Hi,

I've got a problem joining a domain with Samba 4.1.17 on FreeBSD.

Every time I try it, the join fails with a core dump.
Debugging it, it seems that it is stuck on authentication. Kerberos works, I get credentials, but if I try to join the domain, it fails.

The problem seems to be somewhere in this debug output:

1. net ads join:

Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
kerberos_kinit_password: as Administrator using [MEMORY:cliconnect] as ccache and config [(null)]
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/dc2.ad.dilken.eu at AD.DILKEN.EU
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Mi, 11 M?r 2015 05:00:16 CET
ads_krb5_mk_req: Ticket (cifs/dc2.ad.dilken.eu at AD.DILKEN.EU) in ccache (MEMORY:cliconnect) is valid until: (Mi, 11 M?r 2015 05:00:16 CET - 1426046416)
Got KRB5 session key of length 16

2. samba-tool domain join

added interface nfe0 ip=192.168.2.87 bcast=192.168.2.255 netmask=255.255.255.0
added interface nfe0 ip=192.168.2.87 bcast=192.168.2.255 netmask=255.255.255.0
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 4
TCP_KEEPCNT = 0
TCP_KEEPIDLE = 0
TCP_KEEPINTVL = 0
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 66608
SO_RCVBUF = 66608
SO_SNDLOWAT = 2048
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 292
Received smb_krb5 packet of length 1293
Received smb_krb5 packet of length 1310
Received smb_krb5 packet of length 1288
gensec_gssapi: credentials were delegated
GSSAPI Connection will have no cryptographic protection
Bus error (Speicherabzug geschrieben)

Any hints? I've been trying the whole day but I can't find where the failure is.

Oh, and via samba36, it worked. I think there is some issue with krb5?

My smb4.conf:

[global]

netbios name = fileserver
workgroup = AD
security = ADS
realm = AD.DILKEN.EU
dedicated keytab file = /usr/local/etc/krb5.keytab
nsupdate command = /usr/local/bin/samba-nsupdate -g
server role = member server
winbind refresh tickets = yes
#socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072

use sendfile = true

idmap_ldp:use rfc2307 = yes
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 10000-99999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

log level = 10

read only = no
inherit permissions = No
inherit acls = No
inherit owner = No
force unknown acl user = No
store dos attributes = Yes
map read only = No
vfs objects = zfsacl

And krb5.conf:

[libdefaults]
default_realm = AD.DILKEN.EU
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
ticket_lifetime = 24h
renew_lifetime = 7d

Greetings,
Roman

On 10/03/15 18:05, Roman Dilken wrote:
> Hi,
>
> I've got a problem joining a domain with Samba 4.1.17 on FreeBSD.
>
> Every time I try it, the join fails with a core dump.
> Debugging it, it seems that it is stuck on authentication. Kerberos
> works, I get credentials, but if I try to join the domain, it fails.
>
> The problem seems to be somewhere in this debug output:
>
> 1. net ads join:
>
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178 at please_ignore
> kerberos_kinit_password: as Administrator using [MEMORY:cliconnect] as
> ccache and config [(null)]
> cli_session_setup_spnego: using target hostname not SPNEGO principal
> cli_session_setup_spnego: guessed server
> principal=cifs/dc2.ad.dilken.eu at AD.DILKEN.EU
> Doing kerberos session setup
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
> expiration Mi, 11 M?r 2015 05:00:16 CET
> ads_krb5_mk_req: Ticket (cifs/dc2.ad.dilken.eu at AD.DILKEN.EU) in ccache
> (MEMORY:cliconnect) is valid until: (Mi, 11 M?r 2015 05:00:16 CET -
> 1426046416)
> Got KRB5 session key of length 16
>
> 2. samba-tool domain join
>
> added interface nfe0 ip=192.168.2.87 bcast=192.168.2.255
> netmask=255.255.255.0
> added interface nfe0 ip=192.168.2.87 bcast=192.168.2.255
> netmask=255.255.255.0
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 4
> TCP_KEEPCNT = 0
> TCP_KEEPIDLE = 0
> TCP_KEEPINTVL = 0
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_REUSEPORT = 0
> SO_SNDBUF = 66608
> SO_RCVBUF = 66608
> SO_SNDLOWAT = 2048
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> Received smb_krb5 packet of length 292
> Received smb_krb5 packet of length 1293
> Received smb_krb5 packet of length 1310
> Received smb_krb5 packet of length 1288
> gensec_gssapi: credentials were delegated
> GSSAPI Connection will have no cryptographic protection
> Bus error (Speicherabzug geschrieben)
>
> Any hints? I've been trying the whole day but I can't find where the
> failure is.
>
> Oh, and via samba36, it worked. I think there is some issue with krb5?
>
> My smb4.conf:
>
> [global]
>
> netbios name = fileserver
> workgroup = AD
> security = ADS
> realm = AD.DILKEN.EU
> dedicated keytab file = /usr/local/etc/krb5.keytab
> nsupdate command = /usr/local/bin/samba-nsupdate -g
> server role = member server
> winbind refresh tickets = yes
> #socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072
> SO_SNDBUF=131072
>
> use sendfile = true
>
> idmap_ldp:use rfc2307 = yes
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config AD:backend = ad
> idmap config AD:schema_mode = rfc2307
> idmap config AD:range = 10000-99999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> log level = 10
>
> read only = no
> inherit permissions = No
> inherit acls = No
> inherit owner = No
> force unknown acl user = No
> store dos attributes = Yes
> map read only = No
> vfs objects = zfsacl
>
> And krb5.conf:
> [libdefaults]
> default_realm = AD.DILKEN.EU
> dns_lookup_realm = true
> dns_lookup_kdc = true
> forwardable = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
>
> Greetings,
>
> Roman
>

Hi, what are you trying to join to?

Remove this line 'idmap_ldp:use rfc2307 = yes'

one) it should be 'idmap_ldb:use rfc2307 = yes' two) it is only used on a DC.

How are you trying to do the join?

Rowland

On 10.03.2015 19:25, Rowland Penny wrote:
>
> Hi, what are you trying to join to?
>
> Remove this line 'idmap_ldp:use rfc2307 = yes'
>
> one) it should be 'idmap_ldb:use rfc2307 = yes' two) it is only
> used on a DC.
>
> How are you trying to do the join?
>
> Rowland
>

Hi,

I commented it out but it didn't change the behaviour.

I tried the following commands:

1.) samba-tool domain join ad.dilken.eu MEMBER -UAdministrator --realm=AD.DILKEN.EU --site=Neuoetting -d 10

Result (last lines):

Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 291
Received smb_krb5 packet of length 1293
Received smb_krb5 packet of length 1310
Received smb_krb5 packet of length 1288
gensec_gssapi: credentials were delegated
GSSAPI Connection will have no cryptographic protection

2.) net ads join -UAdministrator -d 10 -k

Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
kerberos_kinit_password: as Administrator using [MEMORY:cliconnect] as ccache and config [(null)]
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/dc2.ad.dilken.eu at AD.DILKEN.EU
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Mi, 11 M?r 2015 05:58:30 CET
ads_krb5_mk_req: Ticket (cifs/dc2.ad.dilken.eu at AD.DILKEN.EU) in ccache (MEMORY:cliconnect) is valid until: (Mi, 11 M?r 2015 05:58:30 CET - 1426049910)
Got KRB5 session key of length 16

I want to join the FreeBSD machine as a member server for winbind. It's my workstation.

Greetings,
Roman