Hello again folks,
I give up trying RPC. I'm trying to avoid updating the samba package of my Ubuntu 9.04 server (amd64), so I decided to try ADS again. This way I'm using the following versions:
krb5-user 1.6.dfsg.4~beta1-5ubuntu2
samba* 2:3.3.2-1ubuntu3.1
I'm having a problem joining an AD domain. I suspect there is something related to how my company's directory was set up and I can't change that.
Here is the information for the AD:
Realm: WIN-NET.DOMAIN.COM.BR
DNS Domain: domain.com.br
Servers: server.domain.com.br, server1.domain.com.br
NOTE: DNS servers are not in the MSDNS server. And there is no DNS  
domain related to the realm WIN-NET.DOMAIN.COM.BR, only domain.com.br.
Here is my krb5.conf
==================================================================
[libdefaults]
	default_realm = WIN-NET.DOMAIN.COM.BR
# The following krb5.conf variables are only for MIT Kerberos.
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true
	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
		plain = {
			something = something-else
		}
	}
	fcc-mit-ticketflags = true
[realms]
	WIN-NET.DOMAIN.COM.BR = {
		kdc = server.domain.com.br
		kdc = server1.domain.com.br
		default_domain = domain.com.br
		kpasswd_server = server.domain.com.br
		admin_server = server.domain.com.br
	}
[domain_realm]
	.domain.com.br = WIN-NET.DOMAIN.COM.BR
	domain.com.br = WIN-NET.DOMAIN.COM.BR
[login]
	krb4_convert = true
	krb4_get_tickets = falsea
[logging]
	default = SYSLOG:err:auth
[appdefaults]
	pam = {
		ticket_lifetime = 1d
		renew_lifetime = 1d
		forwardable = true
		proxiable = false
		retain_after_close = false
		minimum_uid = 0
		try_first_pass = true
	}
==================================================================
With this I'm able to get a ticket using kinit and see it using klist:
root@xxxxxx:~# kinit user
Password for user@WIN-NET.DOMAIN.COM.BR:
root@xxxxxx:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@WIN-NET.DOMAIN.COM.BR
Valid starting     Expires            Service principal
07/29/09 22:07:43  07/30/09 08:07:49  krbtgt/WIN-NET.DOMAIN.COM.BR@WIN-NET.DOMAIN.COM.BR
         renew until 07/30/09 22:07:43
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
==================================================================
And my smb.conf
==================================================================
[global]
	# server name
	server string = %h
	netbios name = %h
	dns proxy = no
	domain master = no
	local master = no
	preferred master = no
	os level = 0
	
	# charset options
	unix charset = ISO-8859-1
	# domain options
	workgroup = WIN-NET
	realm = WIN-NET.DOMAIN.COM.BR
	password server = server.domain.com.br server1.domain.com.br
	security = ads
	name resolve order = wins bcast
	encrypt passwords = true
	client use spnego = yes
	client ntlmv2 auth = yes
	restrict anonymous = 2
	# socket and network options
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	interfaces = eth0
	bind interfaces only = yes
	# log options
	log level = 1
	#tdb:3 winbind:10 auth:3
	log file = /var/log/samba/log.%m
	max log size = 1024
	syslog = 0
	# printer options (disabling)
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes
	# winbind options
	winbind rpc only = yes
	winbind use default domain = yes
	winbind normalize names = yes
	winbind enum users = no
	winbind enum groups = no
	template shell = /bin/bash
	template homedir = /home/%D/%U
	# id mapping options
	idmap backend = tdb
	idmap config WIN-NET : backend = tdb
	idmap config WIN-NET : range = 50000-55000
==================================================================
However, when I try to join to the ADS I got different errors, depending on the parameters I pass:
root@xxxxxx:~# net ads join -U user
Enter user's password:
Failed to join domain: failed to find DC for domain WIN-NET.DOMAIN.COM.BR
root@xxxxxx:~# net ads join -U user -S server
Enter user's password:
Failed to join domain: failed to lookup DC info for domain 'WIN-NET.DOMAIN.COM.BR' over rpc: The network name cannot be found
I tested with debugging on 10 and got this information on the latest  
lines:
==============================================
[2009/07/29 22:15:24,  5] libsmb/nmblib.c:send_udp(824)
   Sending a packet of len 50 to (200.234.203.255) on port 137
[2009/07/29 22:15:25,  5] libsmb/nmblib.c:send_udp(824)
   Sending a packet of len 50 to (200.234.203.255) on port 137
[2009/07/29 22:15:25,  5] libsmb/nmblib.c:send_udp(824)
   Sending a packet of len 50 to (200.234.203.255) on port 137
[2009/07/29 22:15:25,  1] libsmb/cliconnect.c:cli_start_connection(1656)
   cli_start_connection: failed to connect to SERVER<20> (0.0.0.0). Error NT_STATUS_BAD_NETWORK_NAME
[2009/07/29 22:15:25,  1] libnet/libnet_join.c:libnet_Join(1908)
   libnet_Join:
       libnet_JoinCtx: struct libnet_JoinCtx
           out: struct libnet_JoinCtx
               account_name             : NULL
               netbios_domain_name      : NULL
               dns_domain_name          : NULL
               forest_name              : NULL
               dn                       : NULL
               domain_sid               : NULL
                   domain_sid               : (NULL SID)
               modified_config          : 0x00 (0)
               error_string             : 'failed to lookup DC info for domain 'WIN-NET.DOMAIN.COM.BR' over rpc: The network name cannot be found'
               domain_is_ad             : 0x00 (0)
               result                   : WERR_NO_SUCH_SHARE
[2009/07/29 22:15:25, 10] intl/lang_tdb.c:lang_tdb_init(138)
   lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
[2009/07/29 22:15:25,  2] utils/net.c:main(769)
   return code = -1
=============================================
Any idea on what is wrong?
Thanks
On Wed, Jul 29, 2009 at 10:17:11PM -0300, Herbert G. Fischer wrote:
> [2009/07/29 22:15:25,  1] libsmb/cliconnect.c:cli_start_connection(1656)
>    cli_start_connection: failed to connect to SERVER<20> (0.0.0.0). Error NT_STATUS_BAD_NETWORK_NAME
> [2009/07/29 22:15:25,  1] libnet/libnet_join.c:libnet_Join(1908)
>    libnet_Join:
>        libnet_JoinCtx: struct libnet_JoinCtx
>            out: struct libnet_JoinCtx
>                account_name             : NULL
>                netbios_domain_name      : NULL
>                dns_domain_name          : NULL
>                forest_name              : NULL
>                dn                       : NULL
>                domain_sid               : NULL
>                    domain_sid               : (NULL SID)
>                modified_config          : 0x00 (0)
>                error_string             : 'failed to lookup DC info for domain 'WIN-NET.DOMAIN.COM.BR' over rpc: The network name cannot be found'
>                domain_is_ad             : 0x00 (0)
>                result                   : WERR_NO_SUCH_SHARE
> [2009/07/29 22:15:25, 10] intl/lang_tdb.c:lang_tdb_init(138)
>    lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
> [2009/07/29 22:15:25,  2] utils/net.c:main(769)
>    return code = -1
It can't find the name. Try hacking it into your /etc/hosts. You really need to have a working DNS for this. Can't you point your Ubuntu DNS to the same servers the Windows domain is using?
Jeremy.
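A preflight check for the name-resolution problem discussed in this thread, as an added example (not code from Samba or from either poster): it reads the posted smb.conf settings, lists the DNS SRV names an AD client queries for the realm, and flags a `name resolve order` without `host`, the method that smb.conf(5) documents as using /etc/hosts and DNS. The function names and the injected `resolve` callback are hypothetical, and the sample config is a constructed excerpt of the one above.

```python
# Constructed excerpt of the smb.conf posted in this thread (only keys the check reads).
SMB_CONF = """
[global]
    workgroup = WIN-NET
    realm = WIN-NET.DOMAIN.COM.BR
    password server = server.domain.com.br server1.domain.com.br
    security = ads
    name resolve order = wins bcast
"""

def parse_global(text):
    """Return the [global] options of smb.conf text as a dict with lowercased keys."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            opts[" ".join(key.lower().split())] = value.strip()
    return opts

def preflight(smb_conf_text, resolve):
    """Hypothetical join preflight. resolve(name) -> list of addresses (injectable)."""
    opts = parse_global(smb_conf_text)
    realm = opts.get("realm", "").lower()
    # SRV names an AD client queries to locate a DC and a KDC for the realm;
    # check them by hand with: host -t SRV <name>
    srv = [f"_ldap._tcp.dc._msdcs.{realm}", f"_kerberos._tcp.{realm}"] if realm else []
    findings = []
    order = opts.get("name resolve order")
    if order is not None and not {"host", "hosts"} & set(order.lower().split()):
        findings.append("name resolve order lacks 'host': /etc/hosts and DNS are not consulted")
    for server in opts.get("password server", "").replace(",", " ").split():
        if server != "*" and not resolve(server):
            findings.append(f"password server {server} does not resolve")
    return srv, findings

def system_resolve(name):
    """Resolve through the system resolver (as configured in nsswitch.conf)."""
    import socket
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, 445)})
    except socket.gaierror:
        return []

if __name__ == "__main__":
    srv_names, problems = preflight(SMB_CONF, system_resolve)
    print("\n".join(["SRV records to verify:"] + srv_names + ["Findings:"] + problems))
```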