Daniel Carrasco Marín
2015-Apr-25 13:02 UTC
[Samba] I can't join the new AD server with Samba4
Sorry, I forgot to revert another test I did, but the result is the same:
---------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------
sudo net ads join -U "Administrator" -d 5
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = TTU
doing parameter security = ADS
doing parameter realm = TTU.RED
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config TTU:backend = ad
doing parameter idmap config TTU:schema_mode = rfc2307
doing parameter idmap config TTU:range = 10000-99999
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind refresh tickets = Yes
doing parameter winbind expand groups = 4
doing parameter winbind normalize names = Yes
doing parameter domain master = no
doing parameter local master = no
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter store dos attributes = Yes
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="GLOTON"
added interface eth1 ip=172.30.0.230 bcast=172.30.0.255
netmask=255.255.255.0
added interface eth0 ip=192.168.2.230 bcast=192.168.2.255
netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
Enter Administrator's password:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'GLOTON'
domain_name : *
domain_name : 'TTU.RED'
account_ou : NULL
admin_account : 'Administrator'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for TTU.RED:
"Default-First-Site-Name"
ads_dns_lookup_srv: 1 records returned in the answer section.
sitename_fetch: Returning sitename for TTU.RED:
"Default-First-Site-Name"
name pdc.ttu.red#20 found.
Connecting to 192.168.2.251 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 24040
SO_RCVBUF = 87380
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 32
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 168
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 32
saf_fetch[join]: Returning "pdc.ttu.red" for "ttu.red"
domain
get_dc_list: preferred server list: "pdc.ttu.red, *"
name ttu.red#1C found.
sitename_fetch: Returning sitename for TTU.RED:
"Default-First-Site-Name"
name pdc.ttu.red#20 found.
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.2.251:389
create_local_private_krb5_conf_for_domain: wrote file
/var/run/samba/smb_krb5/krb5.conf.TTU with realm TTU.RED KDC list kdc =
192.168.2.251
Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 32
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 32
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 40
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 44
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 32
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 12
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 12
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 32
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 32
rpc_api_pipe: host pdc.ttu.red
rpc_read_send: data_to_read: 32
check lock order 1 for /var/lib/samba/private/secrets.tdb
release lock order 1 for /var/lib/samba/private/secrets.tdb
check lock order 1 for /var/lib/samba/private/secrets.tdb
release lock order 1 for /var/lib/samba/private/secrets.tdb
check lock order 1 for /var/lib/samba/private/secrets.tdb
release lock order 1 for /var/lib/samba/private/secrets.tdb
check lock order 1 for /var/lib/samba/private/secrets.tdb
release lock order 1 for /var/lib/samba/private/secrets.tdb
check lock order 1 for /var/lib/samba/private/secrets.tdb
release lock order 1 for /var/lib/samba/private/secrets.tdb
sitename_fetch: Returning sitename for TTU.RED:
"Default-First-Site-Name"
name pdc.ttu.red#20 found.
ads_try_connect: sending CLDAP request to 192.168.2.251 (realm: ttu.red)
Successfully contacted LDAP server 192.168.2.251
Connected to LDAP server pdc.ttu.red
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name not_defined_in_RFC4178 at
please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el
directorio)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration dom,
26 abr 2015 00:59:09 CEST
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'TTU'
dns_domain_name : 'ttu.red'
forest_name : 'ttu.red'
dn : NULL
domain_sid : *
domain_sid :
S-1-5-21-127850397-371183867-665961664
modified_config : 0x00 (0)
error_string : 'failed to connect to AD: Invalid
credentials'
domain_is_ad : 0x01 (1)
result : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: Invalid credentials
return code = -1
---------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------
Greetings!!
2015-04-25 14:52 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 25/04/15 13:27, Daniel Carrasco Marín wrote:
>
>> Hi, I'm sorry for my English.
>>
>> I've migrated an old 3.6 Samba domain to Samba 4.1 and the Windows part is
>> working fine (I can join and manage the server from a Windows Machine), but
>> when I try to join the domain from another Linux server it fails.
>>
>> I've followed this guide to migrate:
>>
>> https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29
>>
>> and this for join:
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> My config file looks like the guide
>>
>
> From what you have posted, your smb.conf doesn't seem to look anything
> like the one on the member server page:
>
> [global]
> security = domain
> workgroup = TTU
> realm = ttu.red
> wins server = 192.168.2.251
> server role = standalone server
> passdb backend = tdbsam
> domain master = no
> server string = Print Server
> encrypt passwords = yes
> winbind nss info = rfc2307
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind normalize names = yes
> idmap config TTU : backend = ad
> idmap config * : backend = tdb
> idmap config * : range = 1000-20000000
>
> There is also this:
>
> params.c:Parameter() - Ignoring badly formed line in configuration file:
> rfc2307
>
> Rowland
>
>
>> and the join command shows:
>> -----------------------------------------------------------------------
>> -----------------------------------------------------------------------
>> # net ads join -UAdministrator -d 5
>> INFO: Current debug levels:
>> all: 5
>> tdb: 5
>> printdrivers: 5
>> lanman: 5
>> smb: 5
>> rpc_parse: 5
>> rpc_srv: 5
>> rpc_cli: 5
>> passdb: 5
>> sam: 5
>> auth: 5
>> winbind: 5
>> vfs: 5
>> idmap: 5
>> quota: 5
>> acls: 5
>> locking: 5
>> msdfs: 5
>> dmapi: 5
>> registry: 5
>> scavenger: 5
>> dns: 5
>> ldb: 5
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> INFO: Current debug levels:
>> all: 5
>> tdb: 5
>> printdrivers: 5
>> lanman: 5
>> smb: 5
>> rpc_parse: 5
>> rpc_srv: 5
>> rpc_cli: 5
>> passdb: 5
>> sam: 5
>> auth: 5
>> winbind: 5
>> vfs: 5
>> idmap: 5
>> quota: 5
>> acls: 5
>> locking: 5
>> msdfs: 5
>> dmapi: 5
>> registry: 5
>> scavenger: 5
>> dns: 5
>> ldb: 5
>> params.c:pm_process() - Processing configuration file
>> "/etc/samba/smb.conf"
>> params.c:Parameter() - Ignoring badly formed line in configuration file:
>> rfc2307[global]
>> doing parameter security = domain
>> doing parameter workgroup = TTU
>> doing parameter realm = ttu.red
>> doing parameter wins server = 192.168.2.251
>> doing parameter server role = standalone server
>> doing parameter passdb backend = tdbsam
>> doing parameter domain master = no
>> doing parameter server string = Print Server
>> doing parameter encrypt passwords = yes
>> doing parameter winbind nss info = rfc2307
>> doing parameter winbind enum users = Yes
>> doing parameter winbind enum groups = Yes
>> doing parameter winbind use default domain = Yes
>> doing parameter winbind refresh tickets = Yes
>> doing parameter winbind normalize names = yes
>> doing parameter idmap config TTU : backend = ad
>> doing parameter idmap config * : backend = tdb
>> doing parameter idmap config * : range = 1000-20000000
>> pm_process() returned Yes
>> Netbios name list:-
>> my_netbios_names[0]="GLOTON"
>> added interface eth1 ip=172.30.0.230 bcast=172.30.0.255
>> netmask=255.255.255.0
>> added interface eth0 ip=192.168.2.230 bcast=192.168.2.255
>> netmask=255.255.255.0
>> Registering messaging pointer for type 2 - private_data=(nil)
>> Registering messaging pointer for type 9 - private_data=(nil)
>> Registered MSG_REQ_POOL_USAGE
>> Registering messaging pointer for type 11 - private_data=(nil)
>> Registering messaging pointer for type 12 - private_data=(nil)
>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>> Registering messaging pointer for type 1 - private_data=(nil)
>> Registering messaging pointer for type 5 - private_data=(nil)
>> Enter Administrator's password:
>> libnet_Join:
>> libnet_JoinCtx: struct libnet_JoinCtx
>> in: struct libnet_JoinCtx
>> dc_name : NULL
>> machine_name : 'GLOTON'
>> domain_name : *
>> domain_name : 'TTU.RED'
>> account_ou : NULL
>> admin_account : 'Administrator'
>> machine_password : NULL
>> join_flags : 0x00000023 (35)
>> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>> os_version : NULL
>> os_name : NULL
>> create_upn : 0x00 (0)
>> upn : NULL
>> modify_config : 0x00 (0)
>> ads : NULL
>> debug : 0x01 (1)
>> use_kerberos : 0x00 (0)
>> secure_channel_type : SEC_CHAN_WKSTA (2)
>> Opening cache file at /var/cache/samba/gencache.tdb
>> Opening cache file at /var/run/samba/gencache_notrans.tdb
>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>> ads_dns_lookup_srv: 1 records returned in the answer section.
>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>> no entry for pdc.ttu.red#20 found.
>> resolve_lmhosts: Attempting lmhosts lookup for name pdc.ttu.red<0x20>
>> resolve_lmhosts: Attempting lmhosts lookup for name pdc.ttu.red<0x20>
>> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
>> existe el fichero o el directorio
>> wins_srv_is_dead: 192.168.2.251 is alive
>> resolve_wins: using WINS server 192.168.2.251 and tag '*'
>> samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x7fcb85f853b0] mpx_fde[(nil)]
>> fd[13] - disabling
>> wins_srv_is_dead: 192.168.2.251 is alive
>> Marking wins server 192.168.2.251 dead for 600 seconds from source
>> 192.168.2.251
>> resolve_hosts: Attempting host lookup for name pdc.ttu.red<0x20>
>> namecache_store: storing 1 address for pdc.ttu.red#20: 192.168.2.251
>> Connecting to 192.168.2.251 at port 445
>> Socket options:
>> SO_KEEPALIVE = 0
>> SO_REUSEADDR = 0
>> SO_BROADCAST = 0
>> TCP_NODELAY = 1
>> TCP_KEEPCNT = 9
>> TCP_KEEPIDLE = 7200
>> TCP_KEEPINTVL = 75
>> IPTOS_LOWDELAY = 0
>> IPTOS_THROUGHPUT = 0
>> SO_SNDBUF = 24040
>> SO_RCVBUF = 87380
>> SO_SNDLOWAT = 1
>> SO_RCVLOWAT = 1
>> SO_SNDTIMEO = 0
>> SO_RCVTIMEO = 0
>> TCP_QUICKACK = 1
>> TCP_DEFER_ACCEPT = 0
>> Doing spnego session setup (blob length=96)
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=not_defined_in_RFC4178 at please_ignore
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x60898215
>> NTLMSSP_NEGOTIATE_UNICODE
>> NTLMSSP_REQUEST_TARGET
>> NTLMSSP_NEGOTIATE_SIGN
>> NTLMSSP_NEGOTIATE_NTLM
>> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>> NTLMSSP_NEGOTIATE_NTLM2
>> NTLMSSP_NEGOTIATE_TARGET_INFO
>> NTLMSSP_NEGOTIATE_128
>> NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088215
>> NTLMSSP_NEGOTIATE_UNICODE
>> NTLMSSP_REQUEST_TARGET
>> NTLMSSP_NEGOTIATE_SIGN
>> NTLMSSP_NEGOTIATE_NTLM
>> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>> NTLMSSP_NEGOTIATE_NTLM2
>> NTLMSSP_NEGOTIATE_128
>> NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088215
>> NTLMSSP_NEGOTIATE_UNICODE
>> NTLMSSP_REQUEST_TARGET
>> NTLMSSP_NEGOTIATE_SIGN
>> NTLMSSP_NEGOTIATE_NTLM
>> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>> NTLMSSP_NEGOTIATE_NTLM2
>> NTLMSSP_NEGOTIATE_128
>> NTLMSSP_NEGOTIATE_KEY_EXCH
>> Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 168
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> saf_fetch[join]: Returning "pdc.ttu.red" for "ttu.red" domain
>> get_dc_list: preferred server list: "pdc.ttu.red, *"
>> no entry for ttu.red#1C found.
>> resolve_ads: Attempting to resolve KDCs for ttu.red using DNS
>> ads_dns_lookup_srv: 1 records returned in the answer section.
>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>> name pdc.ttu.red#20 found.
>> get_dc_list: returning 2 ip addresses in an ordered list
>> get_dc_list: 192.168.2.251:0 192.168.2.251:88
>> create_local_private_krb5_conf_for_domain: wrote file
>> /var/run/samba/smb_krb5/krb5.conf.TTU with realm TTU.RED KDC list
>> kdc = 192.168.2.251
>>
>> Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 40
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 44
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 12
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 12
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>> name pdc.ttu.red#20 found.
>> ads_try_connect: sending CLDAP request to 192.168.2.251 (realm: ttu.red)
>> Successfully contacted LDAP server 192.168.2.251
>> Connected to LDAP server pdc.ttu.red
>> KDC time offset is 0 seconds
>> Found SASL mechanism GSS-SPNEGO
>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> ads_sasl_spnego_bind: got server principal name not_defined_in_RFC4178 at please_ignore
>> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el
>> directorio)
>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
>> dom,
>> 26 abr 2015 00:04:50 CEST
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
>> libnet_Join:
>> libnet_JoinCtx: struct libnet_JoinCtx
>> out: struct libnet_JoinCtx
>> account_name : NULL
>> netbios_domain_name : 'TTU'
>> dns_domain_name : 'ttu.red'
>> forest_name : 'ttu.red'
>> dn : NULL
>> domain_sid : *
>> domain_sid :
>> S-1-5-21-127850397-371183867-665961664
>> modified_config : 0x00 (0)
>> error_string : 'failed to connect to AD: Invalid
>> credentials'
>> domain_is_ad : 0x01 (1)
>> result : WERR_GENERAL_FAILURE
>> Failed to join domain: failed to connect to AD: Invalid credentials
>> return code = -1
>> -----------------------------------------------------------------------
>> -----------------------------------------------------------------------
>>
>> I've tried commands like:
>> smbclient -L 192.168.2.251 -U%
>> kinit administrator@ <administrator at CASA.RED>TTU.RED
>> klist -c
>>
>> All are working.
>> I've tried to create a test domain instead of upgrading, with the same
>> config, and join ads is working... can it be the upgrade progress?
>>
>> Thanks!!
>>
>
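Added example (not part of the original thread and not Samba code): a small triage script for the `net ads join -d 5` output posted above, which pulls out the smb.conf parameters Samba actually loaded, any line the parser ignored, the KDC time offset and the final join error. The function names are hypothetical, and the three configuration checks (`security = ADS`, no standalone `server role`, a `range` for every `idmap config` domain) are assumptions taken from the member-server settings visible in the retry log.

```python
import re

# Constructed excerpts, cut down from the two `net ads join -d 5` runs in this
# thread: the first attempt (mail-quoted) and the retry with the edited smb.conf.
FIRST_RUN = """\
>> params.c:Parameter() - Ignoring badly formed line in configuration file:
>> rfc2307[global]
>> doing parameter security = domain
>> doing parameter workgroup = TTU
>> doing parameter realm = ttu.red
>> doing parameter server role = standalone server
>> doing parameter idmap config TTU : backend = ad
>> doing parameter idmap config * : backend = tdb
>> doing parameter idmap config * : range = 1000-20000000
>> KDC time offset is 0 seconds
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
>> Failed to join domain: failed to connect to AD: Invalid credentials
"""
SECOND_RUN = """\
doing parameter workgroup = TTU
doing parameter security = ADS
doing parameter realm = TTU.RED
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config TTU:backend = ad
doing parameter idmap config TTU:range = 10000-99999
KDC time offset is 0 seconds
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials
"""

QUOTE = re.compile(r"^(?:>\s?)+")  # mail quote markers in front of a log line
PARAM = re.compile(r"doing parameter\s+(.+?)\s*=\s*(.*)$")
BAD = re.compile(r"Ignoring badly formed line in configuration file:\s*(.*)$")
OFFSET = re.compile(r"KDC time offset is (-?\d+) seconds")
FAILED = re.compile(r"Failed to join domain:\s*(.*)$")
MAX_SKEW = 300  # seconds; the usual Kerberos clock-skew tolerance (assumption)


def norm_key(key):
    """Lower-case a parameter name and drop spaces around ':' so that
    'idmap config TTU : backend' and 'idmap config TTU:backend' compare equal."""
    key = re.sub(r"\s*:\s*", ":", key.strip().lower())
    return re.sub(r"\s+", " ", key)


def parse_join_log(text):
    """Extract loaded parameters, ignored config lines, KDC offset and join error."""
    report = {"params": {}, "bad_lines": [], "kdc_offset": None, "failure": None}
    pending_bad = False  # the ignored line may be wrapped onto the next log line
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if pending_bad and line:
            report["bad_lines"].append(line)
            pending_bad = False
        elif m := BAD.search(line):
            if m[1]:
                report["bad_lines"].append(m[1])
            else:
                pending_bad = True
        elif m := PARAM.search(line):
            report["params"][norm_key(m[1])] = m[2].strip()
        elif m := OFFSET.search(line):
            report["kdc_offset"] = int(m[1])
        elif m := FAILED.search(line):
            report["failure"] = m[1].strip()
    return report


def review(report):
    """Return configuration findings for an AD member join (assumed checks)."""
    p = report["params"]
    findings = [f"smb.conf line ignored by the parser: {b!r}" for b in report["bad_lines"]]
    if p.get("security", "").lower() != "ads":
        findings.append(f"security = {p.get('security')!r}, expected ADS for an AD member")
    if p.get("server role", "").lower() == "standalone server":
        findings.append("server role = standalone server on a host being joined to a domain")
    prefix = "idmap config "
    domains = {k[len(prefix):].split(":")[0] for k in p if k.startswith(prefix)}
    for d in sorted(domains):
        if f"{prefix}{d}:backend" in p and f"{prefix}{d}:range" not in p:
            findings.append(f"idmap config {d.upper()} has a backend but no range")
    off = report["kdc_offset"]
    if off is not None and abs(off) > MAX_SKEW:
        findings.append(f"KDC time offset {off}s exceeds {MAX_SKEW}s")
    return findings


if __name__ == "__main__":
    for name, log in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        rep = parse_join_log(log)
        print(name, "->", rep["failure"])
        for finding in review(rep):
            print("  -", finding)
```

On these excerpts the first run yields four configuration findings and the second none, while the join error is identical in both, so the remaining failure is not explained by the smb.conf differences or by clock skew.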
On 25/04/15 14:02, Daniel Carrasco Marín wrote:
> Error was No > existe el fichero o el directorio > wins_srv_is_dead: 192.168.2.251 is alive > resolve_wins: using WINS server 192.168.2.251 and tag '*' > samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x7fcb85f853b0] > mpx_fde[(nil)] > fd[13] - disabling > wins_srv_is_dead: 192.168.2.251 is alive > Marking wins server 192.168.2.251 dead for 600 seconds from source > 192.168.2.251 > resolve_hosts: Attempting host lookup for name pdc.ttu.red<0x20> > namecache_store: storing 1 address for pdc.ttu.red#20: > 192.168.2.251 > Connecting to 192.168.2.251 at port 445 > Socket options: > SO_KEEPALIVE = 0 > SO_REUSEADDR = 0 > SO_BROADCAST = 0 > TCP_NODELAY = 1 > TCP_KEEPCNT = 9 > TCP_KEEPIDLE = 7200 > TCP_KEEPINTVL = 75 > IPTOS_LOWDELAY = 0 > IPTOS_THROUGHPUT = 0 > SO_SNDBUF = 24040 > SO_RCVBUF = 87380 > SO_SNDLOWAT = 1 > SO_RCVLOWAT = 1 > SO_SNDTIMEO = 0 > SO_RCVTIMEO = 0 > TCP_QUICKACK = 1 > TCP_DEFER_ACCEPT = 0 > Doing spnego session setup (blob length=96) > got OID=1.2.840.48018.1.2.2 > got OID=1.2.840.113554.1.2.2 > got OID=1.3.6.1.4.1.311.2.2.10 > got principal=not_defined_in_RFC4178 at please_ignore > Got challenge flags: > Got NTLMSSP neg_flags=0x60898215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_NTLM2 > NTLMSSP_NEGOTIATE_TARGET_INFO > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > NTLMSSP: Set final flags: > Got NTLMSSP neg_flags=0x60088215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_NTLM2 > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > NTLMSSP Sign/Seal - Initialising with flags: > Got NTLMSSP neg_flags=0x60088215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_NTLM2 > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > Bind RPC 
Pipe: host pdc.ttu.red auth_type 0, auth_level 1 > rpc_api_pipe: host pdc.ttu.red > rpc_read_send: data_to_read: 52 > check_bind_response: accepted! > rpc_api_pipe: host pdc.ttu.red > rpc_read_send: data_to_read: 32 > rpc_api_pipe: host pdc.ttu.red > rpc_read_send: data_to_read: 168 > rpc_api_pipe: host pdc.ttu.red > rpc_read_send: data_to_read: 32 > saf_fetch[join]: Returning "pdc.ttu.red" for "ttu.red" domain > get_dc_list: preferred server list: "pdc.ttu.red, *" > no entry for ttu.red#1C found. > resolve_ads: Attempting to resolve KDCs for ttu.red using DNS > ads_dns_lookup_srv: 1 records returned in the answer section. > sitename_fetch: Returning sitename for TTU.RED: > "Default-First-Site-Name" > name pdc.ttu.red#20 found. > get_dc_list: returning 2 ip addresses in an ordered list > get_dc_list: 192.168.2.251:0 <http://192.168.2.251:0> > 192.168.2.251:88 <http://192.168.2.251:88> > create_local_private_krb5_conf_for_domain: wrote file > /var/run/samba/smb_krb5/krb5.conf.TTU with realm TTU.RED KDC > list > kdc = 192.168.2.251 > > Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1 > rpc_api_pipe: host pdc.ttu.red > rpc_read_send: data_to_read: 52 > check_bind_response: accepted! 
> rpc_api_pipe: host pdc.ttu.red > rpc_read_send: data_to_read: 32 > rpc_api_pipe: host pdc.ttu.red > rpc_read_send: data_to_read: 32 > rpc_api_pipe: host pdc.ttu.red > rpc_read_send: data_to_read: 40 > rpc_api_pipe: host pdc.ttu.red > rpc_read_send: data_to_read: 44 > rpc_api_pipe: host pdc.ttu.red > rpc_read_send: data_to_read: 32 > rpc_api_pipe: host pdc.ttu.red > rpc_read_send: data_to_read: 12 > rpc_api_pipe: host pdc.ttu.red > rpc_read_send: data_to_read: 12 > rpc_api_pipe: host pdc.ttu.red > rpc_read_send: data_to_read: 32 > rpc_api_pipe: host pdc.ttu.red > rpc_read_send: data_to_read: 32 > rpc_api_pipe: host pdc.ttu.red > rpc_read_send: data_to_read: 32 > check lock order 1 for /var/lib/samba/private/secrets.tdb > release lock order 1 for /var/lib/samba/private/secrets.tdb > check lock order 1 for /var/lib/samba/private/secrets.tdb > release lock order 1 for /var/lib/samba/private/secrets.tdb > check lock order 1 for /var/lib/samba/private/secrets.tdb > release lock order 1 for /var/lib/samba/private/secrets.tdb > check lock order 1 for /var/lib/samba/private/secrets.tdb > release lock order 1 for /var/lib/samba/private/secrets.tdb > check lock order 1 for /var/lib/samba/private/secrets.tdb > release lock order 1 for /var/lib/samba/private/secrets.tdb > sitename_fetch: Returning sitename for TTU.RED: > "Default-First-Site-Name" > name pdc.ttu.red#20 found. 
> ads_try_connect: sending CLDAP request to 192.168.2.251 > (realm: ttu.red) > Successfully contacted LDAP server 192.168.2.251 > Connected to LDAP server pdc.ttu.red > KDC time offset is 0 seconds > Found SASL mechanism GSS-SPNEGO > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2 > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2 > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10 > ads_sasl_spnego_bind: got server principal name > not_defined_in_RFC4178 at please_ignore > ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el > fichero o el > directorio) > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] > expiration dom, > 26 abr 2015 00:04:50 CEST > kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid > credentials > libnet_Join: > libnet_JoinCtx: struct libnet_JoinCtx > out: struct libnet_JoinCtx > account_name : NULL > netbios_domain_name : 'TTU' > dns_domain_name : 'ttu.red' > forest_name : 'ttu.red' > dn : NULL > domain_sid : * > domain_sid : > S-1-5-21-127850397-371183867-665961664 <tel:665961664> > modified_config : 0x00 (0) > error_string : 'failed to connect to > AD: Invalid > credentials' > domain_is_ad : 0x01 (1) > result : WERR_GENERAL_FAILURE > Failed to join domain: failed to connect to AD: Invalid > credentials > return code = -1 > ----------------------------------------------------------------------- > ----------------------------------------------------------------------- > > I've tried commands like: > smbclient -L 192.168.2.251 -U% > kinit administrator@ <administrator at CASA.RED>TTU.RED > klist -c > > All are workign. > I've tried to create a test domain instead upgrade, with same > config and > join ads is working... ?can be the upgrade progress? > > Thanks!! 
OK, there is this:

ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el directorio)

The last part seems to translate to: There is no such file or directory, so what have you got in /etc/krb5.conf?

Does /etc/krb5.keytab exist, if it does, remove it.

Does /etc/resolv.conf point to the DC?

Are you sure that you are using the correct password for Administrator?

Rowland
Daniel Carrasco Marín
2015-Apr-25 14:44 UTC
[Samba] I can't join the new AD server with Samba4
2015-04-25 15:17 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>
>> -- To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
> OK, there is this:
> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el
> directorio)
>
> The last part seems to translate to: There is no such file or directory,
> so what have you got in /etc/krb5.conf ?
>

Thanks!!
On AD server I've linked the kerberos file on samba folder:
lrwxrwxrwx 1 root root 32 abr 25 16:23 krb5.conf -> /var/lib/samba/private/krb5.conf

On client I've the default:
[libdefaults]
    default_realm = TTU.RED

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
........
[realms]
    TTU.RED = {
        kdc = pdc
        admin_server = pdc
    }
........

> Does /etc/krb5.keytab exist, if it does, remove it.
>

Deleted, but nothing changed.

> Does /etc/resolv.conf point to the DC ?
>

Yes:
cat /etc/resolv.conf
domain TTU
nameserver 192.168.2.251

> Are you sure that you are using the correct password for Administrator ?
>

Yes, even I've tried to change the PW to another, and other commands works fine, for example with "kinit administrator at TTU.RED" and "klist -c":
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at TTU.RED

Valid starting     Expires            Service principal
25/04/15 16:36:10  26/04/15 02:36:10  krbtgt/TTU.RED at TTU.RED
        renew until 26/04/15 16:36:06

I've linked the file showed on log to krb5.conf:
ln -s /var/run/samba/smb_krb5/krb5.conf.TTU /etc/krb5.conf

I got the same error:
.......
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name not_defined_in_RFC4178 at please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el directorio)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration dom, 26 abr 2015 02:37:30 CEST
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name : NULL
            netbios_domain_name : 'TTU'
            dns_domain_name : 'ttu.red'
            forest_name : 'ttu.red'
            dn : NULL
            domain_sid : *
                domain_sid : S-1-5-21-127850397-371183867-665961664
            modified_config : 0x00 (0)
            error_string : 'failed to connect to AD: Invalid credentials'
            domain_is_ad : 0x01 (1)
            result : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: Invalid credentials
return code = -1

I can run commands like "net ads rpc -U "Administrator" and works fine, I even can get some AD info:
# net rpc info -U Administrator
Enter Administrator's password:
Domain Name: TTU
Domain SID: S-1-5-21-127850397-371183867-665961664
Sequence number: 1
Num users: 144
Num domain groups: 42
Num local groups: 26

Is strange because as I said, if I create a new domain without upgrade then I can join that domain even without krb5-client installed.

Greetings!!

>
> Rowland
>
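A triage helper for the kind of level-5 "net ads join" output pasted in this thread, added here as an example and not written by either poster or by the Samba project. It pulls out the Kerberos-related lines and the libnet_JoinCtx result fields so the failing step is visible without reading the whole dump; the function names, the labels and the embedded sample log are assumptions made for the illustration.

```python
import re

# Constructed sample, shaped like the `net ads join -d 5` output quoted in the thread.
SAMPLE_LOG = """\
>> KDC time offset is 0 seconds
>> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el directorio)
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
>> libnet_Join:
>>     libnet_JoinCtx: struct libnet_JoinCtx
>>         out: struct libnet_JoinCtx
>>             error_string : 'failed to connect to AD: Invalid credentials'
>>             domain_is_ad : 0x01 (1)
>>             result : WERR_GENERAL_FAILURE
>> Failed to join domain: failed to connect to AD: Invalid credentials
"""

QUOTE = re.compile(r"^(?:>\s?)+")           # mail quoting such as ">> "
EVENTS = {                                   # hypothetical labels for log lines
    "kdc_offset_s": re.compile(r"^KDC time offset is (-?\d+) seconds"),
    "ccache_error": re.compile(r"^ads_krb5_mk_req: (.+)"),
    "failed_bind": re.compile(r"^kinit succeeded but (\S+) failed: .+"),
}
FIELD = re.compile(r"^(\w+)\s+:\s+(.*)$")    # "name : value" struct members

def triage(log):
    """Return (events, join_ctx) extracted from a level-5 join log."""
    events, join_ctx = {}, {}
    for raw in log.splitlines():
        line = QUOTE.sub("", raw).strip()
        for label, rx in EVENTS.items():
            m = rx.match(line)
            if m:
                events[label] = m.group(1)
        m = FIELD.match(line)
        if m:
            join_ctx[m.group(1)] = m.group(2).strip("'")
    return events, join_ctx

def summarize(log):
    """Condense the log into the fields worth posting when asking for help."""
    events, ctx = triage(log)
    return {
        "tgt_obtained": "failed_bind" in events,   # the log line says kinit succeeded
        "failed_step": events.get("failed_bind"),
        "ccache_error": events.get("ccache_error"),
        "clock_skew_s": int(events["kdc_offset_s"]) if "kdc_offset_s" in events else None,
        "result": ctx.get("result"),
        "error": ctx.get("error_string"),
    }
```

On the sample, summarize() reports that the ticket request worked and that the step that failed was the SASL bind to LDAP, with a clock offset of 0 seconds.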