Mag. Leonhard Landrock
2007-Feb-12 21:02 UTC
Fwd: [Samba] Joining a SAMBA 4 TP4 Active Directory with WinXP
On Monday, 12 February 2007 14:43, paul wrote:
> Mag. Leonhard Landrock wrote:
> > *) Start a virtual machine with WinXP SP2 and trying to join the domain
> > LEOSENDE.FUN.
> >
> > The last point (joining the domain) doesn't work. I try the username
> > Administrator and the password as set with "./setup/provision" but it
> > doesn't work. I simply get unknown username or wrong password.
>
> Hi, my preliminary checklist:
>
> - make sure XP has the samba4 server setup as dns server

Checked and OK: XP has the samba4 server set up as dns server :-)

> - check dns for the various _ldap._tcp entries from XP

I'm not quite sure how I should do that. I tried nslookup but didn't get an IP address in response.

> - start samba with smbd -i -d3 or higher and check the debug messages

That makes sense. Thank you!

Ooops! Seems like a problem with the time (UTC vs. local time). Kerberos says that the time skew is too great.

Here comes the output:

"Initialising global parameters
lp_load: refreshing parameters from /usr/local/samba/etc/samba/smb.conf
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/samba/smb.conf"
Processing section "[globals]"
Processing section "[test]"
adding hidden service IPC$
adding hidden service ADMIN$
smbd version 4.0.0tp4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2007
SHARE backend [ldb] registered.
SHARE backend [classic] registered.
AUTH backend 'winbind_samba3' registered
AUTH backend 'winbind' registered
AUTH backend 'name_to_ntstatus' registered
AUTH backend 'fixed_challenge' registered
AUTH backend 'unix' registered
AUTH backend 'anonymous' registered
AUTH backend 'sam' registered
AUTH backend 'sam_ignoredomain' registered
GENSEC backend 'krb5' registered
gensec subsystem fake_gssapi_krb5 is disabled
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
gensec subsystem gssapi_spnego is disabled
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'ntlmssp' registered
NTPTR backend 'simple_ldb'
NTVFS backend 'simple' for type 0 registered
NTVFS backend 'cifs' for type 0 registered
NTVFS backend 'nbench' for type 0 registered
NTVFS backend 'unixuid' for type 0 registered
NTVFS backend 'unixuid' for type 1 registered
NTVFS backend 'unixuid' for type 2 registered
NTVFS backend 'cifsposix' for type 0 registered
NTVFS backend 'default' for type 2 registered
NTVFS backend 'xattr' registered
NTVFS backend 'nfs4acl' registered
NTVFS backend 'default' for type 1 registered
NTVFS backend 'default' for type 0 registered
NTVFS backend 'posix' for type 0 registered
PROCESS_MODEL 'standard' registered
PROCESS_MODEL 'single' registered
DCERPC endpoint server 'wkssvc' registered
DCERPC endpoint server 'samr' registered
DCERPC endpoint server 'drsuapi' registered
DCERPC endpoint server 'spoolss' registered
DCERPC endpoint server 'winreg' registered
DCERPC endpoint server 'epmapper' registered
DCERPC endpoint server 'srvsvc' registered
DCERPC endpoint server 'netlogon' registered
DCERPC endpoint server 'rpcecho' registered
DCERPC endpoint server 'unixinfo' registered
DCERPC endpoint server 'remote' registered
DCERPC endpoint server 'dssetup' registered
DCERPC endpoint server 'lsarpc' registered
smbd: using 'standard' process model
added interface ip=10.0.0.123 nmask=255.255.255.0
added interface ip=192.168.1.123 nmask=255.255.255.0
Received dgram packet of length 230 from 192.168.1.100:138
Browse LocalMasterAnnouncement (Op 15) on 'FUN<1e>' '\MAILSLOT\BROWSE' from 192.168.1.100:138
Received dgram packet of length 230 from 10.0.0.125:138
Browse LocalMasterAnnouncement (Op 15) on 'FUN<1e>' '\MAILSLOT\BROWSE' from 10.0.0.125:138
Received dgram packet of length 230 from 10.0.0.125:138
Browse LocalMasterAnnouncement (Op 15) on 'FUN<1e>' '\MAILSLOT\BROWSE' from 10.0.0.125:138
Received dgram packet of length 210 from 192.168.1.100:138
Browse DomainAnnouncement (Op 12) on '%01%02__MSBROWSE__%02<01>' '\MAILSLOT\BROWSE' from 192.168.1.100:138
Received dgram packet of length 210 from 10.0.0.125:138
Browse DomainAnnouncement (Op 12) on '%01%02__MSBROWSE__%02<01>' '\MAILSLOT\BROWSE' from 10.0.0.125:138
Received dgram packet of length 210 from 10.0.0.125:138
Browse DomainAnnouncement (Op 12) on '%01%02__MSBROWSE__%02<01>' '\MAILSLOT\BROWSE' from 10.0.0.125:138
Received dgram packet of length 230 from 192.168.1.100:138
Browse LocalMasterAnnouncement (Op 15) on 'FUN<1e>' '\MAILSLOT\BROWSE' from 192.168.1.100:138
Received dgram packet of length 210 from 192.168.1.100:138
Browse DomainAnnouncement (Op 12) on '%01%02__MSBROWSE__%02<01>' '\MAILSLOT\BROWSE' from 192.168.1.100:138
added interface ip=10.0.0.123 nmask=255.255.255.0
added interface ip=192.168.1.123 nmask=255.255.255.0
added interface ip=10.0.0.123 nmask=255.255.255.0
added interface ip=192.168.1.123 nmask=255.255.255.0
Registered DEBIAN<00> with 192.168.1.123 on interface 192.168.1.255
Registered DEBIAN<00> with 10.0.0.123 on interface 10.0.0.255
Registered DEBIAN<03> with 192.168.1.123 on interface 192.168.1.255
Registered DEBIAN<03> with 10.0.0.123 on interface 10.0.0.255
Registered DEBIAN<20> with 192.168.1.123 on interface 192.168.1.255
Registered DEBIAN<20> with 10.0.0.123 on interface 10.0.0.255
Registered LEOSENDE<1b> with 192.168.1.123 on interface 192.168.1.255
Registered LEOSENDE<1b> with 10.0.0.123 on interface 10.0.0.255
Registered LEOSENDE<1c> with 192.168.1.123 on interface 192.168.1.255
Registered LEOSENDE<1c> with 10.0.0.123 on interface 10.0.0.255
Registered LEOSENDE<00> with 192.168.1.123 on interface 192.168.1.255
Registered LEOSENDE<00> with 10.0.0.123 on interface 10.0.0.255
Received cldap packet of length 133 from 10.0.0.101:1129
Received cldap packet of length 133 from 10.0.0.101:1131
Received cldap packet of length 180 from 10.0.0.101:1132
Received cldap packet of length 180 from 10.0.0.101:1133
using SPNEGO
Selected protocol [5][NT LM 0.12]
Kerberos: AS-REQ Administrator@leosende.fun from 10.0.0.101 for krbtgt/leosende.fun@leosende.fun
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- Administrator@leosende.fun
Kerberos: Looking for ENC-TS pa-data -- Administrator@leosende.fun
Kerberos: Too large time skew, client time 2007-02-12T21:50:57 is out by 3673 > 300 seconds -- Administrator@leosende.fun
Kerberos: AS-REQ Administrator@leosende.fun from 10.0.0.101 for krbtgt/leosende.fun@leosende.fun
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- Administrator@leosende.fun
Kerberos: Looking for ENC-TS pa-data -- Administrator@leosende.fun
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@leosende.fun using arcfour-hmac-md5
Kerberos: Client supported enctypes: arcfour-hmac-md5, -133, -128, des-cbc-md5, des-cbc-crc, 24, -135
Kerberos: Using arcfour-hmac-md5/aes256-cts-hmac-sha1-96
Kerberos: Requested flags: renewable_ok, canonicalize, renewable, forwardable
Kerberos: AS-REQ authtime: 2007-02-12T22:52:10 starttime: unset endtime: 2037-09-13T04:48:05 renew till: 2037-09-13T04:48:05
Kerberos: Failed to verify AP-REQ: Clock skew too great
Kerberos: Failed parsing TGS-REQ from 10.0.0.101
Kerberos: TGS-REQ Administrator@LEOSENDE.FUN from 10.0.0.101 for cifs/debian.leosende.fun@LEOSENDE.FUN [renewable, forwardable]
Kerberos: TGS-REQ authtime: 2007-02-12T22:52:10 starttime: 2007-02-12T22:52:10 endtime: 2037-09-13T04:48:05 renew till: unset
Kerberos: TGS-REQ Administrator@LEOSENDE.FUN from 10.0.0.101 for krbtgt/LEOSENDE.FUN@LEOSENDE.FUN [renewable_ok, canonicalize, renewable, forwarded, forwardable]
Kerberos: TGS-REQ authtime: 2007-02-12T22:52:10 starttime: 2007-02-12T22:52:10 endtime: 2037-09-13T04:48:05 renew till: unset
GSS Update(krb5)(1) Update failed: Miscellaneous failure (see text): Clock skew too great
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
SPNEGO login failed: NT_STATUS_LOGON_FAILURE
standard_terminate: reason[NT_STATUS_END_OF_FILE]
using SPNEGO
Selected protocol [5][NT LM 0.12]
Got NTLMSSP neg_flags=0xe2088297
Got user=[] domain=[] workstation=[MAG-CD33C6A59BB] len1=1 len2=0
auth_check_password_send: Checking password for unmapped user []\[]@[MAG-CD33C6A59BB]
auth_check_password_send: mapped user is: [LEOSENDE]\[]@[MAG-CD33C6A59BB]
10.0.0.101 closed connection to service IPC$
standard_terminate: reason[NT_STATUS_END_OF_FILE]
Received cldap packet of length 133 from 10.0.0.101:1144
Received cldap packet of length 180 from 10.0.0.101:1145
Received cldap packet of length 180 from 10.0.0.101:1146
using SPNEGO
Selected protocol [5][NT LM 0.12]
Kerberos: AS-REQ Administrator@leosende.fun from 10.0.0.101 for krbtgt/leosende.fun@leosende.fun
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- Administrator@leosende.fun
Kerberos: Looking for ENC-TS pa-data -- Administrator@leosende.fun
Kerberos: Too large time skew, client time 2007-02-12T21:51:00 is out by 3673 > 300 seconds -- Administrator@leosende.fun
Kerberos: AS-REQ Administrator@leosende.fun from 10.0.0.101 for krbtgt/leosende.fun@leosende.fun
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- Administrator@leosende.fun
Kerberos: Looking for ENC-TS pa-data -- Administrator@leosende.fun
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@leosende.fun using arcfour-hmac-md5
Kerberos: Client supported enctypes: arcfour-hmac-md5, -133, -128, des-cbc-md5, des-cbc-crc, 24, -135
Kerberos: Using arcfour-hmac-md5/aes256-cts-hmac-sha1-96
Kerberos: Requested flags: renewable_ok, canonicalize, renewable, forwardable
Kerberos: AS-REQ authtime: 2007-02-12T22:52:13 starttime: unset endtime: 2037-09-13T04:48:05 renew till: 2037-09-13T04:48:05
Kerberos: Failed to verify AP-REQ: Clock skew too great
Kerberos: Failed parsing TGS-REQ from 10.0.0.101
Kerberos: TGS-REQ Administrator@LEOSENDE.FUN from 10.0.0.101 for cifs/debian.leosende.fun@LEOSENDE.FUN [renewable, forwardable]
Kerberos: TGS-REQ authtime: 2007-02-12T22:52:13 starttime: 2007-02-12T22:52:13 endtime: 2037-09-13T04:48:05 renew till: unset
Kerberos: TGS-REQ Administrator@LEOSENDE.FUN from 10.0.0.101 for krbtgt/LEOSENDE.FUN@LEOSENDE.FUN [renewable_ok, canonicalize, renewable, forwarded, forwardable]
Kerberos: TGS-REQ authtime: 2007-02-12T22:52:13 starttime: 2007-02-12T22:52:13 endtime: 2037-09-13T04:48:05 renew till: unset
GSS Update(krb5)(1) Update failed: Miscellaneous failure (see text): Clock skew too great
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
SPNEGO login failed: NT_STATUS_LOGON_FAILURE
standard_terminate: reason[NT_STATUS_END_OF_FILE]"

> - for w2k I had to add arcfour-hmac-md5 enctype to
> $PREFIX/private/secrets.keytab, to change this edit your krb5.conf and
> reprovision or put "credentials_update_all_keytabs();" in a file and run
> it with smbscript (thanks to abartlet for this), you can check the
> content of the keytab with "ktutil -k private/secrets.keytab list".

OK.

> - vista wants aes256-cts-hmac-sha1-96 but still doesn't work ;(

Well ...

> - post debug output to #samba-technical or here, so ppl could make more
> educated guesses than this one.

See above.

> hope this helps

I've found one error at least. :-)

> Paul

Leonhard.

> BTW: Is there documentation for the various ejs functions for samba?

Don't know. Sorry.
Mag. Leonhard Landrock
2007-Feb-12 21:26 UTC
Fwd: [Samba] Joining a SAMBA 4 TP4 Active Directory with WinXP
On Monday, 12 February 2007 22:01, Mag. Leonhard Landrock wrote:
> On Monday, 12 February 2007 14:43, paul wrote:
> > Mag. Leonhard Landrock wrote:
> > > *) Start a virtual machine with WinXP SP2 and trying to join the domain
> > > LEOSENDE.FUN.
> > >
> > > The last point (joining the domain) doesn't work. I try the username
> > > Administrator and the password as set with "./setup/provision" but it
> > > doesn't work. I simply get unknown username or wrong password.
> >

SOLVED: It really was a problem with the time. After changing the time within my Debian Linux VM it worked all fine. :-)

OK, now I can move on testing.

Thanks again Paul for your help.

Leonhard.
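
Added example, not part of the original posts and not Samba code: a small Python scanner for the Kerberos clock-skew lines in smbd debug output like the log quoted in this thread. The function names and the whole-hour heuristic are assumptions of this example; the sample lines are copied from that log.

```python
import re
from collections import namedtuple

# KDC pre-authentication rejection as printed in the thread's smbd -d3 output.
# \s* around '>' tolerates mail clients that re-wrap the line at that point.
SKEW_RE = re.compile(
    r"Too large time skew, client time (\S+) is out by (\d+)\s*>\s*(\d+) seconds"
    r" -- (\S+)"
)
# Follow-on failures reported when the ticket is checked (AP-REQ / GSS layer).
GENERIC_RE = re.compile(r"Clock skew too great")

SkewEvent = namedtuple(
    "SkewEvent", "principal client_time skew limit hours residual")

# Sample input: three lines taken from the log quoted in the thread.
SAMPLE = """\
Kerberos: Too large time skew, client time 2007-02-12T21:50:57 is out by 3673 > 300 seconds -- Administrator@leosende.fun
Kerberos: Failed to verify AP-REQ: Clock skew too great
GSS Update(krb5)(1) Update failed: Miscellaneous failure (see text): Clock skew too great
"""


def split_skew(seconds):
    """Split an offset into the nearest whole hours plus the remainder."""
    hours = round(seconds / 3600)
    return hours, abs(seconds - hours * 3600)


def scan(log_text):
    """Return (list of SkewEvent, count of generic clock-skew failures)."""
    events = []
    for m in SKEW_RE.finditer(log_text):
        client_time, skew, limit, principal = m.groups()
        hours, residual = split_skew(int(skew))
        events.append(SkewEvent(principal, client_time, int(skew),
                                int(limit), hours, residual))
    return events, len(GENERIC_RE.findall(log_text))


def diagnose(event):
    """Heuristic (assumption of this example): an offset that is a whole
    number of hours, give or take less than the KDC limit, points to a
    UTC vs. local time mix-up; anything else is ordinary clock drift."""
    if event.hours and event.residual <= event.limit:
        return "timezone"
    return "drift"


if __name__ == "__main__":
    found, generic = scan(SAMPLE)
    for ev in found:
        print(ev.principal, ev.skew, "s =", ev.hours, "h +", ev.residual,
              "s ->", diagnose(ev))
    print("generic clock-skew failures:", generic)
```

On the thread's log, the 3673-second offset splits into one hour plus 73 seconds, which matches the poster's UTC vs. local time guess.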