Dear list users,
I have a problem when joining an Active Directory domain. In this
project we have one main DC in the capital city and one read-only DC in
one remote city.
We join to the main DC successfully. However, we cannot join to the local
replica (rodc14). We are using this method for winbind / squid NTLM
authentication purposes, not a full Samba server. The Internet connection is
not fast and we have thousands of users. Remote joining is not our
first choice.
First of all I tried to join without an lmhosts entry. That time, I got
"Failed to join domain: failed to find DC for domain". The /etc/hosts
entry was in place and the AD DNS server was running. Anyway, I
overcame this problem after adding an lmhosts entry.
Now my problem is:
"result : WERR_NOT_SUPPORTED
Failed to join domain: Failed to set account flags for machine account
(NT_STATUS_NOT_SUPPORTED)"
I have searched and found that this may be about the read-only DC. We
have changed the DC to normal mode. Nothing has changed.
I need some help joining a read-only DC; the problem is debugged below.
System is Centos 5 i386
AD Server is "Windows Server 2008 R2 Enterprise 7601 Service Pack 1"
Samba is
samba3-utils-3.6.8-44.el5
samba3-3.6.8-44.el5
samba3-winbind-3.6.8-44.el5
samba3-client-3.6.8-44.el5
RPMs from SerNet. (Actually I was using the samba3x RPMs from CentOS. I
upgraded when I encountered these problems.)
net ads -d 10 testjoin
net ads join -d 3 -U test14%pass
Debugs are below.
DC: rodc14.testdom.com.tr, 10.10.25.4
domain: TESTDOM.COM.TR
Machine Name: TEST14
AD USER: test14 (In administrator group)
Best Regards,
Oguz
[root@test14 ~]# kinit
Password for test14@TESTDOM.COM.TR:
[root@test14 ~]# echo $?
0
[root@test14 ~]# net ads testjoin
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Decrypt
integrity check failed
kerberos_kinit_password TEST14$@TESTDOM.COM.TR failed: A service is
not available that is required to process the request
Join to domain is not valid: Undetermined error
cat /etc/hosts:
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost test14
::1 localhost6.localdomain6 localhost6
10.10.25.4 rodc14.testdom.com.tr #Do not edit/remove this line,
required for labris AD integration
cat /etc/samba/lmhosts:
# This file provides the same function that the lmhosts file does for
# Windows. It's another way to map netbios names to ip addresses.
#
# Cf. section 'name resolve order' in the manual page of smb.conf for
# more information.
127.0.0.1 localhost
#127.0.0.1 FOO#20
#192.168.1.1 MYDOM#1C
10.10.25.4 TESTDOM
/etc/samba/smb.conf:
[global]
netbios name = TEST14
realm = testdom.com.tr
workgroup = TEST
security = ads
encrypt passwords = yes
password server = 10.10.25.4
log level = 3
log file = /var/log/samba.log
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
domain master = no
local master = no
preferred master = no
template shell = /sbin/nologin
getwd cache = yes
winbind cache time = 100000
ldap connection timeout = 1200
ldap timeout = 2400
allow trusted domains = yes
# ldap ssl = off
# winbind offline logon = yes
# winbind refresh tickets = yes
# client use spnego = no
# use spnego = no
# ldap ssl ads = no
# client ldap sasl wrapping = plain
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TESTDOM.COM.TR
default_tkt_enctypes = rc4-hmac des-cbc-crc
default_tgs_enctypes = rc4-hmac des-cbc-crc
# dns_lookup_realm = false
# dns_lookup_kdc = false
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
TESTDOM.COM.TR = {
kdc = 10.10.25.4
admin_server = 10.10.25.4
default_domain = TESTDOM.COM.TR
}
[domain_realm]
.testdom.com.tr = TESTDOM.COM.TR
testdom.com.tr = TESTDOM.COM.TR
net ads join Log:
net ads join -d 3 -U test14%pass
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
added interface eth9.102 ip=fe80::20c:bdff:fe05:28f8%eth9.102
bcast=fe80::ffff:ffff:ffff:ffff%eth9.102 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=fe80::290:bff:fe21:43ac%eth1
bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth2 ip=fe80::290:bff:fe21:43ad%eth2
bcast=fe80::ffff:ffff:ffff:ffff%eth2 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=fe80::290:bff:fe27:b5bf%eth0
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth9.102 ip=95.0.0.26 bcast=**** netmask=255.255.255.248
added interface eth9.102:0 ip=95.0.0.27 bcast=95.0.0.31 netmask=255.255.255.248
added interface eth9.102:1 ip=95.0.0.28 bcast=95.0.0.31 netmask=255.255.255.248
added interface eth9.102:2 ip=95.0.0.29 bcast=95.0.0.31 netmask=255.255.255.248
added interface eth0 ip=169.254.1.1 bcast=169.254.255.255 netmask=255.255.0.0
added interface eth1 ip=10.10.1.5 bcast=10.10.1.255 netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'TEST14'
domain_name : *
domain_name : 'TESTDOM.COM.TR'
account_ou : NULL
admin_account : 'test14'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
resolve_lmhosts: Attempting lmhosts lookup for name TESTDOM.COM.TR<0x1c>
resolve_lmhosts: Attempting lmhosts lookup for name TESTDOM.COM.TR<0x1c>
resolve_wins: Attempting wins lookup for name TESTDOM.COM.TR<0x1c>
resolve_wins: WINS server resolution selected and no WINS servers listed.
name_resolve_bcast: Attempting broadcast lookup for name
TESTDOM.COM.TR<0x1c>
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to find DC for domain
TESTDOM.COM.TR'
domain_is_ad : 0x00 (0)
result : WERR_DCNOTFOUND
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'TEST14'
domain_name : *
domain_name : 'TESTDOM'
account_ou : NULL
admin_account : 'test14'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
ads_dns_lookup_srv: Failed to resolve
_ldap._tcp.TEST._sites.dc._msdcs.TESTDOM (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
ads_dns_lookup_srv: Failed to resolve _ldap._tcp.dc._msdcs.TESTDOM (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
resolve_lmhosts: Attempting lmhosts lookup for name TESTDOM<0x1c>
resolve_lmhosts: Attempting lmhosts lookup for name TESTDOM<0x1c>
No nmbd found
Connecting to host=RODC14
Connecting to 10.10.25.4 at port 445
Doing spnego session setup (blob length=136)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
get_dc_list: preferred server list: ", 10.10.25.4"
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'TESTDOM'
dns_domain_name : 'TESTDOM.COM.TR'
forest_name : 'TESTDOM.COM.TR'
dn : NULL
domain_sid : *
domain_sid :
S-1-5-21-2754586502-4077412898-2490043728
modified_config : 0x00 (0)
error_string : 'Failed to set account flags
for machine account (NT_STATUS_NOT_SUPPORTED)
'
domain_is_ad : 0x01 (1)
result : WERR_NOT_SUPPORTED
Failed to join domain: Failed to set account flags for machine account
(NT_STATUS_NOT_SUPPORTED)
return code = -1
[root@test14 ~]# net ads -d 10 testjoin
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
doing parameter netbios name = TEST14
handle_netbios_name: set global_myname to: TEST14
doing parameter realm = TESTDOM.COM.TR
doing parameter workgroup = TESTDOM
doing parameter security = ads
doing parameter encrypt passwords = yes
doing parameter password server = 10.10.25.4
doing parameter log level = 3
doing parameter log file = /var/log/samba.log
doing parameter ldap ssl = no
doing parameter idmap uid = 10000-20000
WARNING: The "idmap uid" option is deprecated
doing parameter idmap gid = 10000-20000
WARNING: The "idmap gid" option is deprecated
doing parameter winbind separator = /
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind use default domain = yes
doing parameter domain master = no
doing parameter local master = no
doing parameter preferred master = no
doing parameter template shell = /sbin/nologin
doing parameter getwd cache = yes
doing parameter winbind cache time = 100000
doing parameter ldap connection timeout = 1200
doing parameter ldap timeout = 2400
doing parameter allow trusted domains = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_DOMAIN_MEMBER
Substituting charset 'UTF-8' for LOCALE
Netbios name list:-
my_netbios_names[0]="TEST14"
added interface eth9.102 ip=fe80::20c:bdff:fe05:28f8%eth9.102
bcast=fe80::ffff:ffff:ffff:ffff%eth9.102 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=fe80::290:bff:fe21:43ac%eth1
bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface eth2 ip=fe80::290:bff:fe21:43ad%eth2
bcast=fe80::ffff:ffff:ffff:ffff%eth2 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=fe80::290:bff:fe27:b5bf%eth0
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth9.102 ip=95.0.0.26 bcast=95.0.0.31 netmask=255.255.255.248
added interface eth9.102:0 ip=95.0.0.27 bcast=95.0.0.31 netmask=255.255.255.248
added interface eth9.102:1 ip=95.0.0.28 bcast=95.0.0.31 netmask=255.255.255.248
added interface eth9.102:2 ip=95.0.0.29 bcast=95.0.0.31 netmask=255.255.255.248
added interface eth0 ip=169.254.1.1 bcast=169.254.255.255 netmask=255.255.0.0
added interface eth1 ip=10.10.1.5 bcast=10.10.1.255 netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
ads_dc_name: domain=TESTDOM
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
ads_find_dc: (cldap) looking for realm 'TESTDOM.COM.TR'
get_sorted_dc_list: attempting lookup for name TESTDOM.COM.TR
(sitename TEST) using [ads]
saf_fetch: Returning "RODC14.TESTDOM.COM.TR" for
"TESTDOM.COM.TR" domain
get_dc_list: preferred server list: "RODC14.TESTDOM.COM.TR,
10.10.25.4"
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
internal_resolve_name: looking up RODC14.TESTDOM.COM.TR#20 (sitename TEST)
name RODC14.TESTDOM.COM.TR#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 10.10.25.4:389
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
ads_try_connect: sending CLDAP request to 10.10.25.4 (realm: TESTDOM.COM.TR)
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x000028fc (10492)
0: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
0: NBT_SERVER_WRITABLE
0: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
1: NBT_SERVER_SELECT_SECRET_DOMAIN_6
0: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : c7ed3d57-928e-4c24-bccb-68d28cc2f56a
forest : 'TESTDOM.COM.TR'
dns_domain : 'TESTDOM.COM.TR'
pdc_dns_name : 'RODC14.TESTDOM.COM.TR'
domain_name : 'TESTDOM'
pdc_name : 'RODC14'
user_name : ''
server_site : 'TEST'
client_site : 'TEST'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
sitename_store: realm = [TESTDOM], sitename = [TEST], expire = [2147483647]
Adding cache entry with key = AD_SITENAME/DOMAIN/TESTDOM and timeout Tue Jan 19
05:14:07 2038
(797526619 seconds ahead)
sitename_store: realm = [TESTDOM.COM.TR], sitename = [TEST], expire [2147483647]
Adding cache entry with key = AD_SITENAME/DOMAIN/TESTDOM.COM.TR and
timeout = Tue Jan 19 05:14:07 2038
(797526618 seconds ahead)
Successfully contacted LDAP server 10.10.25.4
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
ads_closest_dc: NBT_SERVER_CLOSEST flag set
create_local_private_krb5_conf_for_domain: fname
/var/lib/samba/smb_krb5/krb5.conf.TESTDOM, realm = TESTDOM.COM.TR,
domain = TESTDOM
saf_fetch: Returning "RODC14.TESTDOM.COM.TR" for
"TESTDOM.COM.TR" domain
get_dc_list: preferred server list: "RODC14.TESTDOM.COM.TR,
10.10.25.4"
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
internal_resolve_name: looking up RODC14.TESTDOM.COM.TR#20 (sitename TEST)
name RODC14.TESTDOM.COM.TR#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 10.10.25.4:389
saf_fetch: Returning "RODC14.TESTDOM.COM.TR" for
"TESTDOM.COM.TR" domain
get_dc_list: preferred server list: "RODC14.TESTDOM.COM.TR,
10.10.25.4"
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
internal_resolve_name: looking up RODC14.TESTDOM.COM.TR#20 (sitename TEST)
name RODC14.TESTDOM.COM.TR#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 10.10.25.4:389
get_kdc_ip_string: Returning kdc = 10.10.25.4
create_local_private_krb5_conf_for_domain: wrote file
/var/lib/samba/smb_krb5/krb5.conf.TESTDOM with realm TESTDOM.COM.TR
KDC list = kdc = 10.10.25.4
ads_dc_name: using server='RODC14.TESTDOM.COM.TR' IP=10.10.25.4
ads_find_dc: (ldap) looking for realm 'TESTDOM.COM.TR'
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
ads_dc_name: domain=TESTDOM
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
ads_find_dc: (cldap) looking for realm 'TESTDOM.COM.TR'
get_sorted_dc_list: attempting lookup for name TESTDOM.COM.TR
(sitename TEST) using [ads]
saf_fetch: Returning "RODC14.TESTDOM.COM.TR" for
"TESTDOM.COM.TR" domain
get_dc_list: preferred server list: "RODC14.TESTDOM.COM.TR,
10.10.25.4"
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
internal_resolve_name: looking up RODC14.TESTDOM.COM.TR#20 (sitename TEST)
name RODC14.TESTDOM.COM.TR#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 10.10.25.4:389
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
ads_try_connect: sending CLDAP request to 10.10.25.4 (realm: TESTDOM.COM.TR)
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x000028fc (10492)
0: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
0: NBT_SERVER_WRITABLE
0: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
1: NBT_SERVER_SELECT_SECRET_DOMAIN_6
0: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : c7ed3d57-928e-4c24-bccb-68d28cc2f56a
forest : 'TESTDOM.COM.TR'
dns_domain : 'TESTDOM.COM.TR'
pdc_dns_name : 'RODC14.TESTDOM.COM.TR'
domain_name : 'TESTDOM'
pdc_name : 'RODC14'
user_name : ''
server_site : 'TEST'
client_site : 'TEST'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
sitename_store: realm = [TESTDOM], sitename = [TEST], expire = [2147483647]
Adding cache entry with key = AD_SITENAME/DOMAIN/TESTDOM and timeout Tue Jan 19
05:14:07 2038
(797526618 seconds ahead)
sitename_store: realm = [TESTDOM.COM.TR], sitename = [TEST], expire [2147483647]
Adding cache entry with key = AD_SITENAME/DOMAIN/TESTDOM.COM.TR and
timeout = Tue Jan 19 05:14:07 2038
(797526618 seconds ahead)
Successfully contacted LDAP server 10.10.25.4
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
ads_closest_dc: NBT_SERVER_CLOSEST flag set
create_local_private_krb5_conf_for_domain: fname
/var/lib/samba/smb_krb5/krb5.conf.TESTDOM, realm = TESTDOM.COM.TR,
domain = TESTDOM
saf_fetch: Returning "RODC14.TESTDOM.COM.TR" for
"TESTDOM.COM.TR" domain
get_dc_list: preferred server list: "RODC14.TESTDOM.COM.TR,
10.10.25.4"
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
internal_resolve_name: looking up RODC14.TESTDOM.COM.TR#20 (sitename TEST)
name RODC14.TESTDOM.COM.TR#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 10.10.25.4:389
saf_fetch: Returning "RODC14.TESTDOM.COM.TR" for
"TESTDOM.COM.TR" domain
get_dc_list: preferred server list: "RODC14.TESTDOM.COM.TR,
10.10.25.4"
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
internal_resolve_name: looking up RODC14.TESTDOM.COM.TR#20 (sitename TEST)
name RODC14.TESTDOM.COM.TR#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 10.10.25.4:389
get_kdc_ip_string: Returning kdc = 10.10.25.4
create_local_private_krb5_conf_for_domain: wrote file
/var/lib/samba/smb_krb5/krb5.conf.TESTDOM with realm TESTDOM.COM.TR
KDC list = kdc = 10.10.25.4
ads_dc_name: using server='RODC14.TESTDOM.COM.TR' IP=10.10.25.4
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
internal_resolve_name: looking up RODC14.TESTDOM.COM.TR#20 (sitename TEST)
name RODC14.TESTDOM.COM.TR#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
ads_try_connect: sending CLDAP request to 10.10.25.4 (realm: TESTDOM.COM.TR)
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x000028fc (10492)
0: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
0: NBT_SERVER_WRITABLE
0: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
1: NBT_SERVER_SELECT_SECRET_DOMAIN_6
0: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : c7ed3d57-928e-4c24-bccb-68d28cc2f56a
forest : 'TESTDOM.COM.TR'
dns_domain : 'TESTDOM.COM.TR'
pdc_dns_name : 'RODC14.TESTDOM.COM.TR'
domain_name : 'TESTDOM'
pdc_name : 'RODC14'
user_name : ''
server_site : 'TEST'
client_site : 'TEST'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
sitename_store: realm = [TESTDOM], sitename = [TEST], expire = [2147483647]
Adding cache entry with key = AD_SITENAME/DOMAIN/TESTDOM and timeout Tue Jan 19
05:14:07 2038
(797526618 seconds ahead)
sitename_store: realm = [TESTDOM.COM.TR], sitename = [TEST], expire [2147483647]
Adding cache entry with key = AD_SITENAME/DOMAIN/TESTDOM.COM.TR and
timeout = Tue Jan 19 05:14:07 2038
(797526618 seconds ahead)
Successfully contacted LDAP server 10.10.25.4
Opening connection to LDAP server 'RODC14.TESTDOM.COM.TR:389', timeout
2400 seconds
Connected to LDAP server 'RODC14.TESTDOM.COM.TR:389'
Connected to LDAP server RODC14.TESTDOM.COM.TR
ads_closest_dc: NBT_SERVER_CLOSEST flag set
saf_store: domain = [TESTDOM], server = [RODC14.TESTDOM.COM.TR],
expire = [1349957929]
Adding cache entry with key = SAF/DOMAIN/TESTDOM and timeout = Thu Oct
11 15:18:49 2012
(900 seconds ahead)
saf_store: domain = [TESTDOM.COM.TR], server [RODC14.TESTDOM.COM.TR], expire =
[1349957929]
Adding cache entry with key = SAF/DOMAIN/TESTDOM.COM.TR and timeout Thu Oct 11
15:18:49 2012
(900 seconds ahead)
Substituting charset 'UTF-8' for LOCALE
time offset is -3 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name
not_defined_in_RFC4178@please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit
kerberos_kinit_password: as TEST14$@TESTDOM.COM.TR using
[MEMORY:net_ads] as ccache and config
[/var/lib/samba/smb_krb5/krb5.conf.TESTDOM]
ads_krb5_mk_req: smb_krb5_get_credentials failed for
ldap/rodc14.TESTDOM.COM.TR@TESTDOM.COM.TR (Decrypt integrity check
failed)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Decrypt
integrity check failed
ads_find_dc: (ldap) looking for realm 'TESTDOM.COM.TR'
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
ads_dc_name: domain=TESTDOM
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
ads_find_dc: (cldap) looking for realm 'TESTDOM.COM.TR'
get_sorted_dc_list: attempting lookup for name TESTDOM.COM.TR
(sitename TEST) using [ads]
saf_fetch: Returning "RODC14.TESTDOM.COM.TR" for
"TESTDOM.COM.TR" domain
get_dc_list: preferred server list: "RODC14.TESTDOM.COM.TR,
10.10.25.4"
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
internal_resolve_name: looking up RODC14.TESTDOM.COM.TR#20 (sitename TEST)
name RODC14.TESTDOM.COM.TR#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 10.10.25.4:389
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
ads_try_connect: sending CLDAP request to 10.10.25.4 (realm: TESTDOM.COM.TR)
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x000028fc (10492)
0: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
0: NBT_SERVER_WRITABLE
0: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
1: NBT_SERVER_SELECT_SECRET_DOMAIN_6
0: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : c7ed3d57-928e-4c24-bccb-68d28cc2f56a
forest : 'TESTDOM.COM.TR'
dns_domain : 'TESTDOM.COM.TR'
pdc_dns_name : 'RODC14.TESTDOM.COM.TR'
domain_name : 'TESTDOM'
pdc_name : 'RODC14'
user_name : ''
server_site : 'TEST'
client_site : 'TEST'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
sitename_store: realm = [TESTDOM], sitename = [TEST], expire = [2147483647]
Adding cache entry with key = AD_SITENAME/DOMAIN/TESTDOM and timeout Tue Jan 19
05:14:07 2038
(797526618 seconds ahead)
sitename_store: realm = [TESTDOM.COM.TR], sitename = [TEST], expire [2147483647]
Adding cache entry with key = AD_SITENAME/DOMAIN/TESTDOM.COM.TR and
timeout = Tue Jan 19 05:14:07 2038
(797526618 seconds ahead)
Successfully contacted LDAP server 10.10.25.4
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
ads_closest_dc: NBT_SERVER_CLOSEST flag set
create_local_private_krb5_conf_for_domain: fname
/var/lib/samba/smb_krb5/krb5.conf.TESTDOM, realm = TESTDOM.COM.TR,
domain = TESTDOM
saf_fetch: Returning "RODC14.TESTDOM.COM.TR" for
"TESTDOM.COM.TR" domain
get_dc_list: preferred server list: "RODC14.TESTDOM.COM.TR,
10.10.25.4"
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
internal_resolve_name: looking up RODC14.TESTDOM.COM.TR#20 (sitename TEST)
name RODC14.TESTDOM.COM.TR#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 10.10.25.4:389
saf_fetch: Returning "RODC14.TESTDOM.COM.TR" for
"TESTDOM.COM.TR" domain
get_dc_list: preferred server list: "RODC14.TESTDOM.COM.TR,
10.10.25.4"
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
internal_resolve_name: looking up RODC14.TESTDOM.COM.TR#20 (sitename TEST)
name RODC14.TESTDOM.COM.TR#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
check_negative_conn_cache returning result 0 for domain TESTDOM.COM.TR
server 10.10.25.4
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 10.10.25.4:389
get_kdc_ip_string: Returning kdc = 10.10.25.4
create_local_private_krb5_conf_for_domain: wrote file
/var/lib/samba/smb_krb5/krb5.conf.TESTDOM with realm TESTDOM.COM.TR
KDC list = kdc = 10.10.25.4
ads_dc_name: using server='RODC14.TESTDOM.COM.TR' IP=10.10.25.4
sitename_fetch: Returning sitename for TESTDOM.COM.TR: "TEST"
internal_resolve_name: looking up RODC14.TESTDOM.COM.TR#20 (sitename TEST)
name RODC14.TESTDOM.COM.TR#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
ads_try_connect: sending CLDAP request to 10.10.25.4 (realm: TESTDOM.COM.TR)
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x000028fc (10492)
0: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
0: NBT_SERVER_WRITABLE
0: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
1: NBT_SERVER_SELECT_SECRET_DOMAIN_6
0: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : c7ed3d57-928e-4c24-bccb-68d28cc2f56a
forest : 'TESTDOM.COM.TR'
dns_domain : 'TESTDOM.COM.TR'
pdc_dns_name : 'RODC14.TESTDOM.COM.TR'
domain_name : 'TESTDOM'
pdc_name : 'RODC14'
user_name : ''
server_site : 'TEST'
client_site : 'TEST'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
sitename_store: realm = [TESTDOM], sitename = [TEST], expire = [2147483647]
Adding cache entry with key = AD_SITENAME/DOMAIN/TESTDOM and timeout Tue Jan 19
05:14:07 2038
(797526618 seconds ahead)
sitename_store: realm = [TESTDOM.COM.TR], sitename = [TEST], expire [2147483647]
Adding cache entry with key = AD_SITENAME/DOMAIN/TESTDOM.COM.TR and
timeout = Tue Jan 19 05:14:07 2038
(797526618 seconds ahead)
Successfully contacted LDAP server 10.10.25.4
Opening connection to LDAP server 'RODC14.TESTDOM.COM.TR:389', timeout
2400 seconds
Connected to LDAP server 'RODC14.TESTDOM.COM.TR:389'
Connected to LDAP server RODC14.TESTDOM.COM.TR
ads_closest_dc: NBT_SERVER_CLOSEST flag set
saf_store: domain = [TESTDOM], server = [RODC14.TESTDOM.COM.TR],
expire = [1349957929]
Adding cache entry with key = SAF/DOMAIN/TESTDOM and timeout = Thu Oct
11 15:18:49 2012
(900 seconds ahead)
saf_store: domain = [TESTDOM.COM.TR], server [RODC14.TESTDOM.COM.TR], expire =
[1349957929]
Adding cache entry with key = SAF/DOMAIN/TESTDOM.COM.TR and timeout Thu Oct 11
15:18:49 2012
(900 seconds ahead)
time offset is -3 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name
not_defined_in_RFC4178@please_ignore
ads_krb5_mk_req: smb_krb5_get_credentials failed for
ldap/rodc14.TESTDOM.COM.TR@TESTDOM.COM.TR (Decrypt integrity check
failed)
ads_sasl_spnego_krb5_bind failed with: Decrypt integrity check failed,
calling kinit
kerberos_kinit_password: as TEST14$@TESTDOM.COM.TR using
[MEMORY:net_ads] as ccache and config
[/var/lib/samba/smb_krb5/krb5.conf.TESTDOM]
kerberos_kinit_password TEST14$@TESTDOM.COM.TR failed: A service is
not available that is required to process the request
Join to domain is not valid: Undetermined error
return code = -1
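
Added example, not part of the original post and not Samba code: a small Python parser for the CLDAP replies in a "net ads -d 10" log like the one above. It decodes each server_type bitmask and reports whether the contacted DC advertises itself as writable, which matters because a join has to create or modify the machine account. The function names are hypothetical, the first sample record reuses the values printed in the post, and the second (DC01.EXAMPLE.TEST, 0x000033fd) is constructed for contrast.

```python
import re

# Bit assignments of the NETLOGON server_type field, named as Samba prints them.
NBT_SERVER_FLAGS = [
    (0x00000001, "NBT_SERVER_PDC"),
    (0x00000004, "NBT_SERVER_GC"),
    (0x00000008, "NBT_SERVER_LDAP"),
    (0x00000010, "NBT_SERVER_DS"),
    (0x00000020, "NBT_SERVER_KDC"),
    (0x00000040, "NBT_SERVER_TIMESERV"),
    (0x00000080, "NBT_SERVER_CLOSEST"),
    (0x00000100, "NBT_SERVER_WRITABLE"),
    (0x00000200, "NBT_SERVER_GOOD_TIMESERV"),
    (0x00000400, "NBT_SERVER_NDNC"),
    (0x00000800, "NBT_SERVER_SELECT_SECRET_DOMAIN_6"),
    (0x00001000, "NBT_SERVER_FULL_SECRET_DOMAIN_6"),
    (0x00002000, "NBT_SERVER_ADS_WEB_SERVICE"),
    (0x20000000, "NBT_SERVER_HAS_DNS_NAME"),
    (0x40000000, "NBT_SERVER_IS_DEFAULT_NC"),
    (0x80000000, "NBT_SERVER_FOREST_ROOT"),
]
KNOWN_MASK = sum(bit for bit, _ in NBT_SERVER_FLAGS)

_SERVER_TYPE = re.compile(r"server_type\s*:\s*0x([0-9a-fA-F]+)")
_PDC_DNS_NAME = re.compile(r"pdc_dns_name\s*:\s*'([^']*)'")


def decode_server_type(value):
    """Return the names of the flags set in a server_type bitmask, low bit first."""
    return [name for bit, name in NBT_SERVER_FLAGS if value & bit]


def dc_capabilities(log_text):
    """Extract one record per CLDAP reply found in a Samba debug log."""
    records = []
    for line in log_text.splitlines():
        m = _SERVER_TYPE.search(line)
        if m:
            value = int(m.group(1), 16)
            flags = decode_server_type(value)
            records.append({
                "dc": None,  # filled in by the pdc_dns_name line that follows
                "server_type": value,
                "flags": flags,
                "writable": "NBT_SERVER_WRITABLE" in flags,
                "read_only": "NBT_SERVER_SELECT_SECRET_DOMAIN_6" in flags,
                "unknown_bits": value & ~KNOWN_MASK,
            })
            continue
        m = _PDC_DNS_NAME.search(line)
        if m and records and records[-1]["dc"] is None:
            records[-1]["dc"] = m.group(1)
    return records


def join_blockers(record):
    """List the advertised properties that rule this DC out for directory writes."""
    reasons = []
    if not record["writable"]:
        reasons.append("NBT_SERVER_WRITABLE is not set")
    if record["read_only"]:
        reasons.append("NBT_SERVER_SELECT_SECRET_DOMAIN_6 is set (read-only DC)")
    return reasons


# First reply: values as printed in the post. Second reply: constructed sample.
SAMPLE_LOG = """\
ads_try_connect: sending CLDAP request to 10.10.25.4 (realm: TESTDOM.COM.TR)
server_type : 0x000028fc (10492)
pdc_dns_name : 'RODC14.TESTDOM.COM.TR'
ads_try_connect: sending CLDAP request to 192.0.2.10 (realm: EXAMPLE.TEST)
server_type : 0x000033fd (13309)
pdc_dns_name : 'DC01.EXAMPLE.TEST'
"""

if __name__ == "__main__":
    for rec in dc_capabilities(SAMPLE_LOG):
        blockers = join_blockers(rec)
        verdict = "not usable for a join: " + "; ".join(blockers) if blockers else "writable"
        print("%s 0x%08x %s" % (rec["dc"], rec["server_type"], verdict))
```

Running it over a fresh log after any change on the DC side shows whether the server Samba actually selected still answers without NBT_SERVER_WRITABLE.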