samba - Nov 2015 - Samba 4.1.6-Ubuntu on 14.04 domain join seems successful with caveats, testjoin reports no logon servers...

Greetings,

Long-time but very occasional samba user here with a new challenge (well
for me at least).

The basics are that on the domain join, the computer account gets created
but throws the dns error which based on my searching seems non-fatal.
 wbinfo -t gives me a succeeded, wbinfo -a klm.com\\me --ntlmv2 works fine
but yet the net ads testjoin fails.  Logs on the domain controller show "A
Kerberos authentication ticket (TGT) was requested." with an Audit Success
after I run the testjoin that fails.

The AD guys tell me that hij.klm.com is the subdomain that the computer
account exists in (hence the createcomputer string in the join) and user
accounts exist in klm.com including my account that I was using to do the
join (me at klm.com).

I did a tcpdump on the testjoin and pulled it into wireshark and I see it
contacting (amongst other things) all of the AD servers in both domains on
88/UDP and getting replies so it doesn't smell like a firewall issue.

Thanks in advance for any help.

Here's the edited and redacted output from the join (the computer account
already existed as you can see):

# net ads join
createcomputer="OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com"
-U
me at klm.com -d 1
Enter me at KLM.COM's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'this'
            domain_name              : *
                domain_name              : 'HIJ.KLM.COM'
            account_ou               :
'OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
            admin_account            : 'me at KLM.COM'
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                        something = something-else
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
The machine account already exists in the specified OU.
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'HIJ'
            dns_domain_name          : 'hij.klm.com'
            forest_name              : 'klm.com'
            dn                       :
'CN=THIS,OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
            domain_sid               : *
                domain_sid               : *REDACTED*
            modified_config          : 0x00 (0)
            error_string             : NULL
            domain_is_ad             : 0x01 (1)
            result                   : WERR_OK
Using short domain name -- HIJ
Joined 'THIS' to dns domain 'hij.klm.com'
kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC
for requested realm
DNS update failed: kinit failed: Cannot contact any KDC for requested realm

And here's the output from my testjoin:

# net ads testjoin -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=x.x.x.x bcast=x.x.x.y netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server a.b.c.d
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server a.b.c.d
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name AD1.HIJ.KLM.COM<0x20>
Successfully contacted LDAP server a.b.c.d
Connected to LDAP server ad1.hij.klm.com
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name not_defined_in_RFC4178 at
please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC
for requested realm
ads_connect: Cannot contact any KDC for requested realm
Join to domain is not valid: No logon servers
return code = -1

My krb5.conf:

[libdefaults]
ticket_lifetime = 24h
default_realm = HIJ.KLM.COM
dns_lookup_realm = false
dns_lookup_kdc = false

krb4_config = /etc/krb.conf
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]
HIJ.KLM.COM = {
kdc = ad1.hij.klm.com
kdc = ad2.hij.klm.com
admin_server = ad.hij.klm.com
default_domain = hij.klm.com
}

[domain_realm]
.xyz.hij.klm.com = HIJ.KLM.COM
.hij.klm.com = HIJ.KLM.COM

[login]
krb4_convert = true
krb4_get_tickets = false
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

My smb.conf:

[global]

   workgroup = hij
   netbios name = this
   security = ADS
   realm = HIJ.KLM.COM
   server string = XYZ server (Samba, Ubuntu)
   dns proxy = no
   printcap name = /etc/printcap
   load printers = no
   log file = /var/log/samba/log.%m
   log level = 1
   max log size = 1000
   dedicated keytab file = /etc/krb5.keytab
   encrypt passwords = yes
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = no
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = no
   map to guest = bad user

Your using a samba3 config on a samba 4. 

Change your config base on : 
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member 


Gr, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Schuyler Bishop
> Verzonden: dinsdag 17 november 2015 17:11
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems
> successful with caveats, testjoin reports no logon servers...
> 
> Greetings,
> 
> Long-time but very occasional samba user here with a new challenge (well
> for me at least).
> 
> The basics are that on the domain join, the computer account gets created
> but throws the dns error which based on my searching seems non-fatal.
>  wbinfo -t gives me a succeeded, wbinfo -a klm.com\\me --ntlmv2 works fine
> but yet the net ads testjoin fails.  Logs on the domain controller show
"A
> Kerberos authentication ticket (TGT) was requested." with an Audit
Success
> after I run the testjoin that fails.
> 
> The AD guys tell me that hij.klm.com is the subdomain that the computer
> account exists in (hence the createcomputer string in the join) and user
> accounts exist in klm.com including my account that I was using to do the
> join (me at klm.com).
> 
> I did a tcpdump on the testjoin and pulled it into wireshark and I see it
> contacting (amongst other things) all of the AD servers in both domains on
> 88/UDP and getting replies so it doesn't smell like a firewall issue.
> 
> Thanks in advance for any help.
> 
> Here's the edited and redacted output from the join (the computer
account
> already existed as you can see):
> 
> # net ads join
>
createcomputer="OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com"
-
> U
> me at klm.com -d 1
> Enter me at KLM.COM's password:
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         in: struct libnet_JoinCtx
>             dc_name                  : NULL
>             machine_name             : 'this'
>             domain_name              : *
>                 domain_name              : 'HIJ.KLM.COM'
>             account_ou               :
> 'OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
>             admin_account            : 'me at KLM.COM'
>             machine_password         : NULL
>             join_flags               : 0x00000023 (35)
>                    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>                    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>                    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>                    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>                    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>                    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>                         something = something-else
>                    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>                    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>                    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>                    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>                    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>             os_version               : NULL
>             os_name                  : NULL
>             create_upn               : 0x00 (0)
>             upn                      : NULL
>             modify_config            : 0x00 (0)
>             ads                      : NULL
>             debug                    : 0x01 (1)
>             use_kerberos             : 0x00 (0)
>             secure_channel_type      : SEC_CHAN_WKSTA (2)
> The machine account already exists in the specified OU.
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'HIJ'
>             dns_domain_name          : 'hij.klm.com'
>             forest_name              : 'klm.com'
>             dn                       :
> 'CN=THIS,OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
>             domain_sid               : *
>                 domain_sid               : *REDACTED*
>             modified_config          : 0x00 (0)
>             error_string             : NULL
>             domain_is_ad             : 0x01 (1)
>             result                   : WERR_OK
> Using short domain name -- HIJ
> Joined 'THIS' to dns domain 'hij.klm.com'
> kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC
> for requested realm
> DNS update failed: kinit failed: Cannot contact any KDC for requested
> realm
> 
> And here's the output from my testjoin:
> 
> # net ads testjoin -d 3
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> Processing section "[global]"
> added interface eth0 ip=x.x.x.x bcast=x.x.x.y netmask=255.255.255.0
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> get_dc_list: preferred server list: ", *"
> Successfully contacted LDAP server a.b.c.d
> get_dc_list: preferred server list: ", *"
> get_dc_list: preferred server list: ", *"
> get_dc_list: preferred server list: ", *"
> Successfully contacted LDAP server a.b.c.d
> get_dc_list: preferred server list: ", *"
> get_dc_list: preferred server list: ", *"
> resolve_lmhosts: Attempting lmhosts lookup for name
AD1.HIJ.KLM.COM<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name
AD1.HIJ.KLM.COM<0x20>
> resolve_wins: WINS server resolution selected and no WINS servers listed.
> resolve_hosts: Attempting host lookup for name AD1.HIJ.KLM.COM<0x20>
> Successfully contacted LDAP server a.b.c.d
> Connected to LDAP server ad1.hij.klm.com
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> ads_sasl_spnego_bind: got server principal name > not_defined_in_RFC4178
at please_ignore
> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
> kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any KDC
> for requested realm
> ads_connect: Cannot contact any KDC for requested realm
> Join to domain is not valid: No logon servers
> return code = -1
> 
> My krb5.conf:
> 
> [libdefaults]
> ticket_lifetime = 24h
> default_realm = HIJ.KLM.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> 
> krb4_config = /etc/krb.conf
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
> 
> [realms]
> HIJ.KLM.COM = {
> kdc = ad1.hij.klm.com
> kdc = ad2.hij.klm.com
> admin_server = ad.hij.klm.com
> default_domain = hij.klm.com
> }
> 
> [domain_realm]
> .xyz.hij.klm.com = HIJ.KLM.COM
> .hij.klm.com = HIJ.KLM.COM
> 
> [login]
> krb4_convert = true
> krb4_get_tickets = false
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
> 
> My smb.conf:
> 
> [global]
> 
>    workgroup = hij
>    netbios name = this
>    security = ADS
>    realm = HIJ.KLM.COM
>    server string = XYZ server (Samba, Ubuntu)
>    dns proxy = no
>    printcap name = /etc/printcap
>    load printers = no
>    log file = /var/log/samba/log.%m
>    log level = 1
>    max log size = 1000
>    dedicated keytab file = /etc/krb5.keytab
>    encrypt passwords = yes
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>    server role = standalone server
>    passdb backend = tdbsam
>    obey pam restrictions = yes
>    unix password sync = no
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>    pam password change = no
>    map to guest = bad user
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Hi Louis,

Thanks for the reply.  Upon checking the URL you sent, I'm not finding
which stanzas you're referring to as being samba3 - my smb.conf looks
remarkably similar to the sample I see there.  Could you perhaps be more
specific?

Thanks,

--Schuyler

On Tue, Nov 17, 2015 at 11:23 AM L.P.H. van Belle <belle at bazuin.nl>
wrote:
> Your using a samba3 config on a samba 4.
>
> Change your config base on :
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
>
> Gr,
>
> Louis
>
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Schuyler
Bishop
> > Verzonden: dinsdag 17 november 2015 17:11
> > Aan: samba at lists.samba.org
> > Onderwerp: [Samba] Samba 4.1.6-Ubuntu on 14.04 domain join seems
> > successful with caveats, testjoin reports no logon servers...
> >
> > Greetings,
> >
> > Long-time but very occasional samba user here with a new challenge
(well
> > for me at least).
> >
> > The basics are that on the domain join, the computer account gets
created
> > but throws the dns error which based on my searching seems non-fatal.
> >  wbinfo -t gives me a succeeded, wbinfo -a klm.com\\me --ntlmv2 works
> fine
> > but yet the net ads testjoin fails.  Logs on the domain controller
show
> "A
> > Kerberos authentication ticket (TGT) was requested." with an
Audit
> Success
> > after I run the testjoin that fails.
> >
> > The AD guys tell me that hij.klm.com is the subdomain that the
computer
> > account exists in (hence the createcomputer string in the join) and
user
> > accounts exist in klm.com including my account that I was using to do
> the
> > join (me at klm.com).
> >
> > I did a tcpdump on the testjoin and pulled it into wireshark and I see
it
> > contacting (amongst other things) all of the AD servers in both
domains
> on
> > 88/UDP and getting replies so it doesn't smell like a firewall
issue.
> >
> > Thanks in advance for any help.
> >
> > Here's the edited and redacted output from the join (the computer
account
> > already existed as you can see):
> >
> > # net ads join
> >
createcomputer="OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com"
> -
> > U
> > me at klm.com -d 1
> > Enter me at KLM.COM's password:
> > libnet_Join:
> >     libnet_JoinCtx: struct libnet_JoinCtx
> >         in: struct libnet_JoinCtx
> >             dc_name                  : NULL
> >             machine_name             : 'this'
> >             domain_name              : *
> >                 domain_name              : 'HIJ.KLM.COM'
> >             account_ou               :
> > 'OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
> >             admin_account            : 'me at KLM.COM'
> >             machine_password         : NULL
> >             join_flags               : 0x00000023 (35)
> >                    0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
> >                    0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> >                    0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> >                    0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> >                    0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> >                    0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> >                         something = something-else
> >                    1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> >                    0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> >                    0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> >                    1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> >                    1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> >             os_version               : NULL
> >             os_name                  : NULL
> >             create_upn               : 0x00 (0)
> >             upn                      : NULL
> >             modify_config            : 0x00 (0)
> >             ads                      : NULL
> >             debug                    : 0x01 (1)
> >             use_kerberos             : 0x00 (0)
> >             secure_channel_type      : SEC_CHAN_WKSTA (2)
> > The machine account already exists in the specified OU.
> > libnet_Join:
> >     libnet_JoinCtx: struct libnet_JoinCtx
> >         out: struct libnet_JoinCtx
> >             account_name             : NULL
> >             netbios_domain_name      : 'HIJ'
> >             dns_domain_name          : 'hij.klm.com'
> >             forest_name              : 'klm.com'
> >             dn                       :
> >
'CN=THIS,OU=XYZ,OU=Production,OU=ABC,OU=DEF,DC=hij,DC=klm,DC=com'
> >             domain_sid               : *
> >                 domain_sid               : *REDACTED*
> >             modified_config          : 0x00 (0)
> >             error_string             : NULL
> >             domain_is_ad             : 0x01 (1)
> >             result                   : WERR_OK
> > Using short domain name -- HIJ
> > Joined 'THIS' to dns domain 'hij.klm.com'
> > kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any
KDC
> > for requested realm
> > DNS update failed: kinit failed: Cannot contact any KDC for requested
> > realm
> >
> > And here's the output from my testjoin:
> >
> > # net ads testjoin -d 3
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
(16384)
> > params.c:pm_process() - Processing configuration file
> > "/etc/samba/smb.conf"
> > Processing section "[global]"
> > added interface eth0 ip=x.x.x.x bcast=x.x.x.y netmask=255.255.255.0
> > Registered MSG_REQ_POOL_USAGE
> > Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> > get_dc_list: preferred server list: ", *"
> > Successfully contacted LDAP server a.b.c.d
> > get_dc_list: preferred server list: ", *"
> > get_dc_list: preferred server list: ", *"
> > get_dc_list: preferred server list: ", *"
> > Successfully contacted LDAP server a.b.c.d
> > get_dc_list: preferred server list: ", *"
> > get_dc_list: preferred server list: ", *"
> > resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM
> <0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name AD1.HIJ.KLM.COM
> <0x20>
> > resolve_wins: WINS server resolution selected and no WINS servers
listed.
> > resolve_hosts: Attempting host lookup for name
AD1.HIJ.KLM.COM<0x20>
> > Successfully contacted LDAP server a.b.c.d
> > Connected to LDAP server ad1.hij.klm.com
> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> > ads_sasl_spnego_bind: got server principal name > >
not_defined_in_RFC4178 at please_ignore
> > ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
directory)
> > kerberos_kinit_password THIS$@HIJ.KLM.COM failed: Cannot contact any
KDC
> > for requested realm
> > ads_connect: Cannot contact any KDC for requested realm
> > Join to domain is not valid: No logon servers
> > return code = -1
> >
> > My krb5.conf:
> >
> > [libdefaults]
> > ticket_lifetime = 24h
> > default_realm = HIJ.KLM.COM
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> >
> > krb4_config = /etc/krb.conf
> > kdc_timesync = 1
> > ccache_type = 4
> > forwardable = true
> > proxiable = true
> > v4_instance_resolve = false
> > v4_name_convert = {
> > host = {
> > rcmd = host
> > ftp = ftp
> > }
> > plain = {
> > something = something-else
> > }
> > }
> > fcc-mit-ticketflags = true
> >
> > [realms]
> > HIJ.KLM.COM = {
> > kdc = ad1.hij.klm.com
> > kdc = ad2.hij.klm.com
> > admin_server = ad.hij.klm.com
> > default_domain = hij.klm.com
> > }
> >
> > [domain_realm]
> > .xyz.hij.klm.com = HIJ.KLM.COM
> > .hij.klm.com = HIJ.KLM.COM
> >
> > [login]
> > krb4_convert = true
> > krb4_get_tickets = false
> > [logging]
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmin.log
> > default = FILE:/var/log/krb5lib.log
> >
> > My smb.conf:
> >
> > [global]
> >
> >    workgroup = hij
> >    netbios name = this
> >    security = ADS
> >    realm = HIJ.KLM.COM
> >    server string = XYZ server (Samba, Ubuntu)
> >    dns proxy = no
> >    printcap name = /etc/printcap
> >    load printers = no
> >    log file = /var/log/samba/log.%m
> >    log level = 1
> >    max log size = 1000
> >    dedicated keytab file = /etc/krb5.keytab
> >    encrypt passwords = yes
> >    syslog = 0
> >    panic action = /usr/share/samba/panic-action %d
> >    server role = standalone server
> >    passdb backend = tdbsam
> >    obey pam restrictions = yes
> >    unix password sync = no
> >    passwd program = /usr/bin/passwd %u
> >    passwd chat = *Enter\snew\s*\spassword:* %n\n
> > *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >    pam password change = no
> >    map to guest = bad user
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>