Mark Casey
2009-Mar-19 19:27 UTC
[Samba] Can join ADS domain, all accounts/auth work fine, but leaving domain fails
Hello all,

As the subject says, as far as I can tell everything works on my ads integrated samba server. Domain accounts can be used for ssh, and accessing shares, I just can't leave the domain. Here is a successful join command followed by an unsuccessful leave command at debug level 4. Any ideas?

TIA,
Mark

user@dordal:~$ sudo net ads join -U administrator@MYDOMAIN.COM -d 4
[2009/03/19 14:00:07, 3] param/loadparm.c:lp_load(5063)
  lp_load: refreshing parameters
[2009/03/19 14:00:07, 3] param/loadparm.c:init_globals(1448)
  Initialising global parameters
[2009/03/19 14:00:07, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2009/03/19 14:00:07, 3] param/loadparm.c:do_section(3802)
  Processing section "[global]"
  doing parameter workgroup = MYDOMAIN
  doing parameter realm = MYDOMAIN.COM
  doing parameter security = ADS
  doing parameter password server = dal-dc1.mydomain.com, den-dc1.mydomain.com
  doing parameter client schannel = Yes
  doing parameter server schannel = Yes
  doing parameter username map = /etc/samba/smbusers
  doing parameter obey pam restrictions = Yes
  doing parameter enable privileges = Yes
  doing parameter restrict anonymous = 2
  doing parameter allow trusted domains = No
  doing parameter lanman auth = No
  doing parameter ntlm auth = No
  doing parameter client NTLMv2 auth = Yes
  doing parameter log level = 1
  doing parameter syslog = 0
  doing parameter min protocol = NT1
  doing parameter client signing = Yes
  doing parameter server signing = Yes
  doing parameter load printers = No
  doing parameter preferred master = No
  doing parameter local master = No
  doing parameter domain master = No
  doing parameter dns proxy = No
  doing parameter ldap ssl = no
  doing parameter host msdfs = No
  doing parameter idmap domains = MYDOMAIN
  doing parameter idmap alloc backend = ldap
  doing parameter template shell = /bin/false
  doing parameter winbind enum users = Yes
  doing parameter winbind enum groups = Yes
  doing parameter winbind use default domain = Yes
  doing parameter winbind refresh tickets = Yes
  doing parameter idmap alloc config:range = 100000 - 500000
  doing parameter idmap alloc config:ldap_url = ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
  doing parameter idmap alloc config:ldap_user_dn = cn=idmapmgr,cn=users,dc=mydomain,dc=com
  doing parameter idmap alloc config:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=mydomain,dc=com
  doing parameter idmap config MYDOMAIN:range = 100000 - 500000
  doing parameter idmap config MYDOMAIN:ldap_url = ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
  doing parameter idmap config MYDOMAIN:ldap_user_dn = cn=idmapmgr,cn=users,dc=mydomain,dc=com
  doing parameter idmap config MYDOMAIN:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=mydomain,dc=com
  doing parameter idmap config MYDOMAIN:backend = ldap
  doing parameter idmap config MYDOMAIN:default = yes
  doing parameter hosts allow = 10.0.0.0/255.255.254.0 10.1.0.0/255.255.254.0
  doing parameter map acl inherit = No
  doing parameter hide special files = Yes
  doing parameter map archive = No
  doing parameter map readonly = No
  doing parameter map system = No
  doing parameter map hidden = No
  doing parameter ea support = No
  doing parameter store dos attributes = No
  doing parameter wide links = No
  doing parameter follow symlinks = No
  doing parameter dos filemode = No
  doing parameter add share command = /etc/samba/command.pl
  doing parameter delete share command = /etc/samba/command.pl
  doing parameter change share command = /etc/samba/command.pl
[2009/03/19 14:00:07, 4] param/loadparm.c:lp_load(5094)
  pm_process() returned Yes
[2009/03/19 14:00:07, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.1.35 bcast=10.0.1.255 nmask=255.255.254.0
[2009/03/19 14:00:07, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=MYDOMAIN
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.1.30
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 4] libsmb/namequery_dc.c:ads_dc_name(139)
  ads_dc_name: using server='DAL-DC1.MYDOMAIN.COM' IP=10.0.1.30
administrator@MYDOMAIN.COM's password:
[2009/03/19 14:00:14, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:14, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.1.30
[2009/03/19 14:00:14, 4] libads/ldap.c:ads_current_time(2414)
  time offset is 0 seconds
[2009/03/19 14:00:14, 4] libads/sasl.c:ads_sasl_bind(587)
  Found SASL mechanism GSS-SPNEGO
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
  ads_sasl_spnego_bind: got server principal name = dal-dc1$@MYDOMAIN.COM
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Fri, 20 Mar 2009 00:00:14 CDT
[2009/03/19 14:00:14, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:14, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.1.30
[2009/03/19 14:00:14, 4] libads/ldap.c:ads_current_time(2414)
  time offset is 0 seconds
[2009/03/19 14:00:14, 4] libads/sasl.c:ads_sasl_bind(587)
  Found SASL mechanism GSS-SPNEGO
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
  ads_sasl_spnego_bind: got server principal name = dal-dc1$@MYDOMAIN.COM
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Fri, 20 Mar 2009 00:00:14 CDT
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_start_connection(1556)
  Connecting to host=DAL-DC1.mydomain.com
[2009/03/19 14:00:14, 3] lib/util_sock.c:open_socket_out(866)
  Connecting to 10.0.1.30 at port 445
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(795)
  Doing spnego session setup (blob length=113)
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(820)
  got OID=1 2 840 48018 1 2 2
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(820)
  got OID=1 2 840 113554 1 2 2
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(820)
  got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(820)
  got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(828)
  got principal=dal-dc1$@MYDOMAIN.COM
[2009/03/19 14:00:14, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(615)
  Doing kerberos session setup
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Fri, 20 Mar 2009 00:00:14 CDT
[2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
  rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \lsarpc fnum 0x10 bind request returned ok.
[2009/03/19 14:00:14, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8
[2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
  rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \samr fnum 0x1e bind request returned ok.
Using short domain name -- MYDOMAIN
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_start_connection(1556)
  Connecting to host=DAL-DC1.mydomain.com
[2009/03/19 14:00:14, 3] lib/util_sock.c:open_socket_out(866)
  Connecting to 10.0.1.30 at port 445
[2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
  rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \NETLOGON fnum 0x400a bind request returned ok.
[2009/03/19 14:00:14, 4] rpc_client/cli_netlogon.c:rpccli_net_req_chal(46)
  cli_net_req_chal: LSA Request Challenge from DORDAL to \\DAL-DC1.mydomain.com
[2009/03/19 14:00:14, 4] rpc_client/cli_netlogon.c:rpccli_net_auth2(170)
  cli_net_auth2: srv:\\DAL-DC1.mydomain.com acct:DORDAL$ sc:2 mc: DORDAL neg: 600fffff
[2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
  rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \NETLOGON fnum 0x400b bind request returned ok.
[2009/03/19 14:00:14, 3] libads/ldap.c:ads_domain_func_level(2471)
  ads_domain_func_level: 2
[2009/03/19 14:00:14, 3] libads/kerberos.c:kerberos_secrets_store_des_salt(337)
  kerberos_secrets_store_des_salt: Storing salt "host/dordal.mydomain.com@MYDOMAIN.COM"
[2009/03/19 14:00:14, 4] libads/dns.c:ads_dns_lookup_ns(508)
  ads_dns_lookup_ns: 2 records returned in the answer section.
Joined 'DORDAL' to realm 'MYDOMAIN.COM'
[2009/03/19 14:00:14, 2] utils/net.c:main(1046)
  return code = 0

user@dordal:~$ sudo net ads leave -U administrator@MYDOMAIN.COM -d 4
[2009/03/19 14:02:44, 3] param/loadparm.c:lp_load(5063)
  lp_load: refreshing parameters
[2009/03/19 14:02:44, 3] param/loadparm.c:init_globals(1448)
  Initialising global parameters
[2009/03/19 14:02:44, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2009/03/19 14:02:44, 3] param/loadparm.c:do_section(3802)
  Processing section "[global]"
  doing parameter workgroup = MYDOMAIN
  doing parameter realm = MYDOMAIN.COM
  doing parameter security = ADS
  doing parameter password server = dal-dc1.MYDOMAIN.com, den-dc1.MYDOMAIN.com
  doing parameter client schannel = Yes
  doing parameter server schannel = Yes
  doing parameter username map = /etc/samba/smbusers
  doing parameter obey pam restrictions = Yes
  doing parameter enable privileges = Yes
  doing parameter restrict anonymous = 2
  doing parameter allow trusted domains = No
  doing parameter lanman auth = No
  doing parameter ntlm auth = No
  doing parameter client NTLMv2 auth = Yes
  doing parameter log level = 1
  doing parameter syslog = 0
  doing parameter min protocol = NT1
  doing parameter client signing = Yes
  doing parameter server signing = Yes
  doing parameter load printers = No
  doing parameter preferred master = No
  doing parameter local master = No
  doing parameter domain master = No
  doing parameter dns proxy = No
  doing parameter ldap ssl = no
  doing parameter host msdfs = No
  doing parameter idmap domains = MYDOMAIN
  doing parameter idmap alloc backend = ldap
  doing parameter template shell = /bin/false
  doing parameter winbind enum users = Yes
  doing parameter winbind enum groups = Yes
  doing parameter winbind use default domain = Yes
  doing parameter winbind refresh tickets = Yes
  doing parameter idmap alloc config:range = 100000 - 500000
  doing parameter idmap alloc config:ldap_url = ldap://dal-dc1.MYDOMAIN.com ldap://den-dc1.MYDOMAIN.com
  doing parameter idmap alloc config:ldap_user_dn = cn=idmapmgr,cn=users,dc=MYDOMAIN,dc=com
  doing parameter idmap alloc config:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=MYDOMAIN,dc=com
  doing parameter idmap config MYDOMAIN:range = 100000 - 500000
  doing parameter idmap config MYDOMAIN:ldap_url = ldap://dal-dc1.MYDOMAIN.com ldap://den-dc1.MYDOMAIN.com
  doing parameter idmap config MYDOMAIN:ldap_user_dn = cn=idmapmgr,cn=users,dc=MYDOMAIN,dc=com
  doing parameter idmap config MYDOMAIN:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=MYDOMAIN,dc=com
  doing parameter idmap config MYDOMAIN:backend = ldap
  doing parameter idmap config MYDOMAIN:default = yes
  doing parameter hosts allow = 10.0.0.0/255.255.254.0 10.1.0.0/255.255.254.0
  doing parameter map acl inherit = No
  doing parameter hide special files = Yes
  doing parameter map archive = No
  doing parameter map readonly = No
  doing parameter map system = No
  doing parameter map hidden = No
  doing parameter ea support = No
  doing parameter store dos attributes = No
  doing parameter wide links = No
  doing parameter follow symlinks = No
  doing parameter dos filemode = No
  doing parameter add share command = /etc/samba/command.pl
  doing parameter delete share command = /etc/samba/command.pl
  doing parameter change share command = /etc/samba/command.pl
[2009/03/19 14:02:44, 4] param/loadparm.c:lp_load(5094)
  pm_process() returned Yes
[2009/03/19 14:02:44, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.1.35 bcast=10.0.1.255 nmask=255.255.254.0
administrator@MYDOMAIN.COM's password:
[2009/03/19 14:02:47, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.1.30, dal-dc1.MYDOMAIN.com, den-dc1.MYDOMAIN.com"
[2009/03/19 14:02:47, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:02:47, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:02:47, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.1.30
[2009/03/19 14:02:47, 4] libads/ldap.c:ads_current_time(2414)
  time offset is 0 seconds
[2009/03/19 14:02:47, 4] libads/sasl.c:ads_sasl_bind(587)
  Found SASL mechanism GSS-SPNEGO
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
  ads_sasl_spnego_bind: got server principal name = dal-dc1$@MYDOMAIN.COM
[2009/03/19 14:02:47, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
  ads_krb5_mk_req: krb5_get_credentials failed for dal-dc1$@MYDOMAIN.COM (Ticket not yet valid)
[2009/03/19 14:02:48, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet valid
[2009/03/19 14:02:48, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.1.30, dal-dc1.MYDOMAIN.com, den-dc1.MYDOMAIN.com"
[2009/03/19 14:02:48, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:02:48, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:02:48, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.1.30
[2009/03/19 14:02:48, 4] libads/ldap.c:ads_current_time(2414)
  time offset is 0 seconds
[2009/03/19 14:02:48, 4] libads/sasl.c:ads_sasl_bind(587)
  Found SASL mechanism GSS-SPNEGO
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
  ads_sasl_spnego_bind: got server principal name = dal-dc1$@MYDOMAIN.COM
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
  ads_krb5_mk_req: krb5_get_credentials failed for dal-dc1$@MYDOMAIN.COM (Ticket not yet valid)
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
  ads_krb5_mk_req: krb5_get_credentials failed for dal-dc1$@MYDOMAIN.COM (Ticket not yet valid)
[2009/03/19 14:02:48, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet valid
[2009/03/19 14:02:48, 2] utils/net.c:main(1046)
  return code = -1
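Added example (not part of the original post): a Python triage script for Samba debug output in the format shown above. It splits the log into entries whether the text is line-wrapped or flattened, then reports the level 0 and 1 entries, Kerberos failures by principal and reason, the clock offset Samba measured against the DC, and the final return code. The sample input is copied from the failing leave run; the function and key names are this example's own.

```python
import re
from collections import Counter

# Samba 3.x debug header: "[YYYY/MM/DD HH:MM:SS, LEVEL] source.c:function(line)"
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<func>\w+)\((?P<line>\d+)\)"
)
# Shape logged by ads_krb5_mk_req: "<call> failed for <principal> (<reason>)"
KRB_FAIL = re.compile(
    r"(?P<call>krb5_\w+) failed for (?P<principal>\S+) \((?P<reason>[^)]+)\)"
)
OFFSET = re.compile(r"time offset is (-?\d+) seconds")
RETURN_CODE = re.compile(r"return code = (-?\d+)")

# Sample input: entries copied from the failing "net ads leave" run above.
SAMPLE = """\
[2009/03/19 14:02:47, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.1.30
[2009/03/19 14:02:47, 4] libads/ldap.c:ads_current_time(2414)
  time offset is 0 seconds
[2009/03/19 14:02:47, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
  ads_krb5_mk_req: krb5_get_credentials failed for dal-dc1$@MYDOMAIN.COM (Ticket not yet valid)
[2009/03/19 14:02:48, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet valid
[2009/03/19 14:02:48, 2] utils/net.c:main(1046)
  return code = -1
"""


def parse_entries(text):
    """Split debug output into entries, one per header.

    The message is everything up to the next header with whitespace
    collapsed, so wrapped and flattened logs parse identically.
    """
    headers = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        entries.append({
            "timestamp": m["ts"],
            "level": int(m["level"]),
            "source": f'{m["file"]}:{m["func"]}({m["line"]})',
            "func": m["func"],
            "message": " ".join(text[m.end():end].split()),
        })
    return entries


def triage(text, max_level=1):
    """Summarise the parts of a debug log that matter for a failed run."""
    entries = parse_entries(text)
    kerberos_failures = Counter()
    clock_offsets = []
    return_code = None
    for entry in entries:
        for m in KRB_FAIL.finditer(entry["message"]):
            kerberos_failures[(m["principal"], m["reason"])] += 1
        # Offset Samba computed between its own clock and the LDAP server's.
        if entry["func"] == "ads_current_time":
            m = OFFSET.search(entry["message"])
            if m:
                clock_offsets.append(int(m.group(1)))
        m = RETURN_CODE.search(entry["message"])
        if m:
            return_code = int(m.group(1))
    return {
        # Samba levels 0 and 1 are the entries logged as errors/warnings.
        "severe": [e for e in entries if e["level"] <= max_level],
        "kerberos_failures": kerberos_failures,
        "clock_offsets": clock_offsets,
        "return_code": return_code,
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for e in report["severe"]:
        print(f'{e["timestamp"]} L{e["level"]} {e["source"]}: {e["message"]}')
    for (principal, reason), count in report["kerberos_failures"].items():
        print(f"kerberos: {principal}: {reason} x{count}")
    print("clock offsets (s):", report["clock_offsets"])
    print("return code:", report["return_code"])
```
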
Mark Casey
2009-Mar-21 15:27 UTC
[Samba] Can join ADS domain, all accounts/auth work fine, but leaving domain fails
Rob LaRose wrote:
> Hi Mark,
>
> Mind if I ask how you're doing ssh against your Windows AD? I'm
> trying to do this now. I've got a script that joins me to the domain
> and makes SSH work but not samba. Then I can do net ads join and
> samba works but not ssh. Gotta find the happy medium!
>
> Are you somehow using samba to auth ssh too?
>
> --Rob LaRose
> Imaginary Forces
>
> On Mar 19, 2009, at 3:19 PM, Mark Casey wrote:
>
>> Hello all,
>>
>> As the subject says, as far as I can tell everything works on my ads
>> integrated samba server. Domain accounts can be used for ssh, and
>> accessing shares, I just can't leave the domain. Here is a successful
>> join command followed by an unsuccessful leave command at debug level
>> 4. Any ideas?
>>
>> TIA,
>> Mark
yet >> valid >> [2009/03/19 14:02:48, 3] libsmb/namequery.c:get_dc_list(1489) >> get_dc_list: preferred server list: "10.0.1.30, dal-dc1.MYDOMAIN.com, >> den-dc1.MYDOMAIN.com" >> [2009/03/19 14:02:48, 4] libsmb/namequery.c:get_dc_list(1599) >> get_dc_list: returning 2 ip addresses in an ordered list >> [2009/03/19 14:02:48, 4] libsmb/namequery.c:get_dc_list(1600) >> get_dc_list: 10.0.1.30:389 10.1.1.30:389 >> [2009/03/19 14:02:48, 3] libads/ldap.c:ads_connect(394) >> Connected to LDAP server 10.0.1.30 >> [2009/03/19 14:02:48, 4] libads/ldap.c:ads_current_time(2414) >> time offset is 0 seconds >> [2009/03/19 14:02:48, 4] libads/sasl.c:ads_sasl_bind(587) >> Found SASL mechanism GSS-SPNEGO >> [2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291) >> ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2 >> [2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291) >> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 >> [2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291) >> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3 >> [2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291) >> ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 >> [2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(300) >> ads_sasl_spnego_bind: got server principal name = dal-dc1$@MYDOMAIN.COM >> [2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602) >> ads_krb5_mk_req: krb5_get_credentials failed for >> dal-dc1$@MYDOMAIN.COM (Ticket not yet valid) >> [2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602) >> ads_krb5_mk_req: krb5_get_credentials failed for >> dal-dc1$@MYDOMAIN.COM (Ticket not yet valid) >> [2009/03/19 14:02:48, 0] libads/sasl.c:ads_sasl_spnego_bind(330) >> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet >> valid >> [2009/03/19 14:02:48, 2] utils/net.c:main(1046) >> return code = -1 >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: 
https://lists.samba.org/mailman/options/samba >Rob, I just added winbind to pam. If you search for "add winbind pam" or something like that, you'll probably find it. I'm short on time at the moment...but the main things I can remember for this is the parameter (something like) "obey pam restrictions=yes", then also setting the default shell parameter in smb.conf, and making sure the pam module that makes home directories is in place, and maybe add users to sudo if needed. Let me know if that isn't enough to get it for you and I can send some of what I've got in my configs. ty, Mark