Roman Bigler
2007-Feb-27 16:35 UTC
[Samba] Update/Repost: Kerberos works, but "net ads join" fails
My original message did not seem to come through, so I'm including it in this message. Update to the Symptoms: It does not matter which user or password (wrong/correct) I use for "net ads join", it fails in any case. This is really confusing. Begin forwarded message:> Hi List, > > this is gonna be a really funky/interesting/uncommon error you're > going to deal with (if you do). > > Developer(s): I'd be really happy if you can point me at the right > source files or describe at which > stage of the "discussion" between my servers fail. This might be of > some use.. > > But let's get to the facts: > > SYMPTOMS > -------- > 1) Invoked "kinit", no error messages are generated, verbose mode > says "Authenticated to Kerberos v5". > 2) "klist" thereafter returns a valid ticket. > 3) Trying to join the AD with "net ads join" et cetera however > results in a "ads_connect: Operations error" after about 40 seconds. > 4) "net" exits with errcode -1 (looks like an unspecified error to > me?) > > Further investigation revealed that "net" indeed can connect to the > PDC, but fails with the errors described above. > > MORE DETAILED OUTPUT OF TOOLS > ----------------------------- > Unfortunately, the debug output of "net" does not help a lot, even > with level 10. Here's the interesting part: > --snip-- > [2007/02/27 14:35:14, 3] libads/ldap.c:ads_connect(287) > Connected to LDAP server 192.168.0.4 > [2007/02/27 14:35:54, 0] utils/net_ads.c:ads_startup(289) > ads_connect: Operations error > [2007/02/27 14:35:54, 2] utils/net.c:main(988) > return code = -1 > --snap-- > Please note 40 seconds gap between the first two messages. > > CURRENT SETUP > ------------- > - Windows 2003 Active Directory (functional level 2003, not 2000 > native). > - Linux 2.6.18.2-34, custom kernel, recent SuSE 10.2 distribution > - Samba 3.0.24-SerNet-SuSE > > ADDITIONAL INFORMATION > ---------------------- > The whole thing was working until recently. After it stopped > working, I've done several things: > - tweaked configurations several times (use DNS or fixed IP's / > minimal config / etc.) > - removed the Samba server from the domain in order to rejoin it > (helped in an earlier situation) > - updated Samba (from 3.0.23d to 3.0.24) > - raised the AD functional level > - checked kerberos messages on windows > - the usual google, man-page and mailing-list-crawling, even looked > at the sources > > ASSUMPTIONS > ----------- > I assume that an unspecified service on the windows-side fails and > causes the communication to halt (or similar), which in turn > triggers a timeout. > > > Thanks in advance to anyone helping me out with this very strange > error. > > Cheers, > Roman
Hi List, this is gonna be a really funky/interesting/uncommon error you're going to deal with (if you do). Developer(s): I'd be really happy if you can point me at the right source files or describe at which stage of the "discussion" between my servers fail. This might be of some use.. But let's get to the facts: SYMPTOMS -------- 1) Invoked "kinit", no error messages are generated, verbose mode says "Authenticated to Kerberos v5". 2) "klist" thereafter returns a valid ticket. 3) Trying to join the AD with "net ads join" et cetera however results in a "ads_connect: Operations error" after about 40 seconds. 4) "net" exits with errcode -1 (looks like an unspecified error to me?) Further investigation revealed that "net" indeed can connect to the PDC, but fails with the errors described above. MORE DETAILED OUTPUT OF TOOLS ----------------------------- Unfortunately, the debug output of "net" does not help a lot, even with level 10. Here's the interesting part: --snip-- [2007/02/27 14:35:14, 3] libads/ldap.c:ads_connect(287) Connected to LDAP server 192.168.0.4 [2007/02/27 14:35:54, 0] utils/net_ads.c:ads_startup(289) ads_connect: Operations error [2007/02/27 14:35:54, 2] utils/net.c:main(988) return code = -1 --snap-- Please note 40 seconds gap between the first two messages. CURRENT SETUP ------------- - Windows 2003 Active Directory (functional level 2003, not 2000 native). - Linux 2.6.18.2-34, custom kernel, recent SuSE 10.2 distribution - Samba 3.0.24-SerNet-SuSE ADDITIONAL INFORMATION ---------------------- The whole thing was working until recently. After it stopped working, I've done several things: - tweaked configurations several times (use DNS or fixed IP's / minimal config / etc.) - removed the Samba server from the domain in order to rejoin it (helped in an earlier situation) - updated Samba (from 3.0.23d to 3.0.24) - raised the AD functional level - checked kerberos messages on windows - the usual google, man-page and mailing-list-crawling, even looked at the sources ASSUMPTIONS ----------- I assume that an unspecified service on the windows-side fails and causes the communication to halt (or similar), which in turn triggers a timeout. Thanks in advance to anyone helping me out with this very strange error. Cheers, Roman -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://lists.samba.org/archive/samba/attachments/20070227/b00dd18b/PGP.bin
On Tuesday 27 February 2007 20:15, Roman Bigler wrote:> SYMPTOMS > -------- > 1) Invoked "kinit", no error messages are generated, verbose mode > says "Authenticated to Kerberos v5". > 2) "klist" thereafter returns a valid ticket. > 3) Trying to join the AD with "net ads join" et cetera however > results in a "ads_connect: Operations error" after about 40 seconds. > 4) "net" exits with errcode -1 (looks like an unspecified error to me?)I have got similar error, when I hadn't set DC's IP as FIRST DNS (for my FreeBSD that's done by editing /etc/resolv.conf and placing DC IP as FIRST line). And Samba should be 3.0.23b or higher. -- With Best Regards. Rashid N. Achilov (RNA1-RIPE), Web: http://www.askd.ru/~shelton OOO "ACK" telecommunications administrator, e-mail: achilov-rn [at] askd.ru PGP: 83 CD E2 A7 37 4A D5 81 D6 D6 52 BF C9 2F 85 AF 97 BE CB 0A