samba - Jul 2007 - ADS Join on Windows 2008 domain not working in 3.0.25b?

Hi,

Using samba 3.0.25b, testing to join to a Windows 2008 domain using ADS 
security with kerberos and it doesn't seem to work.  Anybody else tried this
combination?

Same configuration worked joining to a Windows 2003 R2 domain.


I'm not a samba expert but looking at the log it looks like the 
not_defined_in_RFC4178@please_ignore have something to do with it?


Output from "net ads join"

[2007/07/04 08:02:12, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 192.168.x.x
[2007/07/04 08:02:12, 4] libads/ldap.c:ads_current_time(2414)
  time offset is 0 seconds
[2007/07/04 08:02:12, 4] libads/sasl.c:ads_sasl_bind(521)
  Found SASL mechanism GSS-SPNEGO
[2007/07/04 08:02:12, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/07/04 08:02:12, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/07/04 08:02:12, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/07/04 08:02:12, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/07/04 08:02:12, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = 
not_defined_in_RFC4178@please_ignore
[2007/07/04 08:02:12, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/07/04 08:02:13, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
  ads_krb5_mk_req: krb5_get_credentials failed for 
not_defined_in_RFC4178@please_ignore (Server not found in Kerberos database)
[2007/07/04 08:02:13, 1] utils/net_ads.c:net_ads_join(1470)
  error on ads_startup: Server not found in Kerberos database
Failed to join domain: Improperly formed account name



Output from "net ads testjoin"

[2007/07/04 07:57:00, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 192.168.x.x
[2007/07/04 07:57:00, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/07/04 07:57:00, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/07/04 07:57:00, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/07/04 07:57:00, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/07/04 07:57:00, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = 
not_defined_in_RFC4178@please_ignore
[2007/07/04 07:57:00, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/07/04 07:57:04, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
  ads_krb5_mk_req: krb5_get_credentials failed for 
not_defined_in_RFC4178@please_ignore (Server not found in Kerberos database)
[2007/07/04 07:57:04, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "192.168.x.x, xxx.xxx.xxx"
[2007/07/04 07:57:04, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 192.168.x.x
[2007/07/04 07:57:04, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/07/04 07:57:04, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/07/04 07:57:04, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/07/04 07:57:04, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/07/04 07:57:04, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = 
not_defined_in_RFC4178@please_ignore
[2007/07/04 07:57:07, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
  ads_krb5_mk_req: krb5_get_credentials failed for 
not_defined_in_RFC4178@please_ignore (Server not found in Kerberos database)
[2007/07/04 07:57:11, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
  ads_krb5_mk_req: krb5_get_credentials failed for 
not_defined_in_RFC4178@please_ignore (Server not found in Kerberos database)
Join to domain is not valid: Improperly formed account name
[2007/07/04 07:57:11, 2] utils/net.c:main(1032)
  return code = -1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Eddie Tse wrote:
> Hi,
> 
> Using samba 3.0.25b, testing to join to a Windows 2008 domain using ADS
> security with kerberos and it doesn't seem to work.  Anybody else tried
> this combination?
There's a few huckups that we're working on with Longhorn.





cheers, jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGjlAAIR7qMdg1EfYRAn9GAKDNXTo+g1MsTQSwhOCjzvfVkzJQUACgiF31
WB5t2GNMa/hWJNbZ6po/lWA=AV/T
-----END PGP SIGNATURE-----

On Jul 3, 2007, at 3:04 PM, Eddie Tse wrote:
> Using samba 3.0.25b, testing to join to a Windows 2008 domain using  
> ADS security with kerberos and it doesn't seem to work.  Anybody  
> else tried this combination?
Ironic - this is the issue I was just describing in the mail " SPNEGO  
in Samba" .  I'm working on getting this fixed.  Stay tuned.


Todd Stecher | Windows Interop Dev
Isilon Systems    P +1-206-315-7500     F  +1-206-315-7501
www.isilon.com    D +1-206-315-7638    M +1-425-205-1180