jonas.back@ppm.nu
2005-Feb-24 16:41 UTC
[Samba] Getting ads_connect: Strong authentication required when doing net ads join
In my lab I successfully got everything working running our secured Active Directory and Fedora Core 3. In our AD we have secured settings like refusing NTLMv2, requiring LDAP signing, SMB signing and more.

In the lab we have the following RPMs:

krb5-workstation-1.3.4.7
samba-3.0.8.0.pre1.3
openldap-2.2.13-2

But now we're implementing this in production and there we're running Red Hat ES3 and have the following RPMs (newest so far):

krb5-workstation-1.2.7-38
samba-3.0.9-1.3E.2
openldap-2.0.27-11

Kinit and smbclient work fine, but when I run net ads join it fails with "ads_connect: Strong authentication required". I've read somewhere that the security policy setting "Domain Controller: LDAP server signing requirements" set to "Require signing" is the reason for this, but our security team will not let me disable this setting. Is there any other way to get around this?

I've made sure all configuration files (krb5.conf, smb.conf and ldap.conf) have the same options.

Also found earlier posts, but they don't really give me a solution:
http://lists.samba.org/archive/samba-technical/2003-October/032422.html
and here
http://lists.samba.org/archive/samba/2003-October/000806.html

[root@xtmplin1 /]# kinit domainuser
Password for domainuser@PPM.NU:
[root@xtmplin1 /]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: domainuser@PPM.NU

Valid starting     Expires            Service principal
02/24/05 17:00:27  02/25/05 03:00:27  krbtgt/PPM.NU@PPM.NU

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@xtmplin1 /]# net ads join "ServrarSamba" -U domainuser
domainuser's password:
[2005/02/24 17:00:45, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Strong authentication required
[root@xtmplin1 /]#

Here's the complete debug for net ads join:

[root@xtmplin1 samba]# net ads join "ServrarSamba" -U domainuser -d 10
[2005/02/24 16:15:22, 5] lib/debug.c:debug_dump_status(366)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
[2005/02/24 16:15:22, 3] param/loadparm.c:lp_load(3911)
  lp_load: refreshing parameters
[2005/02/24 16:15:22, 3] param/loadparm.c:init_globals(1312)
  Initialising global parameters
[2005/02/24 16:15:22, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2005/02/24 16:15:22, 3] param/loadparm.c:do_section(3404)
  Processing section "[global]"
  doing parameter workgroup = EXAMPLE
  doing parameter realm = EXAMPLE.NU
  doing parameter use spnego = yes
  doing parameter client signing = yes
  doing parameter client use spnego = yes
  doing parameter server string = Samba Server
  doing parameter printcap name = /etc/printcap
  doing parameter load printers = yes
  doing parameter cups options = raw
  doing parameter log file = /var/log/samba/%m.log
  doing parameter max log size = 50
  doing parameter security = ads
  doing parameter encrypt passwords = yes
  doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  doing parameter dns proxy = no
[2005/02/24 16:15:22, 4] param/loadparm.c:lp_load(3942)
  pm_process() returned Yes
[2005/02/24 16:15:22, 7] param/loadparm.c:lp_servicenumber(4052)
  lp_servicenumber: couldn't find homes
[2005/02/24 16:15:22, 10] param/loadparm.c:set_server_role(3851)
  set_server_role: role = ROLE_DOMAIN_MEMBER
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UCS-2LE
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UCS-2LE
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF-16LE
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF-16LE
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UCS-2BE
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UCS-2BE
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF-16BE
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF-16BE
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF8
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF8
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UTF-8
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UTF-8
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset ASCII
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset ASCII
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset 646
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset 646
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset ISO-8859-1
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset ISO-8859-1
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
  Attempting to register new charset UCS2-HEX
[2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
  Registered charset UCS2-HEX
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-15' for LOCALE
[2005/02/24 16:15:22, 5] lib/util.c:init_names(278)
  Netbios name list:-
  my_netbios_names[0]="XTMPLIN1"
[2005/02/24 16:15:22, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.25.231 bcast=192.168.25.255 nmask=255.255.255.0
domainuser's password:
[2005/02/24 16:15:35, 6] libads/ldap.c:ads_find_dc(176)
  ads_find_dc: looking for realm 'EXAMPLE.NU'
[2005/02/24 16:15:35, 8] libsmb/namequery.c:get_sorted_dc_list(1433)
  get_sorted_dc_list: attempting lookup using [ads]
[2005/02/24 16:15:35, 10] libsmb/namequery.c:internal_resolve_name(1028)
  internal_resolve_name: looking up EXAMPLE.NU#1c
[2005/02/24 16:15:35, 5] lib/gencache.c:gencache_init(59)
  Opening cache file at /var/cache/samba/gencache.tdb
[2005/02/24 16:15:35, 10] lib/gencache.c:gencache_get(263)
  Returning valid cache entry: key = NBT/EXAMPLE.NU#1C, value 192.168.40.100:389,192.168.129.100:389,192.168.115.100:389, timeout = Thu Feb 24 16:16:40 2005
[2005/02/24 16:15:35, 5] libsmb/namecache.c:namecache_fetch(201)
  name EXAMPLE.NU#1C found.
[2005/02/24 16:15:35, 8] libsmb/namequery.c:get_dc_list(1316)
  Adding 3 DC's from auto lookup
[2005/02/24 16:15:35, 10] libsmb/namequery.c:remove_duplicate_addrs2(320)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2005/02/24 16:15:35, 4] libsmb/namequery.c:get_dc_list(1406)
  get_dc_list: returning 3 ip addresses in an unordered list
[2005/02/24 16:15:35, 4] libsmb/namequery.c:get_dc_list(1407)
  get_dc_list: 192.168.40.100:389 192.168.129.100:389 192.168.115.100:389
[2005/02/24 16:15:35, 5] libads/ldap.c:ads_try_connect(85)
  ads_try_connect: trying ldap server '192.168.40.100' port 389
[2005/02/24 16:15:35, 3] libads/ldap.c:ads_connect(247)
  Connected to LDAP server 192.168.40.100
[2005/02/24 16:15:35, 3] libads/ldap.c:ads_server_info(2432)
  got ldap server name server1@EXAMPLE.NU, using bind path: dc=EXAMPLE,dc=NU
[2005/02/24 16:15:35, 4] libads/ldap.c:ads_server_info(2438)
  time offset is 0 seconds
[2005/02/24 16:15:35, 4] libads/sasl.c:ads_sasl_bind(447)
  Found SASL mechanism GSS-SPNEGO
[2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name =server1$@EXAMPLE.NU
[2005/02/24 16:15:35, 3] libsmb/clikrb5.c:ads_krb5_mk_req(382)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2005/02/24 16:15:36, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(319)
  Ticket in ccache[MEMORY:net_ads] expiration Fri, 25 Feb 2005 02:15:35 GMT
[2005/02/24 16:15:36, 10] libsmb/clikrb5.c:ads_krb5_mk_req(409)
  ads_krb5_mk_req: Ticket (server1$@EXAMPLE.NU) in ccache (MEMORY:net_ads) is valid until: (Fri, 25 Feb 2005 02:15:35 GMT - 1109294135)
[2005/02/24 16:15:36, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(510)
  Got KRB5 session key of length 16
[2005/02/24 16:15:36, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Strong authentication required
[2005/02/24 16:15:36, 2] utils/net.c:main(859)
  return code = -1
[root@xtmplin1 samba]#
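
A triage helper for the level-10 output in the post, as an added example that is not part of the original message or of Samba: it splits the log on Samba's debug headers, names the SPNEGO mechanism OIDs the server offered, and reports where the bind stopped. The function names and the abridged SAMPLE are constructed for illustration.

```python
import re

# Names for the SPNEGO mechanism OIDs printed in the post's debug log.
MECHS = {
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.113554.1.2.2.3": "Kerberos 5 user-to-user",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
# Samba debug header: "[date time, level] file.c:function(line)"
HEADER = re.compile(r"\[[\d/]+ [\d:]+,\s*(\d+)\] \S+:(\w+)\(\d+\)\s*")

def parse_entries(text):
    """Split a Samba debug log (two-line or flattened layout) into entries."""
    parts = HEADER.split(text)[1:]  # level, function, message, level, ...
    return [(int(parts[i]), parts[i + 1], " ".join(parts[i + 2].split()))
            for i in range(0, len(parts), 3)]

def summarize_bind(entries):
    """Report the SASL mechanisms seen and the point where ads_connect stopped."""
    out = {"sasl": None, "offered": [], "session_key": False, "error": None}
    for level, func, msg in entries:
        if func == "ads_sasl_bind" and msg.startswith("Found SASL mechanism"):
            out["sasl"] = msg.split()[-1]
        elif func == "ads_sasl_spnego_bind" and "got OID=" in msg:
            oid = ".".join(msg.split("got OID=")[1].split())
            out["offered"].append(MECHS.get(oid, oid))
        elif func == "get_krb5_smb_session_key":
            out["session_key"] = True
        elif level == 0 and msg.startswith("ads_connect:"):
            out["error"] = msg.split(":", 1)[1].strip()
    return out

# Constructed sample: five entries abridged from the debug output in the post.
SAMPLE = """\
[2005/02/24 16:15:35, 4] libads/sasl.c:ads_sasl_bind(447)
  Found SASL mechanism GSS-SPNEGO
[2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2005/02/24 16:15:36, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(510)
  Got KRB5 session key of length 16
[2005/02/24 16:15:36, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Strong authentication required
"""

if __name__ == "__main__":
    print(summarize_bind(parse_entries(SAMPLE)))
```

In the sample the session key entry precedes the error, so the Kerberos ticket was obtained and the rejection came at the LDAP bind; the error text is the standard message for LDAP result code 8 (strongAuthRequired).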