Thierry Leurent
2010-Apr-21 14:29 UTC
[Samba] net ads testjoin failed but net rpc testjoin work
Hello,
I have a very strange problem with Samba 3.0.33 when I integrate a Linux
server into my Windows 2003 AD.
I do:
- kinit administrator, it works.
- klist, it works too.
- net join ads -U administrator, it works. I get the message that my
computer has joined the domain and I see the Linux machine in my domain.
- wbinfo -t gives me "checking the trust secret via RPC calls
succeeded".
- wbinfo -u gives me all the users of my domain.
- wbinfo -g gives me all the groups of my domain.
- wbinfo -a NuteGunray%CatoNeimoida returns "plaintext password
authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user NuteGunray%CatoNeimoida with
plaintext password
challenge/response password authentication succeeded"
Is that normal? Perhaps, I have "encrypt password = yes" in my
smb.conf.
But when I do net ads testjoin, I get "ads_connect: No logon servers
Join to domain is not valid: No logon servers"
With debug level 3, I receive these messages.
[2010/04/21 14:36:21, 3] param/loadparm.c:lp_load(5069)
lp_load: refreshing parameters
[2010/04/21 14:36:21, 3] param/loadparm.c:init_globals(1440)
Initialising global parameters
[2010/04/21 14:36:21, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2010/04/21 14:36:21, 3] param/loadparm.c:do_section(3808)
Processing section "[global]"
[2010/04/21 14:36:21, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.120.2 bcast=192.168.255.255 nmask=255.255.0.0
[2010/04/21 14:36:21, 3] libsmb/namequery.c:get_dc_list(1495)
get_dc_list: preferred server list: ", *"
[2010/04/21 14:36:21, 1] libads/cldap.c:recv_cldap_netlogon(247)
Failed to parse cldap reply
[2010/04/21 14:36:21, 3] libads/ldap.c:ads_try_connect(189)
ads_try_connect: CLDAP request 192.168.10.116 failed.
[2010/04/21 14:36:21, 1] libads/cldap.c:recv_cldap_netlogon(247)
Failed to parse cldap reply
[2010/04/21 14:36:21, 3] libads/ldap.c:ads_try_connect(189)
ads_try_connect: CLDAP request 192.168.10.110 failed.
[2010/04/21 14:36:21, 1] libads/cldap.c:recv_cldap_netlogon(247)
Failed to parse cldap reply
[2010/04/21 14:36:21, 3] libads/ldap.c:ads_try_connect(189)
ads_try_connect: CLDAP request 192.168.50.75 failed.
[2010/04/21 14:36:28, 1] libads/cldap.c:recv_cldap_netlogon(219)
no reply received to cldap netlogon
[2010/04/21 14:36:28, 3] libads/ldap.c:ads_try_connect(189)
ads_try_connect: CLDAP request 10.10.10.116 failed.
[2010/04/21 14:36:35, 1] libads/cldap.c:recv_cldap_netlogon(219)
no reply received to cldap netlogon
[2010/04/21 14:36:35, 3] libads/ldap.c:ads_try_connect(189)
ads_try_connect: CLDAP request 10.10.10.110 failed.
[2010/04/21 14:36:35, 0] utils/net_ads.c:ads_startup_int(286)
ads_connect: No logon servers
Join to domain is not valid: No logon servers
[2010/04/21 14:36:35, 2] utils/net.c:main(1075)
return code = -1
I see the IPs of:
- My Linux computer: 192.168.120.2
- My first DC general network: 192.168.10.110
- My first DC backup network: 10.10.10.110
- My second DC general network: 192.168.10.116
- My second DC backup network: 10.10.10.116
- My third DC general network: 192.168.50.75 (this one doesn't have a backup
network).
After reading lots of pages on Google, I tried net rpc testjoin -d3:
[2010/04/21 15:09:25, 3] param/loadparm.c:lp_load(5069)
lp_load: refreshing parameters
[2010/04/21 15:09:25, 3] param/loadparm.c:init_globals(1440)
Initialising global parameters
[2010/04/21 15:09:25, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2010/04/21 15:09:25, 3] param/loadparm.c:do_section(3808)
Processing section "[global]"
[2010/04/21 15:09:25, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.120.2 bcast=192.168.255.255 nmask=255.255.0.0
[2010/04/21 15:09:25, 3] libsmb/cliconnect.c:cli_start_connection(1563)
Connecting to host=dc001
[2010/04/21 15:09:25, 3] lib/util_sock.c:open_socket_out(866)
Connecting to 192.168.10.110 at port 445
[2010/04/21 15:09:25, 3] libsmb/cliconnect.c:cli_session_setup_spnego(805)
Doing spnego session setup (blob length=119)
[2010/04/21 15:09:25, 3] libsmb/cliconnect.c:cli_session_setup_spnego(832)
got OID=1 2 840 48018 1 2 2
[2010/04/21 15:09:25, 3] libsmb/cliconnect.c:cli_session_setup_spnego(832)
got OID=1 2 840 113554 1 2 2
[2010/04/21 15:09:25, 3] libsmb/cliconnect.c:cli_session_setup_spnego(832)
got OID=1 2 840 113554 1 2 2 3
[2010/04/21 15:09:25, 3] libsmb/cliconnect.c:cli_session_setup_spnego(832)
got OID=1 3 6 1 4 1 311 2 2 10
[2010/04/21 15:09:25, 3] libsmb/cliconnect.c:cli_session_setup_spnego(840)
got principal=dc001$@EMPIRE.LOCAL
[2010/04/21 15:09:25, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(1018)
Got challenge flags:
[2010/04/21 15:09:25, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x62898215
[2010/04/21 15:09:25, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(1040)
NTLMSSP: Set final flags:
[2010/04/21 15:09:25, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x60088215
[2010/04/21 15:09:25, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
NTLMSSP Sign/Seal - Initialising with flags:
[2010/04/21 15:09:25, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x60088215
[2010/04/21 15:09:25, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
rpc_pipe_bind: Remote machine dc001 pipe \NETLOGON fnum 0xc00d bind
request returned ok.
[2010/04/21 15:09:25, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
rpc_pipe_bind: Remote machine dc001 pipe \NETLOGON fnum 0xc00e bind
request returned ok.
Join to 'EMPIRE' is OK
[2010/04/21 15:09:25, 2] utils/net.c:main(1075)
return code = 0
It works!!!!!!! But why?
Thanks
Thierry
My krb5.conf
[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log
[libdefaults]
default_realm = EMPIRE.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EMPIRE.LOCAL = {
kdc = dc001.empire.local
admin_server = dc001.empire.local
default_domain = empire.local
}
[domain_realm]
.kerberos.server = EMPIRE.LOCAL
.empire.local = EMPIRE.LOCAL
My smb.conf
# Global parameters
[global]
workgroup = empire
server string = OPROD-POX
netbios name = lsister-l
preferred master = no
# | Logs
# ----------------------------------------------------
log level = 3
log file = /var/log/samba/%m.log
#max log size = 50
# | Domain Integration
# -----------------------------------------------------
security = ads
realm = EMPIRE
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind nss info = rfc2307
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
idmap uid = 10000-19999
idmap gid = 20000-29999
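Added example (not part of the original message and not Samba code): the level-3 output above reports two different reasons for the CLDAP failures, and this sketch pairs each failed domain controller address with the reason logged just before it. The sample is an excerpt of the log quoted above; the function names are illustrative.

```python
import re

# Excerpt of the "net ads testjoin" debug output quoted in the message above.
SAMPLE_LOG = """\
[2010/04/21 14:36:21, 1] libads/cldap.c:recv_cldap_netlogon(247)
Failed to parse cldap reply
[2010/04/21 14:36:21, 3] libads/ldap.c:ads_try_connect(189)
ads_try_connect: CLDAP request 192.168.10.116 failed.
[2010/04/21 14:36:28, 1] libads/cldap.c:recv_cldap_netlogon(219)
no reply received to cldap netlogon
[2010/04/21 14:36:28, 3] libads/ldap.c:ads_try_connect(189)
ads_try_connect: CLDAP request 10.10.10.116 failed.
[2010/04/21 14:36:35, 0] utils/net_ads.c:ads_startup_int(286)
ads_connect: No logon servers
"""

HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s*(\d+)\]\s+(\S+):(\w+)\((\d+)\)$")
CLDAP_FAILED = re.compile(r"CLDAP request (\d{1,3}(?:\.\d{1,3}){3}) failed")

def parse_records(text):
    """Group each '[time, level] file:function(line)' header with its message lines."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "function": m.group(4), "message": ""})
        elif line and records:
            rec = records[-1]
            rec["message"] = (rec["message"] + " " + line).strip()
    return records

def cldap_failures(text):
    """Return {dc_ip: reason}, pairing each failed probe with the cldap.c message before it."""
    failures, reason = {}, None
    for rec in parse_records(text):
        if rec["function"] == "recv_cldap_netlogon":
            reason = rec["message"]
        elif rec["function"] == "ads_try_connect":
            m = CLDAP_FAILED.search(rec["message"])
            if m:
                failures[m.group(1)] = reason or "no reason logged"
            reason = None
    return failures

if __name__ == "__main__":
    for ip, why in cldap_failures(SAMPLE_LOG).items():
        print(f"{ip}: {why}")
```

In the excerpt, the general-network address answered with a reply that could not be parsed, while the backup-network address gave no reply at all.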
Volker Lendecke
2010-Apr-21 14:41 UTC
[Samba] net ads testjoin failed but net rpc testjoin work
On Wed, Apr 21, 2010 at 04:29:27PM +0200, Thierry Leurent wrote:
> - wbinfo -a NuteGunray%CatoNeimoida return "plaintext password

Please try

wbinfo -a EMPIRE\\NuteGunray%CatoNeimoida

Volker
Thierry Leurent
2010-Apr-22 11:38 UTC
[Samba] net ads testjoin failed but net rpc testjoin work
Volker,
I tried wbinfo -a EMPIRE\\NuteGunray%CatoNeimoida and it failed :(
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user EMPIRE\NuteGunray%CatoNeimoida with plaintext
password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user EMPIRE\NuteGunray with challenge/response
==> /var/log/samba/wb-EMPIRE.log <==
[2010/04/22 08:25:34, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1755)
[ 3235]: pam auth crap domain: EMPIRE user: EMPIRE\NuteGunray
[2010/04/22 08:25:34, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
NTLM CRAP authentication for user [EMPIRE]\[EMPIRE\NuteGunray] returned
NT_STATUS_NO_SUCH_USER (PAM: 10)
==> /var/log/samba/winbindd.log <==
[2010/04/22 08:25:34, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
[ 8479]: request interface version
[2010/04/22 08:25:34, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
[ 8479]: request location of privileged pipe
[2010/04/22 08:25:34, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
[ 8479]: pam auth EMPIRE\NuteGunray
[2010/04/22 08:25:34, 3] nsswitch/winbindd_misc.c:winbindd_info(479)
[ 8479]: request misc info
[2010/04/22 08:25:34, 3] nsswitch/winbindd_misc.c:winbindd_domain_name(501)
[ 8479]: request domain name
[2010/04/22 08:25:34, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(1689)
[ 8479]: pam auth crap domain: [EMPIRE] user: EMPIRE\NuteGunray
Yesterday, I saw a little error in my krb5.conf: I forgot the last newline.
This morning after "your test", I corrected it but wbinfo -t failed the
RPC with "error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
(0xc0000233)" :(
After a few searches, I resolved the problem by adding lines to my
configuration files.
In my smb.conf, in the general section, I added these 2 lines:
winbind use default domain = Yes
winbind nested groups = Yes
In my krb5.conf, I added this section:
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
After a restart of winbind, wbinfo -t worked.
I tried wbinfo -a EMPIRE\\NuteGunray%CatoNeimoida and it failed but in my
/var/log/samba/wb-EMPIRE.log, I saw "dual pam auth
EMPIRE+EMPIRE\NuteGunray".
+ is my winbind separator; it looks like Samba used 2 EMPIRE, one as the
implicit domain, and one as an explicit group in my wbinfo command.
I joined the domain again with a net join ads.
net ads testjoin doesn't work and net rpc testjoin works like yesterday.
wbinfo -a EMPIRE\\NuteGunray%CatoNeimoida
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user EMPIRE\NuteGunray%CatoNeimoida with plaintext
password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user EMPIRE\NuteGunray with challenge/response
==> /var/log/samba/wb-EMPIRE.log <==
[2010/04/22 11:54:47, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341)
[ 8693]: dual pam auth EMPIRE+EMPIRE\NuteGunray
[2010/04/22 11:54:47, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1584)
Plain-text authentication for user EMPIRE+EMPIRE\NuteGunray returned
NT_STATUS_NO_SUCH_USER (PAM: 10)
[2010/04/22 11:54:47, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1755)
[ 8693]: pam auth crap domain: EMPIRE user: EMPIRE\NuteGunray
[2010/04/22 11:54:47, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
NTLM CRAP authentication for user [EMPIRE]\[EMPIRE\NuteGunray] returned
NT_STATUS_NO_SUCH_USER (PAM: 10)
==> /var/log/samba/winbindd.log <==
[2010/04/22 11:54:47, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
[ 8950]: request interface version
[2010/04/22 11:54:47, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
[ 8950]: request location of privileged pipe
[2010/04/22 11:54:47, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
[ 8950]: pam auth EMPIRE\NuteGunray
[2010/04/22 11:54:47, 3] nsswitch/winbindd_misc.c:winbindd_info(479)
[ 8950]: request misc info
[2010/04/22 11:54:47, 3] nsswitch/winbindd_misc.c:winbindd_domain_name(501)
[ 8950]: request domain name
[2010/04/22 11:54:47, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(1689)
[ 8950]: pam auth crap domain: [EMPIRE] user: EMPIRE\NuteGunray
wbinfo -a EMPIRE+NuteGunray%CatoNeimoida
plaintext password authentication succeeded
challenge/response password authentication succeeded
[2010/04/22 13:10:23, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341)
[ 8693]: dual pam auth EMPIRE+NuteGunray
[2010/04/22 13:10:23, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1755)
[ 8693]: pam auth crap domain: EMPIRE user: NuteGunray
==> /var/log/samba/winbindd.log <==
[2010/04/22 13:10:23, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
[ 9081]: request interface version
[2010/04/22 13:10:23, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
[ 9081]: request location of privileged pipe
[2010/04/22 13:10:23, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
[ 9081]: pam auth EMPIRE+NuteGunray
[2010/04/22 13:10:23, 3] nsswitch/winbindd_misc.c:winbindd_info(479)
[ 9081]: request misc info
[2010/04/22 13:10:23, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(1689)
[ 9081]: pam auth crap domain: [EMPIRE] user: NuteGunray
I really have some trouble understanding Samba and Active Directory.
Thierry
Volker Lendecke
2010-Apr-23 04:32 UTC
[Samba] net ads testjoin failed but net rpc testjoin work
On Thu, Apr 22, 2010 at 01:38:53PM +0200, Thierry Leurent wrote:
> wbinfo -a EMPIRE+NuteGunray%CatoNeimoida
> plaintext password authentication succeeded
> challenge/response password authentication succeeded

Sorry, I had not seen that you have set your winbind separator to + .

> I really have some troubles to understand Samba and Active Directory.

Samba is a very flexible tool. You might start out with an almost empty smb.conf tool just using the workgroup parameter and make that work. The advantage of this approach is that much of the documentation out there does not take many of the possible settings into account.

Volker
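Added example (not part of the original thread and not Samba's own code): a simplified model of how the configured `winbind separator` decides where a name splits into domain and user, which reproduces the `EMPIRE+EMPIRE\NuteGunray` form seen in wb-EMPIRE.log. The settings are taken from the smb.conf lines posted in this thread; the function names are illustrative, and falling back to the workgroup for unqualified names is an assumption of the model.

```python
# Settings taken from the smb.conf lines posted in this thread.
SMB_CONF = """\
# Global parameters
[global]
workgroup = empire
security = ads
winbind separator = +
winbind use default domain = Yes
"""

def global_param(conf_text, name, default):
    """Read one [global] parameter; parameter names ignore case and whitespace."""
    wanted = "".join(name.split()).lower()
    section, value = None, default
    for line in (l.strip() for l in conf_text.splitlines()):
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            if "".join(key.split()).lower() == wanted:
                value = val.strip()
    return value

def separator(conf_text):
    """The separator is a single character; the default is a backslash."""
    return global_param(conf_text, "winbind separator", "\\")[:1] or "\\"

def split_name(name, conf_text):
    """Model: split on the first configured separator only."""
    workgroup = global_param(conf_text, "workgroup", "WORKGROUP").upper()
    domain, found, user = name.partition(separator(conf_text))
    if not found:
        # No separator present: the whole string is taken as the user name
        # and the local workgroup is assumed as its domain.
        return workgroup, name
    return domain, user

def qualified(name, conf_text):
    """Rebuild DOMAIN<sep>user, the form that appears in the winbindd log."""
    return separator(conf_text).join(split_name(name, conf_text))

if __name__ == "__main__":
    for candidate in ("EMPIRE\\NuteGunray", "EMPIRE+NuteGunray", "NuteGunray"):
        print(candidate, "->", qualified(candidate, SMB_CONF))
```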