I had a server in the domain, after a while winbind broke down. When I
try joining the domain again, I get this error:
Failed to join domain: Strong(er) authentication required
I did move this server to a different OU in the directory, but that
shouldn't affect trying to rejoin. Our domain is at the Windows 2003
functionality level. The domain controller it is attaching to has been
tightened down for security a bit. I went through the Security
Configuration Wizard on it, which might have disabled some
functionality that samba needs.
Any ideas or pointers?
# net -V
Version 3.0.26a
# net -d 4 ads join -U jharr
[2008/02/23 13:54:41, 3] param/loadparm.c:lp_load(5039)
lp_load: refreshing parameters
[2008/02/23 13:54:41, 3] param/loadparm.c:init_globals(1438)
Initialising global parameters
[2008/02/23 13:54:41, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2008/02/23 13:54:41, 3] param/loadparm.c:do_section(3778)
Processing section "[global]"
doing parameter workgroup = MY-DOM
doing parameter realm = DOM.FOO.COM
doing parameter server string = %h server (Samba, Ubuntu)
doing parameter dns proxy = no
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter security = ads
doing parameter encrypt passwords = true
doing parameter passdb backend = tdbsam
doing parameter obey pam restrictions = yes
doing parameter invalid users = root
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully*
.
doing parameter socket options = TCP_NODELAY
doing parameter domain master = no
doing parameter local master = no
doing parameter idmap uid = 10000-200000
doing parameter idmap gid = 10000-200000
doing parameter idmap domains = MY-DOM
doing parameter idmap config MY-DOM:backend = rid
doing parameter idmap config MY-DOM:default = yes
doing parameter idmap config MY-DOM:range = 11000-200000
doing parameter idmap cache time = 900
doing parameter idmap negative cache time = 120
doing parameter template shell = /bin/bash
doing parameter template homedir = /home/%U
doing parameter allow trusted domains = no
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind separator = @
doing parameter winbind nested groups = yes
doing parameter winbind offline logon = yes
doing parameter winbind refresh tickets = true
doing parameter winbind use default domain = true
[2008/02/23 13:54:41, 4] param/loadparm.c:lp_load(5070)
pm_process() returned Yes
[2008/02/23 13:54:41, 2] lib/interface.c:add_interface(81)
added interface ip=10.0.0.21 bcast=10.255.255.255 nmask=255.0.0.0
[2008/02/23 13:54:41, 2] lib/interface.c:add_interface(81)
added interface ip=100.100.100.199 bcast=100.100.100.255 nmask=255.255.255.0
[2008/02/23 13:54:41, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.0.21 bcast=192.168.0.255 nmask=255.255.255.0
[2008/02/23 13:54:41, 4] libsmb/namequery_dc.c:ads_dc_name(73)
ads_dc_name: domain=MY-DOM
[2008/02/23 13:54:41, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "100.100.100.182, *"
[2008/02/23 13:54:41, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2008/02/23 13:54:41, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 100.100.100.182:389 100.100.100.181:389
[2008/02/23 13:54:41, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 100.100.100.182
[2008/02/23 13:54:41, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "100.100.100.182, *"
[2008/02/23 13:54:41, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2008/02/23 13:54:41, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 100.100.100.182:389 100.100.100.181:389
[2008/02/23 13:54:41, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "100.100.100.182, *"
[2008/02/23 13:54:41, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2008/02/23 13:54:41, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 100.100.100.182:389 100.100.100.181:389
[2008/02/23 13:54:41, 4] libsmb/namequery_dc.c:ads_dc_name(139)
ads_dc_name: using server='DC2.DOM.FOO.COM' IP=100.100.100.182
jharr's password:
[2008/02/23 13:54:43, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "100.100.100.182, *"
[2008/02/23 13:54:43, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2008/02/23 13:54:43, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 100.100.100.182:389 100.100.100.181:389
[2008/02/23 13:54:43, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 100.100.100.182
[2008/02/23 13:54:43, 4] libads/ldap.c:ads_current_time(2414)
time offset is 0 seconds
[2008/02/23 13:54:43, 4] libads/sasl.c:ads_sasl_bind(521)
Found SASL mechanism GSS-SPNEGO
[2008/02/23 13:54:43, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2008/02/23 13:54:43, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2008/02/23 13:54:43, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2008/02/23 13:54:43, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2008/02/23 13:54:43, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
ads_sasl_spnego_bind: got server principal name = dc2$@DOM.FOO.COM
[2008/02/23 13:54:43, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2008/02/23 13:54:43, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads]
expiration Sat, 23 Feb 2008 23:54:43 CST
[2008/02/23 13:54:43, 1] utils/net_ads.c:net_ads_join(1470)
error on ads_startup: Strong(er) authentication required
Failed to join domain: Strong(er) authentication required
[2008/02/23 13:54:43, 2] utils/net.c:main(1036)
return code = -1
