Hi all,
I've got an issue during a machine join; my Kerberos setup seems to be
good (tested with kinit). My current version of Samba is samba
2:3.2.3-1ubuntu3.
Example :
net ads join -U adm-tsondag
Enter adm-tsondag's password:
Failed to join domain: failed to set machine spn: Out of memory
We've got a very complex AD setup with something like 16 AD servers on
distant sites. If you have a look at the detailed log in this
mail, you can spot that the join is performed on the server DC05
rather than on the server DC01.
I would like to know how and why this server has been chosen, and if
I could restrict the join to the DC01 server.
Any help would be appreciated.
#########################################
smb.conf
[global]
workgroup = MY
realm = MY.REALM
encrypt passwords = yes
password server = DC01.my.domain
security = ads
allow trusted domains = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8576 SO_SNDBUF=8576
template shell = /bin/bash
template homedir = /home/%D/%U
restrict anonymous = 2
use kerberos keytab = yes
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
winbind cache time = 172800
winbind refresh tickets = yes
# winbind offline logon = yes
log level = 16
idmap domains = MY
# NOTE: the 'idmap config <name>:' prefix must match a name listed in
# 'idmap domains'. As posted, 'EP' does not match 'MY', so the rid backend
# settings below are not applied to MY; check which one is the real workgroup.
idmap config EP:backend = rid
idmap config EP:base_rid = 0
idmap config EP:range = 5000-10000000
idmap config EP:readonly = yes
idmap uid = 5000-10000000
idmap gid = 5000-10000000
idmap negative cache time = 5
idmap cache time = 172800
printing = cups
printcap name = cups
load printers = yes
###############################################
krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
[libdefaults]
default_realm = MY.REALM
# Caveat: des-cbc-md5 is single DES (56-bit key). Pinning it as the only
# ticket/TGS enctype weakens every ticket this host requests; remove these
# two lines unless a KDC really offers nothing stronger.
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
renew_lifetime = 7d
forwardable = true
[appdefaults]
pam = {
minimum_uid = 1000
ignore_root = true
}
[realms]
MY.REALM = {
kdc = DC01.my.domain:88
}
REALM = {
kdc = DC01.my.domain:88
}
[domain_realm]
.my.domain = MY.REALM
my.domain = MY.REALM
###############################################
debug :
[2008/11/21 14:03:26, 5] libads/ldap.c:ads_try_connect(188)
ads_try_connect: sending CLDAP request to dc05.my.domain (realm: my.domain)
r : union nbt_cldap_netlogon(case 6)
logon5: struct nbt_cldap_netlogon_5
type : NETLOGON_RESPONSE_FROM_PDC2 (23)
sbz : 0x0000 (0)
server_type : 0x000001fd (509)
1: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
0: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
0: NBT_SERVER_FULL_SECRET_DOMAIN_6
domain_uuid : 38e84847-17c8-4c72-a3ff-9c11911f7637
forest : 'parl.union.eu'
dns_domain : 'my.domain'
pdc_dns_name : 'epluxsdc05.my.domain'
domain : 'MY'
pdc_name : 'DC05'
user_name : ''
server_site : 'Luxembourg'
client_site : 'Luxembourg'
nt_version : 0x00000005 (5)
1: NETLOGON_VERSION_1
0: NETLOGON_VERSION_5
1: NETLOGON_VERSION_5EX
0: NETLOGON_VERSION_5EX_WITH_IP
0: NETLOGON_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_VERSION_AVOID_NT4_EMUL
0: NETLOGON_VERSION_PDC
0: NETLOGON_VERSION_IP
0: NETLOGON_VERSION_LOCAL
0: NETLOGON_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
[2008/11/21 14:03:26, 10] libads/dns.c:sitename_store(778)
sitename_store: realm = [MY], sitename = [Luxembourg], expire = [2147483647]
[2008/11/21 14:03:26, 10] lib/gencache.c:gencache_set(131)
Adding cache entry with key = AD_SITENAME/DOMAIN/MY; value = Luxembourg and timeout = Tue Jan 19 04:14:07 2038 (920211041 seconds ahead)
[2008/11/21 14:03:26, 10] libads/dns.c:sitename_store(778)
sitename_store: realm = [my.domain], sitename = [Luxembourg], expire = [2147483647]
[2008/11/21 14:03:26, 10] lib/gencache.c:gencache_set(131)
Adding cache entry with key = AD_SITENAME/DOMAIN/MY.REALM; value = Luxembourg and timeout = Tue Jan 19 04:14:07 2038 (920211041 seconds ahead)
[2008/11/21 14:03:26, 3] libads/ldap.c:ads_connect(430)
Successfully contacted LDAP server 136.173.22.162
[2008/11/21 14:03:26, 10] libads/ldap.c:ldap_open_with_timeout(62)
Opening connection to LDAP server 'epluxsdc05.my.domain:389', timeout 15 seconds
[2008/11/21 14:03:26, 10] libads/ldap.c:ldap_open_with_timeout(76)
Connected to LDAP server 'epluxsdc05.my.domain:389'
[2008/11/21 14:03:26, 3] libads/ldap.c:ads_connect(480)
Connected to LDAP server epluxsdc05.my.domain
[2008/11/21 14:03:26, 10] libads/ldap.c:ads_closest_dc(155)
ads_closest_dc: NBT_SERVER_CLOSEST flag set
[2008/11/21 14:03:26, 10] libsmb/namequery.c:saf_store(75)
saf_store: domain = [MY], server = [136.173.22.162], expire = [1227273506]
[2008/11/21 14:03:26, 10] lib/gencache.c:gencache_set(131)
Adding cache entry with key = SAF/DOMAIN/MY; value = 136.173.22.162 and timeout = Fri Nov 21 14:18:26 2008 (900 seconds ahead)
[2008/11/21 14:03:26, 10] libsmb/namequery.c:saf_store(75)
saf_store: domain = [my.domain], server = [136.173.22.162], expire = [1227273506]
[2008/11/21 14:03:26, 10] lib/gencache.c:gencache_set(131)
Adding cache entry with key = SAF/DOMAIN/MY.REALM; value = 136.173.22.162 and timeout = Fri Nov 21 14:18:26 2008 (900 seconds ahead)
[2008/11/21 14:03:26, 4] libads/ldap.c:ads_current_time(2607)
time offset is -9 seconds
[2008/11/21 14:03:26, 4] libads/sasl.c:ads_sasl_bind(1112)
Found SASL mechanism GSS-SPNEGO
[2008/11/21 14:03:26, 3] libads/sasl.c:ads_sasl_spnego_bind(780)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2008/11/21 14:03:26, 3] libads/sasl.c:ads_sasl_spnego_bind(780)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2008/11/21 14:03:26, 3] libads/sasl.c:ads_sasl_spnego_bind(780)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2008/11/21 14:03:26, 3] libads/sasl.c:ads_sasl_spnego_bind(780)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2008/11/21 14:03:26, 3] libads/sasl.c:ads_sasl_spnego_bind(789)
ads_sasl_spnego_bind: got server principal name = epluxsdc05$@MY.REALM
[2008/11/21 14:03:26, 3] libsmb/clikrb5.c:ads_krb5_mk_req(671)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2008/11/21 14:03:26, 10] libads/sasl.c:ads_sasl_spnego_bind(810)
ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit
[2008/11/21 14:03:26, 10] libads/kerberos.c:kerberos_kinit_password_ext(217)
kerberos_kinit_password: as adm-tsondag@MY.REALM using [MEMORY:net_ads] as ccache and config [(null)]
[2008/11/21 14:03:26, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(604)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Sat, 22 Nov 2008 00:03:17 CET
[2008/11/21 14:03:26, 10] libsmb/clikrb5.c:ads_krb5_mk_req(702)
ads_krb5_mk_req: Ticket (epluxsdc05$@MY.REALM) in ccache (MEMORY:net_ads) is valid until: (Sat, 22 Nov 2008 00:03:17 CET - 1227308597)
[2008/11/21 14:03:26, 3] libsmb/clikrb5.c:ads_krb5_mk_req(713)
ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
[2008/11/21 14:03:26, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(868)
Got KRB5 session key of length 16
[2008/11/21 14:03:26, 6] libsmb/clientgen.c:write_socket(236)
write_socket(6,39)
[2008/11/21 14:03:26, 6] libsmb/clientgen.c:write_socket(239)
write_socket(6,39) wrote 39
[2008/11/21 14:03:26, 10] lib/util_sock.c:read_smb_length_return_keepalive(1118)
got smb length of 35
[2008/11/21 14:03:26, 5] lib/util.c:show_msg(642)
[2008/11/21 14:03:26, 5] lib/util.c:show_msg(652)
size=35
smb_com=0x71
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51201
smb_tid=2050
smb_pid=6058
smb_uid=2050
smb_mid=23
smt_wct=0
smb_bcc=0
[2008/11/21 14:03:26, 1] libnet/libnet_join.c:libnet_Join(1801)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'MY'
dns_domain_name : 'my.domain'
dn : NULL
domain_sid : *
domain_sid :
S-1-5-21-1981966997-181496175-623647154
modified_config : 0x00 (0)
error_string : 'failed to set machine spn: Out of memory'
domain_is_ad : 0x01 (1)
result : WERR_GENERAL_FAILURE
[2008/11/21 14:03:26, 10] intl/lang_tdb.c:lang_tdb_init(138)
lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
Failed to join domain: failed to set machine spn: Out of memory
[2008/11/21 14:03:26, 2] utils/net.c:main(1172)
return code = -1
Hi Thomas,

Thomas Sondag wrote:
> I would like to know how and why this server has been chosen, and if
> I could restrict the join to the DC01 server?

No idea how the selection process works, but by specifying -S DC01 you can force it to DC01 if I'm not mistaken.

Regards,
Jelmer Jaarsma
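The debug log in the first post actually shows the mechanism Jelmer's reply leaves open: the client resolves DCs through DNS, sends a CLDAP netlogon ping to the first one that it finds, checks the NBT_SERVER_CLOSEST bit in the reply (ads_closest_dc), and if set caches the DC's IP for 900 seconds under SAF/DOMAIN/<realm> (saf_store) and the site name permanently under AD_SITENAME. Note that `password server = DC01.my.domain` in the posted smb.conf did not steer this join; dc05 was pinged and used. The Python below is an added example for this page, not Samba code: it decodes the server_type word 0x1fd from the log, builds the SRV names a site-aware lookup issues, and models the order in which candidates are tried, including the `-S` override. The dc01 reply, its IP, its site and the SRV ordering are constructed; treating `-S` and the SAF entry as tried ahead of the SRV list is this model's assumption.

```python
from __future__ import annotations

from dataclasses import dataclass

# server_type bits as Samba labels them in the CLDAP dump above. The values
# are the DS_*_FLAG bits from MS-ADTS; 0x2 is reserved, which is why
# 0x1fd (509) sets every other bit from PDC up to WRITABLE.
FLAGS = {
    0x0001: "NBT_SERVER_PDC",
    0x0004: "NBT_SERVER_GC",
    0x0008: "NBT_SERVER_LDAP",
    0x0010: "NBT_SERVER_DS",
    0x0020: "NBT_SERVER_KDC",
    0x0040: "NBT_SERVER_TIMESERV",
    0x0080: "NBT_SERVER_CLOSEST",
    0x0100: "NBT_SERVER_WRITABLE",
    0x0200: "NBT_SERVER_GOOD_TIMESERV",
    0x0400: "NBT_SERVER_NDNC",
    0x0800: "NBT_SERVER_SELECT_SECRET_DOMAIN_6",
    0x1000: "NBT_SERVER_FULL_SECRET_DOMAIN_6",
}
NBT_SERVER_LDAP = 0x0008
NBT_SERVER_CLOSEST = 0x0080
SAF_TTL_SECONDS = 900  # lifetime of the SAF/DOMAIN/* entries in the log


def decode_server_type(server_type: int) -> list[str]:
    """Names of the bits set in a CLDAP server_type word, lowest bit first."""
    return [name for bit, name in sorted(FLAGS.items()) if server_type & bit]


def srv_names(realm: str, sitename: str | None) -> list[str]:
    """SRV names resolved to find DCs: the site-scoped record first (site
    from the AD_SITENAME cache entry), then the whole domain. This is the
    order Samba's libads/dns.c and the Windows DC locator use."""
    names = []
    if sitename:
        names.append(f"_ldap._tcp.{sitename}._sites.dc._msdcs.{realm}")
    names.append(f"_ldap._tcp.dc._msdcs.{realm}")
    return names


@dataclass
class CldapReply:
    """The nbt_cldap_netlogon_5 fields this model looks at."""
    pdc_dns_name: str
    ip: str
    server_type: int
    server_site: str


@dataclass
class Selection:
    chosen: CldapReply | None
    reason: str
    saf_cached: bool  # would the IP be stored under SAF/DOMAIN/<realm>?


def select_dc(candidates: list[str], answers: dict[str, CldapReply],
              saf_entry: str | None = None,
              forced_server: str | None = None) -> Selection:
    """Order in which DCs are tried (steps 1-2 are this model's assumption):
      1. a server given explicitly (net ads join -S host);
      2. a still-valid SAF (server affinity) cache entry for the realm;
      3. the SRV candidates; the first one answering CLDAP wins.
    As in Samba's ads_try_connect(), a reply without NBT_SERVER_LDAP is
    rejected. The IP is cached in SAF only when the DC reports
    NBT_SERVER_CLOSEST, the check ads_closest_dc() makes before saf_store()."""
    order: list[tuple[str, str]] = []
    if forced_server:
        order.append((forced_server, "forced with -S"))
    if saf_entry:
        order.append((saf_entry, "SAF cache hit"))
    order += [(host, "SRV lookup") for host in candidates]

    for host, why in order:
        reply = answers.get(host.lower())
        if reply is None:
            continue  # no CLDAP answer: move on to the next candidate
        if not reply.server_type & NBT_SERVER_LDAP:
            continue  # reply says the host is not an LDAP server
        closest = bool(reply.server_type & NBT_SERVER_CLOSEST)
        return Selection(reply, why, saf_cached=closest)
    return Selection(None, "no candidate answered CLDAP", saf_cached=False)


def demo() -> tuple[Selection, Selection]:
    """Constructed scenario: dc05's flags, IP and site come from the log;
    dc01 is invented with the same flags minus CLOSEST (a DC in another
    site) and a documentation-range IP."""
    dc05 = CldapReply("epluxsdc05.my.domain", "136.173.22.162", 0x1fd, "Luxembourg")
    dc01 = CldapReply("dc01.my.domain", "192.0.2.1",
                      0x1fd & ~NBT_SERVER_CLOSEST, "Brussels")
    answers = {"dc05.my.domain": dc05, "dc01.my.domain": dc01}
    # Constructed SRV answer for a Luxembourg client: the site record lists dc05.
    site_first = ["dc05.my.domain", "dc01.my.domain"]
    by_site = select_dc(site_first, answers)
    forced = select_dc(site_first, answers, forced_server="DC01.my.domain")
    return by_site, forced


if __name__ == "__main__":
    print(decode_server_type(0x1fd))
    print(srv_names("my.domain", "Luxembourg"))
    for sel in demo():
        print(sel.reason, "->", sel.chosen.pdc_dns_name, "saf_cached:", sel.saf_cached)
```

In practice the forced form is `net ads join -S DC01.my.domain -U adm-tsondag`. Two things follow from the log's cache entries: a DC reached via `-S` that is not in the client's site is not written to the SAF cache, and after a join attempt without `-S` the 900-second SAF entry sends every `net` call in the next 15 minutes back to the same DC.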
Hi list,

I found out myself what's going wrong (but not why?). If you get this error:

Failed to join domain: failed to set machine spn: Out of memory

check whether the account used during the join has the option "Do not require Kerberos preauthentication" set; if it is present, the join will fail as described.

Thomas

On Fri, Nov 21, 2008 at 2:15 PM, Thomas Sondag <thomas.sondag@gmail.com> wrote:
> [quoted original message snipped; it is the first message in this thread]
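The option Thomas found is the UF_DONT_REQUIRE_PREAUTH bit (0x400000) of the account's userAccountControl attribute. Whatever its effect on the join, it is also the bit that makes an account AS-REP roastable: anyone who can reach the KDC can request an AS-REP for that principal without knowing its password and crack the reply offline, which is a poor property for an account that is allowed to join machines. The Python below is an added example for this page, not Samba's or the poster's code: it tests the bit, produces the LDAP filter that lists every enabled account carrying it (using the bitwise-AND matching rule AD exposes for this), and computes the value to write back. The sample accounts and their values are constructed, and the DC and base DN in the ldapsearch string are assumptions.

```python
from __future__ import annotations

# userAccountControl bits (ADS_USER_FLAG values) this example uses.
UF_ACCOUNTDISABLE = 0x00000002
UF_NORMAL_ACCOUNT = 0x00000200
UF_DONT_EXPIRE_PASSWD = 0x00010000
UF_DONT_REQUIRE_PREAUTH = 0x00400000  # "Do not require Kerberos preauthentication"

# Extensible-match rule that ANDs an integer attribute with a mask; it is how
# a single userAccountControl bit can be tested inside an LDAP filter.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample directory: sAMAccountName -> userAccountControl. The
# values are invented for this example, not read from the thread's domain.
SAMPLE_ACCOUNTS = {
    "adm-tsondag": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH,
    "svc-legacy": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH,
    "old-admin": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH,
    "jdoe": UF_NORMAL_ACCOUNT,
}


def preauth_required(uac: int) -> bool:
    """True unless the account carries UF_DONT_REQUIRE_PREAUTH."""
    return not (uac & UF_DONT_REQUIRE_PREAUTH)


def clear_dont_require_preauth(uac: int) -> int:
    """Value to write back to userAccountControl to restore preauthentication."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH


def preauth_disabled_filter(enabled_only: bool = True) -> str:
    """LDAP filter matching accounts with the flag set. With enabled_only,
    disabled accounts are left out (they cannot perform a join anyway)."""
    has_flag = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_DONT_REQUIRE_PREAUTH})"
    if not enabled_only:
        return f"(&(objectClass=user){has_flag})"
    not_disabled = f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE}))"
    return f"(&(objectClass=user){has_flag}{not_disabled})"


def ldapsearch_command(dc: str, base_dn: str) -> str:
    """OpenLDAP ldapsearch invocation (GSSAPI bind with an existing kinit
    ticket) that lists the affected accounts. dc and base_dn are assumed."""
    return (f"ldapsearch -LLL -Y GSSAPI -H ldap://{dc} -b '{base_dn}' "
            f"'{preauth_disabled_filter()}' sAMAccountName userAccountControl")


def audit(accounts: dict[str, int], enabled_only: bool = True) -> list[str]:
    """The same selection as the LDAP filter, applied to an in-memory table."""
    hits = []
    for name, uac in accounts.items():
        if preauth_required(uac):
            continue
        if enabled_only and uac & UF_ACCOUNTDISABLE:
            continue
        hits.append(name)
    return hits


if __name__ == "__main__":
    for name in audit(SAMPLE_ACCOUNTS):
        before = SAMPLE_ACCOUNTS[name]
        after = clear_dont_require_preauth(before)
        print(f"{name}: userAccountControl {before:#x} -> {after:#x}")
    print(ldapsearch_command("DC01.my.domain", "DC=my,DC=domain"))
```

The fix that removes both the join failure reported here and the offline-cracking exposure is to clear the bit on the account (the value `clear_dont_require_preauth` returns), not to find a DC that tolerates it. Run the audit against the whole domain rather than the one account, since a flag set on a service or admin account is the same weakness whether or not it is ever used for a join.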