Hello,

I'm trying to join a win2k3 ADS domain using a working config on a debian 'Lenny' (arm processor) from another machine running gentoo (x86 processor) (only changed the netbios name).

Samba versions are 3.0.26a on both the machines.
I'm pretty sure this is not a kerberos or ldap problem; does anyone have a clue what else it could be?

# net -d 3 ads join -U administrator
[2007/11/07 23:31:00, 3] param/loadparm.c:lp_load(5039)
  lp_load: refreshing parameters
[2007/11/07 23:31:00, 3] param/loadparm.c:init_globals(1438)
  Initialising global parameters
[2007/11/07 23:31:00, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2007/11/07 23:31:00, 3] param/loadparm.c:do_section(3778)
  Processing section "[global]"
[2007/11/07 23:31:01, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/dhcp.conf"
[2007/11/07 23:31:01, 2] lib/interface.c:add_interface(81)
  added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
[2007/11/07 23:31:01, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.22 bcast=10.0.0.255 nmask=255.255.255.0
[2007/11/07 23:31:02, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.0.2, thuis.local"
[2007/11/07 23:31:02, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.0.2
[2007/11/07 23:31:02, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.0.2, thuis.local"
[2007/11/07 23:31:02, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.0.2, thuis.local"
administrator's password:
[2007/11/07 23:31:05, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.0.2, thuis.local"
[2007/11/07 23:31:05, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.0.2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = server2$@THUIS.LOCAL
[2007/11/07 23:31:05, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/11/07 23:31:05, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 08 Nov 2007 09:31:23 CET
[2007/11/07 23:31:05, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.0.2, thuis.local"
[2007/11/07 23:31:05, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.0.2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = server2$@THUIS.LOCAL
[2007/11/07 23:31:05, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 08 Nov 2007 09:31:23 CET
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_start_connection(1509)
  Connecting to host=server2.thuis.local
[2007/11/07 23:31:05, 3] lib/util_sock.c:open_socket_out(874)
  Connecting to 10.0.0.2 at port 445
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(793)
  Doing spnego session setup (blob length=108)
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(818)
  got OID=1 2 840 48018 1 2 2
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(818)
  got OID=1 2 840 113554 1 2 2
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(818)
  got OID=1 2 840 113554 1 2 2 3
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(818)
  got OID=1 3 6 1 4 1 311 2 2 10
[2007/11/07 23:31:05, 3] libsmb/cliconnect.c:cli_session_setup_spnego(826)
  got principal=server2$@THUIS.LOCAL
[2007/11/07 23:31:06, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(613)
  Doing kerberos session setup
[2007/11/07 23:31:06, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 08 Nov 2007 09:31:23 CET
[2007/11/07 23:31:06, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine server2.thuis.local pipe \lsarpc fnum 0x8001 bind request returned ok.
[2007/11/07 23:31:06, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8
[2007/11/07 23:31:06, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine server2.thuis.local pipe \samr fnum 0xa bind request returned ok.
[2007/11/07 23:31:06, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_NDR received from remote machine server2.thuis.local pipe \samr fnum 0xa!
[2007/11/07 23:31:06, 1] utils/net_ads.c:net_ads_join(1548)
  call of net_join_domain failed: NT code 0x000006f7
Failed to join domain: NT code 0x000006f7
[2007/11/07 23:31:06, 2] utils/net.c:main(1036)
  return code = -1

smb.conf (relevant part only):

[global]
  # log level = 5
  enable privileges = Yes
  username map = /etc/samba/smbusers
  allow trusted domains = No
  idmap uid = 20000-30000
  idmap gid = 20000-30000
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind separator = +
  winbind use default domain = Yes
  winbind offline logon = Yes
  winbind refresh tickets = Yes
  use kerberos keytab = Yes
  winbind nss info = template
  template homedir = /home/%U
  template shell = /bin/bash
  client use spnego = Yes
  obey pam restrictions = No
  password server = thuis.local
  null passwords = No
  server signing = Auto
  client signing = Auto
  lm announce = No
  deadtime = 15
  encrypt passwords = Yes
  workgroup = THUIS
  realm = THUIS.LOCAL
  netbios name = BACKUP
  server string = Samba on %L
  interfaces = lo eth0
  bind interfaces only = Yes
  hosts deny = 0.0.0.0/0
  hosts allow = 10.0.0.0/24 127.0.0.1
  os level = 20
  wins support = No
  # get wins server address from dhcp
  include = /etc/samba/dhcp.conf
  name resolve order = wins lmhosts hosts bcast
  preferred master = No
  load printers = No
  log file = /var/log/samba/log.%m
  max log size = 0
  security = ads
  socket options = TCP_NODELAY SO_RCVBUF=8192 IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  dns proxy = No
  time server = No
  hide dot files = Yes
  username level = 1
  admin users = @%D%w"Domain Admins"
  guest ok = No
  public = No
  valid users = @%D%w"Domain Admins" @%D%w"Domain Power Users" @%D%w"Domain Users" @%D%w"Domain Controllers" @%D%w"Domain Computers"
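The debug dump above is hard to read once a mail client has flattened it. This added Python example (not from the thread, from Samba, or from any of the posters) splits Samba's `[date, level] file.c:function(line)` debug records, lists the level 0/1 errors, and names the last RPC pipe that bound successfully before the fault; the sample log is constructed from the lines quoted above, and the note on 0x000006f7 records Samba's DCERPC_FAULT_NDR value, which the thread itself does not spell out.

```python
"""Triage a Samba 3.x `net -d 3 ads join` debug dump (added example)."""
import re

# Samba debug header: [YYYY/MM/DD HH:MM:SS, level] file.c:function(line)
HEADER = re.compile(r"\[(\d{4}/\d{2}/\d{2} [\d:]{8}), (\d+)\]\s+(\S+?\.c:\w+\(\d+\))\s*")
PIPE_OK = re.compile(r"pipe (\\\w+) fnum \S+ bind request returned ok")
NT_CODE = re.compile(r"NT code (0x[0-9a-fA-F]+)")

# Constructed sample: the decisive records of the log quoted in the thread.
SAMPLE_LOG = """\
[2007/11/07 23:31:05, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.0.2
[2007/11/07 23:31:06, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine server2.thuis.local pipe \\lsarpc fnum 0x8001 bind request returned ok.
[2007/11/07 23:31:06, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine server2.thuis.local pipe \\samr fnum 0xa bind request returned ok.
[2007/11/07 23:31:06, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_NDR received from remote machine server2.thuis.local pipe \\samr fnum 0xa!
[2007/11/07 23:31:06, 1] utils/net_ads.c:net_ads_join(1548)
  call of net_join_domain failed: NT code 0x000006f7
"""

def parse_samba_debug(text):
    """Split a dump into (level, source, message) triples.

    Works whether the message sits on its own indented line (as Samba
    prints it) or has been flattened onto one line by a mail client."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        message = " ".join(text[h.end():end].split())
        entries.append((int(h.group(2)), h.group(3), message))
    return entries

def triage(text):
    """Summarise how far the join got and what it died on."""
    entries = parse_samba_debug(text)
    pipes = [m.group(1) for _, _, msg in entries if (m := PIPE_OK.search(msg))]
    codes = [m.group(1) for _, _, msg in entries if (m := NT_CODE.search(msg))]
    return {
        "entries": len(entries),
        # Samba debug levels 0 and 1 are errors; 3 and above are trace noise.
        "errors": [(src, msg) for lvl, src, msg in entries if lvl <= 1],
        "last_pipe_bound": pipes[-1] if pipes else None,
        # 0x000006f7 is the DCERPC_FAULT_NDR fault reported one record earlier
        # (Win32 1783, RPC_X_BAD_STUB_DATA): the DC rejected the NDR-marshalled
        # stub data on \samr, after LDAP, SPNEGO and Kerberos had all succeeded.
        "nt_code": int(codes[0], 16) if codes else None,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feeding the full dump from the post to `triage()` gives the same picture: every record before the `\samr` fault is level 2 or 3, so the failure is in RPC marshalling, not in the LDAP or Kerberos steps the poster already ruled out.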
Hmm, you have a whole bunch of stuff in smb.conf that I would not put there. Some of them may be obsolete and won't matter, but whether it will break things is hard to tell. I think you should look at the Official Howto and pare the settings down to the bare necessities, then try again.

Also have a look at my guide here: http://www.aeronetworks.ca/LinuxActiveDirectory.html

I have found that KISS is a very important principle with ADS. Make an OU for your Linux users, define your groups and users in that OU, then apply security policies to the OU and don't reference anything outside the OU.

Also note that it is possible to do things in ADS that you are not supposed to do, which can cause Winbind to get its balls in a twist. In general, don't rename records, don't drag records from one OU to another OU, don't make a user in one OU a member of a group in another OU. You are not supposed to do those things and it may cause ADS to complain, but while WinXP clients will still work, Winbind will blow up. The only way to fix it is to find the offending records and delete them, but how to find them? It is a situation that is best avoided!

Cheers,
Herman

Lex Brugman wrote:
> Hello,
>
> I'm trying to join a win2k3 ADS domain using a working config on a
> debian 'Lenny' (arm processor) from another machine running gentoo
> (x86 processor) (only changed the netbios name).
>
> Samba versions are 3.0.26a on both the machines.
> I'm pretty sure this is not a kerberos or ldap problem; does anyone
> have a clue what else it could be?
Please note that the same configuration works on another box in the same network (same win2k3 PDC)
The problem described in my post occurs on a debian box running on an ARM processor and is using the same configuration as on a Gentoo box running on an x86 processor (where it works fine). Both are running the same version of samba (3.0.26a).

David kacuba wrote:
> no what do you mean
>
> Lex Brugman <lex.brugman@gmail.com> wrote:
>
> Please note that the same configuration works on another box in the
> same network (same win2k3 PDC)
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
I have seen things behave differently between identical boxes and eventually the problem was solved on the server side, by rolling ADS back to a previous version. So, you got to make things as simple as possible in order to rule out as many weird interactions as possible.

Bear in mind that Windows is not a finite state machine - actually, I think Heisenberg used to work for Microsoft...

Cheers,
H.

Lex Brugman wrote:
> The problem described in my post occurs on a debian box running on an
> ARM processor and is using the same configuration as on a Gentoo box
> running on an x86 processor (where it works fine). Both are running the
> same version of samba (3.0.26a).