinCtx account_name : NULL netbios_domain_name : NULL dns_domain_name : NULL forest_name : NULL dn : NULL domain_sid : NULL domain_sid : (NULL SID) modified_config : 0x00 (0) error_string : 'failed to lookup DC info for domain 'CIB.NET' over rpc: Logon failure' domain_is_ad : 0x00 (0) result : WERR_LOGON_FAILURE relevant configuration options : [global] realm=CORP.NET workgroup=CORP.NET security=ADS encrypt passwords = yes bind interfaces only = true interfaces = msusersncs Any hints on the best way to try and figure out what is wrong when trying to register in the AD ? (the same config worked with samba 3.4.x, but the DCs were running Windows 2003) Cheers, Alex
Jim McDonough
2012-May-23 11:59 UTC
[Samba] 3.6.5 and "not_defined_in_RFC4178@please_ignore" error
On Mon, May 21, 2012 at 12:17 PM, <alex.ranskis at free.fr> wrote:> We're having trouble joining an AD domain with 3.6.5 > > This message when running net join looks fishy : > "got principal=not_defined_in_RFC4178 at please_ignore"I'm sure it looks fishy, but it's not. This is normal for newer versions of windows (windows is sending it back).> > OS : Solaris 10 x64 > Kerberos : MIT krb5 1.10.1 > DC servers are running Windows 2008 > > The error message is : > ./net join -U aranskis > Enter aranskis's password: > Failed to join domain: failed to lookup DC info for domain 'CORP.NET' > over rpc: Logon failure > ADS join did not work, falling back to RPC... > Unable to find a suitable server for domain CORP > Unable to find a suitable server for domain CORP > > with -d9, here's the hopefully relevant output : > > ads_dns_lookup_srv: 18 records returned in the answer section. > namecache_store: storing 18 addresses for CORP.NET#1c: 10.219.244.253, [List of > DCs IP follows] > [..] > Successfully contacted LDAP server 10.219.244.253 > [..] > got principal=not_defined_in_RFC4178 at please_ignore > [..]What's cut out here might be more helpful. However, please see below and try that first.> SPNEGO login failed: Logon failure > failed session setup with NT_STATUS_LOGON_FAILURE > libnet_Join: > ? ?libnet_JoinCtx: struct libnet_JoinCtx > ? ? ? ?out: struct libnet_JoinCtx > ? ? ? ? ? ?account_name ? ? ? ? ? ? : NULL > ? ? ? ? ? ?netbios_domain_name ? ? ?: NULL > ? ? ? ? ? ?dns_domain_name ? ? ? ? ?: NULL > ? ? ? ? ? ?forest_name ? ? ? ? ? ? ?: NULL > ? ? ? ? ? ?dn ? ? ? ? ? ? ? ? ? ? ? : NULL > ? ? ? ? ? ?domain_sid ? ? ? ? ? ? ? : NULL > ? ? ? ? ? ? ? ?domain_sid ? ? ? ? ? ? ? : (NULL SID) > ? ? ? ? ? ?modified_config ? ? ? ? ?: 0x00 (0) > ? ? ? ? ? ?error_string ? ? ? ? ? ? : 'failed to lookup DC info for domain > 'CIB.NET' over rpc: Logon failure' > ? ? ? ? ? ?domain_is_ad ? ? ? ? ? ? : 0x00 (0) > ? ? ? ? ? ?result ? ? ? ? ? ? ? ? ? : WERR_LOGON_FAILURE > > > relevant configuration options : > > [global] > ? ? ? ?realm=CORP.NET > ? ? ? ?workgroup=CORP.NETPlease try changing this to just CORP (or whatever the "short" netbios name is for the domain...not the dns name).> ? ? ? ?security=ADS > ? ? ? ?encrypt passwords = yes > ? ? ? ?bind interfaces only = true > ? ? ? ?interfaces = msusersncs > > > > Any hints on the best way to try and figure out what is wrong when > trying to register in the AD ? > (the same config worked with samba 3.4.x, but the DCs were running Windows 2003)-- Jim McDonough Samba Team SUSE labs jmcd at samba dot org jmcd at themcdonoughs dot org