Hi list,
I found out myself what's going wrong (but not why?).
If you get this error:
Failed to join domain: failed to set machine spn: Out of memory
Check if the account used during the join has the option "Do not
require Kerberos preauthentication"; if it is present, it will fail
as described.
Thomas
On Fri, Nov 21, 2008 at 2:15 PM, Thomas Sondag <thomas.sondag@gmail.com>
wrote:
> hi all,
> I've got an issue during a machine join, my kerberos setup seems to be
> good (tested with kinit), my current version of samba is: samba
> 2:3.2.3-1ubuntu3
>
> Example :
> net ads join -U adm-tsondag
> Enter adm-tsondag's password:
> Failed to join domain: failed to set machine spn: Out of memory
>
> We've got a very complex AD setup with something like 16 AD servers on
> distant sites; if you have a look at the detailed log in this
> mail, you can spot that the join is performed on the server DC05
> rather than on the server DC01.
>
> I would like to know how and why this server has been chosen, and if
> I could restrict the join to the DC01 server?
>
> Any help would be appreciated.
>
>
> #########################################
> smb.conf
>
> [global]
> workgroup = MY
> realm = MY.REALM
> encrypt passwords = yes
>
> password server = DC01.my.domain
> security = ads
> allow trusted domains = no
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8576 SO_SNDBUF=8576
> template shell = /bin/bash
> template homedir = /home/%D/%U
> restrict anonymous = 2
> use kerberos keytab = yes
>
> winbind use default domain = yes
> winbind enum users = no
> winbind enum groups = no
> winbind nested groups = yes
> winbind cache time = 172800
> winbind refresh tickets = yes
> # winbind offline logon = yes
>
> log level = 16
>
>
> idmap domains = MY
>
> idmap config EP:backend = rid
> idmap config EP:base_rid = 0
> idmap config EP:range = 5000-10000000
> idmap config EP:readonly = yes
> idmap uid = 5000-10000000
> idmap gid = 5000-10000000
> idmap negative cache time = 5
> idmap cache time = 172800
>
> printing = cups
> printcap name = cups
> load printers = yes
>
> ###############################################
> krb5.conf
>
> [logging]
> default = FILE:/var/log/krb5libs.log
>
> [libdefaults]
> default_realm = MY.REALM
> default_tkt_enctypes = des-cbc-md5
> default_tgs_enctypes = des-cbc-md5
> renew_lifetime = 7d
> forwardable = true
>
>
> [appdefaults]
> pam = {
> minimum_uid = 1000
> ignore_root = true
> }
>
> [realms]
> MY.REALM = {
> kdc = DC01.my.domain:88
> }
>
> REALM = {
> kdc = DC01.my.domain:88
> }
>
> [domain_realm]
> .my.domain = MY.REALM
> my.domain = MY.REALM
>
> ###############################################
> debug :
> [2008/11/21 14:03:26, 5] libads/ldap.c:ads_try_connect(188)
> ads_try_connect: sending CLDAP request to dc05.my.domain (realm:
> my.domain)
> r : union nbt_cldap_netlogon(case 6)
> logon5: struct nbt_cldap_netlogon_5
> type : NETLOGON_RESPONSE_FROM_PDC2 (23)
> sbz : 0x0000 (0)
> server_type : 0x000001fd (509)
> 1: NBT_SERVER_PDC
> 1: NBT_SERVER_GC
> 1: NBT_SERVER_LDAP
> 1: NBT_SERVER_DS
> 1: NBT_SERVER_KDC
> 1: NBT_SERVER_TIMESERV
> 1: NBT_SERVER_CLOSEST
> 1: NBT_SERVER_WRITABLE
> 0: NBT_SERVER_GOOD_TIMESERV
> 0: NBT_SERVER_NDNC
> 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
> 0: NBT_SERVER_FULL_SECRET_DOMAIN_6
> domain_uuid : 38e84847-17c8-4c72-a3ff-9c11911f7637
> forest : 'parl.union.eu'
> dns_domain : 'my.domain'
> pdc_dns_name : 'epluxsdc05.my.domain'
> domain : 'MY'
> pdc_name : 'DC05'
> user_name : ''
> server_site : 'Luxembourg'
> client_site : 'Luxembourg'
> nt_version : 0x00000005 (5)
> 1: NETLOGON_VERSION_1
> 0: NETLOGON_VERSION_5
> 1: NETLOGON_VERSION_5EX
> 0: NETLOGON_VERSION_5EX_WITH_IP
> 0: NETLOGON_VERSION_WITH_CLOSEST_SITE
> 0: NETLOGON_VERSION_AVOID_NT4_EMUL
> 0: NETLOGON_VERSION_PDC
> 0: NETLOGON_VERSION_IP
> 0: NETLOGON_VERSION_LOCAL
> 0: NETLOGON_VERSION_GC
> lmnt_token : 0xffff (65535)
> lm20_token : 0xffff (65535)
> [2008/11/21 14:03:26, 10] libads/dns.c:sitename_store(778)
> sitename_store: realm = [MY], sitename = [Luxembourg], expire =
> [2147483647]
> [2008/11/21 14:03:26, 10] lib/gencache.c:gencache_set(131)
> Adding cache entry with key = AD_SITENAME/DOMAIN/MY; value = Luxembourg
> and timeout = Tue Jan 19 04:14:07 2038
> (920211041 seconds ahead)
> [2008/11/21 14:03:26, 10] libads/dns.c:sitename_store(778)
> sitename_store: realm = [my.domain], sitename = [Luxembourg], expire
> = [2147483647]
> [2008/11/21 14:03:26, 10] lib/gencache.c:gencache_set(131)
> Adding cache entry with key = AD_SITENAME/DOMAIN/MY.REALM; value =
> Luxembourg and timeout = Tue Jan 19 04:14:07 2038
> (920211041 seconds ahead)
> [2008/11/21 14:03:26, 3] libads/ldap.c:ads_connect(430)
> Successfully contacted LDAP server 136.173.22.162
> [2008/11/21 14:03:26, 10] libads/ldap.c:ldap_open_with_timeout(62)
> Opening connection to LDAP server 'epluxsdc05.my.domain:389',
> timeout 15 seconds
> [2008/11/21 14:03:26, 10] libads/ldap.c:ldap_open_with_timeout(76)
> Connected to LDAP server 'epluxsdc05.my.domain:389'
> [2008/11/21 14:03:26, 3] libads/ldap.c:ads_connect(480)
> Connected to LDAP server epluxsdc05.my.domain
> [2008/11/21 14:03:26, 10] libads/ldap.c:ads_closest_dc(155)
> ads_closest_dc: NBT_SERVER_CLOSEST flag set
> [2008/11/21 14:03:26, 10] libsmb/namequery.c:saf_store(75)
> saf_store: domain = [MY], server = [136.173.22.162], expire = [1227273506]
> [2008/11/21 14:03:26, 10] lib/gencache.c:gencache_set(131)
> Adding cache entry with key = SAF/DOMAIN/MY; value = 136.173.22.162
> and timeout = Fri Nov 21 14:18:26 2008
> (900 seconds ahead)
> [2008/11/21 14:03:26, 10] libsmb/namequery.c:saf_store(75)
> saf_store: domain = [my.domain], server = [136.173.22.162], expire =
> [1227273506]
> [2008/11/21 14:03:26, 10] lib/gencache.c:gencache_set(131)
> Adding cache entry with key = SAF/DOMAIN/MY.REALM; value =
> 136.173.22.162 and timeout = Fri Nov 21 14:18:26 2008
> (900 seconds ahead)
> [2008/11/21 14:03:26, 4] libads/ldap.c:ads_current_time(2607)
> time offset is -9 seconds
> [2008/11/21 14:03:26, 4] libads/sasl.c:ads_sasl_bind(1112)
> Found SASL mechanism GSS-SPNEGO
> [2008/11/21 14:03:26, 3] libads/sasl.c:ads_sasl_spnego_bind(780)
> ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> [2008/11/21 14:03:26, 3] libads/sasl.c:ads_sasl_spnego_bind(780)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> [2008/11/21 14:03:26, 3] libads/sasl.c:ads_sasl_spnego_bind(780)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> [2008/11/21 14:03:26, 3] libads/sasl.c:ads_sasl_spnego_bind(780)
> ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> [2008/11/21 14:03:26, 3] libads/sasl.c:ads_sasl_spnego_bind(789)
> ads_sasl_spnego_bind: got server principal name = epluxsdc05$@MY.REALM
> [2008/11/21 14:03:26, 3] libsmb/clikrb5.c:ads_krb5_mk_req(671)
> ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
> [2008/11/21 14:03:26, 10] libads/sasl.c:ads_sasl_spnego_bind(810)
> ads_sasl_spnego_krb5_bind failed with: No credentials cache found,
> calling kinit
> [2008/11/21 14:03:26, 10]
> libads/kerberos.c:kerberos_kinit_password_ext(217)
> kerberos_kinit_password: as adm-tsondag@MY.REALM using
> [MEMORY:net_ads] as ccache and config [(null)]
> [2008/11/21 14:03:26, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(604)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads]
> expiration Sat, 22 Nov 2008 00:03:17 CET
> [2008/11/21 14:03:26, 10] libsmb/clikrb5.c:ads_krb5_mk_req(702)
> ads_krb5_mk_req: Ticket (epluxsdc05$@MY.REALM) in ccache
> (MEMORY:net_ads) is valid until: (Sat, 22 Nov 2008 00:03:17 CET -
> 1227308597)
> [2008/11/21 14:03:26, 3] libsmb/clikrb5.c:ads_krb5_mk_req(713)
> ads_krb5_mk_req: server marked as OK to delegate to, building forwardable
> TGT
> [2008/11/21 14:03:26, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(868)
> Got KRB5 session key of length 16
> [2008/11/21 14:03:26, 6] libsmb/clientgen.c:write_socket(236)
> write_socket(6,39)
> [2008/11/21 14:03:26, 6] libsmb/clientgen.c:write_socket(239)
> write_socket(6,39) wrote 39
> [2008/11/21 14:03:26, 10]
> lib/util_sock.c:read_smb_length_return_keepalive(1118)
> got smb length of 35
> [2008/11/21 14:03:26, 5] lib/util.c:show_msg(642)
> [2008/11/21 14:03:26, 5] lib/util.c:show_msg(652)
> size=35
> smb_com=0x71
> smb_rcls=0
> smb_reh=0
> smb_err=0
> smb_flg=136
> smb_flg2=51201
> smb_tid=2050
> smb_pid=6058
> smb_uid=2050
> smb_mid=23
> smt_wct=0
> smb_bcc=0
> [2008/11/21 14:03:26, 1] libnet/libnet_join.c:libnet_Join(1801)
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : NULL
> netbios_domain_name : 'MY'
> dns_domain_name : 'my.domain'
> dn : NULL
> domain_sid : *
> domain_sid :
> S-1-5-21-1981966997-181496175-623647154
> modified_config : 0x00 (0)
> error_string : 'failed to set machine spn:
> Out of memory'
> domain_is_ad : 0x01 (1)
> result : WERR_GENERAL_FAILURE
> [2008/11/21 14:03:26, 10] intl/lang_tdb.c:lang_tdb_init(138)
> lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
> Failed to join domain: failed to set machine spn: Out of memory
> [2008/11/21 14:03:26, 2] utils/net.c:main(1172)
> return code = -1
>
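Two bit fields drive this thread: the userAccountControl flag on the join account that Thomas identified as the cause ("Do not require Kerberos preauthentication", bit 0x400000 in AD), and the CLDAP server_type word in the debug log (0x1fd), whose NBT_SERVER_CLOSEST bit is what makes Samba settle on DC05 and cache it under SAF/DOMAIN/MY for 900 seconds. The script below is an added example, not code from the thread or from Samba; it decodes both fields so an administrator can audit accounts for the preauth flag and read a server_type value out of a `net ads join` debug log. The account records and the name "joinacct-example" are constructed; in practice the userAccountControl values would come from an LDAP query, which is not shown here.

```python
"""Decode the AD bit fields discussed in the thread (added example)."""
import re

# userAccountControl bits (standard AD values; LDAP returns the attribute
# as a decimal string).  Only a subset that matters for join accounts.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",  # "Do not require Kerberos preauthentication"
}
UF_DONT_REQ_PREAUTH = 0x400000

# CLDAP netlogon server_type bits, named as Samba's NDR printer prints them
# in the log above (0x2 is unused in this word).
NBT_SERVER_FLAGS = {
    0x0001: "NBT_SERVER_PDC",
    0x0004: "NBT_SERVER_GC",
    0x0008: "NBT_SERVER_LDAP",
    0x0010: "NBT_SERVER_DS",
    0x0020: "NBT_SERVER_KDC",
    0x0040: "NBT_SERVER_TIMESERV",
    0x0080: "NBT_SERVER_CLOSEST",
    0x0100: "NBT_SERVER_WRITABLE",
    0x0200: "NBT_SERVER_GOOD_TIMESERV",
    0x0400: "NBT_SERVER_NDNC",
    0x0800: "NBT_SERVER_SELECT_SECRET_DOMAIN_6",
    0x1000: "NBT_SERVER_FULL_SECRET_DOMAIN_6",
}


def decode_flags(value, table):
    """Return the names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def accounts_without_preauth(accounts):
    """Return sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set.

    accounts: iterable of dicts with 'sAMAccountName' and 'userAccountControl'
    (decimal string, as LDAP returns it).
    """
    hits = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        if uac & UF_DONT_REQ_PREAUTH:
            hits.append(acct["sAMAccountName"])
    return hits


_SERVER_TYPE_RE = re.compile(r"server_type\s*:\s*0x([0-9a-fA-F]+)")


def server_type_from_log(text):
    """Find the first server_type value in a 'net ads join' debug log and
    decode it; returns (value, [flag names]) or None when absent."""
    m = _SERVER_TYPE_RE.search(text)
    if not m:
        return None
    value = int(m.group(1), 16)
    return value, decode_flags(value, NBT_SERVER_FLAGS)


# Constructed sample records (hypothetical names and values, not from the post).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "joinacct-example", "userAccountControl": "4194816"},  # 0x400200
    {"sAMAccountName": "svc-backup", "userAccountControl": "66048"},          # 0x10200
    {"sAMAccountName": "jdoe", "userAccountControl": "512"},                  # 0x200
]

# The server_type line as it appears in the debug log quoted above.
SAMPLE_LOG = "> server_type : 0x000001fd (509)\n> 1: NBT_SERVER_PDC\n"

if __name__ == "__main__":
    print("accounts with DONT_REQ_PREAUTH:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    value, names = server_type_from_log(SAMPLE_LOG)
    print("server_type 0x%x ->" % value, ", ".join(names))
```

Running it over the constructed records lists `joinacct-example` as the only account carrying the flag, and decoding 0x1fd yields exactly the eight flags the log prints as `1:`, NBT_SERVER_CLOSEST among them; the `ads_closest_dc` and `saf_store` lines that follow in the log show Samba acting on that bit, which is why the join lands on DC05 even though `password server` names DC01.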