Daniel Carrasco Marín
2015-Apr-25 14:44 UTC
[Samba] I can't join the new AD server with Samba4
2015-04-25 15:17 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:

> On 25/04/15 14:02, Daniel Carrasco Marín wrote:
>
>> Sorry, I forgot to revert another test I did, but the result is the same:
>>
>> -----------------------------------------------------------------------
>> sudo net ads join -U "Administrator" -d 5
>> INFO: Current debug levels:
>>   all: 5
>>   tdb: 5
>>   printdrivers: 5
>>   lanman: 5
>>   smb: 5
>>   rpc_parse: 5
>>   rpc_srv: 5
>>   rpc_cli: 5
>>   passdb: 5
>>   sam: 5
>>   auth: 5
>>   winbind: 5
>>   vfs: 5
>>   idmap: 5
>>   quota: 5
>>   acls: 5
>>   locking: 5
>>   msdfs: 5
>>   dmapi: 5
>>   registry: 5
>>   scavenger: 5
>>   dns: 5
>>   ldb: 5
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> INFO: Current debug levels:
>>   all: 5
>>   tdb: 5
>>   printdrivers: 5
>>   lanman: 5
>>   smb: 5
>>   rpc_parse: 5
>>   rpc_srv: 5
>>   rpc_cli: 5
>>   passdb: 5
>>   sam: 5
>>   auth: 5
>>   winbind: 5
>>   vfs: 5
>>   idmap: 5
>>   quota: 5
>>   acls: 5
>>   locking: 5
>>   msdfs: 5
>>   dmapi: 5
>>   registry: 5
>>   scavenger: 5
>>   dns: 5
>>   ldb: 5
>> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
>> Processing section "[global]"
>> doing parameter workgroup = TTU
>> doing parameter security = ADS
>> doing parameter realm = TTU.RED
>> doing parameter dedicated keytab file = /etc/krb5.keytab
>> doing parameter kerberos method = secrets and keytab
>> doing parameter idmap config *:backend = tdb
>> doing parameter idmap config *:range = 2000-9999
>> doing parameter idmap config TTU:backend = ad
>> doing parameter idmap config TTU:schema_mode = rfc2307
>> doing parameter idmap config TTU:range = 10000-99999
>> doing parameter winbind nss info = rfc2307
>> doing parameter winbind trusted domains only = no
>> doing parameter winbind use default domain = yes
>> doing parameter winbind enum users = yes
>> doing parameter winbind enum groups = yes
>> doing parameter winbind refresh tickets = Yes
>> doing parameter winbind expand groups = 4
>> doing parameter winbind normalize names = Yes
>> doing parameter domain master = no
>> doing parameter local master = no
>> doing parameter vfs objects = acl_xattr
>> doing parameter map acl inherit = Yes
>> doing parameter store dos attributes = Yes
>> pm_process() returned Yes
>> Netbios name list:-
>> my_netbios_names[0]="GLOTON"
>> added interface eth1 ip=172.30.0.230 bcast=172.30.0.255 netmask=255.255.255.0
>> added interface eth0 ip=192.168.2.230 bcast=192.168.2.255 netmask=255.255.255.0
>> Registering messaging pointer for type 2 - private_data=(nil)
>> Registering messaging pointer for type 9 - private_data=(nil)
>> Registered MSG_REQ_POOL_USAGE
>> Registering messaging pointer for type 11 - private_data=(nil)
>> Registering messaging pointer for type 12 - private_data=(nil)
>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>> Registering messaging pointer for type 1 - private_data=(nil)
>> Registering messaging pointer for type 5 - private_data=(nil)
>> Enter Administrator's password:
>> libnet_Join:
>>     libnet_JoinCtx: struct libnet_JoinCtx
>>         in: struct libnet_JoinCtx
>>             dc_name                  : NULL
>>             machine_name             : 'GLOTON'
>>             domain_name              : *
>>                 domain_name              : 'TTU.RED'
>>             account_ou               : NULL
>>             admin_account            : 'Administrator'
>>             machine_password         : NULL
>>             join_flags               : 0x00000023 (35)
>>                    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>>                    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>>                    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>>                    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>>                    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>>                    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>>                    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>>                    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>>                    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>>                    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>>                    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>>             os_version               : NULL
>>             os_name                  : NULL
>>             create_upn               : 0x00 (0)
>>             upn                      : NULL
>>             modify_config            : 0x00 (0)
>>             ads                      : NULL
>>             debug                    : 0x01 (1)
>>             use_kerberos             : 0x00 (0)
>>             secure_channel_type      : SEC_CHAN_WKSTA (2)
>> Opening cache file at /var/cache/samba/gencache.tdb
>> Opening cache file at /var/run/samba/gencache_notrans.tdb
>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>> ads_dns_lookup_srv: 1 records returned in the answer section.
>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>> name pdc.ttu.red#20 found.
>> Connecting to 192.168.2.251 at port 445
>> Socket options:
>>   SO_KEEPALIVE = 0
>>   SO_REUSEADDR = 0
>>   SO_BROADCAST = 0
>>   TCP_NODELAY = 1
>>   TCP_KEEPCNT = 9
>>   TCP_KEEPIDLE = 7200
>>   TCP_KEEPINTVL = 75
>>   IPTOS_LOWDELAY = 0
>>   IPTOS_THROUGHPUT = 0
>>   SO_SNDBUF = 24040
>>   SO_RCVBUF = 87380
>>   SO_SNDLOWAT = 1
>>   SO_RCVLOWAT = 1
>>   SO_SNDTIMEO = 0
>>   SO_RCVTIMEO = 0
>>   TCP_QUICKACK = 1
>>   TCP_DEFER_ACCEPT = 0
>> Doing spnego session setup (blob length=96)
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=not_defined_in_RFC4178@please_ignore
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x60898215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_NEGOTIATE_TARGET_INFO
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 168
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> saf_fetch[join]: Returning "pdc.ttu.red" for "ttu.red" domain
>> get_dc_list: preferred server list: "pdc.ttu.red, *"
>> name ttu.red#1C found.
>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>> name pdc.ttu.red#20 found.
>> get_dc_list: returning 1 ip addresses in an ordered list
>> get_dc_list: 192.168.2.251:389
>>
>> create_local_private_krb5_conf_for_domain: wrote file /var/run/samba/smb_krb5/krb5.conf.TTU with realm TTU.RED KDC list
>>   kdc = 192.168.2.251
>>
>> Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 40
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 44
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 12
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 12
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host pdc.ttu.red
>> rpc_read_send: data_to_read: 32
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>> name pdc.ttu.red#20 found.
>> ads_try_connect: sending CLDAP request to 192.168.2.251 (realm: ttu.red)
>> Successfully contacted LDAP server 192.168.2.251
>> Connected to LDAP server pdc.ttu.red
>> KDC time offset is 0 seconds
>> Found SASL mechanism GSS-SPNEGO
>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> ads_sasl_spnego_bind: got server principal name not_defined_in_RFC4178@please_ignore
>> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el directorio)
>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration dom, 26 abr 2015 00:59:09 CEST
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
>> libnet_Join:
>>     libnet_JoinCtx: struct libnet_JoinCtx
>>         out: struct libnet_JoinCtx
>>             account_name             : NULL
>>             netbios_domain_name      : 'TTU'
>>             dns_domain_name          : 'ttu.red'
>>             forest_name              : 'ttu.red'
>>             dn                       : NULL
>>             domain_sid               : *
>>                 domain_sid               : S-1-5-21-127850397-371183867-665961664
>>             modified_config          : 0x00 (0)
>>             error_string             : 'failed to connect to AD: Invalid credentials'
>>             domain_is_ad             : 0x01 (1)
>>             result                   : WERR_GENERAL_FAILURE
>> Failed to join domain: failed to connect to AD: Invalid credentials
>> return code = -1
>> -----------------------------------------------------------------------
>>
>> Greetings!!
>>
>> 2015-04-25 14:52 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>
>>> On 25/04/15 13:27, Daniel Carrasco Marín wrote:
>>>
>>>> Hi, I'm sorry for my English.
>>>>
>>>> I've migrated an old 3.6 Samba domain to Samba 4.1 and the Windows part is
>>>> working fine (I can join and manage the server from a Windows machine), but
>>>> when I try to join the domain from another Linux server it fails.
>>>>
>>>> I've followed this guide to migrate:
>>>> https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29
>>>>
>>>> and this one to join:
>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>
>>>> My config file looks like the guide's.
>>>
>>> From what you have posted, your smb.conf doesn't seem to look
>>> anything like the one on the member server page:
>>>
>>> [global]
>>>         security = domain
>>>         workgroup = TTU
>>>         realm = ttu.red
>>>         wins server = 192.168.2.251
>>>         server role = standalone server
>>>         passdb backend = tdbsam
>>>         domain master = no
>>>         server string = Print Server
>>>         encrypt passwords = yes
>>>         winbind nss info = rfc2307
>>>         winbind enum users = Yes
>>>         winbind enum groups = Yes
>>>         winbind use default domain = Yes
>>>         winbind refresh tickets = Yes
>>>         winbind normalize names = yes
>>>         idmap config TTU : backend = ad
>>>         idmap config * : backend = tdb
>>>         idmap config * : range = 1000-20000000
>>>
>>> There is also this:
>>>
>>> params.c:Parameter() - Ignoring badly formed line in configuration file: rfc2307
>>>
>>> Rowland
>>>
>>>> and the join command shows:
>>>>
>>>> -----------------------------------------------------------------------
>>>> # net ads join -UAdministrator -d 5
>>>> INFO: Current debug levels:
>>>>   all: 5
>>>>   tdb: 5
>>>>   printdrivers: 5
>>>>   lanman: 5
>>>>   smb: 5
>>>>   rpc_parse: 5
>>>>   rpc_srv: 5
>>>>   rpc_cli: 5
>>>>   passdb: 5
>>>>   sam: 5
>>>>   auth: 5
>>>>   winbind: 5
>>>>   vfs: 5
>>>>   idmap: 5
>>>>   quota: 5
>>>>   acls: 5
>>>>   locking: 5
>>>>   msdfs: 5
>>>>   dmapi: 5
>>>>   registry: 5
>>>>   scavenger: 5
>>>>   dns: 5
>>>>   ldb: 5
>>>> lp_load_ex: refreshing parameters
>>>> Initialising global parameters
>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>>> INFO: Current debug levels:
>>>>   all: 5
>>>>   tdb: 5
>>>>   printdrivers: 5
>>>>   lanman: 5
>>>>   smb: 5
>>>>   rpc_parse: 5
>>>>   rpc_srv: 5
>>>>   rpc_cli: 5
>>>>   passdb: 5
>>>>   sam: 5
>>>>   auth: 5
>>>>   winbind: 5
>>>>   vfs: 5
>>>>   idmap: 5
>>>>   quota: 5
>>>>   acls: 5
>>>>   locking: 5
>>>>   msdfs: 5
>>>>   dmapi: 5
>>>>   registry: 5
>>>>   scavenger: 5
>>>>   dns: 5
>>>>   ldb: 5
>>>> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
>>>> params.c:Parameter() - Ignoring badly formed line in configuration file: rfc2307[global]
>>>> doing parameter security = domain
>>>> doing parameter workgroup = TTU
>>>> doing parameter realm = ttu.red
>>>> doing parameter wins server = 192.168.2.251
>>>> doing parameter server role = standalone server
>>>> doing parameter passdb backend = tdbsam
>>>> doing parameter domain master = no
>>>> doing parameter server string = Print Server
>>>> doing parameter encrypt passwords = yes
>>>> doing parameter winbind nss info = rfc2307
>>>> doing parameter winbind enum users = Yes
>>>> doing parameter winbind enum groups = Yes
>>>> doing parameter winbind use default domain = Yes
>>>> doing parameter winbind refresh tickets = Yes
>>>> doing parameter winbind normalize names = yes
>>>> doing parameter idmap config TTU : backend = ad
>>>> doing parameter idmap config * : backend = tdb
>>>> doing parameter idmap config * : range = 1000-20000000
>>>> pm_process() returned Yes
>>>> Netbios name list:-
>>>> my_netbios_names[0]="GLOTON"
>>>> added interface eth1 ip=172.30.0.230 bcast=172.30.0.255 netmask=255.255.255.0
>>>> added interface eth0 ip=192.168.2.230 bcast=192.168.2.255 netmask=255.255.255.0
>>>> Registering messaging pointer for type 2 - private_data=(nil)
>>>> Registering messaging pointer for type 9 - private_data=(nil)
>>>> Registered MSG_REQ_POOL_USAGE
>>>> Registering messaging pointer for type 11 - private_data=(nil)
>>>> Registering messaging pointer for type 12 - private_data=(nil)
>>>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>>>> Registering messaging pointer for type 1 - private_data=(nil)
>>>> Registering messaging pointer for type 5 - private_data=(nil)
>>>> Enter Administrator's password:
>>>> libnet_Join:
>>>>     libnet_JoinCtx: struct libnet_JoinCtx
>>>>         in: struct libnet_JoinCtx
>>>>             dc_name                  : NULL
>>>>             machine_name             : 'GLOTON'
>>>>             domain_name              : *
>>>>                 domain_name              : 'TTU.RED'
>>>>             account_ou               : NULL
>>>>             admin_account            : 'Administrator'
>>>>             machine_password         : NULL
>>>>             join_flags               : 0x00000023 (35)
>>>>                    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>>>>                    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>>>>                    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>>>>                    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>>>>                    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>>>>                    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>>>>                    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>>>>                    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>>>>                    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>>>>                    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>>>>                    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>>>>             os_version               : NULL
>>>>             os_name                  : NULL
>>>>             create_upn               : 0x00 (0)
>>>>             upn                      : NULL
>>>>             modify_config            : 0x00 (0)
>>>>             ads                      : NULL
>>>>             debug                    : 0x01 (1)
>>>>             use_kerberos             : 0x00 (0)
>>>>             secure_channel_type      : SEC_CHAN_WKSTA (2)
>>>> Opening cache file at /var/cache/samba/gencache.tdb
>>>> Opening cache file at /var/run/samba/gencache_notrans.tdb
>>>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>>>> ads_dns_lookup_srv: 1 records returned in the answer section.
>>>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>>>> no entry for pdc.ttu.red#20 found.
>>>> resolve_lmhosts: Attempting lmhosts lookup for name pdc.ttu.red<0x20>
>>>> resolve_lmhosts: Attempting lmhosts lookup for name pdc.ttu.red<0x20>
>>>> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No existe el fichero o el directorio
>>>> wins_srv_is_dead: 192.168.2.251 is alive
>>>> resolve_wins: using WINS server 192.168.2.251 and tag '*'
>>>> samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x7fcb85f853b0] mpx_fde[(nil)] fd[13] - disabling
>>>> wins_srv_is_dead: 192.168.2.251 is alive
>>>> Marking wins server 192.168.2.251 dead for 600 seconds from source 192.168.2.251
>>>> resolve_hosts: Attempting host lookup for name pdc.ttu.red<0x20>
>>>> namecache_store: storing 1 address for pdc.ttu.red#20: 192.168.2.251
>>>> Connecting to 192.168.2.251 at port 445
>>>> Socket options:
>>>>   SO_KEEPALIVE = 0
>>>>   SO_REUSEADDR = 0
>>>>   SO_BROADCAST = 0
>>>>   TCP_NODELAY = 1
>>>>   TCP_KEEPCNT = 9
>>>>   TCP_KEEPIDLE = 7200
>>>>   TCP_KEEPINTVL = 75
>>>>   IPTOS_LOWDELAY = 0
>>>>   IPTOS_THROUGHPUT = 0
>>>>   SO_SNDBUF = 24040
>>>>   SO_RCVBUF = 87380
>>>>   SO_SNDLOWAT = 1
>>>>   SO_RCVLOWAT = 1
>>>>   SO_SNDTIMEO = 0
>>>>   SO_RCVTIMEO = 0
>>>>   TCP_QUICKACK = 1
>>>>   TCP_DEFER_ACCEPT = 0
>>>> Doing spnego session setup (blob length=96)
>>>> got OID=1.2.840.48018.1.2.2
>>>> got OID=1.2.840.113554.1.2.2
>>>> got OID=1.3.6.1.4.1.311.2.2.10
>>>> got principal=not_defined_in_RFC4178@please_ignore
>>>> Got challenge flags:
>>>> Got NTLMSSP neg_flags=0x60898215
>>>>   NTLMSSP_NEGOTIATE_UNICODE
>>>>   NTLMSSP_REQUEST_TARGET
>>>>   NTLMSSP_NEGOTIATE_SIGN
>>>>   NTLMSSP_NEGOTIATE_NTLM
>>>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>>   NTLMSSP_NEGOTIATE_NTLM2
>>>>   NTLMSSP_NEGOTIATE_TARGET_INFO
>>>>   NTLMSSP_NEGOTIATE_128
>>>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>>>> NTLMSSP: Set final flags:
>>>> Got NTLMSSP neg_flags=0x60088215
>>>>   NTLMSSP_NEGOTIATE_UNICODE
>>>>   NTLMSSP_REQUEST_TARGET
>>>>   NTLMSSP_NEGOTIATE_SIGN
>>>>   NTLMSSP_NEGOTIATE_NTLM
>>>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>>   NTLMSSP_NEGOTIATE_NTLM2
>>>>   NTLMSSP_NEGOTIATE_128
>>>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>>>> NTLMSSP Sign/Seal - Initialising with flags:
>>>> Got NTLMSSP neg_flags=0x60088215
>>>>   NTLMSSP_NEGOTIATE_UNICODE
>>>>   NTLMSSP_REQUEST_TARGET
>>>>   NTLMSSP_NEGOTIATE_SIGN
>>>>   NTLMSSP_NEGOTIATE_NTLM
>>>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>>   NTLMSSP_NEGOTIATE_NTLM2
>>>>   NTLMSSP_NEGOTIATE_128
>>>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>>>> Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
>>>> rpc_api_pipe: host pdc.ttu.red
>>>> rpc_read_send: data_to_read: 52
>>>> check_bind_response: accepted!
>>>> rpc_api_pipe: host pdc.ttu.red
>>>> rpc_read_send: data_to_read: 32
>>>> rpc_api_pipe: host pdc.ttu.red
>>>> rpc_read_send: data_to_read: 168
>>>> rpc_api_pipe: host pdc.ttu.red
>>>> rpc_read_send: data_to_read: 32
>>>> saf_fetch[join]: Returning "pdc.ttu.red" for "ttu.red" domain
>>>> get_dc_list: preferred server list: "pdc.ttu.red, *"
>>>> no entry for ttu.red#1C found.
>>>> resolve_ads: Attempting to resolve KDCs for ttu.red using DNS
>>>> ads_dns_lookup_srv: 1 records returned in the answer section.
>>>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>>>> name pdc.ttu.red#20 found.
>>>> get_dc_list: returning 2 ip addresses in an ordered list
>>>> get_dc_list: 192.168.2.251:0 192.168.2.251:88
>>>>
>>>> create_local_private_krb5_conf_for_domain: wrote file /var/run/samba/smb_krb5/krb5.conf.TTU with realm TTU.RED KDC list
>>>>   kdc = 192.168.2.251
>>>>
>>>> Bind RPC Pipe: host pdc.ttu.red auth_type 0, auth_level 1
>>>> rpc_api_pipe: host pdc.ttu.red
>>>> rpc_read_send: data_to_read: 52
>>>> check_bind_response: accepted!
>>>> rpc_api_pipe: host pdc.ttu.red
>>>> rpc_read_send: data_to_read: 32
>>>> rpc_api_pipe: host pdc.ttu.red
>>>> rpc_read_send: data_to_read: 32
>>>> rpc_api_pipe: host pdc.ttu.red
>>>> rpc_read_send: data_to_read: 40
>>>> rpc_api_pipe: host pdc.ttu.red
>>>> rpc_read_send: data_to_read: 44
>>>> rpc_api_pipe: host pdc.ttu.red
>>>> rpc_read_send: data_to_read: 32
>>>> rpc_api_pipe: host pdc.ttu.red
>>>> rpc_read_send: data_to_read: 12
>>>> rpc_api_pipe: host pdc.ttu.red
>>>> rpc_read_send: data_to_read: 12
>>>> rpc_api_pipe: host pdc.ttu.red
>>>> rpc_read_send: data_to_read: 32
>>>> rpc_api_pipe: host pdc.ttu.red
>>>> rpc_read_send: data_to_read: 32
>>>> rpc_api_pipe: host pdc.ttu.red
>>>> rpc_read_send: data_to_read: 32
>>>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>>>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>>>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>>>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>>>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>>>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>>>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>>>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>>>> check lock order 1 for /var/lib/samba/private/secrets.tdb
>>>> release lock order 1 for /var/lib/samba/private/secrets.tdb
>>>> sitename_fetch: Returning sitename for TTU.RED: "Default-First-Site-Name"
>>>> name pdc.ttu.red#20 found.
>>>> ads_try_connect: sending CLDAP request to 192.168.2.251 (realm: ttu.red)
>>>> Successfully contacted LDAP server 192.168.2.251
>>>> Connected to LDAP server pdc.ttu.red
>>>> KDC time offset is 0 seconds
>>>> Found SASL mechanism GSS-SPNEGO
>>>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>>>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>>>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>>>> ads_sasl_spnego_bind: got server principal name not_defined_in_RFC4178@please_ignore
>>>> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el directorio)
>>>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration dom, 26 abr 2015 00:04:50 CEST
>>>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
>>>> libnet_Join:
>>>>     libnet_JoinCtx: struct libnet_JoinCtx
>>>>         out: struct libnet_JoinCtx
>>>>             account_name             : NULL
>>>>             netbios_domain_name      : 'TTU'
>>>>             dns_domain_name          : 'ttu.red'
>>>>             forest_name              : 'ttu.red'
>>>>             dn                       : NULL
>>>>             domain_sid               : *
>>>>                 domain_sid               : S-1-5-21-127850397-371183867-665961664
>>>>             modified_config          : 0x00 (0)
>>>>             error_string             : 'failed to connect to AD: Invalid credentials'
>>>>             domain_is_ad             : 0x01 (1)
>>>>             result                   : WERR_GENERAL_FAILURE
>>>> Failed to join domain: failed to connect to AD: Invalid credentials
>>>> return code = -1
>>>> -----------------------------------------------------------------------
>>>>
>>>> I've tried commands like:
>>>> smbclient -L 192.168.2.251 -U%
>>>> kinit administrator@TTU.RED
>>>> klist -c
>>>>
>>>> All are working.
>>>> I've tried to create a test domain instead of upgrading, with the same config, and the ADS join is working... Can it be the upgrade process?
>>>>
>>>> Thanks!!
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>
> OK, there is this:
>
> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el directorio)
>
> The last part seems to translate to: There is no such file or directory,
> so what have you got in /etc/krb5.conf ?

Thanks!!

On the AD server I've linked the Kerberos file in the Samba folder:
lrwxrwxrwx 1 root root 32 abr 25 16:23 krb5.conf -> /var/lib/samba/private/krb5.conf

On the client I have the default:

[libdefaults]
        default_realm = TTU.RED

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
........

[realms]
        TTU.RED = {
                kdc = pdc
                admin_server = pdc
        }
........

> Does /etc/krb5.keytab exist, if it does, remove it.

Deleted, but nothing changed.

> Does /etc/resolv.conf point to the DC ?

Yes:
cat /etc/resolv.conf
domain TTU
nameserver 192.168.2.251

> Are you sure that you are using the correct password for Administrator ?

Yes, I've even tried changing the PW to another one, and other commands work fine, for example "kinit administrator@TTU.RED" and "klist -c":

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TTU.RED

Valid starting     Expires            Service principal
25/04/15 16:36:10  26/04/15 02:36:10  krbtgt/TTU.RED@TTU.RED
        renew until 26/04/15 16:36:06

I've linked the file shown in the log to krb5.conf:
ln -s /var/run/samba/smb_krb5/krb5.conf.TTU /etc/krb5.conf

I get the same error:
.......
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name not_defined_in_RFC4178@please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el directorio)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration dom, 26 abr 2015 02:37:30 CEST
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'TTU'
            dns_domain_name          : 'ttu.red'
            forest_name              : 'ttu.red'
            dn                       : NULL
            domain_sid               : *
                domain_sid               : S-1-5-21-127850397-371183867-665961664
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: Invalid credentials'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: Invalid credentials
return code = -1

I can run commands like "net ads rpc -U "Administrator"" and they work fine; I can even get some AD info:

# net rpc info -U Administrator
Enter Administrator's password:
Domain Name: TTU
Domain SID: S-1-5-21-127850397-371183867-665961664
Sequence number: 1
Num users: 144
Num domain groups: 42
Num local groups: 26

It's strange because, as I said, if I create a new domain without upgrading then I can join that domain even without krb5-client installed.

Greetings!!

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 25/04/15 15:44, Daniel Carrasco Marín wrote:
>
> On the AD server I've linked the Kerberos file in the Samba folder:
> lrwxrwxrwx 1 root root 32 abr 25 16:23 krb5.conf -> /var/lib/samba/private/krb5.conf
>
> On the client I have the default:
>
> [libdefaults]
>         default_realm = TTU.RED
>
> # The following krb5.conf variables are only for MIT Kerberos.
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
> ........
>
> [realms]
>         TTU.RED = {
>                 kdc = pdc
>                 admin_server = pdc
>         }
> ........

Use the same krb5.conf as on the DC

>> Does /etc/krb5.keytab exist, if it does, remove it.
>
> Deleted, but nothing changed.

You will need to try and rejoin the domain

>> Does /etc/resolv.conf point to the DC ?
>
> Yes:
> cat /etc/resolv.conf
> domain TTU
> nameserver 192.168.2.251

Please change /etc/resolv.conf to this:

search ttu.red
nameserver 192.168.2.251

>> Are you sure that you are using the correct password for Administrator ?
>
> Yes, I've even tried changing the PW to another one, and other commands
> work fine, for example "kinit administrator@TTU.RED" and "klist -c":
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@TTU.RED
>
> Valid starting     Expires            Service principal
> 25/04/15 16:36:10  26/04/15 02:36:10  krbtgt/TTU.RED@TTU.RED
>         renew until 26/04/15 16:36:06
>
> I've linked the file shown in the log to krb5.conf:
> ln -s /var/run/samba/smb_krb5/krb5.conf.TTU /etc/krb5.conf
>
> I get the same error:
> .......
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el directorio)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration dom, 26 abr 2015 02:37:30 CEST
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'TTU'
>             dns_domain_name          : 'ttu.red'
>             forest_name              : 'ttu.red'
>             dn                       : NULL
>             domain_sid               : *
>                 domain_sid               : S-1-5-21-127850397-371183867-665961664
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to connect to AD: Invalid credentials'
>             domain_is_ad             : 0x01 (1)
>             result                   : WERR_GENERAL_FAILURE
> Failed to join domain: failed to connect to AD: Invalid credentials
> return code = -1
>
> I can run commands like "net ads rpc -U "Administrator"" and they work
> fine; I can even get some AD info:
>
> # net rpc info -U Administrator
> Enter Administrator's password:
> Domain Name: TTU
> Domain SID: S-1-5-21-127850397-371183867-665961664
> Sequence number: 1
> Num users: 144
> Num domain groups: 42
> Num local groups: 26
>
> It's strange because, as I said, if I create a new domain without upgrading
> then I can join that domain even without krb5-client installed.

what OS are you using ?

what version of samba on the member server ?

What packages have you installed to try and get samba working

anything else relevant, apparmor, selinux, firewall etc ?

Rowland
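The smb.conf comparison earlier in the thread (the `Ignoring badly formed line ... rfc2307[global]` message, `security = domain` plus `server role = standalone server` on a box that is supposed to become an AD member, an `idmap config TTU : backend = ad` with no range) and Rowland's request to change `domain TTU` to `search ttu.red` in resolv.conf are the kind of checks that are worth running before every `net ads join`. The script below is an added example, not code from this thread or from the Samba project. Its parser is a simplified imitation of Samba's params.c: a line that is neither a `[section]` header nor `key = value` is reported as badly formed and skipped, and parameters seen before the first header are assumed to go to `[global]` (an assumption taken from the posted log, where the parameters after the bad line were still applied). The sample configs are abridged reconstructions of the ones quoted in the thread.

```python
"""Pre-join sanity check for a Samba AD member server.

Added example, not from the thread or from Samba. It flags the smb.conf and
resolv.conf discrepancies that were raised in the thread, using a simplified
imitation of Samba's smb.conf parsing rules.
"""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def _norm(key):
    """Samba ignores case and whitespace in parameter names, so
    'idmap config TTU : backend' and 'idmap config TTU:backend' compare equal."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return ({section: {normalised key: value}}, [(lineno, bad line), ...]).

    A line that is neither a [section] header nor 'key = value' is recorded as
    badly formed and skipped, which is what produced the 'rfc2307[global]'
    message in the thread. Assumption: parameters before any header belong to
    [global], matching the posted log where they were still applied.
    """
    sections = {"global": {}}
    current = "global"
    bad_lines = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][_norm(key)] = value.strip()
        else:
            bad_lines.append((lineno, line))
    return sections, bad_lines


def parse_resolv_conf(text):
    """Return {'search': [...], 'nameserver': [...]}. 'domain' is folded into
    'search' because the resolver treats the two keywords as one setting."""
    out = {"search": [], "nameserver": []}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] in ("domain", "search"):
            out["search"].extend(p.lower() for p in parts[1:])
        elif parts[0] == "nameserver":
            out["nameserver"].extend(parts[1:])
    return out


def _range(value):
    lo, _, hi = value.partition("-")
    return int(lo), int(hi)


def check_member(smb_conf, resolv_conf):
    """Return a list of (code, detail) findings; an empty list means clean."""
    sections, bad_lines = parse_smb_conf(smb_conf)
    g = sections["global"]
    findings = [("BAD_LINE", f"smb.conf line {n}: {l!r}") for n, l in bad_lines]

    if g.get("security", "").lower() != "ads":
        findings.append(("SECURITY", f"security = {g.get('security', '<unset>')}; an AD member needs ADS"))
    if "realm" not in g:
        findings.append(("REALM", "realm is not set"))
    if g.get("serverrole", "").lower() == "standalone server":
        findings.append(("SERVER_ROLE", "server role = standalone server contradicts a domain join"))

    # Every idmap backend needs a range, and the ranges must not overlap.
    ranges = {}
    for key, backend in g.items():
        m = re.match(r"idmapconfig(.+):backend$", key)
        if not m:
            continue
        dom = m.group(1)
        rng = g.get(f"idmapconfig{dom}:range")
        if rng is None:
            findings.append(("IDMAP_RANGE", f"idmap config {dom} : backend = {backend} has no range"))
        else:
            ranges[dom] = _range(rng)
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(("IDMAP_OVERLAP", f"idmap ranges for {a} and {b} overlap"))

    # resolv.conf must search the DNS domain of the realm, not the NetBIOS name.
    if "realm" in g:
        dns_domain = g["realm"].lower()
        resolv = parse_resolv_conf(resolv_conf)
        if dns_domain not in resolv["search"]:
            findings.append(("RESOLV_SEARCH", f"resolv.conf search list {resolv['search']} lacks {dns_domain}"))
        if not resolv["nameserver"]:
            findings.append(("RESOLV_NS", "resolv.conf has no nameserver"))
    return findings


# Abridged reconstruction of the first smb.conf from the thread. The stray
# 'rfc2307' glued to the [global] header is exactly what the log complained about.
ORIGINAL_SMB_CONF = """\
rfc2307[global]
security = domain
workgroup = TTU
realm = ttu.red
wins server = 192.168.2.251
server role = standalone server
passdb backend = tdbsam
idmap config TTU : backend = ad
idmap config * : backend = tdb
idmap config * : range = 1000-20000000
"""
ORIGINAL_RESOLV_CONF = "domain TTU\nnameserver 192.168.2.251\n"

# Abridged reconstruction of the wiki-style smb.conf from the second attempt,
# and the resolv.conf Rowland asked for.
WIKI_SMB_CONF = """\
[global]
        workgroup = TTU
        security = ADS
        realm = TTU.RED
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config TTU:backend = ad
        idmap config TTU:schema_mode = rfc2307
        idmap config TTU:range = 10000-99999
"""
FIXED_RESOLV_CONF = "search ttu.red\nnameserver 192.168.2.251\n"

if __name__ == "__main__":
    for label, smb, resolv in (("original", ORIGINAL_SMB_CONF, ORIGINAL_RESOLV_CONF),
                               ("wiki-style", WIKI_SMB_CONF, FIXED_RESOLV_CONF)):
        print(f"== {label} ==")
        for code, detail in check_member(smb, resolv) or [("OK", "no findings")]:
            print(f"{code:14} {detail}")
```

Run against the first configuration it reports the bad line, the `security`/`server role` mismatch, the missing `idmap config TTU : range` and the resolv.conf search domain; the wiki-style configuration with `search ttu.red` comes back clean. The wiki-style smb.conf combined with the old `domain TTU` resolv.conf (the state of the second attempt in the thread) reports only the resolv.conf finding, which is the point of checking the two files together rather than smb.conf alone.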
Daniel Carrasco Marín
2015-Apr-25 15:24 UTC
[Samba] I can't join the new AD server with Samba4
2015-04-25 16:57 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:

> On 25/04/15 15:44, Daniel Carrasco Marín wrote:
>
>> On the AD server I've linked the Kerberos file in the Samba folder:
>> lrwxrwxrwx 1 root root 32 abr 25 16:23 krb5.conf -> /var/lib/samba/private/krb5.conf
>>
>> On the client I have the default:
>>
>> [libdefaults]
>>         default_realm = TTU.RED
>>
>> # The following krb5.conf variables are only for MIT Kerberos.
>>         krb4_config = /etc/krb.conf
>>         krb4_realms = /etc/krb.realms
>>         kdc_timesync = 1
>>         ccache_type = 4
>>         forwardable = true
>>         proxiable = true
>> ........
>>
>> [realms]
>>         TTU.RED = {
>>                 kdc = pdc
>>                 admin_server = pdc
>>         }
>> ........
>
> Use the same krb5.conf as on the DC

Ok, copied.

>>> Does /etc/krb5.keytab exist, if it does, remove it.
>>
>> Deleted, but nothing changed.
>
> You will need to try and rejoin the domain
>
>>> Does /etc/resolv.conf point to the DC ?
>>
>> Yes:
>> cat /etc/resolv.conf
>> domain TTU
>> nameserver 192.168.2.251
>
> Please change /etc/resolv.conf to this:
>
> search ttu.red
> nameserver 192.168.2.251

Changed.

>>> Are you sure that you are using the correct password for Administrator ?
>>
>> Yes, I've even tried changing the PW to another one, and other commands
>> work fine, for example "kinit administrator@TTU.RED" and "klist -c":
>>
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administrator@TTU.RED
>>
>> Valid starting     Expires            Service principal
>> 25/04/15 16:36:10  26/04/15 02:36:10  krbtgt/TTU.RED@TTU.RED
>>         renew until 26/04/15 16:36:06
>>
>> I've linked the file shown in the log to krb5.conf:
>> ln -s /var/run/samba/smb_krb5/krb5.conf.TTU /etc/krb5.conf
>>
>> I get the same error:
>> .......
>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> ads_sasl_spnego_bind: got server principal name not_defined_in_RFC4178@please_ignore
>> ads_krb5_mk_req: krb5_cc_get_principal failed (No existe el fichero o el directorio)
>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration dom, 26 abr 2015 02:37:30 CEST
>> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
>> libnet_Join:
>>     libnet_JoinCtx: struct libnet_JoinCtx
>>         out: struct libnet_JoinCtx
>>             account_name             : NULL
>>             netbios_domain_name      : 'TTU'
>>             dns_domain_name          : 'ttu.red'
>>             forest_name              : 'ttu.red'
>>             dn                       : NULL
>>             domain_sid               : *
>>                 domain_sid               : S-1-5-21-127850397-371183867-665961664
>>             modified_config          : 0x00 (0)
>>             error_string             : 'failed to connect to AD: Invalid credentials'
>>             domain_is_ad             : 0x01 (1)
>>             result                   : WERR_GENERAL_FAILURE
>> Failed to join domain: failed to connect to AD: Invalid credentials
>> return code = -1
>>
>> I can run commands like "net ads rpc -U "Administrator"" and they work
>> fine; I can even get some AD info:
>>
>> # net rpc info -U Administrator
>> Enter Administrator's password:
>> Domain Name: TTU
>> Domain SID: S-1-5-21-127850397-371183867-665961664
>> Sequence number: 1
>> Num users: 144
>> Num domain groups: 42
>> Num local groups: 26
>>
>> It's strange because, as I said, if I create a new domain without upgrading
>> then I can join that domain even without krb5-client installed.
>
> what OS are you using ?

Debian 7u2

> what version of samba on the member server ?

Same as the AD DC: Version 4.1.17-Debian

> What packages have you installed to try and get samba working

The same packages, the latest from wheezy-backports. The only difference is that I've created a new domain instead of upgrading the old 3.6 domain.

> anything else relevant, apparmor, selinux, firewall etc ?

The AD DC doesn't have any kind of firewall or AppArmor.
I don't have AppArmor, and the firewall has the basic configuration on the client. I don't know about SELinux, but the default configuration has not been changed.

I'm starting to think it's better to create a new domain and move the machines and users to the new domain.

Greetings!!

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba