Hi,

I've got a problem joining a domain with samba 4.1.17 on freebsd.

Every time I try it, the join fails with a core dump.
Debugging it, it seems that it is stuck on authentication. Kerberos
works, I get credentials, but if I try to join the domain, it fails.

The problem seems to be somewhere in this debug-output:

1. net ads join:

Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
kerberos_kinit_password: as Administrator using [MEMORY:cliconnect] as ccache and config [(null)]
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/dc2.ad.dilken.eu@AD.DILKEN.EU
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Mi, 11 M?r 2015 05:00:16 CET
ads_krb5_mk_req: Ticket (cifs/dc2.ad.dilken.eu@AD.DILKEN.EU) in ccache (MEMORY:cliconnect) is valid until: (Mi, 11 M?r 2015 05:00:16 CET - 1426046416)
Got KRB5 session key of length 16

2. samba-tool domain join

added interface nfe0 ip=192.168.2.87 bcast=192.168.2.255 netmask=255.255.255.0
added interface nfe0 ip=192.168.2.87 bcast=192.168.2.255 netmask=255.255.255.0
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 4
TCP_KEEPCNT = 0
TCP_KEEPIDLE = 0
TCP_KEEPINTVL = 0
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 66608
SO_RCVBUF = 66608
SO_SNDLOWAT = 2048
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 292
Received smb_krb5 packet of length 1293
Received smb_krb5 packet of length 1310
Received smb_krb5 packet of length 1288
gensec_gssapi: credentials were delegated
GSSAPI Connection will have no cryptographic protection
Bus error (Speicherabzug geschrieben)

Any hints? I've tried the whole day but I can't find where the failure is..

Oh, and via samba36, it worked.. I think there is some issue with krb5?

My smb4.conf:

[global]
netbios name = fileserver
workgroup = AD
security = ADS
realm = AD.DILKEN.EU
dedicated keytab file = /usr/local/etc/krb5.keytab
nsupdate command = /usr/local/bin/samba-nsupdate -g
server role = member server
winbind refresh tickets = yes
#socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
use sendfile = true
idmap_ldp:use rfc2307 = yes
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 10000-99999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
log level = 10
read only = no
inherit permissions = No
inherit acls = No
inherit owner = No
force unknown acl user = No
store dos attributes = Yes
map read only = No
vfs objects = zfsacl
And krb5.conf:
[libdefaults]
default_realm = AD.DILKEN.EU
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
ticket_lifetime = 24h
renew_lifetime = 7d
Greetings,
Roman

On 10/03/15 18:05, Roman Dilken wrote:
> Hi,
>
> I've got a problem joining a domain with samba 4.1.17 on freebsd.
>
> Every time I try it, the join fails with a core dump.
> Debugging it, it seems that it is stuck on authentication. Kerberos
> works, I get credentials, but if I try to join the domain, it fails.
>
> The problem seems to be somewhere in this debug-output:
>
> 1. net ads join:
>
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178@please_ignore
> kerberos_kinit_password: as Administrator using [MEMORY:cliconnect] as
> ccache and config [(null)]
> cli_session_setup_spnego: using target hostname not SPNEGO principal
> cli_session_setup_spnego: guessed server
> principal=cifs/dc2.ad.dilken.eu@AD.DILKEN.EU
> Doing kerberos session setup
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
> expiration Mi, 11 M?r 2015 05:00:16 CET
> ads_krb5_mk_req: Ticket (cifs/dc2.ad.dilken.eu@AD.DILKEN.EU) in ccache
> (MEMORY:cliconnect) is valid until: (Mi, 11 M?r 2015 05:00:16 CET -
> 1426046416)
> Got KRB5 session key of length 16
>
> 2. samba-tool domain join
>
> added interface nfe0 ip=192.168.2.87 bcast=192.168.2.255
> netmask=255.255.255.0
> added interface nfe0 ip=192.168.2.87 bcast=192.168.2.255
> netmask=255.255.255.0
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 4
> TCP_KEEPCNT = 0
> TCP_KEEPIDLE = 0
> TCP_KEEPINTVL = 0
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_REUSEPORT = 0
> SO_SNDBUF = 66608
> SO_RCVBUF = 66608
> SO_SNDLOWAT = 2048
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> Received smb_krb5 packet of length 292
> Received smb_krb5 packet of length 1293
> Received smb_krb5 packet of length 1310
> Received smb_krb5 packet of length 1288
> gensec_gssapi: credentials were delegated
> GSSAPI Connection will have no cryptographic protection
> Bus error (Speicherabzug geschrieben)
>
> Any hints? I've tried the whole day but I can't find where the failure is..
>
> Oh, and via samba36, it worked.. I think there is some issue with krb5?
>
> My smb4.conf:
>
> [global]
>
> netbios name = fileserver
> workgroup = AD
> security = ADS
> realm = AD.DILKEN.EU
> dedicated keytab file = /usr/local/etc/krb5.keytab
> nsupdate command = /usr/local/bin/samba-nsupdate -g
> server role = member server
> winbind refresh tickets = yes
> #socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072
> SO_SNDBUF=131072
>
> use sendfile = true
>
> idmap_ldp:use rfc2307 = yes
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config AD:backend = ad
> idmap config AD:schema_mode = rfc2307
> idmap config AD:range = 10000-99999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> log level = 10
>
> read only = no
> inherit permissions = No
> inherit acls = No
> inherit owner = No
> force unknown acl user = No
> store dos attributes = Yes
> map read only = No
> vfs objects = zfsacl
>
> And krb5.conf:
> [libdefaults]
> default_realm = AD.DILKEN.EU
> dns_lookup_realm = true
> dns_lookup_kdc = true
> forwardable = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
>
> Greetings,
>
> Roman

Hi, what are you trying to join to?

Remove this line 'idmap_ldp:use rfc2307 = yes'

one) it should be 'idmap_ldb:use rfc2307 = yes' two) it is only
used on a DC.

How are you trying to do the join?

Rowland

On 10.03.2015 19:25, Rowland Penny wrote:
> Hi, what are you trying to join to?
>
> Remove this line 'idmap_ldp:use rfc2307 = yes'
>
> one) it should be 'idmap_ldb:use rfc2307 = yes' two) it is only
> used on a DC.
>
> How are you trying to do the join ?
>
> Rowland

Hi,

I commented it out but it didn't change the behaviour.

I tried the following commands:

1.) samba-tool domain join ad.dilken.eu MEMBER -UAdministrator --realm=AD.DILKEN.EU --site=Neuoetting -d 10

Result (last lines):

Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 291
Received smb_krb5 packet of length 1293
Received smb_krb5 packet of length 1310
Received smb_krb5 packet of length 1288
gensec_gssapi: credentials were delegated
GSSAPI Connection will have no cryptographic protection

2.) net ads join -UAdministrator -d 10 -k

Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
kerberos_kinit_password: as Administrator using [MEMORY:cliconnect] as ccache and config [(null)]
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/dc2.ad.dilken.eu@AD.DILKEN.EU
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Mi, 11 M?r 2015 05:58:30 CET
ads_krb5_mk_req: Ticket (cifs/dc2.ad.dilken.eu@AD.DILKEN.EU) in ccache (MEMORY:cliconnect) is valid until: (Mi, 11 M?r 2015 05:58:30 CET - 1426049910)
Got KRB5 session key of length 16

I want to join the freebsd-machine as member-server for winbind. It's my workstation.

Greetings,
Roman
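
Added example (not part of the thread and not Samba code): Samba stores any "prefix:option" key as a parametric option without checking the prefix, so a misspelling like 'idmap_ldp' is silently ignored. This sketch lints a [global] section for the two points in Rowland's reply; the known-prefix list, the DC role spellings, the function names and the sample config are assumptions constructed for illustration.

```python
import difflib

# Assumptions: the only known prefix is the one named in the thread, and
# these 'server role' spellings denote an AD domain controller.
KNOWN_PREFIXES = ["idmap_ldb"]
DC_ROLES = {"active directory domain controller", "domain controller", "dc"}

# Constructed sample, trimmed from the smb4.conf posted in the thread.
SAMPLE = """\
[global]
security = ADS
server role = member server
idmap_ldp:use rfc2307 = yes
idmap config *:backend = tdb
"""

def parse_global(text):
    """Return {lower-cased key: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint(text):
    """Flag misspelled parametric prefixes and DC-only options on non-DCs."""
    params = parse_global(text)
    role = params.get("server role", "auto").lower()
    findings = []
    for key in params:
        # 'idmap config DOMAIN:opt' is its own syntax, not a module prefix.
        if ":" not in key or key.startswith("idmap config "):
            continue
        prefix = key.split(":", 1)[0].strip()
        if prefix not in KNOWN_PREFIXES:
            close = difflib.get_close_matches(prefix, KNOWN_PREFIXES, n=1, cutoff=0.8)
            if not close:
                continue
            findings.append(("typo", key, close[0]))
            prefix = close[0]
        if prefix == "idmap_ldb" and role not in DC_ROLES:
            findings.append(("dc-only", key, role))
    return findings
```

Calling lint(SAMPLE) reports both the misspelled prefix and the fact that the option is set on a member server.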