Akash Jain
2017-Dec-01 11:25 UTC
[Samba] Intermittent failure of net ads join command with error "The transport connection is now disconnected"
Hello All

I am seeing the following error intermittently when I try to join the Samba machine into an AD domain controlled by a Windows machine.

Failed to join domain: failed to lookup DC info for domain '3DFSTESTAD.COM' over rpc: The transport connection is now disconnected.

If we repeat the same command with the same configuration and credentials, it succeeds.

Detailed logs at log level 5 are at the end of the message.

Command:
net ads join -d5 -e -I <AD Controller IP> -U administrator%<password>

Configuration details are as follows:

-------------------- smb.conf -----------------------
[global]
max log size = 0
realm = DOMAIN.COM
workgroup = DOMAIN
security = ADS
winbind enum users = yes
winbind enum groups = yes
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999
passdb backend = tdbsam

------------------- krb5.conf ------------------------
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DOMAIN.COM = {
kdc = PDC.DOMAIN.COM
admin_server = PDC.DOMAIN.COM
}
[domain_realm]
domain = DOMAIN.COM
.domain = DOMAIN.COM

----------------------------------------------------------------------------------------------

Log level 5 logs for the net ads command are:

Enter Administrator's password:
libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    in: struct libnet_JoinCtx
        dc_name : NULL
        machine_name : 'Hostname'
        domain_name : *
            domain_name : 'DOMAIN.COM'
        domain_name_type : JoinDomNameTypeDNS (1)
        account_ou : NULL
        admin_account : 'Administrator'
        admin_domain : NULL
        machine_password : NULL
        join_flags : 0x00000023 (35)
            0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
            0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
            0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
            0: WKSSVC_JOIN_FLAGS_DEFER_SPN
            0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
            0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
            1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
            0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
            0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
            1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
            1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
        os_version : NULL
        os_name : NULL
        os_servicepack : NULL
        create_upn : 0x00 (0)
        upn : NULL
        modify_config : 0x00 (0)
        ads : NULL
        debug : 0x01 (1)
        use_kerberos : 0x00 (0)
        secure_channel_type : SEC_CHAN_WKSTA (2)
        desired_encryption_types : 0x0000001f (31)
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'DOMAIN.COM': "Default-First-Site-Name"
ads_dns_lookup_srv: 1 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'DOMAIN.COM': "Default-First-Site-Name"
no entry for PDC.DOMAIN.COM#20 found.
resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
namecache_store: storing 1 address for PDC.DOMAIN.COM#20: <AD Controller IP>
Connecting to <AD Controller IP> at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=26 destlen=16 - 'PDC.DOMAIN.COM'
Connecting to <AD Controller IP> at port 139
Socket options:
    SO_KEEPALIVE = 0
    SO_REUSEADDR = 0
    SO_BROADCAST = 0
    TCP_NODELAY = 1
    TCP_KEEPCNT = 9
    TCP_KEEPIDLE = 7200
    TCP_KEEPINTVL = 75
    IPTOS_LOWDELAY = 0
    IPTOS_THROUGHPUT = 0
    SO_REUSEPORT = 0
    SO_SNDBUF = 87040
    SO_RCVBUF = 367360
    SO_SNDLOWAT = 1
    SO_RCVLOWAT = 1
    SO_SNDTIMEO = 0
    SO_RCVTIMEO = 0
    TCP_QUICKACK = 1
    TCP_DEFER_ACCEPT = 0
got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Server claims it's principal name is not_defined_in_RFC4178 at PLEASE_IGNORE
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_TARGET_TYPE_DOMAIN
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    NTLMSSP_NEGOTIATE_TARGET_INFO
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: The transport connection is now disconnected.
libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    out: struct libnet_JoinCtx
        account_name : NULL
        netbios_domain_name : NULL
        dns_domain_name : NULL
        forest_name : NULL
        dn : NULL
        domain_sid : NULL
            domain_sid : (NULL SID)
        modified_config : 0x00 (0)
        error_string : 'failed to lookup DC info for domain 'DOMAIN.COM' over rpc: The transport connection is now disconnected.'
        domain_is_ad : 0x00 (0)
        set_encryption_types : 0x00000000 (0)
        result : WERR_NETNAME_DELETED
return code = -1
Failed to join domain: failed to lookup DC info for domain 'DOMAIN.COM' over rpc: The transport connection is now disconnected.

------------------------------------------------------------------------------------------------------------------------------

If we compare the success vs. failure logs, we see only the difference of the following lines.

The lines below are missing in the failure case:
----------------------------------------------
Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Thu Jan 1 05:30:00 1970 IST] (-1511892480 seconds in the past)
no entry for PDC.DOMAIN.COM#20 found.
resolve_hosts: Attempting host lookup for name PDC.DOMAIN.COM<0x20>
namecache_store: storing 1 address for PDC.DOMAIN.COM#20: 172.16.72.124
Adding cache entry with key=[NBT/PDC.DOMAIN.COM#20] and timeout=[Tue Nov 28 23:49:00 2017 IST] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: <AD Controller IP> :0
-------------------------------------------------

Also, the OIDs are different.

Please help me understand in what scenarios the domain controller will revoke the transport connection with SPNEGO failed for the same flags and the same inputs.

Thanks
Akash
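An added example (not Samba code and not part of the post) that decodes the two neg_flags values from the log above against the NegotiateFlags bits of MS-NLMP section 2.2.2.5 and diffs the CHALLENGE set against the final set, so a reader can see which bits the client dropped and what protection (signing, no sealing, 128-bit key exchange) the session ended up with. The log excerpt it reads is constructed from lines of the post.

```python
import re

# NTLMSSP NegotiateFlags bits (MS-NLMP 2.2.2.5), under the names Samba prints.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000040: "NTLMSSP_NEGOTIATE_DATAGRAM",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY",
    0x00400000: "NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# Constructed excerpt of the -d5 output in the post, reduced to the lines
# this script reads; the two hex values are the ones from the post.
SAMPLE_LOG = """\
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: The transport connection is now disconnected.
"""

NEG_FLAGS_RE = re.compile(r"Got NTLMSSP neg_flags=0x([0-9A-Fa-f]{1,8})")

def decode_flags(value):
    """Names of the set bits in ascending bit order (the order Samba prints
    them) plus a mask of any set bits the table has no name for."""
    names, unknown = [], 0
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            name = NTLMSSP_FLAGS.get(mask)
            if name is None:
                unknown |= mask
            else:
                names.append(name)
    return names, unknown

def diff_flags(challenge, final):
    """(dropped, added): CHALLENGE flags the client left out of the final
    set, and final flags the server never offered."""
    dropped, _ = decode_flags(challenge & ~final & 0xFFFFFFFF)
    added, _ = decode_flags(final & ~challenge & 0xFFFFFFFF)
    return dropped, added

def session_security(final):
    """What the final flag set says about protection of the NTLMSSP session."""
    return {
        "signing": bool(final & 0x00000010),
        "always_sign": bool(final & 0x00008000),
        "sealing": bool(final & 0x00000020),
        "extended_session_security": bool(final & 0x00080000),
        "key_exchange": bool(final & 0x40000000),
        "key_128": bool(final & 0x20000000),
    }

def neg_flags_from_log(text):
    """All neg_flags values in the order they appear in a -d5 log."""
    return [int(m.group(1), 16) for m in NEG_FLAGS_RE.finditer(text)]

def analyse(text):
    """Decode the first (challenge) and second (final) flag sets of a log."""
    values = neg_flags_from_log(text)
    if len(values) < 2:
        raise ValueError("log has no challenge/final neg_flags pair")
    challenge, final = values[0], values[1]
    dropped, added = diff_flags(challenge, final)
    return {
        "challenge": decode_flags(challenge)[0],
        "final": decode_flags(final)[0],
        "dropped": dropped,
        "added": added,
        "security": session_security(final),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```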
Akash Jain
2017-Dec-06 08:12 UTC
[Samba] Intermittent failure of net ads join command with error "The transport connection is now disconnected"
Hello All

Can someone please help me understand what could be the reason SPNEGO fails with the Windows AD server?

SPNEGO login failed: The transport connection is now disconnected.
error_string : 'failed to lookup DC info for domain 'DOMAIN.COM' over rpc: The transport connection is now disconnected.'

Thanks in advance
Akash

On Fri, Dec 1, 2017 at 4:55 PM, Akash Jain <akash.jain110683 at gmail.com> wrote:
Akash Jain
2017-Dec-12 11:10 UTC
[Samba] Intermittent failure of net ads join command with error "The transport connection is now disconnected"
Hello All

Can I get some response on the above email?

More setup details:

My AD Controller is Windows 2008 R2
My Linux machine which is trying to join the domain is CentOS Linux release 7.2.1511
Samba version is Version 4.6.2

Kindly help and let me know if I need to include more information in the email.

Thanks
Akash

On Wed, Dec 6, 2017 at 1:42 PM, Akash Jain <akash.jain110683 at gmail.com> wrote:
L.P.H. van Belle
2017-Dec-12 11:18 UTC
[Samba] Intermittent failure of net ads join command with error "The transport connection is now disconnected"
Your smb.conf is incorrect/incomplete. Info here on these 2 links.

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Idmap_config_rid

Your smb.conf:

> >> [global]
> >> max log size = 0
> >> realm = DOMAIN.COM
> >> workgroup = DOMAIN
> >> security = ADS
> >> winbind enum users = yes
> >> winbind enum groups = yes
> >> idmap config * : backend = autorid
> >> idmap config * : range = 1000000-19999999

But yours should be something like:

[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 1

# Default idmap config for local BUILTIN accounts and groups
idmap config * : backend = tdb
idmap config * : range = 3000-7999

# idmap config for the SAMDOM domain
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

# Template settings for login shell and home directory
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Akash Jain via samba
> Sent: Tuesday 12 December 2017 12:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] Intermittent failure of net ads join command with error "The transport connection is now disconnected"
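An added example (not Samba code and not from the reply) that checks the idmap layout the reply points to: a default '*' block, a block for the joined domain unless the default backend is autorid (which maps all domains by itself), and no overlapping ranges. Both configs in it are constructed: one from the recommended layout above, one a deliberately broken variant.

```python
import re

# Constructed from the layout recommended in the reply above.
RECOMMENDED_CONF = """\
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
# Default idmap config for local BUILTIN accounts and groups
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# idmap config for the SAMDOM domain
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""

# Constructed broken variant: a tdb default but no block for the joined
# domain SAMDOM, and a block whose range overlaps the default range.
BROKEN_CONF = """\
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config OTHER : backend = rid
idmap config OTHER : range = 5000-999999
"""

IDMAP_RE = re.compile(r"^idmap config (\S+) : (backend|range)$")

def parse_smb_conf(text):
    """Small smb.conf reader: {section: {key: value}}.  Keys are lower-cased
    with inner whitespace collapsed, since Samba ignores both in names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def idmap_layout(global_section):
    """{DOMAIN: {"backend": ..., "range": ...}} from the idmap config lines."""
    layout = {}
    for key, value in global_section.items():
        m = IDMAP_RE.match(key)
        if m:
            layout.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return layout

def parse_range(text):
    """'low-high' -> (low, high); rejects malformed, empty or inverted ranges."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo >= hi:
        raise ValueError(text)
    return lo, hi

def check_idmap(text):
    """Findings about the idmap layout of a domain-member smb.conf;
    an empty list means the layout is consistent."""
    g = parse_smb_conf(text).get("global", {})
    layout = idmap_layout(g)
    findings = []
    default = layout.get("*", {})
    if not default:
        findings.append("no 'idmap config * : backend' default block")
    workgroup = g.get("workgroup", "").upper()
    # autorid as the default backend maps every domain by itself; with any
    # other default backend the joined domain needs its own block.
    if workgroup and workgroup not in layout and default.get("backend") != "autorid":
        findings.append(f"no 'idmap config {workgroup} : backend' block")
    ranges = {}
    for dom, cfg in layout.items():
        for field in ("backend", "range"):
            if field not in cfg:
                findings.append(f"idmap config {dom}: {field} not set")
        if "range" in cfg:
            try:
                ranges[dom] = parse_range(cfg["range"])
            except ValueError:
                findings.append(f"idmap config {dom}: bad range {cfg['range']!r}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:         # the two intervals intersect
                findings.append(f"ranges of {a} and {b} overlap")
    return findings

if __name__ == "__main__":
    for name, conf in (("recommended", RECOMMENDED_CONF), ("broken", BROKEN_CONF)):
        print(name, "->", check_idmap(conf) or "no findings")
```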