I opened all of these
https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.
On Sat, Sep 17, 2022 at 1:17 PM Rob Campbell <robcampbell08105 at gmail.com> wrote:
> On Sat, Sep 17, 2022 at 11:59 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>>
>>
>> On 17/09/2022 16:20, Rob Campbell wrote:
>> >
>> >
>> >
>> >
>> > [Sat Sep 17 11:15:03] [root at d02~$] net ads join -U Administrator -d3
>> > lp_load_ex: refreshing parameters
>> > Initialising global parameters
>> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> > Processing section "[global]"
>> > Registered MSG_REQ_POOL_USAGE
>> > Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>> > lp_load_ex: refreshing parameters
>> > Initialising global parameters
>> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> > Processing section "[global]"
>> > added interface enp3s0 ip=10.0.0.9 bcast=10.0.0.255 netmask=255.255.255.0
>> > Enter Administrator's password:
>> > libnet_Join:
>> > libnet_JoinCtx: struct libnet_JoinCtx
>> > in: struct libnet_JoinCtx
>> > dc_name : NULL
>> > machine_name : 'D02'
>> > domain_name : *
>> > domain_name : 'HOME.ROB-CAMPBELL.LAN'
>> > domain_name_type : JoinDomNameTypeDNS (1)
>> > account_ou : NULL
>> > admin_account : 'Administrator'
>> > admin_domain : NULL
>> > machine_password : NULL
>> > join_flags : 0x00000023 (35)
>> > 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>> > 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>> > 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>> > 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>> > 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>> > 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>> > 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>> > 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>> > 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>> > 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>> > 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>> > os_version : NULL
>> > os_name : NULL
>> > os_servicepack : NULL
>> > create_upn : 0x00 (0)
>> > upn : NULL
>> > dnshostname : NULL
>> > modify_config : 0x00 (0)
>> > ads : NULL
>> > debug : 0x01 (1)
>> > use_kerberos : 0x00 (0)
>> > secure_channel_type : SEC_CHAN_WKSTA (2)
>> > desired_encryption_types : 0x0000001f (31)
>> > resolve_hosts: Attempting host lookup for name dc01.home.rob-campbell.lan<0x20>
>> > Connecting to 10.0.0.10 at port 445
>> > GENSEC backend 'gssapi_spnego' registered
>> > GENSEC backend 'gssapi_krb5' registered
>> > GENSEC backend 'gssapi_krb5_sasl' registered
>> > GENSEC backend 'spnego' registered
>> > GENSEC backend 'schannel' registered
>> > GENSEC backend 'naclrpc_as_system' registered
>> > GENSEC backend 'sasl-EXTERNAL' registered
>> > GENSEC backend 'ntlmssp' registered
>> > GENSEC backend 'ntlmssp_resume_ccache' registered
>> > GENSEC backend 'http_basic' registered
>> > GENSEC backend 'http_ntlm' registered
>> > GENSEC backend 'http_negotiate' registered
>> > GENSEC backend 'krb5' registered
>> > GENSEC backend 'fake_gssapi_krb5' registered
>> > Got challenge flags:
>> > Got NTLMSSP neg_flags=0x62898215
>> > NTLMSSP: Set final flags:
>> > Got NTLMSSP neg_flags=0x62088215
>> > NTLMSSP Sign/Seal - Initialising with flags:
>> > Got NTLMSSP neg_flags=0x62088215
>> > NTLMSSP Sign/Seal - Initialising with flags:
>> > Got NTLMSSP neg_flags=0x62088215
>> > get_dc_list: preferred server list: "dc01.home.rob-campbell.lan, *"
>> > get_dc_list: preferred server list: "dc01.home.rob-campbell.lan, *"
>> > Successfully contacted LDAP server 10.0.0.10
>> > Connecting to 10.0.0.10 at port 389
>> > Connected to LDAP server dc01.home.rob-campbell.lan
>> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> > libnet_join_precreate_machine_acct: Machine account successfully created
>> > ads_domain_func_level: 4
>> > join: struct secrets_domain_infoB
>> > version : SECRETS_DOMAIN_INFO_VERSION_1 (1)
>> > reserved : 0x00000000 (0)
>> > info : union secrets_domain_infoU(case 1)
>> > info1 : *
>> > info1: struct secrets_domain_info1
>> > reserved_flags : 0x0000000000000000 (0)
>> > join_time : Sat Sep 17 11:15:50 AM 2022 EDT
>> > computer_name : 'D02'
>> > account_name : 'D02$'
>> > secure_channel_type : SEC_CHAN_WKSTA (2)
>> > domain_info: struct lsa_DnsDomainInfo
>> > name: struct lsa_StringLarge
>> > length : 0x0000 (0)
>> > size : 0x0000 (0)
>> > string : *
>> > string : 'HOME'
>> > dns_domain: struct lsa_StringLarge
>> > length : 0x0000 (0)
>> > size : 0x0000 (0)
>> > string : *
>> > string : 'home.rob-campbell.lan'
>> > dns_forest: struct lsa_StringLarge
>> > length : 0x0000 (0)
>> > size : 0x0000 (0)
>> > string : *
>> > string : 'home.rob-campbell.lan'
>> > domain_guid : c1c018e3-6250-407d-9b57-42fda446aa97
>> > sid : *
>> > sid : S-1-5-21-3671967812-2164588398-1947807301
>> > trust_flags : 0x0000001a (26)
>> > 0: NETR_TRUST_FLAG_IN_FOREST
>> > 1: NETR_TRUST_FLAG_OUTBOUND
>> > 0: NETR_TRUST_FLAG_TREEROOT
>> > 1: NETR_TRUST_FLAG_PRIMARY
>> > 1: NETR_TRUST_FLAG_NATIVE
>> > 0: NETR_TRUST_FLAG_INBOUND
>> > 0: NETR_TRUST_FLAG_MIT_KRB5
>> > 0: NETR_TRUST_FLAG_AES
>> > trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
>> > trust_attributes : 0x00000040 (64)
>> > 0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
>> > 0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
>> > 0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
>> > 0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
>> > 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
>> > 0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
>> > 1: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
>> > 0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
>> > 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
>> > 0: LSA_TRUST_ATTRIBUTE_PIM_TRUST
>> > 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
>> > reserved_routing : NULL
>> > supported_enc_types : 0x0000001f (31)
>> > 1: KERB_ENCTYPE_DES_CBC_CRC
>> > 1: KERB_ENCTYPE_DES_CBC_MD5
>> > 1: KERB_ENCTYPE_RC4_HMAC_MD5
>> > 1: KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>> > 1: KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
>> > 0: KERB_ENCTYPE_FAST_SUPPORTED
>> > 0: KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED
>> > 0: KERB_ENCTYPE_CLAIMS_SUPPORTED
>> > 0: KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED
>> > salt_principal : *
>> > salt_principal : 'host/d02.home.rob-campbell.lan at HOME.ROB-CAMPBELL.LAN'
>> > password_last_change : Sat Sep 17 11:15:50 AM 2022 EDT
>> > password_changes : 0x0000000000000001 (1)
>> > next_change : NULL
>> > password : *
>> > password: struct secrets_domain_info1_password
>> > change_time : Sat Sep 17 11:15:50 AM 2022 EDT
>> > change_server : 'dc01.home.rob-campbell.lan'
>> > cleartext_blob : DATA_BLOB length=260
>> > nt_hash: struct samr_Password
>> > hash: ARRAY(16): <REDACTED SECRET VALUES>
>> > salt_data : *
>> > salt_data : 'HOME.ROB-CAMPBELL.LANhostd02.home.rob-campbell.lan'
>> > default_iteration_count : 0x00001000 (4096)
>> > num_keys : 0x0003 (3)
>> > keys: ARRAY(3)
>> > keys: struct secrets_domain_info1_kerberos_key
>> > keytype : 0x00000012 (18)
>> > iteration_count : 0x00001000 (4096)
>> > value : DATA_BLOB length=32
>> > keys: struct secrets_domain_info1_kerberos_key
>> > keytype : 0x00000011 (17)
>> > iteration_count : 0x00001000 (4096)
>> > value : DATA_BLOB length=16
>> > keys: struct secrets_domain_info1_kerberos_key
>> > keytype : 0x00000017 (23)
>> > iteration_count : 0x00001000 (4096)
>> > value : DATA_BLOB length=16
>> > old_password : *
>> > old_password: struct secrets_domain_info1_password
>> > change_time : Sat Sep 17 11:14:05 AM 2022 EDT
>> > change_server : 'dc01.home.rob-campbell.lan'
>> > cleartext_blob : DATA_BLOB length=416
>> > nt_hash: struct samr_Password
>> > hash: ARRAY(16): <REDACTED SECRET VALUES>
>> > salt_data : *
>> > salt_data : 'HOME.ROB-CAMPBELL.LANhostd02.home.rob-campbell.lan'
>> > default_iteration_count : 0x00001000 (4096)
>> > num_keys : 0x0003 (3)
>> > keys: ARRAY(3)
>> > keys: struct secrets_domain_info1_kerberos_key
>> > keytype : 0x00000012 (18)
>> > iteration_count : 0x00001000 (4096)
>> > value : DATA_BLOB length=32
>> > keys: struct secrets_domain_info1_kerberos_key
>> > keytype : 0x00000011 (17)
>> > iteration_count : 0x00001000 (4096)
>> > value : DATA_BLOB length=16
>> > keys: struct secrets_domain_info1_kerberos_key
>> > keytype : 0x00000017 (23)
>> > iteration_count : 0x00001000 (4096)
>> > value : DATA_BLOB length=16
>> > older_password : NULL
>> > ldb: ltdb: tdb(/var/lib/samba/private/secrets.ldb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.ldb: No such file or directory
>> >
>> > ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
>> > ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
>>
>> You can ignore errors like the above, there will never be a file called
>> 'secrets.ldb' on a Unix domain member.
>>
>> > Connecting to 10.0.0.10 at port 445
>> > libnet_Join:
>> > libnet_JoinCtx: struct libnet_JoinCtx
>> > out: struct libnet_JoinCtx
>> > account_name : 'D02$'
>> > netbios_domain_name : 'HOME'
>> > dns_domain_name : 'home.rob-campbell.lan'
>> > forest_name : 'home.rob-campbell.lan'
>> > dn : 'CN=D02,CN=Computers,DC=home,DC=rob-campbell,DC=lan'
>> > domain_guid : c1c018e3-6250-407d-9b57-42fda446aa97
>> > domain_sid : *
>> > domain_sid : S-1-5-21-3671967812-2164588398-1947807301
>> > modified_config : 0x00 (0)
>> > error_string : NULL
>> > domain_is_ad : 0x01 (1)
>> > set_encryption_types : 0x0000001f (31)
>> > krb5_salt : 'host/d02.home.rob-campbell.lan at HOME.ROB-CAMPBELL.LAN'
>> > result : WERR_OK
>> > Using short domain name -- HOME
>> > Joined 'D02' to dns domain 'home.rob-campbell.lan'
>> > added interface enp3s0 ip=10.0.0.9 bcast=10.0.0.255 netmask=255.255.255.0
>> > DoDNSUpdate: signed update failed
>>
>> There is your error, something is stopping the update, is there a
>> firewall in the way, or is apparmor running ?
>>
>> Rowland
>>
> No apparmor or anything but I guess there could be a port that isn't
> open. I didn't see the wiki mention any particular ports or protocols so I
> opened only what I found I needed. Maybe I missed something.
>
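
The triage applied in the quoted reply (secrets.ldb errors are ignorable on a Unix domain member, the DoDNSUpdate line is the real failure), as an added example that is not part of the original thread. The names `triage` and `verdict` are hypothetical, and the sample consists of lines from the log above with the mail wrapping undone.

```python
import re

QUOTE = re.compile(r"^(?:>\s*)+")   # mail quote markers such as ">> > "
ERROR = re.compile(r"[Ff]ailed|Unable to|could not|No such file")
CONNECT = re.compile(r"Connecting to (\S+) at port (\d+)")
JOINED = re.compile(r"Joined '([^']+)' to dns domain '([^']+)'")

# Lines taken from the log in this thread, with the mail wrapping undone.
SAMPLE = """\
>> > Connecting to 10.0.0.10 at port 445
>> > Connecting to 10.0.0.10 at port 389
>> > libnet_join_precreate_machine_acct: Machine account successfully created
>> > ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
>> > ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb'
>> >
>> > Joined 'D02' to dns domain 'home.rob-campbell.lan'
>> > DoDNSUpdate: signed update failed
"""

def triage(log_text):
    """Hypothetical helper: sort `net ads join -d3` lines the way the reply does."""
    report = {"joined": None, "ports": set(), "ignorable": [], "actionable": []}
    for raw in log_text.splitlines():
        line = QUOTE.sub("", raw).strip()      # drop quote markers, keep the log text
        if m := CONNECT.search(line):
            report["ports"].add((m.group(1), int(m.group(2))))
        elif m := JOINED.search(line):
            report["joined"] = m.groups()      # (machine name, DNS domain)
        elif ERROR.search(line):
            # secrets.ldb never exists on a Unix domain member (per the reply)
            bucket = "ignorable" if "secrets.ldb" in line else "actionable"
            report[bucket].append(line)
    return report

def verdict(report):
    """Separate the join result from the DNS registration result."""
    if report["joined"] is None:
        return "join did not complete"
    if any("DoDNSUpdate" in line for line in report["actionable"]):
        return "joined, but the signed DNS update failed"
    return "joined"

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(verdict(r), sorted(r["ports"]), r["actionable"])
```

The ports it collects are only the ones the log shows the client reaching (445 and 389 here), which can be compared against the wiki's port list when checking the firewall.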